Plex port VPN bypass using iptables on DD-WRT router

I tried to fit all the right keywords in the title, so thanks for reading…

My question is a little weird because I actually have everything working the way I want it using one of two sets of rules.
The problem is that I don’t quite understand why both are working.

So I’m looking for someone that understands iptables, and also the Plex server itself to know how it communicates.

The only requirement here is that I added the port 32400 forwarding using the GUI, and I added the “route-noexec” directive in my additional options of the VPN config file so that the ISP is the default. [By not adding “route-noexec” the VPN would be the default route - and the below logic is reversed]

########Start script
MY_PLEX_SERVER_IP=192.168.1.125
MY_TUN=tun1

#clear out previous entries
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#Disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#Copy main route table to new table, and add our tunnel as default route
ip route show table main | grep -Ev ^default | grep -Ev $MY_TUN | while read ROUTE ; do
    ip route add table 100 $ROUTE
done
#Default route of table 100 is the ISP gateway taken from nvram (wan_gateway)
ip route add default table 100 via $(nvram get wan_gateway)
#Packets carrying fwmark 1 are looked up in table 100; everything else stays in main
ip rule add fwmark 1 table 100
ip route flush cache

#This is where my question begins…
#First make all traffic from the plex server ip use the VPN as default
iptables -t mangle -A PREROUTING -i br0 -s $MY_PLEX_SERVER_IP -j MARK --set-mark 0
#Next tell only port 32400 coming from the plex server to use the ISP directly
#(MARK does not stop rule evaluation, so a later matching rule overrides the mark set above)
iptables -t mangle -A PREROUTING -i br0 -s $MY_PLEX_SERVER_IP -p tcp -m tcp --sport 32400 -j MARK --set-mark 1
#Finally let the plex server talk to all ips associated with “plex.tv” to use the ISP also
#(iptables resolves the hostname once, when the rule is inserted, and installs one rule per address it got back)
iptables -t mangle -A PREROUTING -i br0 -s $MY_PLEX_SERVER_IP -p tcp -m multiport --dport 443,80 -d plex.tv -j MARK --set-mark 1
############End here, or use below option instead of last 2 iptables commands

#instead of using the last 2 lines above - Send all traffic from the plex server thats going to plex.tv thru the ISP
iptables -t mangle -A PREROUTING -i br0 -s $MY_PLEX_SERVER_IP -d plex.tv -j MARK --set-mark 1
###############End script

So my question here is:
How does the plex traffic find its way to my device when I’m forwarding all plex.tv traffic through the ISP?
Or which option is better?

Thanks in advance
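The following is an added example, not code from the original post or from Plex or DD-WRT. It models only the two things on the page that decide where a packet from the Plex server goes: the mangle PREROUTING chain, where MARK is a non-terminating target so the last matching rule's mark wins, and the `ip rule add fwmark 1 table 100` rule that maps mark 1 to table 100 and everything else to main. It also models the fact that iptables expands `-d plex.tv` to the addresses it resolves at insert time. It says nothing about which gateway table main actually uses, and the `-i br0` match is not modelled. All addresses except 192.168.1.125 are constructed sample values.

```python
"""Model of the two mangle rule sets from the post (scenario A: sport 32400 plus
plex.tv:80,443; scenario B: everything to plex.tv) and the fwmark -> table rule.
Constructed example; all IPs other than the Plex server's are made up."""
from dataclasses import dataclass
from typing import Optional, Set, List

MY_PLEX_SERVER_IP = "192.168.1.125"
# Constructed: the addresses plex.tv is assumed to resolve to when the rules are inserted.
PLEX_TV_AT_INSERT = {"203.0.113.10", "203.0.113.11"}


@dataclass
class Rule:
    """One `iptables -t mangle -A PREROUTING ... -j MARK --set-mark N` rule."""
    mark: int
    src: Optional[str] = None
    dst: Optional[Set[str]] = None      # None = any destination; a hostname becomes this snapshot
    proto: Optional[str] = None
    sport: Optional[int] = None
    dports: Optional[Set[int]] = None   # -m multiport --dport a,b


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or pkt.src == rule.src)
            and (rule.dst is None or pkt.dst in rule.dst)
            and (rule.proto is None or pkt.proto == rule.proto)
            and (rule.sport is None or pkt.sport == rule.sport)
            and (rule.dports is None or pkt.dport in rule.dports))


def scenario_rules(scenario: str, plex_tv_ips: Set[str]) -> List[Rule]:
    """The rules from the post, in chain order. plex_tv_ips is the insert-time DNS snapshot."""
    plex = MY_PLEX_SERVER_IP
    base = Rule(mark=0, src=plex)
    if scenario == "A":
        return [base,
                Rule(mark=1, src=plex, proto="tcp", sport=32400),
                Rule(mark=1, src=plex, proto="tcp", dports={80, 443}, dst=set(plex_tv_ips))]
    if scenario == "B":
        return [base, Rule(mark=1, src=plex, dst=set(plex_tv_ips))]
    raise ValueError(scenario)


def fwmark(rules: List[Rule], pkt: Packet) -> int:
    """Walk the chain as netfilter does: every matching MARK rule fires, the last one wins."""
    mark = 0
    for rule in rules:
        if matches(rule, pkt):
            mark = rule.mark
    return mark


def routing_table(mark: int) -> str:
    """`ip rule add fwmark 1 table 100`; any other mark falls through to the main table."""
    return "100" if mark == 1 else "main"


def decide(scenario: str, pkt: Packet, plex_tv_ips: Set[str] = PLEX_TV_AT_INSERT) -> str:
    return routing_table(fwmark(scenario_rules(scenario, plex_tv_ips), pkt))


if __name__ == "__main__":
    flows = {
        "registration to plex.tv:443 from an ephemeral port":
            Packet(MY_PLEX_SERVER_IP, "203.0.113.10", sport=51234, dport=443),
        "reply to a remote client that came in through the 32400 forward":
            Packet(MY_PLEX_SERVER_IP, "198.51.100.7", sport=32400, dport=40211),
        "unrelated outbound connection from the Plex box":
            Packet(MY_PLEX_SERVER_IP, "192.0.2.50", sport=51235, dport=443),
        "plex.tv moved to a new address after the rules were inserted":
            Packet(MY_PLEX_SERVER_IP, "203.0.113.99", sport=51236, dport=443),
    }
    for name, pkt in flows.items():
        print(f"{name:66s} A->{decide('A', pkt):4s} B->{decide('B', pkt)}")
```

Running it shows the two rule sets agree on the registration flow and on unrelated traffic, differ on the reply packets of an inbound connection to the forwarded port (scenario A marks them by `--sport 32400`, scenario B leaves them at mark 0 because their destination is the client, not plex.tv), and that neither set matches a plex.tv address that was not in the DNS answer at insert time, which is the check to run with `iptables -t mangle -S PREROUTING` against a fresh lookup of plex.tv whenever remote access stops working.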

Scenario A works because you are specifying --sport 32400, which specifies the ephemeral source port for the connection, so when your PMS connects to plex.tv on destination port 80 or 443 it uses ephemeral port 32400 and registers itself with plex.tv using that port and your public IP; since there is no VPN, and since you set up the port forward, you are good.

Scenario B is the same thing, just a catch-all, so regardless of the source port (or destination, for that matter) it will get sent out to the ISP, again using your public IP, and since you set up the port forward you are good.

I would use option B unless you are DoD and lock down everything!

@nokdim: In scenario A, a connection between my plex server and my external device is made [over the ISP]. I believe the same thing is happening in scenario B, but I haven’t done the tcpdump to prove it yet [plan to in the next few days if time allows].
So in scenario B, how would the traffic get to my device, since it is not one of the plex.tv IPs that gets specified?

In both cases my device says the server is “Remote”, not “Indirect”.

I verified the traffic flows over the ISP to my device - I just don’t understand how the traffic is being marked to use that path when no rule exists to do so.