Plex Remote Access intermittently down

Hi,

I’m running my Plex server on a Synology NAS. The NAS is behind a VPN. However, my pfsense router has port 32400 (my plex remote port) forwarded and under DNS RESOLVER the following is defined:
server: private-domain: “plex.direct”

This setup works the majority of the time. However, every now and then it appears the connection is lost. Tautulli informs me The Plex Media Server remote access is down. (Plex remote access port mapped, but the port is unreachable from Plex.tv).

Does anyone know why this might be occurring and of a way to fix the issue?

Many Thanks

The most common problem is the “Exit IP” (where it appears on the WAN) is dynamic.

Plex only updates hourly. If it changes sometime within that hour, there will be a perceived outage.

I also have pfSense but use no VPN.

If you’re using the VPN to control access to the server, I have an alternative which works better.

1. Each person who has access to your server sets up a DDNS which self updates on their end.
2. They give you that DDNS FQDN name
3. Create an alias “Plex Allowed Remotes”
4. Add each allowed remote FQDN to that list.
5. Now restart Plex.
6. From your DEBUG logs, get the list of Plex’s servers which support your account.
7. Add them to the “Plex Allowed Remotes” alias.
8. Now create the pfsense firewall rule which only passes “Plex Allowed Remotes”

From time to time, you will need to update the Plex IP list … be aware of it.

What is the purpose of the VPN - to provide remote access into your network? Or to obfuscate requests (and responses) from your network?

When a Plex Media Server’s traffic is routed through a VPN, it’s common for Remote Access to break.

If inbound packets come through the ISP WAN, but outbound packets are routed through the VPN, things don’t work.

I’m not familiar with VPN on the Synology NAS. Can it be configured to exclude Plex?

@Volts

No. VPN on DSM is “All or Nothing”

Normal Linux allows creating routing table entries.
DSM does not permit this.

If it’s an “outbound” VPN, and Plex can’t be excluded … I would expect Remote Access problems.

If the Remote Access page in Plex shows a different Public IP address than the ISP WAN connection, it probably won’t work.

@Volts

The only workaround is:

1. Create a bonded adapter which includes ALL physical adapters
2. Now All PMS traffic will flow through the VPN.

Caveat

Changing VPN state (UP/ DOWN) requires PMS restart so Plex.tv knows the current WAN address to look at.

This is not 100% guaranteed as some traffic might still report the modem/router’s WAN address but Plex.tv does seem to obey the VPN exit IP address reported.

Unknown is whether the VPN provider allows unsolicited incoming traffic (Remote Access requests)

Hi,

To be clear, my VPN runs on my router NOT on my NAS.

My router is already setup with an Alias for plextv. The IP addresses of plex.tv are then stored in a table and traffic on port 32400 forwarded, the total result of which means Plex traffic will bypass my VPN for Plex Server connections to plex.tv. In short, you can ignore the VPN here, it is NOT used (Plex logs confirm this with the correct WAN address).

I’m not to sure why I’d need external DDNS for external IPs. I’m not actively blocking external IPs so this should not be required. I don’t want to go over kill on security.

The WAN update Vs Plex update is interesting though. I can keep an eye on this to see if the error occurs inline with then I’m provided a new IP. If so, I don’t think there is much I can do about this, as if Plex isn’t updating my IP on their servers, I have no way to force that.

@Lockie

I offered the DDNS option because there are those users who want the VPN as a means to hide their location and secure their PMS.

If your router is completely captive as you describe then there should be no issues whatsoever.

Intermittent down is the interval from when the VPN WAN IP changes to when PMS sends its next update (each hour).

The is nothing which can be done to detect this without PMS polling the address every minute.

Normally, PMS is notified of IP address changes (being on the same host) but since your VPN is in the router, it’s detached. Can it send notifications to the host ?

Why does the VPN matter. If it goes up/down, changes IP doesn’t .etc. Its not part of my Plex setup, I simply mentioned it to highlight why I’m running these by pass rules. Plex will always go via the “normal” WAN.

Of course from time to time the WAN IP will change but this is rare, but this still could be the cause of my issue, I’ll just have to be watchful to see if it is I guess.

Right so I’m now thinking this is nothing to do with my WAN IP but entirely to do with Plex.tv DNS and when it changes. As it is when the DNS changes that issues seem to appear.

My pfsense router doesn’t appear to be updating the DNS addresses often enough and so Remote Access appears to drop out.

I think by altering the “Aliases Hostnames Resolve Interval” from 300 to 60 could help. I’m going to give this a go and see if anything changes.

Perhaps its a combination of WAN IP and DNS update issues. I don’t know. I’ll update when I can.

Even if Plex.tv traffic bypasses the VPN, but other outbound traffic IS stuffed down the VPN, I would expect problems.

Even if Plex.tv is fully excluded from the VPN, actual client traffic won’t be.

Consider an incoming request to the Plex server from a Plex client on a random remote IP address.

The request packets will hit the WAN address and be forwarded to Plex. Good so far.

But when Plex responds to the remote client, since there’s no exclusion rule for the remote IP, the response will be sent over the VPN.

The response will fail. Stateful firewalls and NAT systems need to see both directions of traffic flow through them.

The client may fall back to a “Relay” connection if that’s available.

I don’t know of any that support Automatic/UPnP-IGD/PCP. (Maybe that’s nonsensical over VPN anyway.)

Mullvad (highly recommended) allows manual port forwarding. I imagine there are other providers that also do.

Maybe that’s the most reliable option - pass all traffic through the VPN. Forward a port via the VPN, not the WAN router.

That works really well when the VPN is on the same server as Plex.

If the VPN is terminated by pfSense, pfSense would also need to forward the port to the Plex server. I wonder if that’s possible in PfSense.

I’d want to test performance first, but it could work.

It’s been a few days now since I had an issue.

The fix seems to be altering within PFsense “Aliases Hostnames Resolve Interval” from 300 to 60 (seconds). This means it should request the DNS of plex.tv more often catching any changes and as a result if/when my WAN changes the value is updated more readily. So when users try to connect via the TV app for example, the service functions as expected.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.