Server Version#:1.21.1.3876
Player Version#:4.49.2
I have a PMS that is behind a Palo PA220. I managed to get Remote Access working finally (none of the tips or recommendations on here worked) by creating a security rule that allows web traffic through to my inside zone (dest WAN IP) with applications Plex and SSL using any service (so non-standard ports could be used for Plex and SSL). In order to make this rule as safe as possible, I created a dynamic address group using your dynamic EC2 IP list. I plugged that group into the approved source list for the security rule and, lo and behold, remote access stops working… BUT on my LAN it works, and in the admin console it shows remote access is working.
Has anyone experienced anything like this before? How often does that IP range get updated; is it real time? Are there other IPs that I need to whitelist for Plex? Clearly my server can see Plex’s EC2, but the remote connection coming back is an issue.
Did you also include the WAN IP addresses of the remote clients which will be accessing your server? The fact that the server shows itself as being available from outside of your network implies that the list is working, inasmuch as Plex’s servers are able to successfully check connectivity.
I have not added the WAN IPs of the remote clients, as these are friends and family with dynamic IPs from their ISPs. I assumed (I know, I know) that inbound traffic from remote clients would be routed through those EC2 servers. How does PMS handle the inbound connections? Are the clients directly connecting to my WAN, and Plex is essentially acting as a dynamic DNS client for my IP and serving that back to the client to connect to?
Connections from clients are only routed through Plex’s servers in the event that a direct connection cannot be made; this is Plex’s relay service:
Being bandwidth-limited as it is, relay is likely not what you want.
Otherwise, remote clients attempt to connect directly to your server via the addresses which it (the server) publishes to Plex, Inc. This direct connection requires that those clients’ WAN IP addresses be allowed by your rule as well. This is why firewall rules which include source address matching are generally not useful for Plex Media Server remote access.
I’m not entirely sure what you’re asking here. If you’re going to match source IP addresses on your inbound firewall rules, then those rules must include all the possible source IP addresses. You could ask your friends and family to obtain static IP addresses from their ISPs and use those in your rules.
Or, maybe you could have them set up a dynamic DNS service. There are some free ones out there. Once in place, check their FQDN occasionally to see if their IP address has changed and update your rules accordingly (or I think PA allows you to use an FQDN object for source matching).
I’ve really wanted to set up my PA220 just to monitor the Plex activity and log it. The relay process which they use is sketchy. After blocking China on the PA220 I could no longer use Plex. Now it may be that PA has a wrong subnet/IP range listed, but the IPs at the time seemed to be confirmed. I had all this posted a while back when the relay stuff was a mess.
@CChiarello > You could whitelist all inbounds to specific port and application (Plex is pre-configured/defined by PA). Although I am noticing specific attacks on ports 34200. You may want a reverse proxy in the DMZ to deal with that.
Personally, from my experience, the relay functions pretty much suck. Best to turn them off and have your friends/family connect directly. The quality of the relay is very limited as well.
I posted in another thread for you RE: Remote Access but you’ve got that bit working.
You need to either add the IP of your remote clients or have them set up a DDNS. My remote users all use no-ip and I’ve just added the FQDN addresses as objects into an address group, and then added that to my security rule.
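
The FQDN-object approach described in the last reply, sketched as PAN-OS configure-mode `set` commands. This is an added example, not configuration posted by anyone in the thread: every object name, zone name, hostname and IP address is a constructed placeholder, and `plex-ec2-list` stands in for the original poster's existing dynamic address group.

```text
# Added example. All names, hostnames and addresses are constructed placeholders.
# Lines starting with "#" are annotations only; do not paste them into the CLI.

# One FQDN address object per remote user's dynamic DNS hostname.
set address plex-user-alice fqdn alice-home.example.net
set address plex-user-bob fqdn bob-home.example.net

# Group the FQDN objects so the rule references a single source entry.
set address-group plex-remote-clients static [ plex-user-alice plex-user-bob ]

# Inbound rule. Source is restricted to the remote clients plus the existing
# Plex EC2 group (placeholder name), which covers Plex's connectivity check.
# The unrestricted variant of this rule would have "source any" instead.
set rulebase security rules plex-remote-in from outside to inside
set rulebase security rules plex-remote-in source [ plex-remote-clients plex-ec2-list ]
set rulebase security rules plex-remote-in destination 203.0.113.10
set rulebase security rules plex-remote-in application [ plex ssl ]
set rulebase security rules plex-remote-in service any
set rulebase security rules plex-remote-in action allow
set rulebase security rules plex-remote-in log-end yes
```

The firewall re-resolves FQDN objects periodically rather than per connection, so a client whose address has just changed stays blocked until its DDNS record updates and the firewall refreshes the object. A commit is required before the rule takes effect.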