Plex Remote service not working through Palo Alto Firewall

Server Version#: 1.21.1.3830
Player Version#:

I recently replaced my previous firewall/router solution with a Palo Alto PA-220. In doing so I have seemingly lost the ability to initiate remote access - it is enabled and manually set to 32400. On my previous solution I had UPnP disabled and port 32400 forwarded, and had no issues with remote connections.
I have created the associated NAT and Security Rules for Plex, but it seems to connect only for a brief moment before losing the connection. The images below are of my NAT and Security Rules.


According to Monitor on the firewall, when I attempt to retry there is a DNS request and a reply with IP 99.81.153.144 (Amazon EC2) and 99.81.164.127 (Vodafone Italia),
an SSL connection to .144, then a web-browsing request from .127 that flags as tcp-fin, and another SSL from .144 that flags tcp-rst-from-server.
These IPs change every time I attempt, and they’re not on Plex’s whitelist.

In Wireshark there is
[TCP DUP ACK 51228 → 32400] [TCP Previous segment not captured] then [TCP Out-of-Order] 32400 → 51228 [ACK]
then it starts another attempt from another port, 55756, and so on until it stops trying to establish remote connectivity.

Is there something I’m missing on my NAT or Security policies? Any suggestions would be greatly appreciated.

I did a complete reinstall of Plex this afternoon to 1.21.1.3842 and still no luck.

Anyone have any suggestions?

@CChiarello,

I have a Zyxel firewall. In mine, I had to set up the service (TCP:32400), host (PMS IP), add a firewall rule to allow the PMS inbound (from=WAN, to=LAN1, source=ANY, destination=PMS, service=TCP:32400, action=ALLOW), and then add the NAT rule (name=NAT_PMS, interface=WAN, source ip=ANY, external ip=WAN_IP, internal server=PMS, external port=TCP:32400, internal port=TCP:32400).

I’m not aware of how the Palo Alto firewall OS is set up, but I hope this helps.

Cheers,
Brad

Thanks Brad,

I have changed my whole setup again to use my PA-220 as a bump, and I noticed something.
I’m not receiving a SYN-ACK back from Plex’s EC2, so my connection shows as incomplete and ages out.

Anyone else seen this happen?
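The symptoms in the posts above (sessions on 32400 that show as incomplete and age out, or end with tcp-rst-from-server) can be told apart quickly from the firewall's traffic log. The following is an added example, not code from the thread or from Plex or Palo Alto: it triages constructed, simplified PAN-OS-style traffic log rows for the published port and maps each session end reason to what it implies about the NAT/security path. The column set and the sample rows are assumptions modelled on what the thread describes; a real export has many more fields, so adapt the header names to your own log.

```python
"""Triage PAN-OS-style traffic log rows for a published service port.

Added example for the thread; the CSV below is a constructed, simplified subset of a
PAN-OS traffic log export (assumption: real exports carry many more columns).
"""
import csv
import io
from collections import Counter

# Constructed sample rows, modelled on the end reasons mentioned in the thread.
# dst is the post-NAT Plex host; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
app,src,dst,dport,action,session_end_reason,rule
dns,192.168.1.10,192.0.2.53,53,allow,aged-out,Outbound-Any
ssl,192.168.1.10,99.81.153.144,443,allow,tcp-fin,Outbound-Any
web-browsing,99.81.164.127,192.168.1.10,32400,allow,tcp-fin,Plex-Inbound
ssl,99.81.153.144,192.168.1.10,32400,allow,tcp-rst-from-server,Plex-Inbound
incomplete,99.81.153.144,192.168.1.10,32400,allow,aged-out,Plex-Inbound
incomplete,99.81.164.127,192.168.1.10,32400,allow,aged-out,Plex-Inbound
ssl,203.0.113.7,192.168.1.10,32400,deny,policy-deny,interzone-default
"""

# (app, session_end_reason) -> short code. "*" matches any app.
# In PAN-OS logs "server" means the session's destination, i.e. the NATed
# Plex host for an inbound session.
REASON_CODES = {
    ("incomplete", "aged-out"): "handshake-failed",
    ("*", "tcp-rst-from-server"): "server-reset",
    ("*", "policy-deny"): "policy-denied",
    ("*", "tcp-fin"): "ok",
}

EXPLANATION = {
    "handshake-failed": "three-way handshake never completed (no SYN-ACK seen): "
                        "check the NAT destination translation and that the Plex host is listening",
    "server-reset": "the Plex host reset the session: the packet arrived but the service refused it",
    "policy-denied": "no allow rule matched: check zones, service/port and App-ID on the security rule",
    "ok": "session completed normally",
    "unclassified": "end reason not mapped; inspect the row by hand",
}


def parse_log(csv_text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def classify(row):
    """Map one row to a short diagnostic code."""
    reason = row["session_end_reason"]
    code = REASON_CODES.get((row["app"], reason))
    if code is None:
        code = REASON_CODES.get(("*", reason), "unclassified")
    return code


def triage(csv_text, port=32400):
    """Summarise sessions to `port`: counts per code and the sources behind each code."""
    rows = [r for r in parse_log(csv_text) if int(r["dport"]) == port]
    by_code = Counter(classify(r) for r in rows)
    sources = {}
    for r in rows:
        sources.setdefault(classify(r), set()).add(r["src"])
    return {
        "sessions": len(rows),
        "by_code": dict(by_code),
        "sources": {code: sorted(ips) for code, ips in sources.items()},
    }


def report(csv_text, port=32400):
    """Human-readable summary for the console."""
    result = triage(csv_text, port)
    lines = [f"{result['sessions']} session(s) to port {port}"]
    for code, count in sorted(result["by_code"].items()):
        ips = ", ".join(result["sources"][code])
        lines.append(f"  {code:17s} x{count}  from {ips}\n      -> {EXPLANATION[code]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against an export of your own traffic log filtered to the Plex port. A high share of handshake-failed rows points at the NAT or the host (the SYN reaches the firewall but the translated host never answers), server-reset rows mean the translation works and the problem is on the Plex host or its TLS settings, and policy-denied rows mean the security rule itself is not matching.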

I just got my setup w/ PA-220 working. Your NAT and security rules look ok. I might suggest adding the trusted network to the NAT rule's source zone. I was told that sometimes there might be some traffic that tries to go back to the original machine.

My issue ultimately was that I had both the service destination port and source port set to 32400 (it should just be the destination port). But it looks like you are using any for the service, so it should be ok.

Hi bud,

Are you still having an issue with this? I had the same issue as you and identified it to be (with the help of a friend) that the Palo can’t identify what type of traffic is coming through, as it only sees the encrypted packets.

A quick note: you don’t need DNS as an application for Plex remote access in your security rule. You only need SSL if your connections are set to secure in PMS itself.

The two ways to fix this are to use a custom service rather than App-ID, or to turn off secure connections on the Plex Media Server itself. I wouldn’t recommend the latter, because someone could try to access your devices using apps on non-standard ports (like RDP on port 80, for example).

I have mine set up with a custom service containing my custom port for Plex, 80, and 443. I have locked it down to only allow traffic from the Plex AWS IPs and from some family/friends whose IPs I have.

I haven’t yet looked into SSL decryption but that is another option potentially if you can get the required certs from Plex.

If you’d like more help or some screenshots to explain, please let me know.