Yes, 10.0.0.X is the primary Internet service so unfortunately I can’t remove or disable the gateway.
I actually thought about plugging the 10.0.0.x network into the QNAP’s second LAN port in the hopes that it would enumerate as eth2, which would allow me to disconnect eth0 and hopefully make Plex see eth1 as the “primary” connection, but it’s just as likely the onboard adapter takes priority and pushes the virtual adapter up to eth2 instead.
Is the 172.28.x.x a second internet provider that has its own equipment and you have 2 public IPs? or is it a device behind your 10.0.0.x network and you have 1 public IP?
You could try removing the gateway on the 10.0.0.x network of the Qnap and seeing if plex then is able to connect directly. Also, in the dashboard under settings > remote access it will tell you what your PMS is expecting for an open port to the public internet.
I don’t actually have a public IP at all. The ISP uses CGNAT, where multiple users all simutaneously share the same public IP address. This works fine for outbound connections like any other NAT, but incoming connections wouldn’t know “which” instance of a specific IP they needed to connect to, so port forwarding etc is not possible.
172.28.x.x is a virtual LAN that runs on top of the ISP connection, providing a tunnel so devices on the VLAN can all see and communicate with each other on any port just like they were on a real local network.
Also, in the dashboard under settings > remote access it will tell you what your PMS is expecting for an open port to the public internet
It should be seen as a local connection, not using remote access at all. And this works just fine for web browsers, but nobody seems to know why it’s not working for the Plex client, other than it seems to be caching bad connection information somehow. in the Plex directory.
Then this is why you get the indirect connection on the apps. I suspect that you are going to your local ip instead of app.plex.tv when you play from the browser. They need to have a port open on the public internet that routes to the port of your PMS. Yes even when they are local, Plex does some automagic when it detects the connection is from the internal network so it doesn’t actually loop around.
On some of the TV version of the apps you can specify a local server address in settings. Not sure if that is available on mobile or not.
Plex apps use the information published to their servers to determine where they should connect. The fact that it is showing “Indirect” for a local client implies that something is going wrong with either the publishing of the connection information, or the name resolution of their plex.direct address.
@PlexUser01 If you connect via browser to https://app.plex.tv do you see that same behavior when you play content (Indirect shown on the dashboard)? If you do, try setting that system’s DNS server to 1.1.1.1 and try again (you may need to flush your DNS cache).
Also, do you use multiple VLANs in your network? If so, do you have routes explicitly configured to allow connections to your Plex server between your logical networks?
@PlexUser01 what is the router providing the 10.0.0.x LAN internet show as it’s wan ip address? is it also a 172.28.x.x address? or is it a CGNAT IP which should be in the 100.64.0.0/10 range (100.64.0.0 to 100.127.255.255).
The thing I’m having trouble wrapping my head around with your LAN setup is the need for two separate LANs. Both do the same thing, and from what I’m gathering the 12.28.x.x. network is provided and controlled by your ISP and may also be shared with other clients of theirs.
No, it still shows up as a Local connection, however I notice it’s showing a different connection speed (6Mbps vs 10Gbps) and using a different playback method (Direct Play vs Transcode/Direct Stream).
I’m not sure the significance of that.
10.0.0.x addressing is provided by an ASUS router on 10.0.0.1 functioning as the DHCP server and gateway for the internal network. Not sure the exact model other than it’s fairly new, so probably one of the 802.11ac ones. The WAN port on the router is connected to the ISP gateway.
172.28.x.x addressing only exists for individual devices running the ZeroTier software, which creates a virtual adapter and connects it to a virtual LAN using whatever addressing scheme you select. (the default is 172.28.x.x). All devices are assigned static IPs in the ZeroTier control panel at the time they are authorized on the network.
It’s not two separate LANs tho, it’s one physical LAN and one virtual LAN running on top of it. I’m sure you understand the use of VPNs to get around ISP limitations. You may not be familiar with ZeroTier but it’s basically similar to FreeLAN, WireGuard, OpenVPN, etc. but as a “freemium” service platform.
Ok, now I understand. You are not actually using a vLAN, but a VPN. If you want to use a VPN to get around the limitation of your ISP not being able to allow port forwarding setup the VPN connection on your router, not your clients. You essentially have two ISP with completely separate routers with completely separate local area networks connected to each device and Plex has no idea where to send the packets.
What you should do is set the local clients to prefer the 10.0.0.x address. Do not connect those devices to the ZeroTier VPN when you are actually home, just use the 10.0.0.x LAN. If ZeroTier Supports port forwarding use that to for remote connections so you are not using indirect when outside of your home. Otherwise, the ZeroTier connections are doing you absolutly no good as the 10.0.0.X address will take care of this within your own home.
@pshanew is Split Tunneling the solution here too? Maybe CGNAT gets in the way as the user wants PMS to be public. Does the router solution VTron21 posted just work?
Honestly, I’m not sure. Reading back through the first few posts in the thread, I’m unsure if remote access was always the problem and it just wasn’t clearly stated. If so, then yes, I agree that split tunneling could be a likely candidate as a solution. Or at least selective tunneling. Since Plex determines the address to use for inbound connections based on what it sees as the source of outbound connections to their servers, we need to manipulate the source address of outbound connections from the server. Usually that’s done by configuring the interface metric/priority in the outbound routes.
I was under the impression that VPN was a point-to-point tunnel and VLAN was one-to-many? I guess I was forgetting that in this case ZeroTier is serving as the intermediary, so it technically is still just point-to-point like a VPN. I apologize for my confusing terminology.
This is already the case. Whenever I’m at the 10.0.0.x location, I simply turn off ZeroTier on my devices and use the local WiFi addressing. I only use ZeroTier when I’m at another location because there’s no other way to connect to the Plex server.
The only way to run ZeroTier on my router would be to wipe the firmware and install OpenWRT, and since I’ve never done that before I’m somewhat hesitant to try, unless I’m totally confident it will actually solve the Plex limitation of expecting Remote Access on eth0.
VLAN or Virtual Local Area Network is a technology that runs on a switch making a single switch act like it’s two in its simplest form.
I did look at what ZeroTeir offers on their site. And it looks like it would support a scenario where each device should act as if they are on the same LAN even though they may be in different physical locations. But I’m not sure if that is possible in this situation. but you’d probably have to set the prefered network to any on your PMS
I actually tried this first with ZeroTier: I wanted it to use the same 10.0.0.x addressing as the local network and then use static addressing or DHCP reservation to divide the subnet between local and remote devices.
Unfortunately, I ran into the problem when these devices would join other networks that also used 10.0.0.x addressing (very common I discovered!) and there ended up being two 10.0.0.1 gateways suddenly. Since nobody ever seems to use 172.28.x.x addressing, I realized this would be much safer for portable devices like phones and tablets.
I’m sure it’s a solvable problem (e.g. make my gateway something unusual) but dickering with settings manually with almost no documentation was frustrating as hell, and while I’d happily pay for support, ZeroTier only offer paid support to Enterprise accounts. Non-Enterprise accounts are stuck with the community forums which are basically dead.
I wish I had some idea whether it’s going to be easier to get Plex to work on the 172.28.x.x subnet, or to get ZeroTier to use the 10.0.0.x one.
Well In theory you should be able to have plex use two separate physical networks. Were both networks have their own internet connection and have devices on the either local network should play as local. Hence it works on a laptop in a browser. I take it the apps that are not working are your phones. It’s possible that the ZeroTier app on the phone is not able to override the internet routing for the Plex app on your phone and it is using your carrier or Wi-Fi connection only
In theory yes, in actuality no due to Plex’s poor handling of multiple adapters. I see no possible advantage to forcing the first enumerated adapter to be the Remote Access connection versus letting the server owner choose from an enumerated list of available adapters. It’s just making bad assumptions, imo.
I don’t mean to sound snotty, but if Plex’s own custom-designed client application does a worse job connecting than a web browser following a design from 1981, I think that’s a clear sign something has gone off the tracks. Plex is reinventing the wheel by using the directory to try and manage remote connections, except it’s doing a worse job than simply asking the user for an IP.
At the end of the day, indirect connections aren’t the end of the world. I lose quality because it only streams SD, which kinda sucks, but I can always just download it to play it locally if that’s an issue. Which sorta means I overpaid for a glorified FTP server, but it is what it is.
You are trying to do this by spoofing that you are locally connected to the same lan as Plex because your ISP does not allow you to use port forwarding. This is why you get the indirect connection. Your devices cannot connect to Plex through the public IP your internet connection uses. So understanding this the issue is not really a Plex issue but a networking issue.
I didn’t really want to use the it works for me argument. But I do have 2 nics on my Plex, one for my PCs and mobile devices, one for my hdhomerun tuners (I don’t want them advertised on my primary lan) both LANs can route to the internet. Only my eth0 address is accessable to the public internet through port forwarding. However when use any local network is selected in Plex is selected a Device on the second lan will be detected as local.
So this leads me to believe the app that your vpn provider uses is not able to route all connections to the private network it creates for all apps.
Can you even get to your plex’s 172.28 address from the browser on your phone when you are not home? If that won’t even work the app won’t either.
It’s really not. What’s being lost here is why Plex is doing things the way they are. In order for them to provide free, secure (HTTPS-based) connections for remote clients to your server, certain conditions must exist. One of those conditions is that connections must be possible to a known address, via a URL which is generated by Plex and which is secured by a freely-provided wildcard cert dedicated your *.plex.direct host as outlined above.
The way that they determine which IP address to use for remote connections is to determine the source address used from your server to their own (MyPlex messages in your logging). It has nothing to do with the preferred interface you pick in your server settings. That is used solely for determining what it uses for local connections.
Using the method I described earlier in this thread for determining what connection resources are published on Plex’s servers, you can see what your remote IP address is. You need to use that connection information to ensure port forwarding to that address/port combination is configured properly on your router. If this represents a VPN server, either by a 3rd-party provider or something you manage, the forwarding needs to be performed there.
Alternatively, Plex provides a completely separate mechanism to provide remote access to a server: Custom server access URLs. This allows one to manually configure the URL which Plex publishes for public access to a server. One still needs to provide port forwarding for connections to the published address to the internal server, but it allows for finer-grained controls over exactly what is used for such remote connections. Again, this is configured completely separately of remote access; indeed, remote access is generally disabled when using this other mechanism.
At this point, I’d recommend that you completely restate your use case, explaining exactly what your network topology looks like, and from where you expect to see connections. Include the source networks in this description, including IP address examples.
I was going to request a similar thing - restate the goal, including little obvious dumb details.
Or even better, draw a picture.
I don’t expect Plex to automatically register a VPN adapter. But it should be easy to add the IP as a custom server access URL.
(It shouldn’t be necessary to craft the URL as mentioned above. http://ip.ad.dr.es:32400 should be enough. These days Plex will automatically add the cert and UUID details. But can we start with a “dumb” restatement of the problem?)
Right here in my hand I have an iPhone with WiFi turned off (only cellular connection) and ZeroTier VPN connected. I’m not at the location where the Plex server is. Yes, I can still connect to PMS. When I connect via the web browser, Dashboard shows me as a 172.28.x.x IP address connecting locally.
On the same device, with the same connection, opening Plex client and connecting to the same server, it shows me as an indirect connection. Why?
The only clue I can find is by looking at the Plex directory,. This is what is shows for that client (X = redacted)
<Device name="XXXXXXXXXXXX" product="Plex for iOS" productVersion="8.11.1"
platform="iOS" platformVersion="15.4" device="iPhone"
clientIdentifier="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
createdAt="XXXXXXXXXX" lastSeenAt="XXXXXXXXXX"
provides="client,controller,sync-target,player,pubsub-player,provider-playback"
owned="1" publicAddress="XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX"
publicAddressMatches="0" presence="0">
<Connection protocol="http" address="10.0.0.X" port="32500"
uri="http://10.0.0.X:32500" local="1"/>
Why does that “Connection protocol” line have a 10.0.0.x address? I can only guess because the first time that specific device ever ran Plex, it was on WiFi and had that 10.0.0.x address. But obviously, that’s not the address it has currently. Plex sees my most recent address was the IPv6 address from my cellular provider. And the Plex server still sees it as 172.28.x.x address.
So why is this directory not updating, or why can’t I control what’s in the Plex directory to remove incorrect information and enter the correct information? If there was some way to get this “Connection protocol” to list the 172.28.x.x address, maybe PMS to see it as a local client.
Regardless, I believe my previous point stands: remote Plex access works from anywhere, anytime, from any device using a web browser. It’s a failing for a dedicated application to not be able to accomplish at least this much.
PS - Happy Thanksgiving, thank you for your continued advice
