Remote access still won't work. What am I missing?

Hello all! I am trying to configure my server for remote client access, however I am running into an unknown issue. No matter what I do, I can’t seem to get remote access to work. Here’s some background info on my set up:

• Unraid version 6.9.2
• Running the official PMS docker app version 1.25.2.5319
• Secure Network connections: Preferred (tried every setting here with no luck)
• Preferred Network Interface: any

It’s important for me to note that I’m not the network admin for my household, so I’m not familiar with all of the routers and whatnot, but I am working with him to figure out the issue. We tried connecting remotely with the admin checking the firewall logs to see all connections, however no connection attempts popped up using the public IP address for my server. We went ahead and disabled the firewall for my Plex server to see if anything was being blocked, but it still will not connect.

We’ve tried port forwarding to no avail and also, If i understood him correctly, the firewall is the only thing handling NAT, so it shouldn’t be a double-NAT issue.

Not sure were to go from here. Any help is appreciated. Let me know if there is any other information that is needed. Thanks!

Have you tried with Relay? Enable it in Settings → Network → Enable Relay near the bottom with Advanced Options shown.

More information here: Accessing a Server Through Relay

Hi and thanks for the reply! Relay works, but I really want to get remote access working directly since Relay is an option for redundancy. Not to mention the limited bandwidth.

Here’s the page on setting up remote access: Remote Access

I’m assuming you have a single router/firewall between your plex server and the ISP. If you’re not able to get plex working with port forwarding, you might try a point to point vpn, but that’ll still require port forwarding.

Without more specific information about your firewall, that’s all I can say. You’ll need to post details about your router/firewall/ISP configuration for additional assistance on that. There could be a possibility that your ISP is blocking incoming connection requests if they do additional security beyond your router. If that’s the case, you’ll need to log into their system to modify that or contact them about it, assuming you have port forwarding setup correctly.

Is your server connected to a public ip or were you just testing the port forwarding? PMS does not work well on a public facing ip.

Thanks for your help! I’ll try to get those details from the admin tomorrow. For now, here’s what I do know:

• The ISP is AT&T and port 32400 isn’t blocked by them.
• There is a router, however all Port forwarding seems to be handled by the firewall (Cisco firewall device)
• I believe it is a single router and firewall configuration (have to double check this though)

The server is connected to a private IP, however I was under the impression that Plex uses my Public address in order to connect clients directly. For example: Client requests connection → It goes to the Plex worker nodes → Workers redirect the client to my Public facing IP → Router and firewall works together to redirect the request to my private (Plex server) IP. I’m not too knowledgeable about networking so I could be wrong.

Also, here’s some more information.

remote1008×380 157 KB

This is what I see when I try to turn on remote access. I’ve tried manually specifying port 32400 and leaving it default, but both settings aren’t working.

I think the problem might be related to this. The ports should have been forwarded, but it will not connect on canyouseeme. I’ve tried the site out on both my internal and external network to no avail. I’ve also tried checking port 80 of my external IP on the same site, but it still wouldn’t work either. Not sure what this means.

Plex is designed to work on a local area network (LAN) so it expects to have a private ip address. Your ip being a public ip won’t work.

What you need is a router. Connect your incoming to that, then your server to the router. Your public ip should then appear as the 144 address and your private will be whatever your router assigns your server.

Edit - just read up a bit. If someone else handles the local router, they configured it wrong. They are using a private ip address range starting with 144. That is not a valid private ip range.

It is possible that the 144 address could be valid if it’s an IANA assigned address and not being used in private space. I don’t know about Plex not being able to work if it’s not using a private address, but it could cause issues with routing if that address hasn’t been specifically assigned to your organization. If that is the case, then the LAN address space has been setup incorrectly.

It’s a simple task to put a router in place to generate a private IP subnet range, but if there is an issue with the LAN IP range as mentioned above, you will most likely still have a problem and I could be wrong, but I don’t think this would solve the problem for you. I guess the first step would be to find out if the 144… subnet is a valid IP range or not and go from there. If it is valid, then you could put a cheap router in place to try, but it likely wouldn’t be necessary. My guess is MovieFan.Plex is right and it’s likely setup with the wrong address space, which would mean your network is creating a routing issue and an additional router most likely won’t fix it.

However, if you can establish a vpn though that router, the wrong addressing on the LAN wouldn’t matter because you’d bypass it. I don’t know if there would still be an issue or not with getting the tunnel packets back though.

I believe the address PMS will allow for private are hard coded so it doesn’t matter if it’s being used or not. The IPs that are allowed should be those in the 10, 172, and 192 ranges.

@Aquaman and @anon18523487 – Hi! Thank you both so much for your help so far! I feel like we’re close to a solution here. I was able to do some more troubleshooting yesterday with some peculiar results.

When I toggle on enable remote access on my Plex server, this is what happens in the background:

Jan 02, 2022 18:40:02.773 [0x1504cdb14b38] DEBUG - MyPlex: Toggling server publish state.
Jan 02, 2022 18:40:02.773 [0x1504cdb14b38] DEBUG - MyPlex: start public ip check and mapping - current mapped state: 'Mapped - Not Published (Not Reachable)'.
Jan 02, 2022 18:40:02.773 [0x1504cdb14b38] DEBUG - MyPlex: mapping state set to 'Not Mapped'.
Jan 02, 2022 18:40:02.773 [0x1504cdb14b38] DEBUG - PublicAddressManager: Starting.
Jan 02, 2022 18:40:02.773 [0x1504cdb14b38] DEBUG - PublicAddressManager: Obtaining public address and mapping port.
Jan 02, 2022 18:40:02.773 [0x1504cc251b38] DEBUG - PublicAddressManager: Obtaining public IP.
Jan 02, 2022 18:40:02.773 [0x1504cc251b38] DEBUG - HTTP requesting GET http://plex.tv/pms/:/ip
Jan 02, 2022 18:40:03.099 [0x1504cc251b38] DEBUG - HTTP/2.0 (0.3s) 200 response from GET http://plex.tv/pms/:/ip
Jan 02, 2022 18:40:03.099 [0x1504cc251b38] DEBUG - PublicAddressManager: Got public IP from http://plex.tv: 107.X.X.X
Jan 02, 2022 18:40:28.713 [0x1504cc251b38] DEBUG - HTTP requesting GET https://107-X-X-X.[stuff].plex.direct:32400/identity
Jan 02, 2022 18:40:31.718 [0x1504cc251b38] DEBUG - MyPlex: Sending Server Info to myPlex (user=m*******************.com, ip=**[This is blank for some reason. Shouldn't my IP be listed here?]**, port=32400)

Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: Published Mapping State response was 201
Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: Got response for [stuff] ~ registered 107.X.X.X:32400
Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: updating mapped state - current state: 'Mapped - Not Published'
Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: mapping state set to 'Mapped - Publishing'.
Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: async reachability check - current mapped state: 'Mapped - Publishing'.
Jan 02, 2022 18:40:31.880 [0x1504cc251b38] DEBUG - MyPlex: Requesting reachability check.

Jan 02, 2022 18:40:37.171 [0x1504cc6d6b38] DEBUG - EventSource: Got event [data] '<Message address="107.X.X.X" port="32400" asyncIdentifier="[stuff]" connectivity="0" command="notifyConnectivity"/>'
Jan 02, 2022 18:40:37.171 [0x1504cc6d6b38] DEBUG - PubSub: Got notified of reachability for async identifier [stuff]: 0 for 107.X.X.X:32400 (responded in 5142 ms)
Jan 02, 2022 18:40:37.171 [0x1504cc6d6b38] DEBUG - MyPlex: reachability check - current mapping state: 'Mapped - Publishing'.
Jan 02, 2022 18:40:37.171 [0x1504cc6d6b38] DEBUG - MyPlex: mapping state set to 'Mapped - Not Published (Not Reachable)'.

(Some stuff has been sanitized above. Please let me know if I missed anything)

From the looks of it, Plex ends up pulling the correct public IP and tries to see it it’s reachable on port 32400, however it’s not. That led me to believe that maybe something was blocking the connection, so me and the admin took a look at it.

When it comes to the firewall, my understanding is that it is the first point of contact on the network and it handles NAT and port forwarding. My admin has stated that it is the only device that handles NAT so it shouldn’t be a double NAT situation. We did a packet trace for both the private (144.x.x.x) and public (107.x.x.x) address and external items are able to connect using port 32400, so the port isn’t blocked.

So we decided to try to connect to my server externally using Plex Web and the Plex IOS app and monitor the results. First, we tried monitoring the network for the worker IP addresses that Plex has here. But there was no connect attempt from any of them. We then decided to monitor port 32400 to see any connections, but nothing tried. The only way we were able to see a connection attempt is if I typed in my public IP and the Plex port in the device web browsers. (Like this: 107.x.x.x:32400)

Now we’re both a little confused. What method does Plex use to directly connect clients to my network? I though it used the public IP and Plex port, but now I don’t know.

As for both of your posts regarding my private (144.x.x.x) IP. I didn’t know that was an issue. Do you think it may be the reason why Plex isn’t showing a connection at all on the firewall?

Tl;dr – Plex pulls my public IP and tries to connect at port 32400, but says it’s not reachable. Packet tracing shows that it is reachable and when I try to connect to my server externally on the Plex web and IOS apps there is no hit on my firewall. How does Plex directly connect clients to my server?

I think the 144 address could well be an issue. @anon18523487 seems adamant that you must have a private IP. I don’t know about that either way. However, if you’re using a public IP (144.x.x.x) as a private IP, then you could have routing issues. The problem is that IP range exists somewhere else and internet routers have routes that direct traffic to those IPs. A router may see that as something that needs to be routed to where the IP range really exists as opposed to try to get it into your private area because routers generally choose the shortest path (if using OSPF). There could have been an inadvertent conflict setup due to using a public subnet range in private space. I would speak with your admin about this to find out why you’re using that range and see if it makes send to switch to an actual private range.

@Aquaman Thanks for the explanation! I am going to talk to my Admin asap and try to get it changed.

While that will probably be an issue down the line, the current issue is Plex is not using my public address (107.x.x.x) to connect clients to my server. We’ve monitored the firewall using both my public IP and port 32400 (which I specified my server to use), but we’re getting no hits when trying out remote access.

Do you know of any resource that shows exactly what Plex does behind the scenes to connect clients to my server? Thanks!

Edit:

Also, is there a list of IPs and ports that Plex uses for connecting remote clients?

We’ve monitored the network for the worker addresses found in a link on the ‘troubleshooting remote access’ help page under the IPs being blocked section.

We’ve also monitored the network for the ports found here.

We had no hits so far.

If your admin is using a router with Firewall, he’s need to make sure the the port is open in the firewall and that he is forwarding that port to your assigned IP.

Right now, I can’t even ping that 107 address, which means the router is not setup to accept random pings. Having that enabled temporarily would help with diagnostics. Otherwise, he would need to setup an open port and a port forward to a machine that can accept the ping, like your Plex server. Right now those things are closed.

This really sounds like your admin has not setup the LAN properly to forward calls to the server back to your Plex server. For Plex remote access to work, you only need 1 port open. 32400 is what most use to match the internal port, but it can be anything. I personally don’t use 32400. There are some unscrupulous people out there who just ping every IP at port 32400 to see if there is a Plex server.

Plex is not using my public address (107.x.x.x) to connect clients to my server.

Your server needs to send that IP up to Plex.tv, then Plex.tv will verify it’s correct, then clients get that IP from Plex.tv. Your server isn’t making it pass these first 2 steps so clients will not know to use that IP. This matches my inability to ping that 107 address.

If you’re getting no hits, that might fit with my explanation of those packets being routed elsewhere for the 144 IP space. They’re never coming to your router.

The way routing works is it uses physical addresses (MAC) to send packets wrapped in an Ethernet frame. These ethernet frames are what routers are forwarding based on ARP tables. The tables in the routers link the IP addresses to the MAC addresses so they can send the packets to the appropriate physical address or to the next hop (router). If it’s looking for a 144 address, it’s getting routed elsewhere. You wouldn’t see that traffic hitting your firewall’s external interface.

The reason you’re able to send packets out of your network, like a web browser, and get those packets back is because you are establishing a TCP session with the website you are visiting. You have an active connection that was initiated from inside your network, so your router is having those packets sent back to it, using it’s 107 public IP address. I don’t know what the deal is if 107 is specified as your public IP range and 144 as the private on the remote settings page. It’s possible plex doesn’t know how to resolve that and is trying to send it straight to 144. From this page, if your server does actually have a public IP, they show the loopback address of 127.0.0.1 for the private address. I don’t know if that example was intentional or just an example to represent IP addresses.

It sounds like any private range can be used. Here is a list from IANA. Private-Use ranges are:

• 10.0.0.0/8
• 172.16.0.0/12
• 192.168.0.0/16

You can use any subnet within these ranges for private ranges. I believe your registration of your plex server with your plex account will identify the public IP and port needed to get it there, assuming your network is setup correctly.

To ping the WAN side of the router, you’ll want to accept ICMP echo requests and allow replies. However, this test could still be inconclusive if you’re having a routing issue caused by hosting public IPs in private space. You would want to ping the 144 IP addresses with some form of packet capture turned on to see if those packets are actually coming to your outer router and are being allowed into the 144 network. You won’t be able to ping an inner IP address unless you port forward ICMP packets through your router as well. You could run wireshark or netmon on the server side to see the incoming packets. Depending on your firewall, you might also be able to view logs on that to see the traffic. If you’re running linux you could use tcpdump.

Finally was able to figure this out!

We created a DMZ for my Plex server and have it running up there. We also changed the private address to an address within the proper private address range. Thanks @anon18523487 and @Aquaman for all your help!

Here is what we put into the Cisco ASA firewall to allow my server to communicate:

object network [Your Plex server name here]
host [your plex server private IP here]
description [description for your server]

object service 32400_out
service tcp source eq 32400
object service 32400_in
service tcp source eq 32400

nat (inside,outside)source static [Plex server name] interface service 32400_in 32400_out

access-list outside_access_in extended permit tcp any object [Plex Server name] eq
32400_in log

Cheers mate.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.