Remote access through PIA VPN

Server Version#: 1.16.3.1433-359b06978 on Windows10
Player Version#: all players tried, but moot here. I’m looking at server settings directly.

My setup:
Frontier/Verizon FiOS router. Wi-fi and all other features disabled. Used only as connection to COAX. I have the DMZ set to route all traffic to IP of personal router which is a pair of Asus RT-AC68U’s running AIMesh. That internal router handles DHCP, firewall etc.

So I have a peculiar problem. I have found some threads that are similar and even read the “troubleshooting” docs. Even though I’m double-natted, I can get direct access without an issue…unless I’m behind my VPN. I run PIA on JUST my server. If I disable the VPN on that system I can direct connect just fine.

I reached out to PIA to see if there was a way to port forward 32400 and they said that they have nodes that can port forward but it’s a dynamic, random port assignment. Theoretically you can take that port for that server and put in as the public port in Plex and it should work…right?

It doesn’t.

I have also set my Asus router to port forward 32400 as well as the PIA assigned port to internal port 32400. Still doesn’t work. The only way I can get a direct connection is by disconnecting my VPN.

Has anyone had a similar setup and issue? What was the work around?

Thanks!

My best guess would be the double NAT is still causing you problems. Can you set the Verizon router to bridge / passthrough mode? Then your Asus router can truly handle all the routing on its own. I’ve had both Xfinity and CenturyLink, both had the ability to set their device in passthrough mode.

Going to try and replicate this issue here at home, I have Xfinity and PIA so it should be fairly similar.

Thanks. The thing is that if I don’t have PIA connected it works just fine. I thought that the DMZ meant the router essentially was just a bridge at that point?

Wouldn’t it be required that the Verizon router act as a router…ish because that’s the only thing that can get the external IP?

Ya that is a little odd.

Nope! Your Asus router is totally capable of using the external IP.

Right now the device you have from Frontier / Verizon is doing 2 things. Acting as a cable modem and a router - converting the cable (COAX) signal into a signal a router can recognize. The router part of it then gets assigned a public IP and does all your typical router stuff (NAT, DHCP, basic firewall, etc.)

Putting the device in passthrough mode takes out the router part of it. The device strictly acts as a cable modem, nothing more. You would then run an Ethernet cable from whatever port is specified in the passthrough mode config (for example, mine is LAN port 1) to the WAN port of your Asus router.

You might need to go through the Asus router settings and make sure NAT/DHCP/Firewall is all enabled.

What brand of Asus router? I’ll see if I can find the passthrough guide for Frontier/Verizon. Certainly possible they don’t actually publish it or allow it. Xfinity has a step by step guide, but when I did it with CenturyLink it took a whole lot of Googling and trial and error to get it working.

In general it’s easier to do with a cable connection vs DSL, so you should be alright.

You lost me here. It’s an Asus brand Asus router. lol

Did you mean the Verizon router? If so it’s an Actiontec MI424WR.

Appreciate the help!

Oops, sorry I meant what model, but I see it in your original post.

But this all may be irrelevant…found this article about your router and FiOS. Sounds like passthrough mode most likely isn’t an option.

Sorry!

Curious how else this could be resolved…

Just so I’m understanding correctly-

  1. Your Asus router is handling all the router services.
  2. Asus router has a static IP, which is then placed in the DMZ of your FiOS router.
  3. Plex and PIA are both running on the same server.
  4. When PIA is enabled, you can’t get Direct Connect to work.
  5. When PIA is disabled, Direct Connect works.

Is this for clients trying to connect from both on your LAN and remote?

  1. Correct
  2. It’s not TECHNICALLY static but it runs 24/7. I don’t think the IP has changed internally in a couple years, since I set up the Asus routers. If it did it’s a simple matter of changing which IP on the Actiontec is on the DMZ. There is only a single network client even listed on that Actiontec: the Asus router.
  3. Correct
  4. Correct
  5. Correct

When I log into the server directly (via Splashtop…it’s headless) the only factor that seems to matter for direct connection is whether PIA is connected or not. I’m watching the server dashboard directly in the web app (on the server via Splashtop) to see what it’s doing in different trials. I get direct server connections in all tested scenarios (local or remote) as long as PIA is disconnected on the server.

I was traveling the last couple weeks so I was using remote connections on the road on 4K Firesticks etc while PIA was connected. Now that I’m home the only option I have to try “remote” is my work laptop on my LAN, but over my corporate VPN. It works without issue even on VPN, but it forces an insecure, relay connection on corporate VPN and my bandwidth is limited which forces a transcode. I’m OK with that because I know it’s related to the VPN on my CLIENT system, not the server. The server still shows direct as long as PIA is off on the server. If I disconnect the VPN on laptop client I can direct play 1080/Atmos without transcoding.

I get a direct connection and can generally direct play even 4K/Atmos movies on my LAN (all my players are compatible) as long as the server PIA is off. If PIA is connected I can still direct play on my LAN (I think PIA is a split tunnel) and get a secure server connection but all my remote stuff is relayed.

As an experiment in the middle of typing this I decided to remote into the computer of a family member out of state and install the latest PMP. It seems to play fine when PIA is off on my server. I am able to direct play 1080, but due to bandwidth limitations on their end sometimes it transcodes. It is a direct secure connection though as long as PIA is disabled on server.

I found this interesting in the article you sent:

If your ONT is connected to the Actiontec MI424WR router via Coax (Nothing will be connected to the routers white WAN Ethernet port), the MI424WR is required due to the Coax connection. You may wish to contact Verizon and request that your ONT connection is changed from Coax to Ethernet. If this is done, the following procedure can be used.

Ethernet connection to the ONT:
However, if the ONT is connected to the MI424WR via Ethernet (An Ethernet cable will be connected to the routers white WAN Ethernet port), then in most cases even though the MI424WR cannot be bridged, it can be removed and another router substituted for it.

I wonder if that means an Ethernet cable can be plugged into the ONT and I can get rid of the Actiontec on my own? I am doubtful that I can just call Frontier and ask them to run new Ethernet cable for me with no value add for them…lol

I set up a similar scenario at my place with the same results - couldn’t get direct connect to work while PIA was on. Which I suppose makes sense…? You mentioned the only solution I could think of - port forwarding through both the router and through PIA.

Ok…next idea. No idea if it will work, might kill bandwidth, idk. I’ll try it tonight. This is going to depend on your ASUS router and if it has VPN Server capabilities. I run Merlin on my RT N66U which adds the VPN server capability.

I’ll do all of this with PIA enabled on the Plex server.

I’m going to create a simple OpenVPN profile on the Asus VPN server, tell it to use the same IP’s for clients as what my regular LAN is…download the config file and load it in to OpenVPN on my laptop. I’ll go to Starbucks or something, get on their wifi, then open Plex. With OpenVPN disabled, I’d expect to see the indirect connection to plex. Then I’ll enable OpenVPN…in theory making me pretty much a part of my LAN back home. I’d then expect Plex to show directly connected.

But this doesn’t solve the issue of streaming to a Firestick so maybe this is pointless.

For your last point - I guess it wouldn’t hurt to ask if they could set you up with Ethernet from the ONT instead of coax. I wouldn’t think you could just switch it on your own…not sure how long the cable run is from the ONT to your setup.

Maybe try bringing your Asus over to the ONT - unplugging the coax, then connecting via Ethernet? I’d assume they have to activate the Ethernet port though…who knows.

You know what, that might not work, since the ASUS isn’t actually being assigned a public IP…

@KaraokeAmerica but maybe this will work?

https://www.privateinternetaccess.com/helpdesk/guides/other-hardware/plex/how-to-set-up-plex-with-pia

@KaraokeAmerica any luck with that PIA guide? I’m going to try it myself tonight

Perhaps you can tell me. LOL

I’ve had a houseful this week so I haven’t tried it yet.

I think it worked for me…? The script had a couple lines that threw an error, but right now I have PIA turned on, and have a direct connection to Plex from here at the office.

We’ll see if it stays like this over the next few weeks.

Disregard, back to indirect. Hmmmmm

@KaraokeAmerica alright done testing over the past few days - the instruction here worked for me. PIA is always on, and I am able to get a direct connection when remote.

Nice! I’ve been out of pocket lately but I am going to try this ASAP!

Thanks!!!

Sorry for the slow response. Is this the instruction that you used ultimately?

Did you download the BAT file and use it or did you make your own from that text?

I’m extra cautious because these instructions seem to be all over the place, but from 4 years ago. I want to make sure I am using the latest, safest version.

Thanks again!

Yes, that is what I used. I downloaded the BAT file and opened it up to see what it was actually doing. Looks like it’s nothing more than a DNS lookup for the Plex servers, then adding a persistent route to your routing table telling all Plex traffic to use your regular default gateway instead of the VPN tunnel.

Is there any way to test something in Plex to see if it is really even trying to bypass PIA? How can we tell what Plex is trying to do in this regard?

Yes. Three ways. One, when you’re accessing it remotely, you should show a direct connection instead of indirect. Second way is from your host running Plex. I’ll paste in what I’m talking about below, but we can check the traffic routing to see any Plex traffic not go over the VPN. Third, when looking at the Remote Access setting on the Plex server, it should show as enabled and available.

These traces are all from my Plex server, with PIA enabled for all internet traffic. This is the path when I go to google. Only looking at the first hop here-

> C:\WINDOWS\system32>tracert 8.8.8.8
> 
> Tracing route to dns.google [8.8.8.8]
> over a maximum of 30 hops:
> 
>   1    13 ms    11 ms    11 ms  10.30.11.1

10.30.11.1 is my PIA gateway IP. Now watch a trace to one of the Plex IP’s returned from the DNS lookup the batch file runs.

> C:\WINDOWS\system32>tracert 99.80.231.223
> 
> Tracing route to ec2-99-80-231-223.eu-west-1.compute.amazonaws.com [99.80.231.223]
> over a maximum of 30 hops:
> 
>   1     1 ms    12 ms    <1 ms  192.168.1.1

The first hop is my own router, not the PIA VPN tunnel.

You can further see it in the routing table on the Plex server. Look for the persistent routes at the bottom.

> C:\WINDOWS\system32>route print
> ===================================================================
> Interface List
>   6...00 ff 28 f3 fb 21 ......Private Internet Access Network Adapter
>  17...54 ee 75 5b 7c df ......Intel(R) Ethernet Connection (3) I218-LM
>  16...5c e0 c5 c2 f3 04 ......Microsoft Wi-Fi Direct Virtual Adapter
>   3...5e e0 c5 c2 f3 03 ......Microsoft Wi-Fi Direct Virtual Adapter #2
>   4...5c e0 c5 c2 f3 03 ......Intel(R) Dual Band Wireless-AC 7265
>   5...5c e0 c5 c2 f3 07 ......Bluetooth Device (Personal Area Network)
>   1...........................Software Loopback Interface 1
> ===================================================================
> 
> IPv4 Route Table
> ===================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5    306
>           0.0.0.0        128.0.0.0       10.30.11.5       10.30.11.6      3
>        10.30.11.1  255.255.255.255       10.30.11.5       10.30.11.6      3
>        10.30.11.4  255.255.255.252         On-link        10.30.11.6    259
>        10.30.11.6  255.255.255.255         On-link        10.30.11.6    259
>        10.30.11.7  255.255.255.255         On-link        10.30.11.6    259
>     66.115.168.14  255.255.255.255      192.168.1.1      192.168.1.5     50
>       99.80.231.0    255.255.255.0      192.168.1.1      192.168.1.5     51
>     99.80.231.220  255.255.255.252      192.168.1.1      192.168.1.5     51
>     99.80.242.240  255.255.255.252      192.168.1.1      192.168.1.5     51
>       99.81.213.0    255.255.255.0      192.168.1.1      192.168.1.5     51
>     99.81.213.164  255.255.255.252      192.168.1.1      192.168.1.5     51
>         127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
>         127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
>   127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
>         128.0.0.0        128.0.0.0       10.30.11.5       10.30.11.6      3
>       192.168.1.0    255.255.255.0         On-link       192.168.1.5    306
>       192.168.1.5  255.255.255.255         On-link       192.168.1.5    306
>     192.168.1.255  255.255.255.255         On-link       192.168.1.5    306
>         224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
>         224.0.0.0        240.0.0.0         On-link        10.30.11.6    259
>         224.0.0.0        240.0.0.0         On-link       192.168.1.5    306
>   255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
>   255.255.255.255  255.255.255.255         On-link        10.30.11.6    259
>   255.255.255.255  255.255.255.255         On-link       192.168.1.5    306
> ===================================================================
> Persistent Routes:
>   Network Address          Netmask  Gateway Address  Metric
>     99.80.231.223  255.255.255.252      192.168.1.1       1
>     99.81.213.165  255.255.255.252      192.168.1.1       1
>     99.80.242.242  255.255.255.252      192.168.1.1       1
>       99.80.231.0    255.255.255.0      192.168.1.1       1
>       99.81.213.0    255.255.255.0      192.168.1.1       1
>           0.0.0.0          0.0.0.0      192.168.1.1  Default
> ===================================================================

Those 99.x.x.x addresses are all the Plex internet servers that the batch file looks up.

So we can see that any traffic destined for Plex will not use the VPN. I think it mentions it in the guide, but you still do need to enable port forwarding on your router to your Plex server. I used the option to define my own public Plex port (32401 is a good choice). I forward any internet traffic coming in on that port, destined for port 32400, to my Plex server.
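
The routing check described above can also be done offline from saved `route print` output. This is an added example, not part of the original thread or the PIA batch file: it applies the rule Windows uses (most specific matching route first, then lowest metric) to report whether a destination leaves via the VPN adapter or the LAN. The function names are hypothetical, and the VPN adapter subnet `10.30.11.4/30` is assumed from the On-link row in the table.

```python
import ipaddress

# Constructed sample: a subset of the "Active Routes" rows from the output above.
ROUTE_PRINT = """\
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5    306
          0.0.0.0        128.0.0.0       10.30.11.5       10.30.11.6      3
        128.0.0.0        128.0.0.0       10.30.11.5       10.30.11.6      3
       10.30.11.4  255.255.255.252         On-link        10.30.11.6    259
    66.115.168.14  255.255.255.255      192.168.1.1      192.168.1.5     50
      99.80.231.0    255.255.255.0      192.168.1.1      192.168.1.5     51
    99.80.231.220  255.255.255.252      192.168.1.1      192.168.1.5     51
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    306
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:          # skips headers, separators, blank lines
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            iface = ipaddress.ip_address(fields[3])
            metric = int(fields[4])
        except ValueError:            # not a route row after all
            continue
        routes.append((net, fields[2], iface, metric))
    return routes

def select_route(routes, dest):
    # Longest prefix wins; ties are broken by the lowest metric.
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None

def egress(routes, dest, vpn_net="10.30.11.4/30"):
    # vpn_net is an assumption: the subnet of the PIA adapter in this sample.
    route = select_route(routes, dest)
    if route is None:
        return "unroutable"
    return "vpn" if route[2] in ipaddress.ip_network(vpn_net) else "lan"

ROUTES = parse_routes(ROUTE_PRINT)
if __name__ == "__main__":
    for dest in ("8.8.8.8", "99.80.231.223", "99.80.231.10"):
        print(dest, "->", egress(ROUTES, dest))
```

Note that the `/24` entries match every address in those blocks, so any host in `99.80.231.0/24`, not only the looked-up Plex addresses, leaves through the LAN gateway rather than the tunnel.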