Shared server / firewall issues

I have a friend sharing his server with me. This works fine on devices when connected via LTE (phone app/hotspot/etc). This works fine when directly plugged into the ISP router.

It does NOT work when plugged into a firewall (“permit any any” rule in use for testing). I’ve run Wireshark and can see Plex attempting to connect to a private IP 192.168.x.x. I don’t use that space on my network.

This leads me to believe that for whatever reason, Plex is doing a DNS lookup and receiving a private address when it should be receiving a public address.

I just can’t find any technical details on how remote Plex connections are supposed to work to further troubleshoot. As this is a fairly “in the weeds” problem it’s not surprising.

For whatever reason, when behind the firewall the Plex app thinks the remote server is local, when it’s not.

Any help appreciated.

I looked at your account on Plex.tv

Before your current 172.16.x.x addressing, you were using 192.168.x.x
That server entry had not been deleted so Plex.tv was correctly telling the clients to look for the address range.

I’ve taken the liberty to clear out all your old server entries.

Now, please do the following.

  1. Restart PMS
  2. Close the browser tab which is connected to the server and reopen it after the server starts.
  3. Close and reopen any other apps you may have on your devices.

Restarted PMS, closed all browser tabs and apps.
Reopened and signed in - received “not authorized” message.
Followed steps here: Why am I locked out of Server Settings and how do I get in? | Plex Support but can’t connect to the “local” server because it’s on a Synology. Ended up uninstalling/reinstalling the PMS app. - Now my server isn’t shown and I have no way to connect to it.

Ok - regained access to the local server… Had to set up an SSH tunnel to the Synology.

Anyways -

Connecting to the friend’s shared server still is unsuccessful. I’m still seeing the DNS queries to 192-168-1-221.{GUID}.plex.direct, 192-168-1-222.{GUID}.plex.direct and following TCP connections to the same 192.168 addresses whenever I click on the shared server attempting to reload it.

Plex web app debug log shows :


 {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing all 5 connection(s) for {Shared-Server-Name}",
    "time": "2022-07-10T18:19:55.127Z"
  },
...
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing connection for {Shared-Server-Name} at https://192-168-1-222.{GUID}.plex.direct:32400/media/providers",
    "time": "2022-07-10T18:19:55.196Z"
  },
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing connection for {Shared-Server-Name} at https://192-168-1-221.{GUID}.plex.direct:32400/media/providers",
    "time": "2022-07-10T18:19:55.204Z"
  },
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing connection for {Shared-Server-Name} at http://192.168.1.222:32400/media/providers",
    "time": "2022-07-10T18:19:55.208Z"
  },
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing connection for {Shared-Server-Name} at http://192.168.1.221:32400/media/providers",
    "time": "2022-07-10T18:19:55.212Z"
  },
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Testing connection for {Shared-Server-Name} at https://184-105-148-89.{GUID}.plex.direct:8443/media/providers",
    "time": "2022-07-10T18:19:55.216Z"
  },
...
  {
    "type": "log:message",
    "level": 1,
    "message": "[Connections] {Shared-Server-Name} is unavailable at https://192-168-1-222.{GUID}.plex.direct:32400/media/providers (Status 0)",
    "time": "2022-07-10T18:20:05.201Z"
  },
  {
    "type": "log:message",
    "level": 4,
    "message": "[Connections] Added insecure fallback connection for {Shared-Server-Name} at http://192.168.1.222:32400",
    "time": "2022-07-10T18:20:05.204Z"
  },
...
  {
    "type": "log:message",
    "level": 1,
    "message": "[Connections] All connections to {Shared-Server-Name} failed",
    "time": "2022-07-10T18:20:05.216Z"
  },

There appears to be some reference to the 192.168 range… which may be the actual internal IP of the shared server inside my friend’s network.

On Synology,

  1. Uninstall / Reinstall of the package isn’t going to be helpful. The code and your server info are stored in separate locations.

  2. Looking at your account now shows 1 server. The server does not yet have a certificate.

  3. Knowing that I reset your account certificate tells me PMS doesn’t realize it needs one.
    – STOP Plex
    – Open FileStation
    – Navigate: PlexMediaServer/AppData/Plex Media Server/Cache
    – REMOVE cert-v2.p12
    – Start PMS

  4. Give it a minute to get the new cert

  5. Open the server by using the Synology LAN IP only (http://172.168.0.3:32400/web)

There is nothing on your account which has any remnant of 192.168.x.x therefore something you have… which does look like the shared server’s name ID string.

You’ve modified the logs, but I assume Shared-Server-Name is your friend’s server? And the guid is for theirs, not yours?

A Plex client will receive a list of all addresses the server might be reachable on. That includes the local address on its local network, any public address that has been detected, and any additional custom addresses that have been registered.

Private addresses aren’t filtered out, nor should they be.

The client will attempt a connection to each of those addresses, using whichever works.

That log looks 100% normal, except for the stuff you’ve removed. :slight_smile:

Are you able to access his server via the external address URL in a web browser? I don’t see a success or failure message for that address.
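The candidate-list behaviour described in the post above, as an added example that is not part of the original thread and not Plex's own code: it reads the web app log messages, classifies each tested address as private or public, and lists the public candidates that have no logged outcome. The sample messages are constructed from the sanitized excerpt, the function names are hypothetical, and the decoding of plex.direct names (first label is the IPv4 address with dashes for dots) is an assumption inferred from that log.

```python
import ipaddress
import re

# Constructed sample: "message" strings copied from the sanitized log excerpt.
P = "[Connections] Testing connection for {Shared-Server-Name} at "
SAMPLE_MESSAGES = [
    P + "https://192-168-1-222.{GUID}.plex.direct:32400/media/providers",
    P + "https://192-168-1-221.{GUID}.plex.direct:32400/media/providers",
    P + "http://192.168.1.222:32400/media/providers",
    P + "http://192.168.1.221:32400/media/providers",
    P + "https://184-105-148-89.{GUID}.plex.direct:8443/media/providers",
    "[Connections] {Shared-Server-Name} is unavailable at "
    "https://192-168-1-222.{GUID}.plex.direct:32400/media/providers (Status 0)",
]
URL_RE = re.compile(r"https?://([^/:\s]+):\d+")

def host_ip(host):
    # Assumption inferred from the log: a plex.direct name carries the IPv4
    # address in its first label, with dashes in place of dots.
    if host.endswith(".plex.direct"):
        host = host.split(".", 1)[0].replace("-", ".")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP-bearing candidate

def summarize(messages):
    """Map each candidate (scheme://host:port) to address class and result."""
    out = {}
    for msg in messages:
        m = URL_RE.search(msg)
        if m is None:
            continue
        ip = host_ip(m.group(1))
        entry = out.setdefault(m.group(0), {
            "private": ip.is_private if ip else None,
            "result": "no result logged",
        })
        if "is unavailable at" in msg:
            entry["result"] = "unavailable"
    return out

def unresolved_public(messages):
    """Public candidates with no logged outcome: the ones to test by hand."""
    return [url for url, e in summarize(messages).items()
            if e["private"] is False and e["result"] == "no result logged"]

if __name__ == "__main__":
    print(unresolved_public(SAMPLE_MESSAGES))
```

On the excerpt, the only public candidate is the one on port 8443, and it has no recorded result, which is the address worth testing directly from behind the firewall.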

There is no cert-v2.p12 file. The only .p12 file is certificate.p12

Correct, logs were sanitized.

Shared-Server-Name is my friend’s server name which is remote.
guid is the GUID string from his server as well

@KJCJK

Sorry, I forgot they were going to change the naming.

Please delete that P12

PMS stopped
Certificate deleted
PMS started

Issue remains. - Still seeing 192.168.1.221 and 192.168.1.222

That’s the weird thing - If I connect directly to the ISP router, I have no issues connecting to the shared server.

For your friend’s shared server? Normal. Don’t fight with that. You’re expected to see those when attempting to connect to his server.

If you can’t connect to his external address, that’s a different issue. Not related to your server. Figure out why you can’t connect to his external address.

Can you load it in a browser?

Please ignore those 192.168.x.x addresses for now.

I can confirm your server now has a valid certificate.

I am sending you a PM of what Plex.tv sees for your server

Need to confirm that you and the server are on the same LAN subnet?

@ChuckPa and @KJCJK I’m confused.

@KJCJK is YOUR server working correctly?

@ChuckPa
My PC is on 172.16.1.0/24
My PMS is on 172.16.0.0/24

My PC can reach my PMS locally without issue.

@Volts

My server is working correctly now.

The original issue:

When I am located behind a firewall on the 172.16.1.0/24 network I am unable to connect to a remote, shared server. If I disconnect from the firewall and connect directly to the ISP router, I am able to connect and load the shared server.

I have a ‘permit all’ rule in the firewall so it’s not an ACL blocking anything.

ALL STOP.

Can’t do that.

The PC is on a different network. Your Synology will always think it’s remote.
Because you don’t have Remote Access enabled yet, your Plex/web browser can’t see it.

Change the PC to be on the same 172.16.0.x subnet

If you NEED both 172.16.0.x AND 172.16.1.x to be used,

  1. Synology Control Panel
  2. Network Interface
  3. Change the netmask to be /23 (255.255.254.0)

I think there is a disconnect - There is a completely separate server across the internet which I am having issues with.

Please explain.

The Synology you’re working on is in a geographically different location?

Ok so I’m not addressing anything related to certs or your server or local access, @ChuckPa is the man for that.

Just for remote access to the Friend’s server. It doesn’t involve your local server at all. Seeing private IPs is normal and can be ignored.

So to investigate only the your-firewall-breaks-access-to-his-server issue, what does the web client log say regarding the connection test to his public address?

What happens if you browse directly to that full address in a browser?

What’s this firewall device anyway?

The Synology running PMS named ‘Plex’ with an IP of 172.16.0.3 on my account is local.

There is another Synology running PMS. We can call this ‘BOB’. I don’t know what the internal or external IP of ‘BOB’ is. ‘BOB’ is in a different geographical location.

If I open the Plex app on my phone while using cellular/LTE - I can connect to ‘BOB’ fine.
If I open the Plex web app on my PC directly connected to the ISP router - I can connect to ‘BOB’ fine.
If I open the Plex web app on my PC connected behind a firewall - I cannot connect to ‘BOB’.

I don’t know what the public IP of ‘BOB’ is, I’ll try to find that - one moment.

The firewall is a Palo Alto 440.