Strange Activity from Network Interface

Server Version#:1.22.2.4264-b275c4330
Player Version#:1.29.1.1974-a65b3ef3

Hi,

I have recently set up a Plex Media Server with the intention of remotely accessing live TV streams via installed TV Tuners.

To my surprise, setting up and configuring Plex to locate and utilise both my Hauppauge HVR-5525 PCIe Tuner card and also my Hauppauge Dual HD Twin USB Tuner was most straightforward, with UK DVB-T2 (Freeview) signals received and the Electronic Program Guide downloaded, providing viewable live UK TV on Plex devices when connected through both external TV antenna sources.

Setting up “Remote Access” however has proved rather troublesome and I would greatly appreciate some guidance from the forum ‘experts’ as to what I might be doing wrong here.

Some Background Detail

My Plex Media Server is installed on to a high specification Windows 10 64 Bit Desktop PC operating on the X299 platform. The PC has Dual LAN utilising integrated Aquantia® AQC111C 5 GbE and Intel® I219V GbE Ethernet Adapters as well as an integral Wi-Fi utilising an Intel® AX200 802.11ax Wi-Fi 6 Adapter. All of these adapters connect to my Network and then to the internet beyond through an Asus RT-AX88U Wi-Fi 6 Router/Draytek Vigor 130 VDSL Modem setup configured to use a VPN Client with certain devices individually configured to bypass the VPN Tunnel when a ‘public’ IP Address is indicated.

For the purposes of the Plex “Remote Access”, for example, the Intel® I219V GbE Ethernet Adapter was configured as such using its discrete static IP Address (192.168.XXX.15). Additionally, the Router is configured to ‘forward’ Internal and External Ports 32400 for both TCP & UDP Protocols, again using the Intel GbE adapter 192.168.XXX.15.

Plex is “Fully accessible outside of my network” and also remotely accessible as such (for test purposes) on an iPhone 8 Plus. I am thus confident that the above router settings are successful in permitting Plex access as intended.

My problem comes with the settings of the Plex Media Server itself where I have attempted to configure the Intel® I219V GbE Ethernet Adapter within ‘Network’ settings page to act as the default network interface for Plex to use, restarting the Plex Media Server following applying the setting. Additionally, Port 32400 is manually specified and applied from the ‘Remote Access’ settings page.

NB. I am aware of the Warning that specifies when “…Remote Access enabled and are having Plex automatically map the port (as opposed to specifying a port manually), then Plex Media Server has no control over which network interface is used for an automatically-mapped port. Thus, it’s possible that Remote Access connections could come through an interface other than the one specified here.” Also, of the Note: “A restart of Plex Media Server is required for a change in the settings to take effect.” Accordingly both of these conditions have been satisfied.

The following unusual conditions occur whenever the Media Server is restarted:

  1. Plex indicates that it is no longer “Fully accessible outside of my network” and the Plex Port section displays the Static IP Address of the VPN’d Aquantia® AQC111C 5 GbE adapter (192.168.XXX.16:32400) and the ‘Public’ IP (xxx.xxx.xxx.xxx:32400) is that of the VPN where the AQC111C routes through the VPN Tunnel and so clearly fails the Public Accessibility test as indicated by the accompanying ‘Red X’.

  2. Strangely, if I then click ‘Apply’ against the already checked ‘manually specify public port’ with its value of 32400 already set from before, this now returns with Plex is “Fully accessible outside of my network” once more; however, the Plex Port section continues to display the incorrect Static IP Address of the Aquantia® AQC111C 5 GbE adapter (192.168.XXX.16:32400) and the ‘Public’ IP (xxx.xxx.xxx.xxx:32400) address of the VPN, though this time the red “X” is replaced by the green arrow. Despite the ‘Public IP’ representing that of the VPN routed adapter, access from the iPhone was successful including the Live TV Streams, all of which seems oddly contradictive.

This suggests to me two possibilities:

a) The Media Server is using the ‘VPN bypassing’ Intel® I219V GbE Ethernet Adapter as intended whilst erroneously displaying the connection settings relative to the (non active) Aquantia® AQC111C network interface?

b) The Media Server is using the Aquantia AQC111C yet somehow bypassing the VPN Tunnel. The reported VPN ‘Public Address’ suggests otherwise however and yet at the same time it is perplexing that the Public VPN Address is displayed with the green arrow when as I understand it this should fail to establish a valid connection?

Unfortunately I cannot understand why either should be so, nor how I might identify which network interface is actually in play here.

All assistance gratefully appreciated,

Many thanks,

PC Pilot

Hi,

Let me see if I can get my head around this.

You have 3 NICs in the same PC all on the same subnet and pointing at the same gateway.
You have your router running a VPN tunnel and your PC is not aware of the existence of the VPN
You have split tunnelling active on the router with some sort of filter in place to direct traffic over the VPN v local connection
You want PMS to bind to the i219V adapter using the x.x.x.15 address?
The router port forward is to x.x.x.15:32400 (BTW, you can stop forwarding UDP, only TCP is needed)
You’ve manually specified the port in PMS. and bound x.x.x.15 to be the preferred adapter.

What you are seeing in practice is everything comes up over the x.x.x.16 adapter and VPN so it’s ignoring your x.x.x.15 config? The first time it comes up, it’s sad, post a refresh it’s happy, but just not how you want it to.

And just to be crystal, I assume you want Plex to route over the i219 which will not go over the VPN?

I can’t really clarify your suspicions yet.

Questions I have:
What network is the iPhone on?
How exactly is the split tunnelling configuration setup?
How is the routing table on the router configured?
How is the routing table on the PC configured?
PMS logs would be helpful so we can follow along with what PMS is actually thinking.

Have you tried setting the external port of the forward to be values other than 32400 so you can better tell them apart? (i.e., locally forward WANIP:12345 to x.x.x.15:32400 and on the VPN VPNWANIP:54321 to x.x.x.16:32400 - the port setting in Plex will also then become much more relevant)

As a general comment, having a single machine with multiple interfaces on the same subnet is bad voodoo, it’s always going to try and mess something up somewhere. Is there any reason you could not put one of them onto a separate subnet and route that entire subnet out over the VPN?

Re the connection test, you need to also consider that it also involves the client location in the test. So you can have it fail from clientA and simultaneously work from clientB based on the client’s ability to connect to the server, not the server’s ability to be connected. (aka, the server could be fine, and the client could still be working through routing etc)

Hi Bob,

…and thank you for your swift response, please accept my apologies for my lack of network knowledge!

You have indeed summarised correctly, 3 NICs, Same PC, Same Subnet all directed to the Same Gateway. Not sure what you mean by “PC is not aware of the existence of the VPN”?? I have configured a VPN Tunnel on the Asus Router (latest Merlin firmware) with a set of policy rules configured such that all LAN client devices are directed through the tunnel with the exception of specific devices which are directed to bypass the VPN. The I219V Adapter is specified as my preferred adapter for PMS (also a good example of a ‘bypass’ client) selected (bound?) from the ‘Network’ settings page of PMS. The router is further configured to forward port 32400 for 192.168.XXX.15. Your advice concerning TCP is noted and appropriate revisions will certainly be adopted.

I can provide some additional information which may be relevant. At the time of installing the 30.03.21 PMS update (1.22.2.4264-b275c4330) it had the effect (albeit temporarily) of resolving the reported condition. With the adapter correctly reported as 192.168.xxx.15, the Public IP was also displayed correctly and full outside accessibility reported. Whilst this situation survived experimental restarts of PMS it did not survive system restart reverting to the situation initially reported. Also I have configured an IPV6 address (thinking of future proofing) don’t know how this influences matters, if at all?? If you think of anything else I will readily confirm the setup. The router is fairly sophisticated with numerous configuration parameters and 2 years in I’m still coming to terms with much of it!!

To confirm, on PMS “What I am seeing in practice is everything ‘is reported’ (remote access settings page) as the x.x.x.16 adapter and public is the VPN.” Not clear if it’s ignoring the x.x.x.15 config or just merely ‘reporting’ that it is! The PMS is set to ‘Start at Windows Login’ at which point it reports fail (sad), post a refresh of Manual Port (refresh button) successful (happy) but continues to report wrong NIC and Public IP.

To clarify in respect of your questions:

My ideal is for Plex to route via I219V which is set to bypass VPN. All others via AQC111C LAN or AX200 Wi-Fi 6.

The iPhone is on the same network (Wi-Fi 6) connecting via the AX200 adapter 192.168.xxx.17 but I have also experimented with connection via 4G (cell connection) with Wi-Fi temporarily disabled and this also permits access to my PMS and suggests successful access is reporting accurately?

The split tunnelling is configured by a set of (strict) policy rules such that all LAN client devices are directed through the tunnel (192.168.xxx.0/24 on VPN interface) with the exception of those specified devices which are listed as being directed to the WAN interface and thus bypass the VPN tunnel.

Could you elaborate upon your query “How is the routing table on the router configured?” What exactly am I looking for? Ditto for “How is the routing table on the PC configured?”

PMS Logs seems a sensible plan, but would depend upon need to securely post/redact/filter. Further guidance would be appreciated.

I haven’t tried a different port number value. Do I understand you correctly that you propose the addition of an additional forward for the AQC111C adapter (192.168.xxx.16) using a different Port value (say 32100?) as this adapter is routed through the tunnel and hence reflects VPNWANIP… ??

I appreciate your comment surrounding single machine with multiple network interfaces on the same subnet being bad voodoo and is quite indicative of my somewhat limited network experience! On principle I see no reason why certain devices might not be assigned to a different subnet. For example so as to gain access to the GUI of the VDSL modem whilst behind the AX88U necessitated configuring it on to a separate subnet and I have also, for security considerations, configured some defined Wi-Fi guest networks onto their own exclusive subnets. The only issue I can foresee is that I am a member of an audience research panel which monitors TV viewing and recently added screening via a network attached anonymous focal meter. I was advised by the technician who installed it that there would be no problem as all monitored devices (they are anonymously monitored for type of Stream (not actual viewed content/address) i.e. YouTube, Netflix etc) are on the same subnet!

I am certainly open to any best practice guidance to achieve the same desired results whilst achieving appropriate security. Ideally I would like to configure the setup such that all browsers and external connections in general (VPNWAN internet) utilise either the AQC111C adapter (.16 - LAN) or AX200 Wi-Fi 6 adapter (.17 - WiFi) routed through the VPN and for devices which specifically require direct WAN access such as Plex and WinTV extend, both of which require remote access through WAN. Any other thoughts or observations are welcome.

Thanks for your interest all assistance is greatly appreciated.

Regards,

PC Pilot

Sorry, didn’t see your reply to this…

It could be neither, it could be that your router and PC have decided that the way to send traffic to the .15 address is via the .16 NIC, so everything can be configured but it decides that the cable plugged into the .15 NIC has a lower priority than the cable in the .16 NIC. (e.g., that NIC is bigger and faster, send it that way) PMS is only an app, there is only so much say network wise it can have in what the OS decides to do with its traffic.

I think your best course of action here is to (2 options)

  1. disable wireless on the server, it’s fine to have wireless adapters and wired adapters active on the same subnet just try never to have them both active on the same device at the same time.
  2. move the i219 to a new subnet, connected to the router
  3. keep PMS bound to the i219, move anything else you want to that subnet and this should also enable you to simplify your policy routing (ie, subnet1, VPN, subnet2, WAN)
  4. setup the routing on the router to route between the subnets (it may just do this automagically)
  5. sort out any intra-subnet firewall rules you need, and the NAT rules for the new subnet.
  6. update the PMS config to configure all your local subnets as “local”
  7. not sure what to do about the audience research stuff, it just won’t see plex traffic if it needs to be same subnet.

or

  1. disable the wifi on the server
  2. pull the cable out of the i219v and stop using it

IPv6 shouldn’t matter.

Yes, that is a good test.

More if you do this.

VPNWANIP:32100 forwards to .16:32400
WANIP:32400 forwards to .15:32400

That way if you put 32400 into the manual config box in Plex and it works, you know it’s coming via the WANIP, if it works when 32100 is in the box, you know it’s coming via VPN.

Hi Bob,

Thank you again for your considered and thought provoking reply!

Interestingly, your comment has brought something else to mind which I had totally forgotten and importantly suspect may be somewhat implicated. It could perhaps also explain my confusion as to why the PMS Network Setting “Preferred network interface” was misbehaving when its obvious purpose seemed precisely tailored for just these sort of multi-adapter issues?

Sometime prior to configuring PMS, whilst looking to resolve an unrelated VPN issue where the default adapter kept randomly reverting instead of routing directly via the VPN as intended, I received some guidance to ‘adjust the sequencing’ of the adapters. This involved assigning each of the adapters their own priority ‘metric’ which I must confess to having completely overlooked until prompted by your reply.

Accordingly, the metric values assigned (as suggested to me at that time) are as follows:

IPV4: Aquantia AQC111C Adapter - Interface metric: 4, Intel I219-V Adapter - Interface metric: 8 & Intel AX200 WiFi 6 Adapter - Interface metric: 12

IPV6: Aquantia AQC111C Adapter - Interface metric: 4, Intel I219-V Adapter - Interface metric: 6 & Intel AX200 WiFi 6 Adapter - Interface metric: 6

Unfortunately I do not understand the significance of these values and regrettably I can no longer put my hands on the original source and thus have no idea whether these are correct or not, whether the IPV6 values should be the same as those for IPV4 or conflict in some way. If my suspicions turn out to be correct here, it may be useful to include general advice on how to check/properly configure these IPV4/IPV6 metrics in accordance with best practice to achieve reliable PMS remote access. Once again your advice and guidance in this regard would be particularly welcome.

To clarify, similar to the PMS situation the original intention was to direct ‘browser traffic’ via the VPN IP (AQC111C .16 adapter) leaving the WAN IP (I219-V .15 adapter) exclusively for any WAN access to enable connection directly with the ISP account and email services which simply would not function via the VPN IP. Subsequently, as I became more conversant with the myriad of router settings offered by the advanced Merlin firmware, SMTP was directed to bypass the tunnel and thus the metric configuration had (or so I thought) become obsolete by default.

Returning to your response:

I think that I understand the ‘work around’ guidance you have kindly provided and summarise briefly below:

Course of action…

  1. Disable the WiFi Adapter - Understood (again the metrics were an attempt to be a form of work around I guess)

  2. Move Intel I219-V Adapter to say .XYX.15 (again the metrics were an attempt to be a form of work around I guess)

  3. Bind all applications requiring WAN IP to .XYX.15 (Can the/a browser be selected to choose the adapter whether WAN IP or VPN IP is required? I am assuming that this is not possible on a different subnet?)

  4. Can you clarify/elaborate what you mean? Apologies for being so ignorant!

  5. Can you clarify/elaborate what you mean? Apologies for being so ignorant!

  6. Can you clarify/elaborate what you mean? Apologies for being so ignorant!

  7. I will contact the technician in due course to look into this.

Does the metric stuff change this at all??

Cell test - Understood

Thanks again, your help is very much appreciated.

Very best regards,

PC Pilot

Think of metrics as a toll charge on a toll road and it doesn’t really matter what the specific numbers are, it matters what they are relative to each other. You’ve told Windows that your AQC111C adapter is the cheapest path so Windows is going to put all traffic over that path and basically ignore the other 2 adapters unless something specifically tells it not to, or something bad happens to the AQC111C. Windows normally automatically sets these so not sure why you have been advised to manually change them (the automated order would still have all traffic going over the AQC111C as it’s the fastest card → The Automatic Metric feature for IPv4 routes - Windows Server | Microsoft Learn)

What are you actually trying to achieve by having multiple NICs active in the single machine? You’re heading down the path of having a very complicated network setup that will need constant thought every time you add/change/delete a device and it’s going to be a constant source of grief for you with the level of knowledge you have around networking. If we know what your goal is, there is lots of network stuff online we can direct you to to build up that knowledge.
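
One way to check which adapter is actually in play on the server, as an added example that was not posted by anyone in this thread: it ranks the IPv4 default routes by the total of route metric and interface metric (the relative cost described above), then lists the sockets on port 32400 with the adapter that owns each local address. It assumes the NetTCPIP cmdlets that ship with Windows 10 and the port 32400 used in the thread; nothing is changed on the system.

```powershell
# Added example: read-only checks, run in PowerShell on the Plex Media Server PC.
$port = 32400   # port specified in the thread

# 1. IPv4 default routes ranked by total cost (route metric + interface metric).
#    Windows prefers the lowest total for outbound traffic.
$ifaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected'

Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $route = $_
        $if = $ifaces | Where-Object InterfaceIndex -eq $route.InterfaceIndex
        if ($if) {
            [pscustomobject]@{
                Interface       = $if.InterfaceAlias
                NextHop         = $route.NextHop
                RouteMetric     = [int]$route.RouteMetric
                InterfaceMetric = [int]$if.InterfaceMetric
                AutomaticMetric = $if.AutomaticMetric
                Total           = [int]$route.RouteMetric + [int]$if.InterfaceMetric
            }
        }
    } |
    Sort-Object Total |
    Format-Table -AutoSize

# 2. Map every local IP address to the adapter that owns it.
$addrToIf = @{}
Get-NetIPAddress | ForEach-Object { $addrToIf[$_.IPAddress] = $_.InterfaceAlias }

# 3. Sockets on the Plex port: where the server listens, and which local
#    address each live client connection terminates on.
Get-NetTCPConnection -LocalPort $port -State Listen, Established -ErrorAction SilentlyContinue |
    Select-Object State, LocalAddress, RemoteAddress,
        @{ n = 'Interface'; e = {
            if ($_.LocalAddress -in '0.0.0.0', '::') { '(all interfaces)' }
            elseif ($addrToIf.ContainsKey($_.LocalAddress)) { $addrToIf[$_.LocalAddress] }
            else { '(unmapped)' }
        } },
        @{ n = 'Process'; e = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        } } |
    Sort-Object State, LocalAddress |
    Format-Table -AutoSize
```

Run the third step while a remote client is streaming: the LocalAddress on an Established row is the server address that client reached, whatever the Remote Access page displays.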
