Netgate Discussion Forum

Access Jellyfin server on different subnet

General pfSense Questions
  • S
    swust
    last edited by May 17, 2022, 5:32 AM

    hi all. i have my jellyfin server on VLAN 1 (home network) and FireTV on VLAN 2 (IoT network). Have set up firewall rules that VLAN 2 can't access anything on VLAN 1. What is the best way to allow FireTV to access the Jellyfin server?

    In my simple mind, I only need to give any devices on IoT Network (VLAN2) access to specific IP address of the Jellyfin server so I tried adding a firewall rule on the IoT Net to have access to the Jellyfin IP address, add a port forward to the Jellyfin but nothing works. What am I missing?

    Thanks in advance.

    • S
      stephenw10 Netgate Administrator
      last edited by May 17, 2022, 12:28 PM

      Yes, you only need to add a single firewall rule to the IoT interface to allow it. pfSense will route that, there is no port forwarding needed.
      The server has to be configured to allow requests from outside its subnet.
      If clients are not using the server's IP directly then it must be resolvable by whatever fqdn they are using.

      Steve

      • S
        swust @stephenw10
        last edited by swust May 18, 2022, 12:50 AM May 18, 2022, 12:45 AM

        @stephenw10 thanks for the reply. i added this rule to allow a range of static IPs on my IOT net to my HOME net.


        This rule is above the rule to block access of the remaining IoT IPs.


        I thought this would be enough, but I still can't access my HOME network to access my shared drive via Windows' File Explorer.

        Any thoughts what could be missing / wrong?

        Thank you.

        • D
          darcey @swust
          last edited by darcey May 18, 2022, 8:36 AM May 18, 2022, 8:29 AM

          @swust If the firetv 'discovers' the media server, I believe you need some proxy service to relay between the IoT clients and the server (sorry can't remember the details as I gave up on it and put clients on the same network). Another way might be to give your media server interfaces on multiple networks, one being the IoT vlan.

          • N
            NogBadTheBad @swust
            last edited by NogBadTheBad May 18, 2022, 12:02 PM May 18, 2022, 10:01 AM

            @swust what's Jellyfin running on, do you have an additional network port on the device and the ability to put firewall rules on the device Jellyfin is running on?

            I do something very similar with my Synology NAS and SMB shares with Infuse.

            https://jellyfin.org/docs/general/networking/index.html#static-ports

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • S
              stephenw10 Netgate Administrator
              last edited by May 18, 2022, 11:44 AM

              Yes, that rule will allow the connection. But you can see there is no data and no states shown on it. If the client is trying to connect to the server by its IP address directly that will work so it probably isn't.
              How is the client trying to connect?
              If it's some sort of auto discovery then that's just a world of pain across subnets! Unfortunately.

              Steve

              • S
                swust @darcey
                last edited by May 18, 2022, 2:43 PM

                @darcey unfortunately can't even discover the media server. any pointers on how to give the media server interfaces on multiple subnets? i searched but can't seem to find any information.

                • S
                  swust @NogBadTheBad
                  last edited by May 18, 2022, 2:46 PM

                  @nogbadthebad running on Windows PC. i have all the Jellyfin related ports open but still can't access. would you have any link to resource re: what you did with the NAS and SMB share with Infuse?

                  • S
                    stephenw10 Netgate Administrator @stephenw10
                    last edited by May 18, 2022, 2:55 PM

                    @stephenw10 said in Access Jellyfin server on different subnet:

                    How is the client trying to connect?

                    Still that question. ^

                    • S
                      swust @stephenw10
                      last edited by May 18, 2022, 3:01 PM

                      @stephenw10 the client (firetv) connects to the server through the server's IP address. it will try to reach server via http://192.168.x.x:8096. is this what you mean?

                      • J
                        johnpoz LAYER 8 Global Moderator @swust
                        last edited by johnpoz May 18, 2022, 3:05 PM May 18, 2022, 3:02 PM

                        @swust said in Access Jellyfin server on different subnet:

                        can't even discover the media server.

                        As already mentioned discovery isn't going to work across subnets..

                        https://jellyfin.org/docs/general/networking/index.html

                        Have you just tried connecting to it on its http port by default is

                        8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
                        8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
                        

                        client (firetv) connects

                        Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

                        if that is not working - you're not forcing traffic out a gateway are you.. This is a common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

                        Can you ping this jellyfin IP even?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • S
                          swust @johnpoz
                          last edited by May 18, 2022, 3:13 PM

                          @johnpoz said in Access Jellyfin server on different subnet:

                          @swust said in Access Jellyfin server on different subnet:

                          can't even discover the media server.

                          As already mentioned discovery isn't going to work across subnets..

                          https://jellyfin.org/docs/general/networking/index.html

                          Have you just tried connecting to it on its http port by default is

                          8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
                          8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
                          

                          client (firetv) connects

                          yes i tried this, but doesn't connect.

                          Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

                          if that is not working - you're not forcing traffic out a gateway are you.. This is a common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

                          Can you ping this jellyfin IP even?

                          I can't ping the jellyfin IP. I'm not very well versed on this so I don't quite get what you mean by forcing traffic out a gateway. Perhaps easier to show you what firewall rules i have under the IoT VLAN below.

                          The HOME VLAN which I am trying to reach from IoT VLAN also has the Block Incoming rules.

                          Is there any rule I have here that is the problem?

                          • D
                            darcey @swust
                            last edited by darcey May 18, 2022, 3:23 PM May 18, 2022, 3:18 PM

                            @swust said in Access Jellyfin server on different subnet:

                            @stephenw10 the client (firetv) connects to the server through the server's IP address. it will try to reach server via http://192.168.x.x:8096. is this what you mean?

                            I have not used firetv but if it is like any of the very limited number of media player devices I have tried, it relies on some sort of autodiscovery to find local media servers and does not provide a method to specify media server host addresses.
                            If firetv does allow you to do the latter, then your firewall rules should suffice and your problem exists elsewhere.
                            But if it does require autodiscover (SSDP/UPNP), that only works across the same subnet. With media server on another network, the auto discover broadcast traffic must be proxied (on the client network) and forwarded to a nominated media server (specified in proxy setup).

                            EDIT: I just saw the mention of no ping so I guess your problem is something more fundamental at this point.

                            • J
                              johnpoz LAYER 8 Global Moderator @swust
                              last edited by May 18, 2022, 3:23 PM

                              @swust Well your rules you post, on your iot interface.. doesn't even show any evaluations that 0/0 there.

                              What is in your jellyfin alias?

                              What is the jellyfin IP? Why not create an IPv4 any any rule to your jellyfin IP.. Can you now ping it from your iot vlan?

                              And you're clearly routing traffic out your vpn gateway.. So if your rule to allow jellyfin is not matching the traffic, your traffic would go out your vpn gateway..

                              • S
                                stephenw10 Netgate Administrator @swust
                                last edited by May 18, 2022, 3:35 PM

                                @swust said in Access Jellyfin server on different subnet:

                                I can't ping the jellyfin IP.

                                That's because your firewall rule (which still shows 0 states and 0 traffic) is passing TCP and UDP only. Change the protocol to 'any' and that will include icmp. Or add a rule to pass icmp specifically.

                                • J
                                  johnpoz LAYER 8 Global Moderator @stephenw10
                                  last edited by May 18, 2022, 3:39 PM

                                  @stephenw10 looks like he is limiting to ports in a jellyfin alias as well. So icmp wouldn't work even if it was an any any rule vs just tcp/udp.

                                  Since there are zero evaluations on that rule - either he has the wrong ports in that alias, or it's not actually populated at all. But if it had the jellyfin http port, he should be able to access it. Or at least show an evaluation on it vs 0/0

                                  Possible he had an existing state going out his vpn connection?

                                  I would create an IPv4 any any rule to your jellyfin IP, and make sure all states are clear in your state table to your jellyfin IP.. And then you should be able to ping it and access it via http or https.

                                  • N
                                    NogBadTheBad @swust
                                    last edited by NogBadTheBad May 18, 2022, 5:50 PM May 18, 2022, 3:40 PM

                                    @swust said in Access Jellyfin server on different subnet:

                                    @nogbadthebad running on Windows PC. i have all the Jellyfin related ports open but still can't access. would you have any link to resource re: what you did with the NAS and SMB share with Infuse?

                                    My NAS has 4 ethernet interfaces, the main one is on the USER vlan ( vlan 2 ), an additional interface is connected to the IOT vlan ( vlan 4 ) and there are firewall rules on the NAS to only enable SMB access for the AppleTV devices, so traffic doesn't traverse the pfSense firewall.


                                    Andy

                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by May 18, 2022, 3:53 PM

                                      If you set the protocol to anything other than tcp and/or udp the ports are removed anyway. 😉

                                      • J
                                        johnpoz LAYER 8 Global Moderator @stephenw10
                                        last edited by May 18, 2022, 4:01 PM

                                        @stephenw10 true ;)


                                        1 Reply Last reply Reply Quote 0
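
An added example, not part of any post in this thread: a small Python model of the top-down, first-match evaluation pfSense applies to an interface's rules, showing why a TCP/UDP rule limited to a port alias never passes a ping and where traffic that misses the allow rule ends up. The rule names, the /24 mask and the `VPN_GW` gateway are assumptions; only 192.168.20.10 and ports 8096/8920 come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

JELLYFIN_IP = "192.168.20.10"   # server address given in the thread
JELLYFIN_PORTS = {8096, 8920}   # HTTP/HTTPS defaults quoted in the thread
HOME_NET = "192.168.20.0/24"    # assumption: /24 around the 192.168.20.1 interface

@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    protos: Optional[set]            # None means protocol "any"
    dst: str                         # destination in CIDR form
    ports: Optional[set] = None      # destination ports, TCP/UDP only
    gateway: Optional[str] = None    # set on a policy-routing pass rule

    def matches(self, proto, dst_ip, dst_port):
        if self.protos is not None and proto not in self.protos:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.ports is not None:
            # A port restriction can only ever match TCP or UDP packets.
            return proto in ("tcp", "udp") and dst_port in self.ports
        return True

def evaluate(rules, proto, dst_ip, dst_port=None):
    """First matching rule wins; nothing matching means the default deny."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dst_port):
            if rule.action == "block":
                return rule.name, "blocked"
            if rule.gateway:
                return rule.name, "sent to gateway " + rule.gateway
            return rule.name, "routed locally"
    return "default deny", "blocked"

# Constructed rule sets (hypothetical names); source matching is omitted,
# every packet is assumed to arrive on the IoT interface.
ALLOW = Rule("allow-jellyfin", "pass", {"tcp", "udp"}, JELLYFIN_IP + "/32", JELLYFIN_PORTS)
BLOCK = Rule("block-home", "block", None, HOME_NET)
VPN = Rule("internet-via-vpn", "pass", None, "0.0.0.0/0", gateway="VPN_GW")
ANY = Rule("allow-jellyfin-any", "pass", None, JELLYFIN_IP + "/32")

WITH_BLOCK = [ALLOW, BLOCK, VPN]  # allow above block, VPN rule last
NO_BLOCK = [ALLOW, VPN]           # traffic missing ALLOW falls to the VPN rule
SUGGESTED = [ANY, BLOCK, VPN]     # IPv4 any-protocol rule to the server

if __name__ == "__main__":
    for label, rules in (("with block", WITH_BLOCK), ("no block", NO_BLOCK), ("suggested", SUGGESTED)):
        for pkt in (("tcp", JELLYFIN_IP, 8096), ("icmp", JELLYFIN_IP, None)):
            print(label, pkt, "->", evaluate(rules, *pkt))
```

The model only covers rule matching on the firewall; a host firewall on the server that drops requests from other subnets is a separate check.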
                                        • S
                                          swust
                                          last edited by May 19, 2022, 3:08 AM

                                          @stephenw10 @johnpoz

                                          my jellyfin server IP is 192.168.20.10. I have the allow ICMP rule at the top that i didn't include in the screenshot above. the jellyfin port alias includes the http/https port 8096/8920.

                                          Since I can't use the FireTV to ping out and diagnose, I use a Laptop as client on IoT VLAN to test if I can access Jellyfin server on HOME VLAN. so I redo the rules to allow all traffic from IoT VLAN to HOME VLAN , deactivate all the block rules and VPN routing. also reset states. reboot.


                                          HOME VLAN
                                          Jellyfin Server can ping all devices on IoT VLAN (including the FireTV client!), but can't ping my Laptop that's on the IoT VLAN.

                                          IoT VLAN
                                          The Laptop can ping all devices on IoT VLAN, the pfsense addresses on both LAN (192.168.10.1) and HOME VLAN (192.168.20.1), but can't ping my PCs on HOME VLAN.

                                          I thought this should be straightforward but it doesn't work! I suspect there's something on my Laptop. Are there any troubleshooting steps I can go through to figure this out?

                                          Thanks all @stephenw10 @darcey @NogBadTheBad @johnpoz for your help! amazing community support!
