Access Jellyfin server on different subnet

swust · May 17, 2022, 5:32 AM

hi all. i have my jellyfin server on VLAN 1 (home network) and FireTV on VLAN 2 (IoT network). Have set up firewall rules that VLAN 2 can't access anything on VLAN 1. What is the best way to allow FireTV to access the Jellyfin server?

In my simple mind, I only need to give any devices on IoT Network (VLAN2) access to specific IP address of the Jellyfin server so I tried adding a firewall rules on the IoT Net to have access to the Jellyfin IP address, add a port forward to the Jellyfin but nothing works. What am I missing?

Thanks in advance.

stephenw10 · May 17, 2022, 12:28 PM

Yes, you only need to add a single firewall rule to the IoT interface to allow it. pfSense will route that, there is no port forwarding needed.
The server has to be configured to allow requests from outside it's subnet.
If clients are not using the servers IP directly then it musy be resolvable be whatever fqdn they are using.

Steve

swust · May 18, 2022, 8:29 AM

@stephenw10 thanks for the reply. i added this rule to allow a range of static IPs on my IOT net to my HOME net.

login-to-view

This rule is above the rule to block access of the remaining IoT IPs.

login-to-view

I thought this would be enough, but I still can't access my HOME network to access my shared drive via Windows' File Explorer.

Any thoughts what could be missing / wrong?

Thank you.

darcey · May 18, 2022, 8:36 AM

@swust If the firetv 'discovers' the media server, I believe you need some proxy service to relay between the IoT clients and the server (sorry can't remember the details as I gave up on it and put clients on the same network). Another way might be to give your media server interfaces on multiple networks, one being the IoT vlan.

NogBadTheBad · May 18, 2022, 2:46 PM

@swust what's Jellyfin running on, do you have an additional network port on the device and the ability to put firewall rules on the device Jellyfin is running on?

I do something vety similar with my Synology NAS and SMB shares with Infuse.

https://jellyfin.org/docs/general/networking/index.html#static-ports

stephenw10 · May 18, 2022, 2:55 PM

Yes, that rule will allow the connection. But you can see there is no data and no states shown on it. If the client is trying to connect to the server by its IP address directly that will work so it probably isn't.
How is the client trying to connect?
If it's some sort of auto discovery then that's just a world of pain across subnets! Unfortunately.

Steve

swust · May 18, 2022, 2:43 PM

@darcey unfortunately can't even discover the media server. any pointers on how to give the media server interfaces on multiple subnet? i searched but can't seem to find any information.

swust · May 18, 2022, 2:46 PM

@nogbadthebad running on Windows PC. i have all the Jellyfin related ports open but still can't access. would you have any link to resource re: what you did with the NAS and SMB share with Infuse?

stephenw10 · May 18, 2022, 2:55 PM

@stephenw10 said in Access Jellyfin server on different subnet:

How is the client trying to connect?

Still that question. ^

swust · May 18, 2022, 3:01 PM

@stephenw10 the client (firetv) connects to the server through the server's IP address. it will try to reach server via http://192.168.x.x:8096. is this what you mean?

johnpoz · May 18, 2022, 3:05 PM

@swust said in Access Jellyfin server on different subnet:

can't even discover the media server.

As already mentioned discovery isn't going to work across subnets..

https://jellyfin.org/docs/general/networking/index.html

Have you just tried connecting to it on its http port by default is

8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.

client (firetv) connects

Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

if that is not working - your not forcing traffic out a gateway are you.. This is common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

Can you ping this jellyfin IP even?

swust · May 18, 2022, 3:13 PM

@johnpoz said in Access Jellyfin server on different subnet:

@swust said in Access Jellyfin server on different subnet:

can't even discover the media server.

As already mentioned discovery isn't going to work across subnets..

https://jellyfin.org/docs/general/networking/index.html

Have you just tried connecting to it on its http port by default is
8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
client (firetv) connects

yes i tried this, but doesn't connect.

Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

if that is not working - your not forcing traffic out a gateway are you.. This is common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

Can you ping this jellyfin IP even?

I can't ping the jellyfin IP. I'm not very well versed on this so I don't quite get what you mean by forcing traffic out a gateway. Perhaps easier to show you what firewall rules i have under the IoT VLAN below.

The HOME VLAN which I am trying to reach from IoT VLAN also have the Block Incoming rules.

Is there any rule I have here that is the problem?

login-to-view

darcey · May 18, 2022, 3:23 PM

@swust said in Access Jellyfin server on different subnet:

@stephenw10 the client (firetv) connects to the server through the server's IP address. it will try to reach server via http://192.168.x.x:8096. is this what you mean?

I have not used firetv but if it is like any of the very limited number of media player devices I have tried, it relies on some sort of autodiscovery to find local media servers and does not provide a method to specify media server host addresses.
If firetv does allow you to do the latter, then your firewall rules should suffice and your problem exists elsewhere.
But if it does require autodiscover (SSDP/UPNP), that only works across the same subnet. With media server on another network, the auto discover broadcast traffic must be proxied (on the client network) and forwarded to a nominated media server (specified in proxy setup).

EDIT: I just saw the mention of no ping so I guess you're problem is something more fundamental at this point.

johnpoz · May 18, 2022, 3:23 PM

@swust Well your rules you post, on your iot interface.. doesn't even show any evaluations that 0/0 there.

What is in your jellyfin alias?

What is the jellyfin IP? Why not create a IPv4 any any rule to your jellyfin IP.. Can you now ping it from your iot vlan?

And your clearly routing traffic out your vpn gateway.. So if your rule to allow jellyfin is not matching the traffic, your traffic would go out your vpn gateway..

stephenw10 · May 18, 2022, 3:35 PM

@swust said in Access Jellyfin server on different subnet:

I can't ping the jellyfin IP.

That's because your firewall rule (which still shows 0 states and 0 traffic) is passing TCP and UDP only. Change the protocol to 'any' and that will include icmp. Or add a rule to pass icmp specifically.

johnpoz · May 18, 2022, 3:39 PM

@stephenw10 looks like he is limiting to ports in a a jellyfin alias as well. So icmp wouldn't work even if it was a any any rule vs just tcp/udp.

Since there is zero evaluations on that rule - either he has the wrong ports in that alias, or its not actually populated at all. But if it had the jellyfin http port, he should be able to access it. Or atleast show a evaluation on it vs 0/0

Possible he had an existing state going out his vpn connection?

I would create a IPv4 any any rule to your jellyfin IP, and make sure all states are clear in your state table to your jellyfin IP.. And then you should be able to ping it an access it via http or https.

NogBadTheBad · May 18, 2022, 5:50 PM

@swust said in Access Jellyfin server on different subnet:

@nogbadthebad running on Windows PC. i have all the Jellyfin related ports open but still can't access. would you have any link to resource re: what you did with the NAS and SMB share with Infuse?

My NAS has 4 ethernet interfaces, the main one is on the USER vlan ( vlan 2 ), an additional interface is connected to the IOT vlan ( vlan 4 ) and there are firewall rules on the NAS to only enable SMB access for the AppleTV devices, so traffic doesn't traverse the pfSense firewall.

login-to-view

stephenw10 · May 18, 2022, 3:53 PM

If you set the protocol to anything other than tcp and/or udp the ports are removed anyway.

johnpoz · May 18, 2022, 4:01 PM

@stephenw10 true ;)

swust · May 19, 2022, 3:08 AM

@stephenw10 @johnpoz

my jellyfin server IP is 192.168.20.10. I have the allow ICMP rule at the top that i didn't include in the screenshot above. the jellyfin port alias includes the http/https port 8096/8920.

Since I can't use the FireTV to ping out and diagnose, I use a Laptop as client on IoT VLAN to test if I can access Jellyfin server on HOME VLAN. so I redo the rules to allow all traffic from IoT VLAN to HOME VLAN , deactivate all the block rules and VPN routing. also reset states. reboot.

login-to-view

HOME VLAN
Jellyfin Server can ping all devices on IoT VLAN (including the FireTV client!), but can't ping my Laptop that's on the IoT VLAN.

IoT VLAN
The Laptop can ping all devices on IoT VLAN, the pfsense addresses on both LAN (192.168.10.1) and HOME VLAN (192.168.20.1), but can't ping my PCs on HOME VLAN.

I thought this should be straightforward but it doesn't work! I suspect there's something on my Laptop. Is there any troubleshooting steps I can go through to figure this out?

Thanks all @stephenw10 @darcey @NogBadTheBad @johnpoz for your help! amazing community support!