Netgate Discussion Forum

    Access Jellyfin server on different subnet

    • johnpozJ
      johnpoz LAYER 8 Global Moderator @swust
      last edited by johnpoz

      @swust said in Access Jellyfin server on different subnet:

      can't even discover the media server.

      As already mentioned discovery isn't going to work across subnets..

      https://jellyfin.org/docs/general/networking/index.html

      Have you just tried connecting to it on its http port by default is

      8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
      8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
      

      client (firetv) connects

      Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

      if that is not working - you're not forcing traffic out a gateway are you.. This is a common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

      Can you ping this jellyfin IP even?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      S 1 Reply Last reply Reply Quote 1
      • S
        swust @johnpoz
        last edited by

        @johnpoz said in Access Jellyfin server on different subnet:

        @swust said in Access Jellyfin server on different subnet:

        can't even discover the media server.

        As already mentioned discovery isn't going to work across subnets..

        https://jellyfin.org/docs/general/networking/index.html

        Have you just tried connecting to it on its http port by default is

        8096/tcp is used by default for HTTP traffic. You can change this in the dashboard.
        8920/tcp is used by default for HTTPS traffic. You can change this in the dashboard.
        

        client (firetv) connects

        yes i tried this, but doesn't connect.

        Per the link I provided it mentions issues with some clients and self signed certs, etc. I would suggest you get just plain old http connection working from your browser..

        if that is not working - you're not forcing traffic out a gateway are you.. This is a common user mistake.. Rules on your client pfsense interface forcing traffic out a gateway can prevent access to other local networks.

        Can you ping this jellyfin IP even?

        I can't ping the jellyfin IP. I'm not very well versed on this so I don't quite get what you mean by forcing traffic out a gateway. Perhaps easier to show you what firewall rules i have under the IoT VLAN below.

        The HOME VLAN which I am trying to reach from IoT VLAN also has the Block Incoming rules.

        Is there any rule I have here that is the problem?

        rules.png

        johnpozJ stephenw10S 2 Replies Last reply Reply Quote 0
        • D
          darcey @swust
          last edited by darcey

          @swust said in Access Jellyfin server on different subnet:

          @stephenw10 the client (firetv) connects to the server through the server's IP address. it will try to reach server via http://192.168.x.x:8096. is this what you mean?

          I have not used firetv but if it is like any of the very limited number of media player devices I have tried, it relies on some sort of autodiscovery to find local media servers and does not provide a method to specify media server host addresses.
          If firetv does allow you to do the latter, then your firewall rules should suffice and your problem exists elsewhere.
          But if it does require autodiscover (SSDP/UPNP), that only works across the same subnet. With media server on another network, the auto discover broadcast traffic must be proxied (on the client network) and forwarded to a nominated media server (specified in proxy setup).

          EDIT: I just saw the mention of no ping so I guess your problem is something more fundamental at this point.

          1 Reply Last reply Reply Quote 1
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @swust
            last edited by

            @swust Well your rules you post, on your iot interface.. doesn't even show any evaluations that 0/0 there.

            What is in your jellyfin alias?

            What is the jellyfin IP? Why not create an IPv4 any any rule to your jellyfin IP.. Can you now ping it from your iot vlan?

            And you're clearly routing traffic out your vpn gateway.. So if your rule to allow jellyfin is not matching the traffic, your traffic would go out your vpn gateway..


            1 Reply Last reply Reply Quote 1
            • stephenw10S
              stephenw10 Netgate Administrator @swust
              last edited by

              @swust said in Access Jellyfin server on different subnet:

              I can't ping the jellyfin IP.

              That's because your firewall rule (which still shows 0 states and 0 traffic) is passing TCP and UDP only. Change the protocol to 'any' and that will include icmp. Or add a rule to pass icmp specifically.

              johnpozJ 1 Reply Last reply Reply Quote 2
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @stephenw10
                last edited by

                @stephenw10 looks like he is limiting to ports in a jellyfin alias as well. So icmp wouldn't work even if it was an any any rule vs just tcp/udp.

                Since there are zero evaluations on that rule - either he has the wrong ports in that alias, or it's not actually populated at all. But if it had the jellyfin http port, he should be able to access it. Or at least show an evaluation on it vs 0/0

                Possible he had an existing state going out his vpn connection?

                I would create an IPv4 any any rule to your jellyfin IP, and make sure all states are clear in your state table to your jellyfin IP.. And then you should be able to ping it and access it via http or https.


                1 Reply Last reply Reply Quote 1
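Added example (not from any poster in this thread, and not pfSense code): a simplified Python model of the behaviour the replies above describe, namely first-match rule evaluation on the IoT interface, a TCP/UDP port-alias rule that ICMP can never match, a catch-all rule that policy-routes to a VPN gateway, and an existing state that keeps steering traffic until states are reset. The rule names, the `VPN_GW` label and the rule set itself are constructed stand-ins for the screenshot; only 192.168.20.10 and ports 8096/8920 come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "pass" or "block"
    dst: str                          # destination network in CIDR form
    protos: frozenset = frozenset()   # empty set means any protocol
    ports: frozenset = frozenset()    # empty set means any port (tcp/udp only)
    gateway: Optional[str] = None     # policy-routing gateway, None = routing table

    def matches(self, proto, dst_ip, dst_port):
        if self.protos and proto not in self.protos:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        # A port list can only match packets that carry a port (tcp/udp).
        if self.ports and dst_port not in self.ports:
            return False
        return True


class Interface:
    """Simplified model: state table first, then the first matching rule wins."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.states = {}

    def evaluate(self, proto, dst_ip, dst_port=None):
        key = (proto, dst_ip, dst_port)
        if key in self.states:            # an existing state bypasses the ruleset
            return self.states[key]
        for rule in self.rules:
            if rule.matches(proto, dst_ip, dst_port):
                verdict = (rule.name, rule.action, rule.gateway or "routing table")
                if rule.action == "pass":
                    self.states[key] = verdict
                return verdict
        return ("default deny", "block", None)


JELLYFIN = "192.168.20.10"   # server address given in the thread
# Constructed rules standing in for the screenshot (assumption, not the real set).
ALLOW_JELLYFIN = Rule("allow jellyfin ports", "pass", JELLYFIN + "/32",
                      frozenset({"tcp", "udp"}), frozenset({8096, 8920}))
VPN_ALL = Rule("everything via VPN", "pass", "0.0.0.0/0", gateway="VPN_GW")
ALLOW_ANY = Rule("any to jellyfin", "pass", JELLYFIN + "/32")


def demo():
    iot = Interface([ALLOW_JELLYFIN, VPN_ALL])
    http = iot.evaluate("tcp", JELLYFIN, 8096)   # matches the port rule, stays local
    ping = iot.evaluate("icmp", JELLYFIN)        # wrong protocol: falls to the VPN rule
    iot.rules.insert(0, ALLOW_ANY)               # add an any-protocol rule on top
    stale = iot.evaluate("icmp", JELLYFIN)       # old state still sends it to the VPN
    iot.states.clear()                           # reset states
    fixed = iot.evaluate("icmp", JELLYFIN)       # now matches the new top rule
    return http, ping, stale, fixed


if __name__ == "__main__":
    for label, result in zip(("http", "ping", "stale", "fixed"), demo()):
        print(label, result)
```
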
                • NogBadTheBadN
                  NogBadTheBad @swust
                  last edited by NogBadTheBad

                  @swust said in Access Jellyfin server on different subnet:

                  @nogbadthebad running on Windows PC. i have all the Jellyfin related ports open but still can't access. would you have any link to resource re: what you did with the NAS and SMB share with Infuse?

                  My NAS has 4 ethernet interfaces, the main one is on the USER vlan ( vlan 2 ), an additional interface is connected to the IOT vlan ( vlan 4 ) and there are firewall rules on the NAS to only enable SMB access for the AppleTV devices, so traffic doesn't traverse the pfSense firewall.

                  widget_image.picture-0.png

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                  1 Reply Last reply Reply Quote 1
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    If you set the protocol to anything other than tcp and/or udp the ports are removed anyway. 😉

                    johnpozJ 1 Reply Last reply Reply Quote 1
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @stephenw10
                      last edited by

                      @stephenw10 true ;)


                      1 Reply Last reply Reply Quote 0
                      • S
                        swust
                        last edited by

                        @stephenw10 @johnpoz

                        my jellyfin server IP is 192.168.20.10. I have the allow ICMP rule at the top that i didn't include in the screenshot above. the jellyfin port alias includes the http/https port 8096/8920.

                        Since I can't use the FireTV to ping out and diagnose, I use a Laptop as client on IoT VLAN to test if I can access Jellyfin server on HOME VLAN. so I redo the rules to allow all traffic from IoT VLAN to HOME VLAN , deactivate all the block rules and VPN routing. also reset states. reboot.

                        rules.png

                        HOME VLAN
                        Jellyfin Server can ping all devices on IoT VLAN (including the FireTV client!), but can't ping my Laptop that's on the IoT VLAN.

                        IoT VLAN
                        The Laptop can ping all devices on IoT VLAN, the pfsense addresses on both LAN (192.168.10.1) and HOME VLAN (192.168.20.1), but can't ping my PCs on HOME VLAN.

                        I thought this should be straightforward but it doesn't work! I suspect there's something on my Laptop. Are there any troubleshooting steps I can go through to figure this out?

                        Thanks all @stephenw10 @darcey @NogBadTheBad @johnpoz for your help! amazing community support!

                        D johnpozJ 3 Replies Last reply Reply Quote 0
                        • D
                          darcey @swust
                          last edited by darcey

                          @swust

                          My understanding is the firewall operates upon traffic entering an interface from outside. So, either your rules are blocking echoreq entering via IOT or echoreply returning via HOME. That or some policy based rule is sending the traffic elsewhere at some point on its journey through the firewall.

                          It may help to log some default drops:
                          Temporarily add an explicit block/log rule at the end of the firewall rules for both HOME and IOT interfaces. See if/where ICMP traffic (or other traffic of interest) may be getting blocked. Or I think you can turn on default drop logging somewhere. You can then filter the firewall log view.

                          1 Reply Last reply Reply Quote 1
                          • D
                            darcey @swust
                            last edited by darcey

                            @swust said in Access Jellyfin server on different subnet:

                            Jellyfin Server can ping all devices on IoT VLAN (including the FireTV client!), but can't ping my Laptop that's on the IoT VLAN.

                            Are you sure your laptop normally responds to ICMP or other protocols for that matter? Maybe it is in some public network mode.

                            1 Reply Last reply Reply Quote 2
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @swust
                              last edited by johnpoz

                              @swust said in Access Jellyfin server on different subnet:

                              i didn't include in the screenshot above.

                              Why? If you want help - you need to show us your rules. Also helpful leaving the interface the rules are on in the screenshot as well..

                              @darcey said in Access Jellyfin server on different subnet:

                              Are you sure your laptop normally responds to ICMP

                              This could be it sure - windows firewall out of the box is not going to answer ping from another network.

                              Also any return traffic is allowed by the firewall via the state.. So doesn't matter what rules are on the destination network, you could have zero rules and answer to some traffic would be allowed by pfsense via the state it created when it allowed the traffic. While icmp is actually a stateless protocol - pfsense does create a state to track it.

                              Here is me pinging something in dmz network from my lan network.

                              ping.jpg

                              I do not allow my dmz to talk to my lan, but lan can talk to dmz - so pinging dmz works, as long as the devices in the dmz answer.

                              Notice the rule on dmz that specifically rejects talking to other rfc1918 networks, yet my ping to it works just fine.

                              dmzrules.jpg


                              S 1 Reply Last reply Reply Quote 2
                              • S
                                swust @johnpoz
                                last edited by

                                @johnpoz @darcey

                                I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what's been rejecting connection. Jellyfin now can access the server, and my Laptop can also access the server. my initial pfsense firewall rules were fine. the full set below, work flawlessly.

                                0074a747-3cc5-4215-b483-43b49606f0fd-image.png

                                Thanks a lot for all your inputs, much appreciated!

                                D johnpozJ 2 Replies Last reply Reply Quote 2
                                • D
                                  darcey @swust
                                  last edited by

                                  @swust said in Access Jellyfin server on different subnet:

                                  I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what's been rejecting connection.

                                  Aha! Good news.

                                  Does this mean you've also successfully played back content, served up by jellyfin, on your firetv yet? And done so without doing the SSDP/autodiscovery proxy thing for the IoT LAN?
                                  Then I might get one of these firetv devices ;-)

                                  S 1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @swust
                                    last edited by johnpoz

                                    @swust what exactly are you pointing devices in your iot for dns.. They sure can't be using pfsense since you're blocking that access in first rule. Ah unless you don't have 53 in the ports list on that rule.

                                    You're also sending everything out your vpn, so saying allow internet below that is pointless. so even dns would need to go out your vpn..


                                    S 1 Reply Last reply Reply Quote 1
                                    • S
                                      swust @darcey
                                      last edited by

                                      @darcey said in Access Jellyfin server on different subnet:

                                      @swust said in Access Jellyfin server on different subnet:

                                      I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what's been rejecting connection.

                                      Aha! Good news.

                                      Does this mean you've also successfully played back content, served up by jellyfin, on your firetv yet? And done so without doing the SSDP/autodiscovery proxy thing for the IoT LAN?
                                      Then I might get one of these firetv devices ;-)

                                      yes I can play everything from the server on both my FireTV and Cube. I am running Kodi on both, I can set the IP of the server directly via Jellyfin addon for Kodi. I'm not sure if discovery would work. I tested on my phone and upon installing, it doesn't automatically search the same way it usually does. But I can simply input the server IP address and it works fine.

                                      D 1 Reply Last reply Reply Quote 1
                                      • S
                                        swust @johnpoz
                                        last edited by

                                        @johnpoz said in Access Jellyfin server on different subnet:

                                        @swust what exactly are you pointing devices in your iot for dns.. They sure can't be using pfsense since you're blocking that access in first rule. Ah unless you don't have 53 in the ports list on that rule.

                                        I'm not sure about this, I didn't specifically change anything. I don't have port 53 in the first rule, only 22 and 443. Should I though?

                                        I am using DNS Forwarder rather than Resolver, the ISP in Indonesia has some sort of censorship so we have to use their specific DNS otherwise it won't work.

                                        You're also sending everything out your vpn, so saying allow internet below that is pointless. so even dns would need to go out your vpn..

                                        Makes sense. I didn't think about this, but I need to keep this, sometimes I need to turn the VPN off because some local sites don't work, or PIA is extremely slow.

                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • D
                                          darcey @swust
                                          last edited by

                                          @swust
                                          Thanks. I'd like a compact media player that doesn't rely solely on SSDP (like the smart tv does). That would make IoT/server separation cleaner IMO.

                                          NogBadTheBadN 1 Reply Last reply Reply Quote 1
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator @swust
                                            last edited by

                                            @swust said in Access Jellyfin server on different subnet:

                                            sometimes I need to turn the VPN off because some local sites don't work

                                            A better way would be a rule above the vpn rule to allow those sites, or a rule above that has a specific device not use the vpn etc..


                                            S 1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.