Access Jellyfin server on different subnet
-
@swust said in Access Jellyfin server on different subnet:
i didn't include in the screenshot above.
Why? If you want help - you need to show us your rules. Also helpful leaving the interface the rules are on in the screenshot as well..
@darcey said in Access Jellyfin server on different subnet:
Are you sure your laptop normally responds to ICMP
This could be it sure - windows firewall out of the box is not going to answer ping from another network.
Also any return traffic is allowed by the firewall via the state.. So doesn't matter what rules are on the destination network, you could have zero rules and answer to some traffic would be allowed by pfsense via the state it created when it allowed the traffic. While icmp is actually a stateless protocol - pfsense does create a state to track it.
Here is me pinging something in dmz network from my lan network.
I do not allow my dmz talk to my lan, but lan can talk to dmz - so pinging dmz works, as long as the devices in the dmz answer.
Notice the rule on dmz that specifically rejects talking to other rfc1918 networks, yet my ping to it works just fine.
-
I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what been rejecting connection. Jellyfin now can access the server, and my Laptop can also access the server. my initial pfsense firewall rules were fine. the full set below, work flawlessly.
Thanks a lot for all your inputs, much appreciated!
-
@swust said in Access Jellyfin server on different subnet:
I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what been rejecting connection.
Aha! Good news.
Does this mean you've also successfully played back content, served up by jellyfin, on your firetv yet? And done so without doing the SSDP/autodiscovery proxy thing for the IoT LAN?
Then I might get one of these firetv devices ;-) -
@swust what exactly are you pointing devices in your iot for dns.. They sure can't be using pfsense since your blocking that access in first rule. Ah unless you don't have 53 in the ports list on that rule.
Your also sending everything out your vpn, so saying allow internet below that is pointless. so even dns would need to go out your vpn..
-
@darcey said in Access Jellyfin server on different subnet:
@swust said in Access Jellyfin server on different subnet:
I figured it out! having read all your comments, i somehow thought of my ESET firewall on the jellyfin server. it's what been rejecting connection.
Aha! Good news.
Does this mean you've also successfully played back content, served up by jellyfin, on your firetv yet? And done so without doing the SSDP/autodiscovery proxy thing for the IoT LAN?
Then I might get one of these firetv devices ;-)yes I can play everything from the server on both my FireTV and Cube. I am running Kodi on both, I can set the IP of the server directly via Jellyfin addon for Kodi. I'm not sure if discovery would work. I tested on my phone and upon installing, it doesn't automatically search the same way it usually does. But I can simply input the server IP address and it works fine.
-
@johnpoz said in Access Jellyfin server on different subnet:
@swust what exactly are you pointing devices in your iot for dns.. They sure can't be using pfsense since your blocking that access in first rule. Ah unless you don't have 53 in the ports list on that rule.
I'm not sure about this, I didn't specifically changed anything. I don't have port 53 in the first rule, only 22 and 443. Should I though?
I am using DNS Forwarder rather than Resolver, the ISP in Indonesia has some sort of censorship so we have to use their specific DNS otherwise it won't work.
Your also sending everything out your vpn, so saying allow internet below that is pointless. so even dns would need to go out your vpn..
Makes sense. I didn't think about this, but I need to keep this, sometimes I need to turn the VPN off because some local sites doesn't work, or PIA is extremely slow.
-
@swust
Thanks. I'd like a compact media player that doesn't rely soley on SSDP (like the smart tv does). That would make IoT/server separation cleaner IMO. -
@swust said in Access Jellyfin server on different subnet:
sometimes I need to turn the VPN off because some local sites doesn't work
Better way would rule above the vpn rule to allow those sites, or rule above that has specific device not use the vpn etc..
-
@darcey said in Access Jellyfin server on different subnet:
@swust
Thanks. I'd like a compact media player that doesn't rely soley on SSDP (like the smart tv does). That would make IoT/server separation cleaner IMO.If you're an Apple type, I'd recommend an Apple TV with the Infuse app.
https://firecore.com/infuse
-
@nogbadthebad Thanks for the suggestion. It's a bit more than my needs justify right now.
I'm looking for a basic (cheap compact) consumer playback device that can:- Access a DNLA media server from a typed URL. No reliance on autodiscover.
- Support media navigation from a tv remote (via CEC passthrough).
- Amazon prime video support a bonus.
I guess this is something like Kodi on a raspberry pi, but I wonder if firetv stick will manage it.
Currently I spin up minidlna containers on network where needed and mount the media library RO in the container. But the OPs setup made me curious.
-
I guess this is something like Kodi on a raspberry pi, but I wonder if firetv stick will manage it.
i've been using Cube and FireTV with Kodi via SMB shares for years and it's been very good. only recently discovered Jellyfin, which is nicer since my library is centralized, and the trakt.tv addon is great to managed watched status. Media navigation with TV remote worked flawlessly on my Samsung TV, though to exit Kodi, gotta go through the kodi menu rather than just using the back button on the TV remote.
-
@johnpoz said in Access Jellyfin server on different subnet:
@swust said in Access Jellyfin server on different subnet:
sometimes I need to turn the VPN off because some local sites doesn't work
Better way would rule above the vpn rule to allow those sites, or rule above that has specific device not use the vpn etc..
thought about that but those sites are few and random, so i thought it's easier to just kill the VPN temporarily if i need to access to sites which is very infrequent.
-
@swust even if infrequent, once you create the rule for those things you don't want to use the vpn for.. Its a one time thing, and then you don't have to worry about disable vpn any time you need to access those. That is what I would do - but hey you do you.. Either way works.
-
@johnpoz said in Access Jellyfin server on different subnet:
@swust even if infrequent, once you create the rule for those things you don't want to use the vpn for.. Its a one time thing, and then you don't have to worry about disable vpn any time you need to access those. That is what I would do - but hey you do you.. Either way works.
good suggestions. i've been tinkering, and this gives me the idea to NOT route my netflix via VPN which screwed up the geo-location available content . is it possible to also exclude specific website or domain or application in pfsense firewall rules? i can't find any reference for this.
-
You can only policy route by IP addresses or aliases containing multiple IP addresses.
So mostly it depends if you can create a list of the destination you want to allow. There are some ways you can attempt to do that, the easiest is to use pfBlocker to create and update an alias for, for example, Netflix using their AS number:
It's not perfect though, you will find some traffic is incorrectly routed.
Steve
-
@swust said in Access Jellyfin server on different subnet:
NOT route my netflix via VPN which screwed up the geo-location available content
Well that is normally easier done vs source IP, ie your firestick or roku or amazonTV, just set its IP to policy route.
Policy route via CDNs where IPs change all the time could be problematic - the AS alias with pfblocker could allow you to route all IPs for a company out the way you want..
-
I see. pfBlocker is on my list to learn next. Will start looking into it and explore. Will come back to you guys and the forum if there're questions in the future
thanks for the input