Plex not working outside the network

AndyRH

I have a simple NAT rule in pfSense and it works for me. My ATT gateway has pfSense in the DMZ so all ports are sent to pfSense.
It may take a packet capture to know for sure which system is rejecting the port.

Does vodafone have a DMZ option?

Owen82

Did your NAT rule also create a firewall rule? I think there is an option towards the botton of the NAT rule settings where you can see the associated "Filter rule association" (i just checked :) ).

AndyRH

Yes, there is a NAT rule and FW rule.

johnpoz

I have been running plex behind pfsense for years. And have many many people using it remotely.. And yes for last few years this has been on my synology nas (ds918+) Which works great btw.. Low power nas, with decent enough umph to handle multiple clients on 1080..

If can you see me . org test on 32400 is not working.. Then something wrong.. First test is to validate traffic actually gets to your pfsense wan. I use a different external port than internal - but this doesn't really matter for the sake of discussion. Lets call it security through obscurity ;) This is a way I can see what is just scanning or plex, and who are my true clients.

While running the test from the external - sniff on your wan and validate that traffic gets there.

No offense - but can we see these rules.. Users quite often say they did X, but find out they really did A+B^12x42

Do have any floating rules? What version of pfsense are you on? Do you have multiple wan? There is a known issues with port forwards and multiple wan only working with default gateway, etc. Do you have rule on top of the rule that allows that could block?

Do you get a green check mark in plex?

I currently use different external port, but it sends to plex on 32400..

Are you using say pfblocker auto rules to block countries? Or Ips - notice I use in my rules pfblocker to limit who can talk to plex. I have added to this list the status checking IPs they use to see if your plex is open.

I allow only US Ips, and the IPs from external check I do with status cake to notify me if plex goes down, and the IP that plex uses to check if plex is available remotely - these IPs sometimes change. Here is that url https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Is plex actually seeing your correct public IP? If you are routing traffic out a vpn for example - plex might think its X, while your real wan is Y.. Remote clients trying to go to X would never get to your plex.. Notice the IP plex is showing for its external in the remote setting.. Mine starts with 64, but that is my actual pfsense wan IP..

mcury

@johnpoz said in Plex not working outside the network:

I allow only US Ips, and the IPs from external check I do with status cake to notify me if plex goes down, and the IP that plex uses to check if plex is available remotely - these IPs sometimes change. Here is that url https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Hey, those are the best tips ever...
Just copied your setup

Just not using the statuscake, to be honest didn't understand what it does..

johnpoz

Its a free service that can monitor stuff, ping, tcp ports, etc. And will send you alert if goes down. This way I know if my plex goes offline, and can fix before my friends and family start asking me why plex isn't working ;)

mcury

Very useful indeed.. I thought that my setup was good before... :)

johnpoz

Only thing is - if you limit IPs like US only, etc. Their IPs change now and then - so they could send you a false down alert.. So use their dynamic list they provide to make sure the IPs they might test from are allowed to talk to plex.

mcury

Only thing is - if you limit IPs like US only, etc. Their IPs change now and then - so they could send you a false down alert.. So use their dynamic list they provide to make sure the IPs they might test from are allowed to talk to plex.

Already set :)

johnpoz

You might also want to enable plex own checks to see that plex is available remote. Or plex itself might think its not available remotely - and you get stuck doing relay mode for remote users.

edit: Oh you have that one - if you want to use status cake you would want to add their ips

mcury

@johnpoz said in Plex not working outside the network:

You might also want to enable plex own checks to see that plex is available remote. Or plex itself might think its not available remotely - and you get stuck doing relay mode for remote users.

Already set :)

edit: Oh you have that one - if you want to use status cake you would want to add their ips

I'll add it, opened their website and it seems that I need an account to proceed, still checking how to proceed

johnpoz

Yeah you need an account - but they have a free tier that allows quite a few checks - its just some limitations on how many ips can check you, and from where - and how often you can check etc.

I just use the free service and have multiple things being checked not just plex.

edit: Here are my current tests

mcury

How I didn't hear about this service earlier? Man, that's very useful indeed..
It doesn't matter how I improve my network, there is always a last mile..

johnpoz

You can also setup status pages that your users can access and see if a service is up or down

They use to allow for custom urls on that - but that became a pro only feature - but non custom url still works for your users.

Another one you might look into - also free is uptimerobot

mcury

Based on your rules showed in a previous topic (no ICMP just plex port), they keep sending TCP SYN to the port configured to confirm if its opened.. Even better because if the WAN remains UP but the service goes down, they will track and keep a history of it..

johnpoz

Exactly - I have another test, that home that just pings my IP to see if my internet is up. But the tcp test tells me if plex went down, but my internet is still up.

More often than not its actual internet that goes down - but plex now and then does hang or crash, etc.

Or maybe I dicked with the rules and messed up remote access to plex, etc. Its great to have both tests internet, and then specific service.

mcury

That is useful to me as well, here where I live the Internet goes down everyday.. I'm not sure if its cabling here inside the building or if it's the ISP itself, I don't hear other users complaining so much as I do..

More often than not its actual internet that goes down - but plex now and then does hang or crash, etc.

A very fast troubleshooting that you could do through your phone

Or maybe I dicked with the rules and messed up remote access to plex, etc. Its great to have both tests internet, and then specific service.

Who never did it? :)

johnpoz

@mcury said in Plex not working outside the network:

Who never did it? :)

Exactly ;) hehehe - so its good to know very quickly if plex is no longer available when you might be playing with rules, etc.

And yeah you can see pretty easy right on your phone if total internet is down, or just something wrong with plex.. Great service - and very usable even at the free level.

iampowerslave

@johnpoz Is it OK to just NAT stuff out? I have had my share of opening ports. Unless you are using another obvious anti scan tool, snort, etc, you'll get traffic from anywhere straight to your NAS for it to handle, how do you secure that?

Instead of doing that I just VPN in.

johnpoz

Plex is pretty secure on its own.. You have to auth through their service, and you can now enable 2fa if you want.

I limit who can hit my open ports using pfblocker, only US ips - I at one time had the users give me their public IPs. But this was just to difficult for typical users ;)

And they change, and then they can't access from their phones while on cell data, etc. And some of them travel about, my one buddy spends time down in FL for example at different Air BnBs - yeah he is crazy during covid.. But he still wants to access my plex ;)

Part of the reason I put mine on a different port then 32400 on external - was to be able to see how many scans just to 32400.. I don't see any in the last 24 hours, 2000 log entries..

Yes if it was just you - by all means vpn in to your network vs exposure - agree 100%.. But then I have family that just has shit isp wifi router, and their tv is connected to the wifi.. How am I going to get them to setup a vpn to my pfsense.. I sure and the F am not going to spend the time, effort and most likely my own money to do that..

If your concern - then don't expose.. I am not that concerned. And I want to be able to share with my friends and family - and relay (outbound only is too slow 1 or 2mbps limit if your plex pass - I am), and locking to their ips while that would be next best option to vpn is too much work.. With all things related to security it always comes down to level of security vs ease of use..

Same goes for my request system, while this also requires login. I limit these standard port 443 to US ips. This is where my users are, and also behind a reverse proxy, and if you don't send the correct headers for the actual fqdn - you don't get connected. So this prevents random scans just scanning to an IP on 443. You can setup this restriction in haproxy.

example here is from external to my wan IP where 443 is sent to my ombi and overseerr request systems based on the fqdn used in the headers. If you don't have a valid name - you don't get past the reverse proxy

My biggest concern really is my plex users have shit plex passwords ;) And their account could get compromised. But I log all IPs, and get notifications of new IPs that connected (tautulli can do this). If I see some odd out of area for where that friend is, I contact them and ask, etc..

example

One of my friends came from a new IP.. Geo location is correct for him - He is in Chicago, and that IP is owned by comcast, his ISP.. So most likely his IP just changed.. No real reason to dig into that any further.. But if was not his isp, and was not somewhere in the area where I know he lives I would reach out to him, hey were using plex at that time watching this movie, etc.

This also keeps them from sharing their accounts with their friends ;) heheh That very well could be some friend of his, that he shared his account with. But I know him quite well, if I didn't he wouldn't have access to my plex. And he knows better to share his account, etc.

Yes security requires vigilance.