Port forward troubleshooting



  • Hi guys,

    Thanks for coming in. I am still on a learning curve with pfSense really. I am very open to guidance and advice.

    Please see the diagram in the attachment. Basically I am setting up Plex Media to stream audio files within the community.
    The problem is I have two pfSense firewalls in our network: External Firewall and Internal Firewall. The Plex Server is located within the Internal Firewall. The Plex Device is used within the External Firewall. The Plex device is having trouble connecting to the server across the firewall.

    Is it possible to get a Plex Device within the External Firewall network to connect to the Plex Server that is located in the Internal Firewall?

    Here is some extra information that might help

    External Firewall IP is 192.168.1.XX
    Internal Firewall IP is 192.168.0.XX

    I do not use any pfSense blocker

    I have tried to set up port forwarding in NAT but I might have done something wrong there.

    Please feel free to throw any comment in there.

    Thank you ever so much again for your help

    ![Direct connection.png](/public/imported_attachments/1/Direct connection.png)



  • A few port forwards for the various Plex services should be all you need if the basic networking is correct.  If the incoming Plex traffic is all private network space then you also need to disable the Block Private networks option on WAN.

    https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-

    The most important port to make sure your firewall allows is the main TCP port the Plex Media Server uses for communication:
      TCP: 32400 (for access to the Plex Media Server) [required]
    The following ports are also used for different services:
      UDP: 1900 (for access to the Plex DLNA Server)
      TCP: 3005 (for controlling Plex Home Theater via Plex Companion)
      UDP: 5353 (for older Bonjour/Avahi network discovery)
      TCP: 8324 (for controlling Plex for Roku via Plex Companion)
      UDP: 32410, 32412, 32413, 32414 (for current GDM network discovery)
      TCP: 32469 (for access to the Plex DLNA Server)



  • Hi KOM,

    Many thanks for your reply. I sort of understand that I have to do port forwarding but I am not sure where I have to set them up.
    According to the diagram, the only firewall I have to work with is the Internal Firewall, am I right?

    Here is what I did so far:

    I ticked off the Block private networks and loopback addresses and Block bogon networks options in WAN

    I created port forwarding in NAT. Please see my port forwarding in the attachment.

    After all this my Plex Device is still having an indirect connection.

    ![Static set up screen.jpg](/public/imported_attachments/1/Static set up screen.jpg)



  • You don't create port forwards via static routes.  Undo everything you did there.  Go to Firewall - NAT - Port Forward and create a forward there.



  • Hi Kom,

    I am sorry. The attachment on the previous reply was wrong.

    Please see my updated network map here.

    Also I attached my NAT port forwarding configuration there.

    ![Update Network map.png](/public/imported_attachments/1/Update Network map.png)
    ![NAT CONFIG TEST TWO.JPG](/public/imported_attachments/1/NAT CONFIG TEST TWO.JPG)



  • Your Destination address is wrong.  It should be set to WAN address.  You currently have it set to the LAN IP of your server.



  • Thank you,

    I made changes again. Could you please have a look?

    ![Port Forward second trail.PNG](/public/imported_attachments/1/Port Forward second trail.PNG)



  • Is 192.168.1.132 your WAN IP address?



  • Hi Kom,

    I am not sure if the WAN you are referring to is the WAN port in my Internal Firewall or External Firewall.

    My Internal Firewall WAN port is 192.168.1.132 and LAN is 192.168.0.254
    My External Firewall LAN port is 192.168.1.55 and I have four WAN ports. All four WAN ports are 10.X.X.X

    Since the Plex device is within the External Firewall forwarding to the Internal Firewall, I should set the port forward in the Internal Firewall by setting the destination to the WAN port of the Internal Firewall, isn't it?



  • WAN is WAN port on int firewall.

    How do you access this Plex dealie anyway?  Web browser or app?  What address are you using to connect?

    "I should set Port Forward in Internal Firewall by Set destination of WAN Port of Internal Firewall isn't it?"

    Yes.


  • Rebel Alliance Global Moderator

    how many threads you going to open about this?

    https://forum.pfsense.org/index.php?topic=123659.0



  • Hi Johnpoz,

    I opened two topics. I didn't want to mess up the forum type. I opened this one first about firewall and port forwarding, but the one I have with you was about routing, wasn't it? And it turns out we keep messaging about port forwarding.



  • Hi Kom,

    I use Plex App to access Plex Media Server.

    Please see my attachment for WAN and LAN information.

    192.168.1.132 is my WAN PORT for internal Firewall

    ![WAN AND LAN IP.JPG](/public/imported_attachments/1/WAN AND LAN IP.JPG)



  • What address are you using to connect?



  • Hi Kom,

    Currently only one device is being used for the test to connect to the Plex server, whose IP address is 192.168.1.65
    Subnet Mask is 255.255.255.0



  • I don't see 192.168.1.65 on your network diagram anywhere.  If you are Plex Device and you want to get to a forwarded server, then you need to connect to the WAN that is handling the forward.  Try telling your Plex software to talk to the Plex server at 192.168.1.132.  Internal pfSense (if you have your forwards setup correctly) should forward that traffic to the Plex server behind it.



  • Hello KOM,

    Thank you so much for keeping up with me.

    Honestly this is my very first time setting up port forwarding. I have read and learned a lot but never put it into practice before.

    I only set up the WiFi router behind the external firewall but not the internal firewall. Whatever device uses the Plex App will get an IP address from 192.168.1.55 - 192.168.1.254. That's why I didn't put any particular address in the diagram.

    I did set the Plex Device to point to port 192.168.1.132, which will get redirected to the Plex Server which is 192.168.0.61, however it gives me an error, but a different kind of error though



  • What error?  I don't have any experience with Plex so I can't give you more specific advice.  Please go through this list:

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Generally when you have a forward that isn't working, you need to verify several things.  The list above goes over all of them.



  • Hi Kom,

    I totally understand that this is as far as you can go with pfSense.

    The error said: A connection to a Server couldn't be established using the details you provided
    Error code: 401

    I need to go through the Plex forum and find out if anyone else has had the same experience

    It was a good sign though, because when I try to add the server, usually it will load for some time then give me an error message, but since I changed the setting you suggested it was different. The connection happened right away and popped up the different error message I wrote above. It seems like the connection takes place but something wasn't right.

    This question has nothing to do with pfSense at all, but do you know if I have to do anything with the Plex Server? I run it on Windows 7.
    I already added Plex port 32400 in the firewall rules on Windows 7.

    Do I have to do anything else?



  • Also is there any way I could test port forwarding within the local network?

    I noticed port forwarding tools I could use online but those were meant for testing with my public IP address and firewall.
    Surely I can't use that to test my local network port forwarding



  • I have zero Plex experience.  Did you forward ALL of the ports listed by the Plex wiki?  There were quite a few of them.  Other than that, use standard troubleshooting.  Check your pfSense firewall logs to see if it's blocking any traffic destined for the Plex server.  Check the Plex server logs or status to see if there is any network or authentication issues it may have logged.  Use the pfSense packet capture to sniff packets on LAN and see if the forwarded traffic is going to the Plex server.



  • Hi Kom,

    I added all the ports

    from this list

    https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-

    Still no good news.

    I am going one by one through the list you gave me.

    Also I did a Netstat -a port scan from a PC within the Internal Firewall. I don't see port 32400 on the list though.

    If I am not mistaken, should port 32400 be listening when I Netstat -a for port scanning?

    ![NAT Overview.PNG](/public/imported_attachments/1/NAT Overview.PNG)



  • "If I am not mistaken should port 32400 should be listen when I Netstat -a for port scanning?"

    No idea, I don't know Plex.  That port isn't in their list, so where did you get the idea that it's required for Plex?  If you can confirm from your firewall logs that nothing is being blocked, and from a packet capture you can see the forwarded traffic leaving the internal pfSense LAN interface, then your problem is with the Plex server and client.


  • Rebel Alliance Global Moderator

    "That port isn't in their list"

    Huh.. It's the TOP of the list, and really the ONLY port that needs to be allowed for remote access to plex.. All of those other ports are not needed for remote access and are really related to a software firewall running on the plex box itself.

    The most important port to make sure your firewall allows is the main TCP port the Plex Media Server uses for communication..

    TCP: 32400 (for access to the Plex Media Server) [required]

    If your plex server is not listening on 32400, then you must have changed it - or plex isn't even running..  Under the server settings look at the remote settings.. You should see the port it's set to.. The default is 32400, unless you changed it that is the port.

    As you can see, yes, on the machine running plex server doing a netstat should show that port listening.  You should be able to access it via web interface on that port with the url I gave before and you can see in my screen shot.  Can you access that when you're on the local network??  Once you're outside the pfsense and you have forwarded that port you need to hit the pfsense WAN IP with that port and you should be forwarded to the plex IP you forwarded.

    If it works local and not remote, then go through the port forward troubleshooting..




  • "Huh.. Its the TOP of the list"

    OK, so I'm fully braindead today, not just my usual partial.  :-[  My eye skipped over that and went straight to the listy part of the list.



  • Hi Kom,

    That's ok. It happens sometimes. Thank you again for your help. I will keep you updated tomorrow. Somehow I totally messed my server up today.
    Just got it back online by a miracle.  Tomorrow is another day.



  • Hi Johnpoz,

    Thank you for your guide. I will have a look again tomorrow.

    I didn't do the port scan on the Plex server itself but on another computer in the same network behind the internal firewall, and I couldn't see port 32400 in the listing. Will check one more time and let you know.

    Thank you so much.


  • Rebel Alliance Global Moderator

    If you scanned the machine from another machine on the same network as plex, and didn't see 32400 as open.. Then either plex is not running, you changed the port or there is a firewall running on the plex server.

    If you say you disabled or allowed the ports on the windows firewall.. You sure you did it for the correct profile.  Windows has its private/work profile and then a public profile.  So you need to make sure you all the rules for the network profile the windows machine is using.  Or just turn it off altogether to be honest.. You're behind a firewall already, so unless you have hostile devices on this network you're on.. The software firewall is kind of pointless.

    Also you sure you're not running some other 3rd party firewall, say if you installed some antivirus, many of them have firewalls, etc.

    If you can get to plex from box on the same network as the plex server, then you're not going to be able to get to it from pfsense either..



  • Hi guys,

    Sorry for taking so long to write the update. I needed to catch up with some other work.

    Johnpoz was right about the port scan. I did a Netstat port scan on the Plex server. I could see port 32400 is listening on the Plex machine but for some reason the other machine within the same network couldn't see the port.

    I turned off the firewall and anti-virus. That did not make any difference. So I thought it was the machine's fault, so I installed a new Plex on a different machine but I got the same result.

    The Windows machine is using DHCP from the Server (not pfSense). I don't know if that makes any difference. I tried to make the machine static in pfSense but I get the same negative result.


  • Rebel Alliance Global Moderator

    Where they get dhcp has ZERO to do with anything..  The only thing about the dhcp server, if the dhcp server lists both the client and plex that are supposed to be on the same network getting an IP from the dhcp server - that says they are on the same layer 2 network.

    If your machines are connected to the same switch or wifi and they both have a 192.168.1.x address they are on the same network.  So unless you have isolation mode on and there is wifi involved?  Or you're running a private vlan on your switch.  There is nothing keeping these devices from talking to each other.

    Can you ping the plex box from this other machine on the plex network?

    If you can not ping the plex machine, then you're not really on the same network or plex is running a firewall.  Can you validate that plex mac address.  Once you try and ping the plex server from another machine on that network, if it does not answer then look in the client's mac table

    arp -a

    if you do not see the mac of the plex IP, then you're prob not on the same network.  Even if there was a firewall running on plex that blocked ping you would still be able to arp for it..

    If you can not even talk to the plex from the same network as the plex, then no amount of port forwarding is going to allow access.



  • Hi Johnpoz,

    Thank you for keeping up with me. Almost gave up honestly.

    @johnpoz:

    Can you ping the plex box from this other machine on the plex network?

    The Plex Server behind the internal firewall has got no WiFi involved at all. I could ping the Plex machine from another machine in the same network without any problem. I can also access Plex media via the web app and get a Nearby connection within the same network.

    However, when I do Netstat -a from the other machine I do not see port 32400. I only see port 32400 on the Plex machine when I scan.

    Please see detail below

    This is the port scan from Plex Machine

    This is the port scan from second machine behind internal firewall same network as Plex machine
    I couldn't see port 32400 in there

    I can ping Plex machine without a problem


    I just want to double check again with NAT Port Forwarding setting.

    Is the Port forward setting correct? I mean do I have to do anything else apart from configure in

    Firewall > NAT

    Do I need to touch anything else like gateway?

    It's a good idea to check my switch though. Never actually had a look at it.

    Thank you again Johnpoz

    Kind regards

    Luke


  • Rebel Alliance Global Moderator

    Dude let's go over this yet again!!!  if you can not get to plex from a machine also on 192.168.0 there is NO amount of port forwarding that is going to get an outside machine to get to it..

    Not sure what you think netstat does, but it sure and the F does not scan a remote machine.. It would show you if machine you ran it on had a connection to machine B..

    If plex is listening on 32400, and you from a machine on the same network can not get to the web interface using that port.. I the url I gave using your IP not mine.. If that does not come up then you have a firewall running on the plex or plex is just not working.  Does plex work from the plex server itself?

    your port forward is fine, other than normally just use the drop down wan address vs putting in the IP of the wan address.. If your wan address changes that could break your port forward.  Also when using single port don't normally put in twice on the dest.. like your doing a range.

    If you wanted to scan the plex machine to see if 32400 was open from a machine then you would scan with say nmap

    Here is scan of my plex machine for the plex port.  From a different machine, 192.168.9.100 in my case.

    
    > nmap -p 32400 192.168.9.8
    
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-01-14 04:53 Central Standard Time
    Nmap scan report for storage.local.lan (192.168.9.8)
    Host is up (0.00088s latency).
    PORT      STATE SERVICE
    32400/tcp open  plex
    MAC Address: 00:0C:29:48:2D:09 (VMware)
    
    Nmap done: 1 IP address (1 host up) scanned in 0.45 seconds
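
Added example, not part of the thread: a small Python check that, like the nmap scan above and unlike netstat, tests a port from a different machine, and then separates a server-side problem from a port-forward problem. The function names, result labels and hint texts are assumptions made for this example; the addresses in the `__main__` block are the ones quoted in the thread.

```python
import errno
import socket

def probe_tcp(host, port, timeout=2.0):
    """One TCP connect attempt from THIS machine to host:port.

    'open'     -> handshake completed: something is listening and reachable
    'closed'   -> a RST came back: host reachable, nothing accepting on the port
    'filtered' -> no answer or unreachable: dropped by a firewall or wrong network
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()

# Hypothetical labels for this example; the hints restate advice given in the thread.
HINTS = {
    "server-side": "Not reachable even from its own LAN: check that Plex is "
                   "running on that port and which host firewall profile applies.",
    "forward-ok": "Reachable through the pfSense WAN address: the forward works.",
    "forward-refused": "WAN probe was refused: check the redirect target IP and port.",
    "forward-dropped": "WAN probe got no answer: check the NAT rule, 'Block private "
                       "networks' on WAN, and capture on WAN to see if packets arrive.",
}

def diagnose(direct, via_wan):
    """direct:  result of probing server_ip:port from a host on the server's LAN.
    via_wan: result of probing pfsense_wan_ip:port from a host on the WAN side."""
    if direct != "open":
        return "server-side"      # no port forward can fix this
    if via_wan == "open":
        return "forward-ok"
    return "forward-refused" if via_wan == "closed" else "forward-dropped"

if __name__ == "__main__":
    # Addresses from the thread; run each probe from the matching network.
    print("direct :", probe_tcp("192.168.0.61", 32400))
    print("via WAN:", probe_tcp("192.168.1.132", 32400))
```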
    
    


  • Hi Johnpoz,

    Here is my Nmap scan from second machine to Plex Server

    It seems like I could scan port 32400 from the second machine. I am able to connect to the plex server from the web app as well. Of course this only works within the same network as plex.

    Also I checked my main switch. Under VLAN there are two options, which are Port-Based VLAN and IEEE 802.1Q VLAN.
    Currently it's ticked on Port-Based VLAN. I am not sure if it makes a difference here. Could you please let me know what you think?


  • Rebel Alliance Global Moderator

    if you can access plex from your local network that plex is on, then follow the port forwarding troubleshooting guide..

    How are we on page 3 when this is so freaking simple to troubleshoot.  If you give me remote access into your pfsense I'd have it figured out in a few minutes.

    Sniff at your wan, do you see the traffic, sniff on your lan (interface that is connected to plex network) do you see the traffic going to plex?  Do you see an answer?
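
Added example, not part of the thread: a Python script that applies the WAN/LAN capture comparison described above to tcpdump-style text, using constructed sample captures that reuse the thread's addresses. The function names, stage labels and sample lines are assumptions made for this example, and it assumes the redirect target port is the same as the forwarded port.

```python
import re

# Matches the tcpdump-style text lines a packet capture prints for TCP over IPv4.
PKT = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse(capture_text):
    """Return (src, sport, dst, dport, flags) for every TCP line in the capture."""
    return [
        (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
        for m in PKT.finditer(capture_text)
    ]

def locate_failure(wan_capture, lan_capture, wan_ip, server_ip, port):
    """Say at which hop the forwarded connection stops (labels are hypothetical)."""
    wan, lan = parse(wan_capture), parse(lan_capture)
    # 1. Did the client's SYN arrive at the WAN address at all?
    if not any(d == wan_ip and dp == port and f == "S" for _, _, d, dp, f in wan):
        return "never-reached-wan"   # wrong target address, or dropped upstream
    # 2. Did the SYN leave the LAN side, rewritten to the server address?
    if not any(d == server_ip and dp == port and f == "S" for _, _, d, dp, f in lan):
        return "not-forwarded"       # NAT rule or its firewall rule does not match
    # 3. Did the server answer on the LAN side?
    replies = [f for s, sp, _, _, f in lan if s == server_ip and sp == port]
    if any(f == "S." for f in replies):
        return "server-answered"     # SYN-ACK seen: the forward itself works
    if any("R" in f for f in replies):
        return "server-refused"      # RST: nothing listening on that port
    return "server-silent"           # host firewall, or the reply went elsewhere

# Constructed sample captures (client 192.168.1.65, WAN 192.168.1.132, server 192.168.0.61).
WAN_SAMPLE = """\
10:15:01.100000 IP 192.168.1.65.51514 > 192.168.1.132.32400: Flags [S], seq 100, win 64240, length 0
10:15:01.100900 IP 192.168.1.132.32400 > 192.168.1.65.51514: Flags [S.], seq 500, ack 101, win 65535, length 0
"""
LAN_ANSWERED = """\
10:15:01.100300 IP 192.168.1.65.51514 > 192.168.0.61.32400: Flags [S], seq 100, win 64240, length 0
10:15:01.100700 IP 192.168.0.61.32400 > 192.168.1.65.51514: Flags [S.], seq 500, ack 101, win 65535, length 0
"""
LAN_SILENT = """\
10:15:01.100300 IP 192.168.1.65.51514 > 192.168.0.61.32400: Flags [S], seq 100, win 64240, length 0
10:15:02.100300 IP 192.168.1.65.51514 > 192.168.0.61.32400: Flags [S], seq 100, win 64240, length 0
"""

if __name__ == "__main__":
    for name, lan in (("answered", LAN_ANSWERED), ("silent", LAN_SILENT), ("empty", "")):
        print(name, "->", locate_failure(WAN_SAMPLE, lan, "192.168.1.132", "192.168.0.61", 32400))
```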



  • Hi Johnpoz,

    I am sorry for leaving it this long. I hope you are doing well.

    I haven't given up yet. I did get some help from a good friend; he was confused by the issue as well.
    What we found out was strange: the computer within the Internal Firewall is able to ping any device in the External Firewall but it wouldn't work in return.

    WAN for internal firewall is 192.168.1.132
    LAN is 192.168.0.254

    Anything passing 192.168.0.254 via 192.168.1.132 is not a problem at all

    If a connection passes 192.168.1.132 via 192.168.0.254 it is a problem. Is it possible that I am having an issue with DNS here?

    It seems like DNS is not resolving the subnet. Why I think this is because in the PDC server DNS forwarders, it is set to look up DNS at 192.168.0.254.
    On the Forwarders page it shows that 192.168.0.254 is unable to resolve, however I still get a green tick icon.

    Could you please let me know of what you think?


  • Rebel Alliance Global Moderator

    "WAN for internal firewall is 192.168.1.132
    LAN is 192.168.0.254 "

    So you have another NAT firewall in front of pfsense??  Did you forward 32400 to pfsense wan.

    Pfsense can not forward something it does not see..  This is why you sniff on pfsense wan to see if the traffic even gets to pfsense to forward..



  • Hi Johnpoz,

    I see what you mean. I used a laptop from outside the Internal Firewall to ping 192.168.1.132 (Internal Firewall WAN port)
    The result was timed out.
    Somehow even device within same Subnet can't see 192.168.1.132. My laptop IP is 192.168.1.174.

    I mean what should I do from here? I am so blank at this point.


  • Rebel Alliance Global Moderator

    Do you have access to this external firewall?  What is it exactly?  Out of the box pfsense does not allow ping either.

    Your steps from here would be to forward the traffic you want to pfsense wan IP on this firewall in front, or remove it..  Why can pfsense not be your edge firewall/router..

    Why don't you draw your network for starters.. So external of this firewall is 182.168.1/???  There has to be something that has public IP on it..  How many nats deep are you before you get to your plex??

    Normally it would look like this.. Traffic from internet hits your public IP in this example 24.1.2.3 on some port.. You forward that port to something inside, plex for example in this example 192.168.0.100..  You have at min a double nat going on…




  • Yes, I have access to External Firewall.

    We set up External firewall to merge four broadband together. External Firewall is 192.168.1.XXX
    Please see picture below.

    First I thought it was the Plex port that I had an issue with, so I created a VPN from the Internal Firewall. Let's say the IP address for the VPN is 192.168.0.104

    I set port forward in Internal Firewall as

    Interface WAN
    Destination WAN Address
    Destination Port range from port PPTP to port PPTP

    Redirect target IP 192.168.0.104
    Redirect target port PPTP

    External Firewall port forwarding;

    Interface LAN
    Destination LAN address
    Destination Port range from port PPTP to port PPTP

    Redirect target IP 192.168.1.132
    Redirect target port PPTP

    Still it didn't work though.

    I am trying to get a machine between the External Firewall and Internal Firewall to communicate with a machine within the Internal Firewall.

    I only have two NAT rules in Internal Firewall which are port forwarding

    ![Update Network map.png](/public/imported_attachments/1/Update Network map.png)


  • Rebel Alliance Global Moderator

    what does external firewall have to do with hitting your plex server from this device on what amounts to a transit network?  For starters there should be nothing on a transit network.  Why do you not have all your devices behind pfsense with transit to your external firewall?

    Also why can pfsense just not manage all your isp connections?

    Anyhoo.  For you to access your plex server from your client.. Just hit pfsense IP at 192.168.1.132 port 32400, which you then forward to 192.168.0.61

    If you're trying to hit some external IP to get forwarded back in, you're also now doing a nat reflection, with an asymmetrical routing concern since your client is in the transit network.  You will also need to make sure you're not blocking rfc1918 on pfsense wan..

    But if you just point your client to pfsense wan IP on the port you want and the forward is set up correctly you will have no issues.