Plex over two LANs video Judder / LAN to LAN routing issue - pls help



  • Hi,
    I am not a networking guy so excuse my lack of correct terminology. I managed to get pfsense up and running and on the whole everything is good.
    I have one particular problem I have no clue on how to solve.

    WAN

    • I have a 50M cable connection
    • I use OpenVPN for all traffic except my VoIP phone and work laptop. (seems to work ok)

    LAN

    • I have two LANs
        20.x where my nas and work machines are
        30.x where my android media devices, dvd, etc are.

    I don't have any VLANs, etc setup.

    HD YouTube videos play fine from both networks. No video judder or audio stuttering.
    All devices on the 20.x network have no problem playing HD movies from the OMV NAS (Plex) on the 20.x, of course.

    The problem is on the 30.x network.
    The devices, when playing HD videos from the Plex server, have no audio problems but the video skips/hops frames and is therefore not smooth to watch.

    Would really appreciate some guidance on how to resolve this.

    cheers



  • It's likely because your stream is going out through your WAN and back into your second LAN causing Plex to transcode your stream. In other words your 2 LAN subnets by default can't communicate with each other and it's working as it should.



  • I guessed it was probably something like that as I have:

    • ports open from LAN B -> A
    • basically everything open from LAN A -> B

    but the default gateway is set up to go to OpenVPN.

    Can I create a route from LAN B -> A to bypass the OpenVPN but still retain the port blocking rules?

    Obviously I don't want any LAN to LAN traffic to have to go out via the WAN or VPN.



  • Actually I don't think that should happen, right…

    Green (20.x) Rules
    Src: GreenNet          Dst: LocalSub          Ports: AllowedOutLAN                Gateway: *
    Src: GreenNet          Dst: !LocalSub        Ports: AllowedOutWAN              Gateway: VPN

    Blue (30.x) Rules
    Src: BlueNet          Dst: LocalSub          Ports: AllowedOutLAN                  Gateway: *
    Src: BlueNet          Dst: !LocalSub        Ports: AllowedOutWAN                  Gateway: VPN


  • Rebel Alliance Global Moderator

    Well, how are you accessing Plex? If using like plex.direct you would resolve to a public IP. There is a whole about making plex a private domain all over the place for pfsense

    private-domain: "plex.direct"

    Or just access the server via its local name. For example my Plex runs on storage.local.lan - this is how I access it, so via web http://storage.local.lan:32400, and via any app on my phone or tablet I use storage.local.lan

    Your rules look fine for allowing access without going out the VPN as long as your allowedoutlan ports include your 32400 port for Plex, or whatever you changed it to. Do a traceroute to how you're accessing your Plex, what does it show for your trace?
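
Added example, not part of any post in this thread: a minimal first-match model of the two rules posted per interface above, showing that a client reaching Plex by its local address stays on the normal routing table, while one that resolves a public address for the same server is policy-routed to the VPN gateway. The subnets, alias contents and sample addresses are assumptions, since the thread never lists them.

```python
import ipaddress

# Assumed alias contents: the thread never lists them.
GREEN = ipaddress.ip_network("192.168.20.0/24")
BLUE = ipaddress.ip_network("192.168.30.0/24")
LOCAL_SUB = (GREEN, BLUE)
ALLOWED_OUT_LAN = {53, 32400}
ALLOWED_OUT_WAN = {80, 443, 32400}


def is_local(addr):
    """True when the address falls inside the assumed LocalSub alias."""
    return any(addr in net for net in LOCAL_SUB)


def rules_for(src_net):
    """The two rules posted per interface; 'negate' is the '!' prefix."""
    return [
        {"src": src_net, "negate": False, "ports": ALLOWED_OUT_LAN, "gateway": "*"},
        {"src": src_net, "negate": True, "ports": ALLOWED_OUT_WAN, "gateway": "VPN"},
    ]


def evaluate(rules, src, dst, port):
    """First matching rule wins; no match falls through to the default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        dst_ok = is_local(dst) != rule["negate"]
        if src in rule["src"] and dst_ok and port in rule["ports"]:
            # Gateway "*" means no policy routing: the routing table decides.
            return "routing table" if rule["gateway"] == "*" else rule["gateway"]
    return "blocked"


if __name__ == "__main__":
    blue = rules_for(BLUE)
    # Constructed flows from a Blue media player (192.168.30.50).
    for dst, port in [("192.168.20.10", 32400),   # Plex by local address
                      ("203.0.113.7", 32400),     # Plex by a public address
                      ("192.168.20.10", 8080)]:   # port not in AllowedOutLAN
        print(dst, port, "->", evaluate(blue, "192.168.30.50", dst, port))
```
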



  • Hey John, it is definitely going out over the WAN, but I don't understand why.

    LAN:Green (media server, internal LAN 192.168.1.x)
    LAN:Blue (media players, playstation, LAN 192.168.2.x)
    WAN: Red
    VPN: OpenVPN

    Floating Rules - Quick
    Interface:      Green/Blue
    Protocol:        TCP/UDP
    Direction:      Any
    Source:          LocalLAN Alias
    Source Port:  *
    Destination:  LocalLAN Alias
    Ports:            LocalLAN_Ports Alias
    Gateway:      *

    Interface:      Green/Blue
    Protocol:        ICMP
    Direction:      Any
    Source:          LocalLAN Alias
    Source Port:  *
    Destination:  LocalLAN Alias
    Ports:            *
    Gateway:      *

    Interface:      Green/Blue
    Protocol:        ICMP
    Direction:      Any
    Source:          LocalLAN Alias
    Source Port:  *
    Destination:  !LocalLAN Alias
    Ports:            *
    Gateway:      OpenVPN_GW

    Green Rules
    Interface:      Green/Blue
    Protocol:        TCP/UDP
    Direction:      Any
    Source:          LocalLAN Alias
    Source Port:  *
    Destination:  !LocalLAN Alias
    Ports:            LocalWAN_Ports Alias
    Gateway:      OpenVPN

    Green Rules
    Interface:      Green/Blue
    Protocol:        TCP/UDP
    Direction:      Any
    Source:          LocalLAN Alias
    Source Port:  *
    Destination:  !LocalLAN Alias
    Ports:            LocalWAN_Ports Alias
    Gateway:      OpenVPN

    LocalLAN_Ports Alias includes 33434:33464

    Linux Green -> Blue
    traceroute bluedevice = 1 hops via green_fw_int ** gateway 12.2ms but then 30 hop timeout **
    traceroute -I bluedevice = 1 hops via green_fw_int ** instant name resolution repeatedly 8ms to gw 10ms to device**

    Linux Green -> Green
    traceroute greendevice = 0 hops no gateway ** instant name resolution repeatedly but completion on 2nd successive attempt takes 2-3s but trip is .211ms **
    traceroute -I greendevice = 0 hops via green_fw_int ** instant name resolution repeatedly 0.16ms to device**

    Linux Blue -> Green
    traceroute -I greendevice = 1 hops via blue_fw_int ** instant name resolution repeatedly 15ms to gw 22ms to device**
    traceroute greendevice = 2 hops via blue_fw_int ** instant name resolution and completion on first attempt repeatedly **
    traceroute greendevice = 2 hops via blue_fw_int ** instant name resolution repeatedly but completion on 2nd successive attempt takes 2-3s but trip is .211ms **

    Could it be going out the VPN/WAN on the 2nd attempt?

    • How can I find / provide this?
    • Is there something wrong in the logic of my rules above?
    • Or, is this possibly a packet loss problem… but how can I check it?

  • Rebel Alliance Global Moderator

    Why are you putting rules on your floating tab???

    Please post up your rules so they are easy to read – ie screenshots!! They are so much quicker to get. See my example.

    Also without the details of the aliases - can not even tell what you want those rules to do even.




  • Why would/should I not use floating rules?

    e.g. DNS 53 for both LAN interfaces.

    Instead of two rules, I can make one floating rule.

    Isn't that better for management, or is there some other reason I shouldn't do that?


  • Rebel Alliance Global Moderator

    It's easy to see your rules quickly if they are on their own interfaces. To be honest, easier to set up as well for source and destination.

    Floating rules make sense if you need to do outbound rules.  Or you need some rule that is common that applies to all interfaces sure, floating rules apply before rules on the interface.

    And with you using aliases and not posting the details of those it makes it very difficult to make heads or tails of your rules.