Floating rules, Plex, and redirected ports
-
Hello! Tonight I integrated my pfSense box into my network with success, demoting the wireless router to just be an AP. For the most part, everything is working… so that's a sign that the work I did so far paid off.
However, I can't get Plex to work, and what I discovered is that I really didn't figure out firewall rules and NAT at all like I thought I did. :( So instead of ripping everything out, I'm appealing here to see if someone can walk me through what I need to do.
Here's my situation:
A) Plex server inside the fw/NAT is listening on the standard port 32400. Let's say its IP is 192.168.1.22
B) The public (custom) port is 42300. This is manually configured in my Plex account. So pfSense needs to route traffic targeted to the public WAN IP and port 42300 to the internal 192.168.1.22:32400
C) I have pfBlockerNG installed in pfSense. Because of this, my research has turned up that I need to use a floating rule for Plex.
It doesn't help that sometimes there can be a delay of many minutes before Plex picks up on the new settings and is happy. This makes trial-and-error testing rather difficult when I'm not 100% sure of what I'm doing to begin with. I've tried various versions of things based upon various interpretations of the docs and other hints from my Google searching, to no avail. I'm also a bit confused about how, when I make the rule a "floating" rule, I'm unable to associate it with the NAT rule, and what the significance/ramifications of that are. But that gets to fundamental pfSense stuff that I'm just not fully understanding yet.
So: as an educational exercise, can someone demonstrate to me what the proper settings are in pfSense for my situation? In the future I will certainly be needing more rules and such and I'm hoping these early examples will help me understand the concepts and how things work in pfSense.
Thanks!
-
I don't have a solution for you but you might wish to change plex settings locally instead of using the plex.tv site as that would mean all changes are updated immediately.
-
Further research suggests that my issue might actually be related to DNS rebinding attack prevention. There are some tweaks there to be made for Plex. I'll be trying that tonight.
I'd still appreciate understanding exactly WHAT I should be putting in for port forwarding rules though as I'm only 90% certain I'm doing it correctly. That way if I continue to have issues I know to look elsewhere.
-
"my research has turned up that I need to use a floating rule for Plex."
No you do not need to use a floating rule.. Not sure where you got that idea.. Are you using pfblocker? Are you letting it adjust rules?
I run plex behind pfsense, and let both my sons access it.. You sure and the hell do not need to do anything in floating. You will most likely want to put in the plex.direct as private so you remove rebinding protection from this domain, etc..
I have rules setup to allow their specific IPs into my port forward, and also allow the netblocks from plex etc.. So that their testing if my port is open works, etc. And if any issues then they can always do the redirecting access through the plex network - even though this restricts the bandwidth available, etc. Say for example they are coming from a different IP then what I have listed as their home connections.
Not a fan of opening up my plex server to whole freaking public internet - which is why I have it restricted to specific IPs and blocks.
-
No you do not need to use a floating rule.. Not sure where you got that idea.. Are you using pfblocker? Are you letting it adjust rules?
I provided the link to where I got that idea. :D Here: https://forums.plex.tv/discussion/69526/pfsense-port-forwarding-issues
I have pfBlockerNG installed, and that is the source (supposedly) of needing to use floating rules. Has to do with rule order. I did try leaving pfBlockerNG disabled for the time being however while I try to get Plex working properly, so I haven't done anything w/ rules from pfBlockerNG.
You will most likely want to put in the plex.direct as private so you remove rebinding protection from this domain, etc..
I'm starting to suspect this is the source of my issues, and that I had the port forwarding set up properly originally. I will test this tonight when I get home.
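As an added illustration (not code from anyone in this thread), the following toy model of a resolver's DNS rebinding filter shows why plex.direct answers get dropped and why listing the domain as private fixes it. The hostname, LAN address and domain list are constructed for the example; real plex.direct names embed the server's address and a per-server identifier, but the exact format is not taken from this thread.

```python
# Added example, not from the thread: a minimal model of the DNS rebinding
# protection a resolver like the one in pfSense applies. Names and addresses
# below are constructed for illustration.
import ipaddress

# Domains whose answers are allowed to point at LAN (RFC 1918) space.
# This mirrors the "plex.direct as private domain" suggestion above.
PRIVATE_DOMAINS = {"plex.direct"}


def in_private_domain(name, private_domains):
    """True if `name` equals, or is a subdomain of, a listed private domain."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in private_domains for i in range(len(labels)))


def filter_answer(name, ip, private_domains=frozenset()):
    """Return `ip` if a rebinding filter would pass the A record, else None.

    Rebinding protection drops answers where a name from the public DNS
    resolves to a private or loopback address, unless the name falls under an
    explicitly trusted private domain.
    """
    addr = ipaddress.ip_address(ip)
    if (addr.is_private or addr.is_loopback) and not in_private_domain(name, private_domains):
        return None
    return ip


# Constructed plex.direct-style hostname for the Plex server at 192.168.1.22.
HOST = "192-168-1-22.constructed-server-id.plex.direct"

if __name__ == "__main__":
    # Without the private-domain entry the LAN answer is dropped...
    print(filter_answer(HOST, "192.168.1.22"))
    # ...with it, the client gets the LAN address and connects directly.
    print(filter_answer(HOST, "192.168.1.22", PRIVATE_DOMAINS))
```

Because the passed answer is the server's LAN address, a client on the LAN connects to 192.168.1.22:32400 directly and never touches the WAN address, which is why no NAT reflection is involved in that path.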
-
If I am not mistaken, you would go to Firewall > NAT and setup a rule similar to the following…
Interface = WAN
Destination = Any
Destination Port Range = Other/42300
Redirect Target IP = PLEX Server
Redirect Target Port = Other/32400
That should work fine, if I am not mistaken.
However, pfBlocker makes things a headache... That thread on the plex forum you linked is rather old, not sure how relevant the information is in it today.
@johnpoz, care to share the block of addresses that do the scans to see if the PLEX server is there? I have been using PFBlocker and quite a few addresses doing the scan are blocked and every day I seem to run into another one that's blocked doing scans to see if PLEX is alive and kicking.
-
Here are blocks I have listed from plex
54.224.0.0/12
54.160.0.0/12
54.228.0.0/15
54.144.0.0/12
54.194.0.0/15
All I did was run the test in plex.. And look on firewall for what IP was blocked when it failed.. Did a whois for the IP to get the block it was in and then allow that. This might not be all of them.. And they could be different in your area of the world, etc.
But it's simple enough to get them.. Just look in your firewall for the traffic that is blocked when you click the test port in plex and it fails, etc.
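The procedure just described (look at what got blocked when the Plex port test fails, then work out which netblock it belongs to) can be scripted. The following is an added example, not code from anyone in this thread: it takes block-log entries, keeps the sources that were blocked on the Plex public port, and sorts them into addresses already covered by the netblocks listed above versus addresses that still need a whois lookup. The log lines are a constructed, simplified format, not the real pfSense filterlog layout; the WAN address 203.0.113.10 is likewise constructed.

```python
# Added example, not from the thread: triage blocked connections to the Plex
# public port against the netblocks posted above. Log lines are a constructed
# simplification ("action src_ip src_port dst_ip dst_port"), not pfSense's
# real filterlog format.
import ipaddress

# Netblocks from the post above, used as the "already allowed" set.
PLEX_NETBLOCKS = [ipaddress.ip_network(n) for n in (
    "54.224.0.0/12",
    "54.160.0.0/12",
    "54.228.0.0/15",
    "54.144.0.0/12",
    "54.194.0.0/15",
)]

PLEX_PUBLIC_PORT = 42300  # custom public port from the original post

# Constructed sample log. 203.0.113.10 stands in for the WAN address.
SAMPLE_LOG = """\
block 54.230.12.9 51022 203.0.113.10 42300
block 54.172.8.77 40001 203.0.113.10 42300
block 198.51.100.5 33333 203.0.113.10 42300
block 54.230.12.9 51023 203.0.113.10 22
pass 203.0.113.99 1234 203.0.113.10 42300
"""


def blocked_sources(log_text, dst_port):
    """Distinct source IPs of blocked connections to dst_port, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed or empty lines
        action, src, _sport, _dst, dport = fields
        if action == "block" and int(dport) == dst_port and src not in seen:
            seen.append(src)
    return seen


def classify(ips, netblocks):
    """Split ips into {ip: covering_netblock} and a list of unmatched ips.

    Unmatched addresses are the ones worth a whois lookup before deciding
    whether to extend the allowed list; matched ones indicate the existing
    pass rule is not taking effect (for example a rule-ordering problem).
    """
    covered, unknown = {}, []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        match = next((str(n) for n in netblocks if addr in n), None)
        if match:
            covered[ip] = match
        else:
            unknown.append(ip)
    return covered, unknown


if __name__ == "__main__":
    srcs = blocked_sources(SAMPLE_LOG, PLEX_PUBLIC_PORT)
    covered, unknown = classify(srcs, PLEX_NETBLOCKS)
    for ip, block in covered.items():
        print(f"{ip}: already within {block}")
    for ip in unknown:
        print(f"{ip}: not in any known block, run whois before allowing")
```

Keeping the pass rule limited to known netblocks and specific client addresses, as the post above does, means the port forward is never open to arbitrary sources; this script only tells you which new blocks to examine, the decision to allow them stays manual.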
-
Something between adding the DNS Rebinding entry and enabling NAT reflection for this one rule allowed Plex to be happy again, so I'm all set. Next: OpenVPN!
Thanks, everyone.
-
You sure do not need nat reflection.. The whole point of plex direct, and why it's a problem with rebinding, is it returns your rfc1918 address.. So you would never be hitting your wan to get reflected back in.
-
You sure do not need nat reflection.. The whole point of plex direct, and why it's a problem with rebinding, is it returns your rfc1918 address.. So you would never be hitting your wan to get reflected back in.
Ok good to know. I'll try turning it off sometime when no one is using it and see if it still works. Thanks