Accessing Xbox from different subnet

  • Hi All,

I have all of my media devices on a separate LAN (IOT) from my main LAN. I have all traffic originating from IOT not being able to access my main LAN, with specific rules for access above the block rule. I have no issues with any device on IOT accessing what has been allowed, except for Xbox. Xbox won't connect to Plex or, specifically, to my iPhone so I can control it via the Xbox app. What am I missing?

    For some reason I cannot upload the screenshot. So I will write it out.
    IPV4*-- access
    - to iphone
    IPV4* LAN
    IPV4*-IOT to any rule

    I should mention my Xbox is hard wired. When I connect to the same IOT Vlan via wireless on my iphone, there are no issues, and I can connect.

  • Netgate Administrator

It's probably some DNS failure or trying to use local service discovery. Media servers love to exclude using IPs directly for some reason.


  • I'm not sure what the problem is. My TV won't connect to my iphone for airplay. However the Plex app connects to Plex. So basically I am having issues with Xbox and my Samsung TV. Here are all the rules on the Lan and on VLAN IOT. It looks like it is configured correctly but maybe the rules are off to route between subnets. Any guidance would be appreciated.

    Protocol Source Port Destination Port Description
    Default Anti-Lockout Rule
    IPv4 TCP/UDP * * 53 (DNS NAT force dns
    IPv4 * LAN net * * * Default allow LAN to any rule

    IPv4 * IOT net * IOT net
    IPv4 * * * Xbox to
    IPv4 * plex_access * * Plex access
    IPv4 * * airplay_devices * Airplay
    IPv4 * IOT net * ! private_ip * Internet access

  • Netgate Administrator

    Ok so the LAN subnet is and IoT subnet is I assume?

    What are those IPs in the rules? What's in those aliases?

    The IoTnet to IoTnet rule can never pass any traffic, that doesn't go through the firewall.

    You don't have a rule to allow IoT devices access to DNS on the interface (if they are using that).

However you will probably find this fails even if you put a pass all rule on both interfaces. Many protocols favored by media streamers effectively do not work between subnets as they rely on 'discovering' devices, and that only works inside the same broadcast domain.
    Plex can work if you configure it correctly. It may be working here though by sending all the traffic via Plex's public IPs. The same as allowing access to Plex if you're in an entirely different location. The Plex app usually reports that though.
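The first-match behaviour described in the reply above (a same-subnet rule never sees switched traffic, the interface address being the one exception; link-local multicast such as mDNS never crosses the router at all; an IoT host not covered by an alias falls through to the default deny) can be checked against a small model of the IoT ruleset. The following Python is an added example, not something posted in this thread or part of pfSense itself. The addresses, the alias contents and the destination fields of the "Xbox to" and "Plex access" rules (which are missing from the pasted table) are assumptions.

```python
"""First-match model of a pfSense-style IoT interface ruleset.

Added example for the thread above; addresses and alias contents are
hypothetical and the rule list is a reconstruction of the pasted table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Addr = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return IPv4Net(cidr, strict=False)


def host(addr: str) -> IPv4Addr:
    return IPv4Addr(addr)


# Hypothetical addressing; the thread only says the private range is 10.0/8.
IOT_NET = net("10.0.20.0/24")
IOT_IF_ADDR = host("10.0.20.1")   # pfSense address on the IoT VLAN, also its resolver
XBOX = host("10.0.20.50")
IPHONE = host("10.0.10.20")        # on the LAN subnet
PLEX = host("10.0.10.10")          # on the LAN subnet

# pfSense-style aliases, each a list of networks (single hosts as /32).
ALIASES = {
    "IOT net": [IOT_NET],
    "xbox": [net(f"{XBOX}/32")],
    "iphone": [net(f"{IPHONE}/32")],
    "plex_server": [net(f"{PLEX}/32")],
    "plex_access": [net(f"{XBOX}/32")],        # IoT hosts allowed to reach Plex
    "airplay_devices": [net(f"{IPHONE}/32")],  # iOS devices the TV may reach
    "private_ip": [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")],
}


@dataclass(frozen=True)
class Rule:
    src: str                      # alias name or "*"
    dst: str                      # alias name or "*"
    description: str
    negate_dst: bool = False      # the "! private_ip" style inversion
    dport: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: IPv4Addr
    dst: IPv4Addr
    dport: int


# Rules on the IoT interface, in the order pfSense evaluates them (first match wins).
IOT_RULES = [
    Rule("IOT net", "IOT net", "IOT net to IOT net"),
    Rule("xbox", "iphone", "Xbox to iPhone"),            # destination assumed
    Rule("plex_access", "plex_server", "Plex access"),    # destination assumed
    Rule("*", "airplay_devices", "Airplay"),
    Rule("IOT net", "private_ip", "Internet access", negate_dst=True),
]


def in_alias(addr: IPv4Addr, name: str) -> bool:
    if name == "*":
        return True
    return any(addr in n for n in ALIASES[name])


def bypass_reason(flow: Flow) -> Optional[str]:
    """Explain why a packet never reaches the IoT interface filter, or None if it does."""
    if flow.dst in net("224.0.0.0/24") or flow.dst == host("255.255.255.255"):
        # mDNS (224.0.0.251), SSDP and friends stay inside the broadcast domain.
        return "not filtered: link-local multicast/broadcast never leaves the IoT segment"
    if flow.src in IOT_NET and flow.dst in IOT_NET and flow.dst != IOT_IF_ADDR:
        # Host-to-host traffic on one VLAN is switched; only traffic *to* pfSense
        # (e.g. DNS to the interface address) is ever seen by these rules.
        return "not filtered: same-subnet traffic is switched and never reaches pfSense"
    return None


def evaluate(flow: Flow) -> str:
    """Return the description of the first matching rule, or the implicit default deny."""
    reason = bypass_reason(flow)
    if reason is not None:
        return reason
    for rule in IOT_RULES:
        if not in_alias(flow.src, rule.src):
            continue
        dst_match = in_alias(flow.dst, rule.dst)
        if rule.negate_dst:
            dst_match = not dst_match
        if not dst_match:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.description
    return "default deny (no rule matched)"


if __name__ == "__main__":
    for f in (Flow("udp", XBOX, IOT_IF_ADDR, 53),
              Flow("tcp", XBOX, PLEX, 32400),
              Flow("udp", XBOX, host("224.0.0.251"), 5353),
              Flow("tcp", host("10.0.20.77"), PLEX, 32400)):
        print(f"{f.src} -> {f.dst}:{f.dport}  =>  {evaluate(f)}")
```

Two things the model makes visible: the only IoT-to-IoT packets the filter ever sees are those addressed to the interface itself, which is why that rule is in practice a "DNS to pfSense" rule; and an mDNS query to 224.0.0.251 is dropped by the evaluator before any rule is consulted, so widening the rules cannot help discovery, which is what a reflector such as the Avahi suggestion later in the thread is for.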


Yes, those are the correct address pools. The Xbox app allows you to put in an IP address, so there shouldn't be a reason why my iPhone can't find it as per the second rule. I have IOTnet to IOTnet so devices within that subnet can talk to each other and specifically the gateway, as pfSense is doing DNS. Plex_access is a list of IOT IPs that can access Plex. Airplay_devices are all the iOS device IPs that the TV can access. So it is strange to me that my Samsung TV can't see the airplay_devices when the Apple TV connected to a TV upstairs did when I had it. The last rule allows access to anywhere but my 10.0/8 network. And it is also why I added IOTnet to IOTnet.

  • Netgate Administrator

    So you don't need a rule for IoT devices to access each other, they do that directly without going through the firewall.
    The IoTnet to IoTnet rule you have is only allowing access to the IoT interface address as you say.

    I assume the Plex server is in the LAN and the xbox is in IoT, where is the phone you are trying to control it from?
    What is failing? The phone to the xbox or xbox to the server?

    You probably need Avahi to get airplay working across subnets.


If I disable the rule of IOTnet to IOTnet, devices on that network cannot reach DNS. I have a few DNS servers available on the DHCP service. The first is pfSense. The others are my VPN's DNS servers in case I want to use the VPN on the network. I don't want to force pfSense to do DNS like I do on my LAN. Perhaps that's what you mean when you say it allows IOT to access the interface address.

Plex is on LAN and the Xbox is on IOT. The iPhone is on LAN. Both Xbox to my iPhone and Xbox to Plex are failing. And I don't know why, as it is allowed by the rule I created in IOT. I do not have a similar rule in LAN because LAN can access anywhere.

Regarding AirPlay, I hooked up my old Apple TV to a TV upstairs. I put it on IOT. I can AirPlay from my iPhone on LAN to the ATV on IOT with a rule allowing (ATV) to access (iPhone). So I don't think it is an AirPlay-across-subnets issue, unless it is the way Samsung implemented it in their TV. (Edit: So I disabled this rule to see what happened, and I can still access my ATV on IOT from my iPhone on LAN. Only by changing the rule from pass to block am I not able to access the ATV. This doesn't make sense, as if the rule is disabled, this rule, IPv4 * IOT net * ! private_ip * Internet access, should take over and block access.)

  • Netgate Administrator

    Yes that rule is what is passing the DNS traffic as I said but it could be destination IoT-address. It is not passing any other traffic in the IoT subnet.

    I would not expect the AppleTV or the Samsung to need a rule to your phone. The phone is initiating the connection there and that is passed on the LAN. They would only need a connection out to the internet to pull media once the phone has told them what to play.

    You should add allow all rules on IoT as a test and see what still fails.


  • I figured out the airplay issue. I had band steering enabled on my WAP, and I broke out the networks to 2g and 5g. That recognized the TV for airplay. I thought that might fix my xbox issue but no.

    I tried IOTnet to any, and I still can't get my iphone to connect to my xbox.

  • Netgate Administrator

    Nice catch on the airplay.

    OK, so as I suspected it's not firewall rules preventing that traffic between the subnets. Very likely something is using some local discovery protocol that doesn't span subnets there. Try putting your phone in the IoT subnet if you can.

    I would try using Avahi as that's easy to configure. Really need to know what protocol(s) the phone app to xbox connection requires.


Thanks for your help. I have Avahi installed, but it is not making this situation work. It seems as though the Xbox does not want to communicate with anything other than the Internet, because it is not just the remote but also Plex, which is on the LAN, that cannot connect. I've read on some other forums that it uses mDNS, which Avahi should be able to make work.

  • Netgate Administrator

    Yes, that should work with Avahi if it needs mDNS. It may just not be configured correctly.

    None of this stuff is ever expected to work across subnets. Home users just have a flat network and anything else is advanced level wizardry.... right? 😉
    Unfortunately that's how developers of media players/servers seem to think.

