Plex vs pfSense problem.



  • Hi!

    I have pfsense installed as my Firewall-only and recently I installed Plex Media Server. I try to setup Remote Access but I cant get it to work. I have an asus router before pfsense (pfsense NAT is disabled and please, dont ask why I have a router in front of pfsense and not having pfsense as a router, thats the way I want it) and I port forwarded port 32400 from my router to the WAN interface of pfsense and then created a rule for port 32400 to be able to target my Plex Media Server PC.

    I have also other ports forwarded inside my network, allowing its packet traffic with success. The port 32400 is the only port that cannot be opened. I see at pfsense's Firewall log this (when I try to hit plex from outside the network) :

    firewall.png

    Can you please help me?

    thanks lads!


  • LAYER 8

    maybe the rule is wrong, put a screenshot of your nat rule / wan rule


  • LAYER 8 Global Moderator

    So your using pfsense as a downstream transparent firewall, is bridging.. You stated you turned off nat on pfsense..

    If your not bridging, and your clients behind pfsense are on a different network than your upstream router. Your upstream router would need to nat this downstream network to your public. Most soho wifi routers will not do that btw.. Are you running 3rd party firmware on your edge router?

    And if you have a downstream network, that is reached via your normal edge routers lan, then you run into asymmetrical routing issues when you don't nat at the downstream..

    More than happy to help you fix up your network so it works how you want it to... But from the sparse details you have posted, I would say its pretty borked currently.. And yeah your going to have all kinds of issues trying to get anything to work.



  • @kiokoman said in Plex vs pfSense problem.:

    maybe the rule is wrong, put a screenshot of your nat rule / wan rule

    This is the rule..

    da32ce82-5436-41c5-bf52-4e4cd0fbc524-image.png


  • LAYER 8 Global Moderator

    And how would that work exactly? Your block you show is to a 172.16.117.106 address.

    Dude if you want help - your going to have to give us more info... From the description of your network is makes zero sense at all.. If you disabled nat on your pfsense, then traffic would have to be set to go to that plex server address... Which is it the 192.168.2 address or the 172.16 address you show blocked.

    Draw up your network!!!



  • @johnpoz said in Plex vs pfSense problem.:

    And how would that work exactly? Your block you show is to a 172.16.117.106 address.

    Dude if you want help - your going to have to give us more info... From the description of your network is makes zero sense at all.. If you disabled nat on your pfsense, then traffic would have to be set to go to that plex server address... Which is it the 192.168.2 address or the 172.16 address you show blocked.

    Draw up your network!!!

    Hi again, sorry guys, I was at the office, very very busy. I couldnt respond the way I wanted. Here it is!

    e25288e8-0bf4-4ebf-8cca-a67a9993f7de-image.png

    PS : The VM that Plex is installed is 192.168.2.3 (it is not seen in this drawing)

    PS2 : I disabled Firewall Outbound NAT.

    98542280-ffc9-498f-b0a6-d010402fc3b6-image.png

    Also I have this static route on the ASUS router :

    84614281-1a5d-4f43-8bcb-7e73785bd67e-image.png


  • LAYER 8 Global Moderator

    And you have NAT turned off on pfsense?

    So you have setup routing on this asus router? And nat so it can nat this downstream network? There are no hosts on this 172.16.117 network? If so and you want device in this network and your 192.168.2 network to talk to each other your going to run int asymmetrical routing problems.. Unless you do host routing on all devices involved.

    edit: So where did you setup nat for those downstream network in your asus... And how you going to fix the asymmetrical routing issues... Are no clients on this 172 network going to be talking to anything on the 192.168.2 network, and nothing on 192.168.2 talking to anything in 172. network?



  • @johnpoz said in Plex vs pfSense problem.:

    And you have NAT turned off on pfsense?

    There are no hosts on this 172.16.117 network? .

    Yes it is off. And on the ASUS the only host that connects to it, is the pfsense WAN int


  • LAYER 8 Global Moderator

    So how exactly is something from public going to talk to this downstream network?

    So your doing source natting on your port forward in your asus?

    If you have nat turned off on pfsense - then nothing in this 192.168.2 network would be able to talk to the internet unless the asus is natting this 192.168.2 network.



  • @johnpoz The Asus router does all the routing job. I port forwarded many ports for many jobs from the asus router to the pfsense and from pfsense to the corresponding VMs..


  • LAYER 8 Global Moderator

    There is more than routing that is required if nat is off on pfsense... It has to nat that downstream network to for public.

    If your saying this is working for other things behind pfsense.. Then this forwarding for plex is no different than anything else..

    Follow the troubleshooting guide for port forwarding..

    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    If you spend more than 1 minute trying to figure out where your port forward problem is, you shouldn't be doing port forwarding because you clearly do not understand how it works..

    Its this simple - does the traffic show up on pfsense wan... Does it send it it on.. This takes 2 seconds to validate with a simple packet capture and click on the can you see me website..

    Show us your port forward, show us your firewall rules.. And show the full picture no clipped shot where we have no idea what your showing, what interface or what might before that, etc.

    If your not doing nat on pfsense - then there is NO point to port forwarding, and it should just be simple firewall rules. Port forwarding only needed if your natting..

    So you should be forwarding at your asus direct to the 192.168.2 address... I don't think your doing what you think your doing to be honest... I have never see a soho router nat downstream networks... How exactly did you turn off nat in pfsense? You just turned off automatic outbound nat and removed all the outbound nat settings?

    disable.png



  • @johnpoz said in Plex vs pfSense problem.:

    If your not doing nat on pfsense - then there is NO point to port forwarding, and it should just be simple firewall rules. Port forwarding only needed if your natting..

    So you should be forwarding at your asus direct to the 192.168.2 address... I don't think your doing what you think your doing to be honest...

    The bold lines are the truth. Thank you. I was very confused and I didnt digest the concept of router vs pfsense that coexist. I changed the IP on the router port forwarding port 32400, from IP 172.16.117.106 (the pfsense WAN intrfc) to IP 192.168.2.3 (the Plex Media Server VM) and that worked.

    I was so frustrated.. gosh..

    Thank you very much @johnpoz and all of you guys.. I feel very ashamed to be honest. What was I thinking??


  • LAYER 8 Global Moderator

    You do understand if you have devices on this 172. network that your using as transit, your going to have asymmetrical problems..

    A downstream router should be connected via a transit network (no hosts on it)... If you have hosts on this 172. network and devices on 192 and 172 are talking to each other (without host routing) your going to run into asymmetrical issues..



  • @johnpoz I will re-design my network when I will find time. I have to clear my thoughts.

    Thank you again.



  • @uxm said in Plex vs pfSense problem.:

    @johnpoz I will re-design my network when I will find time. I have to clear my thoughts.

    Thank you again.

    Maybe this is what you meant by "re-design my network", but I'm going to be that guy and say it... sorry.

    You should remove the ASUS router from your network and run pfsense at your edge. Much easier, if you haven't guessed it already. Unless, it's absolutely necessary to run the ASUS box for some service(s) from your ISP - cable boxes, VOIP phones, TV services, security alarms, etc.

    Jeff


  • LAYER 8 Global Moderator

    Yeah I would remove it as well... But if going to run pfsense downstream, then whatever is front of it needs to be able to support an actual transit network... Which I find highly unlikely with some soho isp box...

    Or its better to just double nat.



  • Thank you all for your help guys. I will check if I can run my ASUS as a modem only. I bought it 200 euros, so it is hard (psychologically) to move it away. haha

    thank you !


Log in to reply