-
Hey-lo folks.
Just came into the pfSense world (so I'm a bit of a noob) but I got my system up and running: 2 segregated networks, wifi, Plex is up and running (getting that working made me really proud).
Anyway, I'm having a heck of a time getting Ombi open to the world. I'm not sure if it's a firewall issue or a NAT issue. Ombi runs as a TrueNAS Scale application (so, essentially a docker, or a KVM I guess is a better explanation). I have local access to the application, but for the life of me, it doesn't seem to matter what I do, I cannot gain access to Ombi from outside my local network (honestly, I assumed it was going to be a walk in the park compared to Plex)...
As a noob, I don't know all the details that would be helpful for you guys to know... but I'm happy to supply any/all info that would help.
There are no VLANs. I have 1 interface for WAN, 1 interface for "LAN1" and 1 interface for "LAN2". LAN1 = 192.168.1.X, LAN2 = 192.168.2.X.
TrueNAS lies at: 192.168.2.2
Apps are assigned under that IP as well (I'll be honest, I'm also brand new to TrueNAS Scale, was a huge Core user until I migrated a few days ago).
I do have a NAT rule set up as:
<Linked/WAN/TCP///WAN Ad/1-65535/192.168.2.2/1-65535>
(Hope that's understandable, I can send a screenshot if it isn't.)
Anyway, any and all help is greatly appreciated!
-
You should decide if you want to access your network from a self hosted VPN and port forward only that port to the VPN service... or open ports from the evil internet directly to your NAS, and then Ombi.
Once you make that decision, someone here can help.
-Devan
-
@menethoran said in PfSense/TrueNAS Scale/Ombi:
1-65535/192.168.2.2/1-65535>
So you forwarded all ports to 2.2 ?? That is problematic - just forward the port your app is going to be using.
I run overseerr (alt to ombi) now on my NAS as docker, but ran them both for a while, even I started with ombi and moved to overseerr.. I believe the ombi default port is 3759
You sure your TrueNAS isn't a jail? And how are you accessing it locally? What port do you use, what IP? http://what:what?
To access something remotely, you set up a port forward to the port and protocol your device is listening on. The firewall rule should be auto created on the WAN when you do that. You just need to make sure the WAN rule is properly in place in regards to your other WAN rules, if any, or floating rules that might be blocking.
So you have another rule for your plex, which uses 32400? Or you think it should work under your forward every port setup?
Troubleshooting port forwards:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
A stumbling block many users run into is trying to test their shiny new forward from some box on their local network. For that to work NAT reflection would have to be set up; you really need to test from outside your network for port forwards.
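An added example, not part of the original posts and not pfSense's own tooling: a Python check that reads the NAT section of a pfSense configuration backup and flags WAN port forwards that cover more than a handful of ports, such as the 1-65535 rule discussed above, and counts how many ports each internal host ends up exposing. The XML element names, the sample config and the `MAX_PORTS_PER_RULE` threshold are assumptions; port aliases are not resolved.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a pfSense config.xml <nat> section
# (element names are an assumption); address and ports are those named in the thread.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>1-65535</port></destination>
    <target>192.168.2.2</target><local-port>1</local-port>
    <descr>all ports to TrueNAS</descr></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>32400</port></destination>
    <target>192.168.2.2</target><local-port>32400</local-port>
    <descr>Plex</descr></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>3759</port></destination>
    <target>192.168.2.2</target><local-port>3759</local-port>
    <descr>Ombi</descr></rule>
</nat></pfsense>"""

MAX_PORTS_PER_RULE = 16  # hypothetical policy limit, adjust to your own needs


def port_range(spec):
    """Return (low, high) for 'N', 'N-M' or 'N:M'; an empty spec means any port."""
    if not spec:
        return 1, 65535
    parts = spec.replace(":", "-").split("-")
    low, high = int(parts[0]), int(parts[-1])
    return min(low, high), max(low, high)


def audit_port_forwards(xml_text, limit=MAX_PORTS_PER_RULE):
    """Return (findings, exposure): over-broad WAN forwards as (descr, target,
    range) tuples, and the count of WAN-reachable ports per internal target."""
    findings, exposure = [], defaultdict(set)
    for rule in ET.fromstring(xml_text).iterfind("./nat/rule"):
        if rule.find("disabled") is not None or rule.findtext("interface", "") != "wan":
            continue  # skip disabled rules and forwards on other interfaces
        low, high = port_range(rule.findtext("destination/port", ""))
        target = rule.findtext("target", "?")
        exposure[target].update(range(low, high + 1))
        if high - low + 1 > limit:
            findings.append((rule.findtext("descr", ""), target, f"{low}-{high}"))
    return findings, {t: len(ports) for t, ports in exposure.items()}
```

Run it against an exported config by passing the file's text to `audit_port_forwards`; with the sample above, the single catch-all rule is the only finding and accounts for all 65535 exposed ports on 192.168.2.2.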
-
@ddbnj Will not be running through a VPN until much further down the line. AND that is something I'm not totally unfamiliar with getting to work (tunneling and whatnot). Right now, I'm just trying to get the network running right and stable before breaking more things :)
-
@johnpoz Sorry, I may have misspoken a tiny bit. I didn't forward all ports. I needed to allow NAT to handle all ports headed to 2.2 for Plex to work (I may be able to dial that in a bit and am happy to test, especially today as the wife is on a work field trip, so I can break things and it only affects me).
Ombi is running in what is essentially a jail (it's a docker VM, a KVM to be exact), which probably means it's double NATed.
Yes, I have specific firewall rules for Plex (and for Ombi), but I'm confused, as Plex and Ombi are both set up in exactly the same fashion on TrueNAS (both are KVM dockers, both are going to have the same NAT situations, both exist on the same system). (Plex also uses a bunch of other ports that I needed to forward to finally get it to work right.) I think I'll try dialing in the NAT side to just the Plex and Ombi ports for now rather than all (all was where I started just to get Plex working). As far as opening all the ports, again, not SUPER worried about it. I've got fairly strong keys on everything and there is nothing there yet that is of any real importance.
And lastly, I am testing from outside my network to gain access... (well, I start local and span out from there when testing. So, usually, I'll test locally, if it works, test from same laptop but try to hit it from external IP, then to Cloudflare and finally, I'll turn wifi off on my phone and try to connect that way). Right now I am stuck at only works locally.
-
@menethoran said in PfSense/TrueNAS Scale/Ombi:
I didn't forward all ports.
What did you do then? What is this supposed to be?
<Linked/WAN/TCP///WAN Ad/1-65535/192.168.2.2/1-65535>
both exist on the same system.
But they wouldn't be using the same ports, even if they are the same IP on your network.. Plex would be 32400, which I do not think is even possible to change. And ombi would be 3759..
-
@johnpoz
Sorry, I'm REALLY new to this :)
I "Port Forwarded" specific ports under "Firewall Rules".
The listed string above was a NAT rule (again, super noob here and I don't ENTIRELY understand the difference).
BUT: on the upside, I'm up and running 100% now (I needed to adjust the NAT rules as I wrote them incorrectly, treating them more like straight port-forwarding instead of target redirection (I know... those sound the same, and I'm probably calling the wrong things the wrong things...)).
On the upper upside, because I figured out Ombi, it also let me easily configure the other services I'm running.
Guys, I REALLY REALLY appreciate the help. You may not have given the answer, but you definitely brought up points that pointed me in the direction I needed to go!
Lastly: If an admin sees this post, it should be moved to NAT (as ultimately, that was what was the solution, and the problem).
-
-
@menethoran moved..
Were you thinking outbound NAT, 1:1 NAT? I am not sure..
But if something is behind pfsense on port xyz, and you want something to hit your pfsense wan IP on port, and get forwarded to say 192.168.1.100:abc - then port forward is the common term used
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forwards
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.