Port 32400 Plex FreeNAS Issue | VPN Setup using pfSense



  • Yesterday I started to use a pfSense router / VPN server instead of the Netgear router. Previously on the Netgear I used IP address 192.168.1.1 but now with the pfSense I use 192.168.5.1. I went into FreeNAS and updated all the IP addresses to reflect this change, including each jail. Plex previously on my Netgear router was at 192.168.1.200:32400/web/index.html and WAS accessible from “outside” my network. Now using the pfSense I went to Firewall > NAT then added a Port Forward with these settings:

    If WAN
    Proto TCP
    Src. addr *
    Src. ports *
    Dest. addr WAN address
    Dest. ports 32400
    NAT IP 192.168.5.200
    NAT Ports 32400

    I tried accessing the server from ‘outside’ my network but Plex could not connect to the server. In reading several troubleshooting guides over the past several hours I just can’t seem to get my pfSense device to accomplish the request the Plex support forums state:

    "If your router does not support UPnP or NAT-PMP, you will need to set up a port forward on the router. Once you've set up the port forward, enter the external port number here (note: the internal port number will always be 32400).

    Note: Both the "mapped to port" and "manually specify port" numbers must match the external port number used in the port forward in the router as the external port.”

    I’ve tried to ‘add’ the port manually and then I ‘checked’ Enable UPnP & NAT-PMP in Services > UPnP & NAT-PMP settings. Neither of these seems to work. Any advice or direction would be completely appreciated. I believe I’ve run out of options - I feel like I’ve run around this circle of add a port, ping it, use an outside website to test the port (which worked), only to have Plex not be able to connect. I feel like there’s some small step I seem to have overlooked.

    Thank you for your time and guidance.



  • Your description sounds basically right.

    You didn't mention what version of pfsense you're running?

    In general I wouldn't enable uPNP unless absolutely necessary (try everything else first) - too much black voodoo becomes possible  :P

    Are you sure your server is picking up a 192.168.5.200 address properly?
    Will it respond to an internal device on your 192.168.5.0/24 network via port 32400?
    Any chance you need to enable TCP/UDP on the NAT rule?
    When you test for "external" connectivity, are you actually using a device outside your network or are you just referencing your external WAN address from your LAN?
    If the latter, you may have to enable NAT-reflection on the NAT-rule to get the server to respond - it's possible it may not work at all from inside your network referencing your WAN address.

    As a test you can try enabling logging on the NAT rule so you can see in "Status->System Logs->Firewall" if the NAT rule is even activating when you try and connect.

    Normally port forwarding is very simple to accomplish with pfsense - the descriptions are just long winded  ;)



  • Divsys - thanks for your reply.

    Version:
    2.1.3-RELEASE (i386)
    built on Thu May 01 15:52:17 EDT 2014
    FreeBSD 8.3-RELEASE-p16

    1. Are you sure your server is picking up a 192.168.5.200 address properly?
    A. Within FreeNAS I assigned this IP address to the jail I created; however, it does NOT show up in the Status > DHCP leases. So to solve this I went to Services > DHCP server and at the bottom ‘added’ a static mapping for this interface. I copied the MAC address from the FreeNAS drive, set the IP address to match (192.168.5.200) and saved those settings. But it didn’t work.

    2. Will it respond to an internal device on your 192.168.5.0/24 network via port 32400?
    A. Forgive my ignorance, however I don’t really know ‘how’ to make it ‘respond’ to the ports/ip address above. Via ssh in my mac, I pinged 192.168.5.0 I get this: 64 bytes from 192.168.5.27: icmp_seq=0 ttl=255 time=16.936 ms (DUP!)
    My router address is 192.168.5.1

    3. When you test for "external" connectivity, are you actually using a device outside your network or are you just referencing your external WAN address from your LAN?
    A. I visited this site: http://www.yougetsignal.com/tools/open-ports/ then entered my WAN IP address plus port 32400

    4.  If the latter, you may have to enable NAT-reflection on the NAT-rule to get the server to respond - it's possible it may not work at all from inside your network referencing your WAN address.
    A. This is way, way over my head. I don’t even know what this does; however, I did enable the NAT & Proxy option in the NAT reflection area.

    As for the logs, I did enable them but I don’t have the slightest clue as to what I’m supposed to look for or if something is wrong.

    I got the Plex server to become ‘viewable’ locally but this is the error message I got from Plex:
    "You have successfully signed your server in to Plex, but we were unable to reach it from outside your network.”

    Not really sure what else to do. Seems like all the options I selected are done correctly and especially with your help I’m certain of that.



  • Ok, just so we're both clear:

    Your Plex server is running on a FreeNAS box on your LAN network that you've setup with an address of 192.168.5.200 right?

    To test the "internal" connectivity you'd try a "ping 192.168.5.200" from ssh on your mac, if you get a response the Plex is alive on the LAN.
    (reading further in your reply, you indicated that the Plex is "viewable" locally so I'm guessing this will be OK).

    A quick Google search seems to indicate that you want TCP and UDP set for the NAT rule: under Firewall->NAT edit the rule to forward port 32400 and make sure Protocol is set to "TCP/UDP"

    If you're still having issues, please post a screen shot of your NAT rules and your Firewall->WAN rules.

    Keep at it, pfsense is well worth any initial pain once you start to see its capabilities :)



  • divsys, thanks for your continued patience and help.

    Your Plex server is running on a FreeNAS box on your LAN network that you've setup with an address of 192.168.5.200 right?

    A. Yes. It is. But for some reason yesterday I stated earlier that it was viewable on my network however that is not the case.

    Note: Previously when I used the Netgear router and I installed the jails on my FreeNAS server, I used to see the jails as ‘attached devices’ on my router under the IP address I gave each plugin / jail. Now with the pfsense, all I see is the address of the FreeNAS server and NOT the jails. Could this be part of the problem as to why I can’t port forward a static IP that doesn’t show up in the ‘attached devices’ list??

    To test the "internal" connectivity you'd try a "ping 192.168.5.200" from ssh on your mac, if you get a response the Plex is alive on the LAN.

    A. I did ping it successfully.
    PING 192.168.5.200 (192.168.5.200): 56 data bytes
    64 bytes from 192.168.5.200: icmp_seq=0 ttl=64 time=3.253 ms
    64 bytes from 192.168.5.200: icmp_seq=1 ttl=64 time=0.781 ms
    64 bytes from 192.168.5.200: icmp_seq=2 ttl=64 time=3.174 ms
    64 bytes from 192.168.5.200: icmp_seq=3 ttl=64 time=3.220 ms
    64 bytes from 192.168.5.200: icmp_seq=4 ttl=64 time=3.475 ms
    64 bytes from 192.168.5.200: icmp_seq=5 ttl=64 time=0.618 ms

    My settings under Firewall > NAT ARE set to TCP/UDP. See enclosed screenshot of this and the WAN & Plex rules.

    I keep hearing from a lot of people that once I get this working correctly - it’ll be the best setup! Getting it set up correctly at least with the knowledge I have is the problem!  :D

    Once this starts working I’m gonna have to set up my VPN….ugh...not looking forward to that yet!!








  • I haven't played with FreeNAS specifically or Plex for that matter, but your description gives us some clues:

    A. Yes. It is. But for some reason yesterday I stated earlier that it was viewable on my network however that is not the case.

    Note: Previously when I used the Netgear router and I installed the jails on my FreeNAS server, I used to see the jails as ‘attached devices’ on my router under the IP address I gave each plugin / jail. Now with the pfsense, all I see is the address of the FreeNAS server and NOT the jails. Could this be part of the problem as to why I can’t port forward a static IP that doesn’t show up in the ‘attached devices’ list??

    ….........

    A. I did ping it successfully.
    PING 192.168.5.200 (192.168.5.200): 56 data bytes
    64 bytes from 192.168.5.200: icmp_seq=0 ttl=64 time=3.253 ms
    64 bytes from 192.168.5.200: icmp_seq=1 ttl=64 time=0.781 ms

    My settings under Firewall > NAT ARE set to TCP/UDP. See enclosed screenshot of this and the WAN & Plex rules.

    The important points are:

    1. Your firewall rules look mostly OK, the only change I would make is under Firewall->NAT->Plexserver, change the Destination Type to "WAN address".
    2. You can ping 192.168.5.200, the FreeNAS NIC is responding to pings, and LAN devices (your mac) know how to find it - Good
    3. Plex is not viewable on the LAN, that's a problem since it's not likely to respond from the outside (WAN) until it listens on the inside (LAN)

    You described setting up (multiple ?) Plex instances in Jails under FreeNAS.
    Do you assign different IP addresses for each Jail or does FreeNAS use one NIC address (192.168.5.200) and some other mechanism to know that port 32400 traffic is for the Plex Jail?

    My guess at this point is you're missing something in the Plex/FreeNAS setup as far as changing the LAN addresses goes.  I'd work on making Plex useable on the LAN first.

    I keep hearing from a lot of people that once I get this working correctly - it’ll be the best setup! Getting it set up correctly at least with the knowledge I have is the problem!  :D

    Once this starts working I’m gonna have to set up my VPN….ugh...not looking forward to that yet!!

    A lot of people (in this case) are very right  ;)
    Don't worry about the knowledge you have  (or don't have) you're definitely on the right track to solving your setup, and understanding it better.

    The VPN side doesn't have to be too hard, we'll help you out once the basics are working :D
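Added example, not part of any post in this thread: a successful ping only shows that the host answers ICMP, so this sketch checks from a LAN machine whether anything is actually listening on TCP 32400 and whether it answers HTTP on the `/web/index.html` path mentioned above. The function names and hint wording are this example's own assumptions.

```python
import errno
import http.client
import socket
import sys

# Hint text is this example's own wording, keyed by probe result.
HINTS = {
    "open": "Service is listening; if outside access still fails, check the NAT and WAN rules.",
    "refused": "Host is up but nothing listens on this port; fix Plex or the jail IP first.",
    "timeout": "No answer: wrong IP, host down, or a firewall is dropping the packets.",
    "unreachable": "No route to the host; check the address and subnet.",
    "error": "Unexpected socket error; re-check the address and port.",
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # RST came back: host alive, port closed
    except socket.timeout:
        return "timeout"      # nothing came back at all
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error"


def http_status(host, port, path="/web/index.html", timeout=3.0):
    """Return the HTTP status code for a GET, or None if no HTTP answer."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def diagnose(host, port=32400, timeout=3.0):
    """Combine the TCP probe and the HTTP check into one result."""
    state = probe_tcp(host, port, timeout)
    status = http_status(host, port, timeout=timeout) if state == "open" else None
    return {"state": state, "http_status": status, "hint": HINTS[state]}


if __name__ == "__main__":
    # Default target is the jail address used in this thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.5.200"
    print(diagnose(target))
```

Run it from a machine on the LAN first; only when it reports `open` with an HTTP status is it worth testing the port forward from a device that is really outside the network.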



  • divsys….great news - I’ve got the Plex server working and the port opened correctly!! Thank you so much for all your help!

    For anyone else experiencing a similar problem here’s what I did:

    I upgraded / changed router utilizing pfSense from a standard NetGear router. Doing so caused many problems within my FreeNAS server. I had to change the router IP address on the server and in each jail. I also (with the help and guidance of divsys  ;D) successfully mapped the correct port to work for Plex.

    I can’t point my finger on what exactly made it all work, but I’m sure it was a combination of things: settings in my router that needed to be corrected and I then removed each jail and plugin then REINSTALLED them all while checking to see if they work before I moved onto the next one. Hope this helps!

    Now onto figuring out the VPN!!! (not really looking forward to that)  :-\

    Any advice on which post might be the most useful? I’m using the viscosity app on my mac and openVPN software on pfSense & iPhone.



  • Welcome to the ranks of successful pfsense implementors ;D

    Glad it worked out ( I knew you could do it  ;) )

    Now as for OpenVPN < deep breath >…

    Here's my Readers Digest version of implementing a Road Warrior ( laptops, iphones, etc) OpenVPN in pfsense:

    (I) Create certificates
    You'll need to create 2 pieces for the OpenVPN server plus 1 piece for every device you wish to have connect.

    • The Certificate Authority - "master" certificate used to create all others.
        "System->Cert Manager->CA click on '+' to add new certificate see 'Certificate_Authority_OVPN1.png'"

    • The Server Certificate - OpenVPN server's certificate
        "System->Cert Manager->Certificates click on '+' to add new certificate, see 'Certificate_Server_OVPN1.png'"

    • The Device Certificate - Used by the device which connects (laptop, iphone, etc). One per each device.
        "System->Cert Manager->Certificates click on '+' to add new certificate, see 'Certificate_Laptop_OVPN1.png'"

    (II) Create the Road Warrior Server

    • Make a new OpenVpn server in pfsense.
        "VPN->OpenVPN->Server click on '+' to add new server, see 'OpenVPN_ Server_defn.png'"

    (III) Setup the needed rules

    • Allow access to the external OpenVPN port
        "Firewall->Rules->WAN click on '+' to add new rule, see 'OpenVPN_ WAN_rule.png'"

    • Allow OpenVPN traffic
        "Firewall->Rules->OpenVPN click on '+' to add new rule, see 'OpenVPN_ VPN_rule.png'"

    continued…..







    ![OpenVPN_ Server_defn.png](/public/imported_attachments/1/OpenVPN_ Server_defn.png)





  • ….continued

    At this point you should have a running Road Warrior server on pfsense.  Now you need to connect to it.

    (IV) Setup the export packages (iphone, etc)

    • There's a great package that greatly simplifies the install process for devices called "OpenVPN Client Export Utility"
        "System->Packages->Available Packages click on '+' at the end of the 'OpenVPN Client Export Utility' line"

    (V) Setup the laptop (iphone, etc)

    • The export utility makes it easy to install a device via a browser.
    • On the laptop browse to "192.168.5.1" (or the LAN address of your pfsense box)
    • Login
    • Go to "VPN->OpenVPN->Client Export, see 'OpenVPN_ Client Export Utility1.png '"

    • You should be able to click on the install package you need to import a configuration into your laptop.

    Once you've setup the laptop you connect to pfsense via the OpenVPN client and your laptop will have full access to the LAN network from an outside connection.

    It may look daunting, but if you go one step at a time you'll get it up and running.

    Let us know how it goes for you ;D

    ![OpenVPN_ Client Export Utility1.png](/public/imported_attachments/1/OpenVPN_ Client Export Utility1.png)



  • divsys, all i can really say is THANK YOU! Your detailed explanation along with easy to follow instructions were invaluable - I got my VPN working!!!!  ;D ;D ;D ;D ;D ;D

    I was able to successfully log in from my iPad, iPhone and MacBook Pro! Keep in mind that I did the test within my own network but all of the settings gave me no errors. Furthermore, I was able to test out my iPhone away from my network and that did work too!

    Questions:

    1. While away from my LAN I attempted to connect using my iPhone and I was NOT able to connect to 192.168.5.200:32400/web - my Plex Media Server. It just dawned on me that maybe I didn’t need to specify the port because the port forwarding rule would have worked? I was able to connect to the VPN while I was away from my LAN; however, now that I’m home I can’t seem to connect - it keeps saying ’timed out'. Is this because I’m using dyndns.org while on my LAN because dyndns can only be used outside the LAN?

    2. For my iPad and MBP I didn’t choose the dyndns.org - but my home IP is visible. Should I change these two certs so that I use only dyndns.org?

    3. What’s the difference and more importantly if you know between dyndns.org, Private Tunnel & Tunnelblick? Do I need all of them? Should I pay for their individual services? My understanding of Private Tunnel is that it ‘spoofs’ your IP (or as they like to say ‘hides it’) from the world. But when I used Tunnelblick I was not able to tunnel into my LAN because the IP they gave me was nothing close to what I entered into dyndns.

    Hopefully my madness makes sense….and again...and again...thank you sooooooo much for all your help and patience!!!

    I really couldn’t have done this without your guidance and support!  ;D



  • I was able to successfully log in from my iPad, iPhone and MacBook Pro! Keep in mind that I did the test within my own network but all of the settings gave me no errors. Furthermore, I was able to test out my iPhone away from my network and that did work too!

    1. While away from my LAN I attempted to connect using my iPhone and I was NOT able to connect to 192.168.5.200:32400/web - my Plex Media Server. It just dawned on me that maybe I didn’t need to specify the port because the port forwarding rule would have worked? I was able to connect to the VPN while I was away from my LAN; however, now that I’m home I can’t seem to connect - it keeps saying ’timed out'. Is this because I’m using dyndns.org while on my LAN because dyndns can only be used outside the LAN?

    The basic idea with OpenVPN is that it lets you work as if you were connected at home on your private network.  That's what V.P.N. stands for - Virtual Private Network.  As far as all your other programs are concerned, you're still at home once the connection is established.  The only thing to keep in mind is that your connection to home is across the internet, and is only as good as the weakest link in your "chain" to home. If your wireless at the coffee shop is bad or, the internet is having a slow day, your connection will be affected.  Just remember, when outside, you have to fire up Viscosity (or whatever VPN client you're using) first then do everything else on your home network.

    In short, on your iPhone just connect to the Plex box the same way you would if you were at home without VPN. It should work.

    2. For my iPad and MBP I didn’t choose the dyndns.org - but my home IP is visible. Should I change these two certs so that I use only dyndns.org?

    In general I use DDNS for my connections. Depending on your ISP your WAN address may change hourly, weekly, or never.  For now, you're probably OK but you should go back and download your configuration file from pfsense again. This time choose the Dynamic DNS option.

    3. What’s the difference and more importantly if you know between dyndns.org, Private Tunnel & Tunnelblick? Do I need all of them? Should I pay for their individual services? My understanding of Private Tunnel is that it ‘spoofs’ your IP (or as they like to say ‘hides it’) from the world. But when I used Tunnelblick I was not able to tunnel into my LAN because the IP they gave me was nothing close to what I entered into dyndns.

    • One's a dessert topping and one's a floor wax (sorry baaaaad joke)  ::)

    Tunnelblick and Viscosity are just two variants of OpenVPN clients.  If I remember, Tunnelblick is free and Viscosity is pay but cheap ($9??) . Just pick one or the other, whichever works best for you.  Both need a configuration file from pfsense's client export to work properly.

    Private Tunnel is a pay for service that lets you "hide" your home WAN address when you surf the net.  Useful if you're in a country that limits your access to web sites based on where it thinks your WAN address "comes from" - probably doesn't apply to you (??).  Some use these services to hide their (nefarious) surfing history on the net, YMMV….

    dyndns.org  is the service that translates your current physical WAN IP address into a domain name (text you can remember).  Dyndns is one of many services available to do this. They've recently dropped their free services and have gone to all pay.  There's lots of others that work well, I use freedns.afraid.org.  pfsense works with many of these services so that if your physical WAN address changes from your ISP, pfsense automatically updates the domain name to match.

    Hopefully my madness makes sense….and again...and again...thank you sooooooo much for all your help and patience!!!

    I really couldn’t have done this without your guidance and support!  ;D

    What's a little madness among friends.

    I'm perfectly happy to take all the credit, seeing as you did all the work  8)
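Added example, not part of any post in this thread: a small audit of an exported OpenVPN client profile that reports whether each `remote` entry is a hostname (such as a dynamic DNS name) or a literal IP that will go stale when the ISP changes the WAN address, and whether the profile checks the server certificate. The sample profile, its hostname and the function name are constructed for this example.

```python
import ipaddress

# Constructed sample profile; hostname, address and certificate are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
# first entry uses a dynamic DNS name, second a literal WAN address
remote home.example.org 1194
remote 203.0.113.10 1194 udp
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""

# Directives that make the client verify who the server is.
SERVER_CHECKS = {"remote-cert-tls", "verify-x509-name"}


def audit_profile(text):
    """Parse an .ovpn profile and summarise its remote endpoints."""
    remotes, directives, in_block = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if in_block:                             # skip inline <ca>/<cert>/<key> bodies
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        parts = line.split()
        directives.add(parts[0])
        if parts[0] == "remote" and len(parts) >= 2:
            host = parts[1]
            try:
                ipaddress.ip_address(host)
                kind = "ip"
            except ValueError:
                kind = "hostname"
            # 1194 is OpenVPN's default port when the remote line omits one
            # (a separate "port" directive is not considered here).
            port = int(parts[2]) if len(parts) >= 3 else 1194
            remotes.append({"host": host, "port": port, "kind": kind})
    return {
        "remotes": remotes,
        "pinned_to_ip": [r["host"] for r in remotes if r["kind"] == "ip"],
        "checks_server_cert": bool(directives & SERVER_CHECKS),
    }


if __name__ == "__main__":
    report = audit_profile(SAMPLE_OVPN)
    for r in report["remotes"]:
        print(f'{r["kind"]:8} {r["host"]}:{r["port"]}')
    print("server certificate checked:", report["checks_server_cert"])
```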


  • I'd add: if you have your VPN working I see no need for DynDNS and an active Port Forwarding rule. Other than you want to let the world view your plex server (if there's no layer of authentication) ;)
    When your VPN is up, you're "back inside your Home LAN" so no need for a port forwarding there.



  • I agree on the port forwarding in general, I don't like to open anything to the outside world in my firewall unless needed.  That said, the Plex login service seems to have a central facility that needs to be able to talk to the local box to provide some features (I am not a Plex expert by any means).

    The DynDNS is definitely needed if only to give the OVPN clients an address to "call home".



  • Thank you all for your help and suggestions!

    CURRENT SETUP:

    MBP - OpenVPN - Works!
    iPad - OpenVPN - Works!
    iPhone - OpenVPN - Works!

    I chose to pay $9 for Viscosity app over Tunnelblick for my MBP.

    I like the idea of using PrivateTunnel - whereas it would ‘hide’ my IP while using VPN - really don’t like the idea of putting my ‘public’ IP out in the world - I don’t publish my home address on anything either - I’m just weird that way or cautious. Anyways, do any of you know how I can integrate PrivateTunnel into my current setup using OpenVPN & DynDNS? As I understand it, PrivateTunnel will provide you a choice of IP addresses from all around the world. I use dyndns currently and have it set to use my home IP address. I’m not really sure why I even pay for the DynDNS account other than that was recommended to me some time ago.

    ISSUE:
    I’m really confused. I feel like the more I research this the more confusing it becomes! I’m not sure what steps I need to take to integrate PrivateTunnel, DynDNS and OpenVPN to work together. Any advice would be helpful. Please keep in mind that this is my very first VPN setup - so remember that I’ve still got diapers on!  ;D



  • Good to see things are up and running.  :)

    I'm definitely NOT an expert on setting up PrivateTunnel type connections, but I see they have a fairly basic How-To on their site for pfsense.  From what I can see, this type of setup will effectively "hide" your true IP address for outgoing connections from your home LAN (ie. while you're at home, a web page would get PrivateTunnel's assigned IP address instead of your home IP).

    As far as the RoadWarrior OpenVPN (connecting into home from the beach, shall we say) I don't see a particular advantage to the PrivateTunnel setup, whether you use DynDNS or simply an address given you by PrivateTunnel, your iPhone still needs to know what address to use for an OpenVPN connection.  And by extension, if your iPhone knows, "someone else" can know too.  In the end I don't see a huge benefit from trying to force the RoadWarrior side of your setup through PrivateTunnel.

    The outgoing setup does look fairly straightforward.

    Keep at it and let us know how it goes ;)



  • I made a quick blog post, any questions message me! Hope this helps some of you

    https://s3tix.wordpress.com/2016/06/12/plex-remote-access-with-pfsense/

