Firewall rule to allow specific port over WAN interface.



  • Okay, so let me first say that I am willing to pay for help. Second, I have tried to figure this out on my own for the past week, reading the manual and googling everything possible. With that, here is my problem.

    I would like to have port-specific traffic (32400, Plex) go out/in on my WAN interface. Hold up, it's not as easy as it sounds. Currently I have a VPN (PIA) set up so that all traffic is routed through it. My dilemma is that I want all traffic from the server (192.168.12.6) going through the VPN but allow Plex Media Server (port 32400) WAN access, so that I can access it from the outside. I feel like this is possible; I'm not 100% sure, but with the complexity of this software I have high hopes.

    I made a temporary firewall rule to have my server (192.168.12.6) bypass the VPN, just to check and make sure I could get Plex working via WAN, and a NAT rule to port forward 32400. It worked without a problem.

    I have thought of another solution, which is to just build another VM with only Plex running on it and have that set to WAN, but it just feels like a waste of computing power to have a dedicated VM for Plex.

    My setup:

    I have pfSense 2.2 (latest) running on a VM with PIA set up (https://forum.pfsense.org/index.php?topic=76015.0) with no problems; everything works great!

    A separate VM running a server with Plex, among other things.

    Again, I would like to have the VM running Plex still route all traffic through the VPN (PIA) except Plex traffic (port 32400), which I'd like to have go out over WAN.

    Thank you all for your time.

    I take all criticism as constructive.


  • Netgate

    Just make a port forward on WAN port 32400 to 192.168.12.6 with an automatic firewall rule.

    You don't have to worry about the return traffic.  pf will do all that for you.

    The rule on LAN that sends all your traffic over the VPN only comes into play for connections INITIATED by your host.  It has no effect on connections INITIATED by someone on the outside into WAN.



  • Thanks for assisting Derelict!

    I think I have that set up but haven't had any luck. How do I do it "with an automatic firewall rule"? I took screenshots; maybe I have something configured incorrectly.


  • Netgate

    You have it with that filter rule association at the bottom.  If you look at firewall rules, WAN, you should see a corresponding rule with "NAT Plex Server" as the description.

    Are you testing from inside or outside?



  • Thanks, yes I see the rule created. I have tested from both inside (Plex fails to connect) and outside (from my cell phone with Plex installed, using LTE).


  • Netgate

    Testing from inside will be problematic unless you connect to the inside address.

    Testing from outside should work as long as the inside host has its default gateway set to pfSense and its firewall allows the connections from any IP address.

    See Common problems: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • This was the original rule I created when testing my Plex server, which worked when I bypassed it from the VPN (PIA), so it was working when the server was solely using WAN. But I want to have the server behind the VPN and only allow Plex to go out through WAN. I have pfSense set up so all connections go through PIA unless otherwise specified.

    Here's a screenshot, if this helps.

    If you'd like me to post any other screenshots to help you let me know!



  • @Derelict:

    Testing from inside will be problematic unless you connect to the inside address.

    Testing from outside should work as long as the inside host has its default gateway set to pfSense and its firewall allows the connections from any IP address.

    See Common problems: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    I know everything is set up correctly on the server side because it works when the server is not behind the VPN (I enable the firewall rule I created to bypass the VPN); then when I disable that rule (VPN up on the server) Plex cannot connect to the outside.


  • Netgate

    I don't think you're hearing me.

    Connections from outside devices into WAN then port forwarded to 192.168.12.6 have NOTHING to do with any rules on LAN nor with outbound NAT.

    Read all of those caveats regarding a WAN interface that is not the default gateway and make sure none apply to you.  Like numbers 10 through 14.  All that talk about reply-to is to ensure that traffic for the connection initiated from the outside is sent back out WAN, not some other gateway (like PIA).

    Look hard at the configuration of the server at 192.168.12.10.  Again referring to the link above and points 1 through 6.


  • Netgate

    @sparks305:

    then when I disable that rule (VPN up on the server) Plex cannot connect to the outside

    Connections from the plex server to the outside are handled by a completely different set of rules.  Namely the ones on LAN and outbound NAT.
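    The two rule sets Derelict keeps separating (the inbound port forward with its reply-to, and the LAN policy route plus outbound NAT that govern connections the server initiates) look like this in pf terms. This is an added illustration written for this thread in the syntax pfSense 2.2 generates from the GUI; it is not copied from the poster's box or from any pfSense install. Interface names (em0, em1, ovpnc1), the WAN gateway 203.0.113.1 and the PIA tunnel gateway 10.8.0.1 are assumed placeholders; only 192.168.12.6 and port 32400 come from the thread.

```pf
# Assumed names and addresses (pfSense fills these in from Interfaces > Assign and
# System > Routing; none of them are from the original post except plex/32400).
wan_if = "em0"
lan_if = "em1"
vpn_if = "ovpnc1"          # PIA OpenVPN client tunnel
wan_gw = "203.0.113.1"     # ISP gateway on WAN
vpn_gw = "10.8.0.1"        # PIA's gateway inside the tunnel
plex   = "192.168.12.6"

# ---------- Inbound path: Firewall > NAT > Port Forward "NAT Plex Server" ----------
# rdr rewrites the destination from the WAN address to the Plex host.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 32400 -> $plex

# The "associated filter rule" pfSense adds on WAN.  reply-to tags the state so
# every reply packet from $plex is handed to $wan_gw.  That is what keeps the
# return traffic on WAN even though the LAN policy route below would otherwise
# push anything from $plex into the PIA tunnel.  This rule is evaluated on the
# packet arriving on WAN; nothing on the LAN tab is consulted for it.
pass in quick on $wan_if reply-to ($wan_if $wan_gw) inet proto tcp \
    from any to $plex port 32400 flags S/SA keep state \
    label "USER_RULE: NAT Plex Server"

# ---------- Outbound path: Firewall > Rules > LAN and Outbound NAT ----------
# pfSense rules are "quick", so the first match wins.  A more specific rule for
# Plex's own outbound connections must therefore sit ABOVE the catch-all VPN
# rule.  The port here is an assumption (Plex-to-Plex traffic on 32400); adjust
# it to whatever your outbound Plex traffic actually uses.
pass in quick on $lan_if route-to ($wan_if $wan_gw) inet proto tcp \
    from $plex to any port 32400 flags S/SA keep state \
    label "USER_RULE: Plex outbound via WAN"

# Catch-all policy route: every NEW connection initiated by the server goes
# through PIA.  Reply packets of the inbound state above never hit this rule;
# they are matched to their existing state and follow its reply-to.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet from $plex to any \
    flags S/SA keep state label "USER_RULE: server via PIA"

# Outbound NAT (manual or hybrid mode) so traffic leaving the tunnel carries the
# tunnel address; the WAN equivalent is what the automatic outbound NAT already does.
nat on $vpn_if inet from $plex to any -> ($vpn_if)
nat on $wan_if inet from $plex to any -> ($wan_if)
```

    Two things worth checking on the pfSense shell while testing from outside: `pfctl -vvsr | grep 32400` should show the WAN rule carrying `reply-to (em0 203.0.113.1)` (with your real names); if it does not, the "Disable reply-to" option under System > Advanced > Firewall/NAT is the usual culprit. While the phone is connecting, `pfctl -ss | grep 32400` should show a state in `SYN_SENT:CLOSED` or `ESTABLISHED:ESTABLISHED`; a state stuck at `SYN_SENT:CLOSED` means the packet reached pf and was forwarded but the host never answered, which points at the Windows firewall profile (remote-subnet restriction on the Plex rule) rather than at pfSense.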



  • @Derelict:

    I don't think you're hearing me.

    Connections from outside devices into WAN then port forwarded to 192.168.12.6 have NOTHING to do with any rules on LAN nor with outbound NAT.

    Read all of those caveats regarding a WAN interface that is not the default gateway and make sure none apply to you.  Like numbers 10 through 14.  All that talk about reply-to is to ensure that traffic for the connection initiated from the outside is sent back out WAN, not some other gateway (like PIA).

    Look hard at the configuration of the server at 192.168.12.10.  Again referring to the link above and points 1 through 6.

    Thanks, I understand what you're saying. I do not, however, understand 10-13 :(


  • Netgate

    It is probably the firewall on the Windows host running the Plex server.  It probably does not allow connections from remote networks, only connections it thinks are local.

    PM me your public IP and I'll test from here.



  • PM'd.

    I checked to verify that the server running Plex (Windows Server 2012 RC2) is set to allow all traffic in its software firewall.