[SOLVED] Plex Port Forward not working

Started by Bert-Jan, July 05, 2024, 11:06:08 AM

July 05, 2024, 11:06:08 AM Last Edit: July 08, 2024, 04:20:19 PM by Bert-Jan
I'm completely new to OPNsense, just came from Arista NG, who are throwing their Home-users out.
So, apologies if this is a very newbie question.

I've installed OPNsense on a miniPC, internet is running fine. I would like to make my Plex Media Server, running on a VM, available to the outside.
I've tried to follow tutorials / YT videos, but I think I'm still missing something.

- Ping to <URL of Plex server> points to my external IP address

- Online port check shows that port 32400 is open

- <internal IP address>:32400 shows PMS is running fine

- Firewall - NAT - Port forward
   Interface: WAN
   TCP/IP Version: IPv4
   Protocol: TCP
   Source: Advanced
   Destination: WAN address
   Destination port range: from 32400 to 32400
   Redirect target IP: Single host or network; <internal IP address>
   Redirect target Port: 32400
   Pool options: Default
   NAT Reflection: Use system default
   Filter rule association: Pass

- Firewall - Rules - WAN
   Action: Pass
   Interface: WAN
   Direction: in
   TCP/IP version: IPv4
   Source: WAN address
   Source port range: from 32400 to 32400
   Schedule: none
   Gateway: default

This does not seem to work; <URL of Plex server>:32400 leads to a time out. Am I overlooking something or doing something stupid?
To quote my robot vacuum; 'I'm stuck, please help'.

   

The source of the Firewall rule should be "Any" since you don't know where the traffic will originate from when it hits your WAN interface.

And the Source Port range should be any too, since you don't know which upper port your client will use to connect.
Hardware:
DEC740

Thanks for the reply!
I changed the Source and Source Port range. Unfortunately, this did not change anything. I still do not get to the Plex server.
Is there anything else that could cause this issue?

I've tried to follow different tutorials/explanations I found online. They do differ, though. This one https://www.wundertech.net/how-to-port-forward-in-opnsense/ and this one https://www.youtube.com/watch?v=i546YF91dHk tell me to use 'WAN address' as Destination.
This one https://www.youtube.com/watch?v=UI5tO1hP2q8&t=1496s tells me to use LAN address as Destination. All for port forwarding to an internal IP address as far as I can tell.

Is there any definitive guide for port forwarding in OPNsense 24, aimed at newbies such as myself?

July 05, 2024, 03:47:02 PM #3 Last Edit: July 05, 2024, 03:49:00 PM by Monviech
Yes there is a guide that I wrote.

But it is not aimed at beginners, it's more for intermediate. But if you follow it carefully you will get port forwarding working, together with NAT reflection.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html#start-of-the-how-to-section

If you have a dynamic IP address you can also choose the "WAN address" as destination, it does not have to be a static IP like 203.0.113.1.
Hardware:
DEC740

First of all, apologies; I'm so used to English being used on forums that I did the same in this Dutch section of the forum. Dutch from now on.

Thanks for the link to the instructions!

What differs from the 'norm' in my case is that I get my internet via Odido. Odido requires the use of VLANs when using its services: https://community.odido.nl/thuisnetwerk-539/eigen-modem-wat-zijn-de-vereisten-339306. What I did was create a VLAN, see attachment vlan.png, and assign it to [WAN] under Interfaces - Assignments. See assignments.png. After that I had a perfectly good internet connection.

Now the instructions.
I removed all the firewall rules and port forwards I had already created and tried method 1. I worked from the goal of making the Plex Media Server reachable. It runs at 192.168.1.14 on my network. When I go to 192.168.1.14:32400 in a browser, I land neatly on the Plex server.

Under Firewall - Settings - Advanced
All of the options mentioned were already off here.

Under Firewall - NAT - Port Forward
I don't have a DMZ, so I entered the rules as follows

Interface: LAN, WAN
Protocol: TCP
Source: Any
Source port range: Any
Destination: <external IP address> as shown in the dashboard under WAN (and at ipchicken.com)
Destination port range: 32400
Redirect target IP: 192.168.1.14
Redirect target port: 32400
Description: Reflection NAT Rule Plex 32400
NAT Reflection: Use system default
Filter Rule Association: Add associated filter rule

After clicking Save and then Apply, I see the situation shown in the attachments under Firewall - NAT - Port Forward and under Firewall - Rules - Floating.

Unfortunately: when I now go to <external IP address>:32400 in the browser, I still get a time-out

Am I still overlooking something? Is the way I set up the VLAN throwing a spanner in the works?
Thanks again in advance for all the help!


Okay, I am officially an idiot.
Port forwarding does work. While testing, it never once occurred to me to test from outside my own network. I opened a browser, went to https://<URL of Plex server>:32400 and got a time-out. It didn't occur to me that this was not the right way to test, because it simply worked with the previous firewall (Arista).

This morning I had a brainwave and tested via a 4G hotspot. Worked immediately. Phew.. I have no idea why the URL gives a time-out on my own network, but that's something for another thread

@Monviech Thanks for the extensive help and the excellent guide!

Sorry, I'm not from NL. I just helped because the thread started in English and I didn't notice it was in the NL forum.

But to complete this:

If your client and the Plex Server are in the same subnet, you need hairpin NAT. That's why the timeout happens. You got reflection NAT working now, but you need an additional Outbound NAT rule for traffic inside the same subnet. That's also explained in the docs I have linked.

Your prior firewall might have done that automatically.
Hardware:
DEC740

July 08, 2024, 11:04:52 AM #7 Last Edit: July 08, 2024, 11:07:35 AM by Bert-Jan
My apologies, first I made the mistake of writing in English in a Dutch subforum, and then I assumed that you must be Dutch, although you replied in English.

Again thanks for the help and the excellent documentation. When I set up port forwarding I looked at hairpin NAT, but couldn't get it to work, and then forgot about it  ::)

I still cannot get it to work though. Since I do not have a DMZ I set it up like this

Interface: LAN (as I don't have a DMZ and the Plex server is of course on the LAN)

Protocol: TCP

Source Address: 192.168.1.0/24

Source port: Any

Destination Address: Plex (an alias for 192.168.1.14. However, when I don't use the alias and type the IP address, that address is changed into 192.168.1.0/24 after saving.)

Destination Port: 32400

Translation / Target: 192.168.1.254 (As a gateway on the LAN seemed to be needed, I created a LAN gateway in System - Gateways - Configuration. See screenshot for details.)

I'm sorry for the newbie questions. I was reminded by this post https://forum.opnsense.org/index.php?topic=39556.0 (sorry, in German) that a basic knowledge of networking should be present before starting out with OPNsense. However, for me this is a hobby, and I do learn a lot from answers by people like you.

Oh no, you don't need a LAN gateway for the Hairpin NAT rule.

You use the "Interface Address" of the LAN. (In your case it should be called "LAN address" as alias). The one you have configured for the LAN adapter in the OPNsense.

Otherwise your rule should be fine with what you did.
Hardware:
DEC740
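
The hairpin NAT behaviour discussed in this thread, traced packet by packet as an added example that is not part of any post and is not OPNsense code. It shows why the port forward answers an outside client but times out for a client on the Plex server's own subnet, and why translating the source to the LAN address fixes it. The firewall LAN address 192.168.1.1, the two client addresses and source port 51514 are constructed; 203.0.113.1 stands in for the external IP.

```python
import ipaddress
from dataclasses import dataclass, replace

# 203.0.113.1, 192.168.1.14:32400 and 192.168.1.0/24 appear in the thread.
# The firewall LAN address and both client addresses are constructed.
WAN_IP, PLEX, PORT = "203.0.113.1", "192.168.1.14", 32400
LAN = ipaddress.ip_network("192.168.1.0/24")
LAN_ADDR = "192.168.1.1"        # assumed "LAN address" of the firewall
LAN_CLIENT = "192.168.1.50"     # constructed client on the same subnet
EXT_CLIENT = "198.51.100.7"     # constructed client on the internet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN

def connect(client: str, hairpin: bool):
    """Trace one TCP handshake to WAN_IP:PORT; return (accepted, reply_seen_by_client)."""
    syn = Packet(client, 51514, WAN_IP, PORT)
    # Port forward / reflection: destination rewritten to the Plex host.
    fwd = replace(syn, dst=PLEX)
    # Hairpin rule: outbound NAT on LAN rewrites the source of LAN-to-Plex traffic.
    if hairpin and on_lan(client):
        fwd = replace(fwd, src=LAN_ADDR)
    # The server answers whatever source address it saw.
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if on_lan(reply.dst) and reply.dst != LAN_ADDR:
        # Same subnet: delivered directly at layer 2, the firewall never
        # sees it, so the destination rewrite is not undone.
        seen = reply
    else:
        # Reply passes the firewall, whose state table reverses the NAT.
        seen = Packet(syn.dst, syn.dport, syn.src, syn.sport)
    # The client's socket only accepts a reply from the address it contacted.
    accepted = (seen.src, seen.sport) == (syn.dst, syn.dport)
    return accepted, seen

if __name__ == "__main__":
    for client, hairpin in [(EXT_CLIENT, False), (LAN_CLIENT, False), (LAN_CLIENT, True)]:
        ok, seen = connect(client, hairpin)
        print(f"{client:13} hairpin={hairpin!s:5} reply from {seen.src}: {'ok' if ok else 'time-out'}")
```
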

That worked brilliantly! Thanks again for the help!
I'll close this thread as my issue with port forwarding has been fully resolved.

I'll ask any of the other questions about OPNsense that are sure to follow either in Dutch in this forum or in the English forum where traffic is heavier.