Firewall Rule - Plex Media Server - Accessing HD Homerun on Different Subnet

Started by Mark_the_Red, February 20, 2025, 09:08:17 PM

Hello All,
Strange issue.  I have an HD Homerun and I want to connect my Plex Media Server to it.  The problem is Plex Media Server is in a K3s on Truenas and cannot autodetect any device outside of the local subnet.  It (the HD Homerun) is connected to the IoT network just fine and I can access it, but Plex Media Server cannot.  I pretty much have default standard firewall rules for my different subnets and everything works fine.

My question to you Wizards is:  Is this an OPNsense firewall rule issue or a Truenas K3S issue?   If OPNsense, is there a firewall rule you can steer me towards?

HDhomerun ip 192.168.3.77
Truenas Plex Ip:  192.168.1.48:32400
router ip: 192.168.2.100

I suspect this is a Truenas issue, but probably somebody here has encountered this before locally and it may be an OPNsense firewall blocking cross-subnet auto IP detection / connections.

Appreciate the help.

Since you can enter the HDHR IP, you don't have to deal with enabling discovery (apparently via a broadcast relay).

As you connect, I would look at the FW live view filtered down to that destination IP and enable the identified traffic.
Streaming seems to involve UDP 5004. Discovery/Control on UDP 65001?

I'm running SiliconDust HW and SW across the board, and I've put all devices involved (tuner, DVR, fire cubes) in the same VLAN...

I'm fairly sure this is an HDHR issue. I had this problem years ago with HDHRPrime.  I couldn't find an easy solution at the time and had to have devices accessing HDHRP on the same subnet. Maybe SiliconDust have fixed this now.

Before I replied, I had done a quick search. There's apparently plenty of people that have Plex and the tuner in separate VLANs.
It's apparently more difficult with the SiliconDust DVR because this one relies entirely on discovery via broadcast.
At least Plex lets you enter an IP for the tuner... So tuner discovery is out of the way.
Figuring out the rest should be simpler.

Try mDNS or UDPBroadcastRelay.

Here's mine, I have plex on my IOT VLAN but devices on my primary VLAN can see it. You'll likely need a rule to allow the PLEX server to send the streams to the primary VLAN.

Relay Port 5363
Relay Interfaces Pri, IOT
Broadcast Address 224.0.0.251
Source Address 1.1.1.1
Instance ID 2
Use TTL for ID YES
Description mDNS
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

I wanted to say thank you for the help.  Lots to digest here, but I will start with the firewall rule marjohn56 recommended and respond.

Quote from: EricPerl on February 22, 2025, 03:36:06 AM
Before I replied, I had done a quick search. There's apparently plenty of people that have Plex and the tuner in separate VLANs.
It's apparently more difficult with the SiliconDust DVR because this one relies entirely on discovery via broadcast.
At least Plex lets you enter an IP for the tuner... So tuner discovery is out of the way.
Figuring out the rest should be simpler.

I think my local situation is probably making this more complicated than it needs to be.  I am using the AdguardDNS plugin so I have to look into how the mDNS solution can play nice with both operating right now.   The mimugmail version of AdGuard on OPNsense is extremely simple to install and get working, but how it plays with mDNS will have to be trial and error.   To be clear, manually entering the IP address of my HDhomerun works for all devices (even IoT devices with no trust status), except the stupid plexmediaserver plugin on Truenas.  It's got to be that k3s setup.  I will try Plexmediaserver as a docker and see if that solves it first.  The mDNS rule I tried did not work, but I will admit I'm a total noob with mDNS as of 5 minutes ago learning about it.


Did you install the os-mdns-repeater plugin? It's pretty easy to configure. Just tick all interfaces that should be visible to each other via mDNS. If you have e.g. an "allow all" rule on LAN nothing else needs to be done for devices on LAN to see mDNS capable devices on all other networks you ticked.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I did install it and it appeared to install fine.  It didn't solve the problem, but this is not an OPNsense problem at this point.  Sorry to waste your time.

It's a Kubernetes problem / Truenas problem that fights you tooth and nail whenever you try to do simple basic networking stuff.

I cannot understand why I can access my HDhomerun from EVERY device in the house via its IP address but Plex cannot and will not do so even when I enter it manually.

I then started down trying to install plexmediaserver within dockge, which resoundingly defeated me in trying to mount network media via docker compose.  Sigh.
ChatGPT is clueless and incorrect.

This is a (me) / Truenas problem, gentlemen.  Us normies just can't have nice things.   Appreciate the help.  OPNsense is working great.

There was evidence in online posts that mDNS was NOT used.
A pure broadcast seemed to be used for discovery.

But discovery is out of the way since the OP can specify the IP.
From that point on, I would think that observing FW traffic should be enough.

Arguably, Kubernetes + Truenas add complexity.
This said, observing some traffic entering the FW (interface of Truenas) would indicate that part of the setup is correct.
It's obvious the issue is at the source if there's no traffic.

Reply traffic is more difficult to observe (packet capture) but it shouldn't be rocket-science after the request traffic is identified from the previous step.

"There was evidence.."?  I don't understand the post.  Tell me what else I need to install to make mDNS "installed".  Pic related is what downloading the plugin creates on 25.7 appears to look like.

I tried every possible permutation of the ip4 subnet argument point.   Leaving it blank does nothing else.   My Truenas server is 192.168.1.48 with Plex on port 32400.  The HD Homerun is on 192.168.3.77 (different subnet); no idea on the port it uses.

Putting your devices on the blocklist might not be the proper way, I think.

Anyway, I don't know HD Homerun, but according to Wikipedia it uses DLNA.

I struggled to get DLNA working across pfSense and connect my TV to the server years ago. The DLNA server runs in an LXC. I then put it into a separate VLAN and bridged it on the router to the IoT subnet, which my TV is connected to.
From the TV I had to allow TCP/UDP 1900 + 8200 to the DLNA server and UDP 1900 to 239.255.255.250.

So the TV advertises its presence via SSDP obviously.
Hence, maybe you can also get this to work with the UDP Broadcastrelay plugin. I never tried. But you will need to set the broadcast IP to 239.255.255.250 and the port to 1900 then.

Quote from: Mark_the_Red on February 24, 2025, 10:01:25 PM
"There was evidence.."?  I don't understand the post.  Tell me what else I need to install to make mDNS "installed".  Pic related is what downloading the plugin creates on 25.7 appears to look like.

I tried every possible permutation of the ip4 subnet argument point.   Leaving it blank does nothing else.   My Truenas server is 192.168.1.48 with Plex on port 32400.  The HD Homerun is on 192.168.3.77 (different subnet); no idea on the port it uses.

My cursory research on Plex HDHR comm indicated that mDNS is not used.
Instead, the discovery relied on a UDP broadcast. A broadcast relay would be necessary for that.
But again, since you can input the IP, discovery is irrelevant (FWIW, the HDHR DVR does not have that feature).

I already posted about ports used, again based on cursory research.
But I wouldn't create rules purely based on that research, because it lacked depth and consistency (possibly because of different HW or versions).

It's not that hard to look at the FW live view as you attempt to connect.
You have the destination IP on top of it. You can filter down if there's too much noise.
If traffic is blocked, create a rule to allow it.
At some point, you should see an IN request on the interface corresponding to Plex, followed by an OUT on the interface corresponding to the tuner.

If you see that but nothing really happens on Plex, you'll need to hunt for reply traffic with packet captures (interfaces > diagnostics).
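An added triage helper that applies the live-view advice above (filter by the tuner's destination IP, list what is blocked, and check for the IN-on-Plex-side / OUT-on-tuner-side pair). This is example code, not from any poster or from OPNsense; it assumes the standard filterlog CSV field layout, assumes interface names vlan1/vlan3, and the log lines it parses are constructed samples.

```python
"""Triage OPNsense filterlog lines for the Plex -> HDHomeRun flow.

Assumed filterlog CSV layout (standard pf filterlog, stated as an assumption):
rulenr,subrulenr,anchor,label,interface,reason,action,dir,ipver,tos,ecn,ttl,
id,offset,flags,protonum,proto,length,src,dst,srcport,dstport,datalen
(the last three fields only for TCP/UDP).
"""
from collections import Counter

PLEX_HOST = "192.168.1.48"          # TrueNAS / Plex, from the thread
TUNER = "192.168.3.77"              # HDHomeRun, from the thread
PLEX_IF, TUNER_IF = "vlan1", "vlan3"  # assumed interface names

# Constructed sample lines (not a real capture). Ports 65001/5004 come from
# the thread's cursory research; 80 is an assumed HTTP control port.
SAMPLE_LOG = """\
7,,,abc1,vlan1,match,pass,in,4,0x0,,64,1001,0,DF,17,udp,60,192.168.1.48,192.168.3.77,51000,65001,32
7,,,abc1,vlan3,match,pass,out,4,0x0,,63,1001,0,DF,17,udp,60,192.168.1.48,192.168.3.77,51000,65001,32
9,,,def2,vlan1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,192.168.1.48,192.168.3.77,51001,80,0
9,,,def2,vlan1,match,block,in,4,0x0,,64,1003,0,DF,17,udp,60,192.168.1.48,192.168.3.77,51002,5004,40
3,,,ghi3,vlan1,match,pass,in,4,0x0,,64,1004,0,DF,6,tcp,60,192.168.1.20,192.168.2.100,40000,443,0
"""

def parse(line):
    """Pull the fields the triage needs out of one filterlog CSV line."""
    f = line.strip().split(",")
    if len(f) < 20:
        return None
    rec = {"iface": f[4], "action": f[6], "dir": f[7], "proto": f[16], "src": f[18], "dst": f[19]}
    rec["dport"] = int(f[21]) if rec["proto"] in ("tcp", "udp") and len(f) > 21 else None
    return rec

def triage(log_text, plex=PLEX_HOST, tuner=TUNER, plex_if=PLEX_IF, tuner_if=TUNER_IF):
    """Filter to plex->tuner flows and say whether the source or the firewall is at fault."""
    flows = [r for r in map(parse, log_text.splitlines()) if r and r["src"] == plex and r["dst"] == tuner]
    blocked = Counter((r["iface"], r["proto"], r["dport"]) for r in flows if r["action"] == "block")
    seen_in = any(r["dir"] == "in" and r["iface"] == plex_if for r in flows)
    seen_out = any(r["dir"] == "out" and r["iface"] == tuner_if and r["action"] == "pass" for r in flows)
    if not flows:
        verdict = "no traffic from Plex reached the firewall: look at the source (TrueNAS/k3s)"
    elif blocked:
        verdict = "firewall is blocking some flows: add pass rules for the listed ports"
    elif seen_in and seen_out:
        verdict = "request path passes; check reply traffic with a packet capture"
    else:
        verdict = "traffic seen but no IN/OUT pair; check interface assignment"
    return {"flows": len(flows), "blocked": dict(blocked), "in_seen": seen_in, "out_seen": seen_out, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feed it lines exported from the live view (or /var/log/filter) and an empty result means the request never left the Plex host, which is the "issue is at the source" case described above.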

Just as an update, some super helpful guy over on Plex explained the problem pretty well and how what I am experiencing is expected.
https://forums.plex.tv/t/live-dvr-plex-media-server-cant-detect-hd-homerun-over-different-subnet-to-server/906937/2

Neither he nor I could explain why my firewall doesn't show ANY traffic between subnets for this process when watching the live view.   I am just not qualified at this time to delve into the why or how within OPNsense over a relatively peripheral network need right now.   I am sure it's some obscure Linux permission issue on Truenas or the k3s environment regarding ports.

Just thought I would share this here as the Plex expert explained in good detail the network protocols plex / hdhomerun use to communicate to each other.

Can you see and use the Plex server from a device on the same VLAN as the Plex server? If yes then there is no reason why with the use of UDPBroadcastrelay and a firewall rule you cannot get it to work across VLANs.