Hi,
I installed jellyfin and can connect to it from my laptop while on the main lan.
However, my tv, which is on the guest network, cannot access it (neither can my browser when I connect my laptop to the guest network for testing).
I have tried port forwarding on my router (since I did the same for the tv to access pi-hole, which works well), but that's not working.
Any ideas?
˜P.
Configure a Traffic Rule instead.
Thanks @AndrewZ. I'll try that. Can you elaborate as to why? What's the difference?
This traffic rule below does not seem to work.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
```
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
```
That should not work. Try this (in /etc/config/firewall):
```
config rule
    option name 'Allow-guest-jellyfin'
    list proto 'tcp'
    option src 'guest'
    option dest 'lan'
    option dest_port '8096'
    option target 'ACCEPT'
    list dest_ip '192.168.8.101'
```
Please do not use pictures.
hmmm... how do I change /etc/config/firewall from the webGUI?
Log in via ssh and edit with the vi editor. Or, follow the general logic on the GUI to reproduce the demonstrated rule.
Thanks. Getting late in this part of the world, but I'll check real soon.
Meanwhile:
```
root@GL-MT6000:~# ubus call system board
{
    "kernel": "5.15.139",
    "hostname": "GL-MT6000",
    "system": "ARMv8 Processor rev 4",
    "model": "GL.iNet GL-MT6000",
    "board_name": "glinet,gl-mt6000",
    "rootfs_type": "squashfs",
    "release": {
        "distribution": "OpenWrt",
        "version": "23.05-SNAPSHOT",
        "revision": "r23001+721-38c150612c",
        "target": "mediatek/filogic",
        "description": "OpenWrt 23.05-SNAPSHOT r23001+721-38c150612c"
    }
}
```
```
root@GL-MT6000:~# cat /etc/config/network

config interface 'loopback'
    option device 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config globals 'globals'
    option ula_prefix 'XXX'

config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'
    list ports 'lan4'
    list ports 'lan5'

config device
    option name 'lan1'
    option macaddr 'XXX'

config device
    option name 'lan2'
    option macaddr 'XXX'

config device
    option name 'lan3'
    option macaddr 'XXX'

config device
    option name 'lan4'
    option macaddr 'XXX'

config device
    option name 'lan5'
    option macaddr 'XXX'

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.8.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option isolate '0'

config device
    option name 'eth1'
    option macaddr 'XXX'

config interface 'wan'
    option device 'eth1'
    option proto 'dhcp'
    option force_link '0'
    option ipv6 '0'
    option metric '10'

config interface 'wan6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@wan'

config interface 'tethering6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@tethering'

config interface 'wwan6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@wwan'

config interface 'guest'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.9.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option multicast_querier '1'
    option igmp_snooping '0'
    option isolate '0'
    option bridge_empty '1'
    option disabled '0'

config interface 'wwan'
    option proto 'dhcp'
    option metric '20'

config interface 'secondwan'
    option ipv6 '0'
    option proto 'dhcp'
    option metric '15'
    option force_link '0'

config interface 'secondwan6'
    option proto 'dhcpv6'
    option disabled '1'
    option metric '15'
    option device '@secondwan'

config interface 'modem_1_1_2_6'
    option proto 'dhcpv6'
    option disabled '1'
    option device '@modem_1_1_2'

config rule 'policy_direct_rt'
    option lookup 'main'
    option suppress_prefixlength '0'
    option priority '1100'

config rule 'policy_default_rt_vpn'
    option mark '0x8000/0xc000'
    option lookup '8000'
    option priority '1101'
    option invert '1'

config rule6 'policy_direct_rt6'
    option lookup 'main'
    option suppress_prefixlength '0'
    option priority '1100'

config rule6 'policy_default_rt_vpn6'
    option mark '0x8000/0xc000'
    option lookup '8000'
    option priority '1101'
    option invert '1'
```
```
root@GL-MT6000:~# cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '0'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option cachesize '1000'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
    option nonwildcard '1'
    option localservice '1'
    option ednspacket_max '1232'
    option filter_aaaa '0'
    option filter_a '0'
    option localuse '1'
    list server '127.0.0.1#5453'
    option noresolv '1'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '720m'
    option dhcpv4 'server'
    option dhcpv6 'disabled'
    option ra 'disabled'
    option ra_slaac '1'
    option force '1'
    option ignore '0'
    list dhcp_option '6,192.168.8.101'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config domain
    option name 'console.gl-inet.com'
    option ip '192.168.8.1'

config domain
    option name 'console.gl-inet.com'
    option ip '::ffff:192.168.8.1'

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option limit '150'
    option leasetime '720m'
    option force '1'
    option ignore '0'

config dhcp 'secondwan'
    option interface 'secondwan'
    option ignore '1'

config host
    option mac 'XXX'
    option ip '192.168.8.101'
    option tag 'Raspberry Pi'
```
```
root@GL-MT6000:~# cat /etc/config/firewall

config defaults
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option flow_offloading '1'
    option flow_offloading_hw '1'
    option synflood_protect '1'

config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    list network 'wwan'
    list network 'secondwan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'
    option family 'ipv4'

config rule
    option name 'Allow-IGMP'
    option src 'wan'
    option proto 'igmp'
    option family 'ipv4'
    option target 'ACCEPT'

config rule
    option name 'Allow-DHCPv6'
    option src 'wan'
    option proto 'udp'
    option dest_port '546'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-MLD'
    option src 'wan'
    option proto 'icmp'
    option src_ip 'fe80::/10'
    list icmp_type '130/0'
    list icmp_type '131/0'
    list icmp_type '132/0'
    list icmp_type '143/0'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Input'
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    list icmp_type 'router-solicitation'
    list icmp_type 'neighbour-solicitation'
    list icmp_type 'router-advertisement'
    list icmp_type 'neighbour-advertisement'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-ICMPv6-Forward'
    option src 'wan'
    option dest '*'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'echo-reply'
    list icmp_type 'destination-unreachable'
    list icmp_type 'packet-too-big'
    list icmp_type 'time-exceeded'
    list icmp_type 'bad-header'
    list icmp_type 'unknown-header-type'
    option limit '1000/sec'
    option family 'ipv6'
    option target 'ACCEPT'

config rule
    option name 'Allow-IPSec-ESP'
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option name 'Allow-ISAKMP'
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config include 'nat6'
    option path '/etc/firewall.nat6'
    option reload '1'

config rule 'block_dns'
    option name 'block_dns'
    option src '*'
    option device 'br-*'
    option dest_port '53'
    option target 'REJECT'
    option enabled '0'

config zone
    option name 'guest'
    option network 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'

config forwarding
    option src 'guest'
    option dest 'wan'

config rule
    option name 'Allow-DHCP'
    option src 'guest'
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'

config rule
    option name 'Allow-DNS'
    option src 'guest'
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'

config include 'vpn_server_policy'
    option type 'script'
    option path '/etc/firewall.vpn_server_policy.sh'
    option reload '1'
    option enabled '1'

config include 'gls2s'
    option type 'script'
    option path '/var/etc/gls2s.include'
    option reload '1'

config include 'glblock'
    option type 'script'
    option path '/usr/bin/gl_block.sh'
    option reload '1'

config rule 'sambasharewan'
    option src 'wan'
    option dest_port '137 138 139 445'
    option dest_proto 'tcpudp'
    option target 'DROP'

config rule 'sambasharelan'
    option src 'lan'
    option dest_port '137 138 139 445'
    option dest_proto 'tcpudp'
    option target 'ACCEPT'

config rule 'glnas_ser'
    option src 'wan'
    option dest_port '6000-6002'
    option dest_proto 'tcp'
    option target 'DROP'

config rule 'webdav_wan'
    option src 'wan'
    option dest_port '6008'
    option dest_proto 'tcp'
    option target 'DROP'

config nat
    option name 'Prevent harcoded DNS clients from giving unexpected source error after DNS redirected to Pi-Hole'
    list proto 'tcp'
    list proto 'udp'
    option src 'guest'
    option dest_ip '192.168.8.101'
    option dest_port '53'
    option target 'MASQUERADE'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Allow-guest-pihole'
    option family 'ipv4'
    option src 'guest'
    option src_dport '53'
    option dest_ip '192.168.8.101'

config redirect
    option dest 'lan'
    option target 'DNAT'
    option name 'Allow-guest-jellyfin'
    option family 'ipv4'
    option src 'guest'
    option src_dport '8096'
    option dest_ip '192.168.8.101'
    option enabled '0'
```
It appears you are using firmware that is not from the official OpenWrt project.
When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.
You may find that the best options are:
- Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
- Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
- Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).
If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.
This worked, thanks a lot.
Would be happy to understand why, though.
The rule allows tcp traffic coming from the guest zone to the lan zone with a destination address of 192.168.8.101:8096. Your previous attempts were either trying to match traffic going to the router or traffic coming from port 8096, neither of which was happening here.
Thanks for the explanation, @krazeh. That's clearer now.
Should it then be the same for service discovery and client discovery, as described here? Maybe the traffic should go both ways (or is lan -> guest always allowed)?
It would depend what zone forwardings had been created within the firewall. The only default forwarding in OpenWRT is lan to wan. You would need to add any additional forwarding manually (remembering that forwarding is unidirectional so for bidirectional traffic it needs adding to both zones).
Zone to zone forwarding would allow all traffic to pass. Therefore if you wanted more finely grained control you would instead add relevant traffic rules to allow the required traffic (as has been done with traffic from the guest zone to 192.168.8.101:8096 in the lan zone).
Obviously I can only confirm the above is correct if you're using vanilla OpenWRT. If you're using a third party firmware (even if based on OpenWRT) then there may have been changes made that render the above info incorrect/incomplete.
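An added example, not part of the thread and not OpenWrt's own code: a simplified Python model of the decision described above for a new connection forwarded between two zones (first matching traffic rule, then zone forwardings, then the default forward policy). `parse_uci`, `decide` and the `SAMPLE` excerpt are constructed for illustration; redirects, intra-zone traffic and replies on already-established connections are not modelled.

```python
import ipaddress

# Constructed excerpt modelled on the /etc/config/firewall posted in this thread.
SAMPLE = """
config defaults
    option forward 'REJECT'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'guest'
    option dest 'wan'
config rule
    option name 'Allow-guest-jellyfin'
    list proto 'tcp'
    option src 'guest'
    option dest 'lan'
    option dest_port '8096'
    option target 'ACCEPT'
    list dest_ip '192.168.8.101'
"""

def parse_uci(text):
    """Return [(section_type, {key: [values]})]; option and list values are split on spaces."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts and parts[0] == "config":
            sections.append((parts[1], {}))
        elif len(parts) == 3 and parts[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(parts[1], []).extend(parts[2].strip().strip("'\"").split())
    return sections

def decide(sections, src, dest, proto, ip, port):
    """Verdict and reason for a NEW connection forwarded from zone src to a different zone dest."""
    addr = ipaddress.ip_address(ip)
    for kind, o in sections:  # 1. traffic rules, first match wins
        if (kind == "rule" and o.get("enabled") != ["0"]
                and o.get("src", [""])[0] in (src, "*")
                and o.get("dest", [""])[0] in (dest, "*")  # no 'dest' means traffic to the router itself
                and proto in o.get("proto", ["tcp", "udp"])
                and ("dest_ip" not in o or any(addr in ipaddress.ip_network(n, strict=False) for n in o["dest_ip"]))
                and any(int(p.split("-")[0]) <= port <= int(p.split("-")[-1]) for p in o.get("dest_port", ["0-65535"]))):
            return o.get("target", ["DROP"])[0], " ".join(o.get("name", ["unnamed rule"]))
    for kind, o in sections:  # 2. zone forwardings pass everything, in one direction only
        if kind == "forwarding" and o.get("src") == [src] and o.get("dest") == [dest]:
            return "ACCEPT", f"forwarding {src}->{dest}"
    defaults = dict(sections).get("defaults", {})  # 3. otherwise the global forward policy
    return defaults.get("forward", ["REJECT"])[0], "default forward policy"
```

Running `decide` over a parsed copy of the real `/etc/config/firewall` for each guest-to-lan flow you care about shows which flows a rule opens and which still fall through to the default policy.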
Makes sense. Unfortunately, I could not find my router in the list of compatible devices, but things worked out for port 8096.
I guess here, for service discovery and client discovery in jellyfin, I don't realise whether it's supposed to go both ways.
For now, I have this at the end of /etc/config/firewall:
```
config rule
    option name 'Allow-guest-jellyfin'
    list proto 'tcp'
    option src 'guest'
    option dest 'lan'
    option dest_port '8096'
    option target 'ACCEPT'
    list dest_ip '192.168.8.101'

config rule
    option name 'Allow-guest-jellyfin-service-discovery'
    list proto 'udp'
    option src 'guest'
    option dest 'lan'
    option dest_port '1900'
    option target 'ACCEPT'
    list dest_ip '192.168.8.101'

config rule
    option name 'Allow-guest-jellyfin-client-discovery'
    list proto 'udp'
    option src 'guest'
    option dest 'lan'
    option dest_port '7359'
    option target 'ACCEPT'
    list dest_ip '192.168.8.101'
```