PBR - Port Forwarding - Wireguard VPN - R7800 - Plex

G'day all,

I'm looking for some guidance with my R7800. I'm using one of @hnyman's 22.03 snapshots. I'm mainly using LuCI; however, I'm happy to connect via SSH if that is more suitable.

My router is connected to a VPN provider using WireGuard. Using Policy Based Routing (PBR), I have two Win10 PCs reaching the internet via the WireGuard interface; all other clients go out directly via the WAN interface. This seems to work OK.

On one of the Win10 PCs, I have Plex Media Server (PMS) installed and would like remote clients to reach it directly over the internet on port 32400, not via the WireGuard interface. I have set up a port forward under the firewall rules and have also added a PBR policy intended to send port 32400 traffic for that Win10 PC via WAN.


image

I can't get a direct connection to my PMS from outside my network using this method. I'm sure I'm botching this somehow and would appreciate someone pointing out what I'm doing wrong, how to fix it, or a better way to do it.

Remove the destination port(s) option from the policy.


I'll give it a go. Fingers crossed.

There are a few things in the dhcp/dnsmasq config that also affect whether Plex can connect directly, so please post your /etc/config/dhcp here as well.

As far as pbr is concerned, I can't quite make out the screenshots you posted, but placing the following two policies first should allow Plex to connect directly in your case:

# Both policies use the 'ignore' target: matching traffic is left to the
# normal routing table (i.e. WAN) instead of being steered into the
# WireGuard tunnel. They must sit ABOVE the catch-all policy that sends
# the Plex host through the VPN, since earlier policies take precedence.
config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'ignore'
	# Plex's own servers by hostname — presumably so the PMS reaches them
	# directly and advertises the WAN address rather than the VPN exit IP.
	option dest_addr 'plex.tv my.plexapp.com'

config policy
	option name 'NAS WAN Remote Ports'
	option interface 'ignore'
	option src_addr '192.168.1.101' # <----- IP of your Windows with Plex
	# NOTE(review): dest_port matches connections the PMS itself opens
	# toward remote port 32400. Replies to inbound (port-forwarded)
	# connections carry 32400 as their SOURCE port, which 'src_port'
	# matches — confirm which case is intended here.
	option dest_port '32400'

You may also want to try the (less secure) miniupnpd, at least initially, if you're struggling to open the firewall for Plex. Be aware that UPnP lets any host on the LAN open inbound ports without authentication, so treat it as a diagnostic step only: once Plex works, replace it with the explicit port forward and disable miniupnpd again.

Here's my /etc/config/dhcp

My pbr appears to be correct, I think, except that I've got "src_port" where you have "dest_port". Have I got that the wrong way around? My pbr config is below as well.

dhcp

# dnsmasq: the router's own DNS forwarder and DHCPv4 server.
config dnsmasq
        # Don't forward lookups for bare hostnames (no dots) upstream.
        option domainneeded '1'
        option localise_queries '1'
        # Rebind protection discards upstream answers that resolve to private
        # addresses (DNS-rebinding defence). The rebind_domain entry at the
        # bottom carves out a single, deliberate exception for Plex.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS from directly attached subnets (not an open resolver).
        option localservice '1'
        option ednspacket_max '1232'
        # Upstreams for the router's own lookups: the Pi-hole and Cloudflare.
        # NOTE(review): dnsmasq may send any given query to either server, so
        # lookups that go to 1.1.1.1 bypass Pi-hole filtering/logging. If the
        # Pi-hole is meant to see everything, drop 1.1.1.1 here or set
        # `option strictorder '1'` — confirm intent.
        list server '192.168.1.20'
        list server '1.1.1.1'
        # Plex remote-access hostnames under plex.direct legitimately resolve
        # to LAN addresses; exempt them from rebind protection (Plex's
        # documented requirement) and nothing else.
        list rebind_domain '/plex.direct/'

# Main LAN pool: 192.168.1.100–.249 (start 100, limit 150). The static
# leases further down (.20, .88, .99) lie outside this range.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        # DHCP option 6 (DNS servers): Pi-hole first, Cloudflare second.
        # NOTE(review): clients are free to query either address; a client
        # that uses 1.1.1.1 bypasses Pi-hole filtering — confirm intended.
        list dhcp_option '6,192.168.1.20,1.1.1.1'

# Never serve DHCP on the upstream side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        # dnsmasq stays the main DHCPv4 server; odhcpd presumably handles
        # DHCPv6/RA only.
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Pools for the additional networks. The NoVPN/Kids/Guest/IOT interfaces are
# defined in /etc/config/network (not shown); the pbr 'NoVPN Network' policy
# routes 192.168.123.0/24 via WAN, presumably this network.
config dhcp 'NoVPN'
        option interface 'NoVPN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # DNS: 1.1.1.2 only (Cloudflare's malware-blocking resolver); no Pi-hole.
        list dhcp_option '6,1.1.1.2'

config dhcp 'Kids'
        option interface 'Kids'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # DNS: Pi-hole, then 1.1.1.3/1.0.0.3 (Cloudflare malware+adult filter).
        # Same caveat as 'lan': a client may skip the Pi-hole entirely.
        list dhcp_option '6,192.168.1.20,1.1.1.3,1.0.0.3'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        # Shorter leases for transient guests.
        option leasetime '3h'
        # NOTE(review): guests are handed the Pi-hole at 192.168.1.20, which
        # lives on the main LAN. The Guest zone's firewall (not shown) must
        # allow DNS to that host — and ideally nothing else on the LAN.
        list dhcp_option '6,192.168.1.20,1.1.1.2,1.0.0.2'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'
        # Same DNS set as 'Kids'. As with Guest, IOT devices need firewall
        # access to the Pi-hole on the LAN for this to work at all.
        list dhcp_option '6,192.168.1.20,1.1.1.3,1.0.0.3'

# Static DHCP leases (MACs redacted in the post). All three addresses are
# below the .100–.249 dynamic range of the 'lan' pool.
config host
        # The Plex host: 192.168.1.99 is the src_addr used by the pbr 'Plex'
        # and 'VPN' policies, so this lease must stay fixed for PBR to work.
        option name 'HTPC'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.99'

config host
        # Pi-hole: first DNS server handed to lan/Kids/Guest/IOT clients and
        # one of dnsmasq's own upstreams.
        option name 'pihole-dns'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.1.20'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        # The second VPN-only host in the pbr 'VPN' policy.
        option name 'Office'
        # Also publish this hostname in local DNS.
        option dns '1'
        option ip '192.168.1.88'

pbr

# Global pbr settings.
config pbr 'config'
        option verbosity '2'
        # Kill-switch behaviour: as I read pbr's docs, when a policy's target
        # interface (e.g. 'WG') is down, matching traffic is dropped rather
        # than falling back to WAN. Keep this on for the VPN-only hosts.
        option strict_enforcement '1'
        # No dnsmasq/resolver integration: hostnames in policies (e.g.
        # 'plex.tv') are presumably resolved once when rules are built, so a
        # DNS change needs a pbr restart to take effect — verify in README.
        option resolver_set 'none'
        # IPv6 is NOT policy-routed. If the WAN has IPv6 and the VPN-only
        # hosts obtain v6 addresses, their v6 traffic would bypass the tunnel.
        # Confirm v6 is disabled for those hosts, or enable this.
        option ipv6_enabled '0'
        # Interfaces pbr leaves alone (inbound VPN servers on the router).
        list ignored_interface 'vpnserver'
        list ignored_interface 'wgserver'
        option boot_timeout '30'
        option rule_create_option 'add'
        option procd_reload_delay '1'
        # Presumably hides the 'ignore' target in LuCI. The two 'ignore'
        # policies suggested earlier in this thread therefore cannot be
        # created from the web UI unless this is '1' (or use uci over SSH).
        option webui_show_ignore_target '0'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        option enabled '1'

# Optional pbr helper scripts for AWS / Netflix address ranges; both off.
config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

# Policies. As I understand pbr, they are evaluated top to bottom and the
# first match wins, so the per-host 'VPN' catch-all must stay LAST and the
# Plex exemptions must sit above it (they do here).
config policy
        # Replies from a local Plex (32400) / Emby (8096, 8920) server leave
        # the LAN host with one of these SOURCE ports. Routing them out WAN
        # means the port-forwarded inbound connection is answered from the
        # WAN IP instead of disappearing into the tunnel. Applies to all
        # LAN hosts. NOTE(review): drop 8096/8920 if there is no Emby server.
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'

config policy
        # Plex's servers by hostname. With resolver_set 'none' these are
        # presumably resolved only when rules are built. The earlier
        # suggestion in this thread uses target 'ignore' rather than 'wan';
        # either keeps this traffic out of the tunnel.
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com'

config policy
        # Whole NoVPN subnet goes straight out WAN.
        # NOTE(review): the prefix has a host bit set; the canonical form is
        # 192.168.123.0/24. Some tools reject non-canonical prefixes — check
        # `pbr status` shows this rule installed.
        option name 'NoVPN Network'
        option src_addr '192.168.123.1/24'
        option interface 'wan'

config policy
        # Narrower duplicate of 'Plex/Emby Local Server' for the Plex host
        # (HTPC, 192.168.1.99 per the static lease in /etc/config/dhcp).
        # Under first-match semantics it never matches — the policy above
        # already takes src_port 32400 from any host — so it is redundant
        # rather than harmful. On src vs dest: replies to inbound connections
        # carry 32400 as SOURCE port; 'dest_port 32400' would instead match
        # connections the PMS itself opens toward remote port 32400.
        option name 'Plex'
        option src_addr '192.168.1.99'
        option src_port '32400'
        option proto 'tcp udp'
        option interface 'wan'

config policy
        # Catch-all: everything else from the two VPN-only hosts goes via the
        # WireGuard interface 'WG'. Must remain after the exemptions above.
        option name 'VPN'
        option interface 'WG'
        option src_addr '192.168.1.99 192.168.1.88'

I may be wrong here, but I believe it needs to be set to 0 for Plex remote access to work. That is in addition to the two policies I posted earlier, which need to be at the top of the list.
