Plex remote access not working with PBR

Hi all,

I recently updated to 23.05.02/3 from a much older snapshot build where I had Plex working with policy routing without issue (though I had the same issues initially too). However, despite everything I have tried, like restarting the Plex server/NAS, adjusting PBR rules and restarting the router... remote access will not work reliably.

From what I can tell PBR is working for everything but Plex from the settings below, such as if I change a device IP to be within the 100/27 range it will route traffic through the VPN. You will also notice that my NAS with Plex on it is within this range (10.1.1.100). However, the top rule for the port Plex uses should override that?
Just to add, in the previous setup, I had this in reverse where the default gateway was the VPN and anything with a certain CIDR (assigned by DHCP) would route to WAN.

I can see no issue with the firewall port forwarding either as if I check whether the external port for Plex I use is open it shows it is. I have also confirmed this by going to my WAN IP:(Plex port), which takes me directly to my server homepage.
I wonder if this means that the issue isn't with PBR but more with the Plex servers...?

Let me know if you need any more info other than the below or any ideas on this please :slight_smile:

LuCI PBR config

PBR config

config pbr 'config'
	option enabled '1'
	option verbosity '2'
	option strict_enforcement '0'
	option resolver_set 'dnsmasq.nftset'
	list resolver_instance '*'
	option ipv6_enabled '1'
	list ignored_interface 'vpnserver'
	option nft_file_support '0'
	option boot_timeout '30'
	option rule_create_option 'add'
	option procd_boot_delay '0'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	option nft_set_auto_merge '1'
	option nft_set_counter '1'
	option nft_set_flags_interval '1'
	option nft_set_flags_timeout '0'
	option nft_set_policy 'performance'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'

config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.wg_server_and_client'
	option enabled '0'

config policy
	option name 'Ignore Local Requests'
	option interface 'ignore'
	option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
	option enabled '0'

config policy
	option name 'Plex/Emby Local Server'
	option interface 'wan'
	option src_port '8096 8920 32400'
	option enabled '0'

config policy
	option name 'Plex/Emby Remote Servers'
	option interface 'wan'
	option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
	option enabled '0'

config policy
	option name 'Plex'
	option src_addr '10.1.1.100'
	option src_port '32400'
	option interface 'wan'

config policy
	option name 'Plex Remote'
	option dest_addr 'plex.tv plexapp.com'
	option interface 'wan'

config policy
	option name 'Transmission'
	option src_addr '10.1.1.100'
	option src_port '9091'
	option interface 'wan'

config policy
	option name 'QNAP Web'
	option src_addr '10.1.1.100'
	option src_port '8080'
	option proto 'tcp'
	option interface 'wan'

config policy
	option name 'VPN Devices'
	option src_addr '10.1.1.100/27'
	option interface 'vpn_wg'

config policy
	option name 'Local Subnet'
	option src_addr '10.1.1.0/26'
	option interface 'wan'
	option enabled '0'

config policy
	option name 'PS Remote'
	option src_addr '10.1.1.50'
	option interface 'wan'
	option enabled '0'

Firewall config

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_fw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'vpn_wg'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Plex'
	list proto 'tcp'
	option src 'wan'
	option src_dport '30500'
	option dest_ip '10.1.1.100'
	option dest_port '32400'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Transmission'
	option src 'wan'
	option src_dport '50511'
	option dest_ip '10.1.1.100'
	option dest_port '9091'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS Remote'
	option src 'wan'
	option src_dport '987'
	option dest_ip '10.1.1.50'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'PS Remote 2'
	option src 'wan'
	option src_dport '9295-9304'
	option dest_ip '10.1.1.50'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'QNAP Web'
	list proto 'tcp'
	option src 'wan'
	option src_dport '8080'
	option dest_ip '10.1.1.100'
	option dest_port '8080'

config forwarding
	option src 'lan'
	option dest 'vpn_fw'
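The question in the post is whether the `Plex` policy (source port 32400 from 10.1.1.100) takes precedence over the broader `VPN Devices` policy (10.1.1.100/27). The following is an added example, not code from the thread or from the pbr package: a small first-match simulator that parses `config policy` stanzas in UCI format and reports which interface a given flow would leave through. It assumes, as the poster does, that pbr evaluates enabled policies top to bottom and the first matching one wins, that a policy matches only when every field it sets matches, and that domain names in `dest_addr` are resolved by dnsmasq into an nft set; that resolution is modelled by the constructed `DOMAIN_IPS` map, since the real plex.tv addresses are not in the thread. The function and variable names are this example's own.

```python
"""Added example: first-match simulator for OpenWrt pbr 'config policy' stanzas.

Not code from the thread or from pbr itself. Assumes (unconfirmed here) that
enabled policies are evaluated top to bottom and the first match wins.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the enabled policies from the post, plus the disabled
# 'Local Subnet' one to show that enabled='0' is skipped.
PBR_CONFIG = """
config policy
	option name 'Plex'
	option src_addr '10.1.1.100'
	option src_port '32400'
	option interface 'wan'

config policy
	option name 'Plex Remote'
	option dest_addr 'plex.tv plexapp.com'
	option interface 'wan'

config policy
	option name 'Transmission'
	option src_addr '10.1.1.100'
	option src_port '9091'
	option interface 'wan'

config policy
	option name 'QNAP Web'
	option src_addr '10.1.1.100'
	option src_port '8080'
	option proto 'tcp'
	option interface 'wan'

config policy
	option name 'VPN Devices'
	option src_addr '10.1.1.100/27'
	option interface 'vpn_wg'

config policy
	option name 'Local Subnet'
	option src_addr '10.1.1.0/26'
	option interface 'wan'
	option enabled '0'
"""

# Constructed stand-in for what dnsmasq would put in the nft set for these
# domains (documentation addresses, not the real plex.tv ones).
DOMAIN_IPS = {"plex.tv": {"203.0.113.10"}, "plexapp.com": {"203.0.113.20"}}


@dataclass
class Policy:
    name: str
    interface: str
    enabled: bool = True
    proto: list = field(default_factory=lambda: ["all"])
    src_addr: list = field(default_factory=list)
    src_port: list = field(default_factory=list)
    dest_addr: list = field(default_factory=list)
    dest_port: list = field(default_factory=list)


OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")


def parse_policies(text):
    """Parse 'config policy' sections from UCI text into Policy objects, in file order."""
    raw, cur = [], None
    for line in text.splitlines():
        if line.strip().startswith("config "):
            cur = {} if line.strip() == "config policy" else None
            if cur is not None:
                raw.append(cur)
            continue
        m = OPTION_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return [Policy(name=d.get("name", "?"),
                   interface=d.get("interface", ""),
                   enabled=d.get("enabled", "1") == "1",
                   proto=d.get("proto", "all").split(),
                   src_addr=d.get("src_addr", "").split(),
                   src_port=d.get("src_port", "").split(),
                   dest_addr=d.get("dest_addr", "").split(),
                   dest_port=d.get("dest_port", "").split()) for d in raw]


def addr_matches(entries, ip):
    """True if ip is inside any host/CIDR entry, or among a domain entry's resolved IPs."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address or prefix: treat it as a domain name
            if ip in DOMAIN_IPS.get(entry, set()):
                return True
    return False


def port_matches(entries, port):
    """True if port falls inside any 'N' or 'N-M' entry."""
    for entry in entries:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def egress_interface(policies, src_ip, dst_ip, src_port, dst_port, proto="tcp"):
    """Return (policy name, interface) of the first enabled matching policy.
    With no match the flow follows the default route, which in this setup is WAN."""
    for p in policies:
        if not p.enabled or ("all" not in p.proto and proto not in p.proto):
            continue
        if p.src_addr and not addr_matches(p.src_addr, src_ip):
            continue
        if p.dest_addr and not addr_matches(p.dest_addr, dst_ip):
            continue
        if p.src_port and not port_matches(p.src_port, src_port):
            continue
        if p.dest_port and not port_matches(p.dest_port, dst_port):
            continue
        return p.name, p.interface
    return "default", "wan"


POLICIES = parse_policies(PBR_CONFIG)

if __name__ == "__main__":
    flows = [  # constructed flows: (description, src_ip, dst_ip, sport, dport, proto)
        ("reply to a remote Plex client", "10.1.1.100", "198.51.100.5", 32400, 50000, "tcp"),
        ("NAS contacting plex.tv", "10.1.1.100", "203.0.113.10", 45000, 443, "tcp"),
        ("torrent traffic from the NAS", "10.1.1.100", "198.51.100.7", 51413, 6881, "tcp"),
        ("Transmission RemoteGUI reply", "10.1.1.100", "198.51.100.5", 9091, 40000, "tcp"),
        ("device outside the /27", "10.1.1.50", "198.51.100.5", 40000, 443, "tcp"),
    ]
    for desc, *flow in flows:
        print(f"{desc:32s} -> {egress_interface(POLICIES, *flow)}")
```

Under the first-match assumption the Plex reply traffic (source port 32400) and the NAS's own connections to plex.tv both leave via `wan`, while torrent traffic from the same NAS falls through to `VPN Devices` and leaves via `vpn_wg`; the `Transmission` policy also sends port 9091 via `wan`, which is the point raised later in the thread. Whether pbr really applies first-match ordering, and how it handles the split between the `Plex` and `Plex Remote` policies, should be checked against the pbr README for the installed version rather than taken from this simulation.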

The old vpn-policy-routing config should still be present on your system, maybe post/compare it to the migrated pbr config?

Hey @stangri - quite right of course, it's on the other partition, which I keep as a backup for now.

I recreated the settings in PBR based on these settings but ended up reversing how it was done before, which seemed more efficient. Previously the default gateway was the VPN and policy routing would route anything assigned by DHCP to WAN.

Now the default gateway is the WAN interface (also seems to be an IPv6 interface too) and PBR will only route a specific subnet range to the VPN interface.

See below for the original config:

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipset_enabled '1'
	option strict_enforcement '1'
	option enabled '1'
	option udp_proto_enabled '1'

config policy
	option comment 'Plex Remote Servers'
	option gateway 'wan'
	option remote_address 'plex.tv my.plexapp.com'
	option interface 'wan'

config policy
	option comment 'Local Subnet'
	option gateway 'wan'
	option local_address '10.1.1.0/26'
	option interface 'wan'

config policy
	option interface 'wan'
	option comment 'Transmission'
	option local_address '10.1.1.100'
	option local_port '9091'

config policy
	option interface 'wan'
	option local_address '10.1.1.100'
	option local_port '32400'
	option comment 'PLEX'

config policy
	option interface 'wan'
	option comment 'QNAP'
	option local_address '10.1.1.100'
	option local_port '8080'

EDIT: For now it seems to work for about 24 hours until Plex starts picking up the wrong IP again. So it might be more an issue with Plex than the router and PBR.

Have you considered just excluding the 10.1.1.100 machine from the vpn_wg policy? Or moving it to 10.1.1.99 address? That way you won't need any pbr policies for it.

Ah, it's because the NAS (.100) is used for torrents, so I at least need that going through the VPN. From what I have looked into it's difficult to cover the range of ports so safer to include everything except for certain services/ports like Plex.

I've just noticed the Transmission policy also goes thru wan, that's why I asked.

I don't have a good answer for you then, I use similar settings in my setup and sometimes Remote Access is green and sometimes it's red.

If you find a more reliable solution, please make sure to post it here.

Ah fair point, that's just for the remote access port to it I believe, so I can connect to it remotely via RemoteGUI installed on other devices.

Somehow it has been working and stable since yesterday though, when I set the remote port on the policy to 30500. However, that resulted in Plex finding the correct IP but still saying it could not connect. When I undid this and went back to the local port it has since connected and stayed that way.

I expect if I restart the router or perhaps change a device IP to be within the VPN range it may break it again though :frowning:

Still appreciate the help and your knowledge on this though :slight_smile:

I've had a thought that maybe the issue is that the IP addresses for plex domains get purged from the nft set/ipset at some point after pbr restart and/or Plex is no longer accessing the resources by the domain name and uses hardcoded IP addresses instead.

If former, maybe switching to a pbr version supporting nft_file_mode and enabling it in settings will help a bit.

If you have an opportunity, I'd compare the content of nft set/ipset when the remote connections work and do not work to rule out that theory.

I've never had good luck getting a qualified reply on Plex forums, but maybe you can get some feedback there (especially if you're on a paid subscription).

If you can find out what fixes flaky remote connection reporting in Plex, please let me know so I can make the necessary adjustments in the config/README.
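The suggestion above is to snapshot the nft set that holds the resolved plex.tv addresses while remote access works and again while it does not, and compare them. The following is an added example, not code from the thread or from pbr: it parses the `elements = { ... }` block from `nft list set` text output, diffs two snapshots, and reports which of a list of addresses the application is known to use are not covered by the set. The two snapshots and the set name `EXAMPLE_pbr_dst_set` are constructed placeholders (the real pbr set names are not stated in the thread; `nft list sets` shows them on the router), and the addresses are documentation ranges, not real plex.tv addresses.

```python
"""Added example: diff two 'nft list set' snapshots and check address coverage.

Not code from the thread or from pbr. The snapshots below are constructed;
the set name is a placeholder, not a real pbr set name.
"""
import ipaddress
import re

# Constructed snapshot taken while remote access works: the set holds
# both plex.tv addresses plus an interval element.
WORKING = """table inet fw4 {
	set EXAMPLE_pbr_dst_set {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.10, 203.0.113.11,
			     198.51.100.0/24 }
	}
}
"""

# Constructed snapshot taken while remote access is broken: one address is
# gone and the remaining one carries a timeout (as nft prints it when the
# set uses timeouts).
BROKEN = """table inet fw4 {
	set EXAMPLE_pbr_dst_set {
		type ipv4_addr
		flags interval
		elements = { 203.0.113.11 timeout 1h expires 42m13s }
	}
}
"""

ELEMENTS_RE = re.compile(r"elements\s*=\s*\{(.*?)\}", re.S)


def parse_elements(snapshot):
    """Return the set elements (host, CIDR or a-b range strings), ignoring
    per-element attributes such as 'timeout' and 'expires'."""
    m = ELEMENTS_RE.search(snapshot)
    if not m:
        return set()
    return {e.split()[0] for e in m.group(1).split(",") if e.strip()}


def diff_sets(before, after):
    """Elements that disappeared, appeared, or stayed between two snapshots."""
    a, b = parse_elements(before), parse_elements(after)
    return {"missing": sorted(a - b), "added": sorted(b - a), "common": sorted(a & b)}


def element_range(element):
    """First and last address covered by one nft element."""
    if "-" in element:
        lo, hi = element.split("-", 1)
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    net = ipaddress.ip_network(element, strict=False)
    return net[0], net[-1]


def coverage(snapshot, expected_ips):
    """Addresses from expected_ips that no element of the set covers."""
    ranges = [element_range(e) for e in parse_elements(snapshot)]
    missing = []
    for ip in expected_ips:
        addr = ipaddress.ip_address(ip)
        covered = any(lo.version == addr.version and lo <= addr <= hi
                      for lo, hi in ranges)
        if not covered:
            missing.append(ip)
    return sorted(missing)


if __name__ == "__main__":
    # Constructed list of addresses the server was seen talking to (e.g. from
    # a connection table dump); not real plex.tv addresses.
    seen = ["203.0.113.10", "203.0.113.11", "198.51.100.77"]
    print("diff:", diff_sets(WORKING, BROKEN))
    print("not covered while working:", coverage(WORKING, seen))
    print("not covered while broken:", coverage(BROKEN, seen))
```

Saving the output of `nft list set` for the relevant set to two files and feeding them to `diff_sets` and `coverage` answers the question in the thread directly: if addresses drop out of the set when remote access turns red, the resolver-to-nft-set path is the suspect; if the set is unchanged, the application is likely reaching addresses that were never resolved by name.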

Yeh, good thinking, I can certainly check that if/when it breaks again. The old version I was running I think did use iptables, whereas the latest build/version I am on only seems to support nft.

For now, it's still working but I will see what happens in the next few days if I restart the router and get a comparison. Would a /etc/init.d/pbr status be enough? If not I may need to look up how to query nft sets :slight_smile:

I know what you mean about Plex forums too, my post on there got one reply from a moderator only to say that when he checked it was working at the time :confused:
