New to pfsense, subnet issues, NAT reflection?

I am still too new to networking to properly state the issue I am having as I don’t know all the correct terminology, but I am having an issue where Tautulli (a Plex monitoring service based on Python) is not able to see my Plex server, which is running on the same box. I point it towards its own IP (192.168.35.5), or even localhost, and neither works. If I point it at my public IP, it works… this is very confusing to me. It used to work fine on my Google Wifi LAN prior to yesterday when I went pfSense.

Another issue that I believe to be related: I have Deluge (torrent client) set up in a VM on my “homelab” subnet, which is also where my Plex VM lives, call it the .35 network. The subnet my desktops and other devices live on is the .30 network. From the .30 network, the Deluge daemons are not visible to my Deluge client, as in the Deluge application I have running on my MacBook will not see the Deluge server as online when I attempt to connect to “192.168.35.10” while my MacBook is on the .30 subnet. If I spin up a VM inside the .35 network, everything works as expected, and everything worked 100% normally prior to pfSense when I had a flat network.

Any help would be appreciated, as I set up pfSense in an attempt to learn more about networking, become more fluent in the terminology, and just gain a better understanding of networking. Is this somehow related to UPnP not being turned on? Is there a form of UPnP that is just for internal subnets?

Current settings possibly affecting this:
NAT reflection turned on to Pure NAT
Enable NAT Reflection for 1:1 NAT
Enable automatic outbound NAT for Reflection
DNS Resolver is off, DNS Forwarder is on (I use a Pi-hole, which I have pfSense pointed to for DNS as primary; maybe there is a better way to set this up?).

Reading this: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html it looks like maybe I should attempt split DNS vs NAT reflection?

Turning on DNS Forwarder settings:

DHCP Registration
Static DHCP

did not help. Very confused why the Deluge daemon seems to not be able to traverse the subnets; my firewall rules are totally open between the two:

That said, I do wonder if I should turn off all IPv6 functionality now that I see there is traffic going as IPv6. All I know is I don’t know anything about IPv6, which may be compounding issues for myself.

My suggestion is, if you are new to this, start off with the basics first: just get pfSense working with your two LANs, ensure you can get internet access and your rules are working for cross-LAN comms as you need it. It ought to work almost out of the box on the default LAN. Just layer on the features that you need; you don’t need Pi-hole, use the Pi-hole list in pfBlocker. If you are not using IPv6, reject it.

So, if your Plex and Tautulli applications are running on the same host OS, that traffic doesn’t actually leave the network card of the machine. 127.0.0.1 is a loopback IP that can be used in place of localhost or its RFC1918 address. It wouldn’t make much sense to me that it would work when passing through from the public IP of your router, but you should probably make sure it’s not something obvious like a host OS firewall or an AV potentially (not sure what OS your host is running).

Looking very vaguely at some documentation, I see it looks like Tautulli tries to connect to port 32400, so I’d do a netstat and make sure that port is listening on your host.

Everything seems to be working besides this. I can SSH into things across the subnets, and I was able to get Plex working across the subnets (I believe NAT reflection helped this; I think Plex still technically thinks my Nvidia Shield’s subnet is not local, but pfSense just points it back inward, so I get full LAN speed, and thus can stream at full quality). All of my homelab VMs and ESXi host are working as expected and have comms to each other and out to the net; the only issues I am currently experiencing are the Tautulli/Plex issue and the Deluge daemon issue.

I did just set WAN to “none” for IPv6; I believe that would no longer assign me an IPv6 address and it would work as though it was only IPv4? And the pfBlocker idea is a good one, I will look into that. I assume pfBlocker is a plugin… Should be a good solution, thanks!

Oh, also, I do have Avahi running as well so mDNS works across subnets. Also seems to be working as expected.

They are on the same host, correct. Host being Ubuntu Server 18.04. I did try 127.0.0.1, that is what I incorrectly meant above when I said I used localhost. I suppose those are different things terminologically - one more new vocab word!

I did have to open 32400 to that VM’s IP as a WAN rule so I can stream plex outside my LAN which is working as anticipated. That tells me the port on the host is working, correct? Hmm, I did play with some tautulli things before this change, maybe it was actually borked by something else. I will investigate further.

Hmm, I am getting this error, but I am genuinely not sure what this means seeing as it all worked fine prior to pfSense. May be a Tautulli forum post…
Server found but unable to connect websocket.

Actually, if you crack open /etc/hosts you should see an entry for ‘localhost’ which translates directly to a loopback IP haha. So technically they are one and the same as far as your OS is concerned haha.

One thing you could do is try installing Tautulli on a different box to verify it isn’t something with your install!


Any idea on the Deluge issue I am seeing? I am not sure why I wouldn’t be able to hit the server from a different subnet.

Do you maybe have a drawing of your topology you can provide? Basically, assuming you’re using VLANs and your pfSense box is acting as the gateway for your networks, setting up basic inter-VLAN communication is pretty simple.

  1. Create VLAN on pfSense
  2. Create VLAN interface in pfSense - assign gateway IP to each VLAN interface
  3. Assign VLANs to a physical port on your pfSense box - I use an SG-1100 appliance that has an SoC, so this looks a bit different for me than if you had your own hardware
  4. Create a rule to allow any traffic out on the VLAN interface in the firewall
  5. Set up the switchport that is connected to the pfSense box as a trunk
  6. Set proper access port VLANs for the switchports connected to your hosts
  7. Make sure both hosts are set to not block ICMP echo requests and test using ping

It’s an incredibly simple layout thus far, but I don’t know what site/program folks use to create the fancy little topology drawings of networks.

That said, it’s an old PC with a quad-port Intel NIC. em0 is WAN, em1 is my “LAN” and em2 is my “homelab”. LAN is .30, homelab is .35.

I have rules in the firewall to allow any on both subnets.

I am not actually using VLANs; I just have my main network switch plugged into em1 so all things are on that subnet, and my ESXi host plugged into em2. Eventually I will get some managed switches and play around more, but I didn’t want to get too carried away too quickly. I believe the correct terminology is they are set up as individual interfaces.

I am not sure I understand what 5. and 6. are. Switchport? Access port?

I can ping across subnets, I can SSH across, SMB is working, and web UIs from the homelab are working in the LAN subnet (such as Tautulli, Pi-hole, etc).

Those are some terms you’ll run into when you eventually dive into the world of managed network switches; no need to worry about it right now since you’re just using your pfSense box with multiple interfaces.

Since you’ve established you have connectivity between your LANs and have a rule to allow all traffic from each of your LANs, I would check out your Deluge application’s host OS firewall and make sure it is allowing that communication inbound. It’s usually something simple when everything else seems to be working!

Hmm, ufw is inactive, and beyond that I am not sure what to check. What I don’t understand is I can get to it within its own subnet just fine, which is why I am thinking it’s an issue with pfSense/the network setup. But I am not sure what issue that could be. Hmm, maybe within the Deluge setup there is some flag to only allow connections from the same subnet; it runs in a Docker container, I will take a look at the yml… maybe that would shed some insight.

@SpookyJosh it was the container itself! Sweet.

There was an argument for LAN=; I just had to edit it from LAN=192.168.35.0/24 to LAN=192.168.35.0/24,192.168.30.0/24… simple fix, glad it wasn’t a networking issue.

Thanks for the help and pointers! Now to try and figure out what Plex and Tautulli are doing wrong…

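As an added illustration of why the container rejected clients from the .30 network, here is a small allow-list check that treats the LAN= value as a comma-separated list of CIDR ranges. This is example code written for this thread, not the Deluge image’s own logic; that the image matches the client source address against this list is an assumption.

```python
import ipaddress

# Constructed values mirroring the before/after settings quoted in the thread.
LAN_BEFORE = "192.168.35.0/24"
LAN_AFTER = "192.168.35.0/24,192.168.30.0/24"


def parse_lan_list(lan_value):
    """Parse a LAN= style value into a list of IPv4/IPv6 networks.

    Entries are comma-separated; whitespace and empty entries are ignored.
    strict=False lets a value such as 192.168.35.5/24 be accepted as the
    enclosing network instead of raising.
    """
    networks = []
    for part in lan_value.split(","):
        part = part.strip()
        if part:
            networks.append(ipaddress.ip_network(part, strict=False))
    return networks


def client_allowed(lan_value, client_ip):
    """Return True if client_ip falls inside any network in the allow-list.

    This is the assumed semantics of the LAN= variable: a connection whose
    source address is outside every listed range is refused, which is
    exactly what a .30 client saw while only the .35 range was listed.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_lan_list(lan_value))


def compare_settings(client_ip):
    """Show the outcome for one client under the old and new LAN= values."""
    return {
        "before": client_allowed(LAN_BEFORE, client_ip),
        "after": client_allowed(LAN_AFTER, client_ip),
    }


if __name__ == "__main__":
    # A VM inside the .35 network always worked; the MacBook on .30 did not
    # until the second range was added.
    for ip in ("192.168.35.20", "192.168.30.50"):
        print(ip, compare_settings(ip))
```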

Well, one thing you can do is check your pfSense logs. Under Status > System Logs you can check out things like the firewall logs to see if packets are being blocked there!

That’s awesome you got it resolved! It’s usually something simple, sometimes you just need to step away for a bit and come back with a clean slate.
