I am setting up an IoT VLAN (wired and wireless) for my IoT devices and am trying to mentally think through how this works. I enjoy networking, but I am not good at it yet, and these homelab-type projects are part of the learning.
My current setup is that I have a Plex server running in subnet 192.168.1.x, and I am setting up a secure VLAN with 192.168.2.x. Seemingly the VLAN is working: the Ubiquiti AP is set up, and when I use that wifi I can't ping from IoT to the secure LAN subnets, but I can get out to the WAN (theoretically pfSense is set up correctly!). I am running into a mental hurdle, though. My Plex box is a VM under ESXi, so I can add VLANs to it as additional interfaces if I need to, and I have not yet put all my IoT things on the new network, but the hurdle is this: would my Nvidia Shield TV, which will be on the IoT VLAN, be able to access content on the secure subnet? I assume not, so how do I go about this? I could add an interface in ESXi to my Plex VM and put it on both the secure subnet and the IoT subnet, but in my mind that defeats the purpose of this. Is there a way to only allow the port Plex needs?
I guess I am just not sure how to proceed in a "smart and secure" way. I am not actually overly concerned about IoT devices, but I enjoy a project and this is the one I am currently tackling, and the learning along the way is a large part of it, which is why I want to do this "correctly".
Thanks for the help!
PLEX and the IoT things should all be on the same network to work properly.
So I would need to add the Plex server to the same VLAN. Is that not a potential security hole I will be creating? Plex runs on Ubuntu Server, with SMB connections out to FreeNAS, which necessitates it also living on my "secure" FreeNAS subnet as well. I can add the Plex box to both subnets; I am just not sure how secure that is.
I do have avahi running on FreeNAS, and currently my Plex box is on a different subnet than my Nvidia Shield TV, which is what I stream with, and it works fine, but I also have wide-open firewall rules between those two subnets, unlike what the IoT subnet would have.
The more secure way would be for the Plex system to have multiple network interfaces and only bind the Plex services to the adapter connected to IoT and the shares to the other adapter.
This sounds like exactly what I’m after! At least now I have googlable terms to try and figure out how to actually do that as I currently have no idea.
Another option is to set Plex up under its own domain name. That way, when devices access it, they either access it locally (through local DNS resolution) or by going out and then coming back in via reflexive NAT.
Oh, I like this idea as well. Not sure how to execute on this idea though, do you happen to have any example documentation? Possibly a quick google search will help me.
I believe there is actually a setting to specify local subnets so Plex treats them as the local network. Settings > Network, then scroll down to "LAN Networks".
Well, I am not sure this is the fully correct secure solution, but I was able to get it all working by just allowing the specific Plex ports required + avahi. I have Plex on my secure subnet and the IoT devices that want to play Plex content on my IoT subnet. IoT has a block-all to "Private Networks" set in the firewall, then I explicitly allow only the Plex client device IPs and ports through, and it all seems to be happy.
I tried adding an additional NIC to my Plex server; Plex didn't love that, and I'm not entirely sure why. But this seems to work, and I would call it relatively secure since I am only allowing the Android TV clients to connect to my Plex server IP, and only on the specific ports Plex uses. If anyone has any feedback on how this is a false sense of security, that would be useful to understand. As originally stated, most of this is just for learning and fun, but I would like to understand as much as possible if anyone has feedback to provide.
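The rule set described in the post above, modelled as an added example that is not part of the original thread: a small Python model of the IoT-interface rule list evaluated the way pfSense evaluates it (top to bottom, first match wins, implicit default deny). The addresses, the Plex port (32400/tcp, Plex Media Server's main port), the mDNS rule and the test flows are assumptions, not values from the thread. It checks that the Shield can reach only the Plex port on the Plex server, that every other IoT host and every other private destination is blocked, and that putting the block-all rule above the allow rules silently breaks the Plex allow, which is the ordering mistake to watch for when building the rules by hand.

```python
"""Model of the IoT-interface rule set from the thread, evaluated first-match.

Added example; addresses, the Plex port and the mDNS rule are assumptions,
not values from the original post.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Assumed addressing: secure LAN 192.168.1.0/24, IoT VLAN 192.168.2.0/24.
IOT_VLAN = ip_network("192.168.2.0/24")
PLEX_SERVER = ip_network("192.168.1.10/32")   # assumed Plex VM address
FREENAS = ip_network("192.168.1.20/32")       # assumed FreeNAS address
SHIELD = ip_network("192.168.2.50/32")        # assumed Shield TV address
MDNS_GROUP = ip_network("224.0.0.251/32")     # mDNS multicast group
ANY = ip_network("0.0.0.0/0")
# pfSense's built-in "Private Networks" destination covers the RFC 1918 space.
PRIVATE_NETWORKS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
PLEX_PORT = 32400   # Plex Media Server's main TCP port
MDNS_PORT = 5353


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    proto: str                       # "tcp", "udp" or "any"
    src: Tuple[IPv4Network, ...]     # source must fall inside one of these
    dst: Tuple[IPv4Network, ...]     # destination must fall inside one of these
    dport: Optional[int]             # None matches any destination port
    label: str

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (
            self.proto in ("any", proto)
            and any(src in net for net in self.src)
            and any(dst in net for net in self.dst)
            and (self.dport is None or self.dport == dport)
        )


def evaluate(rules, proto, src, dst, dport):
    """Return (action, label) of the first rule that matches a flow.

    Interface rules are applied top to bottom and the first match wins;
    a flow that no rule matches is dropped by the implicit default deny.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, s, d, dport):
            return rule.action, rule.label
    return "block", "default deny"


# The order that works: specific allows above the block-all, WAN allow last.
IOT_RULES = (
    Rule("pass", "udp", (IOT_VLAN,), (MDNS_GROUP,), MDNS_PORT, "IoT to mDNS (avahi)"),
    Rule("pass", "tcp", (SHIELD,), (PLEX_SERVER,), PLEX_PORT, "Shield to Plex"),
    Rule("block", "any", (IOT_VLAN,), PRIVATE_NETWORKS, None, "block IoT to Private Networks"),
    Rule("pass", "any", (IOT_VLAN,), (ANY,), None, "IoT to WAN"),
)

# The same rules with the block-all moved to the top: the Plex allow is never reached.
BROKEN_ORDER = (IOT_RULES[2], IOT_RULES[0], IOT_RULES[1], IOT_RULES[3])

# Constructed flows to check the policy with (proto, src, dst, dport).
FLOWS = {
    "shield_to_plex":     ("tcp", "192.168.2.50", "192.168.1.10", PLEX_PORT),
    "shield_to_plex_ssh": ("tcp", "192.168.2.50", "192.168.1.10", 22),
    "shield_to_freenas":  ("tcp", "192.168.2.50", "192.168.1.20", 445),
    "other_iot_to_plex":  ("tcp", "192.168.2.77", "192.168.1.10", PLEX_PORT),
    "shield_to_internet": ("udp", "192.168.2.50", "8.8.8.8", 53),
    "shield_mdns":        ("udp", "192.168.2.50", "224.0.0.251", MDNS_PORT),
}


def check_policy(rules):
    """Evaluate every constructed flow against a rule list; returns {name: action}."""
    return {name: evaluate(rules, *flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:20s} -> {evaluate(IOT_RULES, *flow)}")
    print("misordered shield_to_plex ->", evaluate(BROKEN_ORDER, *FLOWS["shield_to_plex"]))
```

Two caveats the model makes visible. First, the policy is only as tight as the source match: allowing a whole IoT subnet instead of the Shield's address would let any compromised IoT device talk to the Plex port, so pin the client by static DHCP lease or address. Second, the model only decides whether packets reach 32400/tcp; it says nothing about what the Plex process does once reached, and a pass rule for 224.0.0.251 does not by itself carry mDNS discovery across VLANs, since that multicast is link-local scope and is not routed, which is what avahi's reflector mode exists for.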
I have Plex running on my Proxmox server. In Proxmox I have a network connection to a user on FreeNAS that only has access to my movie/TV folders. From there, the drive is piped into the Plex VM and just mounts as a local drive in the /mnt folder. So Plex thinks it is local, but it is actually on the file server; the Plex server has no idea. The Plex server's network is only connected to my IoT VLAN.
As far as I know, this is the only way to have the Plex server on the IoT network without routing through my firewall and exposing my file server to that network. I think my logic is sound, but maybe others can verify or disprove that.
I have it set up similarly, as far as the Ubuntu VM hosting Plex having data SMB-mounted to /mnt from a FreeNAS share.
But currently my Ubuntu VM is living within my secure homelab VLAN, as I am not sure how to do it any differently. If I want Ubuntu to be able to SMB-mount the FreeNAS share, it has to be able to access the homelab VLAN, so it would have to live on the same subnet or have ports opened up to allow traffic.
So I have it living in my homelab subnet, and have allow rules in my firewall to only allow my Nvidia Shield TV to communicate with my Ubuntu Plex VM, and only on the specific ports.
So, like you, I think this is a relatively secure approach. Theoretically something along the lines of putting Plex in its own namespace in Ubuntu (but I don't fully understand how this works...) and having that namespace be on the IoT subnet, with the VM itself being on the homelab subnet. That would let Plex see the FreeNAS data as a local folder in /mnt but put Plex on the IoT VLAN. I assume this would be more secure, but 1) I don't know how to do this and 2) I don't know enough to know if this is more secure or not.