Only allow two IPs to access Minecraft Server
-
Do I have this set up right on NAT?

-
@FrankZappa yeah looks right to me.. But you say it works if you just use 32400..
Or you can not get anything to work direct?
Take pfsense out of the equation by validating that pfsense sends the data on..
Sniff on your wan - validate you see traffic to your 32495 port.. Then sniff on your lan and do the same test, do you see pfsense send the syn on to port 32400 for 192.168.1.20
You can do it at same time with say tcpdump and 2 sessions to pfsense via ssh..
one listens on your wan interface, lets say igb0
tcpdump -i igb0 -n port 32495
and on your lan where plex sits say igb1
tcpdump -i igb1 -n port 32400
Now go to can you see me -- what do you get??
if you see it hit your wan on 32495, but send nothing out to 32400 then you got something wrong in pfsense.
If you don't see anything hit your wan on 32495 - something wrong upstream
If you see it send on to 32400 but you get no answer - then you have some issue downstream of pfsense.
-
@johnpoz johnpoz.. been at this for a couple days trying to dial it in to no avail. I did what you recommended above with packet captures. Here's what I have:
WAN test with PLEX Remote and Can you see me.
10:53:14.496547 IP 44.207.218.81.40689 > 68.MyWAN.32495: tcp 0
10:53:15.562202 IP 44.207.218.81.40689 > 68.MyWAN.32495: tcp 0
10:53:16.602176 IP 44.207.218.81.40689 > 68.MyWAN.32495: tcp 0
10:53:17.632175 IP 44.207.218.81.40689 > 68.MyWAN.32495: tcp 0
10:53:18.682236 IP 44.207.218.81.40689 > 68.MyWAN.32495: tcp 0
10:56:25.681142 IP 52.202.215.126.41151 > 68.MyWAN.32495: tcp 0
10:56:26.680782 IP 52.202.215.126.41151 > 68.MyWAN.32495: tcp 0
10:56:28.684811 IP 52.202.215.126.41151 > 68.MyWAN.32495: tcp 0
LAN Test with Plex Remote and Can You See Me
11:02:54.581188 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0
11:02:55.591987 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0
11:02:56.632087 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0
11:02:57.672008 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0
11:02:58.711944 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0
11:14:53.717656 IP 52.202.215.126.52624 > 192.168.1.20.32400: tcp 0
11:14:54.716369 IP 52.202.215.126.52624 > 192.168.1.20.32400: tcp 0
11:14:56.720307 IP 52.202.215.126.52624 > 192.168.1.20.32400: tcp 0
Not sure why I still get the "Not available outside your network" error on Plex. I even temporarily disabled pfBlocker. That didn't fix it either. Thoughts?
-
@FrankZappa you can see that pfsense does send on your traffic to 192.168.1.20 on port 32400.. But you get no answer. So no its never going to work, but pfsense is doing what it was told to do.. Pfsense can do nothing if your plex is not answering.
There is a firewall on your plex host blocking plex from seeing the traffic?, plex is sending the traffic in answer somewhere else? Or plex is not even running.
Or there is some other something on your lan side network that prevents plex from seeing the traffic - but clearly pfsense sent it on. You might want to verify that pfsense is sending it to the right IP, maybe your plex is no longer on 192.168.1.20? Or maybe the mac address plex has for 192.168.1.20 is not the right mac.
But from that sniff, clearly pfsense sent the traffic on to 192.168.1.20
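Added example, not part of any post in this thread: the three-way reading of the WAN and LAN captures described above, applied to tcpdump lines in the format posted. The client and WAN addresses are constructed documentation addresses; 192.168.1.20 and ports 32495/32400 are the values from the thread.

```python
import re

# Quiet tcpdump line format as posted in the thread, e.g.
# "11:02:54.581188 IP 44.207.218.81.53948 > 192.168.1.20.32400: tcp 0"
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp")

def flows(capture):
    """Parse capture text into (src_ip, src_port, dst_ip, dst_port) tuples."""
    out = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return out

def diagnose(wan_capture, lan_capture, wan_port=32495,
             lan_ip="192.168.1.20", lan_port=32400):
    """Locate the fault: 'upstream', 'pfsense', 'downstream' or 'ok'."""
    wan, lan = flows(wan_capture), flows(lan_capture)
    # Did anything arrive on the WAN side for the forwarded port?
    if not any(dport == wan_port for _, _, _, dport in wan):
        return "upstream"      # nothing reached the firewall at all
    # Did the firewall send it on to the internal host and port?
    if not any(d == lan_ip and p == lan_port for _, _, d, p in lan):
        return "pfsense"       # arrived, but the port forward did not fire
    # Did the internal host ever send anything back from that port?
    if not any(s == lan_ip and p == lan_port for s, p, _, _ in lan):
        return "downstream"    # forwarded, but the host never answered
    return "ok"

# Constructed sample captures (client 203.0.113.7, WAN 198.51.100.10).
WAN_SAMPLE = """\
10:53:14.496547 IP 203.0.113.7.40689 > 198.51.100.10.32495: tcp 0
10:53:15.562202 IP 203.0.113.7.40689 > 198.51.100.10.32495: tcp 0
"""
LAN_SAMPLE = """\
11:02:54.581188 IP 203.0.113.7.53948 > 192.168.1.20.32400: tcp 0
11:02:55.591987 IP 203.0.113.7.53948 > 192.168.1.20.32400: tcp 0
"""
# Constructed reply line, as it would look if the host answered.
LAN_REPLY = "11:02:54.582000 IP 192.168.1.20.32400 > 203.0.113.7.53948: tcp 0\n"

if __name__ == "__main__":
    print(diagnose(WAN_SAMPLE, LAN_SAMPLE))
```

Repeated packets from the same source port about a second apart with nothing coming back, as in the sample, are connection attempts being retried, which is why the verdict points past the firewall.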
-
@johnpoz I have my Plex Server running on a QNAP NAS (Same LAN IP). Not sure if that makes a difference.
-
@FrankZappa well most nases have a firewall - I would check there.. But no its never going to work if your plex doesn't send an answer back to pfsense.
-
@johnpoz That was it!!!!! I turned off the firewall on my QNAP and now Plex Remote Access works! I'll be damned. I wasn't double NAT'd, but I sure as hell was double firewalled. Now I have to figure out how to allow traffic through the NAS firewall to my Plex server. The QNAP firewall rules are even harder to figure out than pfSense firewall rules.
-
@FrankZappa I personally don't see any reason to run firewall on your nas, you're behind pfsense.. So unless you have some reason to firewall stuff that is on the same network as your nas from talking to your nas what purpose does it have?
You can prevent anything on your other local networks from talking to the nas via firewall rules on pfsense.
As to stuff from the internet talking to your nas, say like plex that is running on it - they wouldn't be able to do that unless you specifically allow and set it up on pfsense. So what does your nas firewall bring to the table? Other than something else to configure..
example - none of my other networks can talk to the nas unless I allow it, I have a vlan that all my rokus sit for example, the only thing they can talk to my nas for is plex on port 32400. Since it sits on a different network.
What would be the point of setting that up in pfsense to allow only that, and then have to allow that as well on the nas firewall?
-
@johnpoz Agreed. In fact, I was wondering the same thing i.e. why do I need a NAS firewall if pfSense is doing all the heavy lifting? I'm pretty sure I already have my pfSense network set up the way you mentioned. I have a regular LAN (main Network), IOT LAN, and a Guest LAN. The IOT LAN and Guest LAN can NOT talk to the regular LAN. However, I have it set up so my regular LAN CAN talk to IOT LAN and the Guest LAN, in case I need to configure from my PC. Anyway, many thanks again. It was your idea to check my NAS firewall, which I never even thought about.
-
@FrankZappa glad you finally got it sorted.. packet capture can be your best tool.. So you can for sure see what is happening, or not happening.