Unable to forward Plex for direct connection

Hello Eric Gosselin,

Thank you for reaching out to the community, could you please share the configuration of the DNAT which you created with the DNAT Server assistant. Also ensure the plex services is running on the internal server and is accessible locally. 

Hi Vivek, 

thank for the answer.  The configuration I created is pretty straight forward.  I specified the following ;

-Internal Plex server at address 172.16.2.2,

-The wan address : 137.175.20.20

-the service used for the rules : TCP SOURCE : 55000 TCP DEST : 32400  UDP SOURCE : 55000  TCP DEST : 32400

From there, the DNAT assistant created the firewall rule and the DNAT, REFLEXIVE NAT and LOOPBACK.

Do I need to specify a service in the DNAT or I must put 'Any' ?

I wonder if the service I created for Plex is correct.  I did choose port 55000 in TCP/UDP to port 32400.

Hey Eric Gosselin,

Do not put service as "ANY" it is not recommended, it will be open and vulnerable. Specify the services.

Could you share a screen shot for the service object when you create one...  

Stumbled upon this whle searching for something else but quick comment. I wanted to ask if you are confident that the source port is 55000? It's much more common to have the source port be 1-65535 and destination port be 32400 in your case.

Hi!

Can you send a screenshot of the Service, NAT and Firewall Rules?
On the Plex Service you created over the Firewall you need to leave the source port as 1:65535, or else the policy won't work since It's expecting the client to reach the Firewall while using the source port (itself) on 55000.

Meanwhile the Destination port is 32400, which is the default for Plex (Plex uses only TCP/32400 for remote access.). It should look like this: 

If you need assistance, I can send two example screenshots of a Firewall & NAT Policy which will work as expected with Plex.

Thanks!

Hi Vivek, i remove ''Any'' from the service and replace it by 1:65335 for the source port and 32400 for the destination.  Maybe it's I don't understand it well, but can you explain me the difference between the ''Any'' and 1:65535 ?  I mean, if I specify 1:65535, does the firewall will forward any source port to the 32400 ? 

Hi Vivek, i remove ''Any'' from the service and replace it by 1:65335 for the source port and 32400 for the destination.  Maybe it's I don't understand it well, but can you explain me the difference between the ''Any'' and 1:65535 ?  I mean, if I specify 1:65535, does the firewall will forward any source port to the 32400 ? 

Hey Eric Gosselin, 

ANY = 1:65535 

As in the world there are only 65,535 ports available. So by ANY it means any port falling in the range of 1:65535. 

So For example if you are browsing to google.com, then you know that the google.com uses https Port i.e. 443. 

So, the service object for 443 i.e. HTTPS traffic would be as follows: 

Source range of Ports will be 1:65535. and destination Port will be just 443. 

In your case it is plex so source range of ports will be 1:65535 and destination will be 32400. 

Thank, so it's not a security issue to put 1:65535 on the source port and put 32400 for the destination ?  Sorry, I relatively newbie to the rules in Sophos :) 

Nope source could be any, as for any machine originating the traffic would pick up a random port, so yes you are safe and it is not a security issue...

But when it comes to a destination port, "ANY" is not recommended. Better mention an explicit service only or it could be a range of ports depending upon the destination server's requirement. 

Thank you so much for the explanation, now I will have much more ease to create my rules in my XG :)

You're welcome Eric Gosselin