I feel I am getting close to getting Plex working on my new Qubes desktop to replace my old Fedora machine but need some help with firewall rules, or maybe just a reality check.
I have Plexmediaserver in a standalone VM connected to sys-firewall.
Tailscale is installed in standalone and set up on same tailnet with home wifi router.
Plex app is installed on Android TV with IP of 192.168.4.225.
Tailscale subnet route 192.168.4.0/24 is set up and approved on tailnet, I can ping 192.168.4.225 from any device on my tailnet, including from the standalone VM.
My understanding is that all incoming traffic is blocked by default in sys-firewall, which would prevent Plex app on TV from initiating communication with Plexmediaserver in the standalone.
(intended traffic flow is TV > router > tailnet > standalone > Plexmediaserver, bi-directional)
It is also my understanding that these are the ports I should be concerned with:
32400 TCP Inbound Primary Plex Media Server communication port
1900 UDP Bidirectional DLNA/UPnP discovery
5353 UDP Bidirectional Multicast DNS (mDNS) for local network discovery
32410-32414 UDP Bidirectional Plex GDMP (GDM) communication for local network detection
Do I need to set up rules in sys-firewall or somewhere else?
Can you please help me with setting up the required rules? (My head is already spinning from getting the new Qubes machine up and running; reading about FW is a little too advanced for me right now.)
Am I out to lunch with my setup idea with respect to Plex?
This should work. I'm not sure why there is some Tailscale here; I guess the Qubes system and TV are not always on the same LAN.
The only issue you will have with Plex (once you sort the network problems) is that all the backend rendering will be CPU only, this will use a lot of CPU to generate pictures. You might also forget about using transcoding, not sure it will be able to keep up except if you throw it a loooot of CPU.
If the Plex player can handle the stream, there is no issue. Transcoding is useful if you want to provide a smaller sized / different codec stream to use less bandwidth on a mobile phone for instance or old device.
I brought Tailscale into the picture here when being on the same LAN as the TV did not work like it did (does) for my old Fedora box; maybe firewall rules will fix this and Tailscale will not be needed.
I have been using Plexmediaserver on my 20-year-old+ machine for a long time now, works just fine for streaming movies and tv-shows, can’t see why my latest new desktop won’t be able to handle it…
‘The redirection is temporary, if you reboot a qube in the network path or the qube itself, the redirection will stop working’
So the script is then a tool for either testing or just to make something work temporarily?
‘qubes firewall blocks all incoming traffic’
Not doubting you of course, but please explain why firewall rules are not in sys-firewall then, what (how) does it do as the network intermediary between the VM and sys-net?
‘you need to open the ports in the standalone’
Just to set me on the right path…
I would be entering qvm-firewall rules in dom0 for my ‘mediaserver’ standalone like this?
qvm-firewall mediaserver list
qvm-firewall mediaserver add accept 32400 tcp
qvm-firewall mediaserver add accept 32469 tcp
If all incoming is blocked by the VM by default, should I not see those rules when entering the above command, for example?
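Added example, not part of the thread: before writing firewall rules for the ports listed in the question, it helps to confirm inside the standalone which of them the server has actually bound, since a port bound only to loopback cannot be reached whatever the firewall allows, and a closed port needs no rule. The script parses `ss -H -tuln` output; the sample listing is constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: classify the ports from the question against `ss -H -tuln` output.
# Port list copied from the question, as "proto first last".
PLEX_PORTS='tcp 32400 32400
udp 1900 1900
udp 5353 5353
udp 32410 32414'

# Constructed sample of `ss -H -tuln` output (not captured from a real system).
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:32400 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:32410 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:32412 0.0.0.0:*
udp UNCONN 0 0 [::]:5353 [::]:*'

# classify_port PROTO PORT LISTING -> prints all | loopback | closed
classify_port() {
    local proto="$1" port="$2" listing="$3" result=closed
    local netid state recvq sendq laddr rest
    while read -r netid state recvq sendq laddr rest; do
        [ "$netid" = "$proto" ] || continue
        [ "${laddr##*:}" = "$port" ] || continue
        case "${laddr%:*}" in
            127.*|'[::1]')  # reachable only from inside the qube
                if [ "$result" = closed ]; then result=loopback; fi ;;
            *) result=all ;;  # wildcard or specific non-loopback address
        esac
    done <<EOF
$listing
EOF
    echo "$result"
}

# report LISTING -> one "proto/port status" line per port in PLEX_PORTS
report() {
    local listing="$1" proto first last port
    while read -r proto first last; do
        port=$first
        while [ "$port" -le "$last" ]; do
            echo "$proto/$port $(classify_port "$proto" "$port" "$listing")"
            port=$((port + 1))
        done
    done <<EOF
$PLEX_PORTS
EOF
}

# Offline demo on the sample; on the server run: report "$(ss -H -tuln)"
report "$SAMPLE_SS"
```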