Solved YazFi Not Isolating Guest Network for Plex?

[abracadabra11]

I'll start with the Plex issue to provide some context.

I've been trying to troubleshoot an issue that I have with a Plex server that I'm running in a docker on a Synology NAS and I ran across what seems like strange behavior from my YazFi networks. The problem that I have with the Plex Server is that Android clients (Pixel and Chromebook) can't seem to access the server through the Plex Android app. Those Android clients have no issue reaching the server via web browser and local LAN address.

My network setup is as follows:
RT-AX3000 (main router)
RT-AC68U (AP)
3 Wireless networks (1 [Main], 2-Guests [YazFi], 3-IoT [YazFi] )

Synology NAS connects via ethernet to AP. Android clients connect to whatever router/AP is closest when on Main network and to the main router when on Guest or IoT networks (both managed by Yaz as noted above).

For some reason, enabling remote access in the Plex server menu allows Android clients to connect to the server locally. The server is not actually reachable outside my LAN (tested this), but the setting allows Android clients to reach the server. I'm not entirely sure what the setting does (and can't seem to find documentation on it).

The YazFi specific issue that I've found is that enabling remote access on the Plex Server allows Android clients to reach the server via the Plex app when connected to Guest or IoT networks. Guest network has 1-way to Guest enabled, 2-way to Guest disabled, and Client Isolation disabled; IoT network has 1-way to Guest disabled, 2-way to Guest disabled, and Client Isolation disabled. Attempting to connect via a web browser to the Plex Server is properly blocked when connected via Guest or IoT.

How are devices on Guest and IoT able to reach the server? Shouldn't YazFi be blocking this?

 

[Jack Yaz]

I'll start with the Plex issue to provide some context.

I've been trying to troubleshoot an issue that I have with a Plex server that I'm running in a docker on a Synology NAS and I ran across what seems like strange behavior from my YazFi networks. The problem that I have with the Plex Server is that Android clients (Pixel and Chromebook) can't seem to access the server through the Plex Android app. Those Android clients have no issue reaching the server via web browser and local LAN address.

My network setup is as follows:
RT-AX3000 (main router)
RT-AC68U (AP)
3 Wireless networks (1 [Main], 2-Guests [YazFi], 3-IoT [YazFi] )

Synology NAS connects via ethernet to AP. Android clients connect to whatever router/AP is closest when on Main network and to the main router when on Guest or IoT networks (both managed by Yaz as noted above).

For some reason, enabling remote access in the Plex server menu allows Android clients to connect to the server locally. The server is not actually reachable outside my LAN (tested this), but the setting allows Android clients to reach the server. I'm not entirely sure what the setting does (and can't seem to find documentation on it).

The YazFi specific issue that I've found is that enabling remote access on the Plex Server allows Android clients to reach the server via the Plex app when connected to Guest or IoT networks. Guest network has 1-way to Guest enabled, 2-way to Guest disabled, and Client Isolation disabled; IoT network has 1-way to Guest disabled, 2-way to Guest disabled, and Client Isolation disabled. Attempting to connect via a web browser to the Plex Server is properly blocked when connected via Guest or IoT.

How are devices on Guest and IoT able to reach the server? Shouldn't YazFi be blocking this?

what type of connection does the plex dashboard show when you stream from an android client? i suspect allowing remote access means the clients are coming in via the "public" IP via NAT (without leaving the network) so isn't seen as "direct" traffic

 

[abracadabra11]

what type of connection does the plex dashboard show when you stream from an android client? i suspect allowing remote access means the clients are coming in via the "public" IP via NAT (without leaving the network) so isn't seen as "direct" traffic

Indirect.

 

[abracadabra11]

I didn't quite understand @Jack Yaz's comment about indirect traffic and Plex. After some more reading on Plex's support pages, I now realize that Plex can use their servers as a relay as a workaround for remote access. This effectively changes the server access to an external IP to the network, which is why Plex traffic to the Android clients was working. The relay feature also reduces quality for those clients to 720p/2Mbps max.

 

[Jack Yaz]

I didn't quite understand @Jack Yaz's comment about indirect traffic and Plex. After some more reading on Plex's support pages, I now realize that Plex can use their servers as a relay as a workaround for remote access. This effectively changes the server access to an external IP to the network, which is why Plex traffic to the Android clients was working. The relay feature also reduces quality for those clients to 720p/2Mbps max.

sorry for not getting back to you! that's correct re. relaying - I believe that can be disabled somewhere if desired

 

[abracadabra11]

sorry for not getting back to you! that's correct re. relaying - I believe that can be disabled somewhere if desired

No worries - I wasn't expecting a response. I figured I needed to do some digging once you sent me down the right path.