Streaming Live TV on Plex Media Server Issues with OPNsense Intrusion Detection Blocking Enabled

Enabling intrusion detection with blocking (IPS mode) on your LAN interface can cause issues!


On my home network, I host the Plex Media Server software on my server and make use of its Live TV and DVR capabilities. It actually works quite well. To make use of the TV/DVR capability you must have a Plex Pass (monthly, yearly, or lifetime) and a compatible cable box such as any of the HDHomeRun products.

Originally I placed my HDHomeRun Prime device on my IoT network to keep it separate from my server, which I think makes sense since it is essentially an IoT device that infrequently receives updates from the manufacturer. The HDHomeRun is able to phone home to check for firmware updates so the device is not strictly an offline device (unless steps are taken to intentionally block access), which means the risk of being hacked exists.

I run OPNsense with intrusion detection blocking enabled (IPS mode). I used this configuration for several months without noticing too many issues. The DVR functionality worked great. I tried watching live TV a few times and it seemed ok when I initially tried it. However, when my family tried to stream the Macy’s Thanksgiving Day Parade, the video streaming was horrid. It would constantly glitch and buffer every minute or so. Rebooting the server and the HDHomeRun seemed to help slightly. It simply was not an enjoyable experience. The most baffling part was that the DVR functionality works nearly flawlessly. I have only experienced a few glitches on rare occasions.

I tried adjusting settings on the Apple TV, the iPad, etc., and even tried using the native HDHomeRun app on my iPad, which seemed slightly smoother but was not perfect. Also, I tried mirroring the iPad on the Apple TV but that was even worse.

Fast forward to New Year’s Eve and watching the Dick Clark’s Rockin' New Year’s Eve coverage. No HD video streams would get past the initial buffering. I looked into things such as mDNS to try to propagate the video stream from my IoT network to my server network, but that never seemed to help. It is quite possible I did not have it configured properly, but later I realized it probably would not help at all because the streaming is done through Plex and not a direct connection to the HDHomeRun via multicast.

After a while of thinking and looking up various issues online, I decided to try to see if it was a firewall issue. With intrusion detection turned off, it seemed to work properly. At the same time I was also fiddling with settings on the Plex apps that seemed to help with the streaming (options like Direct Play and the Home Streaming quality settings). While that helped allow the video to play, I had to make a choice of moving the device to the same network as my servers or taking the time to figure out the rule or ruleset causing the trouble. Nothing in the intrusion detection alerts stood out as the problem.
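One way to narrow down which rule is dropping traffic between the tuner and the Plex server, as an added example that is not part of the original post: OPNsense's intrusion detection is Suricata, and when its EVE JSON log is enabled each alert records the action taken and the signature ID. The IP addresses, SIDs, and signature names below are constructed placeholders, not values from my network.

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines; addresses, SIDs and rule names are placeholders.
SAMPLE_EVE = """\
{"timestamp":"2020-01-01T00:00:01+0000","event_type":"alert","src_ip":"192.168.20.50","dest_ip":"192.168.10.5","alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE rule A"}}
{"timestamp":"2020-01-01T00:00:02+0000","event_type":"alert","src_ip":"192.168.10.5","dest_ip":"192.168.20.50","alert":{"action":"blocked","signature_id":9000001,"signature":"EXAMPLE rule A"}}
{"timestamp":"2020-01-01T00:00:03+0000","event_type":"alert","src_ip":"192.168.20.50","dest_ip":"192.168.10.5","alert":{"action":"allowed","signature_id":9000002,"signature":"EXAMPLE rule B"}}
{"timestamp":"2020-01-01T00:00:04+0000","event_type":"alert","src_ip":"192.168.20.50","dest_ip":"203.0.113.9","alert":{"action":"blocked","signature_id":9000003,"signature":"EXAMPLE rule C"}}
{"timestamp":"2020-01-01T00:00:05+0000","event_type":"flow","src_ip":"192.168.20.50","dest_ip":"192.168.10.5"}
{"timestamp":"2020-
{"timestamp":"2020-01-01T00:00:07+0000","event_type":"alert","src_ip":"192.168.20.50","dest_ip":"192.168.10.5","alert":{"action":"blocked","signature_id":9000004,"signature":"EXAMPLE rule D"}}
"""

def blocked_between(lines, host_a, host_b):
    """Count blocked alerts per (SID, signature) between two hosts, either direction."""
    pair = {host_a, host_b}
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated lines, e.g. a log read mid-write
        if event.get("event_type") != "alert":
            continue  # flow, dns, stats and other records are not rule hits
        if {event.get("src_ip"), event.get("dest_ip")} != pair:
            continue  # traffic involving any other host is out of scope
        alert = event.get("alert", {})
        if alert.get("action") != "blocked":
            continue  # "allowed" means the rule only alerted
        hits[(alert.get("signature_id"), alert.get("signature"))] += 1
    # Most frequent first: the top entries are the rules to review or set to alert-only.
    return hits.most_common()

if __name__ == "__main__":
    tuner, plex = "192.168.20.50", "192.168.10.5"  # placeholder addresses
    for (sid, name), count in blocked_between(SAMPLE_EVE.splitlines(), tuner, plex):
        print(f"{count:5d}  sid={sid}  {name}")
```

An empty result for the two hosts while streaming still stutters suggests the cause is inspection overhead rather than a specific rule dropping packets.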

Since I do not currently have the time to troubleshoot the issue (with the holidays and family events), I decided to move the device to the same network as my servers. Perhaps I will revisit it later, but I may just let it live happily next to my server running Plex. I could maybe add some firewall rules to further block access to the device, but I am happy to see that it is working well now even though we use the DVR functionality a lot more than the live TV functionality (we have Netflix and Hulu).

Update: After investigating this streaming video issue, I also wondered if the performance impact of the intrusion detection on the LAN was impacting network throughput, especially since I was noticing some issues in throughput while setting up NFS file shares on my network. The performance was about the same or worse than transferring files with SSH/SFTP. I had assumed via research that the bottleneck in transferring files with SFTP was due to the encryption overhead and other performance factors inherent in OpenSSH. However, once I tried transferring files via NFS file shares and had the same performance, I knew there was a problem. Eventually I tried switching the pattern matcher on the intrusion detection settings to Hyperscan. That made a huge difference. I do not even notice a performance impact on the network and it also seems to utilize less of the CPU on my router, which is nice. It is quite possible that I would no longer have any issues with my HDHomeRun box being on my IoT network with that change in the pattern matcher. I have not tested that theory yet. It is a little bit of a hassle to switch the network for the cable box because I have to set it back up in Plex.

I noticed after moving the HDHomeRun box to the server network that I no longer needed to make the tweaks I thought I needed to make on my Plex app. I was able to leave Direct Play enabled and leave the quality the maximum for home streaming, which is nice because I do not have to sacrifice quality or have my server transcode every video stream simply because live TV would not work without forcing a lower quality transcode.

The moral of the story: Be careful with enabling intrusion detection with blocking enabled (IPS mode) on your LAN interface. Although intrusion detection is often used on the WAN interface to protect your network from receiving malicious traffic, I still think it is worthwhile to alert or block traffic within your home network since it can help track down potential issues or threats within your network. It is one more layer of security to have in place to minimize the possibility of network intrusions.