Make clients autodiscover Jellyfin over your router
from nibbler@discuss.tchncs.de to jellyfin@lemmy.ml on 05 Jun 15:00
https://discuss.tchncs.de/post/61626072

jellyfin.org/docs/general/…/networking/ tells me “Additionally, in local networks, Jellyfin offers various Auto-Discovery services. These will not work outside your local subnet.”

Of course I don’t run Jellyfin in my main network; who in his right mind would do such a crazy thing? But of course I want Autodiscovery, because typing in names/IPs sucks.

So this is what one needs to do on his firewall to make it work:

iptables -t mangle -A INPUT -s 10.0.2.0/24 -i family -d 255.255.255.255 -p udp --dport 7359 -j TEE --gateway 10.0.0.39 # copy received broadcast to the jellyfin network
iptables -A FORWARD -i jellyfin -o family -p udp --sport 7359 -j ACCEPT # allow the unicast response

with adjusted interface names and broadcast IPs. Thanks to odi.ch/weblog/posting.php?posting=731 for sharing - and the commenters there for improving.

Edit: My first version was like 7 policies, but things are simpler than I thought… down to two.

#jellyfin
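Added example, not part of the original post: a small Python probe to run from a client in the family network to check that the two rules above let discovery through, and that only the intended server answers. It assumes the discovery request text "Who is JellyfinServer?" and the JSON reply fields (Address, Id, Name) described in Jellyfin's networking documentation; the function names are illustrative, and 10.0.0.39 (the --gateway value in the post) is assumed to be the Jellyfin host.

```python
import json
import socket
import time

DISCOVERY_PORT = 7359              # UDP port used in the post's rules
PROBE = b"Who is JellyfinServer?"  # request text per Jellyfin's docs (assumption)


def parse_reply(data):
    """Return the reply's JSON object, or None if it is not a discovery reply."""
    try:
        info = json.loads(data.decode("utf-8"))
    except ValueError:  # covers invalid UTF-8 and invalid JSON
        return None
    if not isinstance(info, dict) or "Address" not in info or "Id" not in info:
        return None
    return info


def discover(target="255.255.255.255", port=DISCOVERY_PORT, timeout=2.0):
    """Send one broadcast probe and collect (source_ip, reply) pairs."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.sendto(PROBE, (target, port))
        deadline = time.monotonic() + timeout
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                data, (src_ip, _src_port) = sock.recvfrom(4096)
            except socket.timeout:
                break
            info = parse_reply(data)
            if info is not None:
                found.append((src_ip, info))
    return found


def unexpected_responders(found, expected_ip):
    """Source addresses that answered but are not the intended server."""
    return [src for src, _ in found if src != expected_ip]


if __name__ == "__main__":
    EXPECTED = "10.0.0.39"  # assumed Jellyfin host; adjust to your network
    servers = discover()
    for src, info in servers:
        print(src, info.get("Name"), info.get("Address"))
    print("unexpected responders:", unexpected_responders(servers, EXPECTED))
```

An empty result when run from the family network means either the broadcast copy or the unicast reply is not getting through the firewall.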


frongt@lemmy.zip on 05 Jun 15:39

Why do you have jellyfin behind an extra firewall?

nibbler@discuss.tchncs.de on 05 Jun 20:56

A high level of segmentation is always beneficial for security. Jellyfin has had quite some security issues in the past [0], so it’s not just a theoretical concern. Also it has a bunch of open ports for those additional services you want to run. Watch-Wise does not even have authentication. Sure, I could set up another reverse proxy, but I prefer to run it via my main reverse proxy that owns 443/tcp on my WAN interface.

My family network is for family-member client devices only (mobiles, tablets, laptops and PC). It is client-isolated at least in the WLAN part. TVs and sound system are in another dedicated iot lan/wlan (vlan).

Also I thought over-engineered stuff is part of the self-hosting fun :D

[0] github.com/jellyfin/jellyfin/security

eodur@piefed.social on 06 Jun 11:51

That would be so helpful. I’ll have to try adapting this to my network.