https://jellyfin.org/docs/general/post-install/networking/ tells me “Additionally, in local networks, Jellyfin offers various Auto-Discovery services. These will not work outside your local subnet.”
Of course I don’t run Jellyfin in my main network; who in their right mind would do such a crazy thing? But of course I want auto-discovery, because typing in names/IPs sucks.
So this is what one needs to do on one’s firewall to make it work:
iptables -t mangle -A INPUT -s 10.0.2.0/24 -i family -d 255.255.255.255 -p udp --dport 7359 -j TEE --gateway 10.0.0.39 # copy received broadcast to the jellyfin network
iptables -A FORWARD -i jellyfin -o family -p udp --sport 7359 -j ACCEPT # allow the unicast response
Adjust interface names and broadcast IPs as needed. Thanks to https://odi.ch/weblog/posting.php?posting=731 for sharing, and to the commenters there for improving it.
Edit: My first version was like 7 policies, but things are simpler than I thought… down to two.
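Added example, not part of the original post and not Jellyfin's own code: a small Python probe to run from a client in the family VLAN that does what the Jellyfin apps do on the wire. It sends the discovery datagram ("who is JellyfinServer?") to the broadcast address on UDP 7359 and collects the unicast JSON replies (a dict with Address, Id and Name), which is exactly the exchange the TEE and FORWARD rules above have to relay. The protocol strings and reply fields are taken from Jellyfin's UDP discovery responder as I know it; fake_server() and the sample server info are constructed stand-ins so the exchange can be exercised over loopback without a real Jellyfin instance.

```python
"""Jellyfin auto-discovery probe (UDP 7359), for checking the TEE/FORWARD rules.

Added example, not code from the original post or from Jellyfin itself. It
sends the same datagram the Jellyfin clients send ("who is JellyfinServer?")
to the broadcast address and collects the unicast JSON replies ({"Address",
"Id", "Name", ...}). fake_server() is a constructed stand-in for the real
responder so the exchange can be exercised over loopback.
"""
import json
import socket
import threading
import time

DISCOVERY_PORT = 7359
DISCOVERY_REQUEST = b"who is JellyfinServer?"
REPLY_KEYS = ("Address", "Id", "Name")


def parse_reply(data: bytes):
    """Decode one reply datagram. Returns {"Address", "Id", "Name"} or None if
    it is not a well-formed discovery reply (anything else on the port is
    ignored rather than trusted)."""
    try:
        info = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(info, dict) or any(k not in info for k in REPLY_KEYS):
        return None
    return {k: info[k] for k in REPLY_KEYS}


def probe(target=("255.255.255.255", DISCOVERY_PORT), bind_addr="0.0.0.0",
          timeout=2.0):
    """Send one discovery request and gather replies until the deadline.

    bind_addr selects the client-side address (and so the VLAN) the request
    leaves from; the ephemeral source port it binds is where the server's
    unicast answer must arrive, which is what the FORWARD rule has to permit.
    Returns a list of (server_ip, info) tuples, deduplicated by server Id.
    """
    found, seen = [], set()
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.bind((bind_addr, 0))
        s.sendto(DISCOVERY_REQUEST, target)
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            s.settimeout(remaining)
            try:
                data, (ip, _port) = s.recvfrom(4096)
            except socket.timeout:
                break
            info = parse_reply(data)
            if info is not None and info["Id"] not in seen:
                seen.add(info["Id"])
                found.append((ip, info))
    return found


def fake_server(info, bind=("127.0.0.1", 0)):
    """Constructed stand-in for Jellyfin's responder (testing only): answers
    the first "who is ..." request with `info` as JSON, unicast back to the
    sender, then exits. Returns the (ip, port) it listens on and its thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    srv.settimeout(5.0)
    listen_addr = srv.getsockname()

    def serve():
        try:
            data, peer = srv.recvfrom(4096)
            if b"who is" in data.lower():  # the real server matches case-insensitively
                srv.sendto(json.dumps(info).encode("utf-8"), peer)
        except socket.timeout:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return listen_addr, t


if __name__ == "__main__":
    # Run this on a client in the family VLAN, not on the firewall itself.
    servers = probe()
    if not servers:
        print("no reply: the broadcast did not reach Jellyfin, or its answer was dropped")
    for ip, info in servers:
        print(f"{info['Name']} ({info['Id']}) at {info['Address']}, replied from {ip}")
```

If the probe gets no reply, look at the packet counters on the firewall (`iptables -t mangle -L INPUT -v -n` and `iptables -L FORWARD -v -n`): a hit on the TEE rule but none on the FORWARD rule means the copy reached the Jellyfin VLAN but the answer is being dropped. Note why the second rule is stateless: the cloned datagram is produced in the mangle INPUT chain and never traverses FORWARD, so conntrack has no entry for it and the server's reply arrives as a brand-new flow, not as RELATED/ESTABLISHED. Once discovery works the client connects to the URL in Address over HTTP, which your existing family-to-jellyfin rules still have to allow.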


Why do you have jellyfin behind an extra firewall?
A high level of segmentation is always beneficial for security. Jellyfin has had quite a few security issues in the past [0], so it’s not just a theoretical concern. Also, it has a bunch of open ports for those additional services you want to run. Watch-Wise does not even have authentication. Sure, I could set up another reverse proxy, but I prefer to run it via my main reverse proxy that owns 443/tcp on my WAN interface.
My family network is for family members’ client devices only (mobiles, tablets, laptops and PCs). It is client-isolated, at least in the WLAN part. TVs and the sound system are in another dedicated IoT LAN/WLAN (VLAN).
Also, I thought over-engineered stuff is part of the self-hosting fun :D
[0] https://github.com/jellyfin/jellyfin/security