https://jellyfin.org/docs/general/post-install/networking/ tells me “Additionally, in local networks, Jellyfin offers various Auto-Discovery services. These will not work outside your local subnet.”
Of course I don’t run Jellyfin in my main network; who in his right mind would do such a crazy thing? But of course I want Autodiscovery, because typing in names/IPs sucks.
So this is what one needs to do on his firewall to make it work:
iptables -t mangle -A INPUT -s 10.0.2.0/24 -i family -d 255.255.255.255 -p udp --dport 7359 -j TEE --gateway 10.0.0.39 # copy received broadcast to the jellyfin network
iptables -A FORWARD -i jellyfin -o family -p udp --sport 7359 -j ACCEPT # allow the unicast response
with adjusted interface names and broadcast IPs. Thanks to https://odi.ch/weblog/posting.php?posting=731 for sharing - and the commenters there for improving.
Edit: My first version was like 7 policies, but things are simpler than I thought… down to two.
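A way to check the two rules from a client on the `family` network, as an added example that is not part of the original post: it sends the discovery broadcast to UDP 7359 and lists who answered. The probe string and the JSON reply fields (`Address`, `Id`, `Name`) are assumed from Jellyfin's client-discovery description; the function names are made up for this sketch.

```python
import json, socket, sys, time

PORT = 7359                         # Jellyfin client-discovery port used in the rules above
PROBE = b"Who is JellyfinServer?"   # discovery request (assumed from the Jellyfin docs)

def parse_reply(data):
    """Return (name, address, server_id) from a discovery reply, else None."""
    try:
        msg = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("Address"), str):
        return None
    return msg.get("Name"), msg["Address"], msg.get("Id")

def discover(dest="255.255.255.255", port=PORT, timeout=2.0):
    """Broadcast one probe; return {source_ip: parsed_reply} seen before timeout."""
    found = {}
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(PROBE, (dest, port))
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                data, (src, _) = s.recvfrom(4096)
            except socket.timeout:
                break
            parsed = parse_reply(data)
            if parsed:
                found[src] = parsed
    return found

def unexpected_sources(found, expected_ip):
    """Replies that did not come from the server the TEE rule points at."""
    return {ip: r for ip, r in found.items() if ip != expected_ip}

if __name__ == "__main__":
    # Default is the --gateway address from the post; pass your own as argv[1].
    expected = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.39"
    servers = discover()
    for ip, (name, addr, sid) in servers.items():
        print(f"{ip}: {name} at {addr} (id {sid})")
    if not servers:
        print("no reply: check the TEE and FORWARD rules and their packet counters")
    if unexpected_sources(servers, expected):
        print("warning: replies from hosts other than", expected)
```

The FORWARD rule accepts any UDP packet with source port 7359 coming from the `jellyfin` interface, so a reply from an address other than the expected server is worth a look.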

