
PFSense - Plex

Plex Settings

In Plex:

Navigate to Settings → Server Settings → Remote Access.

Get the port number used by Plex for remote access.

This is at the Manually specify public port option. Default is port 32400.


NAT Settings

In pfSense:

Navigate to Firewall → NAT → Port Forward.

  • Add a new rule and fill it out as follows:
    • Interface is WAN, which if you run no VPN may be your only interface.
    • Protocol is TCP. If Plex starts using UDP then change this to TCP/UDP.
    • Destination is WAN address.
    • Destination Port Range is “Other 32400 Other 32400”.
    • Redirect target IP is our static Plex Server IP, and our redirect port number is again 32400.
    • Description is “Plex”.

In effect, the rule says: when a request for port 32400 arrives on the WAN address from any source IP or port, redirect it to 192.168.1.5:32400.

NOTE: This Port Forward rule should automatically be added to the Firewall WAN Rules.

It may be prudent to verify that this rule does exist under Firewall → Rules → WAN, and if not, to configure such a rule manually.

How is this different from the NAT rule? The NAT rule tells the firewall how to map an external port to an internal one, so that our machine is reachable from the internet.

By default, however, pfSense blocks any inbound traffic to the internal network that was not requested from inside, for example as the reply to a request for a webpage via HTTPS. The WAN firewall rule tells the firewall to allow through the specific traffic that NAT has already redirected. Both rules must work in tandem to open this port successfully.


Troubleshooting

Reboot Plex

This may fix the “Remote Access” showing with a RED icon instead of with a GREEN icon.


Update DNS Resolver

pfSense includes built-in protection against DNS rebinding attacks.

This protection can prevent clients from connecting securely to a Plex Media Server on the local network.

To remediate this:

  • In pfSense:
  • Navigate to Services → DNS Resolver → General Settings.
  • Add the following to the Custom Options box on a new line.
    server:
        private-domain: "plex.direct"
  • Ensure that other entries in this box are on separate lines.
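
A simplified model of the resolver behaviour described above, as an added example (not from the original page, and not pfSense or Unbound code): it shows why a plex.direct name that points at the LAN address comes back empty until private-domain exempts it, and that the exemption covers only that domain. The hostnames and server ID are constructed sample values, and the list of private ranges is an assumption of this model.

```python
import ipaddress

# Ranges this model treats as "private" (assumption: RFC 1918, loopback, link-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_private(addr):
    """True if addr falls inside one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def in_domain(qname, domain):
    """True if qname is domain itself or a subdomain, compared label by label."""
    q = qname.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(q) >= len(d) and q[-len(d):] == d


def filter_answer(qname, addrs, private_domains=()):
    """Return the A records a client receives after rebinding protection.

    Private addresses are stripped from answers for public names unless the
    queried name sits under a domain listed in private_domains.
    """
    if any(in_domain(qname, d) for d in private_domains):
        return list(addrs)
    return [a for a in addrs if not is_private(a)]


# Constructed sample names: a Plex-style hostname and an unrelated public name.
PLEX_NAME = "192-168-1-5.0123456789abcdef.plex.direct"
OTHER_NAME = "rebind.example.net"

if __name__ == "__main__":
    cases = [
        ("protection on, no exemption", PLEX_NAME, ()),
        ("private-domain: plex.direct", PLEX_NAME, ("plex.direct",)),
        ("other name, same exemption", OTHER_NAME, ("plex.direct",)),
    ]
    for label, name, exempt in cases:
        print(f"{label:30} {name:45} -> {filter_answer(name, ['192.168.1.5'], exempt)}")
```
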

TODO: This image is wrong. There should only be a single server: word, right at the top. Remove the other one.

NOTE: An alternative method is to have the following entries within the Resolver Custom option:

server:
    local-zone: "plex.direct" redirect
    local-data: "plex.direct 3600 IN A "

NOTE: An alternative method to overcome the DNS protection is to navigate to System → Advanced → Firewall and NAT.

In Network Address Translation:

  • NAT Reflection mode for port forwards: NAT + proxy.

While this works for remote connections, it is not everything needed to get local secure connections working, so this is not the recommended approach to take.

WARNING: When working around DNS rebinding protection this way, your apps and Plex Media Server will typically treat the connections as being from a Remote source.

This can affect which streaming qualities are used, as well as trigger Remote-applicable Server Settings - Bandwidth and Transcoding Limits.


See Bypass pfBlockerNG for specific clients


Use NAT reflection

In pfSense:

Navigate to Firewall → NAT → Port Forward.

Against the same rule created above (the rule named “Plex”):

  • Change NAT reflection from “Use System Default” to “Enable (NAT + Proxy)”.
  • Apply changes and see if this makes a difference.

Have Plex use Direct Mode

For Plex to connect directly rather than in Indirect mode (which limits playback quality to something like a 2 Mbit stream):

In Plex:

Navigate to System → Advanced.

Disable DNS Rebind Checks, but first try without this change to see whether it is needed.



pfsense/plex.txt · Last modified: 2020/12/07 09:30 by peter
