Netgate Discussion Forum

[How to] pfSense with NordVPN + Plex + Xbox + uPNP

OpenVPN
open nat vpn xbox plex upnp
    Chris78
    last edited by Chris78 Mar 13, 2019, 1:44 PM Mar 13, 2019, 1:27 PM

    For the last two weeks I've been figuring out how to get pfSense up and running with NordVPN while keeping Remote Access on my Plex Media Server and an open NAT connection to my Xbox One X working. I wanted to keep using uPNP to keep administration to a minimum. After spending a lot of time searching the internet and reading many guides and posts, I managed to get it all working. Just wanted to share it with anybody who is interested.

    This 'How to' is based on a clean install of pfSense. Your mileage may vary if you implement it in combination with other configuration.

    NordVPN

    NordVPN already has an excellent guide on how to configure their service on pfSense. The only problem is that they assume that you want to route all traffic through the VPN. However, uPNP (or port forwarding if you want to do it manually) will not work through their VPN service. So we have to make one tiny adjustment to their guide.

    login-to-view

    The rest of the guide is spot on, just remember to move your new NordVPN NAT rule (Firewall - NAT - Outbound) way down as displayed in the guide (new NAT rules will be placed on top of existing NAT rules but NAT rules are applied top to bottom so the order is important). I have added a picture of how my NAT rules look later on in this How to, under section 'NAT rules'.

    Static DHCP lease / manual IP address

    We don't like to change our uPNP rules all the time when the IP address of the Xbox or the Plex Media Server changes. Therefore, we need a static DHCP address, or to manually configure the IP address, for the devices we want to use in combination with uPNP. Below is where you can find the DHCP Leases and the button to change a lease to static. My Xbox already has a static lease (wired and wireless).

    login-to-view

    uPNP

    As mentioned before, I like uPNP for administrative reasons. I know people are against it because of security but that is another topic. I have set my uPNP as shown in the picture below. Make sure you select your WAN and LAN interface correctly. I also found guides that mention that the IP address should be in the format of 192.168.1.21/32 but that didn't work for me. It is possible to not select the Default Deny option but then the uPNP list will fill up with devices that try to use uPNP but are blocked by the firewall rule created later on.

    login-to-view

    Aliases

    I like to keep things clean and tidy. I don't like to make the same rule for the same kind of device, so I made some aliases for my devices. For example, if you have multiple Plex Media Servers, just add the new host to the alias and the same rules will apply to that server.

    login-to-view

    The aliases will fill the corresponding table with the correct IP addresses. Below is an example for Plex_Sites.

    login-to-view

    NAT rules

    The Xbox does not like dynamic NAT ports so it is important to change that to static. I did the same for my Plex Media Server but that is optional. I used the aliases as a source. These rules will not open specific ports; they just make the ports created by uPNP static.

    login-to-view

    The result should look like this. Notice the rules for Plex_Group and Xbox_Group are on the top while the NordVPN rule is almost (!) at the bottom. Don't place the NordVPN rule under your 'Auto created rule - LAN to WAN' as all your traffic will try to default NAT out your WAN interface instead of the NordVPN interface.

    login-to-view

    Firewall

    So the NAT rules are in place, but for the traffic to be allowed out the correct interface, we have to add two more firewall rules. Notice that the rules are located above the 'Default allow LAN to any rule'.

    login-to-view

    The two pictures below show the firewall rule for Plex in more detail. Notice the aliases used in source and destination. Make sure to click Display Advanced to change the Gateway.

    login-to-view

    login-to-view

    This should do the trick. Your Plex server doesn't need a manual port now and will still be accessible from outside. Also your Xbox will have an open NAT.

    Cheers!

    Chris

      comet424
      last edited by Mar 20, 2019, 2:20 AM

      how well is the XBOX working for you? i just searched for my older post for XBOX and just found yours

      the way i did it to get xbox one to get OPEN on the WAN to bypass NordVPN
      i did it ... and i just skimmed over yours so i'm sure i have similar... as i spent hours, days, weeks trying to get it to work.. and soooo many reboots.. and mac address clear on xbox etc

      login-to-view login-to-view login-to-view

        comet424
        last edited by Mar 21, 2019, 11:24 AM

        i had figured this out last year, took me a hell of a time... to get it right as nordvpn couldn't help me... you choose the Deny button, that's the only thing i never did, it will work too without it...

        but i have a question for your Plex: what are the Plex Sites and why did you need to pass it ... is that for the Plex Pass?

          Chris78 @comet424
          last edited by Chris78 Mar 21, 2019, 11:50 AM Mar 21, 2019, 11:45 AM

          @comet424 My Xbox One X still has an open NAT after many reboots. It is going out through the WAN using uPNP so no need to open ports manually. No issues found so far.

          The Plex_Sites alias is made to redirect traffic for these sites over the WAN link (instead of the VPN). So only if the Plex_Group wants to go to the Plex_Sites it will go over the WAN. For other sites, the VPN is used.

          My PMS server (Windows server) will use uPNP over the WAN towards plex.tv to enable Remote Access. But if the same server is going to Google.com, it will go over the VPN.

            comet424
            last edited by comet424 Mar 21, 2019, 11:53 AM Mar 21, 2019, 11:50 AM

            @Chris78 ya i have the same setup like i mentioned, minus i never did the Check off Deny button.. as when i did it there was no documentation and trying different ideas.. came up same as yours... but i found i had to also add what you saw above, deny any other interfaces.. i found it was still double NATing if i didn't put the blocks pre the allow...
            only thing i wish was easier is if the ACLs you didn't have to do, if it could be in the Aliases so you don't have to type in the UPnP, but it's not like you're adding 50 devices anyways lol..

            as for the plex, ah gotcha... for me i don't have Plex Pass to allow me to remote access.. so all i do is OpenVPN into PFsense so i have access to the network and then can use Plex like i was right at home.. but since my internet isn't that fast i don't bother... but that's a cool idea you got too

              Chris78 @comet424
              last edited by Mar 21, 2019, 11:59 AM

              @comet424 I just wanted uPNP to work over the WAN to prevent opening ports manually. And as mentioned, you can also choose not to deny uPNP by default as long as you prevent devices that you want over the VPN (like P2P clients) from using the WAN, using FW rules. The Deny by default makes it a bit cleaner in my opinion.

                comet424
                last edited by Mar 21, 2019, 12:05 PM

                ah ok, i added a Fall over for P2P so if Nord goes down it can't leak internet and start using the WAN.. had to add a Floating Rule... this way IF Nord goes down i can still use internet but it denies it to the P2P and my guest network router

                  Airbag888
                  last edited by Dec 21, 2021, 9:40 PM

                  @Chris78 Sorry to sort of resurrect this.. I went through all of the instructions, my intent was to have all traffic go through the VPN yet no luck :(
                  Could pfBlockerNG be the cause?
                  I'll admit this is a LOT of steps to go through and so much could go wrong

                  Thank you
