I would not expect a port forward to be required there as Plex can usually be accessed from anywhere, even externally.
UPnP is disabled by default in pfSense and you should leave it that way unless you have a very good reason not to. Plex can open port forwards in the firewall to allow access otherwise.
Usually when people device their network like you have it is for security. Consider what would happen if one of your cameras was found to have a vulnerability and was hacked for example. What would that give anyone access to?
You probably want firewall rules on the 192.168.2.1 interface in pfSense that allow only the required access outbound. So the cameras may not need any external access or maybe only to a known IP or set of IPs. Wifi IoT style devices may not need any access to to the LAN subnet. Though maybe you want Alexa to be able to control Hive....
What you want to do is allow only the traffic that is needed and segregate devices as much as possible to mitigate any security issues should they occur.
Does your access point allow for multiple SSIDs / VLANs?
If so I would create more so you can separate general access devices like laptops and tablets from IoT devices like cameras and Alexa.
Currently you have separated devices simply by wired or wifi and that might not be the best way. The Hive and Hue hubs are IoT devices. I would want those on a separate subnet to desktop PCs and servers if possible.
Steve
