Newbie - Need help with Port Forwarding.

  • Hi,

    I just got pfsense up and running so I'm still learning.  Attached is my first attempt at port forwarding for my Plex app.  However, I'm doing something wrong because is not working.

    Can someone point me in the right direction? 

  • I never got this to work and ended up enabling UPnP & NAT-PMP.  With this enabled, the app was able to access the web.

  • LAYER 8 Global Moderator

    The app accessing the web has ZERO to do with you access it remotely..

    Do you mean the testing of remote access in plex and the little green check mark?

    Your rule looks correct.. But without seeing what your wan rules were/are its quite possible rule for your nat was below something that blocked it.  Or you were testing from internally and would need nat reflection for that to work.  There is also the whole thing with plex and rebinding protection as well.

    Did you go through the troubleshooting guide?

    To be honest I see zero reason to forward this - do you have guests that use up your bandwidth watching your plex?  Or is this just for you to access while your away from home or while your on your cell data plan?  If so the more secure way to do it would be a vpn connection.  This is how access my plex while away..

  • Yes, I'm working with Plex to get the green box enabled for external access for remote user viewing.  Being that I'm not familiar with this yet, I see your point about the order. I will probably go back and test some more this week. Would you consider upnp a security risk?  I enabled it just to make things work, but I'm not sure this is how I want to keep it? My goal is to make everything as secure as possible.

  • LAYER 8 Global Moderator

    Is UpnP a security risk??  Hmmm lets think about it for a second.. A protocol that is allowed to open up ports in your firewall to allow for unsolicited inbound traffic without any form of auth or identification.. Why would that be of concern?? hmmmm <grin>Did you atleast lock id down to say only the IP of of your plex could only open up ports inbound to the plex?

    Plex needs exactly 1 port inbound.  There is zero reason to allow upnp to do that.

    "My goal is to make everything as secure as possible."

    And opening up the whole internet to your plex server seems like a way to go about that ;)  The secure way to go about accessing your plex while remote would be to vpn into your network..  This would require secure authentication from a device you installed the openvpn client on with the cert, etc. etc.  And then even then could be locked down to only access your plex if you so desired.  So that would magnitudes more secure then just allowing the whole internet into your plex server.. With the only form of auth the username and password you have set - and the security of the service serving it up..</grin>

  • Thanks for the "Learning".  Your sarcasm is both welcomed and appreciated.  :)

    I'm back in testing mode.  UPnP has been disabled, and the port forwarding rule from earlier re enabled.  I attached both LAN / WAN screen shots from Firewall > Rules > LAN.  The rules here, (besides Plex) were already there by default.  I'm not sure if I should be doing anything with this?  Also, I attached my IP info.  I see IPv6 stuff here, and I believe it's all disabled?  Not sure if that could be causing a problem?

    Thank you for the help,….......... and patience.

  • LAYER 8 Global Moderator

    Do you have something in front of pfsense doing nat?  I doubt it if you say UPnP worked..

    I see no hits on your plex rule on your wan.. So to me nothing has tried to access it.. Or there would be something there vs 0/0… Simple test to see if your port forwarding is working is go to and put in your port and make sure its using your actual public IP.. Does it show open??

    So for example I opened up my plex from the outside for a quick test.

    The rfc1918 and bogon are on by default -- they should not be causing you problems unless your behind a nat for pfsense wan. You do not see them in my rules because I don't think there is any valid reason for them..  All they do is block things from hitting your forwarded/allowed ports.  Neither bogon and rfc1918 can actually route on the internet ;)  So while yes they are typical rules you see on a wan.  I just don't seem them as useful I remove them to keep my wan rules easier to read ;)

    As to your ipv6.. Sure it could be causing you a problem if your plex is trying to use ipv6 and you don't have that open..

    Personally if your not going to be actively using ipv6 - I would turn it off.. Disable it on your devices until such time you spend the time to set it up correctly.  You can see that your PC has an IPv6 and also has teredo (ipv6 conversion tech over ipv4).. MS in their infinite wisdom thought every machine should have 3 different ways to tunnel ipv6 over ipv4 along with native dual stack.. isatap, teredo and 6to4.. arrrghhhh..

    My machine normal workstation doesn't have ipv6 enabled - click and it can if I want to test something with it, etc.  There are only a few devices on my network that have it on all the time.  My ntp server that serves up ntp to the pool has it on for example..  But in general its off unless I am playing with it.. But for example if you come over and use my guest network your phone will get and use an IPv6 IP, etc.

    edit: And 2nd pic you can see I turned it off again.. Because its NOT secure to open my plex server to the whole freaking internet ;)

  • There is nothing in-front of pfsense besides the modem.  pfsense is connected directly from the modem > Into LAN1, then out LAN2 to my switch.  I tested the port @ and it was successful.

    As a test, (and yes, I know, not secure), I changed the RDP listening port on one of my machines.  Configured port forwarding.  Remoted into my machine at work to see it I could RDP in.  And it worked.  So that tells me again, that port forwarding is working.  So, I guess I'm chasing a ghost here and must be an issue with my Plex machine?  But that doesn't explain why upnp worked, and port forwarding isn't?

  • Ok!  I'm finally up an running.  I thought my old router was powered off, but it wasn't.  It was still on the network.  I'm guessing, somehow, it was interfering with the new pfsense setup.

    Either way, this was a learning experience.


  • LAYER 8 Global Moderator

    Was is running dhcp??  Did it have the same IP as pfsense?  How exactly what it connected in your network?

Log in to reply