[How to] pfSense with NordVPN + Plex + Xbox + uPNP
The last two weeks I've been figuring out how to get pfSense up and running with NordVPN while keeping Remote Access on my Plex Media Server and an open NAT connection to my Xbox One X working. I wanted to keep using uPNP to keep administration to a minimum. After spending a lot of time searching the internet and reading many guides and posts, I managed to get it all working. Just wanted to share it with anybody who is interested.
This 'How to' is based on a clean install of pfSense. Your mileage may vary if you implement it in combination with other configuration.
NordVPN already has an excellent guide on how to configure their service on pfSense. The only problem is that they assume you want to route all traffic through the VPN. However, uPNP (or port forwarding if you want to do it manually) will not work through their VPN service. So we have to make one tiny adjustment to their guide.
The rest of the guide is spot on, just remember to move your new NordVPN NAT rule (Firewall - NAT - Outbound) way down as displayed in the guide (new NAT rules will be placed on top of existing NAT rules, but NAT rules are applied top to bottom, so the order is important). I have added a picture of how my NAT rules look later on in this How to under the section 'NAT rules'.
Static DHCP lease / manual IP address
We don't like to change our uPNP rules all the time when the IP address of the Xbox or the Plex Media Server changes. Therefore, we need a static DHCP lease or a manually configured IP address for the devices we want to use in combination with uPNP. Below is where you can find the DHCP Leases and the button to change a lease to static. My Xbox already has a static lease (wired and wireless).
As mentioned before, I like uPNP for administrative reasons. I know people are against it because of security, but that is another topic. I have set up my uPNP as shown in the picture below. Make sure you select your WAN and LAN interface correctly. I also found guides that mention that the IP address should be in the format 192.168.1.21/32, but that didn't work for me. It is possible to not select the Default Deny option, but then the uPNP list will fill up with devices that try to use uPNP but are blocked by the firewall rule created later on.
I like to keep things clean and tidy. I don't like to make the same rule for the same kind of device, so I made some aliases for my devices. For example, if you have multiple Plex Media Servers, just add the new host to the alias and the same rules will apply to that server.
The aliases will fill the corresponding table with the correct IP addresses. Below is an example for Plex_Sites.
The Xbox does not like dynamic NAT ports, so it is important to change that to static. I did the same for my Plex Media Server, but that is optional. I used the aliases as the source. These rules will not open specific ports; they just make the ports created by uPNP static.
The result should look like this. Notice that the rules for Plex_Group and Xbox_Group are at the top while the NordVPN rule is almost (!) at the bottom. Don't place the NordVPN rule under your 'Auto created rule - LAN to WAN', as all your traffic will then try to default NAT out your WAN interface instead of the NordVPN interface.
So the NAT rules are in place, but to get the traffic out of the correct interface we have to add two more firewall rules. Notice that the rules are located above the 'Default allow LAN to any' rule.
The two pictures below show the firewall rule for Plex in more detail. Notice the aliases used in source and destination. Make sure to click Display Advanced to change the Gateway.
This should do the trick. Your Plex server doesn't need a manual port now and will still be accessible from outside. Also, your Xbox will have an open NAT.
How well is the Xbox working for you? I just searched for my older post for the Xbox and just found yours.
The way I did it to get the Xbox One to get OPEN on the WAN and bypass NordVPN...
I did it... and I just skimmed over yours so I'm sure I have something similar... as I spent hours, days, weeks trying to get it to work... and soooo many reboots... and MAC address clears on the Xbox etc.
I had figured this out last year; it took me a hell of a time... to get it right as NordVPN couldn't help me... You chose the Deny button, that's the only thing I never did; it will work without it too...
But I have a question for your Plex: what are the Plex Sites and why did you need to pass it... is that for the Plex Pass?
@comet424 My Xbox One X still has an open NAT after many reboots. It is going out through the WAN using uPNP so no need to open ports manually. No issues found so far.
The Plex_Sites alias is made to redirect traffic for these sites over the WAN link (instead of the VPN). So only if the Plex_Group wants to go to the Plex_Sites it will go over the WAN. For other sites, the VPN is used.
@Chris78 Yeah, I have the same setup like I mentioned, minus I never checked off the Deny button... as when I did it there was no documentation and, trying different ideas, I came up with the same as yours... but I found I had to also add what you see above, deny any other interfaces... I found it was still double NATing if I didn't put the blocks before the allow...
The only thing I wish was easier: if you didn't have to do the ACLs, if it could be in the aliases so you don't have to type it into the UPnP, but it's not like you're adding 50 devices anyway lol...
As for the Plex, ah gotcha... for me I don't have Plex Pass to allow me remote access... so all I do is OpenVPN into pfSense so I have access to the network and then I can use Plex like I was right at home... but since my internet isn't that fast I don't bother... but that's a cool idea you got too.
@comet424 I just wanted uPNP to work over the WAN to prevent opening ports manually. And as mentioned, you can also choose not to deny uPNP by default, as long as you prevent the devices that you want over the VPN (like P2P clients) from using the WAN, using FW rules. The Deny by default makes it a bit cleaner in my opinion.
Ah ok, I added a failover for P2P so if Nord goes down it can't leak internet and start using the WAN... had to add a Floating Rule... this way IF Nord goes down I can still use internet but it denies it to the P2P and my guest network router.
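The two things that keep coming up in this thread, the top-to-bottom order of the outbound NAT and LAN rules in the original post and the floating block rule for P2P in the reply above, are easier to reason about with a small model of how pfSense evaluates them. The script below is an added example written for this thread; it is not pfSense code and not something either poster shared. It only mimics the first-match behaviour of LAN pass rules with a Gateway set, of floating out-direction block rules and of outbound NAT rules. The alias members, the gateway names WAN_GW and NORDVPN_GW, the P2P_Group alias and the internet addresses are all constructed assumptions.

```python
"""Constructed model of pfSense first-match rule evaluation for the NordVPN + Plex + Xbox setup.
Added example, not pfSense code. Alias members, gateway names and P2P_Group are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Alias tables. Internet-side addresses use RFC 5737 documentation ranges (constructed values).
ALIASES = {
    "Plex_Group": ["192.168.1.21"],
    "Xbox_Group": ["192.168.1.31", "192.168.1.32"],   # wired and wireless static leases
    "P2P_Group":  ["192.168.1.40"],                   # assumed alias from the failover reply
    "Plex_Sites": ["203.0.113.10"],                   # placeholder for the resolved Plex hosts
    "LAN net":    ["192.168.1.0/24"],
}

def in_alias(addr: str, name: str) -> bool:
    """True if addr matches 'any' or is a member of the named alias (hosts count as /32)."""
    if name == "any":
        return True
    return any(ip_address(addr) in ip_network(m, strict=False) for m in ALIASES[name])

@dataclass
class FwRule:            # a LAN-tab pass rule; gateway None = follow the routing table
    src: str
    dst: str
    gateway: Optional[str]

@dataclass
class NatRule:           # a Firewall > NAT > Outbound rule
    iface: str
    src: str
    dst: str
    static_port: bool
    descr: str

@dataclass
class FloatingBlock:     # a floating block rule, direction out, on the egress interface
    iface: str
    src: str

GATEWAY_IFACE = {"WAN_GW": "WAN", "NORDVPN_GW": "NordVPN"}  # assumed gateway names
DEFAULT_GATEWAY = "NORDVPN_GW"   # the NordVPN guide makes the tunnel the default route
SYSTEM_ROUTE = "WAN_GW"          # assumed: where traffic falls when the tunnel gateway is down

def pick_gateway(rules, src, dst, down=frozenset()):
    for r in rules:                          # first matching LAN rule wins
        if in_alias(src, r.src) and in_alias(dst, r.dst):
            gw = r.gateway or DEFAULT_GATEWAY
            return SYSTEM_ROUTE if gw in down else gw
    return None                              # no pass rule matched: dropped

def pick_nat(nat_rules, iface, src, dst):
    for n in nat_rules:                      # outbound NAT is also first match, top to bottom
        if n.iface == iface and in_alias(src, n.src) and in_alias(dst, n.dst):
            return n
    return None

def route(fw, nat, src, dst, floating=(), down=frozenset()):
    """Return (egress interface, NAT rule description, static port?) or ('blocked', None, False)."""
    gw = pick_gateway(fw, src, dst, down)
    if gw is None:
        return ("blocked", None, False)
    iface = GATEWAY_IFACE[gw]
    if any(b.iface == iface and in_alias(src, b.src) for b in floating):
        return ("blocked", None, False)      # kill switch: P2P may never leave via WAN
    n = pick_nat(nat, iface, src, dst)
    return (iface, n.descr if n else None, bool(n and n.static_port))

FIREWALL = [
    FwRule("Plex_Group", "Plex_Sites", "WAN_GW"),   # Plex -> Plex sites over the WAN
    FwRule("Xbox_Group", "any", "WAN_GW"),          # Xbox -> everything over the WAN
    FwRule("LAN net", "any", None),                  # Default allow LAN to any (tunnel)
]
NAT_GOOD = [
    NatRule("WAN", "Plex_Group", "any", True, "Plex static port"),
    NatRule("WAN", "Xbox_Group", "any", True, "Xbox static port"),
    NatRule("WAN", "LAN net", "any", False, "Auto created rule - LAN to WAN"),
    NatRule("NordVPN", "LAN net", "any", False, "NordVPN"),
]
# Same rules, but the static-port rules sit below the auto rule: the auto rule wins first.
NAT_BAD = [NAT_GOOD[2], NAT_GOOD[0], NAT_GOOD[1], NAT_GOOD[3]]
KILL_SWITCH = [FloatingBlock("WAN", "P2P_Group")]

if __name__ == "__main__":
    plex, xbox, p2p, other = "192.168.1.21", "192.168.1.31", "192.168.1.40", "198.51.100.5"
    print("Plex -> Plex site    ", route(FIREWALL, NAT_GOOD, plex, "203.0.113.10"))
    print("Plex -> other site   ", route(FIREWALL, NAT_GOOD, plex, other))
    print("Xbox -> any          ", route(FIREWALL, NAT_GOOD, xbox, other))
    print("Xbox, auto rule first", route(FIREWALL, NAT_BAD, xbox, other))
    print("P2P, tunnel up       ", route(FIREWALL, NAT_GOOD, p2p, other, KILL_SWITCH))
    print("P2P, tunnel down     ", route(FIREWALL, NAT_GOOD, p2p, other, KILL_SWITCH, {"NORDVPN_GW"}))
```

Running it shows why the order matters: with the Xbox static-port rule below the auto LAN-to-WAN rule the Xbox still leaves via the WAN, but its ports are no longer static, which is the strict NAT case. The last two lines show the failover: while the tunnel is up the P2P host is NATed through NordVPN, and when the tunnel gateway is down the floating block on WAN drops it instead of letting it leak, while the rest of the LAN keeps working over the WAN.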