Need to create a NAT rule for PLEX streaming



  • My roommate has to have PLEX streaming on port 80 so I tried to create a NAT rule. After creating it and surfing to the public IP I could see my pfsense admin page… not good!  :o How can I make sure the admin console is not available on the WAN and forward port 80 to my nat address 192.168.0.100?


  • Rebel Alliance Global Moderator

    Well for starters where are you coming from when you try and going to your public IP?  From your 192.168.0 network? That is nat reflection or loopback forwarding..  Did you enable that?

    To send traffic from the public internet to 192.168.0.100 (this is the plex address)

    This is all you have to do - see attached.  Under firewall, nat, port forward tab click the little plus button to add a port forward. It will auto create the firewall rule to allow the traffic.  Then validate it from OUTSIDE your network - you can use something like canyouseeme.org

    edit:  My bad I have a typo in my screenshot where I put 192.168.1.100 vs your 192.168.0.100 - but think you should be able to know that is where you put in the IP address of your plex box.




  • Looks like the admin page is actually blocked when coming from an extrenal ip - where do I find "nat reflection or loopback forwarding"?

    I've added in the rule but I cannot test it since I don't use PLEX - have to wait for my roommate on that one - the rule is attached - why is the NAT rule grayed out?





  • Rebel Alliance Global Moderator

    you don't have it enabled..  Do you have the disable checkbox.. You can see if the port is open by going to canyouseeme.org and putting in port 80

    And you sure don't need UDP…

    Why do you want to enable nat reflection?  Its pointless and to be honest shouldn't even be an option ;)  I would not suggest you do anything with it - if you want to hit his plex server - then go to the 192.168.0.100 address since your on that network already..  Create a dns entry in pfsense for plex.yourwhateverlocal.tld and there you go ;)



  • @johnpoz:

    you don't have it enabled..  Do you have the disable checkbox.. You can see if the port is open by going to canyouseeme.org and putting in port 80

    And you sure don't need UDP…

    Why do you want to enable nat reflection?  Its pointless and to be honest shouldn't even be an option ;)  I would not suggest you do anything with it - if you want to hit his plex server - then go to the 192.168.0.100 address since your on that network already..  Create a dns entry in pfsense for plex.yourwhateverlocal.tld and there you go ;)

    Yeap had the rule disabled - forgot I got scared :)

    NAT reflection is what is allowing me to see the admin interface when I type in my pub addr on my lan connected workstation right? I don't like that and I did not enable it. I'd just assume see nothing or what I'm supposed to see form the internet.

    canyouseeme.org does not seem to work due to the double nat I have to have set up right now. 192.168.0.100 is actually another router. If I browse locally I can see the XML for plex. Coming in extrenally I still don't see it… but I'm on my iPad so it could be a iOS thing.


  • Rebel Alliance Global Moderator

    "192.168.0.100 is actually another router."

    Why??  For what possible point could you have to double nat in your own network?  But if your going to forward traffic to another router, then that router would have to forward the traffic to where you want it to go..

    Nat reflection is not on by default, you seeing your pfsense admin interface was because your coming from the inside hitting your public IP and you had a forward setup..

    Why do you have a double nat??  For what possible reason would anyone want that?  Did you need some more ports so you bought another router vs a switch?  You don't know how to use a wifi router as just an AP?  What?



  • Double NAT is due to transition to the new pfsense router. Mt roomates don't want to have to re do their network and they've used dhcp assigned ips. That is a battle for a different day however.

    I still cannot connect externally… Here are the screenshots of the rules I made. Not sure if the webgui listening on port 80 is causing the issue?






  • Forgot to add the old router has port 80 open on it forwarded for the PLEX server behind it.



  • Plex standard/default port is 32400…. each NAT rule should point to Plex_Server_IP:32400.


  • Rebel Alliance Global Moderator

    "Mt roomates don't want to have to re do their network and they've used dhcp assigned ips"

    And who says they would have to redo anything???  Dhcp means they would just get the new IP scheme if you changed..  Or you could just use whatever IP scheme they used if you wanted, etc..

    You have a block rule saying lan users can not go to NA?  Africa, SouthAmerica - where are they coming from?

    Here is the thing port forwarding it really drop dead simple - click click, as I showed you..  If you are having problems with it.. Either the traffic is not on the port you think it is, your not even listening on the port where your sending it, your sending it to the wrong place..  Or the traffic is not even getting to you..

    You clearly have a double nat - for all I know its a triple nat..

    Here - https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    As mentioned on plex - and by wolf the plex port seems to be 32400

    https://support.plex.tv/hc/en-us/articles/200931138-Troubleshooting-Server-Connections



  • @TyMac:

    …and surfing to the public IP I could see my pfsense admin page... not good!

    Additionally, it could be beneficial to allow access to pfSense on HTTPS only.
    This can be set at:  System | Advanced | Admin Access
    Obviously, this doesn't solve your initial problem for which you got great answers already.



  • That is correct, Plex using port TCP 32400.  In Plex GUI under Connect (Show Advanced) Check the checkbox for 'Manually specify port' Make sure its 32400.

    pfSense UPNP doesn't auto create the rule correctly so you will need to setup a NAT rule as state before. I have my dest and redirect port set to 32400. Works with no issues…
    But not sure how this will work being double/tripe NATed...



  • I got a strange issue
    Everything seems to be fine since I upgraded to 2.2

    BUT

    for plex

    Server is mapped to 32400
    I can see the server
    I can navigate
    But no streaming of video …
    With a VPN no issue

    Any idea ?



  • Hi all

    I was trying to do the same. I want to open 80 or 443 and when I check on canyiuseeme.org the port is close. Any advice?

    I followed the how to and I still not able to open a port.


  • Rebel Alliance Global Moderator

    For starters are you behind a NAT?  Did you tread the port forwarding troubleshooting guide?  Did you go through the steps there?

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Does your ISP even allow inbound traffic to 80 or 443.. Many of them may block this because your not allow to run servers on their service - check with your ISP.  Per the troubleshooting guide.. Sniff on your wan in pfsense packet capture, go to canyouseeme.org and generate traffic - do you see it in your sniff.. If not then your behind a nat that is not forwarding to you, or you isp is blocking, etc.