====== PFSense - Plex ======
===== Plex Settings =====
In Plex:
Navigate to **Settings -> Server Settings -> Remote Access**.
{{:pfsense:plex_public_port.png?800|}}
Get the port number used by Plex for remote access.
This is at the **Manually specify public port** option. Default is port 32400.
----
===== NAT Settings =====
In pfSense:
Navigate to **Firewall -> NAT -> Port Forward**.
* Add a new rule and fill it out as follows:
* **Interface** is WAN, which if you run no VPN may be your only interface.
* **Protocol** is TCP. If Plex starts using UDP then change this to TCP/UDP.
* **Destination** is WAN address.
* **Destination Port Range** is "Other 32400 Other 32400".
* **Redirect target IP** is our static Plex Server IP, and our redirect port number is again 32400.
* **Description** is "Plex".
{{:pfsense:pfsense_firewall_nat_portforward_plex.png?800|}}
This rule reads: when a request for port 32400 arrives on the WAN gateway from any source IP or port, redirect it to 192.168.1.5:32400.
**NOTE:** This Port Forward rule should automatically be added to the Firewall WAN Rules.
It may be prudent to verify that this rule exists under **Firewall -> Rules -> WAN**, and if not, to configure such a rule manually.
How is this different from the NAT rule? The NAT rule tells the firewall how to map an external port to an internal one, so that our machine is reachable from the internet.
But by default pfSense blocks anything that tries to reach our internal network unless it is the reply to a request made from inside, such as a request for a webpage via https. The firewall rule tells pfSense to allow through the specific traffic that NAT has already redirected. Both must work in tandem to open this port successfully.
----
===== Troubleshooting =====
==== Reboot Plex ====
This may fix "Remote Access" showing a RED icon instead of a GREEN icon.
----
==== Update DNS Resolver ====
pfSense includes built-in methods of [[https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html|protection]] against [[https://en.wikipedia.org/wiki/DNS_rebinding|DNS rebinding attacks]].
This protection can prevent being able to connect to a Plex Media Server securely on the local network.
To remediate this:
* In pfSense:
* Navigate to **Services -> DNS Resolver -> General Settings**.
* Add the following to the **Custom Options** box on a new line.
  server:
  private-domain: "plex.direct"
* Ensure that other entries in this box are on separate lines.
{{:pfsense:pfsense_dns_resolver_custom_options.png?800|}}
**TODO:** This image is wrong. There should only be a single **server:** word, right at the top. Remove the other one.
**NOTE:** An alternative method is to have the following entries within the Resolver Custom option:
  server:
  local-zone: "plex.direct" redirect
  local-data: "plex.direct 3600 IN A "
**NOTE:** An alternative method to overcome the DNS protection is to navigate to **System -> Advanced -> Firewall and NAT**.
In **Network Address Translation**:
* NAT Reflection mode for port forwards: **NAT + proxy**.
While this works for remote connections, it is not everything needed to get local secure connections working, so this is not the recommended approach to take.
**WARNING:** When working around DNS rebinding protection this way, your apps and Plex Media Server will typically treat the connections as being from a **Remote** source.
This can affect which streaming qualities are used, as well as trigger Remote-applicable Server Settings - Bandwidth and Transcoding Limits.
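The effect of the **private-domain** entry in this section, as an added example that is not part of the original page and is not Unbound's or pfSense's own code. It is a simplified model of the resolver's rebinding filter: the private range list is an assumption, the hostnames are constructed, and ''filter_answer'' and ''in_domain'' are hypothetical helper names.

```python
import ipaddress

# Assumption: a simplified private-address list (RFC 1918 plus loopback and
# link-local); the resolver's real list may contain more ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (label-aligned)."""
    name = name.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_answer(name, addresses, private_domains=()):
    """Return the A record addresses the client would still receive.

    Private addresses are stripped from answers unless the record's name
    falls under one of the private-domain exemptions.
    """
    if any(in_domain(name, d) for d in private_domains):
        return list(addresses)
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in PRIVATE_NETS)]


if __name__ == "__main__":
    # Constructed sample answers; every hostname here is made up.
    samples = [
        ("192-168-1-5.0123456789abcdef.plex.direct", ["192.168.1.5"]),
        ("rebind.example.net", ["192.168.1.1"]),
        ("notplex.direct", ["192.168.1.5"]),
        ("www.example.org", ["93.184.216.34"]),
    ]
    for exempt in ((), ("plex.direct",)):
        print("private-domain:", list(exempt) or "none")
        for name, addrs in samples:
            print("  %-42s -> %s" % (name, filter_answer(name, addrs, exempt)))
```

The exemption only covers names under plex.direct, so answers for any other public name that point at a private address are still dropped.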
----
See [[PFSense:pfBlockerNG:Bypass pfBlockerNG for specific clients|Bypass pfBlockerNG for specific clients]]
----
==== Use NAT reflection ====
In pfSense:
Navigate to **Firewall -> NAT -> Port Forward**.
Against the same rule created above (the rule named "Plex"):
* Change **NAT reflection** from "Use System Default" to "Enable (NAT + Proxy)".
* Apply changes and see if this makes a difference.
----
==== Have Plex use Direct Mode ====
For Plex to work in Direct mode rather than Indirect mode (which limits playback quality to something like a 2mbit stream):
In Plex:
Navigate to **System -> Advanced**.
Disable DNS Rebind Checks, but first try without this change to see whether it is needed.
----
===== References =====
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html
https://en.wikipedia.org/wiki/DNS_rebinding
https://support.plex.tv/articles/200931138-troubleshooting-remote-access/