After upgrading from the latest 24.x to 25.1.3 yesterday, something is going on with my port forward NAT rule for Plex. 
Plex shows remote access connected and green for about 3-5 sec, then it changes to 'Not available outside your network'.
Plex settings have always been set up with manual remote access port 32400.
Checking back on the Plex settings page regularly, it's evident that it's repeatedly flip-flopping, which is also evident with my Tautulli notification that monitors Plex remote access status.
Prior to upgrading my firewall, this was not an issue. All NAT and WAN interface rules are the same and no other known changes... 
Changing NAT rule from TCP to TCP/UDP doesn't resolve it, which was a test as I know only TCP should be needed.
I am also not doing double NAT.
What's even more odd, I'm not able to reproduce any remote access issues with the Plex app when I simulate a remote connection on my cell phone cellular network or from a different ISP and geo. However, my remote friend is no longer able to connect to Plex from multiple devices.
Also when monitoring the firewall traffic, I see the inbound connections successfully being established on Port 32400/TCP and nothing's getting dropped.
			
			
			
				Does your ISP use IPv4 or IPv6?
			
			
			
				At the very least I would recommend accessing Plex via a reverse proxy. Caddy is a simple reverse proxy to set up and handles certificates etc. for you. Yes, you will need a domain and a DDNS service (unless you have a static public IP address).
Alternatives are accessing over WireGuard/Tailscale, or some people even use Cloudflare tunnels; the latter may be against Cloudflare's ToS, but these options do not require any open ports.
If you search the plex and selfhosted subreddits you will find lots of posts on how to do these things and they will all be a step up from forwarding a port directly to plex.
			
			
			
				If your ISP is IPv4 only (as is mine) have a look at my post here: https://forum.opnsense.org/index.php?topic=45612.msg231178#msg231178
This solved many problems for me post upgrade, one of which was the same Plex remote access problem that you're experiencing
			
			
			
			
			
				Quote from: sarkyscouser on March 26, 2025, 02:44:45 PM
At the very least I would recommend accessing Plex via a reverse proxy. Caddy is a simple reverse proxy to set up and handles certificates etc. for you. Yes, you will need a domain and a DDNS service (unless you have a static public IP address).
Alternatives are accessing over WireGuard/Tailscale, or some people even use Cloudflare tunnels; the latter may be against Cloudflare's ToS, but these options do not require any open ports.
If you search the plex and selfhosted subreddits you will find lots of posts on how to do these things and they will all be a step up from forwarding a port directly to plex.

I've been port forwarding 32400 (no relay) for the last 7 years on my same static IP from ISP through Opnsense. So I'm very familiar.
I considered using my existing Swag/nginx docker and switching Plex to direct on port 443, but I'm concerned about throughput limits with nginx.
The only thing that changed was upgrading Opnsense to 25.1 and now on 25.1.3.
Any other suggestions? 
			
 
			
			
				Quote from: jim1985 on March 26, 2025, 02:53:04 PM
If your ISP is IPv4 only (as is mine) have a look at my post here: https://forum.opnsense.org/index.php?topic=45612.msg231178#msg231178
This solved many problems for me post upgrade, one of which was the same Plex remote access problem that you're experiencing

Thank you for the heads up...
My IPv6 int setting is still properly set to none. The only other custom setting I have for my Wan interface is MTU size of 1492, which has been in place for several years.
			
 
			
			
				Do you have a Plex subscription?
If not, may not pay to research this too much as they are removing remote streaming as a free option.
			
			
			
				Did you set the outside port manually via advanced options to the same port you used for the port forward in Plex?
			
			
			
				Quote from: nodakbarnes on March 27, 2025, 06:27:01 PM
Do you have a Plex subscription?
If not, may not pay to research this too much as they are removing remote streaming as a free option.

Yes, I'm a Plex Pass user for the last 10 years, not the issue.
			
 
			
			
				Quote from: meyergru on March 27, 2025, 06:49:46 PM
Did you set the outside port manually via advanced options to the same port you used for the port forward in Plex?

Yes, I stated this setup in my earlier post in this thread.
			
 
			
			
				No you did not. You stated that you used a port forward. The manual port setup is hidden in Plex unless you check the box.
			
			
			
				All seems to point to the Plex side of things, as all looks well and good on the Opnsense side. 
But just very much a coincidence this issue started happening right after the upgrade to 25.1 and persists after incremental updates to 25.1.3. 
These are my Opnsense settings for Plex NAT and Port Forward, can someone validate this for me?
=================
Firewall -> Nat -> Port Forward
From this page click + (add)
No RDR: unchecked
Interface: WAN
TCP/IP Version: IPv4
Protocol: TCP
Source: Any
Source Port Range: any/any
Destination: WAN Address
Destination port range: (other) 32400/32400
Redirect target IP: Plex server internal IP
Redirect target port: (other) 32400
Pool Options: Default
Description: Plex Media Server
NAT Reflection: Enable
Filter Rule Association: Pass
Firewall-> Settings -> Advanced
Reflection for port forwards: checked
Reflection for 1:1: checked
Automatic outbound NAT for Reflection: checked
Firewall Optimization: normal
=================
I posted my issue as well on the Plex forums here:
https://forums.plex.tv/t/plex-remote-access-repeatedly-enabled-disabled-bouncing/910647
			
			
			
				I tried with NAT reflection enabled and disabled, no resolution. 
Toggled these settings:
NAT Rule:
NAT Reflection: Enable / Disabled
Filter Rule Association: Pass / none 
Firewall-> Settings -> Advanced
Reflection for port forwards: checked / unchecked
Reflection for 1:1: checked / unchecked 
Automatic outbound NAT for Reflection: checked / unchecked 
Firewall Optimization: normal
=====
I'm stumped on what broke this after years of no issue...
			
			
			
				The port forward settings look right for a port forward to a specific port, and this:

Quote:
What's even more odd, I'm not able to reproduce any remote access issues with the Plex app when I simulate a remote connection on my cell phone cellular network or from a different ISP and geo. However, my remote friend is no longer able to connect to Plex from multiple devices.
Also when monitoring the firewall traffic, I see the inbound connections successfully being established on Port 32400/TCP and nothing's getting dropped.

suggests that it is working fine. Maybe either plex side, or your friend's side has a problem.
			
				UPDATE:
As a test, I switched from Plex remote access manual port forward using 32400 to Swag docker (nginx) over port 443. Therefore, I properly disabled the remote-access settings on the Plex server and entered my URL under network settings as required.
***It works for me locally, from my cellular phone carrier off WIFI, and also from a work device that's on a full-tunnel VPN out of a Chicago location.
***Also, my other web apps using Swag (nginx) are fine and remotely accessible as well for me from all the same remote connections...
HOWEVER, my remote users continue to NOT be able to connect to Plex or my other web-apps via Swag (nginx) from certain, not all, ISPs; it hangs and eventually they get this error in the browser:
ERR_TIMED_OUT
I see the traffic in the firewall logs WAN interface with rdr rule label and its allowed.
I ruled out fail2ban, crowdsec, and zenarmor as being causes. Issue persists with those services uninstalled and disabled... 
Any other ideas? 
			
			
			
				I too run Plex.
I have two NATs: one for static NAT outbound and one for the incoming NAT (aka Port Forward).
I have a static WAN address assigned by my ISP.
Outbound static NAT- I have my firewall NAT outbound in Hybrid mode.
 Firewall > NAT > Outbound
- I have added a manual static IP address for my Plex server (say 192.168.1.88)
- I have a static outbound NAT for Plex.
**** Like this ****
Interface: WAN
Source: 192.168.1.88 (my Plex server LAN IP address)
Destination: *
Destination Port: *
NAT Address: Interface Address
NAT Port: *
Static Port: YES
Description: Static NAT for Plex Out
Inbound port forward NAT- Firewall > NAT > Port Forward
- I have added a port forward for my Plex server (say 192.168.1.88)
**** Like this ****
Interface: WAN
Proto: TCP
Address: *
Ports: *
Address: This Firewall
Ports: the static port number you set inside Plex, typically 32400
IP: 192.168.1.88 (my Plex server LAN IP address)
Ports: the static port number you set inside Plex, typically 32400, the same as the first "Ports"
NAT Address: Interface Address
Description: WAN to Plex IN
This works for me great! I do not use "One-to-One" NAT at all.
			
				I will be making a blog entry about this eventually, but if you use Traefik as your reverse proxy, you can set up a TCP match for your plex.direct FQDN that Plex uses and allow a TLS passthrough that will finally show your remote availability as always Green.
It is literally THIS ^ that causes the issue (and I have run Nginx reverse proxy, got green, but it would fall off almost immediately).
I port forward 443 to 443, and 80 to 80 for the Traefik setup, and in Traefik if they are requesting my plex subdomain on 443 or 80 I forward them to 32400, and if they request the '*.*.plex.direct' FQDN, I have Traefik TCP (not HTTP) TLS passthrough (they are using their own Digicert SSL Cert) the connection to 32400 to the Plex server. ^_^
			
			
			
				Thank you all who responded with enriching info!
What's odd is, remote access to my Plex and my other web apps via nginx is successful from these ISPs:
✅ Verizon
✅ Comporium
✅ TMobile
✅ Cyber Assets Fzco
✅ Cogent
✅ Palo Alto Networks
However, 
For the other users that cannot reach my web-apps via Swag NGINX behind Opnsense, I see the rdr NAT and WAN rule logs reflect their connecting src IP being allowed in live logs...
* I don't see any IP bans in Fail2Ban either for latest tests
* Frontier, AT&T, and FiOS ISP users: get ERR_TIMED_OUT and cannot get to any of my web-apps.
* Disabling fail2ban does not resolve issue. 
* Disabling crowdsec does not resolve issue. 
For the remote users who cannot access my exposed apps over 443, they get this when doing a 'curl -v' against my URL:
Schannel: failed to receive handshake (35)
I'm left scratching my head.  Any ideas? 
			
			
			
				This looks like it might be related to an MTU size on my WAN and Docker vlan interfaces since upgrading to 25.x. 
After some testing, I lowered the MTU from 1492 to 1472 on both interfaces and as a result, one of my remote clients can now connect to Plex via web client.
More Troubleshooting needed...
			
			
			
				RESOLUTION:
Increasing the MTU size from 1492 (longtime setting) to 1500 on my WAN interface and changing the Docker VLAN interface from empty MTU to 1500 as well, resolved the issue for remote clients. They are now able to connect to Plex and the other web apps.
This appears to be related to kernel updates on Opnsense version 25 for FreeBSD 14 compatibility.
Related: https://github.com/opnsense/src/issues/235
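
A check an affected remote client could run for the symptom pattern in this thread (TCP connects, the TLS handshake times out, and the fix was an MTU change): binary-search the largest unfragmented IPv4 packet that reaches the server. This is an added example, not code from any poster or from OPNsense; it assumes Linux iputils `ping`, and `plex.example.net` and `simulated_path` are constructed placeholders.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header
IP_TCP_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)


def tcp_mss(mtu):
    """Largest TCP payload that fits in one unfragmented IPv4 packet at this MTU."""
    return mtu - IP_TCP_OVERHEAD


def ping_probe(host, timeout_s=2):
    """Return probe(packet_size) sending one Don't-Fragment echo of that IPv4 size.

    Assumption: Linux iputils ping, where -M do sets DF and -s is the ICMP payload.
    """
    def probe(packet_size):
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do",
               "-s", str(packet_size - IP_ICMP_OVERHEAD), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest IPv4 packet size in [lo, hi] that probe() passes.

    Returns None when even `lo` fails (host down or ICMP echo filtered).
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid        # mid got through: the limit is mid or higher
        else:
            hi = mid - 1    # mid was dropped: the limit is below mid
    return lo


def simulated_path(limit):
    """Constructed stand-in for a path that drops DF packets larger than `limit`."""
    return lambda packet_size: packet_size <= limit


if __name__ == "__main__":
    # Offline demo on a constructed path; use ping_probe("plex.example.net")
    # (placeholder host) to measure a real path from an affected client.
    mtu = find_path_mtu(simulated_path(1492))
    print(f"path MTU {mtu}, TCP MSS {tcp_mss(mtu)}")
```

A result below the MTU configured on the WAN interface means full-size segments, such as the server's certificate during the TLS handshake, will not arrive unless the sender learns the smaller size.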