Plex Remote access or Internet access I currently can't have both.

Started by Egligible@gmail.com, December 27, 2024, 09:19:20 PM

I have been trying to get this to work for a while and have tried every post I can find for getting remote Plex to work with OPNsense. I am running Plex on the following server:
AMD Ryzen 7 5800X 8-Core Processor
64.0 GB RAM
LAN: Realtek USB 2.5GbE hardwire connection
64-bit Windows 11 Pro 23H2 OS build 22631.4602 (I have other programs that need Windows..., they are not the problem)

OPNsense running on Minisforum MS-01 (on bare metal for now):
Software Versions:
OPNsense 24.7.11_2-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

CPU: 12th Gen Intel(R) Core(TM) i9-12900H
RAM: 32GB (less than 7% currently used according to OPNsense)
10GbE optical to LAN switch
2.5GbE Intel WAN to modem (connected at 1GbE, Charter 600Mb/s internet)


The last guide I tried got me the closest. I followed the guide https://forum.opnsense.org/index.php?topic=40273.0 and it worked, but it made it so Plex remote access was the only thing that could communicate outside my network (internet didn't work for any device). I narrowed it down to the last part being the problem.

Firewall-> Settings -> Advanced
Reflection for port forwards: checked
Reflection for 1:1: checked
Automatic outbound NAT for Reflection: checked
Firewall Optimization: normal

When I have "Reflection for port forwards" and/or "Automatic outbound NAT for Reflection" checked, my internet goes down for everything but remote Plex, even devices on Wi-Fi. Reflection for 1:1 and Firewall Optimization don't affect it and are set as checked and normal.

I did just find out my external WAN IP ends in .228.8 (https://www.top10vpn.com/tools/what-is-my-ip/) and my WAN IP from OPNsense ends in .228.1 (first parts of the IP address are the same). This is new for my location, as 1 month ago they were the same. So I assume Charter is Double-NATing me now?
I am not sure how to set up a port forward in Charter's modem (don't know if I can even get into it). I'm assuming if I can get the 2 problems above in OPNsense worked out I won't need access to the modem, but I don't know how to fix OPNsense.

Please Help!
Thanks
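The comparison made in the post above (the firewall's WAN address versus the address an external lookup reports), as an added example that is not part of the original thread. The addresses are constructed documentation-range samples, and the function name and verdict labels are hypothetical.

```python
import ipaddress

# Ranges that can never be the address the internet sees you as.
# Listed explicitly because ipaddress.is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

HINTS = {
    "direct": "WAN holds the public address; a WAN port forward is reachable as-is.",
    "upstream-nat-rfc1918": "A modem/router in front is NATing; forward the port there too or bridge it.",
    "upstream-cgnat": "ISP carrier-grade NAT; inbound forwards need a public IP from the ISP.",
    "public-mismatch": "WAN is public but traffic leaves under another address; "
                       "check outbound/source NAT rules and any VPN or proxy on the test device.",
    "family-mismatch": "Lookup returned a different IP family; repeat the lookup over IPv4.",
}


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Compare the firewall's WAN address with what an external
    what-is-my-IP service reports and name the likely situation."""
    wan = ipaddress.ip_address(wan_ip)
    seen = ipaddress.ip_address(observed_ip)
    if wan.version != seen.version:
        return "family-mismatch"
    if wan == seen:
        return "direct"
    if any(wan in net for net in RFC1918):
        return "upstream-nat-rfc1918"
    if wan in CGNAT:
        return "upstream-cgnat"
    return "public-mismatch"


if __name__ == "__main__":
    # Constructed samples; the second mirrors the "same prefix, last octet
    # differs" observation using documentation addresses.
    samples = [
        ("198.51.100.8", "198.51.100.8"),
        ("198.51.100.1", "198.51.100.8"),
        ("192.168.1.2", "203.0.113.40"),
        ("100.72.3.9", "203.0.113.40"),
        ("198.51.100.1", "2001:db8::1"),
    ]
    for wan, seen in samples:
        verdict = classify_wan(wan, seen)
        print(f"{wan:>14} vs {seen:<14} -> {verdict}: {HINTS[verdict]}")
```
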

There is nothing funky with this, it's really simple. Get rid of the reflection for port forward, you don't need it. So undo what you have done and just do this:

In the Plex interface go to Remote access, select show advanced, manually specify the public port and apply. I use 54444; use that or pick a port somewhere around that number.

Next go to OPNsense, select Firewall/Port Forward and add a new rule.

Interface: WAN
TCP/IP: IPv4
Destination: WAN address
Destination Port Range: Select OTHER for both from and to and enter 54444 or the port you have used in both.
Redirect Target IP: Your plex server IP, in my case 10.4.15.100
Description: Plex

That's it, nothing else. Apply and save that lot and then go back to your plex server page and you should see the server is now accessible.

OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Sadly it didn't work. I also set "Redirect target port" to 54444 and triple checked the server IP address. (which I have my firewall set (static) as it is the DNS also (unboundDNS))

On the Plex Remote access page, is it showing "Fully accessible outside your network" ?
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Sorry, did you set the redirect target port to 32400 in the Port Forward of OPNsense? I appear to have not mentioned that. If not, set the Redirect target port to (other) and the port number to 32400.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

It says I don't have remote access. And I tried 32400 and 54444; neither worked.

Plex will show green and say I can access remotely for a couple of seconds and then switch to red and say that it's inaccessible.

You have your Port Forward rule like this?

WAN     TCP     *     *     WAN ADDRESS     54444     10.4.15.100     32400     PLEX Remote Access

And at the bottom of that Port Forward you added the 'associated filter rule'?

And in Plex you checked off Manually specify public port to 54444 and applied?


Do you have any blocks to European servers? These 2 IPs are the sources for the Plex Remote Access check; both of them originate from Ireland as per the Plex Troubleshooting page: 54.170.120.91 and 46.51.207.89.

https://support.plex.tv/articles/200931138-troubleshooting-remote-access/?utm_campaign=Plex%20Apps&utm_medium=Plex%20Web&utm_source=Plex%20Apps

https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

AhnHEL (Angel)

I have everything set as you said. Still not working. I didn't have the associated filter rule applied as I had created my own, but it is now checked. I came from an old Firebox firewall and I had to set everything manually in it. It worked for about 5 seconds then stopped again.

I don't think I have the servers blocked. I had originally installed CrowdSec but have stopped it in Lobby>Dashboard. Could it still have some part working to block?

There's something odd going on, that's for sure. At this point I would back up your config and reset or re-install OPNsense. Get the basics working, i.e. get a working router, and the first thing you then do is the Plex stuff. You can then use the restore function in System:Configuration:Backups to restore any other config settings you have one by one, testing your Plex instance after every step. Chances are it will stay working, as I've had oddities like that myself.

Just as a stupid idea, first try disabling the firewall on the Windows PC that you are using as a Plex server.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Thanks! I was afraid I was going to have to try and re-install. Sadly it wasn't Windows firewall. I created an exception in it a while ago just in case that was it. I did try disabling it, just in case I had misconfigured the exception. I am not sure I will have time to re-do the firewall for 1-2 weeks. I will post back with the results.

It's FIXED!

Thanks to everyone who took their time and helped me figure this out.

Whenever I do a reinstall/reset I go through and copy down all settings I changed/added to make sure I have them, just in case the backup fails for some reason (I've had a backup fail before). In doing so I found the error in section "Firewall: Automation: Source NAT" "PLEX" "Interface" set to LAN instead of WAN. I'm not sure when or how that happened.

The one benefit to all of this is I am now just a little more familiar with OPNsense than I was with my firebox T20 firewall.

Glad you have it fixed. All mistakes are learning curves, I know, I've made a few myself. However, from time to time you do just get weirdos and a complete re-install and import of the config fixes it.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member