So i finally got Plex and Ombi working the way i wanted on Unraid (official Plex docker image) and decided I wasn't happy forwarding ports from Pfsense to my services especially since I'm not aware of how good the hardening of these apps are (Ombi for example is development platform with constant changes so it was a risk to put it out in the open to get hacked) . I have friends and family outside of my network that access the plex box and i also gave them access to my Ombi Plex requests so I could automate their requests for movies and tv shows (started to become a pain to answer txt messages and get stuff for them in the library). I thought i would share my settings for anyone that may find it useful. Now i have both services available outside without any port forwards and Haproxy (reverse proxy) taking the requests and being intermediary to the internal server/ports.
caveat - I'm not a programmer, nor am i very well versed with Command Line for Pfsense/Haproxy or SSH. I know basic stuff to get things going but prefer to handle things on the GUI front end. So this solution should cater to those people.
Some basic requirements:
- Setup a DNS name (either dynamic or static) online. I use google domains at $12/year to host my own domain name. You can choose a free service of your choice.
- I have PFsense dynamic DNS service pointing to google domains to change the IP address as and when my ISP decides to change my Public IP. You can use any DYN service of your choice. I went ahead and created two pointers on google plex.xxxx.com and plexrequests.xxxx.com and both point to my single global IP that my internet provider has assigned to my router.
- Install HAproxy package on Pfsense (duh!) and enable it in the Haproxy settings page.
Configuration:
Plex server>Settings>Remote access
1. keep the default port standard of 32400 but enable the manual overide. IF you try to get Plex to connect automatically it will try to use uPnP on your firewall. Don't do this.
Plex server>Settings>Network>Custom server access URLS
here you need to enter http://plex.xxxx.com:32400 or whatever your DYN DNS name you chose when you registered that Pfsense is using to register with dyn dns service.
Pfsense HaProxy Settings:
Create 2 Backends (for Ombi and Plex). If you have just Plex, create a single backend to the server
Create 2 Frontends (if you want Ombi and Plex). If you just have Plex, then create a single frontend.
For plex backend service - give it a name, and under server list add an entry, mark it active, forward to address+port and enter your plex internal IP address and port 32400. Choose Health check as none and save.
For Plex Frontend service - give it name, mark it active, choose WAN address, port 32400, type choose TCP from dropdown and choose default backend name from dropdown that you created above.
Finally (almost there) Create a Firewall rule that allows TCP traffic on 32400 port received on your wan to go to the firewall so that it goes to the frontend you just created:
Action: Pass
Interface: WAN
Address family: IPv4
Protocol: TCP
Source: Any
Destination: This firewall (self)
Port range: Other: 32400 To Other 32400
Hit save and you are done.
you may need to retart plex (it behaves a bit funny) and you should see under Plex settings that it reports fully available outside on the manual port. It will go to Plex.tv and report its new url configuration and should be DNS addressable from the outside world.
To test I usually use my Phone with 4G connection only (no wifi) so i know what i see is what everyone outside my network will see. If plex.tv on phone browser reports direct connection, you are good to go. You can fire up the plex app on android and check that it connects up fine as well.
Let me know if you need more information. I apologize for the long post.
My final todo is to remove the 32400 from the url completely and have it go directly on port 80, but i seem to have a clash with my ombi service and i havent quite figured it out.