Plex Remote Access Repeatedly Enabled / Disabled Bouncing

After many years of no remote access issues… all of a sudden that changed a few days ago.

I’m a Plex Pass user.
Plex version: 1.41.5.9522
Platform: Linux (docker) 6.1.118-Unraid

Problem: After upgrading Plex 3 days ago, my remote access goes green for about 3 seconds under settings and then changes to red stating “Not available outside your network”.

  • Tautulli remote access monitor repeatedly alerts remote access up and down.
  • I’ve always been configured in Plex settings with manual port 32400 and with Relay disabled.
  • Remote port shows open when checking from cloud tools.
  • Opnsense firewall NAT and port forwarding are working and show successful ingress traffic connecting to the Plex docker IP.
  • I’m not double NAT.
  • canyouseeme.org is successful on port 32400
  • What’s odd is, most remote users cannot connect, but when I test from my phone on cellular network and separate work connection, the Plex app and web app connect fine…
  • For example, one of my remote friends has multiple devices in his house (using same src IP), some of them connect and not all of them after the recent Plex upgrade. This scenario holds true to other remote friends.
  • I checked Plex debug and verbose logs and nothing is jumping out at me…

Any help would be appreciated!

This is my related post on the Opnsense forums:

You want Hybrid for your manual port forward to work.

A one-to-one rule is only necessary if you have multiple public IPs mapped to internal IPs.

You will have to include logs if you want to support that it is a Plex issue.

I’m already using hybrid outbound NAT mode on the Opnsense.
Is that what you are referring to?

This is what I see now on my Plex server settings > remote access page. It’s now showing remote access is fully available, but I no longer see my local to public IP mapping in the middle section.

When I click Apply for the manual port, it hangs indefinitely and shows “Connecting…”

Turning off NAT reflection on the Opnsense got me past the Plex remote access hanging with “Connecting…” when applying manual port 32400.

With NAT reflection off, Plex remote access settings now shows my private-IP:32400 < public-IP: 32400 correctly, but it bounces between remote access connected to disconnected. It only remains connected fully accessible for 3 seconds.

As a possible workaround and overall security improvement, I will move to Swag (nginx) using port 443 instead of 32400.
I’ll report back tomorrow with update…

So I moved away from Plex remote-access with manual port 32400 and over to Swag (nginx) using port 443 with custom Plex network URL defined.
However, some of my friends can connect and others cannot…

I’m narrowing it down. Still on Swag (nginx), when Plex is unavailable remotely using custom URL on Port 443, my other nginx web apps are also inaccessible remotely. Due to this, the issue is now pointing more to my Opnsense firewall side or nginx config…

Seems like a lot of effort when Plex’s mechanism usually works really well especially with the new clients being released.

If you restart Plex the network startup will appear in the Plex Media Server.log within 3 minutes. Look for DNS or Pub Sub failures.

If you read up on my previous replies here, you’ll see that I was using the native Plex remote access manual port 32400 for many years without issue.
However something changed in the last week either between my Opnsense firewall firmware update or Plex docker updates, causing it to break.
I have restarted Plex numerous times and analyzed the logs with and without verbose and debugging levels enabled. I’m not seeing anything indicating the cause.
Moving to nginx on Port 433 with Plex custom URL actually simplifies things and reduces the attack surface. However the inherent issue is following this configuration.
It’s very odd, I’m not able to reproduce the issue when on full tunnel VPN simulating remote access, or on cellular carrier from mobile phone. Also half of my remote users can connect and the other half cannot, while I see all traffic hitting my firewall interface logs being allowed.

Thank you all who responded with enriching info!
What’s odd is, remote access to my Plex and my other web-apps via nginx ARE successful from these ISPs:

  • ✅ Verizon
  • ✅ Comporium
  • ✅ TMobile
  • ✅ Cyber Assets Fzco
  • ✅ Cogent
  • ✅ Palo Alto Networks

However,

  • For the other users that cannot reach my web-apps via Swag NGINX behind Opnsense, I see the rdr nat and Wan rule logs reflect their connecting src IP being allowed in live logs…
  • I don’t see any IP bans in Fail2Ban either for latest tests
  • Frontier, AT&T, and FiOS ISP users: get ERR_TIMED_OUT and cannot get to any of my web-apps.
  • Disabling fail2ban does not resolve issue.
  • Disabling crowdsec does not resolve issue.

For the remote users who cannot access my exposed apps over 443, they get this when doing a ‘curl -v’ against my URL:

Schannel: failed to receive handshake (35)

I’m left scratching my head. Any ideas?

RESOLUTION:
Increasing the MTU size from 1492 (longtime setting) to 1500 on my WAN interface and changing the Docker VLAN interface from empty MTU to 1500 as well, resolved the issue for remote clients.
They are now able to connect to Plex and the other web apps.
This appears to be related to kernel updates on Opnsense version 25 for FreeBSD 14 compatible.

Related: WAN MTU on 25.1 issue · Issue #235 · opnsense/src · GitHub
