[solved] Plex server has indirect connection on local network

Server Version#: 1.26.1.5798
Player Version#: Plex Web

When I go to app.plex.tv from my home network and try to access my plex server, it tells me the connection is indirect. Remote access has a green checkmark and says “Fully accessible outside your network”.

I am using docker in bridge network mode. Docker IP is 172.21.0.2, and linux server IP is 192.168.1.4. I forwarded port 32400 on 192.168.1.4 to the docker container. I set up a NAT rule on my router to forward port 32400 on my WAN to port 32400 on 192.168.1.4. I set ADVERTISE_IP to be http://192.168.1.4:32400/, but that doesn’t seem to help. I’ve tried with and without the trailing slash, and https instead of http, but again, no change.

My router does not allow me to connect to the WAN IP on port 32400 from inside my LAN network.

If I go to https://192.168.1.4:32400/web instead, I do not get an indirect connection. Am I supposed to go to the local IP in plex web locally, or is there a way to tell app.plex.tv that the plex server might be on 192.168.1.4? I thought ADVERTISE_IP would do that (the custom server access URLs in the network config), but it doesn’t seem to help.

I can add a NAT redirection proxy to allow the router to translate NAT from inside the LAN to the WAN to go back, but the router docs don’t recommend it, which makes sense because it’s stupid to leave the LAN to go to the WAN to go right back to the LAN. This does remove the indirect connection problem, but I don’t think it’s the correct solution.

So, is there any way to tell app.plex.tv that my server is local and on 192.168.1.4:32400 and not try the WAN IP? Or should I not be using app.plex.tv at home?

Are you unable to use host or macvlan for some reason? Those are simpler.

Did you configure Docker port mapping for the other ports described here?

Might be helpful to share your docker-compose.yaml.

There are other reasons the connection might be indirect. Does your router perform DNS rebinding protection? Excluding the plex.direct domain may also be necessary.


I tried rebuilding the container with host networking, but that made no difference.

This is my docker compose file. I think I’m mapping all the ports.

services:
  plexmediaserver:
    image: plexinc/pms-docker
    container_name: plex
    restart: unless-stopped
    hostname: plex
    ports:
      - 32400:32400/tcp
      - 3005:3005/tcp
      - 8324:8324/tcp
      - 32469:32469/tcp
      - 1900:1900/udp
      - 32410:32410/udp
      - 32412:32412/udp
      - 32413:32413/udp
      - 32414:32414/udp
    environment:
      TZ: America/Indiana/Indianapolis
      ADVERTISE_IP: http://192.168.1.4:32400/
      PLEX_UID: 1000
      PLEX_GID: 1000
      PLEX_CLAIM: claim-XXX
    volumes:
      - /plex/config:/config
      - /plex:/media
      - /tmp:/transcode

I don’t know what DNS rebinding protection means. I’m using pfsense. It uses its own DNS server (unbound) directly. Is app.plex.tv trying to connect to plex.direct? I could tell the router to bind that to 192.168.1.4.

The key thing for me is that if I enable the NAT proxy in the pfsense with NAT redirection, it starts working. I think this is because I can then reach the WAN IP on port 32400 which NATs back to 192.168.1.4. This just doesn’t seem to be correct.

PFSENSE DNS RESOLVER
Similarly, if you are using pfSense’s internal DNS resolver service, you’ll want to adjust that configuration. In the pfSense web UI, go to Services > DNS Resolver, click Display Custom Options, and enter the following in the text box:

server:
private-domain: "plex.direct"

Thanks. I don’t understand what this does, but it fixes things.

DNS rebinding protection causes the router to drop any DNS responses that include “local” IP addresses.

It’s a safety feature because most people don’t run servers on their local networks.

Plex uses the plex.direct domain to resolve local services, so you want to un-block that domain.
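
Added example (not part of the original thread, and not unbound's or pfSense's code): a simplified Python model of the rebinding filter described above, showing why a plex.direct lookup that answers with 192.168.1.4 comes back empty until the domain is listed under private-domain. The hostname, the list of private ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Simplified model of a resolver's DNS rebinding filter (illustration only).
# Ranges treated as "local" here are an assumption; a real resolver's list may differ.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]


def is_exempt(qname, private_domains):
    """True if qname is an exempt domain or a subdomain of one.

    Whole labels are compared, so 'notplex.direct' does not match 'plex.direct'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for domain in private_domains:
        d = domain.rstrip(".").lower().split(".")
        if len(labels) >= len(d) and labels[-len(d):] == d:
            return True
    return False


def filter_answer(qname, addresses, private_domains=()):
    """Return the addresses the LAN client would still receive."""
    if is_exempt(qname, private_domains):
        return list(addresses)
    kept = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Private addresses in answers for non-exempt names are stripped.
        if not any(ip in net for net in PRIVATE_NETS):
            kept.append(addr)
    return kept


def demo():
    # Constructed sample: the hostname is a placeholder, not a real Plex name.
    name = "192-168-1-4.placeholder-id.plex.direct"
    answer = ["192.168.1.4"]
    before = filter_answer(name, answer)
    after = filter_answer(name, answer, private_domains=["plex.direct"])
    return before, after


if __name__ == "__main__":
    print(demo())
```

With no usable local address in the answer, the client has nothing on the LAN to connect to, which matches the indirect connection reported in the first post.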
