CGNAT Questions

My ISP only offers us CGNAT. Not a problem for me until I need to connect in externally. Well, I’m hosting Plex so I need to. I was thinking maybe a reverse proxy but I’m not familiar with how they actually work. I have static IPs at work and a few of them are not being used for anything so I’m wondering if I can utilize one of those somehow. Any suggestions would be GREATLY appreciated. Thanks!

A reverse proxy would work in this case because Plex uses HTTP. Another option is simply to use port forwarding (NAT).

In either case, you would need a server with a public IP address and decent (symmetric) internet connection. You can rent a VPS for that or use a server at your work if that is an option for you. Then you need a VPN connection between this server and your Plex server’s network and a couple of static routes.

For VPN I recommend WireGuard or OpenVPN. You could also use Tailscale. For reverse proxy, I personally use Traefik, but nginx and HAProxy will also work. I recommend running the proxy in a container, but you don’t have to.

Also you’re not the first person to encounter this problem. Maybe you’ll find some more directions here:

1 Like
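The port-forward-over-VPN setup described in the reply above, sketched as a pair of wg-quick configs (an added example, not part of the original posts). It assumes Linux on both ends, WireGuard running directly on the Plex host, `eth0` as the server's public interface, and a constructed tunnel subnet; keys and the public address are placeholders.

```ini
# --- Public server (VPS or work host): /etc/wireguard/wg0.conf ---
# Constructed values: tunnel 10.99.0.0/30, public NIC eth0, placeholder keys.
[Interface]
Address = 10.99.0.1/30
ListenPort = 51820
PrivateKey = <server-private-key>
PostUp = sysctl -w net.ipv4.ip_forward=1
# Forward only Plex (TCP 32400) from the public interface into the tunnel.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to-destination 10.99.0.2:32400
PostUp = iptables -A FORWARD -i eth0 -o %i -p tcp -d 10.99.0.2 --dport 32400 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-NAT forwarded traffic so replies return through the tunnel without
# policy routing on the Plex host. Side effect: Plex sees every remote
# client as 10.99.0.1.
PostUp = iptables -t nat -A POSTROUTING -o %i -p tcp -d 10.99.0.2 --dport 32400 -j MASQUERADE
PreDown = iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 32400 -j DNAT --to-destination 10.99.0.2:32400
PreDown = iptables -D FORWARD -i eth0 -o %i -p tcp -d 10.99.0.2 --dport 32400 -j ACCEPT
PreDown = iptables -D FORWARD -i %i -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PreDown = iptables -t nat -D POSTROUTING -o %i -p tcp -d 10.99.0.2 --dport 32400 -j MASQUERADE

[Peer]
# No Endpoint: the home side is behind CGNAT and always dials out first.
PublicKey = <plex-host-public-key>
AllowedIPs = 10.99.0.2/32

# --- Plex host behind CGNAT: /etc/wireguard/wg0.conf ---
[Interface]
Address = 10.99.0.2/30
PrivateKey = <plex-host-private-key>

[Peer]
PublicKey = <server-public-key>
# Placeholder public address of the server (documentation range).
Endpoint = 203.0.113.10:51820
# Accept tunnel traffic from the server only, nothing else on its network.
AllowedIPs = 10.99.0.1/32
# Keeps the CGNAT mapping open so inbound forwards keep working.
PersistentKeepalive = 25
```

The /32 `AllowedIPs` entries and the single-port forward rules keep the exposure to Plex on 32400; nothing else on either network is reachable through the tunnel.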

Oh, and I almost forgot: Yay IPv6!


IPv6 is not the universal answer for some CGNAT; I don’t think this works for T-Mobile.

If you work from home, and get a letter from your employer, then T-Mobile might bless you with a B2B account (same money), and with a B2B they may be able to give you a static outward facing IP address (not a NAT or CGNAT address). I’m trying to figure out if I can con a local store into setting that up for me, I’ll pay the extra for a static IP.

B2B also allows bring your own device, like say the Chester Tech Cheetah (need to check my firmware again, he keeps adding cool things). Web search for a link, easy to find, there are different versions that work better with some carriers so I suggest an email, the guy is SUPER helpful!!!

As far as setting up personal services from a work IP, I’d not recommend it unless you own the business.

I’m on Starlink. No offering of a real public IP without upgrading to a much more expensive package. I do see that I have my own IPv6 address but I’d really like to figure out a way to do this with IPv4. If I can just get Plex going, that’s all I’m concerned about. Remoting into work isn’t an issue. WireGuard gets me in just fine on CGNAT since I don’t need anything coming in.

I’d like to try and do something with a VPN to my work since I have available public IPs there not being used for anything.

WireGuard service at work running from pfSense CE 2.7

Could you (would you want to) use the free tier at Zerotier? It bounces your connection through their servers so it should get out of the CGNAT and form a network with your remote endpoint. I think other people have talked about doing the same with the free tier and Tom might have a video on setting it up.

WireGuard, OpenVPN, etc. should work with the server (host) at the static IP; I did this at work for a while.

Another alternative: what about a TeamViewer personal account to a workstation back at home? It again bounces through their servers and might be fast enough to do what you need.

1 Like

On the topic of using a reverse proxy in front of Plex: I tried this the other day (with Traefik) while in the process of moving my Plex install from the Debian package to a container and I really cannot recommend it. Plex wouldn’t respect the X-Forwarded-For header, resulting in the address of the reverse proxy shown for all clients. I also had trouble with connections from the local network (remote play was fine), which I believe is related to the Custom Server URL setting and the way server discovery works. Also, curiously, Plex uses the same port (32400 by default) for both HTTP and HTTPS, which makes things more complicated with a reverse proxy. With a simple port forward to the container everything works fine.

Seems like I’m going to see a lot of downsides to running Plex behind a proxy. I’m considering just moving my Plex server to a location with a public IP. Just seems like a lot can break and doesn’t seem to be a stable setup from what I’ve read. I’ve got access to a fiber connection at 200 up and down. I have unused IPs as well. Thinking that’s what I’m going to do. Really wish Starlink would offer public IPs to their base package.

my 2 cents … install Tailscale on the Plex server, then Tailscale on any client u want to access Plex from … job done, 15 mins work

1 Like

I’ve decided to use Tailscale for this project. My firewall at home and the firewalls at work are both pfSense. I can use Tailscale to accomplish this with ease, it seems. I’ll post back to share my results. Thank you to everyone who gave me info!!

OK, I have Tailscale installed and set up. I’ve tested site-to-site functionality between 2 pfSense CE boxes: one at work with a public IP and mine behind CGNAT. ACLs in Tailscale are set to allow all to communicate. What’s the best way to access Plex remotely without installing the Tailscale app on whatever device wants access? I cannot access it using the TS ip:34200. I’m assuming something needs to be done to let Tailscale see the Plex port. The Services tab on my Tailscale admin page doesn’t show any services.

Got it working! Decided to use Tailscale Funnel to forward 32400 from the Plex server to the TS URL and IP. Set the URL in my Plex server for access via the TS URL. Works perfectly so far. Any thoughts or changes anyone would make?