DNS Rebind attack with HAProxy

I’ve run out of ideas trying to get custom DNS entries to work locally. I want plex.home.arpa to navigate to my self-hosted server at 192.168.1.11:32400, but I get the DNS Rebind attack pfSense page. I don’t want to worry about any of the certs/SSL stuff for now.

What I’ve done.

  • used as reference
  • pfSense IP: 192.168.1.1
  • configured DNS Resolver
    • Host: plex
    • Parent domain of host: home.arpa
    • IP to return for host: 192.168.1.1
  • configured HAProxy
    • Backend
      • Name: Plex
      • Server list
        • Name: Plex
        • Forwardto: Address+Port
        • Address: 192.168.1.11
        • Port: 32400
        • Encrypt(SSL): no
        • SSL checks: no
    • Frontend
      • Name: Plex
      • External address
        • Listen address: LAN address (IPv4)
        • Port: 32400
        • SSL Offloading: unchecked
      • Access Control lists
        • Name: plex
        • Expression: Host matches:
        • CS: no
        • Not: no
        • Value: plex.home.arpa
      • Actions
        • Action: Use Backend
        • Condition acl names: plex
        • backend: Plex

I’ve tried disabling DNS Rebinding Checks (via System / Advanced / Admin Access, checking Disable DNS Rebinding Checks), but that just navigates to 192.168.1.1 (pfSense admin page).

What am I doing wrong?
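The "DNS Rebind attack" page in the post above is produced by the pfSense web interface itself: the admin GUI refuses to serve a request whose HTTP Host header is a DNS name other than the firewall's own hostname (or a configured alternate hostname), because a browser arriving under a foreign name is exactly what a DNS rebinding attack looks like to an admin UI listening on a LAN address. The following is an added illustration of that check, written for this thread and modelled on pfSense's behaviour rather than taken from its code; the hostnames, IPs and sample Host headers are constructed.

```python
"""Model of the Host-header check an admin web UI performs as a
DNS-rebinding defence.  Modelled on pfSense's behaviour (not its code);
every hostname, address and sample request below is constructed."""
import ipaddress

# What this firewall knows about itself (constructed, matching the thread).
SYSTEM_HOSTNAMES = {"pfsense.home.arpa", "pfsense"}
ALTERNATE_HOSTNAMES = set()      # pfSense lets you whitelist extra names here


def split_host_port(host_header: str):
    """Return (host, port) from an HTTP Host header, handling [v6]:port."""
    h = host_header.strip()
    if h.startswith("["):                      # bracketed IPv6 literal
        end = h.find("]")
        if end == -1:
            return h, None
        rest = h[end + 1:]
        return h[1:end], (rest[1:] if rest.startswith(":") else None)
    if h.count(":") == 1:                      # name:port or v4:port
        name, port = h.split(":")
        return name, port
    return h, None                             # bare name (or unbracketed v6)


def host_header_allowed(host_header, system_names=SYSTEM_HOSTNAMES,
                        alternate_names=ALTERNATE_HOSTNAMES):
    """True when the Host header names this box, so the GUI may answer."""
    name, _port = split_host_port(host_header)
    name = name.lower().rstrip(".")
    if not name:
        return False
    try:
        ipaddress.ip_address(name)
        # An IP literal was typed by the user, not obtained from a DNS
        # answer, so it cannot be the result of a rebinding attack.
        return True
    except ValueError:
        pass
    allowed = {n.lower().rstrip(".") for n in system_names | alternate_names}
    return name in allowed


def classify(host_header, rebind_checks_enabled=True):
    """What the GUI does with a request: serve it, or show the rebind page."""
    if not rebind_checks_enabled or host_header_allowed(host_header):
        return "serve"
    return "reject: potential DNS rebind attack (unexpected Host header)"


# Constructed sample Host headers, as the browser would send them.
SAMPLE_HOSTS = ["192.168.1.1", "pfsense.home.arpa",
                "plex.home.arpa", "plex.home.arpa:80"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:22} -> {classify(h)}")
```

With the overrides from the post, plex.home.arpa resolves to 192.168.1.1, the browser sends `Host: plex.home.arpa` to port 80, and the GUI (not HAProxy, which only listens on 32400) answers with the rebind page. Turning the checks off makes the GUI serve the request instead, which is why the admin page then appears; neither outcome involves HAProxy until the GUI is moved off the port the browser is using.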

I am guessing you did not change the web interface port for pfSense and turn off the port 80 redirect.

I have a newer version of the HAProxy video and I show how to do that at about the 7:00 mark.

I did try that out, but cannot get to my Plex server via plex.home.arpa. Now, it just doesn’t load with a connection timeout (instead of getting a DNS Rebind attack page), so changing the System / Advanced / Admin Access / TCP Port did affect that, but DNS is still not working.

The way I like to handle HAProxy on pfSense is to assign a VIP to the proxy, that way your router can keep listening on port 80/443 at its primary IP address and all proxy traffic goes to its own IP. I eventually switched from using the pfSense plugin and now have a separate HAProxy VM, so having that separate IP address already made the move over really easy.

As a troubleshooting step, what does the HAProxy stats page say about your plex backend? There might be hints to be found there.

It’s been a while since I’ve used plex, but isn’t port 32400 expecting a TLS connection?

Follow my 2023 HAProxy video; you do need to get a domain set up that you own to have the certificates working properly.

Oh, are you saying using plex.home.arpa won’t work unless I get certificates and a personal domain registered? I really was hoping to use home.arpa as the domain (which I thought was a reserved name via RFC 8375: Special-Use Domain ‘home.arpa.’).

You can’t get a trusted certificate for that domain from somewhere like Let’s Encrypt or other certificate authority.

Perhaps I’ve miscommunicated something, but I don’t care about getting certificates to work. I just want DNS to direct my requests to the correct server.

Or perhaps I’m just uninformed and DNS only works with certificates? I was under the impression that certificates were optional security for DNS, but it could still work without certificates.

Why use HAProxy if you are not going to get a certificate? Why not just connect directly to the plex server?


↑↑↑ THIS! ↑↑↑

Just set a DNS override in Unbound pointing plex.home.arpa to the local IP of your Plex server and let the clients connect directly to it.

You don’t need to proxy the connection through HA proxy if you don’t care about valid certificates. The clients will then use the self-signed certificates provided by your Plex server, which is perfectly fine if you are only using it locally. The only downside is that browsers will complain about the self-signed certificate, and you will have to do an extra click to confirm that you are fine with that.

Technically, you don’t even need to add a DNS record, as you could just use your Plex server’s IP address as a URL instead of plex.home.arpa, which would work just as well in a home network.

DNS will work perfectly fine without certificates, and you don’t need to encrypt DNS queries in a home network, and even if you wanted to do that, you wouldn’t use HA Proxy for that.

HA Proxy is for proxying the actual traffic and optionally encrypting it with valid certificates. DNS is for the clients to know what IP to connect to when they request a domain name like plex.home.arpa, and this DNS lookup is done before the client connects to the server, at which point HA Proxy may or may not come into play.

You could encrypt your local DNS traffic by enabling the DNS over TLS server in pfSense, but that’s a whole different topic, and usually not necessary in a home network: Configuring DNS over TLS | pfSense Documentation


Ok, thanks. Your answer explains things a bit more clearly for me. I guess I’ll just not use HAProxy. I was trying to avoid having to specify the port, and assumed HAProxy handled that with the port configured in the Backend.

I disabled HAProxy and changed the DNS record in the Services / DNS Resolver / General Settings / Host Overrides to the server’s IP (i.e. 192.168.1.11) and am able to successfully access plex via plex.home.arpa:32400. I guess it would be kinda tricky to not require the user to specify the port.

Browser bookmarks are a thing, and apps on TVs and streaming boxes aren’t usually something you have to set up on a daily basis :wink:

Hmm, if this means you’re thinking of fiddling with NAT rules to rewrite the port, please don’t. The better, or really only proper way of doing this is to use a reverse proxy, which I suppose brings us back to square one. :wink:

However, there are still a number of different ways to approach this, i.e. different places to set up the reverse proxy and different products to use.

One option would be to actually use HA Proxy on pfsense, which you can also run with self-signed certificates if you’re only using it on your local network and don’t want to buy a domain name. I can’t provide you with a step-by-step guide on how to set this up, but it’s essentially the same process as shown in Tom’s video, with some different settings for SSL, generating self-signed certificates, and of course without the ACME/Let’s Encrypt part.

Or, and this is probably what I would do in your situation, just install Apache (or NGINX) directly on the Plex server, and create a VirtualHost with ServerName plex.home.arpa listening on port 443, with self-signed certificates and a reverse proxy configuration pointing to 127.0.0.1:32400.

You could of course also set up Apache, NGINX or HA Proxy on a separate server, but this only starts making sense if you are running a lot of services with a high volume of connections and traffic.
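As an added example of the "reverse proxy on the Plex host itself" option described above (not configuration from the thread or from Plex), here is an NGINX server block that terminates TLS with a self-signed certificate for plex.home.arpa and hands requests to Plex on the loopback address. The certificate paths are assumptions; a matching self-signed pair can be created beforehand with `openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=plex.home.arpa" -addext "subjectAltName=DNS:plex.home.arpa" -keyout /etc/ssl/private/plex.home.arpa.key -out /etc/ssl/private/plex.home.arpa.crt`. It assumes Plex accepts plain HTTP on 32400 from localhost, which the earlier post reaching plex.home.arpa:32400 in a browser indicates.

```nginx
# Added example for this thread, not Plex's or the forum's own config.
# Runs on the Plex host; the cert/key paths below are assumptions.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name plex.home.arpa;

    ssl_certificate     /etc/ssl/private/plex.home.arpa.crt;   # self-signed
    ssl_certificate_key /etc/ssl/private/plex.home.arpa.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Plex listens on the loopback address only; nothing else on the LAN
        # needs to reach 32400 directly once this vhost is in place.
        proxy_pass http://127.0.0.1:32400;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The Plex web app keeps a WebSocket open; allow the upgrade.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Plain-HTTP visitors get sent to the TLS listener.
server {
    listen 80;
    listen [::]:80;
    server_name plex.home.arpa;
    return 301 https://$host$request_uri;
}
```

With this in place the Unbound host override points plex.home.arpa at the Plex host's address, the browser is served on 443 without typing a port, and the only warning left is the browser's one-time objection to the self-signed certificate.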

This is what I did that works. However, my local domain is a registered domain (home.mydomain.com) with letsencrypt for ssl; but it may work for your case, i.e., local domain without SSL. Please try and let me know whether it works.

On HAProxy frontend, you add LAN Address to the “External Address” section with port 80 (mine is 443). This will tell HAProxy to listen to requests from local LAN too, in addition to listening to WAN 443 only.

On HAProxy, you add backend, frontend ACL and Action as usual for plex.

On Services–>DNS Resolver, add an entry to the Host Overrides section (Host=plex, Parent Domain=home.arpa, IP Address=192.168.1.1 (your pfSense local IP)).

On Services–>DNS Resolver–>General Settings, Network Interfaces: select both WAN and LAN (or ALL), not just WAN, so resolver will work with requests from LAN interface too.

DNS Rebind is unchecked.

Ensure that your PC is using your pfSense as your sole DNS server.

That’s it and this is the workflow:

In browser, you enter url: plex.home.arpa

Your browser will try to resolve it by using the pfSense DNS resolver. The DNS resolver will check the host overrides section first and find plex.home.arpa, which points to 192.168.1.1 (that hosts HAProxy). As HAProxy is also listening to requests from the local LAN, it will accept the request and continue to look up the matching frontend and backend.

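Both working setups in this thread (the override pointing plex.home.arpa straight at 192.168.1.11, and the one above pointing it at 192.168.1.1 so HAProxy answers) rely on the same resolver behaviour: a host override is answered locally and is never subject to rebinding protection, while an answer that comes back from the outside pointing at a LAN address is dropped unless its domain is whitelisted. The following added example, written for this thread and modelled on Unbound's local-data / private-address / private-domain options as pfSense configures them (not pfSense or Unbound code), plays that logic out over a constructed set of names so the difference between "override" and "rebind-filtered" is visible; every name and address in it is constructed.

```python
"""Model of a local resolver with host overrides and DNS-rebinding
protection.  Modelled on Unbound's local-data / private-address /
private-domain behaviour as used by pfSense; not their code.  All
names and addresses below are constructed for the example."""
import ipaddress

# The ranges pfSense feeds to Unbound's private-address option (assumed
# list for this example): answers inside them are rejected unless the
# queried name falls under a whitelisted private-domain.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]


def is_private_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_ADDRESS)


class LocalResolver:
    def __init__(self, host_overrides, private_domains=(), rebind_protection=True):
        # Host override == Unbound local-data: answered here, never forwarded.
        self.overrides = {self._norm(n): ip for n, ip in host_overrides.items()}
        self.private_domains = {self._norm(d) for d in private_domains}
        self.rebind_protection = rebind_protection

    @staticmethod
    def _norm(name: str) -> str:
        return name.lower().rstrip(".")

    def _in_private_domain(self, name: str) -> bool:
        return any(name == d or name.endswith("." + d) for d in self.private_domains)

    def resolve(self, qname: str, upstream):
        """Return the A/AAAA answer for qname, or None when there is none
        or the rebind filter dropped it.  `upstream` is a callable that
        stands in for the forwarders / root servers."""
        name = self._norm(qname)
        if name in self.overrides:
            return self.overrides[name]          # local-data wins, unfiltered
        answer = upstream(name)
        if answer is None:
            return None
        if (self.rebind_protection
                and is_private_address(answer)
                and not self._in_private_domain(name)):
            # private-address check: an outside name must not map to a
            # LAN address, so the answer is discarded (client sees no A record).
            return None
        return answer


# Constructed stand-in for the Internet: one ordinary name and one whose
# authoritative answer is a LAN address (the rebinding pattern).
UPSTREAM_ZONE = {
    "www.example.test": "203.0.113.10",
    "lanpointer.example.test": "192.168.1.1",
}


def fake_upstream(name: str):
    return UPSTREAM_ZONE.get(name)


def build_resolver(plex_ip="192.168.1.11", rebind_protection=True, private_domains=()):
    """Resolver with the thread's single host override for plex.home.arpa."""
    return LocalResolver({"plex.home.arpa": plex_ip}, private_domains, rebind_protection)


if __name__ == "__main__":
    r = build_resolver()
    for q in ("plex.home.arpa", "www.example.test", "lanpointer.example.test"):
        print(f"{q:26} -> {r.resolve(q, fake_upstream)}")
```

The point for the home network: the host override works with rebinding protection left on, whichever LAN address it points at, so the checkbox only needs to be off when an outside domain you control legitimately resolves to LAN addresses, and even then the private-domain whitelist is the narrower fix.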