Having a heck of a time getting HAproxy set up

I don’t know why I’m having so much trouble with this - especially after watching Tom’s video on this. Although his examples weren’t exactly what I’m working with, the principles should still be the same.

So, I’ve got a FQDN - myhost.mydomain.com. I’m trying to hit my PLEX server through that FQDN. My PLEX server is running on a VM and I can access it within my LAN at Further, from another machine on my LAN, “nslookup myhost.mydomain.com” shows:

Server: netgate.home.arpa
Name: myhost.mydomain.com

This tells me that my domain resolver in pfSense is operating correctly, right?

Now, here at my house, I’m running pfSense as a VM. On that same physical machine exists a Linux VM from which I run all of my dockerized media apps. The IP of said VM is If I SSH into that VM, then enter the same nslookup query, it returns:

Non-authoritative answer:
Name: myhost.mydomain.com
Address: 100.xxx.xxx.176

I replaced those numbers with x’s, but that’s my WAN. Is this normal behavior? Shouldn’t the output of nslookup be the same?

Anyhow… I’ve got ACME set up just like in Tom’s video and the cert appears to have gone through and is valid. On to HAproxy.
Here is my front and back end. Keep in mind, I can reach PLEX from within my LAN at and that is an http, not https.

What have I overlooked?

I have never tried to get Plex working with HAProxy, not sure if it will work.

For local use myhost.mydomain.com should point to HAProxy/pfSense in DNS resolver. So in your case. And in HAProxy frontend listen address set to LAN Address and port to 443 assuming you want to use HTTPS since you have certs setup.
That’s how mine’s set up at least.

If you want it externally accessible I think you can remove the DNS resolver entry and make the domain point to your Public IP wherever you manage your domain. Set HAProxy listen address to WAN address port 443 and select ‘Pure NAT’ NAT Reflection mode in System / Advanced / Firewall & NAT.

Can you screenshot your haproxy configs? I’ve got it set up according to your instructions and still no-go. Something must be jacked. I’ve never had this much trouble R-Proxying a service. That’s why I thought it must be plex, but that makes no sense because connectivity is connectivity.

Here are my DNSResolver, backend and frontend configs. I have it set up for local access only.

Dang. I just set mine up just like yours and no go. The HAproxy gods are frowning upon me lol.

Did you add an allow firewall rule?

WAN rule


This is probably my issue. I’m trying to set the LAN rule now but I don’t see “HTTP_HTTPS” as an option. I can select either but not both.

That’s an alias I made with ports 80 and 443

You know, I really need to work on my understanding of firewall rules. I have only a very basic understanding of them. I need to get to a point where I can read the rules to myself in English. It took me a really long time before I understood subnets.

Question for you: In pfSense, what’s the difference between NAT and rules under the firewall section? For reference, I know what NAT is and how it works, why we need it etc… But sometimes when I set up something under the NAT section, it asks if you want to add an associated firewall rule, and that confuses me. Mind answering that?

I’ll read up on how aliases work in pfSense in the meantime now that I know what I’m looking for.


NAT happens before firewalling so you still need to allow the traffic through with a firewall rule. You can create an associated rule when setting up NAT that’s linked to the NAT rule. If you make any changes to the NAT rule it automatically updates the firewall rule for you.
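
The evaluation order described in the reply above (NAT first, then the filter rules), as a small model. This is an added example, not code from the thread or from pfSense; the class and function names are hypothetical and the addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class PortForward:          # models a NAT port-forward entry
    match: Packet           # destination as it arrives on WAN
    target: Packet          # destination after translation

@dataclass(frozen=True)
class PassRule:             # models a pass rule on the WAN tab
    dst_ip: str
    dst_ports: frozenset

def apply_nat(pkt, forwards):
    """Step 1: rewrite the destination if a port forward matches."""
    for f in forwards:
        if pkt == f.match:
            return f.target
    return pkt

def filter_allows(pkt, rules):
    """Step 2: rules see the translated packet; no match means default deny."""
    return any(pkt.dst_ip == r.dst_ip and pkt.dst_port in r.dst_ports for r in rules)

def evaluate(pkt, forwards, rules):
    translated = apply_nat(pkt, forwards)
    return translated, filter_allows(translated, rules)

# Constructed sample values, not addresses from the thread.
WAN, SERVER = "203.0.113.10", "192.0.2.50"
HTTP_HTTPS = frozenset({80, 443})            # alias with ports 80 and 443
FORWARD = [PortForward(Packet(WAN, 443), Packet(SERVER, 443))]
INBOUND = Packet(WAN, 443)

def scenarios():
    return {
        "port forward, no rule": evaluate(INBOUND, FORWARD, []),
        "port forward, rule on WAN address": evaluate(INBOUND, FORWARD, [PassRule(WAN, HTTP_HTTPS)]),
        "port forward, associated rule": evaluate(INBOUND, FORWARD, [PassRule(SERVER, HTTP_HTTPS)]),
        "no NAT, proxy listens on WAN": evaluate(INBOUND, [], [PassRule(WAN, HTTP_HTTPS)]),
    }

if __name__ == "__main__":
    for name, (pkt, ok) in scenarios().items():
        print(f"{name:36} -> {pkt.dst_ip}:{pkt.dst_port} {'pass' if ok else 'block'}")
```

Only the rule written against the translated (internal) destination passes the forwarded packet, which is what the associated rule provides. The last case has no port forward, so the rule matches the WAN address itself.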