Pfsense + HAProxy + Letsencrypt + Cloudflare + Plex (LAN impacts)

I have followed this guide and it has been working great.

However, I have a question regarding direct LAN connections. How can this setup be modified so that the Pfsense router will route LAN based requests to “” back through the same frontends setup in this tutorial? In other words, I believe LAN based players are attempting to connect to “” and going out to an internet DNS what in turn sends them back through cloudfare and ultimately back through the pfsense setup described. How can this be simplified by allowing the LAN plex players to route directly to the LAN based plex server backends?


If you want to point to your Plex instance, add a host override in the DNS Resolver. If you’re doing that you probably also want to disable rebind protection for that domain by adding the following to the custom options:

private-domain: ""

See the Plex Support for more info on that.

How can i test if this is working correctly?

When I try to “ping” it resolves to my WAN IP and not my LAN IP

what is the syntax for multiple private-domiains?

private-domain: “
private-domain: “

Still having issues with this setup.

I am using pfsense + haproxy + letsencrypt + cloudfare + uraid (plex docker)

Everything works fine except for syncing (downloading) content to a device using the plex app WHILE i am on my own LAN. As soon as a leave my network (ex: coffee shop wifi) and connect to my plex server I can sync content. Steaming content works fine in all situations. Just sync seems to fail.

I have examined the logs and the sync seems to attempt but then just stalls out. Even in verbose logging, not much more information. I would like to rule out this “” connection as I have also been suspicious that even streaming is not taking a direct route while on my lan.

When i try to ping “” it resolves to my WAN address and not my LAN.

From the plex forums:
Related Page : pfSense: DNS Rebinding Protections

The instructions state that when using pfsense the above mentioned custom server setting should provide a rebinding protection exception.

Could this be the issue?
Perhaps the HaProxy frontEnd “Listen address” should instead be changed to “Any” to support both WAN + LAN frontEnd traffic instead of just WAN as the instructional video suggested? Would this cause any adverse effect?