PF Port forwarding with pf and PPPoE

I am trying to forward ports on my FreeBSD router. I have recently changed ISPs and now connect using PPPoE. I want to enable access to my flex server remotely

I have added the following to /etc/pf.conf

plex = "32400"

nat on $ext_if from $int_if:network to any -> ($ext_if)

#plex redirect
rdr pass log inet proto tcp from ($ext_if:network) to any port $plex ->

# Plex
pass out quick on $int_if inet proto tcp from any to opis.local port $plex

However, I am unable to connect to my plex sever remotely. I'm not sure why the rules don't work. I think it may be related to using PPPoE.
Make sure to test the connection from outside of your network. Then use tcpdump(1) to see if you're actually receiving the packets on your $ext_if. Then use tcpdump(1) on your $int_if. If you're receiving the packets on $ext_if but get nothing on $int_if you know there's something wrong with your rules.
Because I'm using PPPoE, $ext_if is defined as the virtual interface tun0. I've run tcpdump on this interface, and no traffic shows up.

My device has 2 physical interfaces em1 is the external interface that uses PPPoE to create tun0. em0 is the internal interface that faces my internal network.
I wouldn't think you would need to set up NAT port forwarding (which is actually called PAT) to access Plex remotely, *if* your Plex server and pf machine are the same box. If that is the case then IMHO you do not need to NAT that, just allow port 32400 access on the outside interface address. On the Plex server software you need to have it logged into your account I do believe and another spot to set up remote access (which I never really understood why you have to do in the first place if you didn't want to reach your server via plex.tx site).

If you are using two machines, then yeah PAT on the pf machine is required. Sorry, I'm not a pf guy at all. One last note, coming from a service provider background, most ISPs that do PPPoE use DHCP on that service. So you will have to find a way to keep the connection 'nailed up'. Otherwise if it drops, even just for a second or two, your outside interface public IP address could change.
If you see nothing going out the tun0 interface (and everything being dropped, thus appearing on pflog0), you have to reload the PF ruleset _after_ ppp initiated the connection and created the tun device, or PF will block anything on this device if it appeared after loading the ruleset.

To automate this add an entry to your ppp.linkup:
 shell pfctl -f /etc/pf.conf

This will be executed after connection to "telekom" is made - adjust this to the name of you configuration set in ppp.conf.

We have a branch gateway which also has to connect via pppoe and ~ once a month ppp fails to reload PF after reconnection (german Telekom still enforces a disconnect once every 24h like back in the 1990s :mad:). I suspect this is due to their DSLAM sometimes taking very long to respond (or just blocking any connection/login attempt for a few minutes) and PF being reload before the tun0 interface is up. In this case pf doesn't load any rules (because $ext_if is undefined/not available), which can be detected with a simple script:
if [ `pfctl -sr | wc -l` -lt 1 ]; then
                pfctl -f /etc/pf.conf

I run this once every 10 minutes - it's not pretty, but it does the job and I don't have to spend countless hours with the Telekom hotline, which is pointless as they always blame any problem on your hardware if you're not using their plastic router.
My plex box is different from my gateway machine which is why I need to forward the ports.

I do see random port scans coming to the plex port. I changed it to forward ssh to make it easier to test, and when I tried to connect on what is my public IP address the connection attempt times out, and it doesn't show up in tcpdump.

To me I'm a bit confused, because when I run ifconfig it shows two ip addresses for tun0:

% ifconfig

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500


ether 00:e8:4c:68:1a:f1

hwaddr 00:e8:4c:68:1a:f1

inet netmask 0xffffff00 broadcast


media: Ethernet autoselect (1000baseT <full-duplex>)

status: active



ether 00:e8:4c:68:1a:f2

hwaddr 00:e8:4c:68:1a:f2


media: Ethernet autoselect (1000baseT <full-duplex>)

status: active

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384


inet6 ::1 prefixlen 128

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3

inet netmask 0xff000000


groups: lo

pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

groups: pflog

tun0: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1480


inet 345.80.38.44 --> 345.80.38.5 netmask 0xffffffff

nd6 options=1<PERFORMNUD>

groups: tun

Opened by PID 96507