diff --git a/hosts/router.home.ts.hillion.co.uk/default.nix b/hosts/router.home.ts.hillion.co.uk/default.nix
index d16e218..8a59746 100644
--- a/hosts/router.home.ts.hillion.co.uk/default.nix
+++ b/hosts/router.home.ts.hillion.co.uk/default.nix
@@ -96,6 +96,8 @@
 "eth2",
 } ct state established,related counter accept comment "Allow established back to LANs"
+ ip daddr 10.64.50.20 tcp dport 32400 counter accept comment "Plex"
+ ip daddr 10.64.50.20 tcp dport 8444 counter accept comment "Chia"
 ip daddr 10.64.50.20 tcp dport 28967 counter accept comment "zfs.tywin.storj"
 ip daddr 10.64.50.20 udp dport 28967 counter accept comment "zfs.tywin.storj"
@@ -111,6 +113,9 @@
 table ip nat {
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
+
+ iifname eth0 tcp dport 32400 counter dnat to 10.64.50.20
+ iifname eth0 tcp dport 8444 counter dnat to 10.64.50.20
 iifname eth0 tcp dport 28967 counter dnat to 10.64.50.20
 iifname eth0 udp dport 28967 counter dnat to 10.64.50.20
diff --git a/hosts/tywin.storage.ts.hillion.co.uk/default.nix b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
index 00659d1..6a1a0b2 100644
--- a/hosts/tywin.storage.ts.hillion.co.uk/default.nix
+++ b/hosts/tywin.storage.ts.hillion.co.uk/default.nix
@@ -251,6 +251,13 @@
 tvPath = "/data/media/tv";
 };
+ ## Plex
+ users.users.plex.extraGroups = [ "mediaaccess" ];
+ services.plex = {
+ enable = true;
+ openFirewall = true;
+ };
+
 ## Firewall
 networking.firewall.interfaces."tailscale0".allowedTCPPorts = [
 80 # Caddy (restic.tywin.storage.ts.)
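Review bot: In the first hunk of hosts/router.home.ts.hillion.co.uk/default.nix, the two new forward rules for 10.64.50.20 (tcp 32400 "Plex" and tcp 8444 "Chia") match on destination and port only, so they accept that traffic from any interface rather than only the WAN connections the new DNAT entries create. If the intent is just to pass port-forwarded traffic, scoping them as `iifname eth0 ip daddr 10.64.50.20 tcp dport 32400 ct status dnat counter accept comment "Plex"` (and likewise for 8444) keeps other segments from reaching the host through this rule. The existing storj rules follow the same unscoped pattern, and the chain header is outside the hunk, so an earlier interface match may already apply. Since this puts the Plex login surface on the public internet, a short comment saying why a public forward is needed would help later review.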
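Review bot: In the second hunk of the router file, the new `chain prerouting` DNAT lines for tcp 32400 and 8444 carry no `comment`, while the matching forward rules are labelled "Plex" and "Chia". Appending `comment "Plex"` and `comment "Chia"` to the two `dnat to 10.64.50.20` rules would keep their counters attributable when the ruleset is listed during an audit or incident. Port 8444 is forwarded from eth0 to 10.64.50.20, but nothing in this commit enables a Chia service on that host, so it is worth confirming a listener is intended there before the port is opened to the WAN. The rest of the chain lies outside the hunk.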
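Review bot: In hosts/tywin.storage.ts.hillion.co.uk/default.nix, `openFirewall = true;` under `services.plex` opens the module's whole Plex port set on every interface, while the firewall section just below scopes ports to `tailscale0`. Only tcp 32400 is forwarded by the router in this commit, so the additional discovery/DLNA ports the NixOS module opens are extra exposure on the local segments. Consider `openFirewall = false;` plus `networking.firewall.interfaces."<lan-iface>".allowedTCPPorts = [ 32400 ];`, where `<lan-iface>` is a placeholder for the interface that receives the forwarded traffic. A one-line comment on `users.users.plex.extraGroups = [ "mediaaccess" ];` stating whether that group grants read-only or write access to the media paths would also help; the group definition is not visible in this hunk.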