If you use NGINX proxy manager you’ll also be able to use a FQDN with SSL for your local services without them being exposed to the internet. It means your local users won’t see the scary insecure page when they access services.
You can even set your public DNS records to have Plex.yourdomain.tld point to the local IP of NGINX, removing the need for local DNS entirely. That way, if you do need to access a service from outside with Tailscale, their subnet router feature will just work out of the box.
Porkbun are still offering a free .dev or .app domain if you don’t already have one: https://porkbun.com/event/freeappdevdomain
I use Let's Encrypt a lot; if firewalls are an issue I'll use DNS authentication.
If you are struggling and need a quick fix, the free tier of ZeroSSL will do a similar thing:
https://zerossl.com/
I used it to get a cert for my printer.
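As an added illustration of the setup the thread describes (a public hostname with a publicly trusted certificate, terminated by NGINX, for a service that is only reachable on the LAN), here is an NGINX server block. It is example configuration written for this page, not anything posted by the commenters or shipped with NGINX Proxy Manager; the hostname `plex.example.com`, the LAN addresses, the certificate paths and the upstream port are placeholders to adapt to your own network.

```nginx
# Added example: NGINX terminating TLS for a LAN-only service behind a public
# hostname. All names, addresses and paths below are placeholders.
#
# Public DNS record (at your registrar) pointing the name at NGINX's LAN IP:
#   plex.example.com.  300  IN  A  192.168.1.10
#
# Certificate from Let's Encrypt using the DNS-01 challenge, so nothing on the
# LAN needs to accept inbound connections from the internet:
#   certbot certonly --manual --preferred-challenges dns -d plex.example.com

server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate     /etc/letsencrypt/live/plex.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Defence in depth: the name resolves publicly, but only LAN (and, if you
    # use it, Tailscale subnet-router) clients should ever reach the service.
    allow 192.168.1.0/24;
    deny  all;

    location / {
        # Upstream is the service's own LAN address and port (Plex listens on
        # 32400 by default; plain HTTP is fine here because it never leaves
        # the LAN).
        proxy_pass http://192.168.1.20:32400;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Send any plain-HTTP request to the TLS listener.
server {
    listen 80;
    server_name plex.example.com;
    return 301 https://$host$request_uri;
}
```

Two practical notes: `certbot --manual` prompts you to create the `_acme-challenge` TXT record by hand and will not renew unattended unless you supply `--manual-auth-hook` or switch to a DNS plugin for your provider; and some resolvers with DNS-rebinding protection (for example dnsmasq with `--stop-dns-rebind`, which several router firmwares enable by default) will refuse public answers that point at private addresses, so if the trick in the second comment does not resolve for you, check the resolver before the record.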