Netgate Discussion Forum

    Netflix/Prime not being able to login/connect after sometime

    General pfSense Questions
    18 Posts 5 Posters 1.2k Views
    • G
      Gblenn @ftani
      last edited by Gblenn

      @ftani I'm not super good at firewall rules but the three blocking rules that isolate the VLANs seem pretty straightforward. Guessing you have similar rules for each one of them...
      I don't understand that last Pass rule however... It's basically an Allow ALL rule which is something you do not want to have. Not on your default VLAN or any of the other VLANs. Someone else might chime in here but I'd say remove that rule immediately.

      Don't see how it would influence your Netflix or Prime login though...

      Have you checked the logs when this problem happens? Firewall and DNS Resolver for example

      • NogBadTheBadN
        NogBadTheBad @ftani
        last edited by

        @ftani Why is the last rule advanced and why isn't the gateway * ?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • F
          ftani @Gblenn
          last edited by

          Hi @gblenn,

          It seems that if I don't place this rule to allow everything (that is not blocked) to go to whatever destination, then this VLAN loses its connectivity to the Internet. I use my gateway as WAN_PPPOE to keep this VLAN from using my VPN's DNS servers.

          What should I use instead of ALL in my source?

          Any thoughts?

          • F
            ftani @NogBadTheBad
            last edited by

            Hi @nogbadthebad,

            I use a set gateway to make sure that all outgoing connections using this VLAN use the DNS servers set for the router and not the one set for the VPN:

            0a207136-25ab-4b5f-929c-528335f03488-image.png

            Is this correct or am I making a mistake?

            • G
              Gblenn @ftani
              last edited by

              @ftani Hmm, I have never used PPPoE but is that a requirement from your ISP? Are you saying that it is possible for you to use DHCP but you don't want the ISP to provide DNS?

              Either way, DNS provided by your ISP via DHCP, or PPPoE for that matter, is not used by pfSense unless you specifically tell it to. Also, the DNS servers you specify in that list are only used by pfSense (internal use) and not applied to clients unless you use Forwarding mode in the resolver. If you do want to use the ISP provided DNS (also via PPP) you need to tick the box down below.

              As default pfSense uses Resolver mode which reaches out to root servers, higher up in the hierarchy from those you listed. And unless you specify it in the DHCP Server, all clients will be using these for their DNS.

              Not sure why but could it be so that your ISP is blocking these servers, for some reason?

              Go into your DHCP Server settings and specify those same DNS Servers in the Server list. After that you need all clients to renew their lease somehow, rebooting or doing ipconfig /release and ipconfig /renew. From now on, all clients will be using those DNS servers, regardless of what you have specified elsewhere or what your ISP is offering you.

              Then remove (or disable) that firewall rule to see if things work as expected.

              • NogBadTheBadN
                NogBadTheBad @Gblenn
                last edited by NogBadTheBad

                Using * for the gateway would use the default gateway.

                Have you got some PIA connections via Nord / Express VPN? If you follow their instructions it makes the PIA the default gateway; there is a "Don't pull routes" option.

                You do need the pass rule at the bottom.

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  My guess here is that you have multiple gateways configured and the system default gateway still set to auto. At some point, after a day or so, you see a gateway event on the main gateway and the system switches the default to another gateway. Whatever that is, the Netflix/Prime client objects to traffic coming from it.

                  The source on the firewall rule should probably be 'LAN net', or whatever that subnet is. But using 'any' there would still work.

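The two conditions raised in the replies above (several gateways with the system default left on automatic, and a pass rule whose source is "any") can be checked offline against a configuration backup. The following is an added example, not part of the original thread and not Netgate code; the XML is a constructed sample, and the element names (`gateway_item`, `defaultgw4`, `filter/rule`) and the meaning of an empty `defaultgw4` are assumptions about the pfSense config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml backup (assumed layout).
SAMPLE = """<pfsense>
  <gateways>
    <gateway_item><name>WAN_PPPOE</name><interface>wan</interface></gateway_item>
    <gateway_item><name>VPN_CLIENT</name><interface>opt4</interface></gateway_item>
    <defaultgw4></defaultgw4>
  </gateways>
  <filter>
    <rule><type>block</type><interface>opt1</interface>
      <source><network>opt1</network></source>
      <destination><network>lan</network></destination></rule>
    <rule><type>pass</type><interface>opt1</interface><gateway>WAN_PPPOE</gateway>
      <source><any/></source><destination><any/></destination></rule>
    <rule><type>pass</type><interface>lan</interface>
      <source><network>lan</network></source><destination><any/></destination></rule>
  </filter>
</pfsense>"""

def audit(xml_text):
    """Return (finding, detail) tuples for the conditions discussed in the thread."""
    root = ET.fromstring(xml_text)
    findings = []
    names = [g.findtext("name") for g in root.findall("./gateways/gateway_item")]
    default = (root.findtext("./gateways/defaultgw4") or "").strip()
    # Assumption: an empty defaultgw4 means the default gateway is "Automatic",
    # so a gateway event can move the default to another gateway (e.g. a VPN).
    if len(names) > 1 and default == "":
        findings.append(("auto-default-gateway", ", ".join(names)))
    for rule in root.findall("./filter/rule"):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue
        iface = rule.findtext("interface")
        # Source "any" on an internal interface is broader than "<interface> net".
        if rule.find("./source/any") is not None:
            findings.append(("pass-source-any", iface))
        # A gateway set on the rule means policy routing: it bypasses the default.
        if rule.findtext("gateway"):
            findings.append(("policy-routed", f"{iface} -> {rule.findtext('gateway')}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE):
        print(f"{kind}: {detail}")
```
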
                  • F
                    ftani @stephenw10
                    last edited by

                    Hi @stephenw10, @Gblenn and @NogBadTheBad,

                    I got your point about the gateway and, as a test, I removed all the configuration regarding the OpenVPN client and let's see how it goes.

                    I'm having issues with the VPN as well as it is constantly going down. A few days ago I was with Nord VPN support and they told me that installing the VPN in the pfSense is not supported for v2.6.0, only up to v2.5.x.

                    If the VPN configuration was the issue (multiple gateways), it should have been solved now, as I removed it all from the pfSense. If not, I'll restore the backup and try something else.

                    I'll come back with the results.

                    • stephenw10S
                      stephenw10 Netgate Administrator @ftani
                      last edited by

                      @ftani said in Netflix/Prime not being able to login/connect after sometime:

                      they told me that installing the VPN in the pfSense is not supported for v2.6.0, only up to v2.5.x.

                      They may be conflating that with OpenVPN 2.6 which was only just released a few days ago and isn't in pfSense 2.6. I wouldn't expect any issues connecting from pfSense 2.6.

                      Steve

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @ftani
                        last edited by

                        @ftani said in Netflix/Prime not being able to login/connect after sometime:

                        Nord VPN support and they told me that installing the VPN in the pfSense is not supported for v2.6.0, only up to v2.5.x.

                        They don't have a clue - just another example of that.. See the thread around here about their so called "guide"...

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by

                          Mmm, I don't have much confidence!

                          Their docs cover several pfSense versions (which is quite impressive really) but only up to 2.5.
                          They probably simply haven't updated them.

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @stephenw10
                            last edited by

                            @stephenw10 said in Netflix/Prime not being able to login/connect after sometime:

                            They probably simply haven't updated them.

                            Maybe they remove the nonsense about using your self signed gui cert <rolleyes>

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            • F
                              ftani @johnpoz
                              last edited by

                              Hi @johnpoz,

                              You mentioned the configuration guide from NordVPN is not exactly perfect; do you know where I can find a more useful one? I'd like to have a VLAN with a permanent VPN connection.

                              • G
                                Gblenn @ftani
                                last edited by Gblenn

                                @ftani Lawrence Systems has a good instruction video on setting up OpenVPN. Still on 2.5.2 but I don't think it matters...
                                https://www.youtube.com/watch?v=ulRgecz0UsQ
                                One thing I thought of is what he mentions about "Don't pull routes" item in the setup of OpenVPN (around 7:20 min into the video). If suddenly all traffic is going through the VPN, Netflix/Prime may be blocking the server you are going through...

                                And the rules you pasted at the top. I assumed all of them were WAN rules based on the first two which are the typical default blocking of rfc1918/reserved. But I just realized that perhaps you pasted the other 4 rules from the LAN side?

                                • F
                                  ftani @Gblenn
                                  last edited by

                                  Hi @gblenn,

                                  Thanks for the video, I'll definitely check it out. I learned a lot about pfSense by watching his videos when I was doing my setup.

                                  About the rules, I got them from a video from Stefan Rows; it was a video from Udemy but he is also on YouTube.

                                  8f42bdbc-3611-4608-bb53-86de96e02be8-image.png

                                  So, my current rules are:

                                  f850ed03-bd6b-4620-b9fd-f9a672401af0-image.png

                                  For the WAN:

                                  ce52625e-510e-464d-b602-3de53cb821ae-image.png

                                  For the LAN:

                                  27cbb2f8-5b1e-470d-bb63-b5445327fec4-image.png

                                  And for the IoT (Home and Guest are similar):

                                  728a774c-3774-43dd-a8da-f44037b160a6-image.png

                                  Am I configuring it wrong?

                                  • G
                                    Gblenn @ftani
                                    last edited by

                                    @ftani Now it starts to make sense, except the two block private networks rules under IOT (and the other VLANs). Those rules only belong on the WAN side, which you already have...

                                    • F
                                      ftani @Gblenn
                                      last edited by

                                      Hi, after I removed everything related to the VPN in my settings, both Netflix and Prime Video have been working for the last few days...

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.