PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs

usedtolosing

You have to enable IPV6 from lan to wan.

I had the same issue. My guess is that it is part of the anti-VPN measures Netflix et Al have put in place

Yanik

@ccnewb
Hey,
Are you using DNS Resolver?

Gertjan

@yanik @usedtolosing : why are you replying against a 4 years old thread ?

usedtolosing

@gertjan because I found a solution, and I had a problem.

Google still returns search results for old threads.

Why are you replying to a 4 year old thread?

Gertjan

@usedtolosing said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

Google still returns search results for old threads.

pfSense, dated 4 years ago has close to nothing to do with pfSense today.
Like applying a Windows XP solution on Wiondows 10.
Are you using a pfSense version from 2017 ?

truetype

@usedtolosing
How did you enable IPv6 from LAN to WAN?
This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast.

incith

@truetype said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

@usedtolosing
How did you enable IPv6 from LAN to WAN?
This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast.

Yup, I am facing this crazy issue tonight.

Netflix will not let my android login. If I switch off of using pfSense DNS then it works immediately every time.

This is so bizarre. There is nothing in the firewall logs. Nothing. Even pcap is useless, it's like it doesn't show any traffic because the client never gets a DNS response for Netflix. So it never tries to connect.

It is 100% something with DNS. Even if I connect to another vlan it's the same problem. I disabled all firewalling, everything, changed firewall to use Google DNS...last resort would be to try disabling caching I guess.

I'm a senior network admin and this problem is driving me crazy.

Edit: enabling DNS forwarding mode fixes the issue. This is definitely some kind of unbound issue....SO weird.

incith

After some further reading this appears to be due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.

When googling e.g 'unbound netflix' more information seems to be coming up. Unbound does support ECS but I've no idea how to go about enabling that in pfSense.

Some workarounds are to set forwarding zones for specific hostnames so that it always sends queries for those domains to upstream servers (hence why forwarding mode works immediately). But it gets cumbersome as Netflix has many hostnames.

E.g:

forward-zone: name: "netflix.com"
forward-addr: 8.8.8.8

From https://www.reddit.com/r/pihole/comments/n5ne6b/pihole_unbound_netflix_issues/

Gertjan

@incith

If people /networks that use pfSense as a firewall router had issues using 'netflix.com' then this would be a hot, ongoing issue on this forum, the unbound support forum, etc.
Actually, every FreeBSD user, as FreeBSD uses unbound by default, would face the issue.
And more : Netflix itself is one of FreeBSD's biggest FreeBSD users .....

So, I say it upfront : sorry for not being able to help, but : what did you do to not making it work ?
It's not hard to create a default pfSrnse installation : after install, connect the WAN.
LAN : same thing - don't use any VLAN stuff... keep the one and only default LAN firewall rule.
Just change the password.
Do not add or change anything related to DNS, as pfSense uses unbound, a solver, so nothing (like zero) is needed to make DNS work.

netflix works ....
Now, get your setup back to what it is now .... netflix doesn't work.

You've found the issue ;)

stephenw10

So this is not an IPv6 specific issue?

I've never seen an issue logging into Neflix with an Android based smart TV behind pfSense here. It could be regional I guess.

incith

@stephenw10 I don't have a Chromecast, specifically this seems to be android phones.

As to why just android phones .. I don't know.

Definitely a DNS thing and not an ipv6 thing.

johnpoz

@incith Only android devices I have is a tablet, and firetv stick thing - I just checked both - and no issues accessing netflix. While I have ipv6 via a HE tunnel, the network my firetv and tablet are on don't have Ipv6 enabled.

provels

@stephenw10 said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

It could be regional I guess.

I have READ that they are not VPN friendly. Carry on.
And greetings from The Future!

incith

@johnpoz For me it was specifically logging in. It worked fine until I logged out, then the sign on screen would not come back on first launch (clear data on app).

I also noticed the Netflix app aggressively trying to use 8.8.8.8 and 8.8.4.4 but I had external DNS blocked.

Unblocking those did not resolve the issue either.
Also was happening on wife's phone. I had full dnssec enabled, not sure if that matters.

On my phone, specifying public DNS servers would immediately present the login page again. But no matter what I did on pfSense it would never work.

Occasionally, one time, out of dozens of attempts if would load the login screen - but only once. Second attempt back to nothing. It's like every now and then after flushing the cache I'd get the very first DNS response that perhaps has ecs data. I had dnssec enabled etc etc, and tls DNS. Even disabling all of that didn't work.

Disabled pfblocker, suricata, arpwatch, etc. Nothing worked. Nothing in the logs at all (just the 8.8.8.8 being blocked originally - and I was like "oh this will be an easy fix...I'll just allow Google DNS." Nope.)

Honestly, this is slightly out of my realm but I am 100% convinced it is DNS related.

stephenw10

Mmm, FireTV and GoogleTV (or whatever they were calling it) are both Android based and I'd expect to hit something like this.

It's possible they use a different (older?) version of the Netflix app which doesn't include this 'feature' I guess.

johnpoz

@incith said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.

The module is not enabled in unbound that is on pfsense AFAIK, and testing points to that being the case.. So for example if I do a query to pfsense to

$ dig TXT whoami.ds.akahelp.net @192.168.9.253 +short
"ns" "209.snipped"

This is my IP where the query came from.. but listed as NS since yeah that would be the IP where the query came from when resolving. If I query say 8.8.8.8 I get back

$ dig TXT whoami.ds.akahelp.net @8.8.8.8 +short
"ip" "209.snipped"
"ecs" "209.snipped/24/24"
"ns" "172.253.192.78"

Where the ecs is the /24 my IP is on.. the IP is reported as my public IP, also correct, and the ns is whatever google ns actually did the query to get the record.

Not sure why you think that should cause you not to be able to connect to netflix?

incith

@johnpoz again it doesn't appear to be the actual 'connection to netflix', either it can't locate an appropriate regional login server or who knows. I haven't investigated that far.

In my testing, this was the solution, and seemingly for others online as well - the only common variable being ECS.

If there was something else blocking the connection I would have seen it in pcaps or etc. The fact it works immediately when forwarding DNS requests...

If not ECS, it will STILL be a DNS issue of some kind. My money is on ECS.

Netflix does a ton of anti-vpn stuff from what I've read and I feel this is the likely reason - but that's just a guess. Since they don't know where you're connecting from in the ecs they reject it.

incith

I'd be more than happy to reproduce the results if wanted. Any insight I can provide, I will.

stephenw10

I agree, it's probably DNS. It's always DNS!

There's a lot of speculation that it's ECS but I don't see any actual proof of that in some brief searching. Yet.

johnpoz

@incith so again, ecs is not a thing with current unbound installed on pfsense

I just logged out of my netflix client on my android tablet.. I have a block to any other dns, and yup the stupid client is trying to use google pretty hard.. But its blocked, and the only dns it can use is my local dns.. Which just resolves.

And able to login to netflix just fine on the tablet, even though blocking google, and not sending any ecs..

While you very well could have a dns related problem, I highly doubt its a ecs problem - because well unbound isn't going to be sending any ecs info, since the module is not enabled in the one on pfsense. And you sure do not need to send that info to be able to login to netflix..

If you believe its a dns related problem - simple sniff of your clients dns traffic, see what it asks for, see what doesn't get answered.. Packet capture on pfsense for your clients IP on port 53.. Is there something its asking of dns that doesn't get answered?

Along with looking at dns, you could just capture all the clients traffic - is there something other than google dns its trying to talk to that doesn't get answered..