Netgate Discussion Forum

    PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs

    • U
      usedtolosing
      last edited by

      You have to enable IPv6 from LAN to WAN.

      I had the same issue. My guess is that it is part of the anti-VPN measures Netflix et al. have put in place.

      T 1 Reply Last reply Reply Quote 0
      • YanikY
        Yanik @CCNewb
        last edited by

        @ccnewb
        Hey,
        Are you using DNS Resolver?

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @Yanik
          last edited by

          @yanik @usedtolosing : why are you replying to a 4-year-old thread?

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          1 Reply Last reply Reply Quote 0
          • U
            usedtolosing
            last edited by

            @gertjan because I found a solution, and I had a problem.

            Google still returns search results for old threads.

            Why are you replying to a 4 year old thread?

            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @usedtolosing
              last edited by

              @usedtolosing said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

              Google still returns search results for old threads.

              pfSense, dated 4 years ago has close to nothing to do with pfSense today.
              Like applying a Windows XP solution on Windows 10.
              Are you using a pfSense version from 2017 ?


              1 Reply Last reply Reply Quote 0
              • T
                truetype @usedtolosing
                last edited by

                @usedtolosing
                How did you enable IPv6 from LAN to WAN?
                This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast.

                I 1 Reply Last reply Reply Quote 0
                • I
                  incith @truetype
                  last edited by incith

                  @truetype said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

                  @usedtolosing
                  How did you enable IPv6 from LAN to WAN?
                  This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast.

                  Yup, I am facing this crazy issue tonight.

                  Netflix will not let my android login. If I switch off of using pfSense DNS then it works immediately every time.

                  This is so bizarre. There is nothing in the firewall logs. Nothing. Even pcap is useless, it's like it doesn't show any traffic because the client never gets a DNS response for Netflix. So it never tries to connect.

                  It is 100% something with DNS. Even if I connect to another vlan it's the same problem. I disabled all firewalling, everything, changed firewall to use Google DNS...last resort would be to try disabling caching I guess.

                  I'm a senior network admin and this problem is driving me crazy.

                  Edit: enabling DNS forwarding mode fixes the issue. This is definitely some kind of unbound issue....SO weird.

                  I 1 Reply Last reply Reply Quote 0
                  • I
                    incith @incith
                    last edited by incith

                    After some further reading this appears to be due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.

                    When googling e.g 'unbound netflix' more information seems to be coming up. Unbound does support ECS but I've no idea how to go about enabling that in pfSense.

                    Some workarounds are to set forwarding zones for specific hostnames so that it always sends queries for those domains to upstream servers (hence why forwarding mode works immediately). But it gets cumbersome as Netflix has many hostnames.

                    E.g:

                    forward-zone:
                        name: "netflix.com"
                        forward-addr: 8.8.8.8
                    

                    From https://www.reddit.com/r/pihole/comments/n5ne6b/pihole_unbound_netflix_issues/

                    GertjanG johnpozJ 2 Replies Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @incith
                      last edited by

                      @incith


                      If people /networks that use pfSense as a firewall router had issues using 'netflix.com' then this would be a hot, ongoing issue on this forum, the unbound support forum, etc.
                      Actually, every FreeBSD user, as FreeBSD uses unbound by default, would face the issue.
                      And more : Netflix itself is one of FreeBSD's biggest FreeBSD users .....

                      So, I say it upfront : sorry for not being able to help, but : what did you do to make it not work ?
                      It's not hard to create a default pfSense installation : after install, connect the WAN.
                      LAN : same thing - don't use any VLAN stuff... keep the one and only default LAN firewall rule.
                      Just change the password.
                      Do not add or change anything related to DNS, as pfSense uses unbound, a resolver, so nothing (like zero) is needed to make DNS work.

                      netflix works ....
                      Now, get your setup back to what it is now .... netflix doesn't work.

                      You've found the issue ;)


                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        So this is not an IPv6 specific issue?

                        I've never seen an issue logging into Netflix with an Android based smart TV behind pfSense here. It could be regional I guess.

                        I provelsP 2 Replies Last reply Reply Quote 0
                        • I
                          incith @stephenw10
                          last edited by

                          @stephenw10 I don't have a Chromecast, specifically this seems to be android phones.

                          As to why just android phones .. I don't know.

                          Definitely a DNS thing and not an ipv6 thing.

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @incith
                            last edited by

                            @incith Only android devices I have is a tablet, and firetv stick thing - I just checked both - and no issues accessing netflix. While I have ipv6 via a HE tunnel, the network my firetv and tablet are on don't have IPv6 enabled.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            I 1 Reply Last reply Reply Quote 0
                            • provelsP
                              provels @stephenw10
                              last edited by

                              @stephenw10 said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

                              It could be regional I guess.

                              I have READ that they are not VPN friendly. Carry on.
                              And greetings from The Future!

                              Peder

                              MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                              BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                              1 Reply Last reply Reply Quote 0
                              • I
                                incith @johnpoz
                                last edited by

                                @johnpoz For me it was specifically logging in. It worked fine until I logged out, then the sign on screen would not come back on first launch (clear data on app).

                                I also noticed the Netflix app aggressively trying to use 8.8.8.8 and 8.8.4.4 but I had external DNS blocked.

                                Unblocking those did not resolve the issue either.
                                Also was happening on wife's phone. I had full dnssec enabled, not sure if that matters.

                                On my phone, specifying public DNS servers would immediately present the login page again. But no matter what I did on pfSense it would never work.

                                Occasionally, one time, out of dozens of attempts it would load the login screen - but only once. Second attempt back to nothing. It's like every now and then after flushing the cache I'd get the very first DNS response that perhaps has ecs data. I had dnssec enabled etc etc, and tls DNS. Even disabling all of that didn't work.

                                Disabled pfblocker, suricata, arpwatch, etc. Nothing worked. Nothing in the logs at all (just the 8.8.8.8 being blocked originally - and I was like "oh this will be an easy fix...I'll just allow Google DNS." Nope.)

                                Honestly, this is slightly out of my realm but I am 100% convinced it is DNS related.

                                1 Reply Last reply Reply Quote 0
                                • stephenw10S
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  Mmm, FireTV and GoogleTV (or whatever they were calling it) are both Android based and I'd expect to hit something like this.

                                  It's possible they use a different (older?) version of the Netflix app which doesn't include this 'feature' I guess.

                                  1 Reply Last reply Reply Quote 0
                                  • johnpozJ
                                    johnpoz LAYER 8 Global Moderator @incith
                                    last edited by

                                    @incith said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:

                                    due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.

                                    The module is not enabled in unbound that is on pfsense AFAIK, and testing points to that being the case.. So for example if I do a query to pfsense to

                                    $ dig TXT whoami.ds.akahelp.net @192.168.9.253 +short
                                    "ns" "209.snipped"
                                    

                                    This is my IP where the query came from.. but listed as NS since yeah that would be the IP where the query came from when resolving. If I query say 8.8.8.8 I get back

                                    $ dig TXT whoami.ds.akahelp.net @8.8.8.8 +short
                                    "ip" "209.snipped"
                                    "ecs" "209.snipped/24/24"
                                    "ns" "172.253.192.78"
                                    

                                    Where the ecs is the /24 my IP is on.. the IP is reported as my public IP, also correct, and the ns is whatever google ns actually did the query to get the record.

                                    Not sure why you think that should cause you not to be able to connect to netflix?


                                    I 1 Reply Last reply Reply Quote 0
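
What the "ecs" line in the dig output above corresponds to on the wire, as an added example that is not part of any post in this thread: the code builds a DNS query with or without an EDNS Client Subnet option (RFC 7871) and extracts that option from raw message bytes. The function names and the 203.0.113.0/24 documentation subnet are constructed for illustration.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41      # EDNS0 pseudo-record (RFC 6891)
ECS_OPTION_CODE = 8   # EDNS Client Subnet option (RFC 7871)

def build_query(qname, ecs_subnet=None, qtype=16, txid=0x1234):
    """Build a DNS query; ecs_subnet such as '203.0.113.0/24' adds an ECS option."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs_subnet else 0)
    msg += name + struct.pack("!HH", qtype, 1)
    if ecs_subnet:
        net = ipaddress.ip_network(ecs_subnet)
        # Only the bytes covered by the source prefix go on the wire.
        addr = net.network_address.packed[: (net.prefixlen + 7) // 8]
        ecs = struct.pack("!HBB", 1 if net.version == 4 else 2, net.prefixlen, 0) + addr
        rdata = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
        # OPT RR: root name, type 41, class = UDP payload size, TTL = flags.
        msg += b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 1232, 0, len(rdata)) + rdata
    return msg

def skip_name(msg, off):
    """Return the offset just past a name (labels or a compression pointer)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def find_ecs(msg):
    """Return (subnet, scope_prefix) from the message's OPT record, or None."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        pos = 0
        while rtype == OPT_RR_TYPE and pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body, pos = rdata[pos + 4:pos + 4 + olen], pos + 4 + olen
            if code == ECS_OPTION_CODE:
                family, src, scope = struct.unpack("!HBB", body[:4])
                addr = body[4:].ljust(4 if family == 1 else 16, b"\x00")
                return f"{ipaddress.ip_address(addr)}/{src}", scope
    return None

if __name__ == "__main__":
    for subnet in (None, "203.0.113.0/24"):   # constructed sample input
        print(subnet, "->", find_ecs(build_query("whoami.ds.akahelp.net", subnet)))
```

Feeding `find_ecs` the UDP payload of a query captured on the resolver's upstream side shows whether that resolver attaches a client subnet at all.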
                                    • I
                                      incith @johnpoz
                                      last edited by

                                      @johnpoz again it doesn't appear to be the actual 'connection to netflix', either it can't locate an appropriate regional login server or who knows. I haven't investigated that far.

                                      In my testing, this was the solution, and seemingly for others online as well - the only common variable being ECS.

                                      If there was something else blocking the connection I would have seen it in pcaps or etc. The fact it works immediately when forwarding DNS requests...

                                      If not ECS, it will STILL be a DNS issue of some kind. My money is on ECS.

                                      Netflix does a ton of anti-vpn stuff from what I've read and I feel this is the likely reason - but that's just a guess. Since they don't know where you're connecting from in the ecs they reject it.

                                      I johnpozJ 2 Replies Last reply Reply Quote 0
                                      • I
                                        incith @incith
                                        last edited by

                                        I'd be more than happy to reproduce the results if wanted. Any insight I can provide, I will.

                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          I agree, it's probably DNS. It's always DNS! 😉

                                          There's a lot of speculation that it's ECS but I don't see any actual proof of that in some brief searching. Yet.

                                          provelsP 1 Reply Last reply Reply Quote 0
                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator @incith
                                            last edited by johnpoz

                                            @incith so again, ecs is not a thing with current unbound installed on pfsense

                                            I just logged out of my netflix client on my android tablet.. I have a block to any other dns, and yup the stupid client is trying to use google pretty hard.. But it's blocked, and the only dns it can use is my local dns.. Which just resolves.

                                            block.jpg

                                            And able to login to netflix just fine on the tablet, even though blocking google, and not sending any ecs..

                                            While you very well could have a dns related problem, I highly doubt it's an ecs problem - because well unbound isn't going to be sending any ecs info, since the module is not enabled in the one on pfsense. And you sure do not need to send that info to be able to login to netflix..

                                            If you believe it's a dns related problem - simple sniff of your client's dns traffic, see what it asks for, see what doesn't get answered.. Packet capture on pfsense for your client's IP on port 53.. Is there something it's asking of dns that doesn't get answered?

                                            Along with looking at dns, you could just capture all the client's traffic - is there something other than google dns it's trying to talk to that doesn't get answered..


                                            I 1 Reply Last reply Reply Quote 0
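
The port 53 capture check suggested in the post above, as an added example that is not part of any post in this thread: it pairs DNS queries with responses in `tcpdump -n` style text output and lists lookups that were never answered or came back with an error code. The capture lines, addresses and hostnames are constructed, and `dns_problems` is a hypothetical helper name.

```python
import re

# Matches tcpdump -n text output for UDP DNS, for example:
# "... IP 192.168.9.50.41234 > 192.168.9.253.53: 4660+ A? www.example.com. (33)"
LINE = re.compile(
    r"IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rest>.*)"
)
QUERY = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
RCODES = ("NXDomain", "ServFail", "Refused", "FormErr", "NotImp")

def dns_problems(lines, client_ip):
    """Return (unanswered, failed) DNS lookups sent by client_ip."""
    pending, failed = {}, []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        if m["src"] == client_ip and m["dport"] == "53":
            q = QUERY.search(m["rest"])
            if q:
                # A response must come back from the same server, to the
                # same client port, with the same transaction ID.
                key = (m["sport"], m["dst"], m["txid"])
                pending[key] = (q["qtype"], q["qname"], m["dst"])
        elif m["dst"] == client_ip and m["sport"] == "53":
            asked = pending.pop((m["dport"], m["src"], m["txid"]), None)
            rcode = next((r for r in RCODES if r in m["rest"]), None)
            if asked and rcode:
                failed.append(asked + (rcode,))
    return sorted(pending.values()), failed

# Constructed capture: one answered lookup, one ignored by the local
# resolver, one sent to a blocked external resolver, one SERVFAIL.
SAMPLE = """\
12:00:01.000101 IP 192.168.9.50.41234 > 192.168.9.253.53: 4660+ A? www.example.com. (33)
12:00:01.020412 IP 192.168.9.253.53 > 192.168.9.50.41234: 4660 1/0/0 A 198.51.100.7 (49)
12:00:01.100200 IP 192.168.9.50.41235 > 192.168.9.253.53: 4661+ A? login.example.net. (35)
12:00:02.100950 IP 192.168.9.50.41236 > 8.8.8.8.53: 4662+ A? login.example.net. (35)
12:00:02.300111 IP 192.168.9.50.41237 > 192.168.9.253.53: 4663+ AAAA? api.example.org. (33)
12:00:02.310733 IP 192.168.9.253.53 > 192.168.9.50.41237: 4663 ServFail 0/0/0 (33)
""".splitlines()

if __name__ == "__main__":
    unanswered, failed = dns_problems(SAMPLE, "192.168.9.50")
    print("unanswered:", unanswered)
    print("failed:", failed)
```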
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.