RTMP streaming is blocked
-
I experienced that RTMP streaming gets blocked.
I started a topic in the past (locked now) but the problem remained.
rtmp, rtmpt, rtmpe, … all are blocked.
In one of the videos I'm trying to access, I get a Server not found: rtmpt://.... error.
pfSense uses the Squid proxy; I already tried transparent and non-transparent mode.
The Squid filter has been turned off for testing purposes and I (temporarily) allowed all TCP/UDP traffic from * to * on LAN and WAN with allow IP-options, but still the streaming gets blocked.
A tcpdump of one computer trying to access such a stream is included.
I tried both tests on this page and got this outcome:
WIN 11,4,402,265
RMTP Default Success 47.8s
RMTP Port 1935 Failed 15.4s
RMTP Port 80 Failed 15.4s
RMTP Port 443 Failed 15.4s
RMTPT (Tunneling) Default Success 2.7s
RMTPT (Tunneling) Port 80 Success 2.7s
RMTPT (Tunneling) Port 443 Success 2.7s
RMTPT (Tunneling) Port 1935 Success 2.7s
WIN 11,4,402,265
RTMP DEFAULT TimeOut
RTMP 80 Failed
RTMP 443 Failed
RTMP 1935 Failed
RTMPT DEFAULT Success
RTMPT 80 Success
RTMPT 443 Success
RTMPT 1935 Success
packetcapture_klazoid.txt
-
I did a clean install of pfSense (2.1 snapshot) and installed Squid as proxy (port 8080). With this setup I'm unable to watch any movie from this page: http://www.deredactie.be/cm/vrtnieuws/mediatheek
I'm starting to wonder if it's my/pfSense's fault or a faulty setup of the way the website tries to stream the data over rtmp.
-
From behind a 2.0.1 Nano install I am seeing:
WIN 11,3,300,271
RMTP Default Success 2s
RMTP Port 1935 Success 2s
RMTP Port 80 Success 2s
RMTP Port 443 Success 2s
RMTPT (Tunneling) Default Success 5.8s
RMTPT (Tunneling) Port 80 Success 5.6s
RMTPT (Tunneling) Port 443 Success 6.2s
RMTPT (Tunneling) Port 1935 Success 6.2s
WIN 11,3,300,271
RTMP DEFAULT Success
RTMP 80 Success
RTMP 443 Success
RTMP 1935 Success
RTMPT DEFAULT Success
RTMPT 80 Success
RTMPT 443 Success
RTMPT 1935 Success
Not running Squid.
Steve
-
running on win7 x64 box in firefox, behind pfsense
2.1-BETA0 (i386)
built on Thu Sep 13 04:24:49 EDT 2012
FreeBSD 8.3-RELEASE-p4
With gitsync as of a couple of days ago.
Not using any proxies at all in pfsense.
WIN 11,4,402,265
RMTP Default Success 1.3s
RMTP Port 1935 Success 1.4s
RMTP Port 80 Success 1.4s
RMTP Port 443 Success 1.3s
RMTPT (Tunneling) Default Success 2.8s
RMTPT (Tunneling) Port 80 Success 2.8s
RMTPT (Tunneling) Port 443 Success 2.9s
RMTPT (Tunneling) Port 1935 Success 2.9s
WIN 11,4,402,265
RTMP DEFAULT Success
RTMP 80 Success
RTMP 443 Success
RTMP 1935 Success
RTMPT DEFAULT Success
RTMPT 80 Success
RTMPT 443 Success
RTMPT 1935 Success
Looks like all those tests pass for me. You behind any sort of double NAT?
-
Modem is connected directly on pfSense WAN card, all PCs on same LAN subnet. So I guess I have a single NAT (automatic).
The strange part: Last week, I contacted the publisher of the website. They said they wouldn't change a thing and suddenly (same day of the mail) the movies started to work. I didn't change a thing… My joy wasn't of long duration when I noticed the movies get blocked again since yesterday. This time I have proof they changed something. The standard "server not found rtmpt://" is changed by a custom error message: "This video could not be played. Maybe there is a service on the network that makes it impossible for you to view the movies (ie. corporate firewall)."
Conclusion: if they want, they can make it work for me, apparently they don't for some reason. Don't know what more I can try since I've tested this already with an allow * to * rule.
edit
I have now tracked the problem down to the squid proxy. I was able to get the movie working in transparent mode but this is a setting I prefer not to use...
This topic seems related to this problem: http://serverfault.com/questions/264079/force-rtmp-streams-playing-flash-to-be-requested-via-proxy-server
I've added 'acl Safe_ports port 1935' to the custom options but this didn't work.
-
"Modem is connected directly on pfSense WAN card"
Depends if what you're calling a "modem" is really a modem and not a gateway. What is your pfSense WAN IP, does it start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x?
"I have now tracked the problem down to the squid proxy"
thought you said they could make it work for you since they changed something?
-
In the linked forum threads it says that server side configuration can determine whether or not flash respects local proxy settings. Running squid transparently ensures all traffic is proxied (or allowed to pass).
Presumably the problem here is that flash ignores the proxy settings and attempts to connect directly. This fails because you are blocking this traffic? You would see this in the logs. Since rtmp traffic attempts initially to use a high port you could just allow that.
Or try some sort of SOCKS encapsulation as the thread suggests.
Steve
-
"Modem is connected directly on pfSense WAN card"
Depends if what you're calling a "modem" is really a modem and not a gateway. What is your pfSense WAN IP, does it start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x?
"I have now tracked the problem down to the squid proxy"
thought you said they could make it work for you since they changed something?
Modem is the real cable modem. IP of wan is 81.x.x.x
If you watch the tests in the first post, you see the tunneling of rtmp isn't blocked. I guess they didn't use tunneling in the past, turned it on for a moment (the moment it worked for me) and now turned it back off.
From what I've read, flash ignores proxy settings and tries to use port 1935, 80 or 443, and if this doesn't work a lot of websites will try to send the data in an encapsulated HTTP packet. They don't use that method for some reason. I've tried to add port 1935 to the squid safe list but that didn't fix it.
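
An added example, not part of any post in this thread: a minimal probe for the direct-RTMP case that the test page reports per port. It sends the RTMP C0+C1 handshake to a host and port and checks for S0+S1, so it can be run from a LAN client to see whether plain RTMP gets through the firewall/proxy path. `probe_rtmp` and `start_fake_rtmp_server` are names chosen here, and the loopback server is a constructed stand-in for a real streaming server.

```python
import os
import socket
import threading

RTMP_VERSION = 3       # C0/S0 version byte of plain RTMP
HANDSHAKE_LEN = 1536   # size of C1, S1 and S2

def probe_rtmp(host, port, timeout=5.0):
    """Classify one host:port as success / timeout / refused / error / not-rtmp."""
    # C1 = 4-byte time (may be 0) + 4 zero bytes + 1528 random bytes
    c1 = bytes(8) + os.urandom(HANDSHAKE_LEN - 8)
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bytes([RTMP_VERSION]) + c1)
            while len(reply) < 1 + HANDSHAKE_LEN:   # wait for S0 + S1
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
    except socket.timeout:
        return "timeout"      # packets silently dropped somewhere on the path
    except ConnectionRefusedError:
        return "refused"      # actively rejected (RST), e.g. closed port
    except OSError:
        return "error"
    if len(reply) >= 1 + HANDSHAKE_LEN and reply[0] == RTMP_VERSION:
        return "success"
    return "not-rtmp"         # something answered, but not with an RTMP handshake

def start_fake_rtmp_server():
    """Constructed loopback peer: answers C0+C1 with S0+S1+S2 once, returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while len(data) < 1 + HANDSHAKE_LEN:
                chunk = conn.recv(4096)
                if not chunk:
                    return
                data += chunk
            # S0, an all-zero S1, and S2 echoing the client's C1
            conn.sendall(bytes([RTMP_VERSION]) + bytes(HANDSHAKE_LEN) + data[1:1 + HANDSHAKE_LEN])
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_rtmp("127.0.0.1", start_fake_rtmp_server()))
```

A "timeout" result on 1935, 80 and 443 alongside working RTMPT matches the pattern in the first post's test output, while "not-rtmp" on port 80 would point at an HTTP proxy answering in place of the streaming server.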