Amazon Fire TV not working

kejianshi · Sep 25, 2014, 8:28 PM

Do you have the uPNP service running on the interface (LAN)?

mrsunfire · Sep 26, 2014, 3:36 AM

No I don't have. But I also testet it with it running. What I found out: if I go to Advanced - Firewall/NAT and check "disable all packet filtering" and uncheck it again, Fire TV works fine for a short period of time. But at least after 1 hour, it's not working anymore. Is this a bug from pfsense, or what's happening there?

Derelict · Sep 26, 2014, 4:56 AM

What is showing up as blocked in the firewall logs?

mrsunfire · Sep 26, 2014, 5:09 AM

Nothing, thats the problem.

kejianshi · Sep 26, 2014, 5:13 AM

You know what. I bet manual outbound NAT with static port need be set up on basically the entire LAN… (WAN... technically)

Perhaps maybe just 49000 - 65535...

But I'd do the whole LAN at first to see if that fixes the issue and then narrow the ports.

It is a UDP stream after all. Might be the issue, as it so often is.

kejianshi · Sep 26, 2014, 5:21 AM

You may use other protocols, like some games amongst other things, that do not work properly when the source port gets rewritten. To disable this functionality, you need to use the static port option. Click Firewall -> NAT, and the Outbound tab. Click "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save. You will then see a rule at the bottom of the page labeled "Auto created rule for LAN". Click + to copy that rule. Change the rule so it only covers the source IP of your device that needs static port, and any other settings you need. Check the "static port" box on that page, and click Save. Move the rule to the top of the list. Apply changes and this behavior will be disabled.

(copied)

I'd just do the entire 1-65535 at first, just to see if that changes things. Then try to narrow it to only what your service needs.
Be sure to put your rule with static port on top of the list(-;

If this makes no difference, its easy to change back to automatic outbound nat.

mrsunfire · Sep 26, 2014, 5:53 AM

Wich rule do I have to copy and edit?

http://imgur.com/Bu416t5

My LAN is the 192.168.1.0/24, there also is the Fire TV connected to.

kejianshi · Sep 26, 2014, 6:00 AM

You see the very first rule? Hit the + button to the right of it. Then change destination port to 1 - 65535

Then change the description to something like "static port entire lan". Then save the rule. After that, move that rule to top of list.

Be sure to save/apply.

See if it works. Might need a reboot.

Its easy to go back and delete if doesn't work.

kejianshi · Sep 26, 2014, 6:08 AM

P.S. Looks like where there was 500, you should make that blank to catch all ports.

No idea if this will work. Could also be a dlna issue. I hope its this "easy" for you.

mrsunfire · Sep 26, 2014, 6:09 AM

Is there a possibility that I lock out myself with that? I'm connected via WAN right now :D

Trying to set the destination port range to 1-65535 it says "You must supply either a valid port or port alias for the destination port entry."

EDIT: thanks for the tip! I've edited now the first rule and leave the port empty, for cover all ports. Will try that later at home if its fixed. Will report then, thanks a lot till now!

kejianshi · Sep 26, 2014, 6:10 AM

Where it had 500, just make it blank to catch all ports. No - You will not be locked out.

mrsunfire · Sep 26, 2014, 6:12 AM

See edited post above, thanks!

kejianshi · Sep 26, 2014, 6:15 AM

Don't thank me unless it works. Good chance its no effect at all.

mrsunfire · Sep 26, 2014, 6:22 AM

You're right, let's see.

As I setup DMZ yesterday, I let the firewall log everything and found out that Fire TV only connects via port 80 and 443 and (I think it was) 2289 TCP. Also uses 53 as well. But even with everything allowed, it didn't work.
Maybe it's realy an UDP stream problem, don't know. Also requested the Amazon support, they can't help me right now and gave it to the technicals.

Is there any possibility to see whitch ports the Fire TV is using, or trying to use?

kejianshi · Sep 26, 2014, 6:27 AM

I think you are going to find out fire tv will use a ton of random udp ports, but lets see.

Your pfsense setup is far from simple - its possible you have other issues.

mrsunfire · Sep 26, 2014, 6:34 AM

Hm, first issue is if I set the NAT outbound from automatic to manual, IPsec isn't working anymore. So I edited the first rule to any port, and set back to automatic. Is that ok, or whats the difference to manual? Now IPsec is working fine again.

kejianshi · Sep 26, 2014, 6:37 AM

automatic totally ignores any rules you set.

when you get home try it with manual.

If it works, you might want to make a LAN segment just for fire tv.

kejianshi · Sep 26, 2014, 6:48 AM

I'm being stupid - duh…

You can change your first rule to the single IP of fire tv instead of the entire LAN

like 192.168.1.100/32 (replace 100 with whatever your amazon fire device is)

Then static ports will only apply to that 1 device.

mrsunfire · Sep 26, 2014, 6:59 AM

Well I think I need automatic for the IPsec, or not?

kejianshi · Sep 26, 2014, 7:01 AM

Automatic has screwed me more often than not. I don't use it anywhere.

I don't use ipsec though. Still I doubt seriously its required.