PfSense blocking video from NFL sites?
-
Not sure this topic belongs under Firewall, but thought I should start here.
I installed a pfSense 2.3 router a few weeks ago and all is working reasonably well. But I just noticed that I can no longer view videos on my favorite NFL team site, and can't view videos on nfl.com (I believe most or all of the nfl teams get their videos served by the same source as nfl.com.) I get either a black screen or a circle spinning infinitely, similar to what happens with some videos when you block ads. I did not have this problem before installing pfSense (was using a Comcast Business modem/router, which is now in bridged mode.)
I've turned off all ad blocking, privacy and security measures in all my browsers (Chrome, IE, Firefox, Safari, etc.), but none of them can play the videos. This is true on all my devices – Windows, Mac OSX, iPhone and iPad.
However, if I turn off Wi-Fi the iPhone is able to view the videos over cellular. I take that as pretty solid proof that it's a network problem, not a device, browser or OS problem.
The one test I haven't done is to remove the pfSense router and try the Comcast modem as router to confirm that this is indeed a pfSense issue. That involves disrupting the network and doing some reconfiguration, so I'm holding off on that pending answers I might get here.
Note that I can view videos from other sites, like YouTube, and can view the Flash test videos on the Adobe site. I believe nfl.com uses Flash, but there's something in the way they serve videos that's not getting past pfSense.
I can't see anything in my firewall or NAT rules that would cause this, but just to make sure I disabled all the rules I added (which are mostly VPN routing rules) and added blanket pass rules wherever I could. No change. Searching the forums here only turned up one similar issue, but the persons was using Squid, which I'm not.
Does anyone have any idea what could be happening?
-
Proof that the issue was between your LAN and the service, but not your firewall. Try by-passing the firewall entirely and see if the issue persists.
-
OK, now I have proof that the problem is in pfSense or how I have it configured:
-
Disconnected pfSense router from modem and LAN
-
Put modem back in router mode (unbridged)
-
Connected LAN to modem/router
-
No problem viewing nfl.com videos and videos on my favorite team site
-
Disconnected LAN from modem/router
-
Put modem/router back in bridged mode
-
Connected pfSense to modem and LAN
-
Can't view the videos
Thoughts?
-
-
Dude why would pfsense give 2 shits to what video your watching..
So when your using pfsense what packages are you using? pfblocker, snort, proxy, what? Are you using resolver or forwarder?
When you plug in your soho router your doing what exactly for dns? Compared to pfsense.. You sure and the hell not using any sort of ips or pfblocker, etc. etc..
What video you trying to watch.. give us a url to test, etc.
Why is basic troubleshooting like brain surgery around here? It was like asking you to solve one of Hilbert's problems or something.. If there is some video you can not view then give the url to this video.. Does the url of the video even resolve - look at the link your trying to follow and see if resolve via your fav dns tool.. Are you using ipv6 or ipv4 to try and access this video? etc.. Need something more than you use pfsense doesn't work, you use some soho router it works..
-
Dude why would pfsense give 2 shits to what video your watching..
That's the question I'm asking.
So when your using pfsense what packages are you using? pfblocker, snort, proxy, what?
I'm not using any packages.
Are you using resolver or forwarder?
I have both enabled and I've specified a list of public DNS servers in General Setup.
When you plug in your soho router your doing what exactly for dns?
It uses the ISP DNS servers.
Compared to pfsense.. You sure and the hell not using any sort of ips or pfblocker, etc. etc..
Not sure what you mean by this, but I think the answer is no.
What video you trying to watch.. give us a url to test, etc.
Try this one:
http://www.nfl.com/videos/nfl-game-highlights/0ap3000000858999/Chiefs-vs-Texans-highlights-Week-5
Does the url of the video even resolve - look at the link your trying to follow and see if resolve via your fav dns tool.
The link resolves both in my browser and when I enter it into a DNS lookup tool. In other words, the page containing the video displays. Depending on the site and video, sometimes I see a black screen, sometimes I see a spinning circle that normally indicates the video is loading, but it never does. I suppose this could mean that the link to the actual video that's embedded in the page isn't resolving. I've briefly looked at the page source but wasn't able to identify the link to the video. I could spend more time trying to do that.
Are you using ipv6 or ipv4 to try and access this video? etc..
I've tried turning off IPV6 and the videos still won't display, so I guess we can say I'm accessing via IPV4.
-
"I have both enabled and I've specified a list of public DNS servers in General Setup."
Oh my GAWD dude it doesn't work that way!! Which one are you using the resolver in forwarder mode or as resolver? Or the forwarder?
Looks like I have the same problem without even going through pfsense. See attached..
edit: So currently pfsense is out of the picture, while I was using unbound in resolver mode. But I do go through pihole first, so I have changed over my box to direct go to googledns and flushed clients dns and cache and still have the problem.. So now let me look into what the problem is.
edit2: Ok so flushed browser cache as well, and now video is working. Pic 2.. So lets see if can figure out what the problem is.. But off the top I would say something not resolving or behind blocked in pihole or my unbound blocking.. maybe a problem with some sites dnssec?
edit3: Well its not unbound when I take the blocking out.. Let me put that back… You sure your not using any sort of blocking like pfblocker or pihole you running.. Pointing direct to unbound as resolver with dnssec I don't seem to be having any issues...
edit4: Well what do you know -- look what was being blocked by my script and pihole.. pic 3
So let me remove that from the block listing I had.. And see what happens.
edit5: Well look at that - removed my blocking on pfsense, and pointed direct to pfsense and all videos working just fine.. And now that s0.2mdn.net resolves as well..
dig @192.168.9.6 s0.2mdn.net
; <<>> DiG 9.11.2 <<>> @192.168.9.6 s0.2mdn.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53447
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;s0.2mdn.net. IN A;; ANSWER SECTION:
s0.2mdn.net. 3387 IN CNAME s0-2mdn-net.l.google.com.
s0-2mdn-net.l.google.com. 3387 IN A 172.217.4.230;; Query time: 1 msec
;; SERVER: 192.168.9.6#53(192.168.9.6)
;; WHEN: Mon Oct 09 04:21:27 Central Daylight Time 2017
;; MSG SIZE rcvd: 94So why not do a query from your machine for that.. Does that resolve? Because if I just block that.. then video fails.
So when using pihole and that fqdn is blocked... No video!! Other videos work - but not that hou highlight one.. Which since since that domain is a CDN that is used to load ad content, its quite logical that if your not going to load the ad then not going to show you the video.. See this all the time.. So you must be using something to block the ads.. Be it pihole, pfblocker would be my guess to what your using..
-
"I have both enabled and I've specified a list of public DNS servers in General Setup."
Oh my GAWD dude it doesn't work that way!! Which one are you using the resolver in forwarder mode or as resolver? Or the forwarder?
OK, clearly I don't understand how the forwarder and resolver work. I've discovered that's part of the problem.
As you may recall, I use a VPN. One of its unique features is a thing called TrackStop, which is an ad and malware blocker (does other protective things as well.)
But of course I knew this and tested the nfl.com videos on devices that were not going through the VPN. The videos were still blocked.
But when you suggested I'm not using the forwarder and resolver correctly, and demonstrated that ad blocking is the root cause, I suspected something I had noticed earlier: whenever the OpenVPN client is running and the VPN interface is enabled, the VPN website is being used for DNS (there's a "DNS leak test" on the VPN website that detects the DNS IP, and it's a VPN IP.) Of course, this is true for all devices on my network, not just devices that go through the VPN.
So, I turned off the OpenVPN client and disabled the VPN interface. Sure enough, the DNS leak test detects the two public DNS servers I've configured in General Settings, and I'm able to play the nfl.com videos. It has to be the VPN ad blocker that was the problem all along, but I didn't realize it was active on DNS searches.
Earlier I had noticed the DNS leak test was showing a VPN IP, but I didn't think it was the problem because when I turned off the VPN I still couldn't play the videos. That's because, unbeknownst to me, the latest Firefox update slipped in a "temporary extension" that I believe is blocking ads. This time I used a clean copy of Chrome and the videos played as long as the public DNS servers were being used.
When I first noticed the VPN IP being used for DNS, I tried to configure the forwarder and resolver to use only the WAN for DNS, but it didn't work. No matter how I set the forwarder and resolver interfaces, the VPN IP ended up being used for DNS. Only shutting down the VPN client or interface would stop that.
But just now I rebooted pfSense and now the public DNS servers are showing up as the DNS servers in the leak test, not the VPN. I'm completely confused about how pfSense chooses the interface for DNS and how to configure the forwarder and resolver – or if I should use both or one or neither. What I'd really like to do is route DNS searches for non-VPN clients to the two public DNS servers and route DNS searches for VPN clients through the VPN. But I don't see a way to do that. If it's not possible, I want the two public DNS servers to be used regardless of whether clients are going through the DNS or not.
Can you explain the forwarder and resolver and/or help me configure this correctly?