Netgate Discussion Forum

    PfBlockerNG preventing PBS channel on Roku 4 from Working

    • Xentrk

      I have 2.4.2-RELEASE-p1 installed.

      The PBS Channel App on my Roku stopped working recently when using pfBlockerNG.  I am able to select the channel and browse the selection of shows.  Once I select a show, a spinning symbol starts to spin and then returns to the main Roku menu.  May be similar to the issue I reported back in June 2017 here https://forum.pfsense.org/index.php?topic=132129.msg726771#msg726771

      Disabling DNSBL has no impact on the issue.  On the Roku, PBS does work if I turn off pfBlockerNG.  PBS does not work if I have pfBlockerNG turned on.  What is strange is that the PBS channel works fine on the Amazon Fire Stick.
      The PBS channel on the Roku works if I connect it to my Asus Router.  This router uses the host-based ad blocking solution called AB-Solution.

      I am at a loss as to how to troubleshoot the issue.  Nothing obvious appears in the Alerts page.  Any ideas are welcome.

      pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
      Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

      • BBcan177 Moderator

        Try to run a tcpdump whilst loading the PBS Channel on the Roku (Change the "re1" to your interface)

        ```
        tcpdump -nnvli re1 port 53 | grep -B1 'A 10.10.10.1'
        ```

        It might help find out which domain is being blocked that is causing the Roku to not load the page…

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • Xentrk

          Thank you for the help!

          Before testing, I disabled pfBlockerNG and DNSBL. This time, it did not fix the issue.  Turning off pfBlocker worked three times in my testing. So this adds more to the mystery.

          I had to modify the command slightly.

          ```
          tcpdump -nvli ovpnc1 port 53 -w log.pcap | grep -B1 'A 10.10.10.1'
          ```
          
          I see queries in the pcap file to r53-api-vip.pbs.org. I get one ping reply, then it hangs:

          ```
          ping r53-api-vip.pbs.org
          PING r53-api-vip.pbs.org (54.243.141.179): 56 data bytes
          ```

          Windows ping

          ```
          Pinging r53-api-vip.pbs.org [54.243.141.179] with 32 bytes of data:
          Request timed out.
          Request timed out.
          Request timed out.
          Request timed out.
          ```

          I see some query requests to reports.crashlytics.com.  A ping reports.crashlytics.com does the same thing.  When viewing the details in Wireshark, the Query responses all state there is no error though. I believe these are both Amazon domains. I do have a firewall rule to route Amazon AWS traffic thru my private VPN server.  But I also have the same rule on the Asus. I disabled the rule and PBS worked! I then re-enabled the rule and PBS broke again.  I disabled the rule and this time, it did not work.  I repeated this several times and could not get it working again. At first, I thought I might be onto something.  :o However, there is another LAN rule that points the Roku to the same VPN server as the Amazon AWS rule.
          
          I got the same ping replies when routing traffic over the WAN.
          
          On the Asus router, I get ping replies for these domains. I also tried pinging several well known domains and got the expected responses.

          pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
          Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

          • BBcan177 Moderator

            It could also be a CNAME that is blocked, so you need to review what domains were blocked…  Also if you are using any IP block lists, it could be blocked by one of those rules...

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/
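
Added example, not part of either post above: a filter for the text output of the tcpdump command suggested in this thread. It lists each queried name that was answered with the DNSBL address 10.10.10.1 and marks whether the sinkholed record is the queried name itself or a CNAME target. The function names, the sample capture lines and the assumed `tcpdump -v` line layout (a response line carrying `q: A? <name>` followed by the answer records) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list names whose DNS answer is the sinkhole address.
# Assumes `tcpdump -nnvl` text output, where a response line carries
# "q: A? <name>" followed by the answer records.

# Constructed sample capture (names and client addresses are made up).
sample_capture() {
    cat <<'EOF'
    192.168.1.50.40001 > 192.168.1.1.53: 4097+ A? ads.example.net. (33)
    192.168.1.1.53 > 192.168.1.50.40001: 4097 q: A? ads.example.net. 1/0/0 ads.example.net. A 10.10.10.1 (49)
    192.168.1.1.53 > 192.168.1.50.40002: 4098 q: A? player.example.org. 2/0/0 player.example.org. CNAME track.example.net., track.example.net. [5m] A 10.10.10.1 (98)
    192.168.1.1.53 > 192.168.1.50.40003: 4099 q: A? video.example.org. 1/0/0 video.example.org. A 203.0.113.7 (51)
    192.168.1.1.53 > 192.168.1.50.40004: 4100 q: A? ads.example.net. 1/0/0 ads.example.net. A 10.10.10.1 (49)
EOF
}

# Usage: tcpdump -nnvli re1 port 53 | dnsbl_hits [sinkhole-ip]
# Prints: <queried name> <sinkholed name> <direct|cname>, once per pair.
dnsbl_hits() {
    awk -v vip="${1:-10.10.10.1}" '
    index($0, " q: A? ") {
        qname = ""
        for (i = 1; i < NF; i++) {
            # Remember the name the client actually asked for.
            if ($i == "A?") { qname = $(i + 1); continue }
            ip = $(i + 1); sub(/,$/, "", ip)
            if ($i != "A" || ip != vip || qname == "") continue
            name = $(i - 1)
            if (name ~ /^\[/) name = $(i - 2)   # skip a TTL token such as [5m]
            # A sinkholed name that differs from the query was reached via CNAME.
            how = (name == qname) ? "direct" : "cname"
            key = qname " " name " " how
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Run against the constructed sample when executed stand-alone.
sample_capture | dnsbl_hits
```

A `cname` row names the record to whitelist or unblock, which is not the name the device queried.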

            • f34rinc

              I ended up just assigning a static DHCP lease to my Roku and giving it a third-party DNS server to bypass DNSBL.

              I NAT all DNS traffic from every device besides the Roku to pfSense to prevent anything else from using third party DNS servers.

              • Xentrk

                Thank you for posting the config @f34rinc.

                The solution was to remove the Host Overrides in DNS Resolver for the following domains in DNSBL Custom Domain White List:

                b.scorecardresearch.com
                b.scorecardresearch.com.edgesuite.net
                pubads.g.doubleclick.net
                partnerad.l.doubleclick.net

                This solution had worked previously per my link in the OP.

                @BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients.

                Thank you!

                pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
                Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

                • f34rinc

                  @Xentrk:

                  > how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients.

                  I do believe the 'unknown' issue is due to the way HTTPS blocks were handled.

                  • Xentrk

                    I route most of the traffic thru VPN tunnel.  So that may be the reason as well.

                    pfSense 2.4.4_2 | Intel i5-3450 @ 3.10GHz  | AES-NI enabled |  pfBlockerNG | Snort
                    Blog Site: https://x3mtek.com || GitHub: https://github.com/Xentrk

                    • BBcan177 Moderator

                      @Xentrk:

                      > @BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients.

                      This is already addressed in the upcoming release…

                      "Experience is something you don't get until just after you need it."

                      Website: http://pfBlockerNG.com
                      Twitter: @BBcan177  #pfBlockerNG
                      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.