Pfsense blocking Livestream
-
There is not enough information in your post to give you a theory about why it is being blocked. For starters, is this "plain vanilla" pfSense using the out-of-the-box configuration, or have you added any packages to the installation? If you have added packages, that will likely be your problem (one of them is not configured correctly for your setup).
If you have not added any packages, then you will need to post up firewall rules for folks to take a look at. By default, pfSense will block zero outbound traffic and will block all unsolicited inbound traffic. This is a very secure default setup but should let all traffic from your LAN devices go out unimpeded. Problems happen when folks monkey with the firewall rules without understanding completely how the firewall works.
-
My fault, it's a plain install, no packages added. Just a few NAT rules for port forwarding. Seems that RTMP, once it starts, opens other ports and they are blocked.
-
@derreckbercier said in Pfsense blocking Livestream:
My fault, it's a plain install, no packages added. Just a few NAT rules for port forwarding. Seems that RTMP, once it starts, opens other ports and they are blocked.
Assuming your streaming device is on the LAN side (LAN interface) of pfSense, then it is highly unlikely you need any kind of port forward rules to send data out to the web. I assume you have the source of the livestream on your LAN and you are sending it out to some host on the Internet for viewers to consume from. Is that correct, or are you hosting the streaming server behind your firewall? By "streaming server" I mean the box that is receiving the livestream for subsequent storage and then feeding back out to viewers.
I have a livestream setup for our church. The livestream box (an appliance but very similar to a PC in function) connects from the church LAN to an Internet host. That host receives the stream and stores it and makes it available for viewers to "see". We also embed the stream on the church's web site, but all that "embed" consists of is a link to the host and our specific stream URL.
If my guess above about the source and traffic direction is correct, try deleting all the manual NAT port forwards you have created.
-
I am hosting the machine behind my firewall that is sending the stream to Livestream and they embed the stream to our webpage. Exactly like your setup for your church. My port forwards are for other equipment to enter into the building such as cameras.
-
How do you know for sure pfSense is doing the blocking? Have you seen a firewall rule log entry that specifically has the IP address of your streaming source PC in it? Perhaps the real problem is a hardware network issue such as a duplex mismatch on the pfSense ports.
Take a look at the STATUS > INTERFACES page to see if any errors are showing and if the speed and duplex values look right for the switch ports pfSense is connected to.
Also, how can you connect directly to the switch and bypass pfSense? Normally your firewall is between all of your LAN and the Internet. What exactly is the layout of your network and where is the pfSense firewall in the big picture?
-
I have not seen it in the firewall log. I can't find any entry for the source in the log whatsoever. The only reason I know where it is going is because I did a packet capture on the LAN for the device that is streaming. I know it's the pfSense router because our previous router, which I just replaced with pfSense, didn't have any issues with the livestream. It wasn't as aggressive as this one.
-
@derreckbercier said in Pfsense blocking Livestream:
I have not seen it in the firewall log. I can't find any entry for the source in the log whatsoever. The only reason I know where it is going is because I did a packet capture on the LAN for the device that is streaming. I know it's the pfSense router because our previous router, which I just replaced with pfSense, didn't have any issues with the livestream. It wasn't as aggressive as this one.
If you do not see the device's IP address in the pfSense firewall log, then pfSense is not blocking the traffic. Something else is at fault. Assuming pfSense is the only thing between your streaming device and the Internet, then my number one theory is a hardware problem. The most likely one is a NIC port speed/duplex mismatch between the box you have pfSense on and either your WAN connection or the LAN connection. That will cause terrible network performance and very poor streaming quality.
What are you running pfSense on? Is it a Netgate appliance or your own hardware? If your own hardware, what brand of network interface card is it using? What are the speed and duplex capabilities of the switch on your LAN and what type of WAN connection do you have?
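The log check described above can be scripted. This is an added example, not part of the original posts: it parses raw `filterlog` lines in pfSense's comma-separated layout (IPv4 and IPv6) and returns the block entries that involve one host. The sample lines, addresses and tracker IDs are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample lines: syslog prefix followed by the filterlog CSV payload.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw filterlog[1234]: 4,,,1000000103,em0,match,block,in,4,0x0,,52,4321,0,DF,6,tcp,60,203.0.113.9,198.51.100.2,51515,3389,0,S,1234567890,,64240,,mss
Mar  3 10:15:02 fw filterlog[1234]: 77,,,1770001234,em1,match,pass,in,4,0x0,,64,1111,0,DF,6,tcp,60,192.168.1.50,198.51.100.77,50000,1935,0,S,222,,65535,,mss
Mar  3 10:15:03 fw filterlog[1234]: 4,,,1000000103,em1,match,block,in,4,0x0,,64,2222,0,none,17,udp,80,192.168.1.60,198.51.100.77,40000,5000,60
Mar  3 10:15:04 fw filterlog[1234]: 5,,,1000000104,em0,match,block,in,6,0x00,0x00000,64,UDP,17,40,fe80::1,ff02::1,546,547,40
"""

def parse_filterlog(line):
    """Return a dict for one filterlog line, or None if it cannot be parsed."""
    payload = line.partition("filterlog")[2].partition(": ")[2].strip()
    f = payload.split(",")
    if len(f) < 9:
        return None
    # Field 8 is the IP version; the address columns differ between v4 and v6.
    if f[8] == "4":
        proto_i, src_i = 16, 18
    elif f[8] == "6":
        proto_i, src_i = 12, 15
    else:
        return None
    if len(f) <= src_i + 1:
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "proto": f[proto_i].lower(),
           "src": f[src_i], "dst": f[src_i + 1]}
    if rec["proto"] in ("tcp", "udp") and len(f) > src_i + 3:
        rec["sport"], rec["dport"] = f[src_i + 2], f[src_i + 3]
    return rec

def blocks_for_host(log_text, host):
    """List block entries whose source or destination is the given host."""
    want = ipaddress.ip_address(host)
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        try:
            ends = {ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])}
        except ValueError:
            continue  # malformed address field, skip the line
        if want in ends:
            hits.append(rec)
    return hits
```

An empty result only covers rules that log: a block rule with logging turned off leaves no entry to find.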
-
I am running pfSense on an HP computer with an Intel PRO/1000 PT Dual Port Server Adapter. And you are a godsend, I went back and checked my port speed settings and set my LAN to autoselect and boom, it started streaming correctly. I had it set to 1000baseTX full duplex; apparently that was incorrect. pfSense set my LAN port to 1000baseT full duplex and it is working as of right now. Thanks, hopefully this is the issue.
-
I take that back! lol, as soon as we start streaming my upload goes to 0. So I'm trying to figure that out right now.
-
@derreckbercier said in Pfsense blocking Livestream:
I am running pfSense on an HP computer with an Intel PRO/1000 PT Dual Port Server Adapter. And you are a godsend, I went back and checked my port speed settings and set my LAN to autoselect and boom, it started streaming correctly. I had it set to 1000baseTX full duplex; apparently that was incorrect. pfSense set my LAN port to 1000baseT full duplex and it is working as of right now. Thanks, hopefully this is the issue.
Most devices these days need their NIC ports set to "auto" in order to play well together. When one side is "auto" and the other is manually set, they frequently can't work out a connection and each side will assume its "default". The problem is they rarely default to the same settings and thus don't match up.
-
@derreckbercier said in Pfsense blocking Livestream:
I take that back! lol, as soon as we start streaming my upload goes to 0. So I'm trying to figure that out right now.
Your livestream may be saturating your link. What is the upload bandwidth provided by your ISP? Also, TCP is a "first-come first-gets-all" sort of protocol. So a single device can conceivably grab all the bandwidth and starve other devices attempting to send/receive on the link.
-
I have a 100mb pipe that's symmetrical.
-
@derreckbercier said in Pfsense blocking Livestream:
I have a 100mb pipe that's symmetrical.
Well, it should be pretty hard to saturate that link with a typical livestream upload. How big is your audience for this livestream? If several dozens of users are trying to view the stream simultaneously with your upload, then I could see how your download link might approach saturation. That could then impact upload as the ACKs could not come through from the livestream remote host on a timely basis.
-
I've been troubleshooting this, and part of the problem is since switching to pfSense it has given my other networks 1gb access to the niq; with my old router only the main LAN was at 1gb, every other network was at 100mb. So something on my other network is hogging up all the bandwidth on that switch and I'm trying to narrow it down. Thanks for everyone's help on this problem so far.
-
@derreckbercier said in Pfsense blocking Livestream:
I've been troubleshooting this, and part of the problem is since switching to pfSense it has given my other networks 1gb access to the niq; with my old router only the main LAN was at 1gb, every other network was at 100mb. So something on my other network is hogging up all the bandwidth on that switch and I'm trying to narrow it down. Thanks for everyone's help on this problem so far.
If you are uploading to a remote streaming host, but then your local LAN clients are simultaneously downloading the stream from that remote host over the same Internet connection, you can use it all up to the point the ACKs from the remote host do not make it back to your streamer PC in a reasonable time. So your streamer PC slows down and slows down and slows down trying to get the connection going. Uploading requires enough bandwidth on the download side for ACKs from the remote receiving end to get through. If you have tons of local users sucking up all the download bandwidth viewing the stream, then nothing is left for your uploading PC to receive its ACKs. Giving those "hungry" local LAN clients a gigabit pipe to suck from will exacerbate the problem. If they were all formerly sharing a 100 megabit pipe into the central switch, they could have been partially moderating each other so that the sum was not overwhelming to your uploading stream.
Don't know your situation precisely, but from your description it sounds like you were uploading to a remote host on the web that your local clients viewed from. Is that true, or do I have it wrong?
If I've correctly guessed your setup, then you can benefit from traffic shaping on pfSense that gives your uploading streamer PC priority bandwidth.