Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine
-
Not entirely sure where to post this since I can't really identify the source of the problem.
I have an alias set up to allow my TVs to bypass the VPN I'm running on my router.
The TV in the bedroom is a FireTV, and I can stream any service from there just fine. (Edit: No I can't, it has the same issues as the other TV)
The Roku TV in the living room however, is refusing to stream on a couple services. Netflix gives me the 2-5 error, which seems to indicate some kind of network problem. But if I go to the TVs settings, and do a connectivity test, I get the full capacity of my Internet connection. I even pulled the ethernet from the back, connected it to my laptop and did another speed test, and it was fine there as well.
I've tried rebooting the router. I even tried running the TV through the VPN, by taking it out of the alias list, and curiously, it connected to Netflix just fine, and was as fast as you would expect, but you get the normal "You can't use a VPN" warning Netflix throws you...which is why I have the alias to bypass it. But otherwise, it connects quickly when running through the VPN. It's just off the VPN that it's slow, and seems to selectively allow certain services to work fine, and to gimp the others.
Ideas?
-
How are you policy routing the traffic? An alias of the local IP addresses of the TVs?
It looks like something is still going via the VPN and causing a problem. Or it's something more basic at the network level like an MTU issue perhaps. That would probably affect your test client too though.
Steve
-
Yes, I just put the IPs of the televisions into an alias, then assign that alias to a firewall rule to bypass the VPN and use the default gateway. It's how I did it on my last install.
Just went back into the bedroom, and now it's behaving the same as the other TV, so it's definitely a network thing, not a TV issue.
login-to-view
continued...
login-to-view -
This is going to just be a shot in the dark but what DNS servers are you using? I have issues while using streaming devices with anything other than my ISP's DNS servers.
-
I've never manually entered my ISP's DNS before, so unless one of these is them, shrug emoji?
-
@HardRooster If your WAN interface is picking up an address using DHCP, your can check this setting found under the System - General Setup section:
Make sure that DHCP is handing out the IP address of your LAN interface as the DNS server. Reboot your Roku and see if there is any change.
-
Looks like I'm already there.
Edit, extra screen shot
-
@HardRooster Did this issue start occurring before or after you set up your VPN on pfsense?
-
Setting up the VPN is something I did immediately, so I don't really have a before/after reference.
I get two behaviors whether I'm routing the TVs through the VPN or not.
If I route the TVs through the VPN, I can browse and load and I don't have any speed issues whatsoever. The only issue is you can't watch anything through a VPN because Netflix/Hulu/etc wont let you. (I wouldn't really want to anyway)
If I route the TVs around the VPN, that's when I get the slows. It's hard to even navigate the menus, and nothing will finish loading to watch. It's as if I'm on dial-up. But there is no VPN warning. It just acts like it's badly throttled. (We don't have data caps, have never had a throttling issue before)
Edit: My wife likes watching QVC, and that's streaming just fine right now, so it's not every streaming service. ... I just switched over to Prime TV, that was also working... I'm just going to test everything...
List of services/channels working or not
Working:
Amazon Prime
QVC
BBC AmericaNot working:
Disney+
Netflix
Hulu
CBS All Access
Hallmark Movies Now -
I'm almost out of ideas honestly. Do you have any crazy traffic shaping set up on an interface?
-
Not unless I did it by accident. I don't really know what traffic shaping is. I had installed pfBlocker, but I uninstalled it for now just to try to troubleshoot this.
-
Hi,
Make a backup of your pfSense setting.
Then reset pfSense to default, WAN should be fine (your upstream router is 10.0.0.0/24) so default LAN would be fine also. You should be connected, right after the initial wizard setting up a time server and pfSense password. Don't change anything else.These are NOT needed neither wanted :
login-to-view( except if you have some contract with them like your private info against some service ).
-
Yeah, this is almost certainly a DNS issue.
Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?
If not DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.
By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?
It also uses the default route for resolution so if you have allowed the VPN to become the default route then you will have DNS queries from the TVs going over the VPN but streams going directly and Netflix et al can detect that and block you.
Steve
-
scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
force the alias you created to use your ISP's dns or quad or similar.
also on the TV itself go to whatismyip.com OR similar. see if its actually still going through the crappy nord tunnel or your wan side?
-
@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Yeah, this is almost certainly a DNS issue.
Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?
No, What you saw in the above screenshot is the only part of the DHCP server I messed with, all the settings below that are default pfSense
If not DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.
I see. I never passed DNS servers through clients before I'm pretty sure, I wouldn't have known how, or why I should.
By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?
I had to look up what Unbound was, never heard of it before now. After a quick DDG search, it led me here.
https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html
Not that I hadn't already read it a few times (Understanding this kind of stuff doesn't come naturally to me)
But reading down the list, and thinking about what you said about interfaces, I saw something that made a very dim light come on.
The guide I follwed to set up the VPN had me set this
login-to-viewSo what happens if I change it?
login-to-viewLo and behold it starts working.
Have I broken my privacy now? (I mean any more than it already was because I don't really know what I'm doing) whatsmyip still shows the vpn address on my computer, so I guess it's still working?
-
@bcruze said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
Oooh, that looks useful, I'll dive into that a bit this weekend, thank you.
Edit: I have a question. The guide has you set up two aliases, one for routing traffic through the VPN, and one for routing around it. I only have one alias set up, for the TVs to route around the VPN, I want everything on the network to go through the VPN otherwise, so I didn't bother with an alias. So my question is, will I be able to follow along with the guide if I keep it the way I have it, or do I need two aliases like it's set up in the guide?
-
@HardRooster said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Have I broken my privacy now?
Probably, if by that you mean are all your DNS queries going out of the WAN where your ISP can see them.
The actually privacy you are gaining/losing there is debatable. You are just moving who can see them to the VPN provider and their hosting.But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappingsThen you can set Unbound back to use the VPN. All other clients will use Unbound, and hence the VPN, but the TVs will use whatever you pass to them via their policy route, which is the WAN gateway.
Steve
-
@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappingsSteve
I tried this, but I'm not quite sure how to configure it. It requires that the IP addresses be outside the pool of the current interface. Is that not going to break things since it would need to be on another subnet? 192.168.2.xxx vs 192.168.1.xxx Or am I supposed to shrink my existing pool, and place the static mapping outside that pool, but on the same subnet?
-
Yes, usually the DHCP pool is smaller than the subnet in order to allow for static mappings or statically configured devices.
You probably aren't using 254 dhcp leases so just reduce it by 10 or so.
Steve
-
Hi Folks. I have this issue also. I set the firewall up as shown. But I have a Roku3 and as far as I understand, DHCP is required, so I cant set the IP address to a fixed. Is there another way for me to isolate the Roku traffic? What if I plugged the Roku into its own port on the firewall? Right now I have a switch that the Roku is plugged in to and a home run to the firewall. Thanks in advance for the help.