Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine
-
@HardRooster Did this issue start occurring before or after you set up your VPN on pfsense?
-
Setting up the VPN is something I did immediately, so I don't really have a before/after reference.
I get two behaviors whether I'm routing the TVs through the VPN or not.
If I route the TVs through the VPN, I can browse and load and I don't have any speed issues whatsoever. The only issue is you can't watch anything through a VPN because Netflix/Hulu/etc wont let you. (I wouldn't really want to anyway)
If I route the TVs around the VPN, that's when I get the slows. It's hard to even navigate the menus, and nothing will finish loading to watch. It's as if I'm on dial-up. But there is no VPN warning. It just acts like it's badly throttled. (We don't have data caps, have never had a throttling issue before)
Edit: My wife likes watching QVC, and that's streaming just fine right now, so it's not every streaming service. ... I just switched over to Prime TV, that was also working... I'm just going to test everything...
List of services/channels working or not
Working:
Amazon Prime
QVC
BBC AmericaNot working:
Disney+
Netflix
Hulu
CBS All Access
Hallmark Movies Now -
I'm almost out of ideas honestly. Do you have any crazy traffic shaping set up on an interface?
-
Not unless I did it by accident. I don't really know what traffic shaping is. I had installed pfBlocker, but I uninstalled it for now just to try to troubleshoot this.
-
Hi,
Make a backup of your pfSense setting.
Then reset pfSense to default, WAN should be fine (your upstream router is 10.0.0.0/24) so default LAN would be fine also. You should be connected, right after the initial wizard setting up a time server and pfSense password. Don't change anything else.These are NOT needed neither wanted :
( except if you have some contract with them like your private info against some service ).
-
Yeah, this is almost certainly a DNS issue.
Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?
If not DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.
By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?
It also uses the default route for resolution so if you have allowed the VPN to become the default route then you will have DNS queries from the TVs going over the VPN but streams going directly and Netflix et al can detect that and block you.
Steve
-
scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
force the alias you created to use your ISP's dns or quad or similar.
also on the TV itself go to whatismyip.com OR similar. see if its actually still going through the crappy nord tunnel or your wan side?
-
@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Yeah, this is almost certainly a DNS issue.
Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?
No, What you saw in the above screenshot is the only part of the DHCP server I messed with, all the settings below that are default pfSense
If not DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.
I see. I never passed DNS servers through clients before I'm pretty sure, I wouldn't have known how, or why I should.
By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?
I had to look up what Unbound was, never heard of it before now. After a quick DDG search, it led me here.
https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html
Not that I hadn't already read it a few times (Understanding this kind of stuff doesn't come naturally to me)
But reading down the list, and thinking about what you said about interfaces, I saw something that made a very dim light come on.
The guide I follwed to set up the VPN had me set this
So what happens if I change it?
Lo and behold it starts working.
Have I broken my privacy now? (I mean any more than it already was because I don't really know what I'm doing) whatsmyip still shows the vpn address on my computer, so I guess it's still working?
-
@bcruze said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/
Oooh, that looks useful, I'll dive into that a bit this weekend, thank you.
Edit: I have a question. The guide has you set up two aliases, one for routing traffic through the VPN, and one for routing around it. I only have one alias set up, for the TVs to route around the VPN, I want everything on the network to go through the VPN otherwise, so I didn't bother with an alias. So my question is, will I be able to follow along with the guide if I keep it the way I have it, or do I need two aliases like it's set up in the guide?
-
@HardRooster said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Have I broken my privacy now?
Probably, if by that you mean are all your DNS queries going out of the WAN where your ISP can see them.
The actually privacy you are gaining/losing there is debatable. You are just moving who can see them to the VPN provider and their hosting.But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappingsThen you can set Unbound back to use the VPN. All other clients will use Unbound, and hence the VPN, but the TVs will use whatever you pass to them via their policy route, which is the WAN gateway.
Steve
-
@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappingsSteve
I tried this, but I'm not quite sure how to configure it. It requires that the IP addresses be outside the pool of the current interface. Is that not going to break things since it would need to be on another subnet? 192.168.2.xxx vs 192.168.1.xxx Or am I supposed to shrink my existing pool, and place the static mapping outside that pool, but on the same subnet?
-
Yes, usually the DHCP pool is smaller than the subnet in order to allow for static mappings or statically configured devices.
You probably aren't using 254 dhcp leases so just reduce it by 10 or so.
Steve
-
Hi Folks. I have this issue also. I set the firewall up as shown. But I have a Roku3 and as far as I understand, DHCP is required, so I cant set the IP address to a fixed. Is there another way for me to isolate the Roku traffic? What if I plugged the Roku into its own port on the firewall? Right now I have a switch that the Roku is plugged in to and a home run to the firewall. Thanks in advance for the help.
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
What if I plugged the Roku into its own port on the firewall?
If this port isn't part of a switched set of port on the firewall, this means that this device will live in it's own network, using it's own DHCP server using a different DHCP pool.
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
DHCP is required, so I cant set the IP address to a fixed. Is there another way for me to isolate the Roku traffic?
Just create a static DHCP lease for it.
These type of lease are - should be - outside the DHCP lease pool.
See what @stephenw10 said just above. -
So, is this it? Put it on its own port AND create a static lease for it ? Or just create a static lease for it and use the firewall ruls for the IP addresses as above?
Currently the OPT ports are configured to bridge to the LAN.
As far as a static DHCP lease, i will have to figure that out. It seems straight forward if the Roku was on its own port, but not sure how to call out the Roku for the DHCP lease. Sorry for the noob questions, thanks for helping. -
@bill1 you call out the devices for static leases by their MAC addresses.
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html
Jeff
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
but not sure how to call out the Roku for the DHCP lease.
You don't need to touch the roku device.
All you need to know is it's MAC address.
And gues what, if rock obtained a lease in the past - just hook it up and boom .. you have it - you have already all the details needed.It's even better :
Just click on the button, and the "Add static mapping" :
Over here :
you fill in a IPv4 that must be outside of your network's DHCP pool - a host name, so instead of BGTR458755fDRR you can give it a real short easy device name, and a description if needed.
Done.
-
Thanks for the help. This is the saga. I changed the network to 10.1.1.0\24, allocated 10.1.1.10 to 10.1.1.235, Got DNS to config Roku @ 10.1.1.237, and the spare bypass @ 10.1.1.236, Created the Firewall pass rule as shown... and when I tried it, got no internet. Nothing going out the wan, at all. So I screwed around with it, but couldnt get it to work. Rolled back a config version to the 192.168.1.1 network, re-did the DHCP, rules, etc and Everything but Roku was working. So, obviously I am missing something crucial to make my LAN 10.x.x.x based. Any Ideas on this would be helpful.
On the Roku, some stuff works. Some channels from Spectrum, my local provider would not populate. In the channel listing, the channel number would not show, and the programming would not play. The DHCP for the Roku IP address did work.
Then I had to pull the firewall back out and reset everything to get the Roku working again. My next experiment is to try a computer on the other VPN-bypass alias and see what IP address is showing from the outside. Any other ideas? Thanks -
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
pull the firewall back out
What firewall rule ?
Btw : first make your network usable over WAN. If after a while you know everything works fine, start adding VPN stuff.
If needed, make exceptions, like, among others, Netflix devices -
@Gertjan Thanks for helping. I am trying hard to learn this. Here is what I have done so far. BTW, i started from a complete image with the hardware, pf sense, and PIA
So I start with setting the IP subnet address
then config the DHCP server
leaving the high end addresses for fixed lease
assign the RokuCreate a bypass alias for roku + 1 more
VPN bypass rule (thinking that the destination may not be right)
with gateway setup in advanced
and the WAN rules
What do you think? Am I getting close?
