Netgate Discussion Forum

    Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine

    General pfSense Questions
    62 Posts 8 Posters 13.4k Views
    • J
      JakenShakes
      last edited by JakenShakes

      @HardRooster Did this issue start occurring before or after you set up your VPN on pfsense?

      • H
        HardRooster @JakenShakes
        last edited by HardRooster

        @JakenShakes

        Setting up the VPN is something I did immediately, so I don't really have a before/after reference.

        I get two behaviors whether I'm routing the TVs through the VPN or not.

        If I route the TVs through the VPN, I can browse and load and I don't have any speed issues whatsoever. The only issue is you can't watch anything through a VPN because Netflix/Hulu/etc won't let you. (I wouldn't really want to anyway)

        If I route the TVs around the VPN, that's when I get the slows. It's hard to even navigate the menus, and nothing will finish loading to watch. It's as if I'm on dial-up. But there is no VPN warning. It just acts like it's badly throttled. (We don't have data caps, have never had a throttling issue before)

        Edit: My wife likes watching QVC, and that's streaming just fine right now, so it's not every streaming service. ... I just switched over to Prime TV, that was also working... I'm just going to test everything...

        List of services/channels working or not

        Working:
        Amazon Prime
        QVC
        BBC America

        Not working:
        Disney+
        Netflix
        Hulu
        CBS All Access
        Hallmark Movies Now

        • J
          JakenShakes @HardRooster
          last edited by

          @HardRooster

          I'm almost out of ideas honestly. Do you have any crazy traffic shaping set up on an interface?

          • H
            HardRooster @JakenShakes
            last edited by

            @JakenShakes

            Not unless I did it by accident. I don't really know what traffic shaping is. I had installed pfBlocker, but I uninstalled it for now just to try to troubleshoot this.

            • GertjanG
              Gertjan
              last edited by

              Hi,

              Make a backup of your pfSense setting.
              Then reset pfSense to default, WAN should be fine (your upstream router is 10.0.0.0/24) so default LAN would be fine also. You should be connected, right after the initial wizard setting up a time server and pfSense password. Don't change anything else.

              These are NOT needed nor wanted:
              1a410ab9-9d9f-4a0b-a8e9-01049793bc9d-image.png

              ( except if you have some contract with them like your private info against some service ).

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Yeah, this is almost certainly a DNS issue.

                Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?

                If not, DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.

                By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?

                It also uses the default route for resolution so if you have allowed the VPN to become the default route then you will have DNS queries from the TVs going over the VPN but streams going directly and Netflix et al can detect that and block you.

                Steve

                • B
                  bcruze
                  last edited by bcruze

                  scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/

                  force the alias you created to use your ISP's dns or quad or similar.

                  also on the TV itself go to whatismyip.com OR similar. see if it's actually still going through the crappy nord tunnel or your wan side?

                  • H
                    HardRooster @stephenw10
                    last edited by

                    @stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                    Yeah, this is almost certainly a DNS issue.

                    Are you passing those DNS servers to DHCP clients to use directly, in the DHCP server settings?

                    No, what you saw in the above screenshot is the only part of the DHCP server I messed with, all the settings below that are default pfSense.

                    If not, DNS may be broken entirely for some clients since their DNS requests will be forced over the VPN.

                    I see. I never passed DNS servers through clients before I'm pretty sure, I wouldn't have known how, or why I should.

                    By default clients will use the interface address for DNS which is served by Unbound in pfSense. That in turn resolves directly ignoring those DNS servers you have set unless you have set it to forwarding mode. Have you?

                    I had to look up what Unbound was, never heard of it before now. After a quick DDG search, it led me here.

                    https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html

                    Not that I hadn't already read it a few times (Understanding this kind of stuff doesn't come naturally to me)

                    But reading down the list, and thinking about what you said about interfaces, I saw something that made a very dim light come on.

                    The guide I followed to set up the VPN had me set this
                    07571659-5b64-4425-8ed9-e9beaba53810-image.png

                    So what happens if I change it?
                    be3fec77-eec9-45e5-a81e-1afa621f427c-image.png

                    Lo and behold it starts working.

                    Have I broken my privacy now? (I mean any more than it already was because I don't really know what I'm doing) whatsmyip still shows the vpn address on my computer, so I guess it's still working?

                    • H
                      HardRooster @bcruze
                      last edited by HardRooster

                      @bcruze said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                      scroll down to dns leak protection +1 https://www.techhelpguides.com/2017/06/12/ultimate-pfsense-openvpn-guide/

                      Oooh, that looks useful, I'll dive into that a bit this weekend, thank you.

                      Edit: I have a question. The guide has you set up two aliases, one for routing traffic through the VPN, and one for routing around it. I only have one alias set up, for the TVs to route around the VPN, I want everything on the network to go through the VPN otherwise, so I didn't bother with an alias. So my question is, will I be able to follow along with the guide if I keep it the way I have it, or do I need two aliases like it's set up in the guide?

                      • stephenw10S
                        stephenw10 Netgate Administrator @HardRooster
                        last edited by

                        @HardRooster said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                        Have I broken my privacy now?

                        Probably, if by that you mean are all your DNS queries going out of the WAN where your ISP can see them.
                        The actual privacy you are gaining/losing there is debatable. You are just moving who can see them to the VPN provider and their hosting.

                        But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
                        https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappings

                        Then you can set Unbound back to use the VPN. All other clients will use Unbound, and hence the VPN, but the TVs will use whatever you pass to them via their policy route, which is the WAN gateway.

                        Steve

                        H 1 Reply Last reply Reply Quote 0
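The three configurations discussed in the thread up to this point, modelled as an added example (not part of any post above, and not pfSense code). It assumes a client with no DNS server handed to it queries Unbound on the pfSense interface address, that a client given an external resolver has its queries follow its own policy route, and it uses a placeholder resolver address and made-up client names.

```python
from dataclasses import dataclass
from typing import Optional

WAN, VPN = "WAN", "VPN"
RESOLVER = "192.0.2.53"  # placeholder from the documentation range, not a real resolver


@dataclass
class Client:
    name: str                  # hypothetical device name
    route: str                 # gateway the client's traffic is policy-routed to
    dns: Optional[str] = None  # None: client queries Unbound on the pfSense address


def dns_egress(unbound_out: str, client: Client) -> str:
    """Path on which this client's DNS lookups leave the network."""
    if client.dns is None:
        # The query stops at pfSense; Unbound resolves it from its outgoing interface.
        return unbound_out
    # A query to an external resolver is ordinary traffic and follows the policy route.
    return client.route


def verdict(unbound_out: str, client: Client) -> str:
    dns = dns_egress(unbound_out, client)
    if dns == client.route:
        return "consistent"
    if dns == VPN:
        # Lookups arrive from the VPN exit while the stream comes from the WAN address.
        return "dns-over-vpn, stream-over-wan"
    # Traffic is tunnelled but the lookups are visible on the WAN side.
    return "dns-leak-to-isp"


def audit(unbound_out: str, clients) -> dict:
    return {c.name: verdict(unbound_out, c) for c in clients}


# Constructed clients: a TV routed around the VPN and a desktop routed through it.
TV_DEFAULT = Client("roku-tv", WAN)
TV_STATIC = Client("roku-tv", WAN, dns=RESOLVER)  # DNS passed via DHCP static mapping
PC = Client("desktop", VPN)

if __name__ == "__main__":
    print("guide setup (Unbound via VPN):   ", audit(VPN, [TV_DEFAULT, PC]))
    print("Unbound switched to WAN:         ", audit(WAN, [TV_DEFAULT, PC]))
    print("Unbound via VPN + DNS to the TV: ", audit(VPN, [TV_STATIC, PC]))
```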
                        • H
                          HardRooster @stephenw10
                          last edited by

                          @stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                          But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
                          https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappings

                          Steve

                          I tried this, but I'm not quite sure how to configure it. It requires that the IP addresses be outside the pool of the current interface. Is that not going to break things since it would need to be on another subnet? 192.168.2.xxx vs 192.168.1.xxx Or am I supposed to shrink my existing pool, and place the static mapping outside that pool, but on the same subnet?

                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Yes, usually the DHCP pool is smaller than the subnet in order to allow for static mappings or statically configured devices.

                            You probably aren't using 254 DHCP leases so just reduce it by 10 or so.

                            Steve

                            • B
                              bill1 @HardRooster
                              last edited by

                              Hi Folks. I have this issue also. I set the firewall up as shown. But I have a Roku3 and as far as I understand, DHCP is required, so I can't set the IP address to a fixed. Is there another way for me to isolate the Roku traffic? What if I plugged the Roku into its own port on the firewall? Right now I have a switch that the Roku is plugged in to and a home run to the firewall. Thanks in advance for the help.

                              • GertjanG
                                Gertjan @bill1
                                last edited by

                                @bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                                What if I plugged the Roku into its own port on the firewall?

                                If this port isn't part of a switched set of ports on the firewall, this means that this device will live in its own network, using its own DHCP server using a different DHCP pool.

                                @bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                                DHCP is required, so I can't set the IP address to a fixed. Is there another way for me to isolate the Roku traffic?

                                Just create a static DHCP lease for it.
                                These types of leases are - should be - outside the DHCP lease pool.
                                See what @stephenw10 said just above.

                                • B
                                  bill1 @Gertjan
                                  last edited by

                                  So, is this it? Put it on its own port AND create a static lease for it? Or just create a static lease for it and use the firewall rules for the IP addresses as above?
                                  Currently the OPT ports are configured to bridge to the LAN.
                                  As far as a static DHCP lease, I will have to figure that out. It seems straightforward if the Roku was on its own port, but not sure how to call out the Roku for the DHCP lease. Sorry for the noob questions, thanks for helping.

                                  • A
                                    akuma1x @bill1
                                    last edited by

                                    @bill1 you call out the devices for static leases by their MAC addresses.

                                    https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html

                                    Jeff

                                    • GertjanG
                                      Gertjan @bill1
                                      last edited by

                                      @bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                                      but not sure how to call out the Roku for the DHCP lease.

                                      You don't need to touch the roku device.

                                      All you need to know is its MAC address.
                                      And guess what, if the Roku obtained a lease in the past - just hook it up and boom .. you have it - you have already all the details needed.

                                      It's even better :

                                      Just click on the button, and the "Add static mapping" :

                                      2b9529fb-761c-4001-88f0-2e8de0a80612-image.png

                                      Over here :

                                      368bbb91-a40b-4706-9f3a-7cdf68a70c53-image.png

                                      you fill in an IPv4 that must be outside of your network's DHCP pool - a host name, so instead of BGTR458755fDRR you can give it a real short easy device name, and a description if needed.

                                      Done.

                                      • B
                                        bill1 @Gertjan
                                        last edited by

                                        Thanks for the help. This is the saga. I changed the network to 10.1.1.0/24, allocated 10.1.1.10 to 10.1.1.235, Got DNS to config Roku @ 10.1.1.237, and the spare bypass @ 10.1.1.236, Created the Firewall pass rule as shown... and when I tried it, got no internet. Nothing going out the WAN, at all. So I screwed around with it, but couldn't get it to work. Rolled back a config version to the 192.168.1.1 network, re-did the DHCP, rules, etc and Everything but Roku was working. So, obviously I am missing something crucial to make my LAN 10.x.x.x based. Any ideas on this would be helpful.
                                        On the Roku, some stuff works. Some channels from Spectrum, my local provider would not populate. In the channel listing, the channel number would not show, and the programming would not play. The DHCP for the Roku IP address did work.
                                        Then I had to pull the firewall back out and reset everything to get the Roku working again. My next experiment is to try a computer on the other VPN-bypass alias and see what IP address is showing from the outside. Any other ideas? Thanks

                                        GertjanG 1 Reply Last reply Reply Quote 0
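The address plan from the post above, checked against the rule given earlier in the thread that a static mapping sits on the same subnet but outside the DHCP pool. This is an added example, not part of any post and not pfSense code; the gateway 10.1.1.1, the MAC addresses and the host names are constructed, and the check covers addressing only, not firewall rules or gateways.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def check_plan(subnet, gateway, pool, mappings):
    """Return a list of problems; an empty list means the plan is consistent.

    pool is (first, last); mappings is a list of (hostname, mac, ip).
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if lo > hi or lo not in net or hi not in net:
        problems.append("pool: range is not inside the subnet")
    seen = {}
    for host, mac, addr in mappings:
        ip = ipaddress.ip_address(addr)
        mac = mac.lower().replace("-", ":")
        if not MAC_RE.match(mac):
            problems.append(f"{host}: malformed MAC address")
        if ip not in net:
            problems.append(f"{host}: {ip} is on a different subnet than {net}")
        elif ip in (net.network_address, net.broadcast_address, gw):
            problems.append(f"{host}: {ip} is reserved (network, broadcast or gateway)")
        elif lo <= ip <= hi:
            problems.append(f"{host}: {ip} is inside the dynamic pool {lo}-{hi}")
        # The same MAC or the same IP must not appear in two mappings.
        for key in (mac, str(ip)):
            if key in seen:
                problems.append(f"{host}: {key} already assigned to {seen[key]}")
            seen[key] = host
    return problems


# Subnet, pool and the two static addresses are the ones quoted in the post;
# the gateway, MACs and host names are constructed for the example.
PLAN = dict(
    subnet="10.1.1.0/24",
    gateway="10.1.1.1",
    pool=("10.1.1.10", "10.1.1.235"),
    mappings=[
        ("roku", "02:00:00:00:00:01", "10.1.1.237"),
        ("spare-bypass", "02:00:00:00:00:02", "10.1.1.236"),
    ],
)

if __name__ == "__main__":
    print(check_plan(**PLAN) or "addressing is consistent")
```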
                                        • GertjanG
                                          Gertjan @bill1
                                          last edited by

                                          @bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

                                          pull the firewall back out

                                          What firewall rule ?

                                          Btw : first make your network usable over WAN. If after a while you know everything works fine, start adding VPN stuff.
                                          If needed, make exceptions, like, among others, Netflix devices

                                          • B
                                            bill1 @Gertjan
                                            last edited by

                                            @Gertjan Thanks for helping. I am trying hard to learn this. Here is what I have done so far. BTW, I started from a complete image with the hardware, pfSense, and PIA.

                                            So I start with setting the IP subnet address

                                            36a1f81a-b42c-4948-8f8d-d0b90f61daca-image.png

                                            then config the DHCP server
                                            bb6088ae-d5a3-421e-8645-efef4066eb79-image.png

                                            leaving the high end addresses for fixed lease
                                            assign the Roku

                                            Create a bypass alias for roku + 1 more
                                            4fc8b94c-1ce1-4067-9b41-43bec5d4a925-image.png

                                            08991a49-be6b-4678-bab4-6c1b42939b6b-image.png

                                            VPN bypass rule (thinking that the destination may not be right)
                                            df4e92b3-f66a-4251-914b-f9665327d7c5-image.png

                                            with gateway setup in advanced
                                            4949e4cf-a027-4b9e-b69c-44b9cf9688b4-image.png

                                            and the WAN rules

                                            740458dd-c7da-4dad-94da-01c5c4acade5-image.png

                                            What do you think? Am I getting close?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.