Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine

HardRooster

@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

But what you could do is pass DNS servers to the TVs to use via DHCP static mappings (which I assume you have set otherwise the policy routing might break):
https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html#static-ip-mappings

Steve

I tried this, but I'm not quite sure how to configure it. It requires that the IP addresses be outside the pool of the current interface. Is that not going to break things since it would need to be on another subnet? 192.168.2.xxx vs 192.168.1.xxx Or am I supposed to shrink my existing pool, and place the static mapping outside that pool, but on the same subnet?

stephenw10

Yes, usually the DHCP pool is smaller than the subnet in order to allow for static mappings or statically configured devices.

You probably aren't using 254 dhcp leases so just reduce it by 10 or so.

Steve

bill1

Hi Folks. I have this issue also. I set the firewall up as shown. But I have a Roku3 and as far as I understand, DHCP is required, so I cant set the IP address to a fixed. Is there another way for me to isolate the Roku traffic? What if I plugged the Roku into its own port on the firewall? Right now I have a switch that the Roku is plugged in to and a home run to the firewall. Thanks in advance for the help.

Gertjan

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

What if I plugged the Roku into its own port on the firewall?

If this port isn't part of a switched set of port on the firewall, this means that this device will live in it's own network, using it's own DHCP server using a different DHCP pool.

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

DHCP is required, so I cant set the IP address to a fixed. Is there another way for me to isolate the Roku traffic?

Just create a static DHCP lease for it.
These type of lease are - should be - outside the DHCP lease pool.
See what @stephenw10 said just above.

bill1

So, is this it? Put it on its own port AND create a static lease for it ? Or just create a static lease for it and use the firewall ruls for the IP addresses as above?
Currently the OPT ports are configured to bridge to the LAN.
As far as a static DHCP lease, i will have to figure that out. It seems straight forward if the Roku was on its own port, but not sure how to call out the Roku for the DHCP lease. Sorry for the noob questions, thanks for helping.

akuma1x

@bill1 you call out the devices for static leases by their MAC addresses.

https://docs.netgate.com/pfsense/en/latest/dhcp/dhcp-server.html

Jeff

Gertjan

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

but not sure how to call out the Roku for the DHCP lease.

You don't need to touch the roku device.

All you need to know is it's MAC address.
And gues what, if rock obtained a lease in the past - just hook it up and boom .. you have it - you have already all the details needed.

It's even better :

Just click on the button, and the "Add static mapping" :

Over here :

you fill in a IPv4 that must be outside of your network's DHCP pool - a host name, so instead of BGTR458755fDRR you can give it a real short easy device name, and a description if needed.

Done.

bill1

Thanks for the help. This is the saga. I changed the network to 10.1.1.0\24, allocated 10.1.1.10 to 10.1.1.235, Got DNS to config Roku @ 10.1.1.237, and the spare bypass @ 10.1.1.236, Created the Firewall pass rule as shown... and when I tried it, got no internet. Nothing going out the wan, at all. So I screwed around with it, but couldnt get it to work. Rolled back a config version to the 192.168.1.1 network, re-did the DHCP, rules, etc and Everything but Roku was working. So, obviously I am missing something crucial to make my LAN 10.x.x.x based. Any Ideas on this would be helpful.
On the Roku, some stuff works. Some channels from Spectrum, my local provider would not populate. In the channel listing, the channel number would not show, and the programming would not play. The DHCP for the Roku IP address did work.
Then I had to pull the firewall back out and reset everything to get the Roku working again. My next experiment is to try a computer on the other VPN-bypass alias and see what IP address is showing from the outside. Any other ideas? Thanks

Gertjan

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

pull the firewall back out

What firewall rule ?

Btw : first make your network usable over WAN. If after a while you know everything works fine, start adding VPN stuff.
If needed, make exceptions, like, among others, Netflix devices

bill1

@Gertjan Thanks for helping. I am trying hard to learn this. Here is what I have done so far. BTW, i started from a complete image with the hardware, pf sense, and PIA

So I start with setting the IP subnet address

then config the DHCP server

leaving the high end addresses for fixed lease
assign the Roku

Create a bypass alias for roku + 1 more

VPN bypass rule (thinking that the destination may not be right)

with gateway setup in advanced

and the WAN rules

What do you think? Am I getting close?

Gertjan

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

Am I getting close?

Looking good to me, except the last image : WAN rules. The last two shouldn't be there.

Note if the VPN_Bypass rule on LAN works, the counters in front of the rule 0/0 right now, start to count. This means the rule matches traffic.

bill1

I deleted the last 2. Now I get a message that all incoming connections will be blocked until pass rules are enabled. Is this right ?

akuma1x

@bill1 Yep, nothing will come in from the outside world, the internet basically. And that's the way you want your WAN interface to handle traffic, unless there's a very specific reason to allow traffic in.

pfsense sets up "states" for any internal traffic talking out to the internet. This is traffic that the internal machines initiate first, then a server or other computer out on the internet answers back. This type of traffic is passed normally. When you DON'T want internal machines answering outside computers is when the outside computer knocks on your door (firewall) first, without an internal machine asking for it. That is bad. pfsense is programmed to NOT accept, or answer back, to this type of outside traffic.

https://docs.netgate.com/pfsense/en/latest/book/firewall/firewall-fundamentals.html#firewall-stateful

Jeff

Gertjan

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

I deleted the last 2. Now I get a message that all incoming connections will be blocked until pass rules are enabled. Is this right ?

Deleted these :

that were present on the WAN interface, right?

What messages ?

stephenw10

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

Now I get a message that all incoming connections will be blocked until pass rules are enabled

You see that message if you removed all the rules from an interface. That doesn't include the auto generated block private IPs and bogons though. So, yes, that is right if you removed those two rules from WAN.

Steve

bill1

That was my bad. On the WAN, i do want to deny incoming connections. Its a Firewall right?

I still have a feeling that the Roku issue isnt resolved yet. I have to put the firewall back in and try. The problem is that my wife is working from home and needs the internet, so I cant screw with it at just any time. Plus, the equipment is in the background shot for her Zoom meetings. (The initial problem is that certain Spectrum channels will not work)

bill1

OK, just spent 5 or 6 hours on this. I learned a lot, except how to get what I want to work. Generally, Roku works for the most part.

When I follow directions to route my alias VPN_Bypass to the WAN_DHCP gateway (under advanced>gateway) Roku does NOT work. It will work, however, if "default" is selected. What I do not understand is why, because when I look up under settings, they seem to be the same. Even with Roku working, my cable modem provider, Spectrum, on their Roku channel, very few channels will work. The message is something like "connect to the internet" for the channels that dont work, which is most. A very few channels will work though. I dont know what to do next. Here is another tidbit, If i disable the VPN_Bypass rule completely, nothing changes (Roku works, Spectrum same)
Any ideas anybody? Would it be possible to put another switch after the cable modem, plus the Roku and firewall into that ? Seems un-elegant.

bill1

@akuma1x So help me understand whats going on here. Below is my log and the WAN is rejecting tons of requests IPV4 & IPV6

LMK if I am posting something I shouldnt. thanks

Gertjan

Hi,

Yours is checked ?

stephenw10

When you specify a gateway all traffic matching that rule us forced via that gateway. When you leave the gateway as default the system routing table is used.
What DNS server is being handed to the Roku via DHCP? If it's the LAN address that will not work with WAN_DHCP set because it will be forced via the WAN and never reach the pfSense DNS service.
With default set it will reach it (Unbound or DNSmasq) but if those are configured to use the VPN, as VPN providers often instruct people to set, it will cause a problem for streaming because the DNS lookup location will not match the WAN location.
You probably need to pass an external DNS server to the Roku to use that will then be valid via the VPN_Bypass rule.

The firewall should block unsolicited connections on WAN which is what those are. You have posted your WAN IP in that log which is generally unadvisable. If your WAN is dynamic it's not a huge deal though.

Steve