Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Am I getting close?
Looking good to me, except the last image : WAN rules. The last two shouldn't be there.
Note if the VPN_Bypass rule on LAN works, the counters in front of the rule 0/0 right now, start to count. This means the rule matches traffic.
-
I deleted the last 2. Now I get a message that all incoming connections will be blocked until pass rules are enabled. Is this right ?
-
@bill1 Yep, nothing will come in from the outside world, the internet basically. And that's the way you want your WAN interface to handle traffic, unless there's a very specific reason to allow traffic in.
pfsense sets up "states" for any internal traffic talking out to the internet. This is traffic that the internal machines initiate first, then a server or other computer out on the internet answers back. This type of traffic is passed normally. When you DON'T want internal machines answering outside computers is when the outside computer knocks on your door (firewall) first, without an internal machine asking for it. That is bad. pfsense is programmed to NOT accept, or answer back, to this type of outside traffic.
https://docs.netgate.com/pfsense/en/latest/book/firewall/firewall-fundamentals.html#firewall-stateful
Jeff
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
I deleted the last 2. Now I get a message that all incoming connections will be blocked until pass rules are enabled. Is this right ?
Deleted these :
that were present on the WAN interface, right?What messages ?
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Now I get a message that all incoming connections will be blocked until pass rules are enabled
You see that message if you removed all the rules from an interface. That doesn't include the auto generated block private IPs and bogons though. So, yes, that is right if you removed those two rules from WAN.
Steve
-
That was my bad. On the WAN, i do want to deny incoming connections. Its a Firewall right?
I still have a feeling that the Roku issue isnt resolved yet. I have to put the firewall back in and try. The problem is that my wife is working from home and needs the internet, so I cant screw with it at just any time. Plus, the equipment is in the background shot for her Zoom meetings. (The initial problem is that certain Spectrum channels will not work)
-
OK, just spent 5 or 6 hours on this. I learned a lot, except how to get what I want to work. Generally, Roku works for the most part.
When I follow directions to route my alias VPN_Bypass to the WAN_DHCP gateway (under advanced>gateway) Roku does NOT work. It will work, however, if "default" is selected. What I do not understand is why, because when I look up under settings, they seem to be the same. Even with Roku working, my cable modem provider, Spectrum, on their Roku channel, very few channels will work. The message is something like "connect to the internet" for the channels that dont work, which is most. A very few channels will work though. I dont know what to do next. Here is another tidbit, If i disable the VPN_Bypass rule completely, nothing changes (Roku works, Spectrum same)
Any ideas anybody? Would it be possible to put another switch after the cable modem, plus the Roku and firewall into that ? Seems un-elegant. -
@akuma1x So help me understand whats going on here. Below is my log and the WAN is rejecting tons of requests IPV4 & IPV6
LMK if I am posting something I shouldnt. thanks -
Hi,
Yours is checked ?
-
When you specify a gateway all traffic matching that rule us forced via that gateway. When you leave the gateway as default the system routing table is used.
What DNS server is being handed to the Roku via DHCP? If it's the LAN address that will not work with WAN_DHCP set because it will be forced via the WAN and never reach the pfSense DNS service.
With default set it will reach it (Unbound or DNSmasq) but if those are configured to use the VPN, as VPN providers often instruct people to set, it will cause a problem for streaming because the DNS lookup location will not match the WAN location.
You probably need to pass an external DNS server to the Roku to use that will then be valid via the VPN_Bypass rule.The firewall should block unsolicited connections on WAN which is what those are. You have posted your WAN IP in that log which is generally unadvisable. If your WAN is dynamic it's not a huge deal though.
Steve
-
@Gertjan yes, I was logging
-
@stephenw10 I have 2 gateways, plus the default. WAN_DHCP does not pass traffic. I dont know where it comes from or how its configured. The Gateway field in the DHCP config is empty.
OVPNC_VPN4 takes traffic through the firewall to PIA, my VPN provider. This will pass traffic and seems to work ok. The default gateway will also pass traffic through the firewall to PIA. My goal was to find a way to route Roku traffic directly out through my ISP gateway and avoid the VPN. So far I have been unsuccessful following other posts on how they handled this.
What I have done for now, is to place my previous 4p Switch/ WIFI right after the cable modem. Then I plugged my switch that feeds the Roku into that. I also plugged my firewall in there and my other switch onto the firewall. I will continue to try to figure out how to get traffic around the VPN. Do you have any suggestions of things to try? Thanks for your help. -
Did you set outbound NAT to manual and remove it from WAN in some "kill switch" crap like VPN providers seem to advocate?
If so then sure WAN will not work directly until you add back an outbound NAT rule on the WAN. Which sounds like what you might be hitting.Steve
-
@stephenw10 That may be it. I have been trying to figure out how to undo that kill switch thing. I am not in deep cover, the VPN firewall is new. What should the outbound NAT look like?
-
I would set outbound NAT back to auto or hybrid and it will work.
But the rule you need will be something like:
Where the source includes at least the Roku device but more likely the full LAN subnet.
Steve
-
yes, its working. thanks
-
So, today is a new day. After a week or so, this morning, the Roku wont load. Let me be specific. There are some channels that will work. When I select a movie on Amazon prime I get a message that it will not continue because I am using a VPN or proxy. Spectrum, my cable ISP, indicates as much by not populating the channels number listing with channel numbers, except for channel 1, which is the Spectrum news station. (Note that this has been working for probably a week)
To troubleshoot this, I set up my pc with a spare fixed IP in the VPN_Bypass alias. (I put in 2, 1 for the Roku and one spare-- 192.168.1.236 & 237. When I checked my IP on whatismyip.com, it showed that I am routing through the VPN (wtf?)
Then I changed the rules to route ALL traffic through the WAN_DHCP
This seemed to work. My IP showed up correctly in my city (the VPN gateway is not in my city) however, Spectrum did not work and I got the same message from Amazon prime about the VPN or proxy.
Here is the NAT
I dont know where to go with this next. Now it is difficult to go back to my previous WIFI router because the config is changed to an AP. Please help. Thanks.
As a follow up, I changed my FW rules back to the original, routing the alias VPN_Bypass back to the WAN_DHCP. The PC I am on still was part of the VPN_Bypass alias and the ping showed correctly (no VPN). Another PC showed that it was back on the VPN, correctly withthe Roku, and Spectrum. So, the question remains is why the Roku thinks its on a VPN or proxy. Another question is why its been working for weeks and decided to bomb today.
Thanks for your help. -
I'm just thinking out loud now :
Was the OpebVPN client still running, and this connected to your VPN supplier ?
You still had the NAT mode set to Hybrid mode ?
If both are true, probably active network states still routes through your VPN, even if a firewall changed.I'm still looking for something like a kill switch : with one change activate or deactivate my VPN, without the need to change several settings to enable or disable it. Purely so I know how it work : I don't need neither want to use a VPN.
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
When I select a movie on Amazon prime I get a message that it will not continue because I am using a VPN or proxy
Known and some what normal. Most VOD comapnies don't "like" VPN's because you could be situated 100 meters away, or using their services from an another contingent. VOD companies maintain and collect lists with known VPN suppliers, and block connections coming from them. That is, they will inform you that it's not OK to use their services through a VPN.
-
@Gertjan said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
hey will inform you that it's not OK to use their services through a VPN.
Thanks for thinking on this. The message about the VPN was interesting because I was NOT on the VPN. I created an alias which was routed to WAN-DHCP, my cable modem gateway. I was able to verify that because I checked the IP online, and it was in my town. The VPN ip comes up in another state nearby. The really crazy part was that it worked fine for almost 3 weeks, then it didnt.>............................................Update from today. The VPN slowed down to like 8/12 mbps for certain parts of my LAN. I modified the firewall to route to the WAN (avoiding the VPN) and speeds went back up to 100. I want to see if anything else changes. I agree that there could be a NAT issue.
-
Even a small device like a SG-1100 would have no troubles with a 100 Mbits stream.
Because you are using IPv4, NATting takes always place, in both directions, because your LAN is RFC1918, and the WAN is .... the world. That's what's routing is all about. Live with IPv6 will get easier on you in the future (but why wait ? ^^ ).@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
The VPN slowed down to like 8/12 mbps for certain parts
I guess you just found out that VPN servers do not sell a fixed rate / speed, just 'what they have right now'.
Let's say a VPN server with an 1 Gigabit / sec pipe to the net costs about 50 $ a month.
Would you rent it out to 10 clients (VPN accounts) and then stop having more clients using that server, or leave the number of connections and clients open and see what happens ? (and while doing so, you would a a free BMW and a Tesla at the end of the year, instead of a basic Ford ?)
VPN's that are limited by the (your) ISP bandwidth are hard to find .... and will cost more then something like 10 $ / month.
