Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine
-
@Gertjan yes, I was logging
-
@stephenw10 I have 2 gateways, plus the default. WAN_DHCP does not pass traffic. I don't know where it comes from or how it's configured. The Gateway field in the DHCP config is empty.
OVPNC_VPN4 takes traffic through the firewall to PIA, my VPN provider. This will pass traffic and seems to work ok. The default gateway will also pass traffic through the firewall to PIA. My goal was to find a way to route Roku traffic directly out through my ISP gateway and avoid the VPN. So far I have been unsuccessful following other posts on how they handled this.
What I have done for now is to place my previous 4p Switch/WIFI right after the cable modem. Then I plugged my switch that feeds the Roku into that. I also plugged my firewall in there and my other switch onto the firewall. I will continue to try to figure out how to get traffic around the VPN. Do you have any suggestions of things to try? Thanks for your help.
-
Did you set outbound NAT to manual and remove it from WAN in some "kill switch" crap like VPN providers seem to advocate?
If so then sure WAN will not work directly until you add back an outbound NAT rule on the WAN. Which sounds like what you might be hitting.
Steve
-
@stephenw10 That may be it. I have been trying to figure out how to undo that kill switch thing. I am not in deep cover, the VPN firewall is new. What should the outbound NAT look like?
-
I would set outbound NAT back to auto or hybrid and it will work.
But the rule you need will be something like:
Where the source includes at least the Roku device but more likely the full LAN subnet.
Steve
-
Yes, it's working. Thanks.
-
So, today is a new day. After a week or so, this morning, the Roku won't load. Let me be specific. There are some channels that will work. When I select a movie on Amazon Prime I get a message that it will not continue because I am using a VPN or proxy. Spectrum, my cable ISP, indicates as much by not populating the channel number listing with channel numbers, except for channel 1, which is the Spectrum news station. (Note that this has been working for probably a week.)
To troubleshoot this, I set up my PC with a spare fixed IP in the VPN_Bypass alias. (I put in 2, one for the Roku and one spare -- 192.168.1.236 & 237.) When I checked my IP on whatismyip.com, it showed that I am routing through the VPN (wtf?)
Then I changed the rules to route ALL traffic through the WAN_DHCP
This seemed to work. My IP showed up correctly in my city (the VPN gateway is not in my city); however, Spectrum did not work and I got the same message from Amazon Prime about the VPN or proxy.
Here is the NAT
I don't know where to go with this next. Now it is difficult to go back to my previous WIFI router because the config is changed to an AP. Please help. Thanks.
As a follow up, I changed my FW rules back to the original, routing the alias VPN_Bypass back to the WAN_DHCP. The PC I am on still was part of the VPN_Bypass alias and the ping showed correctly (no VPN). Another PC showed that it was back on the VPN, correctly with the Roku, and Spectrum. So, the question remains is why the Roku thinks it's on a VPN or proxy. Another question is why it's been working for weeks and decided to bomb today.
Thanks for your help.
-
I'm just thinking out loud now:
Was the OpenVPN client still running, and thus connected to your VPN supplier?
You still had the NAT mode set to Hybrid mode?
If both are true, probably active network states still route through your VPN, even if a firewall rule changed.
I'm still looking for something like a kill switch: with one change activate or deactivate my VPN, without the need to change several settings to enable or disable it. Purely so I know how it works: I neither need nor want to use a VPN.
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
When I select a movie on Amazon prime I get a message that it will not continue because I am using a VPN or proxy
Known and somewhat normal. Most VOD companies don't "like" VPNs because you could be situated 100 meters away, or using their services from another continent. VOD companies maintain and collect lists with known VPN suppliers, and block connections coming from them. That is, they will inform you that it's not OK to use their services through a VPN.
-
@Gertjan said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
they will inform you that it's not OK to use their services through a VPN.
Thanks for thinking on this. The message about the VPN was interesting because I was NOT on the VPN. I created an alias which was routed to WAN-DHCP, my cable modem gateway. I was able to verify that because I checked the IP online, and it was in my town. The VPN IP comes up in another state nearby. The really crazy part was that it worked fine for almost 3 weeks, then it didn't.
Update from today. The VPN slowed down to like 8/12 mbps for certain parts of my LAN. I modified the firewall to route to the WAN (avoiding the VPN) and speeds went back up to 100. I want to see if anything else changes. I agree that there could be a NAT issue.
-
Even a small device like an SG-1100 would have no trouble with a 100 Mbits stream.
Because you are using IPv4, NATting always takes place, in both directions, because your LAN is RFC1918, and the WAN is .... the world. That's what routing is all about. Life with IPv6 will get easier on you in the future (but why wait ? ^^ ).
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
The VPN slowed down to like 8/12 mbps for certain parts
I guess you just found out that VPN servers do not sell a fixed rate / speed, just 'what they have right now'.
Let's say a VPN server with a 1 Gigabit / sec pipe to the net costs about 50 $ a month.
Would you rent it out to 10 clients (VPN accounts) and then stop having more clients using that server, or leave the number of connections and clients open and see what happens? (And while doing so, you would have a free BMW and a Tesla at the end of the year, instead of a basic Ford?)
VPNs that are limited by the (your) ISP bandwidth are hard to find .... and will cost more than something like 10 $ / month.
-
@Gertjan I can live with the vpn speed, or bypass it. My main issue is that by routing through the firewall and out the WAN_DHCP port I am still seen by Roku and other streaming services as a VPN or proxy. So, I cannot get to some Roku channels, nor can I access Spectrum stations that I pay for access. How do I fix this besides demoting the firewall and installing a different DHCP server connected to the cable modem ? How about this, I can connect the Roku to its own firewall port. Is there a way to NAT that out differently, or would it make a difference ? Thanks
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
How about this, I can connect the Roku to its own firewall port. Is there a way to NAT that out differently, or would it make a difference ?
An OPTx port, which is just another 'LAN' network, uses the default gateway, which should be your WAN, or VPN.
I never tried it myself, but what you should do is:
Lock the Roku to a fixed IP, by using a static IP setup, or use the MAC DHCP Lease.
Then, because the IP is known, make a firewall rule that uses a thing that is known as "policy routing" == define the gateway for this rule.
For me, this means: when this IP = Roku sends traffic, then the assigned gateway in that rule will get used, whatever the system default gateway is.
-
As I mentioned above, I have the Roku on its own DHCP lease. I have assigned the IP to an alias called "VPN-Bypass". I route the VPN bypass traffic to the WAN-DHCP gateway to bypass the VPN. I verified that "VPN-Bypass" traffic is NOT going through the VPN by checking the IP online. YET, the Roku and Spectrum message I get says that I am connected to "a vpn or proxy". Last night, the VPN was slow so I modified the rules as below to route all traffic through the WAN-DHCP gateway, but still Roku and Spectrum return the same messages. Am I the only one that can't get this to work? Obviously my intent in the firewall setup was not to block content I am paying for. There should be a way to fix this.
-
@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
but still Roku and Spectrum return the same messages.
Is it possible to check with the Roku thing what the IP-WAN is? If it is from your ISP, then your ISP is listed as a VPN ^^
To be 100 % sure, you did stop the OpenVPN client service, right ?
-
When you change the rules that does not clear existing states that were opened by the previous rule.
So you might have had an open state still for the Roku to Amazon via the VPN. If something is holding that open it will just use that state rather than opening a new state that would then use the new rules and hence the WAN directly.
Clear the firewall states between tests.
Steve
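The stale-state situation described in the post above can be checked from the state table. The following is an added example, not part of the original thread: it scans `pfctl -ss`-style output for connections from the bypass hosts that are still bound to the VPN interface. The interface names, tunnel address and sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: list states for policy-routed hosts that still leave through
# the VPN interface after a rule change (the stale-state case described above).
# Assumptions: interface names (igb0 = WAN, igb1 = LAN, ovpnc1 = VPN client),
# the tunnel address and all sample lines are constructed; they follow the
# shape of interface-bound `pfctl -ss` output, which can differ by version.

sample_states() {
cat <<'EOF'
igb1 tcp 192.168.1.236:50112 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:61034 (192.168.1.236:50112) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
igb1 udp 192.168.1.237:40000 -> 203.0.113.9:53       MULTIPLE:SINGLE
igb0 udp 203.0.113.77:12001 (192.168.1.237:40000) -> 203.0.113.9:53       MULTIPLE:SINGLE
igb1 tcp 192.168.1.50:50200 -> 198.51.100.30:443       ESTABLISHED:ESTABLISHED
ovpnc1 tcp 10.8.0.6:55001 (192.168.1.50:50200) -> 198.51.100.30:443       ESTABLISHED:ESTABLISHED
EOF
}

# usage: pfctl -ss | stale_vpn_states <vpn_if> <host> [host ...]
stale_vpn_states() {
    vpn_if=$1; shift
    awk -v ifn="$vpn_if" -v hosts="$*" '
        BEGIN { n = split(hosts, h, " ") }
        $1 != ifn { next }            # only states bound to the VPN interface
        {
            dst = ""
            for (f = 2; f < NF; f++) if ($f == "->") dst = $(f + 1)
            # literal match on "ip:" so 192.168.1.23 never matches 192.168.1.236
            for (i = 1; i <= n; i++)
                if (index($3, h[i] ":") == 1 || index($0, "(" h[i] ":") > 0)
                    print h[i], "->", dst, "via", ifn
        }'
}

# Constructed run: .236 and .237 are the VPN_Bypass addresses from the thread.
sample_states | stale_vpn_states ovpnc1 192.168.1.236 192.168.1.237
# Any line printed is a connection still pinned to the VPN; `pfctl -k <host>`
# kills the states originating from that host so the next packet is
# re-evaluated against the current rules.
```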
-
@Gertjan said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
Is it possible to check with the Roku thing what the IP-WAN is ?
I did verify that the Roku picked up the correct allocated IP in the "Bypass_VPN" alias. Also I allocated another IP within the VPN_Bypass alias. I assigned a PC this address and verified that the IP was not going through the VPN. However, I did not stop the VPN service. I will try that for sure. Thanks
-
@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:
might have had an open state
Hey, I think you are on to something. Over the many hours of startup learning, I was beginning to think that there was some kind of latent setting that wasn't resetting. I have re-booted the firewall, tried stopping and restarting services, but I noticed that when I get something working, it often does not stay working. The next morning, for example. Could also happen days or weeks.
OK, I reset the states and it worked. I have the Spectrum channels back. Now I just have to un-do the work around and see if I can get the other traffic back through the VPN.
-
Ugh, still not working. I thought it was because the channel numbers were populating, but not any more. I still get the message that I am on a proxy or VPN.
This is the rules table
All traffic is going to the WAN-DHCP. I verified this by checking the IP. I also shut down the VPN service. Any ideas on what I can check next?
-
Under source it should list your Alias with the correct IP of the device, not lan.net.