Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine

bill1 · Jun 5, 2020, 3:45 PM

As I mentioned above, I have the Roku on its own DHCP lease. I have assigned the ip to an alias called "VPN-Bypass" I route the VPN bypass traffic to the WAN-DHCP gateway to bypass the vpn. I verified that "VPN-Bypass" traffic is NOT going through the VPN by checking the IP online. YET, the Roku and Spectrum message I get says that I am connected to "a vpn or proxy" Last night, the VPN was slow so I modified the rules as below to route all traffic through the WAN-DHCP gateway. but still Roku and Spectrum return the same messages. Am I the only one that cant get this to work? Obviously my intent in the firewall setup was not to block content I am paying for. There should be a way to fix this.

login-to-view

Gertjan · Jun 6, 2020, 6:35 AM

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

but still Roku and Spectrum return the same messages.

Is it possible to check with the Roku thing what the IP-WAN is ? If it is your from your ISP, then your ISP is listed as a VPN ^^

To be 100 % sure, you did stop the OpenVPN client service, right ?

stephenw10 · Jun 6, 2020, 9:43 PM

When you change the rules that does not clear existing states that were opened by the previous rule.
So you might have had an open state still for the Roku to Amazon via the VPN. If something is holding that open it will just use that state rather than opening a new state that would then use the new rules and hence the WAN directly.

Clear the firewall states between tests.

Steve

bcruze · Jun 7, 2020, 11:25 AM

This post is deleted!

bill1 · Jun 8, 2020, 1:22 PM

@Gertjan said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

Is it possible to check with the Roku thing what the IP-WAN is ?

I did verify that the Roku picked up the correct allocated ip in the "Bypass_VPN" alias. Also I allocated another ip within the VPN_Bypass alias. I assigned a pc this address and verified that the IP was not going through the VPN. However, I did not stop the VPN service. I will try that for sure. Thanks

bill1 · Jun 8, 2020, 1:40 PM

@stephenw10 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

might have had an open state

Hey, I think you are on to something. Over the many hours of startup learning, I was beginning to think that there was some kind of latent setting that wasnt resetting. I have re-booted the firewall, tried stopping and restarting services, but I noticed that when I get something working, it often does not stay working. The next morning, for example. Could also happen days or weeks. *******************!!!!!!!!!!!!!! OK,I reset the states and it worked. I have the Spectrum channels back. Now I just have to un-do the work around and see if I can get the other traffic back through the VPN.

bill1 · Jun 8, 2020, 3:51 PM

ugh, still not working. I thought it was because the channel numbers were populating, but not any more. I still get the message that I am on a proxy or VPN.

This is the rules table
login-to-view
All traffic is going to the WAN-DHCP. I verified this by checking the IP. I also shut down the VPN service. Any ideas on what I can check next?

bcruze · Jun 8, 2020, 4:25 PM

under source it should list your Alias with the correct IP of the device. not lan.net

bill1 · Jun 8, 2020, 4:44 PM

@bcruze in this case I am trying to eliminate the VPN. I shut down the VPN service and the 2nd rule should take all traffic through the WAN_DHCP gateway. What I do not understand is why I cant stream from Spectrum. The message is that I am on a VPN or proxy. Spectrum says disable that to continue. Also, I get the same message on the Roku amazon. No streaming to a vpn. But the best I can tell, I am not on a VPN.

bmeeks · Jun 8, 2020, 6:30 PM

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

@bcruze in this case I am trying to eliminate the VPN. I shut down the VPN service and the 2nd rule should take all traffic through the WAN_DHCP gateway. What I do not understand is why I cant stream from Spectrum. The message is that I am on a VPN or proxy. Spectrum says disable that to continue. Also, I get the same message on the Roku amazon. No streaming to a vpn. But the best I can tell, I am not on a VPN.

Exactly how did you configure the VPN originally? Most every set of VPN setup instructions from the various providers fail to instruct you to check the box for "Don't Pull Routes" during the setup on pfSense. When not checked, this setting causes the default route to be pulled from your VPN provider host and this default route can override your actual WAN gateway provided by your ISP. That very well might be what is happening to you. Even with the VPN "turned off", that default route could still be causing you problems. When you do policy-based routing you should always check the "Don't Pull Routes" checkbox. The short version is that with your VPN provider set as the "default route", all of your traffic including non-encrypted non-VPN traffic will still get routed through your VPN provider's networks. This will trigger the "you appear to be using a proxy or VPN message".

I have not carefully and throughly read every single post in this kind of lengthy thread, so forgive me if this has already been checked out. But this is something you need to check on if you have not already done so.

bill1 · Jun 8, 2020, 6:46 PM

@bmeeks said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

check the box for "Don't Pull Routes

OK, I checked the box. This was not mentioned before. We will see what happens when I go back to the VPN. For now I got it working again. Yes, Roku and Spectrum stream (yea)!!. What I did (I think) to get it working was that I disabled all the outgoing NAT Hybrid rules
login-to-view
Could this be related?
I will give it a little time and then see if i can get the other traffic back through the VPN.
This IS progress. Thanks

bmeeks · Jun 8, 2020, 6:56 PM

@bill1 said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

@bmeeks said in Roku TV - pfSense - OpenVPN - : Netflix, Hulu, QVC won't stream at all, Prime streams fine:

check the box for "Don't Pull Routes

OK, I checked the box. This was not mentioned before. We will see what happens when I go back to the VPN. For now I got it working again. Yes, Roku and Spectrum stream (yea)!!. What I did (I think) to get it working was that I disabled all the outgoing NAT Hybrid rules
login-to-view
Could this be related?
I will give it a little time and then see if i can get the other traffic back through the VPN.
This IS progress. Thanks

You will likely need a few of those NAT rules in place for the VPN to function. You can selectively enable them for testing and see what is required. Don't forget, when testing the VPN, to also test your services that should NOT be going over the VPN to be sure they still work.

I'm betting the "Dont' Pull Routes" setting was a part of your problem. Most VPN setup instructions don't mention that because they assume you will always be sending all of your traffic to them over the VPN tunnel. However, when you want to send some traffic over the VPN but other traffic through your regular ISP, you need to be sure your default route is not changed to be that of your VPN provider. That's what that checkbox does.

stephenw10 · Jun 10, 2020, 2:05 PM

At least you still have those WAN NAT rules. Many VPN providers have you remove them to give a feature they totally confusingly name "Kill Switch". Fail Safe would have been much better but I guess that didn't justify their existence sufficiently.
Anyway the problem here was likely that the default route was changed causing Unbound to use the VPN for DNS queries and services like Netflix will detect that and block you.

Steve