PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs
-
Happy Holidays everyone, any help is super appreciated.
I'm brand new to pfSense (installed last night), but comfortable in this area.
This one has me stumped for the last few hours– only Netflix and Hulu can no longer connect over specific devices.
iPhone 7 & iPad Pro - working great
Windows PC - working great
Macbook Air - working great
Android Tablet / Roku Smart TVs - Netflix "NW-2-5" error when connecting ; Hulu - previews load, when trying to watch a stream I get "something is wrong with your connection"Firewall logs at the time of connection show nothing from these device IPs.
I've spent ~30 minutes searching for this same error
Anyone heard of this before?
-
Shoot happens with Amazon Video on Android / Smart TVs too.
I'm tempted to hardwire the TVs into ISP routers / skipping the pfSense firewall.
Found another other thread– but dude didn't remember his fix.
https://forum.pfsense.org/index.php?topic=141791.0 -
And it gets worse.
Amazon Echo and Echo Dot no longer connect / even when going through factory reset.
Crap– what could be going on?
-
https://forum.pfsense.org/index.php
Like this?
-
firewall > rules > lan
add a static entry for each of the devices.
edit the gateway of EACH statically created device and change it to gateway/ WAN interface.
this works for both PIA and nordvpn
-
firewall > rules > lan
add a static entry for each of the devices.
edit the gateway of EACH statically created device and change it to gateway/ WAN interface.
this works for both PIA and nordvpn
thanks, but it unfortunately didn't make a difference
Network: 192.168.100.20/32 (IP address of a Smart TV)
Gateway: 192.168.2.1 (Gateway of WAN2)
Interface: <interface is="" correct="">I'm using dual-WANs through a gateway group.</interface> -
I'm also not using a VPN.
It's just pfSense 2.4.2 basic configuration w/ a gateway group setup for Dual WANs.
I'm going to erase and install 2.3.5
-
pfSense 2.3.5, out of the box, didn't configure anything but 1 WAN and LAN through the initial install prompts.
Same situation- Netflix, Hulu, Amazon Video all fail to load on the Smart TVs.
Zero issues with Apple and MSFT products.
This is really frustrating
-
IPV6 in play?
-
IPV6 in play?
Got it disabled / set to "None" on the WAN / LAN interfaces
Temporarily setup a Floating Firewall rule to Deny any IPv6 Traffic - source anywhere, destination anywhere– but didn't make a difference.
Poor Amazon Echo won't connect either :/
-
Hi,
Heres what i have done. Please make an alias with all the static assigned IP's of media devices. Create a floating rule for that alias and ope the ports for it. I think i have 80 and 443 and then all the ephemeral ports. You can google the range for ephemeral ports.
Please see the attached screen shot of my floating rule for media devices. Also if you have squid, by pass the rule for those ip's.Please let me know if you are still stuck,
thanks,
molykule
-
Hi,
Heres what i have done. Please make an alias with all the static assigned IP's of media devices. Create a floating rule for that alias and ope the ports for it. I think i have 80 and 443 and then all the ephemeral ports. You can google the range for ephemeral ports.
Please see the attached screen shot of my floating rule for media devices. Also if you have squid, by pass the rule for those ip's.Please let me know if you are still stuck,
thanks,
molykuleI copied your floating firewall rule starting w/ 1 Smart TV IP – added Alias for ports 80, 443, and 49152:65535, however the issue still persists.
Another weird thing I noticed, the "sign in" button on pfchangs.com doesn't trigger the pop-up; happens on all computers. Works when I switch to Wifi off ISP modem.
For what it's worth, I installed and did the basic config of OpenSense-- same issues there too.
Here's my full setup if this helps...
WAN 1 -> Time Warner Coax -> Netgear Modem -> Linksys Velop Router -> PCIe Dual Nic Port 1 (WAN1 in)
WAN 2 -> ATT Uverse Copper -> ATT Modem/Router Combo -> PCIe Dual Nic Port 2 (WAN2 in)
LAN out -> Netgear Gigabit Switch -> Wired Devices / Wifi Controller in Bridged modem (DHCP on wifi controller turned off)Ubuntu 16 Desktop Parent Host
1x Onboard NIC (LAN in)
1x PCIe NIC (LAN out)
1x PCEe Dual Nic ( WAN1 in, WAN2 in)Virtual Box- VM Hosting pFSense 2.4.2
Bridged Adapters for WAN1 in (em0) WAN2 in (em1) LAN1 out (em2) - > Promiscuous Mode - Deny All on all adaptersWAN1 em0: 192.168.2.x (assigned by DHCP of Linksys Router)
WAN2 em1: 192.168.1.x (assigned by DHCP of ATT Modem/Router Combo)
LAN em2: 192.168.100.1 (gateway for local network devices / issuing DHCP)DNS: I disable internal DNS server from pfSense. I have LAN DHCP server set to use a custom DNS IP for devices-- a Raspberry Pi thats running PiHole
-
I ran into lots of issues because of the following
1. Pfsense loves intel Nic’s (not your issue just throwing it out there)
2. Clear the blacklisted ip addresses
3. (do u have snort enabled?) if yes what rules sources Are you using? -
I ran into lots of issues because of the following
1. Pfsense loves intel Nic’s (not your issue just throwing it out there)
2. Clear the blacklisted ip addresses
3. (do u have snort enabled?) if yes what rules sources Are you using?Nothing blacklisted. All NICs are physically Intel except 1, but they're all Intel emulated within Virtualbox.
For now, I have the TVs connected to the Linksys Velop Wifi (different than my regular wifi controller) / bypassing pfSense. On the CODELQ traffic shaper for that WAN, I reduced the speed 12mbits leaving room for the TVs if my main network is saturating the circuits.
Not sure what snort is, unless it's enabled and installed by default, I don't have it.
It's frustrating to the point where I'd pay someone $50 to fix it. Any takers :)?
-
You have to enable IPV6 from lan to wan.
I had the same issue. My guess is that it is part of the anti-VPN measures Netflix et Al have put in place
-
@ccnewb
Hey,
Are you using DNS Resolver? -
@yanik @usedtolosing : why are you replying against a 4 years old thread ?
-
@gertjan because I found a solution, and I had a problem.
Google still returns search results for old threads.
Why are you replying to a 4 year old thread?
-
@usedtolosing said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
Google still returns search results for old threads.
pfSense, dated 4 years ago has close to nothing to do with pfSense today.
Like applying a Windows XP solution on Wiondows 10.
Are you using a pfSense version from 2017 ? -
@usedtolosing
How did you enable IPv6 from LAN to WAN?
This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast. -
@truetype said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
@usedtolosing
How did you enable IPv6 from LAN to WAN?
This thread may be old, but it's still an Issue with Chromecast 4th gen and Netflix. Although it works when I make a floating rule to pass all for the Chromecast.Yup, I am facing this crazy issue tonight.
Netflix will not let my android login. If I switch off of using pfSense DNS then it works immediately every time.
This is so bizarre. There is nothing in the firewall logs. Nothing. Even pcap is useless, it's like it doesn't show any traffic because the client never gets a DNS response for Netflix. So it never tries to connect.
It is 100% something with DNS. Even if I connect to another vlan it's the same problem. I disabled all firewalling, everything, changed firewall to use Google DNS...last resort would be to try disabling caching I guess.
I'm a senior network admin and this problem is driving me crazy.
Edit: enabling DNS forwarding mode fixes the issue. This is definitely some kind of unbound issue....SO weird.
-
After some further reading this appears to be due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.
When googling e.g 'unbound netflix' more information seems to be coming up. Unbound does support ECS but I've no idea how to go about enabling that in pfSense.
Some workarounds are to set forwarding zones for specific hostnames so that it always sends queries for those domains to upstream servers (hence why forwarding mode works immediately). But it gets cumbersome as Netflix has many hostnames.
E.g:
forward-zone: name: "netflix.com" forward-addr: 8.8.8.8
From https://www.reddit.com/r/pihole/comments/n5ne6b/pihole_unbound_netflix_issues/
-
If people /networks that use pfSense as a firewall router had issues using 'netflix.com' then this would be a hot, ongoing issue on this forum, the unbound support forum, etc.
Actually, every FreeBSD user, as FreeBSD uses unbound by default, would face the issue.
And more : Netflix itself is one of FreeBSD's biggest FreeBSD users .....So, I say it upfront : sorry for not being able to help, but : what did you do to not making it work ?
It's not hard to create a default pfSrnse installation : after install, connect the WAN.
LAN : same thing - don't use any VLAN stuff... keep the one and only default LAN firewall rule.
Just change the password.
Do not add or change anything related to DNS, as pfSense uses unbound, a solver, so nothing (like zero) is needed to make DNS work.netflix works ....
Now, get your setup back to what it is now .... netflix doesn't work.You've found the issue ;)
-
So this is not an IPv6 specific issue?
I've never seen an issue logging into Neflix with an Android based smart TV behind pfSense here. It could be regional I guess.
-
@stephenw10 I don't have a Chromecast, specifically this seems to be android phones.
As to why just android phones .. I don't know.
Definitely a DNS thing and not an ipv6 thing.
-
@incith Only android devices I have is a tablet, and firetv stick thing - I just checked both - and no issues accessing netflix. While I have ipv6 via a HE tunnel, the network my firetv and tablet are on don't have Ipv6 enabled.
-
@stephenw10 said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
It could be regional I guess.
I have READ that they are not VPN friendly. Carry on.
And greetings from The Future! -
@johnpoz For me it was specifically logging in. It worked fine until I logged out, then the sign on screen would not come back on first launch (clear data on app).
I also noticed the Netflix app aggressively trying to use 8.8.8.8 and 8.8.4.4 but I had external DNS blocked.
Unblocking those did not resolve the issue either.
Also was happening on wife's phone. I had full dnssec enabled, not sure if that matters.On my phone, specifying public DNS servers would immediately present the login page again. But no matter what I did on pfSense it would never work.
Occasionally, one time, out of dozens of attempts if would load the login screen - but only once. Second attempt back to nothing. It's like every now and then after flushing the cache I'd get the very first DNS response that perhaps has ecs data. I had dnssec enabled etc etc, and tls DNS. Even disabling all of that didn't work.
Disabled pfblocker, suricata, arpwatch, etc. Nothing worked. Nothing in the logs at all (just the 8.8.8.8 being blocked originally - and I was like "oh this will be an easy fix...I'll just allow Google DNS." Nope.)
Honestly, this is slightly out of my realm but I am 100% convinced it is DNS related.
-
Mmm, FireTV and GoogleTV (or whatever they were calling it) are both Android based and I'd expect to hit something like this.
It's possible they use a different (older?) version of the Netflix app which doesn't include this 'feature' I guess.
-
@incith said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
due to ECS responses - which adds geolocation type data to the DNS query. Unbound seems to be having some problems with that in pfSense.
The module is not enabled in unbound that is on pfsense AFAIK, and testing points to that being the case.. So for example if I do a query to pfsense to
$ dig TXT whoami.ds.akahelp.net @192.168.9.253 +short "ns" "209.snipped"
This is my IP where the query came from.. but listed as NS since yeah that would be the IP where the query came from when resolving. If I query say 8.8.8.8 I get back
$ dig TXT whoami.ds.akahelp.net @8.8.8.8 +short "ip" "209.snipped" "ecs" "209.snipped/24/24" "ns" "172.253.192.78"
Where the ecs is the /24 my IP is on.. the IP is reported as my public IP, also correct, and the ns is whatever google ns actually did the query to get the record.
Not sure why you think that should cause you not to be able to connect to netflix?
-
@johnpoz again it doesn't appear to be the actual 'connection to netflix', either it can't locate an appropriate regional login server or who knows. I haven't investigated that far.
In my testing, this was the solution, and seemingly for others online as well - the only common variable being ECS.
If there was something else blocking the connection I would have seen it in pcaps or etc. The fact it works immediately when forwarding DNS requests...
If not ECS, it will STILL be a DNS issue of some kind. My money is on ECS.
Netflix does a ton of anti-vpn stuff from what I've read and I feel this is the likely reason - but that's just a guess. Since they don't know where you're connecting from in the ecs they reject it.
-
I'd be more than happy to reproduce the results if wanted. Any insight I can provide, I will.
-
I agree, it's probably DNS. It's always DNS!
There's a lot of speculation that it's ECS but I don't see any actual proof of that in some brief searching. Yet.
-
@incith so again, ecs is not a thing with current unbound installed on pfsense
I just logged out of my netflix client on my android tablet.. I have a block to any other dns, and yup the stupid client is trying to use google pretty hard.. But its blocked, and the only dns it can use is my local dns.. Which just resolves.
And able to login to netflix just fine on the tablet, even though blocking google, and not sending any ecs..
While you very well could have a dns related problem, I highly doubt its a ecs problem - because well unbound isn't going to be sending any ecs info, since the module is not enabled in the one on pfsense. And you sure do not need to send that info to be able to login to netflix..
If you believe its a dns related problem - simple sniff of your clients dns traffic, see what it asks for, see what doesn't get answered.. Packet capture on pfsense for your clients IP on port 53.. Is there something its asking of dns that doesn't get answered?
Along with looking at dns, you could just capture all the clients traffic - is there something other than google dns its trying to talk to that doesn't get answered..
-
@stephenw10 said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
It's always DNS!
-
@johnpoz I'll do some more digging after work 🫡
-
@incith also curious why/how you would think ecs could fix the problem.. When you resolve clearly who you talk to knows what IP you did the query from..
ecs is for sending extra data when you want to send info about the client asking, that is different than who is doing the actual query..
EDNS Client Subnet (ECS) is an option in the Extension Mechanisms for DNS that allows a recursive DNS resolver to specify the subnetwork for the host or client on whose behalf it is making a DNS query. This is generally intended to help speed up the delivery of data from content delivery networks (CDN), by allowing better use of DNS-based load balancing to select a service address near the client when the client computer is not necessarily near the recursive resolver.
In what scenario would this help you, your client is behind your public IP.. So when you resolve, this would be the same as your IP the query is coming from.
ECS would make sense when say you had a corp network where you had central dns in your say chicago office, but you had clients in your LA office.. So you would want your chicago dns to send the info for the clients public IP range in LA, so when that client went to go talk to whatever resource on the public internet, it went to an IP close to LA and not chicago.. If the was such a resource in the CDN the resource is being served from.
ECS when all your queries are coming from from the same IP your clients would be using to talk to the internet with any doesn't make much sense.. Now sure it could very well help maybe in anycast sort of scenario where hey the dns your talking too is not the closest too you, and this remote NS should hand back a different IP then its region because well the client is in a different region, and only reason the query ended up on this remote NS was anycast. But then again the IP of the ns doing the query would be known anyway.. And that IP is no different than your client, etc.
I am just trying to come up with a scenario where ecs would or could solve your issue, and I am not seeing how it could be a problem to be honest. Now if you were routing your dns through some vpn - and the endpoint was far away from where your actually at, sure you might want to send your pubic subnet range in the query, so the actual NS that is going to answer for the query, knows hey use the best answer for the client subnet, and not the IP of the NS actually asking for it.. As you saw in when I queried 8.8.8.8 TXT directly.. But my client sent no extra info for that info to be available..
So you see any info in this query about the clients subnet or IP?
edit:
To be honest this would of been handy 20 years ago when company at worked for used central dns ;) and local internet access.. And some issues of connectivity could of be better if got an answer back based on the clients location vs where the query came from..I will do some googling on android and netflix and ecs, but I really don't see how that could be an issue..
-
@incith if you think its a dns related problem with unbound/pfsense - why not just have these android clients use 8.8.8.8 directly for everything, not just some specific forward for netflix.com
Do they work then? That would else for sure point the issue with something going on with dns on your end.
-
@johnpoz I feel like I've already said that works.
I don't want to go in circles.
I will further post my findings later.
Why not force my phone to use Google? Because I don't want to. That's a bandaid, not an understanding of the problem.
I don't think posting anymore "I don't see how..." will resolve anything.
In a nutshell, it's simple: with DNS caching on, I cannot login to Netflix on my phone. With DNS caching off (forward all requests), it works. Every. Single. Time. If I tell DHCP to specify my dns servers as public, it also works. If I revert that change and go back to caching DNS (even after restarting unbound and flushing the cache in status page), it will not login again.
You must clear data on your android between every attempt on the Netflix app.
I'm glad it's working for you!
That still doesn't mean it's not a DNS issue, as it clearly is, for me.
Even when I change my upstream DNS servers on pfSense, it made no difference. Ok?
This is absolutely something with unbound. Whether it's ECS or not.
-
@incith said in PfSense - Cannot connect to Netflix and Hulu on Andriod devices / Smart TVs:
This is absolutely something with unbound
Your not doing any filtering, no pfblocker lists? That could cause problems, but if that was the case it wouldn't work when you forward vs resolve either.
To get to the problem of what is not working when resolving, you need to know exactly what is failing, then you can troubleshoot why that is happening.
I had a weird issue the other day, where I was having trouble talking to the NS for .tv this was causing my app.plex.tv to fail.. This was something upstream of me..
;; ADDITIONAL SECTION: a.nic.tv. 172800 IN A 37.209.192.6 b.nic.tv. 172800 IN A 37.209.194.6 c.nic.tv. 172800 IN A 37.209.196.6 d.nic.tv. 172800 IN A 37.209.198.6
I couldn't reliably talk to any of these NSers.. I found that by doing a dig with +trace for the app.plex.tv what was failing.. It was either something on their end, or something in my isp or just the internet that was not allowing me to talk to them. Prob something with my isp connection, because if I tried it from the one of my vps boxes no issue. Google wasn't having any issues, for a temp work around I setup forward for plex.tv to google, kind of like how your doing.. Then the next day the issue was gone..
If you sniff your clients IP for all dns its doing and find the one(s) that are failing you could do a +trace with dig to figure out what is failing in the resolve process. You might also want to look at your resolver status, look for domains that have high RTT or RTO or issues with timeouts.
When I was having the problem the other day, these number clearly showed major issue talking to those servers..