Problems with Netflix freezing at 25%



  • Ever since I installed pfsense, Netflix is buggy. It sometimes freezes at 25% and hangs.

    I found some user blogs with similar complaints (i.e. http://blog.iharder.net/2016/06/03/fixed-poor-netflix-performance-with-pfsense/) but the suggestions do not work.

    System/General
    Version 2.3.3-RELEASE-p1 (amd64)
    DNS set to OpenDNS
    Disable DNS Forwarder [x]

    DNS Resolver
    Enabled
    Transparent mode
    DNS Query Forwarding [x]

    Are my Netflix problems associated with DNS? Anyone else have Netflix issues?


  • Banned

    @swmspam:

    Ever since I installed pfsense, Netflix is buggy. It sometimes freezes at 25% and hangs.

    System/General
    DNS set to OpenDNS
    Disable DNS Forwarder [x]

    DNS Resolver
    Enabled
    Transparent mode
    DNS Query Forwarding [x]

    Unless you are blocking something with OpenDNS that netflix needs, then DNS shouldn't matter as long as it's working. Try using the Resolver mode.

    Are you trying to use Netflix with a VPN?
    Try to use Netflix and check your firewall logs during that time period to see what pops up.
    What kind of device(s) are you trying to access netflix on?
    Does it do the same thing from other devices?
    Are my Netflix problems associated with DNS? Anyone else have Netflix issues?



  • The problem is intermittent so it is hard to catch. The problem exists on an Amazon FireTV stick running android, plugged into the HDMI of the television. Netflix worked fine with my previous firewall, also using the same OpenDNS account without any setting changes. Streaming Netflix has been seamless until I swapped in the pfsense box.

    The DNS Forwarder is disabled on the System/General and the DNS Resolver is enabled under Services.

    I'll keep an eye out for the failure and try to grab a firewall log. The Amazon FireTV stick is the only device in the network accessing Netflix. I can attempt using a PC and see what happens, although since the failure is unpredictable/intermittent, the problem might not occur during a short test.

    I googled "pfsense netflix" and it seems others have experienced this problem, for example, the blog link in my OP.

    Edit 1: I looked at the firewall logs under Status/System Logs/Firewall/Normal View, and the traffic is shown in IPv6 notation. In /Summary View/ all of the pie charts are shown in IPv6. Looks like I need to learn IPv6.

    Edit 2: Netflix has been running on the TV for about 30 minutes (time is now 18:30) and the last firewall entry is 14:01, so obviously nothing is triggering the firewall. I'll keep an eye on it.

    Edit 3: Netflix just froze (time index 18:33) and the Status/System Logs/Firewall/Normal View does not have any new entries.


  • Banned

    If you are using opendns then you are not using unbound as a resolver to the root servers.

    I'm using Netflix with pfsense, unbound, suricata, DNSBL, pfblockerng, OpenVPN clients and servers. It isn't a pfsense limitation.

    Are you whitelisting your rules? If so it could be an issue with icmp, ntp or something like that. Chromecast, Roku, Firestick, etc often need to use these things excessively in order to work reliably.



  • Make sure to remove those tweaks mentioned in that blog post you linked. They seem to be completely unrelated to Netflix, especially NAT reflection… Have you done any other strange tweaks, firewall rules, etc?

    AFAIK, Netflix is nothing more than a TCP stream so it should work flawlessly like all the other TCP streams.

    Also, since you are connecting to Netflix (they aren't initiating any connection with you) you also wouldn't see any blocked packets since all egress (LAN to WAN) packets are allowed by default.

    I would look for problems elsewhere. Considering that the problems started when you set up pfSense, it does seem most likely that pfSense is causing problems but your WiFi AP or your ISP could just as likely be to blame.

    Unless your pfSense config is strangely tweaked, standard TCP streams should all work flawlessly.


  • Banned

    Yeah this post combined with your other post where you are having rebooting issues suggests that you have either done some bad adjustments to your config or are having hardware issues or both.
    Either way you are probably better off starting over from scratch on a fresh install and not following online guides that have you do a bunch of tweaking.



  • Yeah this post combined with your other post where you are having rebooting issues

    Not sure what post this is. The last time I ran pfsense was in 2015 to mess with MITM HTTPS squid setups (never actually used it, though). I don't remember having rebooting issues.

    This is a fresh install of the latest version 2.3.3. I started from scratch (fresh install). The only tweaks I made were adding Dynamic DNS services (dynDNS and OpenDNS) and the DNS Resolver setup. After a day or two, I added the Snort package (connectivity ruleset looking at LAN) and pfBlockerNG (DNSBL EasyList and Spamhaus rules). After a few more days, I added OpenVPN and IPsec, along with basic firewall rules to allow the VPN ports. That's it. I saved the configuration between tweaks.

    The wifi AP and ISP are the same since before pfsense. I'm switching back to my old firewall to benchmark everything on a known configuration.

    The DNS configuration is:

    System/General
    DNS Server 1: 208.67.222.222
    DNS Server 2: 208.67.220.220
    Not Checked "Allow DNS Server list to be overridden"
    Not Checked "Do not use the DNS Forwarder/DNS Resolver as a DNS server"

    DNS Resolver
    Enabled
    Transparent mode
    Checked "DNS Query Forwarding"



  • @pfBasic:

    @swmspam:

    Ever since I installed pfsense, Netflix is buggy. It sometimes freezes at 25% and hangs.

    System/General
    DNS set to OpenDNS
    Disable DNS Forwarder [x]

    DNS Resolver
    Enabled
    Transparent mode
    DNS Query Forwarding [x]

    Unless you are blocking something with OpenDNS that netflix needs, then DNS shouldn't matter as long as it's working. Try using the Resolver mode.

    Are you trying to use Netflix with a VPN?
    Try to use Netflix and check your firewall logs during that time period to see what pops up.
    What kind of device(s) are you trying to access netflix on?
    Does it do the same thing from other devices?
    Are my Netflix problems associated with DNS? Anyone else have Netflix issues?

    My Sony smart TV running the Netflix app does the same thing now and then. It's having quite a bit of trouble today. My pfsense is not using any VPN, just DNSBL. Nothing in the logs indicates anything major is being blocked. I suspect the CDNs in my area might be having issues, as another streaming service, ABC iview, was also having trouble at the same time.


  • Banned

    @swmspam:

    Yeah this post combined with your other post where you are having rebooting issues

    Not sure what post this is. The last time I ran pfsense was in 2015 to mess with MITM HTTPS squid setups (never actually used it, though). I don't remember having rebooting issues.

    Sorry! Confused this post with a different one!


  • Banned

    @swmspam:

    After a day or two, I added the Snort package (connectivity ruleset looking at LAN)

    This is almost certainly the problem. There are a lot of rules in default Snort that will screw up Netflix (among many other things).
    Disable Snort completely and clear the snort2c table (if you don't know how just reboot the firewall after disabling snort).

    Any IPS system is not meant to be just turned on and left alone. The idea is that you turn it on as an IDS only, then remove rules that result in false positives until you have it configured the way you like it (this usually takes a while because you need to see how it behaves with different types of traffic on your network; on larger networks it can literally take months, on small home use networks probably hours to days).

    It's also possible that something on pfBNG or DNSBL is causing problems, or the VPN, but I'd put my money on snort.

    As far as DNS Resolver goes, if you are using a specific service for DNS, then you are by definition not using Unbound as a Resolver, you are forwarding your requests to a third party. In the default out of the box setup pfSense will ask the Root DNS Servers for your DNS queries and work their way down the system. Regardless of what boxes you checked, if you use OpenDNS you are Forwarding.


  • Banned

    @JasonAU:

    My Sony smart TV running the Netflix app does the same thing now and then. It's having quite a bit of trouble today. My pfsense is not using any VPN, just DNSBL. Nothing in the logs indicates anything major is being blocked. I suspect the CDNs in my area might be having issues, as another streaming service, ABC iview, was also having trouble at the same time.

    What packages are you using?

    As has been stated, pfSense out of the box will stream Netflix perfectly. Any issue with Netflix or any other streaming service is not inherent to pfSense. It is most likely a configuration problem, beyond that, ISP, streaming service, hardware, etc. but definitely not just because of some unknown issue with pfSense.



  • apcupsd , Cron, openvpn-client-export , pfBlockerNG, snort (not active on any interfaces), squid , squidGuard

    My TV hangs at 25%, but given time and no changes to the FW things start working again. I've yet to find any firewall or system logs that coincide with the issues.



  • To benchmark performance, I took out pfSense and inserted my old firewall and rebooted all network hardware (including PoE switch that powers wifi). I've had Netflix running all morning while I've been working around the house and it hasn't hung a single time. I'm going to leave the old firewall installed for a day or two to make sure no glitches occur. This will eliminate the wifi AP, ISP, etc. as being suspects in the investigation.

    Edit1: I dug through the Firewall and Snort logs and didn't see the Amazon FireTV IP address being flagged. If I understand correctly, Snort just looks at the packets and nothing is actually intercepted unless the Firewall is told to.

    Edit 2: I looked closely at the Amazon FireTV. Netflix isn't hanging. The FireTV, although being connected to the wifi with a valid IP address, was actually losing connectivity. pfSense was actually blocking the device's IP address altogether at the firewall.

    In the meantime, I'm building a fresh pfSense box (60GB SSD Atom D525 CPU 4MB memory dual-port Intel NIC). I plan on running the fresh install with as many factory defaults as possible and see how things work. I will report progress.


  • Banned

    @swmspam:

    pfSense was actually blocking the device's IP address altogether at the firewall.

    If you have snort configured as an IPS, then anything a rule hits on adds the IP to the snort2c table which the firewall uses to block traffic.

    Just a configuration problem. And possibly related to snort depending on how you have it setup.
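
The check described above, as an added example that is not part of the original thread: list which watched LAN devices are currently in the `snort2c` block table. The device names, their addresses and the sample table dump are constructed; the function reads the output of `pfctl -t snort2c -T show` on stdin.

```shell
#!/bin/sh
# Added example: report which watched LAN devices are in the snort2c table.

# Constructed sample of `pfctl -t snort2c -T show` output (one entry per
# line, indented). On the firewall, pipe the real command in instead.
sample_table() {
cat <<'EOF'
   192.168.1.50
   203.0.113.77
   2001:db8::15
EOF
}

# blocked_devices "name=addr name=addr ..." < table_dump
# Prints "name addr" for every watched device whose address is in the table.
blocked_devices() {
    awk -v watch="$1" '
        BEGIN {
            # Build a lookup of watched address -> device name.
            n = split(watch, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                name[tolower(kv[2])] = kv[1]
            }
        }
        {
            addr = tolower($1)             # $1 drops the leading indentation
            sub(/\/(32|128)$/, "", addr)   # tolerate an explicit host mask
            if (addr in name) print name[addr], addr
        }
    '
}

# Constructed watch list: the FireTV address is in the sample table,
# the Sony TV address is not.
sample_table | blocked_devices "firetv=192.168.1.50 sonytv=192.168.1.60"
```

On the firewall itself, run `pfctl -t snort2c -T show | blocked_devices "firetv=<device ip>"` while the stream is frozen. A single entry can be removed with `pfctl -t snort2c -T delete <device ip>` instead of rebooting, though Snort will re-add it if the same rule fires again.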



  • Conclusion: Netflix problem associated with Snort.

    The fresh installation ran fine, so I swapped SSDs to my previous pfsense installation and un-installed Snort. Netflix working again.

    In this thread, there was an off-topic discussion about OpenDNS. I started a new thread "OpenDNS and pfBlockerNG DNSBL" under the DNS forum, particularly how OpenDNS operating in forwarding mode impacts pfBlockerNG.

    I will slowly work up towards IDS using Snort or Suricata. Seems that Suricata is the preferable selection. I have been reading the Asterix "Snort master Suppress List" thread and the pfBasic "Taming the beasts… aka suricata blueprint" thread.

    "Snort master Suppress List" https://forum.pfsense.org/index.php?topic=56267.0
    "Taming the beasts… aka suricata blueprint" https://forum.pfsense.org/index.php?topic=78062.450
    "OpenDNS and pfBlockerNG DNSBL" https://forum.pfsense.org/index.php?topic=128721.0



  • Thanks for this info, I have exactly the same problem!

    I was setting up pfSense and slowly adding new Services. Squid and SquidGuard, pfBlockerNG and then Snort and my Netflix broke. Exactly the same stopping at 25% loading. Netflix connectivity checks are fine and report no problem.

    I had tried to find the issue in Snort but I couldn't find anything in the logs blocking my Sony TV running the Netflix. In fact I tested on other devices that initially still worked okay but eventually all devices stopped loading at 25%.

    This leads me to believe that it has more to do with some sort of "reputation" rules that eventually block Netflix.

    I keep on investigating this but if anybody has any hints where to look for the issue much appreciated!



  • @andyschmid:

    Thanks for this info, I have exactly the same problem!

    I was setting up pfSense and slowly adding new Services. Squid and SquidGuard, pfBlockerNG and then Snort and my Netflix broke. Exactly the same stopping at 25% loading. Netflix connectivity checks are fine and report no problem.

    I had tried to find the issue in Snort but I couldn't find anything in the logs blocking my Sony TV running the Netflix. In fact I tested on other devices that initially still worked okay but eventually all devices stopped loading at 25%.

    This leads me to believe that it has more to do with some sort of "reputation" rules that eventually block Netflix.

    I keep on investigating this but if anybody has any hints where to look for the issue much appreciated!

    After further investigation the culprit is not Snort but Squid Proxy Server!

    I have no idea why but when Squid proxy is enabled Netflix will only stream to 25%. Disable squid and all is good!

    What is strange though I could swear that I had this working with squid before. Even today I am pretty sure I was watching Netflix with squid enabled but then suddenly I hit that issue where it only loads to 25% until I disable squid. Very strange!



  • Not regarding Netflix, but with squid transparent proxy I also got strange issues, like mobile apps that are sometimes slow to load stuff and also take a long time to log out. When I disable squid everything is snappy.

