PfBlockerNG preventing PBS channel on Roku 4 from Working
-
I have 2.4.2-RELEASE-p1 installed.
The PBS Channel App on my Roku stopped working recently when using pfBlockerNG. I am able to select the channel and browse the selection of shows. Once I select a show, a spinning symbol starts to spin and then returns to the main Roku menu. May be similar to the issue I reported back in June 2017 here https://forum.pfsense.org/index.php?topic=132129.msg726771#msg726771
Disabling DNSBL has no impact on the issue. On the Roku, PBS does work if I turn off pfBlockerNG. PBS does not work if I have pfBlockerNG turned on. What is strange is that the PBS channel works fine on the Amazon Fire Stick.
The PBS channel on the Roku works if I connect it to my Asus Router. This router uses the host-based ad blocking solution called AB-Solution.
I am at a loss at how to troubleshoot the issue. Nothing obvious appears in the Alerts page. Any ideas are welcome.
-
Try to run a tcpdump whilst loading the PBS Channel on the Roku (Change the "re1" to your interface)
tcpdump -nnvli re1 port 53 | grep -B1 'A 10.10.10.1'
It might help find out which domain is being blocked that is causing the Roku to not load the page…
-
Thank you for the help!
Before testing, I disabled pfBlockerNG and DNSBL. This time, it did not fix the issue. Turning off pfBlocker worked three times in my testing. So this adds more to the mystery.
I had to modify the command slightly.
tcpdump -nvli ovpnc1 port 53 -w log.pcap | grep -B1 'A 10.10.10.1'
I see queries in the pcap file to r53-api-vip.pbs.org. I get one ping reply, then it hangs:
ping r53-api-vip.pbs.org
PING r53-api-vip.pbs.org (54.243.141.179): 56 data bytes
Windows ping
Pinging r53-api-vip.pbs.org [54.243.141.179] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
I see some query requests to reports.crashlytics.com. A ping reports.crashlytics.com does the same thing. When viewing the details in Wireshark, the Query responses all state there is no error though. I believe these are both Amazon domains.
I do have a firewall rule to route Amazon AWS traffic thru my private VPN server. But I also have the same rule on the Asus. I disabled the rule and PBS worked! I then re-enabled the rule and PBS broke again. I disabled the rule and this time, it did not work. I repeated this several times and could not get it working again. At first, I thought I might be onto something. :o However, there is another LAN rule that points the Roku to the same VPN server as the Amazon AWS rule.
I got the same ping replies when routing traffic over the WAN. On the Asus router, I get ping replies for these domains. I also tried pinging several well known domains and got the expected responses.
-
It could also be a CNAME that is blocked, so you need to review what domains were blocked… Also if you are using any IP block lists, it could be blocked by one of those rules...
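Added example, not part of the thread and not pfBlockerNG code: a Python version of the check the two replies above describe, reading `tcpdump -v` DNS response lines and reporting which name in each answer, including a CNAME target, resolved to the DNSBL address 10.10.10.1 used in the grep filter. The sample lines, client addresses and TTLs are constructed, and the line layout is an assumption modelled on `tcpdump -v` output that may differ between versions.

```python
import re

DNSBL_VIP = "10.10.10.1"  # sinkhole address taken from the grep filter in the thread

# Constructed sample modelled on the UDP line of `tcpdump -nnv port 53`; not captured traffic.
SAMPLE = """\
    192.168.1.1.53 > 192.168.1.50.40001: 101 q: A? r53-api-vip.pbs.org. 1/0/0 r53-api-vip.pbs.org. [1m] A 54.243.141.179 (53)
    192.168.1.1.53 > 192.168.1.50.40002: 102 q: A? b.scorecardresearch.com. 2/0/0 b.scorecardresearch.com. [5m] CNAME b.scorecardresearch.com.edgesuite.net., b.scorecardresearch.com.edgesuite.net. [1m] A 10.10.10.1 (110)
    192.168.1.1.53 > 192.168.1.50.40003: 103 q: A? pubads.g.doubleclick.net. 1/0/0 pubads.g.doubleclick.net. [1m] A 10.10.10.1 (58)
"""

# question name, answer/authority/additional counts, answer section, optional "(length)"
LINE_RE = re.compile(r"q: \w+\? (\S+) \d+/\d+/\d+ (.*?)(?: \(\d+\))?$")


def sinkholed(text, vip=DNSBL_VIP):
    """Map each queried name to the record owner that was answered with the sinkhole IP."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # IP header lines, queries without answers, unrelated output
        qname = m.group(1).rstrip(".")
        for rr in m.group(2).split(", "):
            # Drop the optional "[ttl]" field so the record is owner/type/value.
            fields = [f for f in rr.split() if not f.startswith("[")]
            if len(fields) != 3:
                continue
            owner, rtype, value = fields
            if rtype == "A" and value == vip:
                # The owner differs from qname when a CNAME target is what got blocked.
                hits[qname] = owner.rstrip(".")
    return hits


if __name__ == "__main__":
    for asked, blocked in sinkholed(SAMPLE).items():
        via = "" if asked == blocked else f" (via CNAME to {blocked})"
        print(f"{asked} -> {DNSBL_VIP}{via}")
```

When the reported owner differs from the queried name, the entry to review in the block list or whitelist is the CNAME target rather than the name the device asked for.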
-
I ended up just assigning a static DHCP lease to my Roku and giving it a third-party DNS server to bypass DNSBL.
I NAT all DNS traffic from every device besides the Roku to pfSense to prevent anything else from using third-party DNS servers.
-
Thank you for posting the config @f34rinc.
The solution was to remove the Host Overrides in DNS Resolver for the following domains in DNSBL Custom Domain White List:
b.scorecardresearch.com
b.scorecardresearch.com.edgesuite.net
pubads.g.doubleclick.net
partnerad.l.doubleclick.net
This solution had worked previously per my link in the OP.
@BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown? Is there a setting I need to configure? I still see IF and Source information from some LAN clients.
Thank you!
-
how come the DNSBL Alert Log reports the IF and Source as unknown? Is there a setting I need to configure? I still see IF and Source information from some LAN clients.
I do believe the 'unknown' issue is due to the way HTTPS blocks were handled.
-
I route most of the traffic thru VPN tunnel. So that may be the reason as well.
-