Netgate Discussion Forum
    Group of hosts using Custom Gateway, can't connect to iTunes

    General pfSense Questions
    maverickws (last edited by maverickws):

      Hi all,

      So I am going through this odd behaviour with my pfSense; perhaps you can help me.

      The setup is as follows:

      pfSense is connected to the Internet, I also have IPv6 traffic via Hurricane Electric/TunnelBroker, and I use a VPN service configured via OpenVPN.
      I have a number of Apple TVs in my place that we use to watch TV (via my ISP's TV app on the phone, streaming to the TV, as they don't have a native app) and mostly Netflix shows.

      So as you know Netflix is the major proxy killer, so for Netflix I can't have either IPv6 or the VPN enabled.

      To bypass this I did the following:

      • Created an Alias with all my Apple TVs
      • Created a Quick Floating Rule for the LAN interface, direction out, source TV alias, to reject IPv6 traffic.
        (this is working, no IPv6 going through)

      Now the issues...
      I created a Quick Floating Rule for LAN (out) to Pass traffic from the TV alias as source, selecting DHCP_WAN as Gateway under advanced settings -> this does nothing, Netflix always fails to stream.

      So next I turned to the DHCP Leases, as the leases are fixed:

      • Services > DHCP Server
      • Select tv lease
      • Set WAN IP on the Gateway field.

      And...

      • Netflix works now!
      • I can use YouTube & others
      • I can't connect to the iTunes Store with this config on any TV.

      Streaming from my iPhone operator TV app fails. (I can stream movies from my phone normally, though.)
      After a while without being able to connect to the iTunes Store I am asked to authenticate, and it always fails with "Can't connect to the iTunes Store".

      What is the correct configuration so that traffic coming from these devices will go directly through the WAN instead of the VPN?

      Thanks

      maverickws (reply, last edited by maverickws):

        Ok guys, thanks for no replies; anyway, got this sorted.
        I still have no idea what the problem was.

        I must have tried 20 different configuration options with rules and all. In the end, I have it all working with just ONE rule that I'm 99% sure I tried before... go figure... sigh.
        After I got things working I started disabling the others one by one to see which one would have an impact. Anyway, here's the rule that has it working now:

        Firewall > Rules > LAN
        Immediately below the Anti-Lockout Rule, add a new rule:

        • Action: Pass
        • Interface: LAN
        • Address Family: IPv4
        • Protocol: Any
        • Source: Apple TV alias
        • Destination: any
        • Advanced options: Gateway - WAN_DHCP

        In the meantime I had an IPv6 block below it, but it wasn't creating states, so I disabled it, and still all is working. So I'll just keep an eye on it and let you know tomorrow.
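As an added illustration (not text from the poster, and not output taken from a real pfSense box), here is what the working LAN rule above, together with the IPv6 reject rule, corresponds to in pf rule syntax of the kind pfSense writes to /tmp/rules.debug. Policy routing in pf is done with `route-to`, which pfSense attaches to rules matching traffic as it enters an interface; that is consistent with the rule taking effect on LAN (in direction) after the floating out rule did not. The interface names (`em0`, `em1`), the upstream gateway address and the Apple TV addresses are constructed placeholders, not values from the page.

```pf
# Constructed example of the equivalent pf rules; interface names, the
# gateway address and the table entries are placeholders, not real values.
lan = "em1"                                                  # assumed LAN NIC
table <AppleTVs> { 192.168.1.20 192.168.1.21 192.168.1.22 }  # constructed Apple TV addresses
GWWAN_DHCP = " route-to ( em0 203.0.113.1 ) "                # assumed WAN NIC and ISP gateway

# Reject IPv6 from the TVs as it enters LAN, so the HE tunnel is never used
# for them and "return" gives the client an immediate failure instead of a timeout.
block return in quick on $lan inet6 from <AppleTVs> to any label "USER_RULE: no IPv6 for Apple TVs"

# Policy-route the TVs' IPv4 traffic out the WAN instead of the OpenVPN
# interface; "quick" stops any later VPN pass rule from matching it.
pass in quick on $lan $GWWAN_DHCP inet from <AppleTVs> to any flags S/SA keep state label "USER_RULE: Apple TVs direct via WAN"
```

To confirm the rule is actually the one matching, check Diagnostics > States (or `pfctl -ss` on the console) for the TVs' addresses: their states should be created on the LAN rule with the WAN address as the next hop and none should appear on the OpenVPN interface. A rule that "isn't creating states", as the poster observed for the IPv6 block, is simply one that no traffic reaches, usually because an earlier quick rule already matched.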
