4. Group of hosts using Custom Gateway, can't connect to iTunes

Group of hosts using Custom Gateway, can't connect to iTunes

  • M

    Hi all,

    So I am going through this odd behaviour with my pfSense if you can help me.

    The setup is as follows:

    pfSense is connected to the Internet and I also have IPv6 traffic via Hurricane Electric/TunnelBroker, and I use a VPN service configured via OpenVPN.
    I have a number of AppleTV's in my place we use to watch TV (via my ISP TV app, on the phone, streaming to the tv as they don't have native app) and mostly Netflix shows.

    So as you know Netflix is the major proxy killer, so for Netflix I can't have neither IPv6 or VPN enabled.

    To bypass this I did the following:

    • Created an Alias with all my AppleTV's
    • Created a Quick Floating Rule for the LAN interface, direction out, source tv alias to reject IPv6 traffic.
      (this is working, no IPv6 going through)

    Now the issues...
    I created a Quick Floating Rule for LAN (out) to Pass traffic from source tv's, selecting the DHCP_WAN as Gateway under advanced settings -> this does nothing, Netflix always fails to stream.

    So next I turned to the DHCP Leases, as they are fixed

    • Services > DHCP Server
    • Select tv lease
    • Set WAN IP on the Gateway field.

    And...

    • Netflix works now!
    • I can use YouTube & others
    • I can't connect to iTunes store with this config on any tv.

    Streaming from my iPhone Operator TV app fails. (I can stream movies from my phone normally tho).
    After a while without being able to connect to the iTunes store I am asked to authenticate and always fails "Can't connect to the iTunes store"

    What is the correct configuration so that traffic coming form these devices will go directly through the WAN instead of VPN?

    Thanks

    0
  • M

    Ok guys thanks for no replies anyway got this sorted.
    I still have no idea what was the problem.

    I must have tried 20 different configuration options with rules and all. In the end, I have it all working with just ONE rule that I'm 99% sure I tried before.... go figure... sigh
    After I got things working I started disabling the others one by one to see which would impact. Anyway, here's the rule that has it working now:

    Firewall > Rules > LAN
    Immediately below the Anti-Lockout Rule, add a new rule:

    • Action: Pass
    • Interface: LAN
    • Address Family: IPv4
    • Protocol: Any
    • Source: AppleTV's alias
    • Destination: any
    • Advanced options: Gateway - WAN_DHCP

    In the meanwhile I had an IPv6 block below but it wasn't creating states so I disabled it, and still all is working. So I'll just keep an eye on it and lyk tomorrow.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy