Pluto tv is being blocked on my smart TV.



  • So Pluto TV doesn't like VPNs. Fine. So I set up a rule in firewall -> LAN: IPv4, protocol any, source/LAN net (tried 'em both), any port, my TV's IP for destination, any port, and WAN non-VPN gateway. It worked for awhile but after installing pfblocker and snort it's not working again. I checked alerts and reports in snort and pfblocker and there's nothing firing off. Nor in my firewall logs.... At least not with my TV's internal address. Deleted snort and pfblocker and reset firewall states still no dice.

    Downloaded the app on my phone and it was also blocked at first. Then I connected to cellular data and it connected and started streaming, then I connected back to wifi and now the app on the phone connects every time over the VPN but not the tv? 🤨 Casting the app to the TV fails as well.

    I passed through my Plex server with no problem. I also tried manually putting in my isps DNS addresses into the tv.

    This is my last issue on my network! Any help would be greatly appreciated!

    Edit: when I change my DNS resolver outgoing network interface to WAN it works. However, this causes DNS leaks through the VPN!



  • Hi,

    First :
    @calbha said in Pluto tv is being blocked on my smart TV.:

    It worked for awhile but after installing pfblocker and snort it's not working again

    Then :

    deleted snort and pfblocker and reset firewall states still no dice.

    which strongly indicates the issue is neither snort nor pfblockerng.
    But I doubt that.
    By default, pfSense itself behaves as a router/firewall, no different from any other on planet earth.

    @calbha said in Pluto tv is being blocked on my smart TV.:

    but not the tv?

    Be aware that the TV can be identified as such upstream. The TV app also isn't the same thing as the phone app.
    Make it work again by going back to the "at first" situation.
    Wireshark the TV at that moment so you know what to look for.
    When you have to use pfBlockerNG and/or Snort, remember to whitelist it.
    Or wireshark again and see what type of traffic is blocked locally.

    Note : snort and pfblockerNG are probably doing what you ask them to do ^^



  • @Gertjan thanks for your reply and attempt to help. Even when I went back to just a VPN though and passing through the tv it stopped working entirely for some reason. I'm also just starting to understand pfsense somewhat and Wireshark is a bit over my head at the moment maybe it's time to learn though. Also my TV's internal ip are not showing up in any reports alerts or firewall logs when trying to connect.



  • my tv is set to Alias (smarttvs) port * destination * port * gateway WAN_DHCP.

    and it works perfectly



  • @bcruze yeah I did the same just without an alias and used the internal ip instead. That's why it's frustrating me.



  • @Gertjan I did a packet capture on ethernet. Tried to get Pluto to connect for 10 seconds. Went back to Wireshark and the tvs internal ip isn't showing up at all. But the tv is wireless. I dunno if that has anything to do with why I can't find the ip anywhere



  • assign it a static ip address by the mac address



  • @bcruze it's an issue with DNS resolver. Cause when I changed the DNS resolver to outgoing wan instead of the VPN it works. But this causes DNS leaks



  • @calbha said in Pluto tv is being blocked on my smart TV.:

    @bcruze it's an issue with DNS resolver. Cause when I changed the DNS resolver to outgoing wan instead of the VPN it works. But this causes DNS leaks

    I know you probably don't want to hear this, but using a VPN for regular Internet traffic (in an attempt to "hide") is fraught with issues one after the other. Many of the commercial service providers on the Internet restrict access from known VPN exit nodes. This is because VPNs have a reputation for being a type of smokescreen for questionable actors to hide behind while doing questionable things on the web. No, that does mean every VPN user is a potential bad actor, but the whole ecosystem of VPNs for privacy has been polluted by the bad actors that are using it. Thus services such as Netflix, Hulu and even other non-streaming web sites are beginning to bar access from clients coming from known VPN nodes.

    The only way to have reliable streaming when you are using a VPN service (from Smart TVs, for instance), is to give the TVs static IP addresses and use policy routing on the firewall to make sure all of their traffic (DNS and everything else) goes out your regular non-VPN WAN address.



  • @bmeeks said in Pluto tv is being blocked on my smart TV.:

    use policy routing on the firewall to make sure all of their traffic (DNS and everything else) goes out your regular non-VPN WAN address.

    That was what he (meant to) said here :

    @bcruze said in Pluto tv is being blocked on my smart TV.:

    tv is set to Alias (smarttvs) port * destination * port * gateway WAN_DHCP.

    Right ?



  • @Gertjan I did the port forwarding and rules. I need to somehow have the tv not go through pfsense DNS resolver which goes through the VPN. If I change the outbound interface to wan it works but then my isps DNS is leaking.



  • services > dhcp server > at the very bottom assign the device a static address

    then edit the mapping and under DNS servers. use any public DNS server. reboot the device

    and it should work just fine

    OR just put in public DNS servers on the device if it will allow you. But the above is a lot easier.



  • @calbha said in Pluto tv is being blocked on my smart TV.:

    my isps DNS is leaking

    Well, that is : DNS requests from the TV are "leaking" .... as does all the traffic from the TV .. ^^
    But, is this a VPN issue as @bmeeks outlined ? (deactivate your VPN and the problem is gone ?)



  • When I change the DNS resolver to WAN in pfSense then it's not just from the TV's IP; my whole network is showing my ISP's DNS from the laptop. Yes, turning the VPN off does indeed solve the issue. But I shouldn't have to go and disable the VPN.

    As you can see in the picture, I copied the WAN rules for my Plex server, which is bypassing the VPN successfully! And just for kicks I added LAN rules as well with the gateway as wan-nonvpn.

    The problem seems to be that it's resolving the VPN's DNS address to the TV. Plex doesn't care but Pluto TV does. I need a way for the TV to skip being assigned to the VPN's DNS addresses. The TV does have a manual DNS option but no matter what I put in there, it stops network connectivity to the TV.





  • @bcruze I just tried assigning static dhcp still not connecting. I remember a different way of doing this using the invert match option but I don't remember the steps.



  • heres a copy of my lan rules bytheway



  • @Gertjan i remember when i did this for plex i had to add a line in the dns resolver custom options. this was copy and pasted though

    server:
    private-domain: "plex.direct"

    so i wouldnt have a clue what to add for pluto tv since im not running a server but im wondering if that's whats missing.


  • Netgate Administrator

    That WAN rule does nothing here. Remove it.

    The LAN rule only catches traffic with destination 'plutotv'. That alias is almost certainly not covering all the IPs the TV might connect to. Just change that to any so all traffic from the TV goes out the WAN.

    You need to pass a public DNS server (or more than one) to the TV only via DHCP static mapping so it does not use Unbound. That way it resolves directly out of the WAN whilst everything else uses Unbound and that's using the VPN.


    Steve



  • @stephenw10 well it's up showed up with an IP in the tables and is the site you go to watch on the web and is how I got Plex to bypass despite only having 3 IPs for Plex.tv. I also added other addresses to the alias that I saw the TV trying to connect to with Wireshark while trying to connect to Pluto TV. I also tried setting up a static DHCP with a public DNS address already at the previous person's suggestion and adding public DNS addresses to the TV itself and it still wouldn't work. So I said screw it and just decided to use the website instead. 😒


  • Netgate Administrator

    I assume you added the public DNS servers to that alias too if you didn't change it to any destination?

    If not it would just have routed those over the VPN.



  • @stephenw10 i didn't see anywhere to enter DNS servers in firewall -> aliases. I'm assuming you'd do it elsewhere. Maybe that would help.


  • Netgate Administrator

    It would have to be in the plutotv alias if you had those LAN rules. That's the only traffic from the TV that is routed via the WAN directly. You should just set that to 'any' though. PlutoTV will have a very large number of IP addresses, there is no way a simple alias will ever match all traffic for it.

    Steve
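
A small model of the rule evaluation discussed in the posts above, added here as an illustration; it is not code from the thread or from pfSense. It compares a policy-routing rule whose destination is a narrow alias with one whose destination is any, for a TV that was handed a public resolver via DHCP. All addresses are constructed from documentation ranges, and the catch-all LAN rule that sends everything else out the VPN gateway is an assumption about the setup.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (documentation ranges); not real Pluto TV or resolver IPs.
TV = "192.168.1.50"
PUBLIC_DNS = "203.0.113.53"          # resolver given to the TV by its DHCP static mapping
PLUTOTV_ALIAS = ["198.51.100.0/28"]  # the handful of addresses collected into the alias
ANY = ["0.0.0.0/0"]

@dataclass
class Rule:
    source: list
    destination: list
    gateway: str

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def route(rules, src, dst):
    """Interface rules are evaluated top-down; the first match picks the gateway."""
    for r in rules:
        if in_nets(src, r.source) and in_nets(dst, r.destination):
            return r.gateway
    return "blocked"  # nothing matched: implicit default deny

def tv_paths(rules):
    """Gateway chosen for three kinds of traffic leaving the TV."""
    flows = {
        "dns": PUBLIC_DNS,          # lookups to the public resolver
        "aliased": "198.51.100.7",  # a streaming host that is inside the alias
        "cdn": "192.0.2.80",        # a streaming host the alias does not cover
    }
    return {name: route(rules, TV, dst) for name, dst in flows.items()}

# Assumed catch-all LAN rule that policy-routes everything else out the VPN.
default_lan = Rule(ANY, ANY, "VPN")
alias_rules = [Rule([TV + "/32"], PLUTOTV_ALIAS, "WAN"), default_lan]
any_rules = [Rule([TV + "/32"], ANY, "WAN"), default_lan]

if __name__ == "__main__":
    print("destination = alias:", tv_paths(alias_rules))
    print("destination = any:  ", tv_paths(any_rules))
```

With the alias as destination, the TV's DNS queries and any host missing from the alias still fall through to the VPN rule; with destination any, every flow from the TV leaves via the WAN while the rest of the LAN is untouched.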



  • @stephenw10 I've tried every imaginable configuration possible that made sense and some that didn't. in firewall rules source any destination tv ip included and reverse. I appreciate the help though. I know from my postings I probably sound like I don't know at all what I'm doing. :P I wish you all could try it for yourself to see I'm not crazy.

