Netgate Discussion Forum
    Bypassing openvpn for Prime video on Android TV device

    pfBlockerNG
    10 Posts 5 Posters 1.5k Views
    • M
      meridium
      last edited by

      I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.

      Using a WAN interface and two LAN interfaces. Default all traffic is routed through an OpenVPN tunnel.

      Recently started to use Prime video (Amazon) and discovered that it does not work via VPN. So searched for a solution and found pfBlockerNG. So did a setup of pfBlockerNG. Added 'https://ip-ranges.amazonaws.com/ip-ranges.json' via IPv4 Source Definitions. Created some aliases for the devices to stream Prime. Created new firewall rules for both LAN interfaces and added the aliases to the firewall rules as source, added the pfBlockerNG alias as destination and filled the gateway to use my WAN interface, instead of the OpenVPN interface.

      All works fine for my 'regular' android devices. A phone and a tablet. Can watch Prime and no error about using a VPN. So traffic is routed via WAN and not via OpenVPN.

      Now the part where I am lost. I also have an Nvidia Shield (v8.2.1), which is an Android TV device, and installed the Prime Video app. When I start Prime Video, the Prime app is stuck at the message 'Internet connectivity problem'. As soon as I disable the firewall rule for bypassing OpenVPN and start the Prime app on the Nvidia Shield, the Prime app starts without the message 'Internet connectivity problem' and shows the start screen with movies and series. But of course, when selecting a movie or series, the error message is displayed that I am using a VPN.

      I also added all Amazon AS entries I found from this site 'https://bgp.he.net/', but no luck.

      Any help on how to proceed, is greatly appreciated.

      • A
        akuma1x @meridium
        last edited by akuma1x

        @meridium You need to policy route the traffic from your streaming devices out your WAN connection, without using the OpenVPN tunnel connection.

        You can do this by first creating static DHCP leases for the streaming devices. Then make an alias containing all the IP addresses for the streaming devices. Then, make an outbound NAT rule and a firewall rule on the LAN or LAN2 (you said you're using two LAN interfaces, so don't know which LAN these are sitting on) that specifically uses the WAN gateway of your ISP, not the OpenVPN gateway. Make sense?

        pfblockerNG doesn't have anything to do with this particular problem you're having. It is typically used to keep hackers/attackers out of your internal machines, if you've got that traffic open to the internet in the first place.

        So, long story short, you didn't need to install pfblockerNG, and can most likely remove it. Setup policy routing for your streaming devices and that should solve the "VPN errors" they are throwing at you.

        Jeff

        • M
          meridium @akuma1x
          last edited by

          Jeff, first thank you for your reply.

          I get the impression you only read the subject and not the body of my post.

          You can do this by first creating static DHCP leases for the streaming devices. Then make an alias containing all the IP addresses for the streaming devices. Then, make an outbound NAT rule and a firewall rule on the LAN or LAN2 (you said you're using two LAN interfaces, so don't know which LAN these are sitting on) that specifically uses the WAN gateway of your ISP, not the OpenVPN gateway. Make sense?

          Yep, makes perfect sense. And I have done exactly that, as I have mentioned. I have devices on both LANs, and 'regular' Android devices are working fine, so Prime traffic is routed directly to WAN.

          pfblockerNG doesn't have anything to do with this particular problem you're having. It is typically used to keep hackers/attackers out of your internal machines, if you've got that traffic open to the internet in the first place.

          Sorry, but yes it does. Need pfBlockerNG to be able to route only Prime directed traffic direct to WAN. All other traffic from the streaming devices still need to go via OpenVPN.

          Any other suggestions are welcome!

          • GertjanG
            Gertjan @meridium
            last edited by Gertjan

            @meridium said in Bypassing openvpn for Prime video on Android TV device:

            I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.

            You saw the pfBlockerNG v3.0.0_6 update?

            If you want pfBlockerNG to 'work' for some IPs, and not others, then this:

            (future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
            tells me that pfBlockerNG can't do what you want - for now.

            Policy routing 'some IPs' to have them use the WAN interface, and others the OpenVPN interface, is done without using pfBlockerNG.
            I have the impression this policy routing isn't set up correctly.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • M
              meridium @Gertjan
              last edited by

              @gertjan said in Bypassing openvpn for Prime video on Android TV device:

              You saw the pfBlockerNG v3.0.0_6 update?

              Saw that there is an update, but did not apply it yet.

              If you want pfBlockerNG to 'work' for some IPs, and not others, then this:

              (future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
              tells me that pfBlockerNG can't do what you want - for now.

              Policy routing 'some IPs' to have them use the WAN interface, and others the OpenVPN interface, is done without using pfBlockerNG.
              I have the impression this policy routing isn't set up correctly.

              Not sure if we are talking about the same thing here. I am not trying to circumvent IPs that are blocked by pfBlockerNG. I am only using pfBlockerNG to populate an alias with server addresses used by Prime Video, and then using that alias on a firewall rule to bypass my OpenVPN tunnel. And I mentioned that it is working fine for my 'regular' Android devices, but not for my Android TV device. I am looking for someone who can point me in a direction as to what could be causing this.

              Thx!

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @meridium
                last edited by johnpoz

                @meridium said in Bypassing openvpn for Prime video on Android TV device:

                it is working fine for my 'regular' android devices, but not for my Android TV device

                Two things come to mind that could cause that.

                1. Your rules for whatever reason are not being applied to the IP of your TV device.
                2. Your device is using some other DNS that resolves where it's trying to go to an IP other than what is in your alias. Or it is using an IP directly that, again, is not listed in your rules to not use the VPN.

                I would suggest a sniff of the traffic of this device's IP, so you can see exactly where it's trying to go; you should also be able to see if it is using something other than your local DNS - but this could be via DoH or DoT? When you try and launch Prime Video, what IPs is it trying to go to in your sniff? Are they not in your alias list of Prime Video IPs, etc.?

                If you're sure your device is using your DNS and nothing else, validated via your sniff, etc., and only going to IPs that are in your alias, then evaluate your rules as to why they are not being applied like you think they should be.

                Simpler solution to any or all of these sorts of problems - would be to just policy route the IP of your device out your normal wan.. Vs trying to only do that for prime video.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

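The two mechanisms discussed so far, deriving the destination alias from the AWS ip-ranges.json feed (first post) and checking whether the destinations seen in a sniff are actually covered by that alias (johnpoz's reply), as an added Python example. This is not pfBlockerNG's or pfSense's own code; the feed below is a constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json using documentation/TEST-NET prefixes, and the service and region names used for filtering are assumptions.

```python
"""Derive a destination alias from the AWS ip-ranges.json feed and check
sniffed destination addresses against it (added example, not pfSense code).
"""
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json; prefixes are TEST-NET /
# documentation ranges, service and region tags are assumptions.
SAMPLE_FEED = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def service_prefixes(feed_json, services, regions=None, include_ipv6=True):
    """Return the collapsed, sorted list of CIDR strings for the given services.

    services: set of AWS service tags to keep (e.g. {"AMAZON"}).
    regions:  optional set of regions; None keeps every region.
    Overlapping or adjacent prefixes are merged so the alias stays small.
    """
    feed = json.loads(feed_json)
    wanted = set(services)

    def keep(entry):
        return entry["service"] in wanted and (regions is None or entry["region"] in regions)

    v4 = [ipaddress.ip_network(e["ip_prefix"]) for e in feed.get("prefixes", []) if keep(e)]
    v6 = []
    if include_ipv6:
        v6 = [ipaddress.ip_network(e["ipv6_prefix"]) for e in feed.get("ipv6_prefixes", []) if keep(e)]
    # collapse_addresses works on one address family at a time and yields sorted networks.
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


def alias_text(prefixes):
    """One network per line, the plain-text list shape used for bulk alias import (assumption)."""
    return "\n".join(prefixes) + "\n"


def in_alias(prefixes, ip):
    """Check whether a destination address seen in a packet capture is covered by the alias."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    nets = service_prefixes(SAMPLE_FEED, {"AMAZON"})
    print(alias_text(nets), end="")
    # Constructed destinations as they might appear in a sniff of the TV's traffic.
    for dst in ("198.51.100.7", "203.0.113.9"):
        print(dst, "covered by alias" if in_alias(nets, dst) else "NOT covered, would follow the VPN rule")
```

A destination that shows up in the capture but is reported as not covered is exactly the case johnpoz describes: the packet matches the catch-all rule and leaves via the tunnel, however correct the bypass rule itself is.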
                • M
                  meridium @johnpoz
                  last edited by

                  @johnpoz Been a while since I felt as stupid as I feel now. Tried everything, including disabling pfBlockerNG, and found it had nothing to do with pfBlockerNG. Did a full bypass on the IP of the device and still no luck. After hours of looking at sniffing logs and trying several changes, I discovered... I once disabled one NAT mapping, and exactly the one for LAN to the WAN interface. The mapping for LAN to the OpenVPN interface was enabled. I enabled the NAT mapping for LAN to the WAN interface and Prime Video now works like a charm.

                  Sorry for the hassle and thank you for your time!

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @meridium
                    last edited by

                    So you had messed with outbound nat? For why? Followed some stupid guide for vpn service that told you to do that?

                    There is normally little reason to ever take outbound NAT out of auto. If you do want to do something with, say, policy routing and NAT something out a VPN, hybrid is the better choice: just add the outbound NATs you would need to use your VPN.

                    Glad you got it sorted.


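The failure found above (the bypass rule policy-routes Prime traffic out WAN, but the LAN-to-WAN outbound NAT mapping was disabled) and johnpoz's point about automatic versus hand-edited outbound NAT, as an added toy model in Python. This is not pfSense code: the topology, the addresses, the alias contents and the first-match rule evaluation are constructed assumptions that reduce pf's behaviour to the two steps that matter here, choosing the egress interface and translating the source address.

```python
"""Toy model of pfSense policy routing followed by outbound NAT (added example).

Everything here is constructed; it is a simplification, not pfSense's implementation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed lab topology using documentation ranges.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
INTERFACE_ADDR = {
    "wan": ipaddress.ip_address("203.0.113.10"),   # ISP-facing address
    "ovpn": ipaddress.ip_address("10.8.0.2"),      # tunnel address handed out by the VPN
}
# Constructed stand-in for the pfBlockerNG-populated 'Prime video' destination alias.
PRIME_ALIAS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class FirewallRule:
    src: ipaddress.IPv4Network
    dst: Optional[List[ipaddress.IPv4Network]]   # None = any destination
    gateway_if: str                                # interface whose gateway the rule uses


@dataclass
class NatRule:
    out_if: str
    src: ipaddress.IPv4Network
    disabled: bool = False


# LAN rules as the thread describes them: bypass rule on top, catch-all via VPN below.
FW_RULES = [
    FirewallRule(src=LAN_NET, dst=PRIME_ALIAS, gateway_if="wan"),
    FirewallRule(src=LAN_NET, dst=None, gateway_if="ovpn"),
]


def policy_route(rules, src, dst):
    """Interface rules are evaluated top-down; the first match picks the egress interface."""
    for r in rules:
        if src in r.src and (r.dst is None or any(dst in n for n in r.dst)):
            return r.gateway_if
    raise ValueError("no matching pass rule (default deny)")


def outbound_nat(nat_rules, out_if, src):
    """Translate the source to the egress interface address if an enabled mapping matches."""
    for n in nat_rules:
        if not n.disabled and n.out_if == out_if and src in n.src:
            return INTERFACE_ADDR[out_if]
    return src  # no mapping: the packet leaves with its private source untouched


def send(fw_rules, nat_rules, src, dst):
    out_if = policy_route(fw_rules, src, dst)
    translated = outbound_nat(nat_rules, out_if, src)
    # An untranslated RFC1918 source has no return path; the reply never comes back.
    return {"egress_if": out_if, "src": str(translated),
            "works": translated == INTERFACE_ADDR[out_if]}


def automatic_outbound_nat():
    """Mimics 'Automatic' mode: one mapping per (egress interface, internal network)."""
    return [NatRule(out_if=i, src=LAN_NET) for i in INTERFACE_ADDR]


def manual_nat_wan_disabled():
    """The state found in the thread: manual mode with the LAN-to-WAN mapping switched off."""
    rules = automatic_outbound_nat()
    for r in rules:
        if r.out_if == "wan":
            r.disabled = True
    return rules


def scenario(nat_rules):
    tv = ipaddress.ip_address("192.168.1.50")      # constructed Android TV address
    prime = ipaddress.ip_address("198.51.100.7")   # inside the alias
    other = ipaddress.ip_address("192.0.2.1")      # any non-Prime destination
    return {"prime": send(FW_RULES, nat_rules, tv, prime),
            "other": send(FW_RULES, nat_rules, tv, other)}


if __name__ == "__main__":
    for name, nat in (("automatic", automatic_outbound_nat()), ("manual, WAN mapping off", manual_nat_wan_disabled())):
        print(name, scenario(nat))
```

With the WAN mapping disabled the model shows the symptom exactly: Prime traffic still picks the WAN gateway, but it leaves with the 192.168.1.x source and gets no reply, while everything else keeps working through the tunnel because that mapping was left enabled. Restoring the mapping, or staying in automatic/hybrid mode as johnpoz suggests, is what makes the bypass rule actually useful.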
                    • M
                      meridium @johnpoz
                      last edited by

                      @johnpoz A leftover thing from the time pfSense was new to me. Wanted to be sure no traffic was going out over WAN.

                      Thx.

                      • G
                        ganwa @Gertjan
                        last edited by

                        @gertjan said in Bypassing openvpn for Prime video on Android TV device:

                        @meridium said in Bypassing openvpn for Prime video on Android TV device:

                        I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.

                        You saw the pfBlockerNG v3.0.0_6 update?

                        If you want pfBlockerNG to 'work' for some IPs, and not others, then this:

                        (future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
                        tells me that pfBlockerNG can't do what you want - for now.

                        Policy routing 'some IPs' to have them use the WAN interface, and others the OpenVPN interface, is done without using pfBlockerNG.
                        I have the impression this policy routing isn't set up correctly.

                        Thanks buddy for the great information. It really helped me!!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.