Videos and audio not working.. Help plz!!



  • Hi, I recently set up pfSense, replacing the old setup.
    Services I am using on pfSense …
    DHCP server
    Load balancing 5*WAN -->>>1 LAN
    Captive Portal

    Everything is working fine except videos on websites like "www.vk.com" (VKontakte) ... most of the videos on that site are showing the error
    "the video has not uploaded yet or th"
    and audio is also having problems ...

    Can it happen due to load balancing ... I really need an immediate solution ... as on my network 90% of users are using that website and everyone is complaining about this ... I need help...


  • Netgate Administrator

    It can be a problem. Most mainstream websites seem to have updated to allow for loadbalanced connections though.
    It still causes me trouble on banking sites or credit card checks.

    You can try enabling 'sticky connections' if you haven't already. It's in: System: Advanced: Miscellaneous:

    You can set up a firewall rule to route all connections to vk.com through one WAN.

    Steve



  • I tried sticky connections, but it's not helping.
    Now I don't know exactly how to set the firewall rule for vk.com


  • Netgate Administrator

    I'm not familiar with vk.com (it appears to be Russian Facebook) so I don't know exactly how to do this. In general sites like this might only allow video to clients who are logged in. The load balancer operates on a round robin basis, one WAN at a time. Thus if you have a connection open to a page on vk.com and try to open another connection to view a video (which may appear to be on the same page) it will probably go out via a different WAN.
    Because the WANs are NATed the servers at vk.com see the new connection as coming from a completely different IP and don't allow that, it looks like a security problem.

    Therefore to stop this happening send all your connections to vk.com via a single WAN.

    1. First determine what the IPs used by vk.com are.
    2. Create an alias in pfSense to these IPs to make things easier (more readable).
    3. Add a firewall rule on your LAN interface, above the load balancing rule, that has vk.com alias as the destination and uses the default gateway.

    Steve

    Edit: I have just discovered that you can very easily complete steps 1 and 2 (at least in part) by going to: Diagnostics: DNS Lookup: in the webGUI. Enter vk.com and then click on 'create alias out of these entries' at the bottom. Great feature!  :)

    Edit2: Of course this may not work if the embedded video is actually served from a different url.



  • Hi Steve, thanks very much, I will try the above just now …
    But I discovered that when I put 1 WAN on tier 1 and the others on tier 2, 3 or 4, 5 ... the videos start working ...
    but due to this I have observed that most websites are taking a long time to respond and sometimes they never respond and speed is also affected ... (all WANs have an equal speed of 50 Mbps)


  • Netgate Administrator

    When you do that all your traffic will go via your tier 1 WAN unless it goes down or the ping time becomes very high.

    Steve



  • I created … but it's not helping either (
    I guess you are right, they host videos and audio on a different server ... the only thing working is tier 1
    load balancing was my main reason to switch to pfSense ...

    ![New Picture.jpg](/public/imported_attachments/1/New Picture.jpg)


  • Netgate Administrator

    You probably want to change the protocol to any, if it's streaming video it may not be TCP.
    If they are using another domain to host video you can simply add that to the alias or create a new rule and alias for it.

    Steve



  • I tried changing that to Any also but it's not helping …. and I have collected other IPs too, but every time I search for DNS there is a new IP
    I just found out that they use P2P servers ... in that condition what should I do?



  • Hi Steve … today I tried diverting all the YouTube traffic to one WAN ... I followed the same procedure as above for vk but the traffic graphs are not showing any changes when all the YouTube traffic is on one WAN (that WAN was on tier 2)
    Maybe I am making a mistake creating the rules!!!

    and one more thing, the WAN on tier 1 is constantly having packet loss of 20-40% ... can I create a threshold value so that the traffic switches to another WAN ...


  • Netgate Administrator

    The tier value you assign to each WAN only affects gateway groups. If you have added a rule to send all youtube traffic via a single gateway it will make no difference. You can either leave the gateway setting as default (in which case it will use the system gateway, probably the first WAN) or set it to a particular gateway from whichever WAN you want.
    Youtube is likely to be difficult since they have a massive number of IPs across a worldwide set of server farms!

    You can set the packet loss thresholds in: System: Gateways: Edit gateway: Advanced.
    You can also set the weight there so that you can divert more traffic to another WAN if it's struggling.

    You could try approaching this from another direction.
    I've never tried this but you could use firewall rules to divide your users traffic between the WANs. E.g. 192.168.1.10-30 route to gateway 1, 31-50 to gateway 2 etc. This may not be practical for you.

    Steve



  • @stephenw10:

    You could try approaching this from another direction.
    I've never tried this but you could use firewall rules to divide your users traffic between the WANs. E.g. 192.168.1.10-30 route to gateway 1, 31-50 to gateway 2 etc. This may not be practical for you.

    Steve

    thanks for the feedback …. I know I am asking too much ... but I am stuck in situation that I don't know how to handle ... apparently I have only one LAN and I need captive portal to work .. can I do this without shaking up my present setup ...  ... if yes just provide me the outlines to do that!


  • Netgate Administrator

    I've never used the captive portal feature so I may not be of much help.  :(

    However, as it says in the docs wiki, it's much the same as that for m0n0wall which is well documented here:
    http://doc.m0n0.ch/handbook/captiveportal.html

    I can't  see any reason why you couldn't do it with your setup.

    Steve



  • Sorry … But I can't find any direct setting in firewall rules where I can assign these gateways to set of lan ips!!


  • Netgate Administrator

    I've never tried this either I was just speculating but..
    Set the source in the firewall rule to network then divide up your LAN by defining, say, a /27 (30 addresses).
    E.g. 192.168.1.1/27 (192.168.1.1-30). The only problem with that is that in that case 192.168.1.31 is seen as the broadcast address so is not included.  :-
    A better way might be to define some aliases for your LAN client groups.
    Yes, just tried it and that works much better.
    Add an alias with type network(s) and divide up your LAN address space, 192.168.1.1-192.168.1.32, for example. Add aliases so you have divided up your LAN into 5 groups.
    Add firewall rules with source, alias LAN1-32, gateway WAN1.

    Like I said I've not tried this but it should work. It has a number of drawbacks though. If one WAN goes down that group of LAN IPs will not have access. It will not share the load evenly, if your heaviest users are all in group 1 they will have a problem.  :-\

    Steve



  • You could make 5 gateway groups, each with a different WAN as tier1 and the others rolling down in priority:
    WAN1-Priority-Group - WAN1 = Tier1, WAN2 = Tier2, WAN3 = Tier3 …
    WAN2-Priority-Group - WAN2 = Tier1, WAN3 = Tier2, WAN4 = Tier3 ...
    WAN3-Priority-Group - WAN3 = Tier1, WAN4 = Tier2, WAN5 = Tier3 ...
    WAN4-Priority-Group - WAN4 = Tier1, WAN5 = Tier2, WAN1 = Tier3 ...
    WAN5-Priority-Group - WAN5 = Tier1, WAN1 = Tier2, WAN2 = Tier3 ...

    Then have your aliases for each group of users, e.g.
    Group1 192.168.1.0/27  (0-31)
    Group2 192.168.1.32/27 (32-63)
    Group3 192.168.1.64/27 (64-95)
    Group4 192.168.1.96/27 (96-127)
    Group5 192.168.1.128/27 (128-159)
    (split up the range of IPs that your users actually get into 5 reasonably subnet-able ranges)

    Then have 5 rules, each rule feeds one of the alias 'Groupn' into the matching WANn-Priority-Group.
    Then, if a WAN is down, that group should failover into the next WAN. But any single user on a single local IP will have all their traffic directed to a single WAN link at any one time.
    This is a manual load-balancing and failover scheme, but at least it ensures that 1 client IP will go out over 1 WAN and appear to have 1 NAT'd IP address to all the internet servers it accesses.
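
The scheme in the post above, modelled in Python as an added example (not part of the thread and not pfSense configuration). The function names are made up for the illustration, the tier order is simplified to "first WAN in the list that is up", and the address ranges are the post's example groups.

```python
import ipaddress
from itertools import cycle

WANS = ["WAN1", "WAN2", "WAN3", "WAN4", "WAN5"]

# Client aliases, taken from the example ranges in the post above.
CLIENT_GROUPS = [
    ("Group1", "192.168.1.0", "192.168.1.31"),
    ("Group2", "192.168.1.32", "192.168.1.63"),
    ("Group3", "192.168.1.64", "192.168.1.95"),
    ("Group4", "192.168.1.96", "192.168.1.127"),
    ("Group5", "192.168.1.128", "192.168.1.159"),
]


def priority_groups(wans):
    """One gateway group per WAN: that WAN is tier 1, the others follow in rotation."""
    return {f"{w}-Priority-Group": wans[i:] + wans[:i] for i, w in enumerate(wans)}


def egress_wan(client_ip, down=()):
    """WAN a client leaves through under the per-group rules, or None.

    None means either no group rule matched (the packet falls through to
    whatever rule sits below) or every WAN in the matching group is down.
    """
    ip = ipaddress.IPv4Address(client_ip)
    groups = priority_groups(WANS)
    for index, (_, first, last) in enumerate(CLIENT_GROUPS):
        if ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last):
            tiers = groups[f"{WANS[index]}-Priority-Group"]
            return next((w for w in tiers if w not in down), None)
    return None


def round_robin_egress(connections, wans=WANS):
    """WANs used by consecutive connections when the balancer rotates per connection."""
    rotation = cycle(wans)
    return [next(rotation) for _ in range(connections)]


if __name__ == "__main__":
    print("round robin, 3 connections:", round_robin_egress(3))
    print("pinned client .40:", [egress_wan("192.168.1.40") for _ in range(3)])
    print("same client, WAN2 down:", egress_wan("192.168.1.40", down={"WAN2"}))
```

Under round robin the three connections leave through three different WANs, so the remote site sees three source addresses for one session; with the per-group rules the client keeps one WAN until that WAN fails.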


  • Netgate Administrator

    Yes of course, that solves the fail over problem.  :)

    However you can't just use /27 as it doesn't include the first or broadcast address, 0 and 31 in the first subnet, 32 and 63 in the second etc.
    The alias entry page can generate the required networks by entering a range, 192.168.1.1-192.168.1.32 as I said above. It results in this:

    192.168.1.1/32, 192.168.1.2/31, 192.168.1.4/30, 192.168.1.8/29, 192.168.1.16/28, 192.168.1.32/32 
    

    Which looks nasty but is correct!

    Steve



  • thanks very much guys … for the help
    I am using subnet 192.168.0.1 ...
    then this should be my setup?

    Group1 192.168.0.0/27  (0-31)
    Group2 192.168.0.32/27 (32-63)
    Group3 192.168.0.64/27 (64-95)
    Group4 192.168.0.96/27 (96-127)
    Group5 192.168.0.128/27 (128-159)

    Can I start addresses from .. 192.168.0.50/27 (50-81)

    and in aliases I saw the option of hosts/network/url etc. ....
    so can I define particular IPs in the aliases list .., maybe I can list all the IPs in the aliases list without following the above approach


  • Netgate Administrator

    Don't use the /27 notation for the reason I outlined above.

    Use alias type network(s) and enter '192.168.0.1-192.168.0.32' etc.

    Steve
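
The range-to-network expansion quoted earlier in the thread, and the question about starting a group at 192.168.0.50/27, worked through with Python's standard `ipaddress` module. This is an added example, not part of the thread and not pfSense code; the function names and the sample aliases in `__main__` are constructed for the illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(block) for block in blocks]


def cidr_span(cidr):
    """(first, last) address a CIDR string denotes once host bits are masked off."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def find_overlaps(aliases):
    """Pairs of alias names whose blocks share at least one address.

    Rules are matched top down, so an overlapping address silently takes the
    gateway of whichever group rule comes first.
    """
    nets = {name: [ipaddress.ip_network(c) for c in cidrs]
            for name, cidrs in aliases.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if any(x.overlaps(y) for x in nets[a] for y in nets[b])]


if __name__ == "__main__":
    # Reproduces the list quoted in the thread for 192.168.1.1-192.168.1.32.
    print(range_to_cidrs("192.168.1.1", "192.168.1.32"))
    # 192.168.0.50/27 is not an aligned block: as CIDR it means .32-.63.
    print(cidr_span("192.168.0.50/27"))
    # Entering 50-81 as a range gives the blocks that really cover it.
    print(range_to_cidrs("192.168.0.50", "192.168.0.81"))
    # Constructed aliases: mixing a range with a /27 overlaps at .32.
    print(find_overlaps({
        "LAN1": range_to_cidrs("192.168.0.1", "192.168.0.32"),
        "LAN2": ["192.168.0.32/27"],
    }))
```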



  • Hi Steve … I followed your instructions ... I have made all the aliases groups and load balancing groups ... have put all the users on static ips
    I saw I can't move the groups up or down ... so I guess I need to delete the old Load balancing group ... ??
    and I was wondering then what gateway I should put in LAN .. default, or can I recreate a group like the old one and put LAN on to that ... I guess in this way it will handle the leftover IPs too ... presently my IP list is 120+


  • Netgate Administrator

    You need to have the new rules corresponding to the groups at the top of the list since the firewall matches rules on a top down basis.

    It would be a good idea to have a default rule below these to catch anything that isn't matched. You can use the default gateway for this or a loadbalancing gateway.

    Does it look like this is working?

    Steve



  • It's working ))) Thanks Steve … I am really thankful to you and this forum ... I never expected this type of response ...
    I have implemented the setup partially ... just for now 2 WANs .. actually I couldn't sort out the IP ... I need a little time for that; maybe by the end of today I will manage to implement the setup ...
    and the other three WANs are working on the old load balancing group ...
    One more thing ... I asked you about the configuration of my pfSense earlier, whether it can handle the throughput of 250 Mbps (in another topic) ... you said yes
    But whenever I go to speedtest ... it never crosses 135 Mbps (usually around 120 Mbps) ... is it normal for speedtest .... (I am using cat 5e wire for the gigabit link to the GB switch)


  • Netgate Administrator

    I have read that speedtest.net does not give an accurate result above 100Mbps but I am unable to test that with my two WANs (20Mb and 40Mb). I can say that it uses both my connections and gives a value usually around 56Mb.

    You can test the connection by manually starting some large downloads on each WAN. It's a PITA though!  :P

    Steve



  • Hi … I arranged whole setup ... All working good ... Finally everything is settled ... For the time being I am not too worried about the speedtest ... Well I really appreciate your help Steve and this forum ...!!!

