RTMP streaming is blocked



  • I experienced that RTMP streaming gets blocked.
    I started a topic in the past (locked now) but the problem remained.
    rtmp, rtmpt, rtmpe, … all are blocked.

    In one of the videos I'm trying to access, I get a Server not found: rtmpt://.... error.

    pfSense uses the Squid proxy; I already tried transparent and non-transparent mode.
    The Squid filter has been turned off for testing purposes and I allowed (temporarily) all TCP/UDP traffic from * to * on LAN and WAN with allow IP-options but still the streaming gets blocked.

    A tcpdump of one computer trying to access such a stream is included.

    I tried both tests on this page and got this outcome:

    WIN 11,4,402,265

    RMTP Default Success 47.8s
    RMTP Port 1935 Failed 15.4s
    RMTP Port 80 Failed 15.4s
    RMTP Port 443 Failed 15.4s
    RMTPT (Tunneling) Default Success 2.7s
    RMTPT (Tunneling) Port 80 Success 2.7s
    RMTPT (Tunneling) Port 443 Success 2.7s
    RMTPT (Tunneling) Port 1935 Success 2.7s

    WIN 11,4,402,265

    RTMP DEFAULT TimeOut
    RTMP 80    Failed
    RTMP 443    Failed
    RTMP 1935  Failed
    RTMPT DEFAULT Success
    RTMPT 80    Success
    RTMPT 443    Success
    RTMPT 1935  Success
    packetcapture_klazoid.txt



  • I did a clean install of pfSense (2.1 snapshot) and installed Squid as proxy (port 8080). With this setup I'm unable to watch any movie from this page: http://www.deredactie.be/cm/vrtnieuws/mediatheek

    I'm starting to wonder if it is my/pfSense's fault or a faulty setup of the way the website tries to stream the data over rtmp.


  • Netgate Administrator

    From behind a 2.0.1 Nano install I am seeing:

    
    WIN 11,3,300,271
    
    RMTP Default Success 2s 
    RMTP Port 1935 Success 2s 
    RMTP Port 80 Success 2s 
    RMTP Port 443 Success 2s 
    RMTPT (Tunneling) Default Success 5.8s 
    RMTPT (Tunneling) Port 80 Success 5.6s 
    RMTPT (Tunneling) Port 443 Success 6.2s 
    RMTPT (Tunneling) Port 1935 Success 6.2s 
    
    
    WIN 11,3,300,271
    
    RTMP 		DEFAULT		Success
    RTMP 		80     		Success
    RTMP 		443    		Success
    RTMP 		1935   		Success
    RTMPT		DEFAULT		Success
    RTMPT		80     		Success
    RTMPT		443    		Success
    RTMPT		1935   		Success
    
    

    Not running Squid.

    Steve


  • Rebel Alliance Global Moderator

    running on win7 x64 box in firefox, behind pfsense

    2.1-BETA0 (i386)
    built on Thu Sep 13 04:24:49 EDT 2012
    FreeBSD 8.3-RELEASE-p4
    With gitsync as of a couple of days ago.

    Not using any proxies at all in pfsense.

    
    WIN 11,4,402,265
    
    RMTP Default Success 1.3s 
    RMTP Port 1935 Success 1.4s 
    RMTP Port 80 Success 1.4s 
    RMTP Port 443 Success 1.3s 
    RMTPT (Tunneling) Default Success 2.8s 
    RMTPT (Tunneling) Port 80 Success 2.8s 
    RMTPT (Tunneling) Port 443 Success 2.9s 
    RMTPT (Tunneling) Port 1935 Success 2.9s 
    
    
    
    WIN 11,4,402,265
    
    RTMP 		DEFAULT	Success
    RTMP 		80     		Success
    RTMP 		443    		Success
    RTMP 		1935   		Success
    RTMPT		DEFAULT	Success
    RTMPT		80     		Success
    RTMPT		443    		Success
    RTMPT		1935   		Success
    
    

    Looks like all those tests pass for me.  You behind any sort of double NAT?



  • Modem is connected directly on pfSense WAN card, all PCs on same LAN subnet. So I guess I have a single NAT (automatic).

    The strange part: Last week, I contacted the publisher of the website. They said they wouldn't change a thing and suddenly (same day of the mail) the movies started to work. I didn't change a thing… My joy wasn't of long duration when I noticed the movies get blocked again since yesterday. This time I have proof they changed something. The standard "server not found rtmpt://" is changed by a custom error message: "This video could not be played. Maybe there is a service on the network that makes it impossible for you to view the movies (ie. corporate firewall)."

    Conclusion: if they want, they can make it work for me, apparently they don't for some reason. Don't know what I can try more since I've tested this already with an allow * to * rule.

    edit

    I have now tracked the problem down to the squid proxy. I was able to get the movie working in transparent mode but this is a setting I prefer not to use...

    This topic seems related to this problem: http://serverfault.com/questions/264079/force-rtmp-streams-playing-flash-to-be-requested-via-proxy-server

    I've added 'acl Safe_ports port 1935' to the custom options but this didn't work.


  • Rebel Alliance Global Moderator

    "Modem is connected directly on pfSense WAN card"

    Depends if what you're calling a "modem" is really a modem and not a gateway.  What is your pfsense wan IP, does it start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x ?

    "I have now tracked the problem down to the squid proxy"

    thought you said they could make it work for you since they changed something?


  • Netgate Administrator

    In the linked forum threads it says that server side configuration can determine whether or not flash respects local proxy settings. Running squid transparently ensures all traffic is proxied (or allowed to pass).
    Presumably the problem here is that flash ignores the proxy settings and attempts to connect directly. This fails because you are blocking this traffic? You would see this in the logs. Since rtmp traffic attempts initially to use a high port you could just allow that.
    Or try some sort of SOCKS encapsulation as the thread suggests.

    Steve



  • @johnpoz:

    "Modem is connected directly on pfSense WAN card"

    Depends if what you're calling a "modem" is really a modem and not a gateway.  What is your pfsense wan IP, does it start with 10.x.x.x, 192.168.x.x or 172.16-31.x.x ?

    "I have now tracked the problem down to the squid proxy"

    thought you said they could make it work for you since they changed something?

    Modem is the real cable modem. IP of wan is 81.x.x.x

    If you watch the tests in the first post, you see the tunneling of rtmp isn't blocked. I guess they didn't use tunneling in the past, turned it on for a moment (the moment it worked for me) and now turned it back off.

    From what I've read, Flash ignores proxy settings and tries to use port 1935, 80 or 443, and if this doesn't work a lot of websites will try to send the data in an encapsulated HTTP packet. They don't use that method for some reason. I've tried to add port 1935 to the Squid safe list but that didn't fix it.
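
Added example (not part of any post in this thread): a small probe that performs the first step of a plain RTMP handshake on the ports discussed above, to tell a dropped connection apart from a port where something other than an RTMP server (for example an HTTP proxy) answers. The function name `probe_rtmp` and its result labels are made up for this sketch; the handshake layout (one version byte 3, then a 1536-byte block) follows the published RTMP specification.

```python
import os
import socket
import struct

RTMP_VERSION = 3        # C0/S0 version byte for plain RTMP
HANDSHAKE_LEN = 1536    # size of the C1 and S1 blocks

def _recv_upto(sock, n):
    """Read up to n bytes; stop early on close, reset or timeout."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:
        pass
    return buf

def probe_rtmp(host, port, timeout=5.0):
    """Return 'rtmp', 'not-rtmp', 'closed' or 'timeout' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"    # SYN silently dropped, typical of a block rule
    except OSError:
        return "closed"     # refused or unreachable
    with sock:
        # C0 = version byte; C1 = 4-byte time, 4 zero bytes, random filler
        c1 = struct.pack(">II", 0, 0) + os.urandom(HANDSHAKE_LEN - 8)
        try:
            sock.sendall(bytes([RTMP_VERSION]) + c1)
        except OSError:
            return "not-rtmp"
        reply = _recv_upto(sock, 1 + HANDSHAKE_LEN)   # expect S0 + S1
    if len(reply) == 1 + HANDSHAKE_LEN and reply[0] == RTMP_VERSION:
        return "rtmp"
    # Connected, but the peer did not speak RTMP (e.g. an HTTP error page)
    return "not-rtmp"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (1935, 80, 443):   # the ports named in the thread
        print(p, probe_rtmp(target, p))
```

Run from a LAN client, a `timeout` or `closed` result points at filtering on the path, while `not-rtmp` on port 80 suggests the connection is being answered by an intercepting HTTP proxy rather than the streaming server.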


Locked