Amazon Fire TV not working

  • Hi!

    I'm using pfSense 2.1.5 and my Amazon Fire TV is not working. I have a classic setup, so: Modem – pfsense -- Switch -- Clients (Fire TV also). Every client is working well, but not the Fire TV. I also testet to create a new interface DMZ and allow all in the rules tab, same problem. I can't get any connection with the Fire TV, but I can ping it.
    If I plug it directly to the modem, it is working fine.

    Here's a screen of my firewall log:

    Whats the problem, what can I try to do?


  • Do you have the uPNP service running on the interface (LAN)?

  • No I don't have. But I also testet it with it running. What I found out: if I go to Advanced - Firewall/NAT and check "disable all packet filtering" and uncheck it again, Fire TV works fine for a short period of time. But at least after 1 hour, it's not working anymore. Is this a bug from pfsense, or what's happening there?

  • LAYER 8 Netgate

    What is showing up as blocked in the firewall logs?

  • Nothing, thats the problem.

  • You know what.  I bet manual outbound NAT with static port need be set up on basically the entire LAN…  (WAN...  technically)

    Perhaps maybe just 49000 - 65535...

    But I'd do the whole LAN at first to see if that fixes the issue and then narrow the ports.

    It is a UDP stream after all.  Might be the issue, as it so often is.

  • You may use other protocols, like some games amongst other things, that do not work properly when the source port gets rewritten. To disable this functionality, you need to use the static port option. Click Firewall -> NAT, and the Outbound tab. Click "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save. You will then see a rule at the bottom of the page labeled "Auto created rule for LAN". Click + to copy that rule. Change the rule so it only covers the source IP of your device that needs static port, and any other settings you need. Check the "static port" box on that page, and click Save. Move the rule to the top of the list. Apply changes and this behavior will be disabled.


    I'd just do the entire 1-65535 at first, just to see if that changes things.  Then try to narrow it to only what your service needs.
    Be sure to put your rule with static port on top of the list(-;

    If this makes no difference, its easy to change back to automatic outbound nat.

  • Wich rule do I have to copy and edit?

    My LAN is the, there also is the Fire TV connected to.

  • You see the very first rule?  Hit the + button to the right of it.  Then change destination port to 1 - 65535

    Then change the description to something like "static port entire lan".  Then save the rule.  After that, move that rule to top of list.

    Be sure to save/apply.

    See if it works.  Might need a reboot.

    Its easy to go back and delete if doesn't work.

  • P.S.  Looks like where there was 500, you should make that blank to catch all ports.

    No idea if this will work.  Could also be a dlna issue.  I hope its this "easy" for you.

  • Is there a possibility that I lock out myself with that? I'm connected via WAN right now  :D

    Trying to set the destination port range to 1-65535 it says "You must supply either a valid port or port alias for the destination port entry."

    EDIT: thanks for the tip! I've edited now the first rule and leave the port empty, for cover all ports. Will try that later at home if its fixed. Will report then, thanks a lot till now!

  • Where it had 500, just make it blank to catch all ports.  No - You will not be locked out.

  • See edited post above, thanks!

  • Don't thank me unless it works.  Good chance its no effect at all.

  • You're right, let's see.

    As I setup DMZ yesterday, I let the firewall log everything and found out that Fire TV only connects via port 80 and 443 and (I think it was) 2289 TCP. Also uses 53 as well. But even with everything allowed, it didn't work.
    Maybe it's realy an UDP stream problem, don't know. Also requested the Amazon support, they can't help me right now and gave it to the technicals.

    Is there any possibility to see whitch ports the Fire TV is using, or trying to use?

  • I think you are going to find out fire tv will use a ton of random udp ports, but lets see.

    Your pfsense setup is far from simple - its possible you have other issues.

  • Hm, first issue is if I set the NAT outbound from automatic to manual, IPsec isn't working anymore. So I edited the first rule to any port, and set back to automatic. Is that ok, or whats the difference to manual? Now IPsec is working fine again.

  • automatic totally ignores any rules you set.

    when you get home try it with manual.

    If it works, you might want to make a LAN segment just for fire tv.

  • I'm being stupid - duh…

    You can change your first rule to the single IP of fire tv instead of the entire LAN

    like    (replace 100 with whatever your amazon fire device is)

    Then static ports will only apply to that 1 device.

  • Well I think I need automatic for the IPsec, or not?

  • Automatic has screwed me more often than not.  I don't use it anywhere.

    I don't use ipsec though.  Still I doubt seriously its required.

  • Tested it right now, manual - no traffic passes through IPsec. Automatic - it works fine  :-\

  • Oh, forgot to create a manual outbound rule for the virtual network. Now IPsec works fine with manual outbound NAT. Let's see what the FireTV say's later at home. I think there is the problem, or that the connection isn't established. After disableing and enableing the firewall, I see at the states that there are many connections from the Fire TV established. After a while, they are not anymore and it's not working anymore.

    EDIT: maybe it also is a multicast problem? Could that be? I dont have any rules for IGMP traffig.

  • OK, testet it now, and it's not working :(.

    Why is it only working for a few minutes after checking "Disable all packet filtering." in the advanced firewall/nat and uncheck it again? Don't know whats happening there. The firewall logs alsways says the same and allowing the traffic.

  • Im not sure.  I suspect its something particular to your configuration.  You have several things configured on that router.

    Are you blocking ANYTHING on the LAN?

    Do you have a good allow-all rule?

    When you "Disable packet filtering" you are turning off the firewall.

    At that point it establishes a connection and works.

    The connection once open is persistent even after firewall is enabled again.

    Until it eventually dies sometime later.

    So I'm wondering which rule is killing it?

  • Can you post your lan firewall rules?

  • The strange thing is, if I check the disable all packet filtering to disable the firewall, every client will lost his connection. So nobody can access anything anymore. After unchecking it, everything works fine.

    Here are my LAN rules right now:

    That's the allow all rule:

    These are the UDP ports opend if it is working:

    EDIT: hm, now it's not working anymore and the UDP connections still are established.

  • It's getting even stranger, if I try to watch a movie, sometimes it takes some minutes, but then it starts. So it seems to be very slow, but works?!  :-[

    EDIT: yes, if I can click to watch a trailer or film, it works now. But the menue dont works, and gets me errors. But after disable and reenable the firewall, also the menu works fast and fine.

  • Looks like you got carried away with your firewall rule set.

    Looks abit over complicated.

    I'm pretty sure this is a self inflicted issue.

  • Maybe there is a problem in the NAT configuration? I ask myself why everything works, also TV's but not the FireTV in the menu. The menu is too slow, but streaming works well if I get the chance to see the "play" button.

  • OK, I deleted all my Firewall Rules, all my NAT forwards and outbounds, but it still don't works.
    Now I made a factory default reset and it works! But why the hell, what is different?

  • OMG, think I got it  ;D. On WAN interface was a manual (wrong) MTU set, after deleting it works till now with my old config!

  • I'm glad its all good now.  (-:

    So nothing special required.  Thats actually good news.

  • Yes, it is :)