Need Help debugging connections to Streaming services


  • Hy!
    I have been trying the whole week, but I cant find out whats wrong. Maybe someone can help me?

    The Thing is, I cant connect to Netflix, Vudu, Amazon etc using my streaming boxes (wdtv, roku), but I can using a win7 pc.

    My setup is:

    not working:

    openvpn-server (USA) –> cable modem (Europe)--> pfsense -> lan with streaming boxes

    working:

    openvpn-server (USA) --> cable modem --> pfsense -> lan with win7 pc

    It all began when my docsis modem was switched to ds-lite-ipv6 by my provider (but i dont know if thats the cause and to be honest, i just noticed that when i began looking for the problem, so it could be i was switched do ds-lite weeks before - but not months, that i would have noticed).

    before all broke my working setup was:

    openvpn-server (USA) --> cable modem --> win7 pc with openvpn client and ics natting to nic2 --> streaming boxes

    After they switched my modem i began ruling out what could cause the outage, so I switched from win7-ics to a pfsense firewall box (using a ne2208-31 box with 4 rtl-nics (celeron1ghz dualcore).

    On the streaming boxes youtube, pandora, hulu plus preview all work, so network connection is fine. with vudu it gets me a "connection timeout", but not on the win7-pc.

    On openvpn i use tun device and udp and that worked reliably for years now, tcp is too slow, so i really dont want to switch back to tcp although i suspect there is some trouble with the udp tunnel caused by my new docsis modem i got one year ago (constant replay messages..), but it worked until last week the modem was switched to ipv6.

    i blocked ipv6 completely in pfsense. as you know ds-lite makes ipv4 go over a povider-nat. but also, how could that be the troublemaker, as i use the openvpn tunnel and on the pc its working..

    funny thing is, i didnt use my roku box for 2 years (it was 100% offline). and now after i am sure that my pfsense setup is working i connected it back and same thing as on the wdtv: no netflix, no amazon, but its online and fetching content (Ads). so the trouble cant be that i was suspended by some services or that the box got an idea that ipv6 connectivity is there (the wdtv was on ipv6 for some  minutes because of debugging).

    i pretty much ruled out everything i could think of, but now i am stuck..

    in the openvpn log i found some "write UDPv4: No buffer space available" (they must have come from watching youtoube, cause while connecting to netflix these messages dont appear). so i googled and i deleted "push route <opevnpn-server>", no change...

    What could the difference be between the youtube app and netflix/roku what makes one working one not??

    i thought maybe the latter are very sensitive to timeouts and since ds-lite i may have a high-latency on ipv4, who knows! but converting everything to ipv6 (my openvpnserver etc etc) would be a huge work (as i dont know anything about ipv6 and i would have to built a new iptable ruleset for that, cause of the other services running on the server etc etc) and i dont even know if netflix and the others use ipv6, so i didnt try that, to just maybe find out that traffic still gets routed over ipv4.. i suspect my provider is sabotaging the connection, but again, how could that selectively affect the traffic inside an encrypted vpn-tunnel...so i thought maybe the ip adress of my vpn-server got blacklisted - but on all bigger streaming services at a time? and using win7 they answer and let me log in..

    pfsense-wise i am pretty sure everything is set up right, i checked with netalyzr and as said on the win7 machine everything works fine. netalyrz got me some dns-anomaly, it says microsoft.com is routed to unknonw ip.

    so as i am stuck, all i can thinnk of is analyzing packets, but i dont have the knowledge to do so..

    thx!!</opevnpn-server>


  • just found this..



  • so far i checked my openvpn settings and also set up a tcp tunnel.

    it all boils down to this:

    some apps on the streaming devices, although the traffic is routed over the vpn tunnel, detect, that the location is non us (vudu shows error 1:200).
    on the pc the services work.

    how can that be?

    in the nat settings on outbound interfaces i have no ipv6 rule.


  • hy, i think i found out, it appears that google provides geolocating about users using their dns . semms that thats new and wasnt used before. i use my own dns now instead of google and it works - apart from one streaming provider which obviously blocks my provider (there are news on the internet that this streaming service introduced ip blocking for all known vpn providers).

    so my problem was a "dns-leak"..

    p.s. i can ty it to google. but i cant say that there wasnt a problem with ipv6-dns, cause now i am back to ipv4 with my provider. so i still think having ipv6 and ipv4 somehow opens other possibilities for "dns-leaks". or maybe there is something in the response of dns servers that varies if the cleint is ipv6 aware, or it can be exploited to do geolocating.


  • Here I can get all services on VPN (private vpn).  The VPN is providing both IPv6 and IPv4.
    Everything works.

    Interesting difference between hulu and netflix.
    For hulu, you have to stay in the vpn whole time.  If you drop the vpn, the streams drops and you will get a "Not in that part of world" message.

    Netflix however, only needs me to be in the vpn long enough to select a title.  Soon as it starts playing I can disconnect VPN and it keeps playing.

    This is handy when the local network latency gets high and bandwidth is marginal. It improves netflix playback to drop the vpn.  Not so with hulu.

    Hulu is using my IPv4 and netflix defaults to IPv6.  Both are fine on google DNS both 4/6.


  • thats a neat trick :)
    indeed on unblock-us, which provides dns redirection to proxy servers they say that netflix does geolocating only on the main site - or the main interface - but not from its streaming servers - and you found how to exploit that nicely :)


  • Well, my VPNs in the USA are mostly on fiber so they are not a problem. Very speedy.  Locally here in Manila, internet can turn to mush pretty fast, so every little trick helps.

    I'll be glad if HULU emulates netflix in the future.  Besides the ease of networking and IPv6 compatibility, Netflix HTML5 is much less processor intensive than hulu Flash.  Lower processor load=lower wattage = lower power bill.  Here electric is almost 3x the usa price.