Topic: pfBlockerNG preventing PBS channel on Roku 4 from Working

Xentrk
pfBlockerNG preventing PBS channel on Roku 4 from Working
« on: January 03, 2018, 07:46:39 am »
I have 2.4.2-RELEASE-p1 installed. 

The PBS Channel App on my Roku stopped working recently when using pfBlockerNG.  I am able to select the channel and browse the selection of shows.  Once I select a show, a spinning symbol starts to spin and then returns to the main Roku menu.  May be similar to the issue I reported back in June 2017 here https://forum.pfsense.org/index.php?topic=132129.msg726771#msg726771

Disabling DNSBL has no impact on the issue.  On the Roku, PBS does work if I turn off pfBlockerNG.  PBS does not work if I have pfBlockerNG turned on.  What is strange is that the PBS channel works fine on the Amazon Fire Stick.
The PBS channel on the Roku works if I connect it to my Asus Router.  This router uses the host-based ad blocking solution called AB-Solution. 

I am at a loss as to how to troubleshoot the issue.  Nothing obvious appears in the Alerts page.  Any ideas are welcome.

3 x ASUS RT-AC88U | ASUS Merlin 380.69 | AB-Solution | Skynet
D-Link 880L | DD-WRT 3.0-r29837 | entware | pixelserv-tls | using AD Block forked from https://github.com/aviadra/anti-ads-pack
pfSense appliance SG-2440 | 2.4.2_p1 | pfBlockerNG | with D-Link 880L as AP flashed with DD-WRT 3.0-r30016M

BBcan177
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #1 on: January 03, 2018, 04:03:32 pm »
Try to run a tcpdump whilst loading the PBS Channel on the Roku (Change the "re1" to your interface)

Code:
tcpdump -nnvli re1 port 53 | grep -B1 'A 10.10.10.1'
It might help find out which domain is being blocked that is causing the Roku to not load the page...
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |

Xentrk
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #2 on: January 04, 2018, 09:36:05 am »
Thank you for the help! 

Before testing, I disabled pfBlockerNG and DNSBL. This time, it did not fix the issue.  Turning off pfBlocker worked three times in my testing. So this adds more to the mystery.   

I had to modify the command slightly.

Code:
tcpdump -nvli ovpnc1 port 53 -w log.pcap | grep -B1 'A 10.10.10.1' 

I see queries in the pcap file to r53-api-vip.pbs.org. I get one ping reply, then it hangs:

Code:
ping r53-api-vip.pbs.org
PING r53-api-vip.pbs.org (54.243.141.179): 56 data bytes

Windows ping:
Code:
Pinging r53-api-vip.pbs.org [54.243.141.179] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

I see some query requests to reports.crashlytics.com.  A ping reports.crashlytics.com does the same thing.  When viewing the details in Wireshark, the Query responses all state there is no error though. I believe these are both Amazon domains. I do have a firewall rule to route Amazon AWS traffic thru my private VPN server.  But I also have the same rule on the Asus. I disabled the rule and PBS worked! I then re-enabled the rule and PBS broke again.  I disabled the rule and this time, it did not work.  I repeated this several times and could not get it working again. At first, I thought I might be onto something.  :o However, there is another LAN rule that points the Roku to the same VPN server as the Amazon AWS rule.

I got the same ping replies when routing traffic over the WAN.

On the Asus router, I get ping replies for these domains. I also tried pinging several well known domains and got the expected responses.



BBcan177
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #3 on: January 05, 2018, 09:17:07 am »
It could also be a CNAME that is blocked, so you need to review what domains were blocked...  Also if you are using any IP block lists, it could be blocked by one of those rules...

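The capture-and-grep check from Reply #1, extended to also show the CNAME chain raised in Reply #3, as an added example that is not part of any post in this thread. It assumes the text layout of `tcpdump -nnv` DNS responses and the DNSBL VIP 10.10.10.1 used above; `dnsbl_hits` and `sample_capture` are hypothetical names and the sample capture is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. dnsbl_hits and sample_capture are
# hypothetical names; input is the text output of `tcpdump -nnv ... port 53`.

# Summarise DNS responses that contain "A <vip>": count, client, queried name,
# and any CNAME chain that led to the sinkholed name.
dnsbl_hits() {
    awk -v vip="${1:-10.10.10.1}" '
    # Response line: <server>.53 > <client>.<port>: <id> <an/ns/ar> <RRs> (<len>)
    $2 == ">" && $1 ~ /\.53$/ {
        client = $3; sub(/\.[0-9]+:$/, "", client)
        start = 0
        for (i = 4; i <= NF; i++)
            if ($i ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) { start = i + 1; break }
        if (!start || start > NF) next
        qname = $start; sub(/\.$/, "", qname)
        chain = ""; hit = 0
        for (i = start; i < NF; i++) {
            val = $(i + 1); sub(/,$/, "", val); sub(/\.$/, "", val)
            if ($i == "CNAME") chain = chain " -> " val
            if ($i == "A" && val == vip) hit = 1
        }
        if (hit) seen[client " " qname chain]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

# Constructed sample capture (not real traffic) using names from this thread.
sample_capture() {
    cat <<'EOF'
09:30:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 131)
    192.168.1.1.53 > 192.168.1.50.40001: 4660 2/0/0 pubads.g.doubleclick.net. CNAME partnerad.l.doubleclick.net., partnerad.l.doubleclick.net. A 10.10.10.1 (103)
09:30:01.200001 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], proto UDP (17), length 85)
    192.168.1.1.53 > 192.168.1.50.40002: 4661 1/0/0 b.scorecardresearch.com. A 10.10.10.1 (57)
09:30:02.000001 IP (tos 0x0, ttl 64, id 3, offset 0, flags [none], proto UDP (17), length 81)
    192.168.1.1.53 > 192.168.1.50.40003: 4662 1/0/0 r53-api-vip.pbs.org. A 54.243.141.179 (53)
09:30:03.000001 IP (tos 0x0, ttl 64, id 4, offset 0, flags [none], proto UDP (17), length 85)
    192.168.1.1.53 > 192.168.1.50.40004: 4663 1/0/0 b.scorecardresearch.com. A 10.10.10.1 (57)
EOF
}

sample_capture | dnsbl_hits 10.10.10.1
```

Against a saved capture such as the `log.pcap` from Reply #2, the same function can be fed with `tcpdump -nnv -r log.pcap | dnsbl_hits 10.10.10.1`.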

f34rinc
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #4 on: January 05, 2018, 10:22:53 am »
I ended up just assigning a static DHCP lease to my Roku and giving it a third-party DNS server to bypass DNSBL.

I NAT all DNS traffic from every device besides the Roku to pfSense to prevent anything else from using third party DNS servers.

Xentrk
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #5 on: January 12, 2018, 03:03:43 am »
Thank you for posting the config @f34rinc

The solution was to remove the Host Overrides in DNS Resolver for the following domains in DNSBL Custom Domain White List:

b.scorecardresearch.com
b.scorecardresearch.com.edgesuite.net
pubads.g.doubleclick.net
partnerad.l.doubleclick.net

This solution had worked previously per my link in the OP.

@BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients.

Thank you!
« Last Edit: January 12, 2018, 03:11:20 am by Xentrk »

f34rinc
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #6 on: January 12, 2018, 10:17:05 am »
Quote from: Xentrk
"how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients."

I do believe the 'unknown' issue is due to the way HTTPS blocks were handled.

Xentrk
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #7 on: January 13, 2018, 06:24:43 pm »
I route most of the traffic through a VPN tunnel.  So that may be the reason as well.

BBcan177
Re: pfBlockerNG preventing PBS channel on Roku 4 from Working
« Reply #8 on: January 15, 2018, 09:31:42 pm »
Quote from: Xentrk
"@BBCan177, how come the DNSBL Alert Log reports the IF and Source as unknown?  Is there a setting I need to configure?  I still see IF and Source information from some LAN clients."

This is already addressed in the upcoming release...