Showtime Anytime blocked

[diver3923 4]

It appears Showtime Anytime is blocked while using AirVPN.  I'm using a Roku streaming box to access Showtime.  The Showtime app loads normally and displays all of the available content, but when you attempt to play any content it responds with "Playback failed - Could not initialize video player."  If I disconnect from the VPN it starts to work perfectly.  Re-enabling the VPN brings the problem back.

 

The error message is strange, but the fact that it works normally when disconnected from the VPN suggests they are somehow filtering or blocking traffic from the VPN. 

 

Servers observed on:  Metallah, Miaplacidus and Rasalas.

[zhang888 1066]

How about other servers? Please provide more details about the service, and if this is indeed a widespread issue, it can be solved if you

have the exact hostnames/URLs you are trying to access.

 

Some services restrict access to U.S. based IPs because of various DMCA laws. Try the CA servers, for example.

[diver3923 4]

I'll do some more testing on it with different servers and respond back with more info.  I'll also try to identify what hosts it is using.  Since it is a Roku I'm not aware of the actual URL or IPs it is using.  I'll turn on some logging at the router to see what traffic is passing through.

 

The Roku device doesn't have anyway to connect to a VPN directly so I am using a pfSense router to connect to AirVPN.  There are two VLANs - one has all traffic going to the VPN and the other has all traffic going out the normal WAN interface.  I see the difference in behavior from the Showtime service when switching from the VPN VLAN to the WAN VLAN

 

The Roku has Google's DNS servers hard coded into it.  I suspect one reason for this is to geo-locate users.  I'm using NAT to capture all outbound DNS requests and redirect them to the pfSense box which then goes to the AirVPN DNS servers. 

 

I will also experiment a bit with using a different device to access the service (to eliminate the possibility that it is related to the Roku) but it will take a bit of time to reconfigure some settings.

[diver3923 4]

I did a bit more research into this.  It turns out the service isn't being blocked after all.  I determined the problem was related to my firewall not passing outbound traffic from the Roku on port 2012.  My initial tests of switching back and forth between VLANs (VPN and normal WAN) led me to believe it was an issue with the VPN since it worked on the normal WAN VLAN. 

 

I turned on some logging and saw that the Roku was trying to use port 2012 and was being blocked.  I discovered that the firewall rules on each of the two VLANs were slightly different.  Allowing traffic on port 2012 solved the problem.

[flat4 79]

What version of pfsense are you using? Also are you port forwarding? If so can you post a screen shots of the port forward.

 

Sent from my SAMSUNG-SM-N920A using Tapatalk

[diver3923 4]

I'm using pfSense 2.3.  The only port forwarding I'm using is related to NAT redirection for DNS and NTP.  The Roku (or at least some of the channels) is ignoring the DNS coming from DHCP and is querying Google DNS at 8.8.8.8 or 8.8.4.4.  I don't want DNS requests to leak out of the VPN, so I'm using the NAT redirection to force the Roku DNS requests to go to the router. 

 

The firewall rule for the Roku traffic is:

Pass Traffic

Protocol: IPv4 TCP/UDP

Source: VL60 (this is a VLAN I use only for streaming devices)

Source Port: Any

Destination: !RFC1918 (this alias is defined as 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 and 127.0.0.0/8).  Take note of the "!" - Not RFC1918

Destination Port: 80, 443, 2012 (port 2012 is the one I had to add to get Showtime to work)

Gateway: VPN_WAN

 

This is working for all of the channels I've tested (Showtime, HBO, ESPN, and a few others).  I haven't tested Netflix, Hulu or Amazon yet to know if they work or will need additional ports allowed.

[diver3923 4]

Instructions for setting up port forwarding for DNS can be found here:  https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense