Netflix 4K and v17

Ugh! Been having problems on my LG OLED Netflix app. 1080p worked fine but when I viewed 4K it would get about 15+ mins into a show and then start giving an error.  If you tried to resume it would play about 3 secs and error again.  FINALLY traced it to v17 (MR2 or MR3).  I had Web Filter: Allow All.  As soon as I changed it to None it worked fine.  Tried the Netflix exception and still had the problem. I had been running v16.05 until v17 MR2 came out and had no problems. Weird.

  • Hm, I just picked up an LG OLED TV as well and watched a Netflix show in 4K with no issues (MR-3). I’m also running a custom Web Policy so my traffic is going through the web proxy. This was Netflix on an Apple TV though. If I get some time this weekend I can try the Netflix app on the LG TV itself.

  • In reply to shred:

    Hello,

    I've got the same problem. But I think there is a solution.

     

    - The information is from the Sophos KB, but I did not remember the link.

     

    You only have to create a new firewall rule with the following entries. After adding this rule everything works fine.

     

    Source: LAN

    Source Network: in my case the IP of my LG TV

    Destination: WAN

    Destination Networks: Netflix (it really exists in the dropdown menu)

    Service: ANY

     

    IPS: None

    Traffic Shaping: None

    Web Policy: none

    Application Control: None

    NAT: Rewrite source address (Masquerading)

     

    I hope it will help you

  • Hi,

    I solved it as follows:

    1. Create/enhance the Netflix FQDN Group with the following FQDNs:

    *.nflximg.com
    *.nflxvideo.com
    *.nflxso.com
    *.netflix.com
    *.nflxext.com
    *.nflximg.net
    *.nflxso.net
    *.nflxvideo.net

    2. Create a dedicated FW rule for NetFlix FQDN Group and your TV:

    Services: HTTP & HTTPS

    Web Malware: everything disabled

    IPS: can be enabled

    Web Policy: None

     

    And now the very important hint if it is still not working: Simply retry playing the video after 1-2 minutes if it did not work at first. This is some kind of a bug with the FQDNs, I've opened a thread for this here: First FQDN host resolution happens to late when used in FW rule

    Best Regards

    Dom Nik

     

  • RobertDavis

    Ugh! Been having problems on my LG OLED Netflix app. 1080p worked fine but when I viewed 4K it would get about 15+ mins into a show and then start giving an error.  If you tried to resume it would play about 3 secs and error again.  FINALLY traced it to v17 (MR2 or MR3).  I had Web Filter: Allow All.  As soon as I changed it to None it worked fine.  Tried the Netflix exception and still had the problem. I had been running v16.05 until v17 MR2 came out and had no problems. Weird.

    Robert,

    Go to Protect > Web > General Settings.  In Malware and Content Settings, click on Advanced Settings to expand that portion.  Does deactivating Scan Audio and Video files help?

    Certain apps on my Apple TV don't work when I activate scanning of audio and video (EPIX, STARZ, and certain channels in SlingTV).  I don't have Netflix to test your issue.

  • There is a byte range bug in v17 https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-feedback/95909/fw-log-could-not-assocate-packet-to-any-connection-when-ips-enabled/352142#352142 which makes netflix fail when using web proxy.

    Either follow Dominik's advice above or create a new firewall rule

    Allow Lan>Wan user LG TV, uncheck http/s scanning, web policy none, application control none. You can apply LAN to WAN IPS policy if you like. Keep in mind, this rule won't scan anything but will NAT your TV so be mindful of the risks involved but I run all my streaming devices in this configuration instead of constantly tweaking firewall rules to make my streaming devices work correctly.

  • In reply to Dom Nik:

    The other thing that we have discovered is that you need to make sure that your TV and your XG are using the same DNS server.  Some ISPs have co-located Netflix streaming boxes so that if you do DNS via the ISP DNS you go to one set of servers and if you do DNS via something else (eg Google, OpenDNS) you get a different set of servers.

  • In reply to Michael Dunn:

    Michael Dunn

    The other thing that we have discovered is that you need to make sure that your TV and your XG are using the same DNS server.  Some ISPs have co-located Netflix streaming boxes so that if you do DNS via the ISP DNS you go to one set of servers and if you do DNS via something else (eg Google, OpenDNS) you get a different set of servers.

    Michael,

    Thank you for bringing that up.  I've run into that issue too.  Some smart TVs won't "smartly" use your gateway DNS nor let you change its DNS.

  • In reply to David Birdsall:

    Most likely they are doing DHCP and getting the DNS settings from DHCP.  So if they are getting their address from the XG I think they should be using the XG as their DNS server and everything is good.  If they are using your home ADSL router's DHCP then they are going to use that as the DNS server, which then will go up however your modem is configured.  At which point you should make sure that your modem and XG are configured the same.  The worst may be things like PVRs and Set Top boxes provided by the telco/cableco.  Since they are only ever intended to work on their network, they could potentially be configured to use some specific DNS server or even worse (ignore DNS and use a completely different mechanism to determine what servers to connect to).

  • In reply to Michael Dunn:

    I haven't had time to play with it since I posted so haven't been able to do more testing.  As noted the error was ONLY with 4K programs.  I could watch HD (1080p) all day with no problems.  My first quick thought is that Netflix keeps chunks on different servers (for caching) and my show switched to a different server to finish.  That is just a guess.

    The LG is DHCP handled by the XG firewall and uses my ISP DNS.

    I might try to force a Google DNS when I test again. I will also try the specific exclusions listed.  The built-in v17 Netflix exclusion had no effect.

  • In reply to Michael Dunn:

    Michael Dunn

    Most likely they are doing DHCP and getting the DNS settings from DHCP.  So if they getting their address from the XG I think they should be using the XG as their DNS server and everything is good. 

    I know for a fact that Roku has hard-coded Google 8.8.8.8/8.8.4.4 DNS servers. That is why every beta I ask for the ability to DNAT (which is available in SG) any DNS traffic to anywhere back to XG for certain devices. Every device including most IoTs and phones also tries to connect to NTP servers all day long all over the place, but that is a separate discussion although it still comes under my DNAT feature request.

    In any case always nice to hear your input Michael.

  • In reply to Michael Dunn:

    Michael,

    I fully understand this issue. I was saying thank you for bringing it up because I forgot to mention it to Robert Davis.

    I have run into this issue on earlier generations of smart TVs built for home users who did not have home networking, because they used cellular internet or were not "connected" at all.  Once they got a smart TV an internet service was now required to be installed or the streaming came through MoCA.

    I haven't seen this in 4k models because I'm sure that, by default, they get their instruction from the network router that most homes have now.

  • In reply to Billybob:

    Oh god I just looked up Roku dns....  I *think* it actually changes the DNS settings based on the region of the account that is logged in.  There are instructions for non-US people to use DNS tricks to create a US account, which then gets you US-based DNS settings on the Roku.  Which suggests that the region of the Roku account will change what DNS it uses.  Some packet sniffing might prove this.

    In any case, the underlying issue is:

    Netflix (on some devices) will do a DNS lookup and then connect directly to IPs.  These IPs may be owned by Netflix or may be owned by the ISP.

    The XG will do DNS lookups (as part of the FQDN Host Group) to get a list of IPs.

    If the two lists do not match, then the XG can have problems.

     

    Solution 1)

    Make sure they match (use same DNS)

    Solution 2)

    Have a failing stream.  Look at the Web Logs for errors (they will have status code 416).   Manually add those IPs to the Netflix FQDN group or Exception (whichever method you are using).
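
The two checks above (does a hostname fall under the Netflix FQDN group listed earlier in the thread, and which 416 errors in the web log hit an IP the firewall has not learned) are mechanical enough to script. The following is an added example, not code from the thread or from Sophos: it uses a constructed, simplified `key=value` log format rather than the real SFOS log layout, and the hostnames, client and server IPs, and the set of "learned" IPs are all made up for illustration.

```python
import ipaddress
import re
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# The Netflix FQDN group as listed in the thread (wildcard patterns).
NETFLIX_FQDN_GROUP = [
    "*.nflximg.com", "*.nflxvideo.com", "*.nflxso.com", "*.netflix.com",
    "*.nflxext.com", "*.nflximg.net", "*.nflxso.net", "*.nflxvideo.net",
]

# Constructed: the IPs the firewall has already resolved/learned for the group.
LEARNED_IPS = {"198.51.100.10", "198.51.100.11"}

# Constructed, simplified web-log sample. This is NOT the real SFOS log format;
# only the fields the thread says to look at (destination IP, URL, status) are kept.
SAMPLE_LOG = """\
src_ip=192.0.2.50 dst_ip=198.51.100.10 url="https://ipv4-c001-lax001-ix.1.oca.nflxvideo.net/range/0-1048575" status=206
src_ip=192.0.2.50 dst_ip=203.0.113.7 url="https://ipv4-c002-lax001-isp.1.oca.nflxvideo.net/range/1048576-2097151" status=416
src_ip=192.0.2.50 dst_ip=203.0.113.7 url="https://ipv4-c002-lax001-isp.1.oca.nflxvideo.net/range/1048576-2097151" status=416
src_ip=192.0.2.50 dst_ip=198.51.100.11 url="https://art-s.nflximg.net/poster.jpg" status=200
src_ip=192.0.2.51 dst_ip=203.0.113.99 url="https://example.org/large.iso" status=416
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn each key=value line into a dict; quoted values lose their quotes."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        fields["status"] = int(fields.get("status", 0))
        entries.append(fields)
    return entries


def in_group(hostname, group):
    """True if hostname matches any wildcard pattern of the FQDN group."""
    host = hostname.lower()
    return any(fnmatchcase(host, pattern.lower()) for pattern in group)


def missing_ips(entries, group, learned):
    """Destination IPs that returned 416 for an in-group host but are unknown to the firewall.

    These are the addresses the post suggests adding manually to the FQDN group
    or exception. Non-group hosts (and malformed IPs) are ignored.
    """
    found = set()
    for e in entries:
        if e["status"] != 416:
            continue
        host = urlparse(e.get("url", "")).hostname or ""
        if not in_group(host, group):
            continue
        try:
            ip = str(ipaddress.ip_address(e["dst_ip"]))
        except (KeyError, ValueError):
            continue
        if ip not in learned:
            found.add(ip)
    return sorted(found)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("IPs to add to the Netflix group:", missing_ips(entries, NETFLIX_FQDN_GROUP, LEARNED_IPS))
```

Running it on the constructed sample reports only 203.0.113.7: the 416 to example.org is outside the group, and the other Netflix requests either succeeded or hit an address the firewall already knew.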

  • In reply to Dom Nik:

    Dom Nik

    And now the very important hint if it is still not working: Simply retry playing the video after 1-2 minutes if it did not work at first. This is some kind of a bug with the FQDNs, I've opened a thread for this here: First FQDN host resolution happens to late when used in FW rule

     

    Hi Dom,

    As of v17 MR2 this should no longer be the behavior.

     

    I just found out that as of MR2, the XG does passive monitoring of DNS traffic.  That means that even if the device is not using the XG to do DNS, as long as the packets are flowing across the XG it should populate the FQDN Host Group correctly.  Which means that as of MR2 it should not matter if box does DNS to the same thing (as long as the DNS flows through the XG).

     

    Is there anyone in who is currently experiencing problems with Netflix where:

    Using v17 MR2 or later

    Using the OOB FQDN Host Group "Netflix" as described here: https://community.sophos.com/kb/en-us/125061

     

    In other words, does the KB fully resolve all issues?  Or do we still have a problem?

  • In reply to Michael Dunn:

    Hi Michael,

    thanks for your reply.

    I'm not affected by the DNS problem as I publish my XG as DNS server through DHCP and the DNS port to WAN is not open for my clients. --> Netflix is basically working with the KB workaround (though I've added some more FQDNs to it I think).

    However the problem described in my other thread is still present in MR3 and can be reproduced easily after a restart of the XG when the FQDN cache is empty. Then the FW rules with these FQDNs won't be applied on the first request that comes in. Some applications will then fail, e.g. "Outbank" for iOS/macOS or Netflix for the Amazon FireTV. After the first try you have to wait some time until the FQDN cache is filled in XG, close the app and retry afterwards.

    Best Regards

    Dom Nik

  • In reply to Dom Nik:

    Reply from development:

    Ok, that cause is perfectly clear to me. It’s expected behavior, and should be seen as an exceptional event. Firewall does not store learned DNS entries persistently, so after a reboot, clients may have cached DNS results that the firewall doesn’t yet know.  This should ONLY happen after a firewall reboot, which should be an uncommon occurrence

     

    Are you finding any impacts aside from the fact that the cache is cleared on reboot?
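
The passive DNS learning described above (the firewall reads DNS answers that cross it and fills the FQDN Host Group from them) and the reboot case from the developer reply (the learned cache is not persistent, so a client that still holds a cached answer is not matched until a fresh answer is seen) can be modelled in a few dozen lines. This is an added example, not Sophos code and not how SFOS is implemented internally: it builds a DNS A-record response by hand (constructed names and IPs), parses it with a minimal parser that handles name compression, and keeps a per-group cache that starts empty, as it would after a reboot.

```python
import ipaddress
import struct
from fnmatch import fnmatchcase

# Same Netflix FQDN group the thread lists.
NETFLIX_FQDN_GROUP = [
    "*.nflximg.com", "*.nflxvideo.com", "*.nflxso.com", "*.netflix.com",
    "*.nflxext.com", "*.nflximg.net", "*.nflxso.net", "*.nflxvideo.net",
]


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_a_response(txid, name, ips, ttl=60):
    """Constructed DNS response (standard query, no error) with one A record per IP.

    Answers point back to the question name with a compression pointer (0xC00C),
    exactly as real resolvers do, so the parser has to follow pointers.
    """
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for ip in ips:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(pkt, off, max_hops=16):
    """Read a possibly compressed name at pkt[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("pointer loop in DNS name")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            continue
        if length == 0:
            off += 1
            break
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(pkt):
    """Return (question name, [(owner name, IPv4), ...]) for the A records in a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(pkt, off)
        off += 4  # qtype + qclass
    records = []
    for _ in range(an):
        owner, off = read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((owner, str(ipaddress.IPv4Address(rdata))))
    return qname, records


class FqdnCache:
    """In-memory FQDN group cache: empty at start (post-reboot), filled from observed answers."""

    def __init__(self, group):
        self.group = [p.lower() for p in group]
        self.ips = set()

    def in_group(self, name):
        return any(fnmatchcase(name.lower(), p) for p in self.group)

    def learn(self, response_pkt):
        """Passively learn: only owners that match the group populate the cache."""
        _q, records = parse_a_records(response_pkt)
        for owner, ip in records:
            if self.in_group(owner):
                self.ips.add(ip)

    def allows(self, ip):
        return ip in self.ips


if __name__ == "__main__":
    cache = FqdnCache(NETFLIX_FQDN_GROUP)
    pkt = build_a_response(0x1234, "occ-0-1234-5678.1.nflxso.net", ["198.51.100.10"])
    print("first connection after reboot allowed:", cache.allows("198.51.100.10"))
    cache.learn(pkt)  # the TV's next DNS answer crosses the firewall
    print("after one observed answer:", cache.allows("198.51.100.10"))
```

The first `allows` call is the reboot scenario from the developer reply: the client may still hold the answer in its own cache and connect straight to the IP, and the firewall has nothing to match it against until an answer for that name passes through. Names outside the group are ignored by `learn`, so traffic to an unrelated host never lands in the Netflix rule.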