Channel Issues & Questions

Help & troubleshooting for channels on your Roku device, including adding/removing channels, logging in to, authenticating, or activating a channel, channel-specific playback issues, assistance contacting channel publishers to report issues, and adjusting channel-specific settings.
duckwebs
Level 8

Problems with CBS All Access on Dual WAN network


I’m having problems with CBS All Access with a Roku 3 (4200x software version 9.3.0 Build 4194-04) on a dual WAN network.

I have a dual WAN network, with Spectrum cable internet (200 down/10 up) and ATT Uverse (1000/1000) connected through a Ubiquiti Edgerouter 4.  On the LAN side I have two separate networks, each with an 8 port switch connected to a Ubiquiti input port.  Both LANs use the same OpenDNS servers, rather than the ISP provided ones, to avoid problems with lookup on failover.  

The Roku is on the “entertainment” network that is set up to route everything through the Spectrum connection because it doesn’t need high upload speeds.  Normally all traffic from that switch and port goes through the Spectrum connection, but it’s set to fail over to the ATT connection if Spectrum goes down.

When both WANs are connected, I get a variety of errors in the CBS app: Sometimes “uh oh.  An error occurred, we’re working in it”, sometimes “that content is not available outside your country”, and sometimes it gives me the CBS All Access login screen.  If I unplug either WAN, the problem goes away immediately without resetting anything, though I sometimes have to exit the CBS app and return to it.  So individually both Roku->LAN->WAN1/WAN2 routes work, but it fails if both WANs are available.

If I unplug one WAN I can start a program and it will continue to play after I plug the WAN back in, failing when it gets to the next commercial break.  

I also don’t get this problem running CBS All Access in a browser: I can plug a computer into either switch and watch programs in a browser on the computer with both WANs plugged in with no issues.

I suspect this is a problem with how the All Access application does authorizations, but any suggestions on fixing it on my end without having to unplug things to watch CBS would be welcome.

0 Kudos
1 Solution

Accepted Solutions
duckwebs
Level 8

Re: Problems with CBS All Access on Dual WAN network


I think I finally fixed it.  I was missing a pointer to the load splitter on one of the two local networks.  My config file with the host/username/password information is posted below in the code block. The thing that was missing was putting a reference to the firewall "balance" group in the eth3 interface.  So it was correctly pointing the general LAN at the right WAN, but letting the entertainment LAN bounce between the two WANs.  I have some sticky settings on one of my balance groups (the general one, not the entertainment one), but I don't think they make a difference.  

Note that if you're set up for dynamic load balancing this probably won't fix it - I'm splitting the loads so entertainment goes to one WAN and other stuff goes to the other WAN, and they only cross if there's a failover.  The authentication problem seems to come in if the load is getting bounced between the two, so setting up with the load balance wizard will probably leave you with the problem.  You might be able to adjust your "sticky" settings to keep CBS locked to one WAN for extended times once it connects though.  Also note that you should set your DNS servers to be identical third party servers (i.e. not set by the ISP) for all LANs and VLANs so that you don't run into problems with either being denied access or pointed differently when there's a failover.

Here's my config file:

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
            }
            modify {
                table main
            }
        }
        rule 2502 {
            action modify
            modify {
                lb-group TPLink
            }
            source {
                address 192.168.128.0/24
                group {
                }
            }
        }
        rule 2503 {
            action modify
            modify {
                lb-group TVTop
            }
            source {
                address 192.168.127.0/24
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.128.1/24
        description "Local - TPLink"
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "WAN - Uverse"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description "WAN 2 - Spectrum"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth3 {
        address 192.168.127.1/24
        description "Local2 - TVTop"
        duplex full
        firewall {
            in {
                modify balance
            }
        }
        speed 1000
    }
    loopback lo {
    }
}
load-balance {
    group TPLink {
        interface eth1 {
        }
        interface eth2 {
            failover-only
        }
        lb-local enable
        lb-local-metric-change disable
        sticky {
            proto enable
            source-addr enable
        }
    }
    group TVTop {
        interface eth1 {
            failover-only
        }
        interface eth2 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
protocols {
    static {
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.128.0/24 {
                default-router 192.168.128.1
                dns-server 4.2.2.1
                dns-server 4.2.2.2
                lease 86400
                start 192.168.128.38 {
                    stop 192.168.128.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative disable
            subnet 192.168.127.0/24 {
                default-router 192.168.127.1
                dns-server 4.2.2.1
                dns-server 4.2.2.2
                lease 86400
                start 192.168.127.64 {
                    stop 192.168.127.200
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth3
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5002 {
            description "masquerade for WAN"
            outbound-interface eth1
            type masquerade
        }
        rule 5004 {
            description "masquerade for WAN 2"
            outbound-interface eth2
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name myhostname
    login {
        user admin {
            authentication {
                encrypted-password passwordremoved 
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Los_Angeles
    traffic-analysis {
        dpi enable
        export enable
    }
}
traffic-control {
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.10.11.5274269.200221.1029 */

 

 


0 Kudos
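
The missing binding described in the accepted solution above can be checked mechanically. The following Python sketch is an added example, not part of the original post: `parse` and `unbound_lans` are hypothetical helper names, and the sample is a constructed reduction of the posted config with the eth3 binding removed to reproduce the pre-fix state.

```python
import ipaddress

# Constructed sample: posted config cut down, eth3 binding omitted (pre-fix state).
BROKEN = """
firewall {
    modify balance {
        rule 2503 {
            modify {
                lb-group TVTop
            }
            source {
                address 192.168.127.0/24
            }
        }
    }
}
interfaces {
    ethernet eth0 {
        address 192.168.128.1/24
        firewall {
            in {
                modify balance
            }
        }
    }
    ethernet eth3 {
        address 192.168.127.1/24
    }
}
"""

def parse(text):
    """Parse brace-style EdgeOS config into nested dicts; leaf lines map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line and not line.startswith("/*"):
            stack[-1][line] = None
    return root

def unbound_lans(cfg, ruleset="balance"):
    """Return (interface, lb-group) pairs a rule targets but the interface never binds."""
    findings = []
    for rule in cfg["firewall"][f"modify {ruleset}"].values():
        rule = rule or {}  # leaf lines inside the ruleset parse to None
        srcs = [k.split()[1] for k in rule.get("source", {}) if k.startswith("address ")]
        grps = [k.split()[1] for k in rule.get("modify", {}) if k.startswith("lb-group ")]
        for ifname, body in cfg["interfaces"].items():
            bound = f"modify {ruleset}" in body.get("firewall", {}).get("in", {})
            addrs = [k.split()[1] for k in body if k.startswith("address ") and "/" in k]
            hit = any(ipaddress.ip_interface(a).ip in ipaddress.ip_network(s, strict=False)
                      for a in addrs for s in srcs)
            if hit and grps and not bound:
                findings.append((ifname.split()[-1], grps[0]))
    return findings
```

On the sample, `unbound_lans(parse(BROKEN))` reports eth3 against the TVTop group; once the `firewall { in { modify balance } }` stanza is present under eth3, as in the posted config, the list is empty.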
3 Replies
snys
Level 7

Re: Problems with CBS All Access on Dual WAN network


I have this same issue.  Any chance you found a solution?

0 Kudos
duckwebs
Level 8

Re: Problems with CBS All Access on Dual WAN network


Only solution so far is to go into the dashboard and disable one of the WAN connections when I want to watch CBS All Access.

0 Kudos