HBO GO on Samsung Smart TV doesn't work on RB2011 WiFi BUT works on WIRED connection

RB2011 here.

So I’ve posted a similar thread on a Polish website (à la Mikrotik forum), but they were unable to help me. So I’m trying here.

My gear is:

TV: Samsung UE55H6400 - latest firmware, everything is up to date
Router: RouterBoard RB2011UAS-2HnD-IN - latest firmware, everything is up to date
Internet: VDSL2 60Mbit/8Mbit (VDSL2 modem works as a bridge + RB2011 as a PPPoE Client)

So my TV is connected to the Internet through WiFi (RB2011). This is a Smart TV - so among other applications (they all work OK) on it I have the HBO GO app. It worked fine for years, but 2-3 months ago it stopped working.
Application is starting fine, I get authorized with my username and password, I can browse all the content, thumbnails are dynamically loading. But when I want to start 99% of the movies or tv shows or whatever - I got “Connection lost” information (after 20 seconds - more or less). I found 1 or 2 clips that are loading fine though.
Strangely, everything works on my android phone (using HBO GO app) - on the very same WiFi.

Now, when I connect my TV to my phone LTE WiFi (mobile router) - everything is fine - every video or tv show or whatever works fine out of the box.

My Internet provider and my mobile phone SIM provider are the same company - they are obviously named differently. In other words, my Internet provider created and owns my mobile phone SIM provider - I’m writing this because it can be (or not) related to some routing problems.

I contacted HBO GO using Facebook, but you know how they respond - “we may have a slight problem with our app on Smart TV and we’re working on it”. Such a statement would be fine if the app did not work at all - but in certain situations it works.

====================

First, I tried to check on the RB2011 in IP->Firewall->Connections what is happening when I want to start a movie that gives the “Connection lost” info. So, the TV is trying to connect to an IP (I’ll write later which IP) but after a second the connection disappears - and I get the “Connection lost” info on the TV. Mind that everything works fine on my TV when it’s being connected to LTE Internet WiFi from my phone.

Second, I tried to check on the RB2011 in IP->Firewall->Connections what is happening when I want to start a movie which loads and plays fine (1 or 2 movies). So, the TV is trying to connect to an IP (SAME IP AS ABOVE) - the connection remains stable and there is a steady data flow while watching.

I’m not like a big fan of HBO GO - but this is interesting from technical point of view.

How could I troubleshoot this one?

Bart

Hmm, interesting and frustrating issue.

Stupid question to start with : If you jack straight into your DSL connection, does HBO flake out on you as well? This of course is eliminating or pinpointing the Mikrotik as the issue.

My bad. It’s the Mikrotik that’s blocking (somehow) HBO GO. I connected the TV directly to the modem - WiFi - the modem has a router function and everything works like a charm.

How the hell I should troubleshoot this?

Heeeeelp me :wink:

Ok, look what I found so far.

HBO GO WORKS LIKE A CHARM WITH WIRED CONNECTION. DOES NOT WORK ON WIFI

Tests were done using The Sopranos S01E01.

First of all, I checked to which IP TV is connecting to while streaming. It’s 93.184.221.133:80.

This is how connection looks like while streaming video on wired connection (RB2011):

After connecting TV to RB2011 WiFi:

As you can see, the connection is marked as “Closed” right from the beginning and it’s deleted from the list 10 seconds after appearing.

The question is: what is closing the connection - the server that TV is connecting to or some firewall rule? And why this is happening only on WiFi?

Below is my firewall config:

# apr/21/2017 09:34:39 by RouterOS 6.38.5
# software id = 6RHL-AT74
#
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
/ip firewall filter
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Separacja podsieci" dst-address=\
    192.168.10.0/26 src-address=192.168.10.64/26
add action=drop chain=forward dst-address=192.168.10.0/26 src-address=\
    192.168.10.128/26
add action=drop chain=forward comment="Drop Internet user USER" disabled=yes \
    src-mac-address=00:00:00:00:00:00
add action=accept chain=input comment=L2PT/IPSec disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input disabled=yes dst-port=1701 protocol=udp
add action=accept chain=input disabled=yes dst-port=4500 protocol=udp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
add action=drop chain=forward comment="drop telnet brute downstream" \
    dst-port=23 protocol=tcp src-address-list=telnet_blacklist
add action=drop chain=input comment="drop rdp brute forcers" dst-port=3389 \
    protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=3389 \
    protocol=tcp
add action=drop chain=forward comment="drop rdp brute downstream" dst-port=\
    3389 protocol=tcp src-address-list=rdp_blacklist
add action=drop chain=input comment="drop winbox brute forcers" dst-port=8291 \
    protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage3
add action=add-src-to-address-list address-list=winbox_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage2
add action=add-src-to-address-list address-list=winbox_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=winbox_stage1
add action=add-src-to-address-list address-list=winbox_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=forward comment="drop winbox brute downstream" \
    dst-port=8291 protocol=tcp src-address-list=winbox_blacklist
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK ICMP-IN" \
    new-connection-mark=icmp-con passthrough=yes protocol=icmp
add action=mark-connection chain=postrouting comment="MARK ICMP-OUT" \
    new-connection-mark=icmp-con passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="MARK ICMP-IN" \
    connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no \
    protocol=icmp
add action=mark-packet chain=postrouting comment="MARK ICMP-OUT" \
    connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no \
    protocol=icmp
add action=mark-packet chain=forward comment="MARK IN - OUT FOR PCQ" \
    disabled=yes in-interface=pppoe-out1 new-packet-mark=all_download \
    passthrough=no
add action=mark-packet chain=forward disabled=yes new-packet-mark=all_upload \
    out-interface=pppoe-out1 passthrough=no
add action=mark-packet chain=input disabled=yes in-interface=pppoe-out1 \
    new-packet-mark=all_download passthrough=no
add action=mark-packet chain=output disabled=yes new-packet-mark=all_upload \
    out-interface=pppoe-out1 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat dst-address=10.0.0.1 out-interface=ether1
add action=masquerade chain=srcnat dst-address=192.168.10.140 out-interface=\
    bridge3
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

UPNP looks like this:

# apr/21/2017 09:40:47 by RouterOS 6.38.5
# software id = 6RHL-AT74
#
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=bridge1 type=internal
add interface=bridge2 type=internal
add interface=bridge3 type=internal

Now, it’s really frustrating why HBO GO works on a wired connection but fails on WiFi - but only RB2011 WiFi. Like I said earlier, I connected the TV using WiFi to a different router (but the same Internet connection) and HBO GO works.

I tried changing WiFi: frequencies, channels, and all other options double checking if it works. No go here.

Help?

For some weird reason, enabling IP->DNS->Allow Remote Requests makes HBO GO work again on WiFi. After disabling it, HBO GO stops working. I don’t know how to explain this; on a wired connection HBO GO works as normal.

Now, I need to check if DNS will be abused because of remote requests.

Any thoughts?

If your concern is about abuse of your DNS, I suggest you just add a rule on the firewall to drop DNS requests from other devices and allow those from your preferred device.

Yes, I used this code:

/ip firewall filter
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 connection-state=new action=drop
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 connection-state=new action=drop
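
An added example, not part of the original post and not RouterOS code: a simplified first-match model of the input chain, built from a constructed subset of the rules exported earlier in the thread. It shows that the two WAN drop rules only take effect when they sit above the existing "Accept DNS" rules; a plain add appends them at the end of the list. The packet dictionary and the parse/matches/verdict helpers are assumptions made for illustration.

```python
import shlex

# Constructed subset of the input-chain rules from the export above, one rule per line.
EXPORTED = '''
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=drop chain=input comment="Drop anything else!" disabled=yes
'''
# The two WAN drop rules quoted in the post.
WAN_DROPS = '''
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 connection-state=new action=drop
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 connection-state=new action=drop
'''

def parse(export):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)[1:]  # drop the leading 'add'
        rules.append(dict(t.split("=", 1) for t in tokens))
    return rules

def matches(rule, pkt):
    """Supports only the matchers used in the sample rules (a simplification)."""
    if rule.get("disabled") == "yes":
        return False
    for key in ("chain", "protocol", "in-interface", "dst-port"):
        if key in rule and rule[key] != str(pkt[key]):
            return False
    if "port" in rule and rule["port"] not in (str(pkt["src-port"]), str(pkt["dst-port"])):
        return False  # 'port' matches either the source or the destination port
    return pkt["state"] in rule.get("connection-state", pkt["state"]).split(",")

def verdict(rules, pkt):
    """First matching accept/drop rule wins; with no match the packet is accepted."""
    for rule in rules:
        if rule["action"] in ("accept", "drop") and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched"

# Constructed packet: a new DNS query arriving from the Internet side.
WAN_QUERY = {"chain": "input", "in-interface": "pppoe-out1", "protocol": "udp",
             "src-port": 40000, "dst-port": 53, "state": "new"}

appended = verdict(parse(EXPORTED) + parse(WAN_DROPS), WAN_QUERY)   # drops added at the end
prepended = verdict(parse(WAN_DROPS) + parse(EXPORTED), WAN_QUERY)  # drops moved to the top
print("appended:", appended, "| prepended:", prepended)
```

On the router, the same ordering is obtained with place-before when adding the rules, or by moving them above the "Accept DNS" rules in the filter list.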

Is the issue solved then? Maybe your TV has a statically entered DNS configuration. Disabling “allow remote requests” stops the TV from using DNS services straight from the router. You can try to enter 8.8.8.8 in your TV as the DNS server, this is Google’s DNS service, might work as well.

Thank you normis for your answer. Yes, while attempting to solve the issue I also tried changing DNS to static on TV - no go.

I know how strange it looks, but enabling Allow Remote Requests fixed the issue - but I really can’t explain why.

I had a similar problem on my LG TV. It just didn’t want to work either through wireless or wired.

For me the solution was changing the primary DNS server from 1.1.1.1 to 8.8.8.8 on my MikroTik since for some reason Cloudflare’s DNS server couldn’t resolve hbo-playready.drmkeyserver.com

query from 192.168.0.5: #10625 hbo-playready.drmkeyserver.com. A
done query: #10625 dns name exists, but no appropriate record

While Google’s DNS did it well

query from 192.168.0.5: #11502 hbo-playready.drmkeyserver.com. A
done query: #11502 hbo-playready.drmkeyserver.com 35.158.188.37

I also have IP–>DNS–>Allow Remote Request enabled.
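
An added example, not part of the original post: a small parser that pairs the "query" and "done query" lines from the DNS log excerpts above by their #id and lists the names a client asked for but got no record back. It handles only the two line shapes quoted in the post; the function and field names are assumptions made for illustration.

```python
import re

# Log lines quoted in the post above (the two captures concatenated).
LOG = """\
query from 192.168.0.5: #10625 hbo-playready.drmkeyserver.com. A
done query: #10625 dns name exists, but no appropriate record
query from 192.168.0.5: #11502 hbo-playready.drmkeyserver.com. A
done query: #11502 hbo-playready.drmkeyserver.com 35.158.188.37
"""

QUERY = re.compile(r"query from (\S+): #(\d+) (\S+?)\.? (\w+)$")
DONE = re.compile(r"done query: #(\d+) (.+)$")

def correlate(log):
    """Pair each 'query' line with its 'done query' line by the #id."""
    pending, results = {}, []
    for line in log.splitlines():
        line = line.strip()
        if m := QUERY.match(line):
            client, qid, name, rtype = m.groups()
            pending[qid] = (client, name, rtype)
        elif (m := DONE.match(line)) and m.group(1) in pending:
            client, name, rtype = pending.pop(m.group(1))
            outcome = m.group(2)
            # A successful line repeats the name followed by the answer.
            answer = outcome.split()[-1] if outcome.startswith(name) else None
            results.append({"id": m.group(1), "client": client, "name": name,
                            "type": rtype, "answer": answer,
                            "error": None if answer else outcome})
    return results

def unresolved(results):
    """Names a client asked for and got no usable record back."""
    return sorted({(r["client"], r["name"], r["type"])
                   for r in results if r["answer"] is None})

if __name__ == "__main__":
    for r in correlate(LOG):
        print(r["id"], r["name"], r["type"], "->", r["answer"] or r["error"])
```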

The same for me. I can’t connect my TV box to MikroTik WiFi net. TV box finds proper wi-fi net but can’t connect to it for some reasons. Does anybody know what’s wrong?

I encountered a small error on the system and I reinstalled it basically.