Get Netflix app to go through WAN while other apps through VPN

Adam Popiel

Occasional Visitor
Hello,

I'm using a VPN service on my router but when my TV runs through the VPN tunnel, my Netflix is blocked.
Only after putting the TV over WAN does Netflix start working. Is there a way to do this?
 
If you have an ASUS router running Merlin's improved firmware then use policy based routing and select the TV to use the WAN while other devices use the VPN tunnel(s). All this can be done using the GUI.
 
Teach us how.
Because if I do that on vpn connect, all devices connect to wan and I have to manually choose which devices connect to vpn.
I want the inverse - all through the vpn except the devices I choose.
 
I want to let a specific app on the TV go through WAN and the rest of the apps through VPN.
 
This should work using policy routing. If I screw up the CIDR notation I'm sure someone will set it straight.

1. Assign your TV a static IP outside the DHCP pool you are using but in same subnet.

2. Under policy routing where you specify devices

3. Assuming your router uses a typical LAN IP like 192.168.1.1 then where you enter range
192.168.1.0/24 = VPN

This will route everything using the VPN

4. On the next line you enter the exception for the TV which you assigned a static IP

192.168.1.99 = WAN

I have never used CIDR ranges as I prefer to assign everything that connects to my network a static IP.
 
:confused::confused: This doesn't make any sense?

Whether or not you have "assigned static IPs to everything that connects to your network", you may refer to them using CIDR notation regardless.

CIDR notation is simply a convenient (shorthand) way to refer to a contiguous range of IPs in say GUI dialogs rather than tediously itemise them individually.
 
I have to admire you for your enormous patience....... :eek:
 
I prefer assigning static IPs for several reasons:

1. I like to keep devices of a similar type or function in the same range, i.e. NAS, printers, switches 10-20, IoT devices 30-40, etc. I have nine ranges I use.

2. For security I have a small DHCP pool and since I have everything that connects regularly with a static IP, anything that then connects to this pool is obvious when a strange device connects to my network and I can investigate.

Yes it is tedious setting up 60+ devices with static IPs but with a stable router you should not have to do this very frequently, but each to his own.

I understand the basics of CIDR notation but I don't use it in my setup. I simply responded to the poster who wanted an easy way to have their TV use the WAN while everything else routes using the VPN.

Even if I were to try and use CIDR notation it probably wouldn't work for me as I also run three VPN clients, one for personal use, another for IoT devices and the third for my wife so she can connect to Swedish language sites by using a Swedish IP, and these devices can come from any of the nine LAN IP ranges I have designated for certain types of equipment.

Complicated yes, but as with many posters on this site I do things because I can and because it's interesting to see what is possible.
 
If I assign the IP 192.168.1.99 to my TV, it's still inside the DHCP pool (192.168.1.0/24) because it comprehends the IPs between 192.168.1.1 and 192.168.1.254, am I right?
 
The 192.168.1.99 should be seen as an exception and since it will come after the general rule in the IP tables it should work.

If I was setting up your router, under the LAN section I would set your IP pool to something smaller than 254 addresses, i.e. 192.168.1.100 - 192.168.1.150, but that is your choice. Even if you don't do this the VPN routing should work; it is just cleaner in that the static IP .99 is outside the DHCP pool.

To be clear, what I am suggesting will put all the connections (Netflix, Hulu, Amazon) on your TV through the WAN, which is how I read the question you asked. If you only want Netflix on the WAN then what I am suggesting won't do that.
 
So taking your 'static' (or do you really mean 'Reserved'?) IoT Range .30 - .40 as an educational example

Q. Hypothetically, if you wanted ALL 11 devices to be Selectively Routed via say VPN Client 1
What is the minimum number of IP entries you would need in the GUI table?
A. ?​

I'd bet $1,000,000 it is more than the total of three using CIDR notation in the GUI.

i.e. The three CIDR notation entries concisely cover the 11 devices in IP range .30 - .40 - saving ~73% i.e. 8 lines aka 8x15 = 111 bytes of NVRAM
Code:
192.168.0.30/31
192.168.0.32/29
192.168.0.40/32
so you could set'n'forget and never have to worry about updating the GUI - unless of course your subnet scheme is flawed.

Similarly you may wish to place them in a managed IPSET to be referenced in firewall rules?

Now clearly given the advantages of the use of CIDR notation (which cannot influence how device IP assignment is physically achieved), surely you would agree that there is no reason to remain a CIDR bigot?.

QED
 
Last edited by a moderator:
You need to reserve or allocate a fixed IP address for your Netflix device and then add that IP to your VPN policy (strict) to use the WAN interface. Your default DHCP subnet range should be policy set to go through the VPN interface once you have set up policy based routing for your VPN client connection. E.g. with a DHCP subnet range of the first 50 devices from a 192.168.10.0/24 network, you would VLSM 192.168.10.0/26 to VPN. An IP address outside of that range could be reserved to be set to use the WAN interface and therefore bypass the VPN, e.g. 192.168.10.65.

There is no need to unnecessarily complicate things. Just give the Netflix device an IP address outside of your regular DHCP scope & policy route it to the WAN interface.
 
Last edited:
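The three-entry claim for the .30 - .40 range and the /26 split in the two posts above can be checked mechanically. This is an added example, not code from any poster or from the router firmware; the function names are made up here, and the 192.168.0.32/28 entry is a constructed mistake included for comparison.

```python
import ipaddress

def summarize(first, last):
    """Return the smallest list of CIDR blocks covering first..last inclusive."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(b) for b in blocks]

def matched(blocks):
    """Every source address the entries match. A policy entry is a match
    range, so the first and last address of each block count too."""
    return {addr for b in blocks for addr in ipaddress.ip_network(b)}

def compare(blocks, first, last):
    """Return (missing, extra): intended addresses that no entry matches,
    and addresses that are matched but lie outside the intended range."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    intended = {ipaddress.ip_address(i) for i in range(lo, hi + 1)}
    got = matched(blocks)
    missing = [str(a) for a in sorted(intended - got)]
    extra = [str(a) for a in sorted(got - intended)]
    return missing, extra

def covered(address, blocks):
    """True if the address falls inside any of the CIDR entries."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(b) for b in blocks)

if __name__ == "__main__":
    # IoT range from the thread: .30 - .40, eleven addresses.
    iot = summarize("192.168.0.30", "192.168.0.40")
    print("entries:", iot)
    print("exact cover:", compare(iot, "192.168.0.30", "192.168.0.40"))

    # Constructed mistake: one wider block looks tidier but matches
    # .41 - .47 as well and misses .30 and .31.
    print("too wide:", compare(["192.168.0.32/28"],
                               "192.168.0.30", "192.168.0.40"))

    # /26 split from the thread: pool addresses match the VPN entry,
    # the reserved .65 does not, so it needs no overlapping exception.
    vpn = ["192.168.10.0/26"]
    print(covered("192.168.10.50", vpn), covered("192.168.10.65", vpn))

    # Earlier setup: .99 is inside 192.168.1.0/24, so the TV only leaves
    # the VPN because of its separate WAN entry.
    print(covered("192.168.1.99", ["192.168.1.0/24"]))
```

Running `compare` on the entries before saving them in the GUI shows whether a block silently sends a neighbouring device out of the wrong interface.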
Probably beyond the scope of this thread, however, I don’t think you should be using VLSM network IDs & broadcast addresses as available hosts. Just saying.
 
Last edited by a moderator:
I've edited Martineau's response and deleted posts related to his offensive comments.

Based on multiple reports of insulting behavior, Martineau has earned a one week time-out.

We all have enough to deal with right now without enduring less-than-kind behavior from others. I won't have it in these forums, no matter what the contributions of the offender.
 
I've done exactly as you said, and everything is working as expected! Perfect, thanks!
However, the router itself is going through WAN instead of VPN.
To test, I've manually introduced the router's private IP (192.168.20.1) on policy router strict to go through VPN and it doesn't.
I have a script I made to update my IP on a DDNS server and the script (which is held by the router) detects the WAN IP and not the VPN IP.
 
The only thing I can recommend is to try changing the order of the rules in the policy routing, save them, then reboot the router and see if it makes any difference.

Just a question: is there a particular reason that you need/want the router connecting through the VPN?

I don't connect my router using the VPN tunnel as I think it has the potential to cause more problems than it potentially solves. Your ISP knows who you are and your address so it isn't fooling them. If you want to hide DNS inquiries there are other ways to do that.
 
You might find that it is as simple as changing locations. For example, if I use la3 or Washington with Express VPN I don't have a problem, but with other locations (I can't actually think of one at the moment) I get blocked by Netflix, Hulu and Amazon. PS: you may want to look into smart DNS servers. I am currently using one, and have for more than a year, and I can stream any US content from Australia, and the speed is just amazing compared to a VPN connection.
 
