Selective Routing for Netflix

Guys, using a full blown VPN is waaaaaaaay overkill if all you want to do is view Netflix from other locations. There is a far better and simpler solution.

Use a smartDNS service such as unblock.us, however this alone will probably still not let you view Netflix content from other regions as Netflix have wised up to such services over the last couple of years. You will also need to block Google DNS 8.8.8.8 & 8.8.4.4 (preferably at router level - see here and here for instructions) as Netflix will attempt to determine your true location using Google DNS, especially if you have an Android device (many Android devices have Google DNS hard coded into them).

I've been watching Netflix from many regions (incl USA & Canada) in UK on my Nvidia Shield TV box using unblock.us and it's worked well without any issues 99% of the time. Unlike a VPN I'm not losing any speeds and have used Netflix and Linksys routers to block Google DNS without any issues.

Edit: Also worth reading
https://dontblock.me/

Good luck!
 

Netflix is just a proof of concept of what’s capable. A lot of people in this subforum at least I assume already have a VPN subscription, throw in a device like an AC86U and you can easily max most home connections.
 
I tested those services. They don't work for me as my WAN IP is dynamic. If it was just me, it would probably be okay. But with the dynamic WAN IP, one has to go through a process to validate the WAN IP each time you want to watch. I have some non technical members of my household that cannot or do not want to bother with this. So, I use a VPN service that offers a Private VPN IP for streaming that can get around VPN blocks. Please read my post at https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/

I have no issues with buffering. Good to know there are options available as everyone's situation is different.
 
My ISP in UK provides me with a static IP address so I don't have to worry about my IP address changing when using a SmartDNS service. Having said that, unblock.us say their service can be used with DynDNS (see here) so perhaps those on a dynamic IP address can still use unblock.us without having to update their new IP address.

Btw I do have a subscription to a proper VPN service - I use vpn.ac as I find them brilliant wrt speeds & support - however I only use them when I need to change my IP address, e.g. when I'm abroad and need a UK IP address in order to use EE wifi calling on my iPhone, or when trying to access a geo-restricted website in UK.

However for Netflix streaming, unblock.us SmartDNS works very well for me and best of all, I don't lose any speed on my 330 Mbps FTTH connection :)
 
Guys, using a full blown VPN is waaaaaaaay overkill if all you want to do is view Netflix from other locations. There is a far better and simpler solution.
I'm not interested in illegal activities but I am interested in keeping my privacy private. Using a VPN service is part of that, but due to the fact that Netflix adheres to a very rigorous VPN blocking policy, in order to be able to use a VPN, I need a method of circumventing Netflix streaming services passing through the VPN. That is where this topic steps in.
 

Could be worth looking into other providers or a “private ip” option if they offer it. I have an Astrill account and none of their IP space seems to be blacklisted by Netflix (that’s if getting different access to different catalogs is important to you).
 
I tested those services. They don't work for me as my WAN IP is dynamic. If it was just me, it would probably be okay. But with the dynamic WAN IP, one has to go thru a process to validate the WAN IP each time you want to watch. I have some non technical members of my household that can not or do not want to bother with this...
I've a dynamic WAN IP as well and have been using a smart DNS service for almost two years now; it works flawlessly. I am working in the Middle East, for quite some time now, and IMHO this is the best way to get some decent TV programming around here.
My smart DNS provider allows linking the dynamic DNS name to my account, so little to no effort is needed to keep the WAN IP valid. The greatest benefit of it is eliminating the VPN overhead if you have limited bandwidth.
I do still use a VPN but for privacy purposes.
 
Thanks for the report. It has been over two years since I tried the various options. Smart DNS was one of the services I tested with. Not sure if they offered the ability to link with a dynamic DNS service at the time I was evaluating my options. I currently use DNS-O-MATIC to update other host name providers like OpenDNS for website filtering and ydns.io for my OpenVPN Server connection to the sites I support.

My pfSense box (an old Windows 7 PC that I converted to pfSense) is now the main router for my house. The selective routing can all be done using the features of the Web GUI. The Intel i5 CPU supports the AES-NI feature. I get very fast OpenVPN performance when compared to what I could achieve with the Asus AC88U. However, I never had buffering issues with the AC88U despite the low speeds reported from the speed test sites.
 
Thanks for all the work Xentrk & Adamm! I made two modifications to both of your scripts that you might find useful

For netflix.sh/IPSET_Netflix.sh to use asn.blawk.net

Code:
# Pull all IPv4s listed for Netflix USA - 2906
# Pull all IPv4s listed for Amazon AWS - 16509
# Pull all IPv4s listed for Akamai - 35994
# Pull all IPv4s listed for Akamai - 20940
# Assumes the NETFLIX ipset already exists (created as hash:net earlier in the script)
for net in $(curl --silent http://asn.blawk.net/2906:16509:35994:20940 2>/dev/null); do
    ipset add NETFLIX "$net"
done

For vpnfix.sh I noticed fast.com needs to be a part of DNSMasq
Code:
echo "ipset=/fast.com/netflix.com/nflxvideo.net/nflxso.net/nflxext.com/nflximg.net/NETFLIX #VPNFlix" >> /jffs/configs/dnsmasq.conf.add

also, change instances of /jffs/scripts/vpnflix.sh to $0 in case that is not the file name and/or location
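The loop above feeds whatever asn.blawk.net returns straight into ipset. As an added example (not code from the post or from the netflix.sh/vpnfix.sh scripts), here is the same load with every fetched line checked to be a well-formed IPv4 CIDR first, and with an empty fetch leaving the existing set alone; the function names and the ipset 6.x syntax are my assumptions.

```shell
#!/bin/sh
# Added example: load the NETFLIX ipset from the asn.blawk.net prefix lists,
# but only after validating each line. Anything that is not a.b.c.d/n with
# octets 0-255 and prefix length 0-32 is dropped, and a fetch that yields
# nothing valid returns 1 without touching the set (so a transient failure
# cannot empty a working set). Assumes ipset 6.x syntax and root.

ASN_URL="http://asn.blawk.net/2906:16509:35994:20940"   # ASNs from the post
SET_NAME="NETFLIX"

# Read candidate prefixes on stdin; print only well-formed IPv4 CIDRs.
# tr strips CR in case the list is served with CRLF line endings.
filter_ipv4_cidrs() {
    tr -d '\r' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' \
    | awk -F'[./]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 && $5 <= 32'
}

# Number of lines on stdin, without the padding some wc builds add.
count_lines() {
    wc -l | tr -d ' '
}

# Fetch, validate and load. Returns 1 (set untouched) if nothing valid came back.
load_set() {
    tmp=$(mktemp) || return 1
    curl --silent --fail "$ASN_URL" | filter_ipv4_cidrs > "$tmp"
    n=$(count_lines < "$tmp")
    if [ "$n" -eq 0 ]; then
        echo "no valid prefixes fetched; leaving $SET_NAME untouched" >&2
        rm -f "$tmp"
        return 1
    fi
    ipset -exist create "$SET_NAME" hash:net
    while read -r net; do
        ipset -exist add "$SET_NAME" "$net"
    done < "$tmp"
    rm -f "$tmp"
    echo "loaded $n prefixes into $SET_NAME"
}

# On the router, run as root:  load_set
```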
 
I have posted my issue here and don't want to double post. But I am trying to set up aliases and rules on pfSense to enable specific tunnelling based on sites being accessed.

I have the following aliases for possible firewall rules (I am not sure if this is really the right way):
1. http://asn.blawk.net/2906 for Netflix
2. http://asn.blawk.net/328045 for DSTv
3. http://asn.blawk.net/9901 for Neontv

I might be setting up my rules/aliases incorrectly or it could be that these lists on blawk.net are incomplete. I was told by someone at NordVPN that these lists are not complete, but I cannot tell for sure. They did give me a txt file with "all" the IPs. I need the "complete" list of IPs/URLs for all 3 of the above.
 
There is a feature in the pfBlockerNG package that allows you to create IPv4 lists using just the ASN numbers. You then create and order the firewall rules on the LAN tab. I will follow up with some screen pics later today.

I have had some recent issues relying solely on using ASN. In most cases, mining the domain names written to the unbound or dnsmasq log file when accessing streaming media sites is required. Sort and pare the list down to unique entries. In the Firewall tab, use the Alias option to create the alias. You can copy the domain names in. Then, create the rule in the Firewall > Rules > LAN page to route to the appropriate tunnel.

From the testing I did earlier in the year, you also need to route Amazon AWS through the same tunnel for NF to work. NF hosts on Amazon servers which is why I implemented it this way. However, each geo location is different and the testing was a while ago. The potential downside is Amazon Prime traffic will also get routed to the tunnel. Mining the domain names may be better for this situation, especially if you need to route Amazon Prime to a different tunnel or WAN.
 
There is a feature in the pfBlockerNG package that allows you to create IPv4 lists using just the ASN numbers. You then create and order the firewall rules on the LAN tab. I will follow up with some screen pics later today.
I know nothing about pfBlockerNG unfortunately.
I used the blawk links directly in the aliases - possibly why it didn't work ... ???
Looking forward to the screenshots thanks

I have had some recent issues relying solely on using ASN. In most cases, mining the domain names written to the unbound or dnsmasq log file when accessing streaming media sites is required. Sort and pare the list down to unique entries. In the Firewall tab, use the Alias option to create the alias. You can copy the domain names in.
Is there any way to automate this?
 
Is there any way to automate this?
I wrote a shell script on the Asus router that pulls the information from the log file, does a unique sort and sends the output to a text file. I have not written code to do this on pfSense.

Using this screen you can filter on the device IP you are streaming from. The domain names appear on the screen. You can then copy and paste the information in an excel spreadsheet and clean up the list that way.

[screenshot attached 2018-06-06]
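The "pull from the log, unique sort, write to a text file" step described above, as an added example that is not the poster's script: it reads dnsmasq query log lines, keeps the names one client resolved, and also emits the ipset=/.../SETNAME line dnsmasq expects (the form used in the vpnfix.sh change earlier in the thread). It assumes dnsmasq runs with log-queries and logs in the format of the constructed sample; the pfSense Unbound log format is not handled, and the function names are mine.

```shell
#!/bin/sh
# Added example: mine the domain names a given client resolved out of a
# dnsmasq query log and reduce them to a unique, sorted list.

# Constructed sample log (not real traffic). 192.168.1.50 is the streaming
# box, 192.168.1.77 an unrelated client. Real logs may carry a hostname
# column after the timestamp; fields are located by content, not position.
SAMPLE_LOG='Jun  6 10:27:47 dnsmasq[1234]: query[A] www.netflix.com from 192.168.1.50
Jun  6 10:27:47 dnsmasq[1234]: reply www.netflix.com is 198.51.100.7
Jun  6 10:27:48 dnsmasq[1234]: query[AAAA] www.netflix.com from 192.168.1.50
Jun  6 10:27:49 dnsmasq[1234]: query[A] video.nflxvideo.net from 192.168.1.50
Jun  6 10:27:50 dnsmasq[1234]: query[A] www.example.com from 192.168.1.77'

# mine_domains CLIENT_IP   (log lines on stdin)
# Prints each name CLIENT_IP queried exactly once, sorted. Only query[...]
# lines count, so CNAME targets from reply lines are not mixed in.
mine_domains() {
    awk -v ip="$1" '{
        for (i = 1; i < NF - 2; i++)
            if ($i ~ /^query\[/ && $(i + 2) == "from" && $(i + 3) == ip)
                print $(i + 1)
    }' | sort -u
}

# to_dnsmasq_ipset SETNAME   (domain names on stdin, one per line)
# Emits the single dnsmasq directive that maps all of them to SETNAME,
# ready to append to dnsmasq.conf.add.
to_dnsmasq_ipset() {
    names=$(paste -s -d '/' -)
    printf 'ipset=/%s/%s\n' "$names" "$1"
}

# Demo: names the streaming box resolved, then the dnsmasq line for them.
printf '%s\n' "$SAMPLE_LOG" | mine_domains 192.168.1.50
printf '%s\n' "$SAMPLE_LOG" | mine_domains 192.168.1.50 | to_dnsmasq_ipset NETFLIX
```

On a live router, replace the sample with the actual log, e.g. `mine_domains 192.168.1.50 < /path/to/dnsmasq.log > netflix_domains.txt`.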
 
This is the screen to create the IPv4 list in pfBlockerNG.

[screenshot attached 2018-06-06]


If you harvested the domain names, create a Firewall Alias using the IP screen and copy/paste them into the Alias.

[screenshot attached 2018-06-06]


This is how to create the Firewall rule on the LAN page for the Alias. Place the Firewall Alias name or the IPv4 list name as the Destination.

[screenshot attached 2018-06-06]

[screenshot attached 2018-06-06]
 
This is really interesting. I'm awaiting delivery of a pfsense box right now but plan to implement selective routing as soon as I get it.

What would be brilliant is if there was somewhere to keep a list of the different service e.g. Netflix, Hulu, DirectvNOW and so on and their associated domain/asn entries that could be maintained. Wishful thinking!

Regardless, thanks a lot for those screenshots, they will prove very useful when my box arrives.
 

An interim solution while you are waiting to set up your new pfSense device is to switch your VPN provider. Currently none of Astrill's VPN USA servers are blocked by Netflix according to them. I have tested Miami, NYC and Denver. Astrill has also apparently upped their game as I can now get 170 Mbps download speeds on their network using AES-256-CBC encryption. This is only slightly slower (1-5 Mbps) than I get using PIA with AES-128-CBC encryption. If Astrill can get around Netflix's VPN detector there are probably other providers that can also.
 
https://bgp.he.net is the site I use to look up AS numbers for streaming media services. This one is Hulu:

https://bgp.he.net/AS23286#_prefixes

I still have to revert to mining domain names for most of them. As another person pointed out, their ISP or region is also using a CDN. So mining domain names is the way to go. I have been able to do it using the dnsmasq log feature on Asus Merlin and the Unbound resolver log on pfSense.
 
A look at the pfBlockerNG dashboard shows packet counts compared to the IPv4 lists created using the ASN.
[screenshot attached 2018-06-21]
 

Useful info, thanks. I don't subscribe to Netflix so not affected by this presently. If I did I would want to push all Netflix traffic directly over WAN and not VPN.

This is great information. Thank you. I might look into some sort of Wiki or repository that could be maintained regularly. It could help a lot of people. I can't think of any legal implications as it's publicly available information right?

Is it possible, via pfsense, to selectively route applications/services like we've discussed? By that, what I mean is:

  • Set up multiple VPN connections / interfaces. E.g. UK/USA/JP/IE etc
  • Route, for example, BBC iPlayer traffic over UK VPN, Hulu over USA VPN etc and then everything else not fitting those traffic rules, route it over WAN
Does pfSense domain routing work like dnsmasq? Currently on my RT-AC5300 I have dnsmasq.conf.add and add my own domains there to run over separate Smart DNS IPs. That's all I do. It's a bit hit and miss though and now I find I want to route everything over VPN instead. Hopefully with a fast box it will help me get nice VPN speeds, enough to get 4K streams working properly.
 