Netgate Discussion Forum

    Pfsense plus hurricane electric breaks netflix IPV6 - proxy error

      bouke @kejianshi

      @kejianshi Thanks. This quick fix works fine for me.

        msf2000

        I'm running into a situation where the Netflix app is not failing over to IPv4 with the reject rule in place for IPv6 addresses. Only solution is to disable IPv6 on the client.

        Has anyone had trouble with their setup since implementing the reject rules described (above)?

          Derelict LAYER 8 Netgate

          If the client thinks it has IPv6 and gets a response - even though it is a connection refused - why should it try IPv4? In general, if you have a dual stack client you don't want to selectively break IPv6. You want to turn it off. Behavior there will be application and operating system dependent.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            Gertjan

            Another solution is: inform the local resolver (unbound) that it should remove any IPv6 when the URL is "netflix" like.

            https://forum.netgate.com/topic/118566/netflix-and-he-net-tunnel-fixed-using-unbound-python-module

            As soon as I view a film from netflix with my IPv6 enabled PC via pfSense (using he.net for IPv6 addresses) I see this in the DNS log :

            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for anycast.ftl.netflix.com.
            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for anycast.ftl.netflix.com.
            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for oca-api.us-west-2.prodaa.netflix.com.
            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for oca-api.us-west-2.prodaa.netflix.com.
            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for ifo5usjqtzhvl6xjlsanq-euw1.r.nflxso.net.
            Aug 6 17:35:51 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for oca-api.netflix.com.
            Aug 6 17:35:48 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for push.prod.us-west-2.prodaa.netflix.com.
            Aug 6 17:35:48 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for push.prod.netflix.com.
            Aug 6 17:35:47 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for occ-0-56-55.1.nflxso.net.
            Aug 6 17:35:47 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for occ-0-56-55.1.nflxso.net.
            Aug 6 17:35:41 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for ichnaea-web.us-west-2.prodaa.netflix.com.
            Aug 6 17:35:41 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for ichnaea-web.netflix.com.
            Aug 6 17:35:39 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for assets.nflxext.com.
            Aug 6 17:35:39 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for assets.nflxext.com.
            Aug 6 17:35:39 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for codex.nflxext.com.
            Aug 6 17:35:39 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for codex.nflxext.com.
            Aug 6 17:35:38 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for www.eu-west-1.prodaa.netflix.com.
            Aug 6 17:35:38 	unbound 	52268:1 	info: no-aaaa: blocking AAAA request for www.netflix.com.
            

            Thus: any Netflix related URL that has an IPv6 is removed from the DNS request reply - only IPv4 persists. So the application uses pure IPv4 to contact Netflix. This means: not using IPv6, so not using he.net.
            Works !

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??
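
The AAAA-suppression decision described in the post above, modelled in plain Python together with a summary of log lines in the quoted format. This is an added example, not part of the original post and not the unbound module linked there; the suffix list and the sample log are constructed from the names shown in the log excerpt.

```python
import re
from collections import Counter

# Assumed suffix list, taken from the names visible in the quoted log.
NO_AAAA_SUFFIXES = ("netflix.com", "nflxso.net", "nflxext.com")

# Constructed sample in the same format as the unbound log lines above,
# plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Aug 6 17:35:51 unbound 52268:1 info: no-aaaa: blocking AAAA request for anycast.ftl.netflix.com.
Aug 6 17:35:47 unbound 52268:1 info: no-aaaa: blocking AAAA request for occ-0-56-55.1.nflxso.net.
Aug 6 17:35:39 unbound 52268:1 info: no-aaaa: blocking AAAA request for assets.nflxext.com.
Aug 6 17:35:38 unbound 52268:1 info: no-aaaa: blocking AAAA request for www.netflix.com.
Aug 6 17:35:37 unbound 52268:1 info: resolving example.org. AAAA IN
"""

LOG_RE = re.compile(r"no-aaaa: blocking AAAA request for (\S+)")


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return qname.rstrip(".").lower()


def matched_suffix(qname: str, suffixes=NO_AAAA_SUFFIXES):
    """Return the suffix covering qname on a label boundary, else None."""
    name = normalize(qname)
    for suffix in suffixes:
        # "notnetflix.com" must not match "netflix.com": require a dot.
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def should_strip_aaaa(qname: str, qtype: str) -> bool:
    """Only AAAA queries for covered names are suppressed; A queries pass."""
    return qtype.upper() == "AAAA" and matched_suffix(qname) is not None


def summarize_blocks(log_text: str) -> Counter:
    """Count logged suppressions per suffix; unmatched names go to 'other'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[matched_suffix(m.group(1)) or "other"] += 1
    return counts


if __name__ == "__main__":
    print(dict(summarize_blocks(SAMPLE_LOG)))
```

A non-zero "other" count in the summary means the resolver is suppressing AAAA for a name outside the intended suffix list, which is worth checking before relying on the filter.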

              Napsterbater @msf2000

              @msf2000

              @msf2000 said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error:

              I'm running into a situation where the Netflix app is not failing over to IPv4 with the reject rule in place for IPv6 addresses. Only solution is to disable IPv6 on the client.

              Has anyone had trouble with their setup since implementing the reject rules described (above)?

              Switch Reject for Block and see if Happy Eyeballs kicks in?

                kejianshi

                So it's years later. Jan 2022 and I set this up again on a new pfsense and this time it seems so far that Netflix, Amazon and others are not blocking Hurricane Electric IPV6 anymore. So that's nice! (So far).

                  Napsterbater @kejianshi

                  @kejianshi You will notice A LOT of stuff is missing. They no longer outright block you, but they only show you a "Global" view, i.e. stuff available everywhere. Stuff allowed in your location but not allowed everywhere is not shown.

                  This is my current block list that seems to catch everything netflix.

                  2406:da00:ff00::/48
                  2607:f8b0:4001::/48
                  2620:108:700f::/48
                  2a01:578:3::/48
                  2600:1407:19::/48
                  2a05:d018:76c::/48
                  2600:1f18:631e::/48
                  2607:fb10::/32

                    Gertjan @Napsterbater

                    @napsterbater said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error:

                    but they only show you a "Global" view

                    You have to login first, right ?
                    What you can view is probably based upon your IP (4 or 6).
                    And probably the country from which you subscribed.

                      kejianshi @Napsterbater

                      @napsterbater Thanks! I tested your "Theory" and turns out it was a fact. I have loaded my alias with those IPs and made the firewall block rule. Now the omitted content is present again. I tested it with "Stargate SG1" which is apparently US-Only content and you are correct. Thanks for the heads up.

                        Napsterbater @Gertjan

                        @gertjan said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error:

                        @napsterbater said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error:

                        but they only show you a "Global" view

                        You have to login first, right ?
                        What you can view is probably based upon your IP (4 or 6).
                        And probably the country from which you subscribed.

                        Yes.
                        An HE IPv6 = VPN as far as Netflix is concerned.
                        No, only Globally available items, your login or "country subscribed in" has no bearing.

                          Gertjan @Napsterbater

                          For the record: these (are placed in an alias) and then placed on the LAN interface, right?

                          @napsterbater said in Pfsense plus hurricane electric breaks netflix IPV6 - proxy error:

                          2406:da00:ff00::/48
                          2607:f8b0:4001::/48
                          2620:108:700f::/48
                          2a01:578:3::/48
                          2600:1407:19::/48
                          2a05:d018:76c::/48
                          2600:1f18:631e::/48
                          2607:fb10::/32

                            kejianshi @Gertjan

                            @gertjan I applied it to all interfaces in a floating rule. Why not, right? Yeah. It's an alias. Netflix was sort of sneaky by not blocking everything. Had me fooled for a minute there. I also handed out static IPV6 addresses to everything connected to the pfsense including my XMPP chat server and phone server. Interestingly, that totally fixed NAT issues like broken video and broken voice even when only one side of the conversation was on IPV6 and the other side was on IPV4. That's the main reason I want everyone to transition to IPV6. No more NAT. No more buying a public IP for every server. No more need for STUN, ICE, Jingle, WebRTC, TURN servers or crap like that.
