Ideas to fix my IP location with PF Sense

pduk82

Hi all,

Strange situation which I am hoping I can fix with PF Sense and your help.
I recently changed ISP to Hey!Broadband (FW Networks) and I'm generally happy with the service except for the IP address block they use. It would seem that the IP addresses they hand out for my service may have originally been registered outside the UK but subsequently reassigned as UK IPs. My IP lookups come back as UK and the address blocks appear to show UK when I look them up. However certain websites and services still think my IP is non - UK and block. Examples of UK sites and services include: Netflix, Tesco, Costa, ITV Player and more.
I have contacted my ISP to ask to be assigned IPs from another block which originated from the UK. Looking up their AS212426 – Hey Broadband LTD (https://ipinfo.io/AS212426) show they have a few options in this respect but as they may not help me.

If they don't help...
Are there options to route using PF Sense certain websites and services to something like a VPN or VPS or other option to help me get around this issue and restore access to these websites and services?
Thanks in advance

SteveITS

@pduk82 IPv4 space is bought and sold quite a bit as they're running out. You might find the database being used gets updated in a month or two.

pfSense can use a VPN (https://docs.netgate.com/pfsense/en/latest/recipes/index.html#ipsec and the rest of the page) but be aware some web sites detect and block access via VPN because they assume the person is trying to get around geo based licensing/blocks.

pduk82

Thanks @steveits .
I checked the address block from which I am being assigned dynamic IPs, it was last updated in 2020. From what I have read, websites and internet services can sometimes use older databases. I think this is what is happening with Tesco for instance. I wish they used databases that update more regularly but I can't control that.
In the case of Netflix, I'm surprised for such a high tech company why don't they know my IP is UK when the database was updated two years ago.
Very frustrating.

johnpoz

@pduk82 Welcome to the world of moving IPs ;) it is becoming more and more common for stuff like this.. Company needs more IPs - they go on the gray market that sells/transfers IPs - and yeah it can take a while for the DBs to get updated. And yes again some companies could be using quite old info..

Other than routing your traffic over a vpn not much you can do really - unless your isp can move you to a different block of addresses that hasn't been purchased or moved in a long time..

viragomann

@pduk82
I'm even more surprised, as they obviously are updating their VPN provider block list frequently.

BTW: this is, what @SteveITS was talking about.
If you get a public UK IP for your own VPS and establish a VPN to it and route the concerned destination IPs over the VPN, you might succeed in accessing the services.

pduk82

@viragomann @SteveITS @johnpoz
Thanks guys
So I have never setup a VPN or VPS so wondering if anyone could recommend a specific approach or service I could try. I'm going to have to learn how to do this.

johnpoz

@pduk82 I run a vps and then just openvpn-as on it - this is their commercial product, but comes with 2 concurrent connections allowed.. Very easy to manage, just install the package and hit the web interface.. You can then download the ovpn file and just either put in that info by hand, or the import if your on pfsense plus and it does all the heavy lifting of details. I just tried that out recently when I redid my vps..

I am not a fan of any of the vpn services, if I needed/wanted to do something like this I would go the vps route - they can be had for a few bucks.. I spend like 20$ a year for mine, use to be like 12.. All depends on how much umph you need on it - which doesn't require much to route some traffic - your bandwidth per month might be the issue if your routing say like netflix through it or something.. And yeah the normal vpn services might be wack-a-mole ish because they like to block known vpn IP blocks as well.

pduk82

@johnpoz Really useful.
So I just discovered that after all that we don't think its the ISP and IP...
I managed to find someone in my local area also on HeyB and on the same address block. He managed to just confirm that he can access the sites ok which left me wondering what is going on. I plugged my laptop in direct to the ISP ONT and used the PPPoE settings in my network settings and managed to test direct, and found that I could indeed access all the sites.
So its a PF sense setting.
I'm confused as I'm in the overlap contracts between my old ISP BT FTTP and HeyB FTTP so I'm running dual WAN with a WAN group set to make HeyB tier 1 and BT tier 2 in case of failover. Really neat stuff, but total overkill for home internet!
Most of the settings are the same, yet when I turn off the HeyB ONT and BT comes alive then all the sites also work. So it's something very specific to the settings for HeyB.
Wondering where to start troubleshooting.

SteveITS

@pduk82 check DNS. If that resolves (ideally to the same ip as your friend) try a traceroute. Check firewall logs.

pduk82

Thank you all so much for the help and what eventually was my error.
Some websites do seem to have old databases which lists my IP address/block as foreign and those error msgs were very specific. While others (the majority) were non specific errors and Access Denied. It threw me into thinking this entire issue was related to the IP Geo tag databases.

In fact I have now determined that most of the issues were related to how I had setup dual wan on my PF Sense. I can't say what the issue was but I deleted the interface and re-setup that 2nd WAN interface, now its working.

This has removed the vast majority of issues. I still have a couple of websites that seem to be confused but nothing major. Hey!Broadband IPs not at fault.

Thanks so much for your help and now I'm going to do some research and testing while I have two contracts running side by side I'd like to check latency and speed etc so draw some performance stats for the community. I am likely to post more on this as I try to figure that out.

JKnott

@steveits said in Ideas to fix my IP location with PF Sense:

IPv4 space is bought and sold quite a bit as they're running out.

This brings back the problem where the IPv4 address blocks were all over the place. Several years ago, the Internet crashed because routing tables were being overloaded. There was also an aggregation in Europe, several years ago, to address (sorry ) the routing issue. The problem does not arise with IPv6, as the address blocks are arranged geographically from the start.

johnpoz

@jknott said in Ideas to fix my IP location with PF Sense:

The problem does not arise with IPv6, as the address blocks are arranged geographically from the start.

You can still have issues - company X gets a block, a /32 from Arin.. They also have a location in EU that they advertise say a /42 of that /32

My last company is doing exactly that.. I was involved in the acquisition of the ipv6 space from arin, and the creation of the routing objects and the setting of where the different /44 and 42 would be routed out of, etc.

There is no perfect solution to the geo location of specific IPs.. There will always be problems in accurate knowing of where exactly some IP is coming from.

While agree with you that IPv6 should be a clean slate, and the ip space was divided up nicely between the different registries so IP space XYZ should be from specific part of the world.. But that is not saying it stays that way for very long ;)

JKnott

@johnpoz

They would be assigned blocks geographically, so the EU block would be different from the North America block. It is still possible to move blocks around the world, but this would be much less than what's happening with IPv4, where geography was not a consideration at the start and isn't with the resales.

ipinfo_devrel

I work for IPinfo. If we are not providing accurate IP geolocation data for you, consider submitting an IP correction request: https://ipinfo.io/corrections

The request goes through the verification process. If the correction is verified within 24-48 hours the geolocation data gets updated.