Netflix outside VPN
-
@ianp this works on my pfsense setup in case it helps you troubleshoot. The caveat is that it is not tested with Netflix (in other words, not sure if Netflix will stream), but at least you know that it should work once you find the right Netflix IPs that need to be routed outside VPN.
-
Ensure interface of streaming device (presumably LAN) is selected under pfBlockerNG (2.2.5) > IP > IP Interface/Rules Configuration > Outbound Firewall Rules.
-
Also ensure that Firewall 'Auto' Rule Order (also under IP Interface/Rules Configuration) is set to have pfBlocker pass and block rules ahead of pfSense rules (you need the rule you are creating to be at the top or before others that may also match that traffic). Did not have "Floating Rules" enabled while testing.
-
Create rule (whitelist) with "Permit Outbound" Action and use the HE.net URL above for IPv4 Source Definitions. Set your WAN as Custom Gateway under Advanced Outbound Firewall Rule Settings.
-
Once you Update (Force Update), you should see the new rule as a permit rule under LAN (or OPT equivalent) with WAN gateway and IPs downloaded from he.net in a table under Diagnostics / Tables / pfB_name of rule_v4 (assuming IPv4).
Downside with this setup is all traffic from LAN going to IPs in whitelist will bypass VPN (i.e. not just traffic from your streaming box). Hope this helps, I know the inbound/outbound firewall and pfBlocker terminology can get tricky. You may also want to refer to the pfSense book and documentation, for example https://www.netgate.com/docs/pfsense/book/firewall/floating-rules.html and/or https://www.netgate.com/docs/pfsense/firewall/index.html
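As an added check (not from the original post or the pfBlockerNG project), the POSIX shell function below parses `pfctl -sr` output and confirms that the permit rule sending the Netflix table out the WAN is listed before any pfBlocker block rule, which is the ordering requirement described above (pf evaluates quick rules first-match, so a block ahead of the permit wins); the same check applies to the manual floating rules discussed later in the thread. The interface names, addresses and sample rule lines are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sr` output (not captured from a real box):
# the Netflix permit rule with the WAN gateway precedes the pfBlocker block rule.
SAMPLE_GOOD='pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.0/24 to <pfB_Netflix_v4> flags S/SA keep state label "USER_RULE: pfB_Netflix_v4 auto rule"
block in quick on em1 inet from any to <pfB_PRI1_v4> label "USER_RULE: pfB_PRI1_v4 auto rule"
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to VPN"'

# Same rules with the block listed first: first match wins, so Netflix traffic
# that is also in the blocklist is dropped before the permit rule is reached.
SAMPLE_BAD='block in quick on em1 inet from any to <pfB_PRI1_v4> label "USER_RULE: pfB_PRI1_v4 auto rule"
pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.0/24 to <pfB_Netflix_v4> flags S/SA keep state label "USER_RULE: pfB_Netflix_v4 auto rule"'

# check_order TABLE WAN_IF RULES
# Prints a one-line verdict and returns 0 only if a "pass ... route-to (WAN_IF ...)"
# rule referencing <TABLE> appears before the first "block" rule that references
# any pfB_ table. Returns 1 if the permit rule is missing or is behind a block.
check_order() {
  table=$1; wan=$2; rules=$3
  printf '%s\n' "$rules" | awk -v t="<$table>" -v w="route-to ($wan " '
    /^pass / && index($0, t) && index($0, w) && !p { p = NR }   # first matching permit
    /^block / && /<pfB_/ && !b { b = NR }                        # first pfBlocker block
    END {
      if (!p) { print "no permit rule with WAN gateway for " t; exit 1 }
      if (b && b < p) { print "permit rule at line " p " is behind pfB block rule at line " b; exit 1 }
      print "permit rule at line " p " precedes pfB block rules"; exit 0
    }'
}

# Live use on a pfSense box (not run here): check_order pfB_Netflix_v4 em0 "$(pfctl -sr)"
```

The table contents themselves can be confirmed the same way with `pfctl -t pfB_Netflix_v4 -T show`, which should list the he.net addresses after a Force Update.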
-
@bbcan177 I am aware of the Adv. Inbound/Outbound rules, however on my box there is no Tag / Tagged custom option (as there is under Firewall Rules Advanced Options). Am I missing anything, could this Tag be hardcoded somehow? Thanks again.
The only options I see under Adv Outbound are:
- Invert Destination
- Custom DST Port
- Custom Source
- Custom Protocol
- Custom Gateway
-
@t41k2m3 said in Netflix outside VPN:
I am aware of the Adv. Inbound/Outbound rules, however on my box there is no Tag / Tagged custom option
I will review the code and see if that could be added. There is some work to add more code to this functionality since it's spread across several different pages.
You can also just create an "Alias type" which will not create any rules, then you can add the rules manually to associate this alias table.
-
@bbcan177 thanks, appreciate you. Been racking my brain if/how this could be accomplished. My conclusion is that it needs to be an option in pfBlocker (tagging that is) as an alias would only allow the rule I add to pfsense manually to go after the pfBlocker rules (which will likely block the traffic I want to intercept and send out via WAN, that's why I need the rule to go first). Hope this makes sense, if you could add it I'd be happy to help test it.
-
@t41k2m3 Thanks. My mistake was even more basic. The pull-down menu didn't fill with AS numbers and names when creating the IP4 rule. I typed AS2906 and nothing happened, but I could save the rule.
A statement with 'Netflix' appeared in the viewer during reload so ... It was after changing the browser that I discovered it was supposed to autocomplete. The pfb_netflix exists now, so I can try to do something more.
-
@ianp said in Netflix outside VPN:
Thanks. My mistake was even more basic. The pull-down menu didn't fill with AS numbers and names when creating the IP4 rule. I typed AS2906 and nothing happened, but I could save the rule.
A statement with 'Netflix' appeared in the viewer during reload so ...
It was after changing the browser that I discovered it was supposed to autocomplete. The pfb_netflix exists now, so I can try to do something more.
pfBlockerNG-devel has a new ASN function which is better than what existed in the pfBlockerNG version. Would recommend the devel version.
-
@bbcan177 said in Netflix outside VPN:
pfBlockerNG-devel has a new ASN function which is better than what existed in the pfBlockerNG version. Would recommend the devel version.
Do you mean the AS function available under IP Custom List > Enable Domain/AS when defining a rule? (I have actually been using that successfully once the AS was identified.)
Or do you mean there is another AS functionality somewhere else (that maybe includes other stuff like automated search for AS numbers based on name or other parameters)?
-
@t41k2m3 The GUI is the same, however the ASN field entry is an auto-complete, so typing three characters/numbers will do a search of the ASN database. Also devel uses a new source for ASN -> IP which is a lot more accurate than what is in pfBlockerNG.
-
@bbcan177 said in Netflix outside VPN:
@t41k2m3 The GUI is the same, however the ASN field entry is an auto-complete, so typing three characters/numbers will do a search of the ASN database. Also devel uses a new source for ASN -> IP which is a lot more accurate than what is in pfBlockerNG.
Thanks, pretty cool feature.
-
@BBcan177 just to close this loop, still think it would be useful to have a TAG option available under Adv. Inbound/Outbound options.
Did however find a way around this issue, shared below in case it may be helpful to you or others going forward.
In case of the following situation:
- need to route outside of VPN traffic to IPs possibly blocked by pfBlocker AND
- need to control the source (i.e. not all LAN/VLAN, but only from specific LAN devices)
and therefore a) the permit rule needs to go at the top of the list or ahead of any pfBlocker block/reject rules; b) it will require tagging on the LAN rule and a matching floating rule on the WAN (since the LAN source IP will be lost after NAT),
one way to do this is to make sure pfBlocker does NOT use floating rules AND then add 2 floating rules manually (1 tag IN rule on LAN with WAN as gateway, 1 tagged matching OUT rule on WAN) at the top of the floating rules list. Those floating rules will be parsed before the LAN tab rules and as such before any pfBlocker rules.
-
Please check this answer: https://forum.netgate.com/topic/96636/netflix-vpn-block-how-to-fix/19