Netflix outside VPN



  • Hello,

    pfSense is configured to send all communication via an OpenVPN tunnel. This breaks Netflix.
    There are tons of ‘solutions’ but they all seem a bit outdated.

    I found an old post from bbcan177 where he recommended to add http://bgp.he.net/search?search[search]=netflix&commit=Search to an alias.

    Is this still valid and where can I do this please? Will this break existing pfBlockerNG please?

    Thanks,

    Ian


  • Moderator

    @ianp

    I don't do this myself, but check out the links in reddit, or post there to see if the question gets more traction. Netflix is more VPN aware, so it may not work well anymore.

    http://lmgtfy.com/?q=reddit+netflix+asn



  • I apologise if I formulated the question too broadly; however, I’m not lazy. I ploughed through the Reddit threads, read the posts mostly on PIA, VPN and pfBlockerNG, but there is so much conflicting info that I hope for an authoritative answer here.

    I configured an IP4 list with the results of the query as an alias native but it doesn’t show up in Diagnostic - Tables so I think I’m doing something wrong but I cannot figure out what.



  • I have a related issue that I was hoping @BBcan177 may be able to shed some light on. Running pfSense 2.4.4 with pfBlockerNG-devel 2.2.5_17 and OpenVPN, most traffic routed via VPN. Need certain destination IP ranges from specific LAN devices (ideally not any LAN device) to go out via WAN (bypass VPN).

    Been unable thus far to configure such a setup using pfBlockerNG as I didn't seem to find a tagging option to tag a Custom Source rule on LAN which then could be matched with a floating outbound rule on WAN (per pfSense Book: a connection can be marked by an interface tab rule and then matched in the outbound direction on a floating rule. This is a useful way to act on WAN outbound traffic from one specific internal host that could not otherwise be matched due to NAT masking the source).

    Is this possible to do as described above? Or is the only option in pfBlocker to create a rule with Source any (which does not need to be tagged, but all devices instead of just a limited set would bypass the VPN)? Thanks for any help or insights.


  • Moderator

    @t41k2m3 said in Netflix outside VPN:

    Is this possible to do as described above? Or is the only option in pfBlocker to create a rule with Source any (which does not need to be tagged, but all devices instead of just a limited set would bypass the VPN)? Thanks for any help or insights.

    For IP Aliases in pfBlockerNG, there are "Adv. Inbound/Outbound" settings which can be fine tuned as required for your needs.



  • @ianp this works on my pfSense setup in case it helps you troubleshoot. Caveat is it is not tested with Netflix (in other words, not sure if Netflix will stream), but at least you know that it should work once you find the right Netflix IPs that need to be routed outside the VPN.

    1. Ensure interface of streaming device (presumably LAN) is selected under pfBlockerNG (2.2.5) > IP > IP Interface/Rules Configuration > Outbound Firewall Rules.

    2. Also ensure that Firewall 'Auto' Rule Order (also under IP Interface/Rules Configuration) is set to have pfBlocker pass and block rules ahead of pfSense rules (you need the rule you are creating to be at the top or before others that may also match that traffic). Did not have "Floating Rules" enabled while testing.

    3. Create rule (whitelist) with "Permit Outbound" Action and use the HE.net URL above for IPv4 Source Definitions. Set your WAN as Custom Gateway under Advanced Outbound Firewall Rule Settings.

    4. Once you Update (Force Update), you should see the new rule as a permit rule under LAN (or OPT equivalent) with WAN gateway and IPs downloaded from he.net in a table under Diagnostics / Tables / pfB_name of rule_v4 (assuming IPv4).

    Downside with this setup is all traffic from LAN going to IPs in the whitelist will bypass the VPN (i.e. not just traffic from your streaming box). Hope this helps; I know the inbound/outbound firewall and pfBlocker terminology can get tricky. You may also want to refer to the pfSense book and documentation, for example https://www.netgate.com/docs/pfsense/book/firewall/floating-rules.html and/or https://www.netgate.com/docs/pfsense/firewall/index.html



  • @bbcan177 I am aware of the Adv. Inbound/Outbound rules, however on my box there is no Tag / Tagged custom option (as there is under Firewall Rules Advanced Options). Am I missing anything, could this Tag be hardcoded somehow? Thanks again.

    The only options I see under Adv Outbound are:
    Invert Destination
    Custom DST Port
    Custom Source
    Custom Protocol
    Custom Gateway


  • Moderator

    @t41k2m3 said in Netflix outside VPN:

    I am aware of the Adv. Inbound/Outbound rules, however on my box there is no Tag / Tagged custom option

    I will review the code and see if that could be added. There is some work to add more code to this functionality since it's spread across several different pages.

    You can also just create an "Alias type" which will not create any rules; then you can add the rules manually to associate this alias table.



  • @bbcan177 thanks, appreciate you. Been racking my brain if/how this could be accomplished. My conclusion is that it needs to be an option in pfBlocker (tagging that is) as an alias would only allow the rule I add to pfsense manually to go after the pfBlocker rules (which will likely block the traffic I want to intercept and send out via WAN, that's why I need the rule to go first). Hope this makes sense, if you could add it I'd be happy to help test it.



  • @t41k2m3 Thanks. My mistake even more basic. The pull down menu didn’t fill with AS-numbers and names when creating the IP4 rule. I typed AS2906 and nothing happened but I could save the rule.
    A statement with ‘Netflix’ appeared in the viewer during reload so ...

    It was after changing the browser that I discovered it was supposed to autocomplete. The pfb_netflix exists now, so I can try to do something more.


  • Moderator

    @ianp said in Netflix outside VPN:

    Thanks. My mistake even more basic. The pull down menu didn’t fill with AS-numbers and names when creating the IP4 rule. I typed AS2906 and nothing happened but I could save the rule.
    A statement with ‘Netflix’ appeared in the viewer during reload so ...
    It was after changing the browser that I discovered it was supposed to autocomplete. The pfb_netflix exists now, so I can try to do something more.

    pfBlockerNG-devel has a new ASN function which is better than what existed in the pfBlockerNG version. Would recommend the devel version.



  • @bbcan177 said in Netflix outside VPN:

    pfBlockerNG-devel has a new ASN function which is better than what existed in the pfBlockerNG version. Would recommend the devel version.

    Do you mean the AS function available under IP Custom List > Enable Domain/AS when defining a rule? (Have actually been using that successfully once the AS was identified.)
    Or do you mean there is another AS functionality somewhere else (that maybe includes other stuff like automated search for AS numbers based on name or other parameters)?


  • Moderator

    @t41k2m3 The GUI is the same; however, the ASN field entry is an auto-complete, so typing three characters/numbers will do a search of the ASN database. Also, devel uses a new source for ASN -> IP which is a lot more accurate than what is in pfBlockerNG.



  • @bbcan177 said in Netflix outside VPN:

    @t41k2m3 The GUI is the same; however, the ASN field entry is an auto-complete, so typing three characters/numbers will do a search of the ASN database. Also, devel uses a new source for ASN -> IP which is a lot more accurate than what is in pfBlockerNG.

    Thanks, pretty cool feature.



  • @BBcan177 just to close this loop, still think it would be useful to have a TAG option available under Adv. Inbound/Outbound options.

    Did however find a way around this issue, shared below in case it may be helpful to you or others going forward.

    In case of the following situation:

    • need to route outside of VPN traffic to IPs possibly blocked by pfBlocker AND
    • need to control the source (i.e. not all LAN/VLAN, but only from specific LAN devices) and

    therefore a) the permit rule needs to go at the top of the list or ahead of any pfBlocker block/reject rules; b) it will require tagging on the LAN rule and a matching floating rule on the WAN (since the LAN source IP will be lost after NAT).

    one way to do this is to make sure pfBlocker does NOT use floating rules AND then add 2 floating rules manually (1 tag IN rule on LAN with WAN as gateway, 1 tagged matching OUT rule on WAN) at the top of the floating rules list. Those floating rules will be parsed before the LAN tab rules and as such before any pfBlocker rules.
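The two workarounds in this thread (the pfBlockerNG "Permit Outbound" rule with a custom WAN gateway in the numbered steps above, and the tag/tagged floating-rule pair in the last post) both end up as ordinary pf rules once pfSense reloads the ruleset. The fragment below is an added illustration written for this page, not something generated by pfSense or pfBlockerNG, showing the floating-rule version at the pf level. Interface names (em1 = LAN, em0 = WAN), the gateway 203.0.113.1, the streaming device 192.168.1.10, the tag name and the table file path are all constructed assumptions; the table name follows the pfB_<rule>_v4 pattern mentioned above.

```pf
# Added example, not pfSense-generated output. All names/addresses are assumed.
# em1 = LAN, em0 = WAN, 203.0.113.1 = WAN gateway, 192.168.1.10 = streaming box,
# <pfB_netflix_v4> = pfBlockerNG "Alias type" table holding the ASN prefixes
# (Alias type creates only the table, no rules, so the rule order is ours).
table <pfB_netflix_v4> persist file "/var/db/aliastables/pfB_netflix_v4.txt"

# Floating rule 1 ("tag IN rule on LAN with WAN as gateway"):
# matches only the one LAN device and only destinations in the table.
# "quick" stops evaluation here, so it wins before the LAN-tab rules and
# therefore before any pfBlockerNG block/reject rules; route-to sends the
# flow to the WAN gateway instead of the OpenVPN default route; the tag
# is attached to the state so the flow can be recognised later.
pass in quick on em1 route-to (em0 203.0.113.1) inet from 192.168.1.10 to <pfB_netflix_v4> keep state tag NETFLIX_BYPASS

# Floating rule 2 ("tagged matching OUT rule on WAN"):
# after outbound NAT the packet's source is the WAN address, so the tag is
# the only thing that still identifies the flow. Without "tagged" this rule
# would have to be "from any", i.e. every LAN host would get the bypass.
pass out quick on em0 inet from any to any keep state tagged NETFLIX_BYPASS
```

Two checks worth doing after a Force Update / filter reload: `pfctl -t pfB_netflix_v4 -T show` confirms the table was actually populated (an empty table means the ASN lookup failed, as happened with the browser autocomplete problem earlier in the thread), and `pfctl -vvsr` shows the compiled rules in order, so you can verify the tagged pass rules sit above the pfBlockerNG block rules rather than trusting the GUI ordering. Note that the bypass still depends on an outbound NAT rule existing for WAN; pfSense's automatic outbound NAT normally provides one.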