Routing Disney+/Netflix Over Non-VPN Interface
-
@satisifed-stew For pulling the ASNs, there's a search functionality built into the pfBlockerNG interface. If you go to Firewall > pfBlockerNG > IP > IPv4, then click the Add button, under the IPv4 Source Definitions section change the Format to ASN and begin typing in the Source field. It will dynamically update based on what you're typing. Note that in my experience this can be quite slow, because it starts searching as soon as you type the first character and will begin populating an enormous result list. It works better if you copy and paste the full search term (e.g. "netflix").
There are also sites you can use to search for ASNs like:
https://www.ultratools.com/tools/asnInfo
Please note also that I do not use IPv6. If you do, you'll need to make IPv6 aliases as well.
You're also right that some of my aliases (like Amazon AWS) are going to catch far more traffic than just what I'm after. You can experiment some to see what's really needed to get things working for you. For me it's not so much of a concern for the devices that I apply these rules to if not all non-video-streaming traffic goes through the VPN.
-
Thanks for the additional insight @TheNarc - is it safe to assume that VideoStreamers is an alias for all of your devices that might need to use the streaming services on your network? If not, what does the alias encompass?
-
@satisifed-stew Yes exactly, it's just an alias for the LAN IPs (DHCP static mappings so they won't change) of devices on the LAN that need Netflix, Hulu, etc. to work.
-
Makes sense @TheNarc ! So I followed the instructions - made a few assumptions about the other fields to fill in, but it doesn't seem to have alleviated the content blocking. I essentially duplicated your Netflix-associated ASN IPv4 rule, augmented with Disney. It seems to have auto-created rules in WAN (inbound), LAN (outbound), OVPNC (both), OPT2 (inbound), and OpenVPN (both) but still no luck. Any idea on what I might be doing wrong?
-
these as plus help.netflix.com and www.netflix.com as lookup work for me. Make sure you select the interface you want them to go out on in the autorule too.
-
@satisifed-stew I'm not sure how similar your configuration is to mine, but I use a LAN (inbound) firewall rule to set the gateway to default (i.e. NOT the VPN) when the source address is contained in my VideoStreamers alias. And remember that it needs to come before (above) your catch-all rule that sends everything through the VPN. Again, assuming your configuration is similar to mine.
-
@jstride Do you mean by choosing a custom gateway? I only get the option to use "default" in the advanced outbound firewall rule settings. Apologies for the elementary question, but I did my best googling and RTFMing for outbound autorules and no luck. It doesn't help I've got a significant other really bothered we're not able to have our regular Netflix/Disney+ content.
-
@satisifed-stew have you got multiple gateways configured (not just the OPT2 interface)? You should see them in System > Routing > Gateways.
FYI in case you need Disney+ - this is what works for me:
-
@jstride I've got WAN and OVPNC gateways for both IP protocols. Thanks for the insight to the Disney+ rules, I'll make sure I have those as well
-
@jstride looking into it further, in the pfBlocker Alerts it's showing that it's allowing traffic from my devices out to an AWS server (which I assume is netflix, given the time of the logs are identical each time I visit Netflix), so I think I have the outbound connection setup properly.
-
So after some additional troubleshooting, I found my fat finger moment and got Netflix back up and working so that the content would stream from the website. However, it still appears to think I'm behind a VPN as not all of the content is still available. I did a PCAP and validated the content is coming through the LAN. I've applied all of the ASNs @jstride/@TheNarc recommended, minus the Amazon ones, at the moment since @jstride mentioned he got his Netflix working without the AWS.
I would appreciate if someone could point me in a direction to do some additional research as my SO is still frustrated this isn't resolved and is close to ripping the appliance out of the wall.
-
@satisifed-stew I used ntopng to look at which URLs my TV was accessing. TBH my wife gets annoyed that she can't see Suits so I've set the TV to send everything out directly, not over the VPN for the time being.
I'll see if I get some time over the weekend to try and solve it...
-
@satisifed-stew You mention that this is an appliance; is it a dedicated streaming device? And if so, is there a reason that you wouldn't just want to take it off the VPN entirely? I try to create finer-grained rules for laptops or other more general purpose devices to try to keep as much traffic as possible going through the VPN, but for a dedicated streaming device I'd be inclined to just have it bypass the VPN for everything.
-
@satisifed-stew said in Routing Disney+/Netflix Over Non-VPN Interface:
So after some additional troubleshooting, I found my fat finger moment and got Netflix back up and working so that the content would stream from the website. However, it still appears to think I'm behind a VPN as not all of the content is still available.
Open the main page of the streamer in a PC type device, using a browser.
Activate the 'dev tools' of the browser, so it shows on the bottom part of your screen all the files and scripts it tries to load while accessing menus and content. (Firefox: press Ctrl-Shift-K).
Take note of all the domain names shown - the something dot extension - that pass by.
All these should be "white listed".
You'll see netflix.com and also domain names that are at first totally not related to netflix at all. All traffic generated should not be passed to the VPN as one of them makes it clear to 'Netflix' that you use 2 WAN IPs, and one is a VPN so ....
-
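To turn the dev-tools step above into a repeatable list, the browser's Network panel can be saved as a HAR file and parsed. The script below is an added example, not code from this thread or from pfSense; the HAR content is a constructed sample, and every hostname other than netflix.com is a made-up placeholder (`.invalid` names). It extracts the unique hosts contacted, groups them by parent domain, and flags the third-party domains that are easy to miss when building the bypass alias.

```python
import json
from urllib.parse import urlsplit

# Constructed sample standing in for a real HAR export from the browser's
# Network panel (Firefox: Ctrl-Shift-K, then "Save All As HAR").
# Hostnames other than netflix.com are made-up placeholders.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://www.netflix.com/browse"}},
        {"request": {"url": "https://help.netflix.com/en/"}},
        {"request": {"url": "https://www.netflix.com/api/shakti/v1/pathEvaluator"}},
        {"request": {"url": "https://static.cdn-placeholder.invalid/ffe/siteui/main.js"}},
        {"request": {"url": "https://ipv4-c001.edge-placeholder.invalid/range/0-1048575"}},
        {"request": {"url": "wss://push.realtime-placeholder.invalid/socket"}},
        {"request": {"url": "data:text/plain;base64,SGVsbG8="}},  # no host; skipped
    ]}
})


def hosts_from_har(har_text):
    """Return the sorted, de-duplicated hostnames contacted in a HAR export."""
    data = json.loads(har_text)
    hosts = set()
    for entry in data.get("log", {}).get("entries", []):
        url = entry.get("request", {}).get("url", "")
        host = urlsplit(url).hostname
        if host:  # data: and blob: URLs carry no host
            hosts.add(host.lower())
    return sorted(hosts)


def parent_domain(host):
    """Naive registrable domain: the last two labels. Fine for .com/.net style
    names; a public-suffix list would be needed for e.g. .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def bypass_candidates(har_text, primary="netflix.com"):
    """Group hosts by parent domain and flag the ones not obviously tied to the
    streaming service; those are the hosts most easily left out of the alias."""
    groups = {}
    for host in hosts_from_har(har_text):
        groups.setdefault(parent_domain(host), []).append(host)
    flagged = sorted(d for d in groups if d != primary)
    return groups, flagged


def alias_lines(har_text):
    """One hostname per line, ready to paste into a pfSense host alias."""
    return "\n".join(hosts_from_har(har_text))


if __name__ == "__main__":
    groups, flagged = bypass_candidates(SAMPLE_HAR)
    for domain, hosts in sorted(groups.items()):
        print(f"{domain}: {', '.join(hosts)}")
    print("third-party domains to review:", ", ".join(flagged))
```

Run it against a HAR captured while browsing the streaming site's menus and starting playback; the flagged domains are the ones to check against the ASN aliases, since a request to any of them that still leaves via the VPN exposes the second WAN address.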
@TheNarc Apologies for the delay. I meant the firewall is a dedicated device. I'm looking to stream from a collection of different devices (computers, TV, phone), which is why I'm trying to get the traffic rerouted, rather than having devices bypass the VPN for everything.
-
@satisifed-stew @TheNarc nearly 2 months later and I finally resolved the issue! Turns out I didn't have an outbound NAT rule for my network to go out through the WAN - since all traffic was going out through the VPN. Configured the rule, and now it works. Amazingly, I didn't have to sleep on the couch one night either while I worked on fixing it.
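The two things that tripped this thread up, rule ordering (TheNarc's point that the bypass rule must sit above the catch-all VPN rule) and the missing outbound NAT on WAN, can both be checked in a small model of how pfSense evaluates LAN rules. The script below is an added example, not code from the posters or from pfSense: the alias contents use RFC 5737 documentation ranges as placeholders for the real ASN prefixes, and the gateway and interface names are assumed.

```python
import ipaddress

# Constructed aliases. The real ASN prefixes come from pfBlockerNG's ASN
# lookup; RFC 5737 documentation ranges stand in for them here.
ALIASES = {
    "VideoStreamers": ["192.168.1.50/32", "192.168.1.51/32"],  # DHCP static mappings
    "Netflix_ASN_v4": ["198.51.100.0/24"],                     # placeholder prefix
    "Disney_ASN_v4": ["203.0.113.0/24"],                       # placeholder prefix
}

# Gateway name -> interface it egresses on (assumed names).
GATEWAY_IFACE = {"WAN_DHCP": "WAN", "OVPNC_VPNV4": "OVPNC"}


def bypass_rules():
    """LAN rules in the working order: specific bypass rules first, catch-all last."""
    return [
        {"name": "Streamers to Netflix via WAN", "src": "VideoStreamers",
         "dst": "Netflix_ASN_v4", "gateway": "WAN_DHCP"},
        {"name": "Streamers to Disney via WAN", "src": "VideoStreamers",
         "dst": "Disney_ASN_v4", "gateway": "WAN_DHCP"},
        {"name": "Everything else via VPN", "src": "any",
         "dst": "any", "gateway": "OVPNC_VPNV4"},
    ]


def in_alias(addr, cidrs):
    """True if addr falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def first_match(rules, src, dst, aliases=ALIASES):
    """pfSense evaluates a rule set top-down and the first match wins."""
    for rule in rules:
        if rule["src"] != "any" and not in_alias(src, aliases[rule["src"]]):
            continue
        if rule["dst"] != "any" and not in_alias(dst, aliases[rule["dst"]]):
            continue
        return rule
    return None


def egress(rules, outbound_nat_ifaces, src, dst, aliases=ALIASES):
    """Resolve which gateway a LAN -> Internet flow takes and whether it can
    actually work: the egress interface needs an outbound NAT mapping, or the
    packet leaves with its private source address and the reply never returns."""
    rule = first_match(rules, src, dst, aliases)
    if rule is None:
        return {"rule": None, "gateway": None, "status": "blocked"}
    gw = rule["gateway"]
    iface = GATEWAY_IFACE[gw]
    status = "ok" if iface in outbound_nat_ifaces else "no-outbound-nat"
    return {"rule": rule["name"], "gateway": gw, "interface": iface, "status": status}


if __name__ == "__main__":
    streamer, laptop, netflix = "192.168.1.50", "192.168.1.20", "198.51.100.10"
    print("correct order, NAT on both:", egress(bypass_rules(), {"WAN", "OVPNC"}, streamer, netflix))
    print("catch-all placed first:   ", egress(list(reversed(bypass_rules())), {"WAN", "OVPNC"}, streamer, netflix))
    print("NAT only on the VPN:      ", egress(bypass_rules(), {"OVPNC"}, streamer, netflix))
    print("non-streamer device:      ", egress(bypass_rules(), {"WAN", "OVPNC"}, laptop, netflix))
```

The third case is the one resolved at the end of the thread: the rule matches and picks the WAN gateway, but with outbound NAT configured only for the VPN interface the flow still fails, which looks from the client like the bypass rule is not working at all.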
-
@satisifed-stew Great news! Glad you got it working, and sorry for sort of dropping off this thread. I'm a pretty casual forum user myself though and didn't have other ideas at the time. Thanks for following up for anyone who may have the same issue.