IKEv2 setup issue with Netflix

Hi. I have VPN setup through IKEv2 for a 10.10.10.0/24 network. While everything seems to be working just fine, I’m having trouble accessing Netflix. Often times it doesn’t load, or only loads content partially.
Ipsec connection is already being excluded from fassttrack. I’ve read in the forum that it has to do something with the MTU size discovery. I’ve tried multiple solutions already, such as these:

/ip firewall mangle
add action=change-mss src-address=10.10.10.0/24 chain=forward new-mss=clamp-to-pmtu passthrough=yes \
    protocol=tcp tcp-flags=syn
/ip firewall mangle
add action=change-mss src-address=10.10.10.0/24 chain=forward new-mss=1382 passthrough=yes \
    protocol=tcp tcp-flags=syn

However, they don’t seem to resolve my issue. Can someone point me to the solution?

new-mss=clamp-to-pmtu makes no sense if PMTUD doesn’t work (I wonder what sense it actually makes if it does, anyone?)
The second rule only adjusts the MSS your client indicates to the server, but the real issue is most likely the sending direction (large packets from the client do not make it to the server). So instead of any action=change-mss rules, an additional IPsec policy should be the proper solution:

action=none src-address=10.10.10.0/24 dst-address=10.10.10.0/24. It has to be placed before (above) the template policy used by the /ip ipsec identity row of the IKEv2 VPN.

I created the policy, however, I’m not sure if I should keep the ones I setup originally. Is the order correct?

action=none src-address=10.10.10.0/24 dst-address=10.10.10.0/24. It has to be placed before (above) the template policy used by the /ip ipsec identity row of the IKEv2 VPN.
[/quote]

As you haven’t posted the complete configuration in the OP, I’ve made a guess, and the guess was wrong. So the policy #3 on the screenshot, which I have proposed, is useless and you can remove it; it’s policy #2 that should make the PMTUD work.

If it does, all is good and the only thing to do is to move it before current #0 (the only enabled template) so that once you disconnect and re-connect the VPN, current #4 would not be created before (above) current #2.

If it doesn’t, my assumption was wrong and something else is wrong.

Sadly it doesn’t change anything. Here is my complete configuration, maybe there’s something missing.

# jan/06/2022 22:51:22 by RouterOS 6.49.2
# software id = J5T5-YMFQ
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
add name=bridgeVPN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=network wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=network-5ghz wireless-protocol=\
    802.11
add disabled=no mac-address=xx:xx:xx:xx:xx master-interface=wlan1 name=\
    wlan3 ssid=networkVPN wds-default-bridge=bridge wps-mode=disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=mypassword \
    wpa2-pre-shared-key=mypassword
/ip ipsec mode-config
add name=USVPN responder=no src-address-list=local
/ip ipsec policy group
add name=USVPN
/ip ipsec profile
add name=USVPN
/ip ipsec peer
add address=173.237.207.38/32 exchange-mode=ike2 name=USVPN profile=USVPN
/ip ipsec proposal
add name=USVPN pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.20.10.2-10.20.10.254
add name=dhcp_pool2 ranges=10.20.10.2-10.20.10.254
add name=dhcp_pool3 ranges=100.100.100.2-100.100.100.254
add name=dhcp_pool4 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool4 disabled=no interface=bridgeVPN name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridgeVPN interface=wlan3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.10.1/24 interface=bridgeVPN network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=162.252.172.57,149.154.159.92 gateway=\
    10.10.10.1
add address=100.100.100.0/24 gateway=100.100.100.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.10.10.0/24 list=local
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="excluding vpn from fasttrack" \
    connection-state=established,related dst-address-list=!local \
    src-address-list=local
add action=accept chain=forward comment="excluding vpn from fasttrack" \
    connection-state=established,related dst-address-list=local \
    src-address-list=!local
add action=fasttrack-connection chain=forward comment=\
    "ipsec excluded from faststrack" connection-mark=!ipsec connection-state=\
    established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=forward ipsec-policy=in,ipsec \
    new-connection-mark=ipsec
add action=mark-connection chain=forward ipsec-policy=out,ipsec \
    new-connection-mark=ipsec
add action=change-mss chain=forward disabled=yes new-mss=1200 passthrough=yes \
    protocol=tcp src-address=10.10.10.0/24 tcp-flags=syn tcp-mss=1201-65535
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp src-address=10.10.10.0/24 tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add auth-method=eap certificate=surfsharkVPN eap-methods=eap-mschapv2 \
    generate-policy=port-strict mode-config=USVPN password=\
    passwordxxx peer=USVPN policy-template-group=USVPN username=\
    usernamexxx
/ip ipsec policy
add action=none dst-address=10.10.10.0/24 src-address=0.0.0.0/0
add disabled=yes dst-address=0.0.0.0/0 group=USVPN proposal=USVPN \
    src-address=0.0.0.0/0 template=yes
/system clock
set time-zone-name=Europe/Riga
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I cannot see anything missing there, rather some redundant parts - I’d remove the action=mark-connection rules from mangle and the connection-mark=!local condition from the first action=fasttrack-connection rule, because the two action=accept rules matching on local=>!local and on !local=>local placed before the action=fasttrack-connection one are sufficient to prevent packets to/from 10.10.10.0/24 from making their connections fasttracked. So you can re-enable the first fasttracking rule, and remove the second one which is shadowed by the “accept established/related/untracked” one anyway. But that’s not a solution of the Netflix issue, that’s just saving a few CPU cycles per packet.

But since fasttracking is not what breaks your Netflix connections, enable the first action=change-mss rule, and add another one which will look the same except that 10.10.10.0/24 will be used as dst-address rather than src-address.

If this doesn’t help, it is not an MTU/MSS issue.

I’ve added the additional mangle rule, but it still doesn’t resolve anything.
The weirdest thing is all other streaming services work perfectly - tubi, pluto tv, hbo etc. The problem is only with Netflix.

That sounds like Netflix is checking something - the IP subnets used by popular VPN providers may be blacklisted, or Netflix may check the MTU size… Only sniffing can tell you whether there is something wrong at TCP level or whether the issue is at application level.

I don’t think the IPs are blacklisted, because partially it works - if you try opening episode/movie, 1 in maybe like 5 tries will work out, and you’ll be able to watch the episode till the end with no interruptions. However, most of the time it stucks loading or gives you different connection errors.
I’m not very mikrotik router savvy - is sniffing something I can do? If yes, can you point me to instructions?

It can be done, but it only makes sense if you can use Wireshark yourself, or have a local friend who can, to analyse the TCP session(s) between your “TV” device and the Netflix servers.

If you watch netflix on a PC, you can sniff using Wireshark directly on that PC; if you use a smart TV, the best way is to use port mirroring on the Mikrotik to copy the traffic to the Ethernet port of the PC.

I was able to capture a .pcap file, is it allowed to post it here? or does it contain sensitive information?

It may contain sensitive information. It does not mean that it is forbidden to post it here, but you may not want to. More important, it seems that only image (picture) or text files can be attached.

Not really sure what to look for, here is what I see. Netflix server seems to be 138.199.42.165:

Well, the actual pcap files are necessary for a serious analysis, the screenshots are useless. That’s why I was mentioning a local friend who can use Wireshark to analyse things.

What I can see from the screenshots is that your sniffing method creates duplicate packets in the resulting .pcap, what exactly does your current sniffing setup look like?

I can have a look at the .pcap if you don’t mind sharing it with me despite the eventual presence of sensitive info in it, but take into account I am a random stranger to you Your public IP will likely not be present in the capture, but hard to say what else may pop up there - some DNS queries, some visited public IPs… anyway, can you run openssl somewhere (Linux or Windows command line skills required)?

What I can see from the screenshots is that your sniffing method creates duplicate packets in the resulting .pcap, what exactly does your current sniffing setup look like?

I got the file using built-in Packet sniffer in Mikrotik router and then opened it on Wireshark app on Windows.

can you run openssl somewhere (Linux or Windows command line skills required)?

yes, I have Openssl installed on Windows

That’s still not a detailed enough description It seems you haven’t specified a particular interface to sniff at, so each packet is stored once as caught at bridgeVPN and the second time as caught at wlan3, and many other packets are stored as well although not necessary. So the capture may not contain the interesting part as it may have exceeded the reserved file size.

So if you still want me to have a look at your pcap, follow the instructions here.

Yes, I would appreciate if you could take a look at it. Here’s the output of my file:

YHWIzSu4rE/gBQCfe61I6WKoy5nb+qR6e99Rbc7ST3WwJoEAHIHzy/DJSXa0FFzq
3w6/4FcPvWuTA4AJHiLAEX/yGDz1ZSUnQhcHgm+7E2pLq0Tm+fTOE26QPp2i8lEe
brmAXPIx5g/CmSkiSNMBVzTAY/YOa+THauIlVNxTz5tTGAcCKoE5nzvmkRgYTI8P
L7/f+Osy2l9y7LZk6dYTTREslqtW17NnGn0XdouXMSN1I+agU3L6ZDvJcWtpsAjZ
SRgjkllDzdqOmQi+RWuB8GrIw4b3S2enQUCdXOxiDJan+1DyYAMldvPhPQnroIzo
qWPQNk324rLhREZZfTkhEQ7jXRfFTg0D6tD6E69tyao5YMPHov6K8YtMMopL1OR6
75PPg8ByqDkeRI2iBObFMAS3Lw8onFNQLGZzSZVoTtd4i4o6XehAPJCgcjCCzqKp
sohrIGFlpGPXmh4r8Dnoc5bk2y5u6XjLEZ1ock8Ayp5CG1v93VmdL1aA8iMc27TY
Lu1XVu/912olFB5hDknmGo0XXa+19apKHjMuouISfiC0VEYF7dgweIrjtY5jw2cM
sRy175h/a5Nt3MNU1ADBgC01hWveeWvI7qqyzzoW9sQ98iVjcDEWsDYtxiF5Zld6
aczEghKGVw8A4UVRwP61bbS4D8xGmLdcKh61tkzYZfA=

That’s still not a detailed enough description > > It seems you haven’t specified a particular interface to sniff at, so each packet is stored once as caught at bridgeVPN and the second time as caught at wlan3, and many other packets are stored as well although not necessary. So the capture may not contain the interesting part as it may have exceeded the reserved file size.

That seems to be the case. I only specified the IP address to sniff and set the memory limit to 10mb. I captured around 30s of me navigating through different sections in Netflix (with content load issues) and also Netflix being stuck in video loading.
Do I have to recapture file, however, also specifying the interface now (bridge or wlan)?