Route Netflix traffic via VPN

Hi,
I’ve started looking for an option to route only specific traffic, instead of all traffic from a desired IP in the local network. In this case it is about all Netflix traffic going via the VPN. I’ve added the configuration described here: https://serverfault.com/a/1094944 and it seems to be working, but only partially. I mean, tcptraceroute goes via the VPN, and so does the web browser. I can log in and select content but cannot play it. It just times out, which means something is missing. Has anyone tried a configuration like this?

That doesn’t look like MikroTik OS; methinks you’re in the wrong forum.

You gotta lay off that Canadian moonshine Anav. The posting in that link is entirely focused on Mikrotik. OP - what VPN protocol are you using? What you’ve described sounds like an MTU/MSS issue based on my experience.

True dat, I never looked at the text and just saw those foreign-looking hieroglyphics, and looking at it more closely it does appear to be a script of some sort LOL

As to the question: easy peasy.
Dedicate one VLAN to Netflix use (AKA, be it the Apple TV box, or Android box etc… the device in question, on the VLAN).
Use IP table, IP route, IP routing rule to send that traffic out the VPN.
Done.

In other words, why try and find a complicated solution when there should be easy solutions!

Scripts are for kids, or Italians with nothing better to do :wink:
I avoid them until necessary.

/routing table add fib name=StreamVPN
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=StreamVPN
/routing rule add src-address=StreamingDevice ( or Streaming Device List ) action=lookup-only-in-table table=StreamVPN

Assuming you are using a third party VPN, add this mangle rule:
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

If that mangle doesn’t resolve MTU problems try a different one…
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

WireGuard. The thing is that if I route all traffic via the VPN it is working fine. The problem is only when I am trying to route marked traffic, like there is something missing.

Methinks you must be illiterate.

Just because you don’t understand something doesn’t mean it’s wrong.

I already have this in place, as I said I am looking for something else. Please stop being fussy if you have no idea how to do it.

In fact, everything you need is described in anav’s second post.
The other approach is to mangle against an address list of all possible Netflix IP addresses.
Post your config if you need exact patches.

In fact I already wrote in my first post that I already have the working solution anav proposed in place. The other approach, mangle against an address list of all possible Netflix IP addresses, is what I am trying to achieve, and I’ve already posted a link in my first post. In short, I have an address list updating via the script from the link in my first post; traffic to Netflix is being routed via the VPN, but I can’t play any content, as if the address list obtained from the script is incomplete.

It is not a problem with the VPN, because if I route all traffic from a particular host via the VPN it works fine. I’ve tried to catch something with tcpdump but with no luck.

I have a similar setup, but not for Netflix (even though, ironically, the example I gave anav was for Netflix).
Mine works flawlessly, but I have a slightly different setup.

I don’t use a script. I have entries in /ip dns static that automatically add them to my address list.
One issue I did run into is that sometimes the TTL on the entries was absurdly low (20 sec). Thankfully you can manually add to the TTL timeout in /ip dns.

As far as figuring out the domains used, rather than packet capturing, have you tried looking in the DNS cache as soon as you start to play a video, to see all the entries that were accessed?

Nice!!!

Let me propose some ideas; I would be glad if any could help:

  1. If you are 100% sure the problem is with an incomplete address list, I guess it’s possible to make 2 snapshots of the DNS entries that get resolved with the 2 different approaches (flush DNS and total VPN vs. flush DNS and mangle + your script) and compare them.
    Then you may be able to notice some additional patterns to search for and to add.
  2. Maybe you have to resolve IP addresses with DNS accessed through the VPN as well.
  3. There are also a couple of articles at Netflix with DNS names and IP ranges.

Netflix is not only TCP, so you’d need to mark UDP packets as well.
Another possible source of a problem is

passthrough=yes

depending on which rules come after this one.

Modified mangle rule from the linked website:

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Sortie Netflix" dst-address-list=netflix new-routing-mark=via-sortie-netflix src-address=[your clients' IP addresses]

should give the result you expect.

Thanks, but it didn’t make any difference, except that UDP traceroute/mtr is now also going via the VPN. I’ve tried with and without passthrough.

Just to make sure: do you have

add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

or

add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

as suggested by @anav before marking packets?

I have a very similar setup, and it works…
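Putting the pieces of this thread together (the /ip dns static approach from @pajapatak's earlier post, marking UDP as well as TCP, the passthrough setting, and the MSS clamp from @anav), here is one complete configuration as an added example; it is not a config posted by anyone in the thread. The interface name wireguard1, the client 192.168.88.50, the resolver 1.1.1.1 and the domain names are placeholders, and the address-list, match-subdomain and address-list-extra-time options assume a recent RouterOS 7 build.

```routeros
# Added example, not a configuration posted in this thread.
# Placeholders: wireguard1 = the WireGuard interface, 192.168.88.50 = the
# streaming client, 1.1.1.1 = upstream resolver, domain names illustrative.

# 1. Routing table whose only route is the tunnel
/routing table add fib name=StreamVPN
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=StreamVPN

# 2. Fill the "netflix" address list from DNS answers (no script needed).
#    type=FWD keeps resolving normally; address-list= adds every answered
#    IP to the list and match-subdomain=yes covers the CDN hostnames too.
/ip dns static
add name=netflix.com type=FWD forward-to=1.1.1.1 address-list=netflix match-subdomain=yes
add name=nflxvideo.net type=FWD forward-to=1.1.1.1 address-list=netflix match-subdomain=yes
# Keep list entries longer than the short TTLs in the answers
/ip dns set address-list-extra-time=1h

# 3. Route-mark traffic from the client to listed addresses. No protocol= so
#    UDP is marked too; the mark name must equal the routing table name.
#    passthrough=no stops later mangle rules from re-marking it.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.50 dst-address-list=netflix \
    action=mark-routing new-routing-mark=StreamVPN passthrough=no \
    comment="Netflix to VPN"

# 4. MSS clamp on the tunnel (the rule @anav suggested)
add chain=forward out-interface=wireguard1 protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="Clamp MSS to PMTU for Outgoing packets"

# 5. Source NAT, needed unless the far end routes your LAN back through the tunnel
/ip firewall nat add chain=srcnat out-interface=wireguard1 action=masquerade
```

To see what the list is actually picking up while a video starts, compare /ip dns cache print where name~"netflix" with /ip firewall address-list print where list=netflix; a hostname that shows up in the cache but not in the list points at a zone the static entries do not cover yet. The mangle mark selects the StreamVPN table directly, so no /routing rule is needed in this variant.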

Hi @pajapatak, could you please do us all a big favor and post your complete solution in the “Useful User Articles” forum? Thank you!

Sure - here it is!

Thanks, that’s a different approach, and AWS IP addresses are what is missing in the DNS-based setup I am struggling with. Honestly, how often do you need to update the AWS IP ranges in order for Netflix to work? I mean, I don’t watch Netflix too often, maybe once or twice a year, but I don’t want to put myself into a situation where my kids are moaning every five days that Netflix doesn’t work. Moreover, I found 18.165.227.30 in my add-dst-to-address-list belonging to either 18.163.0.0/16 or 18.164.0.0/15 (not to mention duplicates). I am sensing this to be a nightmare to manage.

It doesn’t need too frequent updates, most of the time the same IP blocks are used. If the ‘initial’ address list is ok, then every few months you’d have to add a few IP blocks more. Bigger problem is if you use some of the commercial VPNs (like nord, pia, torguard, etc) and their residential/streaming/dedicated IP - they are usually detected by Netflix after some time, and streaming doesn’t work any more, regardless of your (by that time perfect) policy routing.

I am not using a commercial VPN; this is purely a static residential IP at someone else’s home I am sharing streaming services with. Currently I have separate Chromecast traffic routed via this VPN link, but I was thinking about getting rid of it and just marking Netflix traffic. However, adding a whole block of /15, /16 or even /24 will also be difficult for me, because I am working from home and my company’s cloud provider is AWS. Anyway, thanks for sharing, and I think your solution is the only working one.