Community discussions

MUM Europe 2020
 
pradeepsekar
just joined
Topic Author
Posts: 13
Joined: Sun Oct 13, 2013 6:21 am

Cant stream Netflix via VPN

Mon Nov 18, 2013 6:12 pm

I run RB951G-2HnD - I have 2 WANs and have configured Failover, which appears to work fine. I also run a VPN for accessing specific IPs (Services like Netflix) that are throttled by my ISPs. I have some devices that need to go via VPN for all Internet Access - have segregated them via LAN IP.

However, my Roku does not connect to Netflix using my config (attached below). Works well - or as well as it can - without the VPN. I am wondering if anyone can point out where I have gone wrong...

My Network Config:
Untitled.png

ros code

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above disabled=no distance=indoors ht-rxchains=\
    0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=myssid \
    wireless-protocol=802.11
/interface bridge
add admin-mac=D4:CA:6D:A8:A1:C9 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set [ find default-name=ether1 ] name=ether1-dmz speed=1Gbps
set [ find default-name=ether2 ] name=ether2-wan1-SY speed=1Gbps
set [ find default-name=ether3 ] name=ether3-wan2-AT speed=1Gbps
set [ find default-name=ether4 ] name=ether4-lan-master speed=1Gbps
set [ find default-name=ether5 ] master-port=ether4-lan-master name=\
    ether5-lan-slave speed=1Gbps
/interface pppoe-client
add add-default-route=yes interface=ether3-wan2-AT max-mru=1492 max-mtu=\
    1492 name=pppoe-wan2-AT password=mypasswd user=\
    myuserid
/interface pptp-client
add add-default-route=yes connect-to=172.18.0.1 max-mru=1492 max-mtu=1492 \
    name=pptp-wan1-SY password=mypasswd2 user=\
    myuserid2
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=mywpakey wpa2-pre-shared-key=mywpakey
/ip pool
add name=dhcp-lan ranges=192.168.88.160/27
add name=dhcp-dmz ranges=192.168.89.160/27
/ip dhcp-server
add address-pool=dhcp-lan authoritative=yes disabled=no interface=\
    bridge-local name=dhcp-server-lan
add address-pool=dhcp-dmz authoritative=yes disabled=no interface=ether1-dmz \
    name=dhcp-server-dmz
/interface pptp-client
add add-default-route=yes connect-to=108.171.104.20 disabled=no max-mru=1400 \
    max-mtu=1400 name=vpn password=mypasswd3 profile=default user=myuserid3
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether4-lan-master
add bridge=bridge-local interface=wlan1
/ip accounting
set enabled=yes
/ip address
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
add address=192.168.89.1/24 interface=ether1-dmz network=192.168.89.0
add address=192.168.7.5/24 interface=ether2-wan1-SY network=192.168.7.0
add address=192.168.0.5/24 interface=ether3-wan2-AT network=192.168.0.0
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=1024 \
    servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.88.32/27 list=src-must-use-vpn
add address=192.168.88.0/24 list=local-nets
add address=192.168.89.0/24 list=local-nets
add address=172.18.0.0/16 list=SY
add address=192.168.1.0/24 list=AT
add address=103.4.8.0/21 list=vpn
add address=192.168.0.0/16 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=bogons
add address=192.168.7.0/24 list=local-nets
add address=192.168.0.0/24 list=local-nets
add address=108.171.104.20 list=PPTP-Servers
add address=172.18.0.1 list=PPTP-Servers
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add chain=input comment="Accept DNS - TCP" in-interface=bridge-local port=53 \
    protocol=tcp
add chain=input comment="Accept DNS - TCP" in-interface=ether1-dmz port=53 \
    protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established in-interface=bridge-local protocol=tcp
add chain=input comment="Accept to established connections" connection-state=\
    established in-interface=ether1-dmz protocol=tcp
add chain=input comment="Accept to related connections" connection-state=\
    related protocol=tcp
add chain=input comment="Full access to LOCAL-NETS address list" \
    src-address-list=local-nets
add chain=input comment="For PPTP Client" protocol=gre src-address-list=\
    PPTP-Servers
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=\
    ether2-wan1-SY
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=\
    ether3-wan2-AT
add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \
    limit=1,5 protocol=icmp
add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\
    icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall mangle
add chain=prerouting dst-address-list=local-nets in-interface=bridge-local
add chain=prerouting dst-address-list=local-nets in-interface=bridge-local
add action=mark-connection chain=prerouting comment=\
    "Mark connections from WAN1" connection-mark=no-mark in-interface=\
    ether2-wan1-SY new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting comment=\
    "Mark connections from WAN2" connection-mark=no-mark in-interface=\
    ether3-wan2-AT new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting comment=\
    "Mark Connections from VPN" connection-mark=no-mark in-interface=vpn \
    new-connection-mark=vpn_conn
add action=mark-connection chain=prerouting comment=\
    "Mark connections for Sources that must go only via VPN" connection-mark=\
    no-mark dst-address-list=!192.168.0.0/16 new-connection-mark=vpn_conn \
    src-address-list=src-must-use-vpn
add action=mark-connection chain=prerouting comment=\
    "Mark connections that must go only via VPN" connection-mark=no-mark \
    dst-address-list=vpn new-connection-mark=vpn_conn
add action=mark-connection chain=prerouting comment=\
    "Mark connections that must go only via SY" connection-mark=no-mark \
    dst-address-list=SY new-connection-mark=SY_conn
add action=mark-connection chain=prerouting comment=\
    "Mark connections that must go only via AT" connection-mark=no-mark \
    dst-address-list=AT new-connection-mark=AT_conn
add action=mark-connection chain=prerouting comment=\
    "Mark all other connections for Failover - Primary WAN1, Secondary WAN2" \
    connection-mark=no-mark dst-address-list=!local-nets dst-address-type=\
    !local new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting comment="LB Rule 0:6" \
    connection-mark=no-mark disabled=yes dst-address-list=!local-nets \
    dst-address-type=!local new-connection-mark=wan1_conn \
    per-connection-classifier=both-addresses-and-ports:6/0
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!local-nets dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:6/1
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!local-nets dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:6/2
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!local-nets dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:6/3
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!local-nets dst-address-type=!local \
    new-connection-mark=wan1_conn per-connection-classifier=\
    both-addresses-and-ports:6/4
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes dst-address-list=!local-nets dst-address-type=!local \
    new-connection-mark=wan2_conn per-connection-classifier=\
    both-addresses-and-ports:6/5
add action=mark-routing chain=prerouting comment="Route VPN connections" \
    connection-mark=vpn_conn dst-address-list=!local-nets dst-address-type=\
    !local new-routing-mark=to_vpn
add action=mark-routing chain=prerouting comment="Route SY connections" \
    connection-mark=SY_conn dst-address-list=!local-nets dst-address-type=\
    !local new-routing-mark=to_SY
add action=mark-routing chain=prerouting comment="Route AT connections" \
    connection-mark=AT_conn dst-address-list=!local-nets \
    dst-address-type=!local new-routing-mark=to_AT
add action=mark-routing chain=prerouting comment=\
    "Route WAN1 connections - with Failover" connection-mark=wan1_conn \
    dst-address-list=!local-nets dst-address-type=!local new-routing-mark=\
    to_wan1
add action=mark-routing chain=prerouting comment=\
    "Route WAN2 connections - with Failover" connection-mark=wan2_conn \
    dst-address-list=!local-nets dst-address-type=!local new-routing-mark=\
    to_wan2
add action=mark-routing chain=output comment="Send connections via VPN" \
    connection-mark=vpn_conn dst-address-list=!local-nets new-routing-mark=\
    to_vpn
add action=mark-routing chain=output comment=\
    "Send connections via WAN1 - With Failover" connection-mark=wan1_conn \
    dst-address-list=!local-nets new-routing-mark=to_wan1
add action=mark-routing chain=output comment=\
    "Send connections via WAN2 - With Failover" connection-mark=wan2_conn \
    dst-address-list=!local-nets new-routing-mark=to_wan2
add action=mark-routing chain=output comment="Send connections via SY" \
    connection-mark=SY_conn dst-address-list=!local-nets new-routing-mark=\
    to_SY
add action=mark-routing chain=output comment="Send connections via AT" \
    connection-mark=AT_conn dst-address-list=!local-nets \
    new-routing-mark=to_AT
add action=mark-routing chain=output comment=\
    "Send connections from Router via VPN" connection-mark=no-mark \
    dst-address-list=vpn new-routing-mark=to_vpn
add action=mark-routing chain=output comment=\
    "Send connections from Router via SY" connection-mark=no-mark \
    dst-address-list=SY new-routing-mark=to_SY
add action=mark-routing chain=output comment=\
    "Send connections from Router via AT" connection-mark=no-mark \
    dst-address-list=AT new-routing-mark=to_AT
add action=mark-routing chain=output comment=\
    "Send connections from Router via WAN1 - with failover" connection-mark=\
    no-mark disabled=yes dst-address-list=!local-nets dst-address-type=! \
    new-routing-mark=to_wan1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-wan1-SY
add action=masquerade chain=srcnat out-interface=ether3-wan2-AT
add action=masquerade chain=srcnat out-interface=vpn
/ip route
add distance=1 gateway=vpn routing-mark=to_vpn
add distance=1 gateway=192.168.7.1 routing-mark=to_SY
add distance=1 gateway=192.168.0.1 routing-mark=to_AT
add distance=1 gateway=10.1.1.1 routing-mark=to_wan1
add distance=2 gateway=10.2.2.2 routing-mark=to_wan1
add distance=1 gateway=10.2.2.2 routing-mark=to_wan2
add distance=2 gateway=10.1.1.1 routing-mark=to_wan2
add distance=3 gateway=10.1.1.1
add distance=4 gateway=10.2.2.2
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=\
    173.194.36.49 scope=10
add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=\
    202.144.65.205 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=\
    74.125.236.127 scope=10
add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=\
    96.17.180.161 scope=10
add distance=1 dst-address=74.125.236.127/32 gateway=192.168.0.1 scope=10
add distance=1 dst-address=96.17.180.161/32 gateway=192.168.0.1 scope=10
add distance=5 dst-address=108.171.104.20/32 gateway=10.1.1.1
add distance=6 dst-address=108.171.104.20/32 gateway=10.2.2.2
add distance=1 dst-address=172.18.0.1/32 gateway=172.18.138.1
add distance=1 dst-address=173.194.36.49/32 gateway=192.168.7.1 scope=10
add distance=1 dst-address=202.144.65.205/32 gateway=192.168.7.1 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8000
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=202.71.140.36 secondary-ntp=165.193.126.229
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-wan1-SY
add interface=ether3-wan2-AT
add interface=ether4-lan-master
add interface=ether5-lan-slave
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-wan1-SY
add interface=ether3-wan2-AT
add interface=ether4-lan-master
add interface=ether5-lan-slave
add interface=wlan1
add interface=bridge-local
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: adeeadee, amt, dedysobr, heidarren, oskarsk and 187 guests