 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Route Netflix traffic via VPN

Sat Jun 15, 2024 10:45 pm

Hi,
I've started looking for option to route specific traffic only instead of all traffic from desired IP in local network. In this case it is about all Netflix traffic to go via the VPN. I've added configuration as described here: https://serverfault.com/a/1094944 and it seems to be working but only partially. I mean, tcptraceroute is going via the VPN, same with web browser. I can login and select content but cannot play it. It just timing out which means something is missing. Do anyone tried configuration such like this?
 
anav
Forum Guru
Posts: 20925
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Netflix traffic via VPN

Sun Jun 16, 2024 12:43 am

That doesn't look like MikroTik OS, methinks you're in the wrong forum.
 
gabacho4
Member
Posts: 389
Joined: Mon Dec 28, 2020 12:30 pm
Location: Earth

Re: Route Netflix traffic via VPN

Sun Jun 16, 2024 12:57 am

> That doesn't look like MikroTik OS, methinks you're in the wrong forum.

You gotta lay off that Canadian moonshine, Anav. The posting in that link is entirely focused on MikroTik. OP, what VPN protocol are you using? What you've described sounds like an MTU/MSS issue based on my experience.
 
anav
Forum Guru
Posts: 20925
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Netflix traffic via VPN

Sun Jun 16, 2024 8:42 pm

True dat, I never looked at the text and just saw those foreign-looking hieroglyphics; looking at it more closely, it does appear to be a script of some sort LOL

As to the question, easy peasy.
Dedicate one VLAN to Netflix use (AKA, be it the Apple TV box, or Android box etc... the device in question, on the VLAN).
Use ip table, ip route, ip routing rule to send that traffic out the VPN.
Done.

In other words, why try and find a complicated solution when there should be easy solutions!

Scripts are for kids, or Italians with nothing better to do ;-)
I avoid them until necessary.

/routing table add fib name=StreamVPN
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=StreamVPN
/routing rule add src-address=<streaming device IP or subnet> action=lookup-only-in-table table=StreamVPN

Assuming you are using a third party VPN, add this mangle rule:
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn

If that mangle doesn't resolve MTU problems, try a different one:
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 1:30 am

> > That doesn't look like MikroTik OS, methinks you're in the wrong forum.
> You gotta lay off that Canadian moonshine, Anav. The posting in that link is entirely focused on MikroTik. OP, what VPN protocol are you using? What you've described sounds like an MTU/MSS issue based on my experience.

WireGuard. The thing is that if I route all traffic via the VPN it is working fine. The problem is only when I am trying to route marked traffic; it's like there is something missing.
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 1:31 am

> That doesn't look like MikroTik OS, methinks you're in the wrong forum.

Methinks you must be illiterate.
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 1:36 am

> True dat, I never looked at the text and just saw those foreign-looking hieroglyphics; looking at it more closely, it does appear to be a script of some sort LOL

Just because you don't understand something doesn't mean it's wrong.

> As to the question, easy peasy.
> Dedicate one VLAN to Netflix use (AKA, be it the Apple TV box, or Android box etc... the device in question, on the VLAN).
> Use ip table, ip route, ip routing rule to send that traffic out the VPN.
> Done.

I already have this in place; as I said, I am looking for something else. Please stop being fussy if you have no idea how to do it.
 
sas2k
Frequent Visitor
Posts: 89
Joined: Tue Jan 18, 2022 8:17 am

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 9:01 am

> Please stop being fussy if you have no idea how to do it.

In fact, everything you need is described in anav's second post.
The other approach is to mangle against an address list of all possible Netflix IP addresses.
Post your config if you need exact patches.
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 9:11 pm

> > Please stop being fussy if you have no idea how to do it.
> In fact, everything you need is described in anav's second post.
> The other approach is to mangle against an address list of all possible Netflix IP addresses.
> Post your config if you need exact patches.

In fact, I already wrote in my first post that I already have the working solution anav proposed in place. The other approach, mangle against an address list of all possible Netflix IP addresses, is what I am trying to achieve, and I've already posted a link in my first post. In short, I have an address list updated via the script from the link in my first post; traffic to Netflix is being routed via the VPN, but I can't play any content, as if the address list obtained from the script is incomplete.

It is not a problem with the VPN, because if I route all traffic from a particular host via the VPN it works fine. I've tried to catch something with tcpdump, but with no luck.
 
hapoo
Frequent Visitor
Posts: 59
Joined: Wed Apr 24, 2019 1:35 am

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 9:43 pm

I have a similar setup, but not for Netflix (even though ironically the example I gave anav was for Netflix).
Mine works flawlessly, but I have a slightly different setup.

I don't use a script. I have entries in /ip dns static that automatically add them to my address list.
One issue I did run into is that sometimes the TTL on the entries was absurdly low (20 sec). Thankfully you can manually add on to the TTL timeout in /ip dns.

As far as figuring out the domains used, rather than packet capturing, have you tried looking in the DNS cache as soon as you start to play a video to see all the entries that were accessed?
 
anav
Forum Guru
Posts: 20925
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Netflix traffic via VPN

Mon Jun 17, 2024 10:26 pm

Nice!!!
 
sas2k
Frequent Visitor
Posts: 89
Joined: Tue Jan 18, 2022 8:17 am

Re: Route Netflix traffic via VPN

Tue Jun 18, 2024 2:08 am

> but I can't play any content, as if the address list obtained from the script is incomplete.
>
> It is not a problem with the VPN, because if I route all traffic from a particular host via the VPN it works fine. I've tried to catch something with tcpdump, but with no luck.

Let me propose some ideas; I would be glad if any could help:
1. If you are 100% sure the problem is with an incomplete address list, I guess it's possible to make 2 snapshots of DNS entries that are resolved with 2 different approaches (flush DNS and total VPN vs flush DNS and mangle + your script) and compare.
Then you may probably be able to notice some additional patterns to search for and to add.
2. Maybe you have to resolve IP addresses with DNS accessed through the VPN as well.
3. There are also a couple of articles at Netflix with DNS names and IP ranges.
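An offline helper for the snapshot comparison sas2k suggests in point 1, and for the DNS-cache inspection hapoo mentions above; it is an added example, not code from this thread. It parses two pasted DNS-cache listings, lists the names that only the all-traffic-via-VPN run resolved, groups them by parent domain so they can seed subdomain-matching entries, and flags the very short TTLs hapoo ran into. The column layout and the hostnames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed snapshots shaped like '/ip dns cache print' (assumed columns:
# index, name, type, data, ttl). Hostnames are illustrative, not a verified list.
SNAPSHOT_FULL_VPN = """\
 #  NAME                                     TYPE  DATA           TTL
 0  www.netflix.com                          A     203.0.113.10   5m
 1  api-global.netflix.com                   A     203.0.113.11   2m30s
 2  ipv4-c001-lon001-ix.1.oca.nflxvideo.net  A     198.51.100.7   20s
 3  occ-0-1234.1.nflxso.net                  A     198.51.100.8   1m
 4  example.org                              A     192.0.2.1      1h
"""
SNAPSHOT_MARKED = """\
 #  NAME                                     TYPE  DATA           TTL
 0  www.netflix.com                          A     203.0.113.10   5m
 1  api-global.netflix.com                   A     203.0.113.11   2m30s
 2  example.org                              A     192.0.2.1      1h
"""

ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(A|AAAA|CNAME)\s+(\S+)\s+(\S+)\s*$")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def ttl_seconds(text):
    """Convert a RouterOS-style duration such as '2m30s' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", text))

def parse_cache(text):
    """Return {name: ttl_seconds}; the header row has no numeric index."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[m.group(1).lower().rstrip(".")] = ttl_seconds(m.group(4))
    return entries

def missing_names(full_snapshot, marked_snapshot):
    """Names the all-via-VPN run resolved that the marked-traffic run never did."""
    return sorted(set(parse_cache(full_snapshot)) - set(parse_cache(marked_snapshot)))

def suggest_suffixes(names, labels=2):
    """Group by the last `labels` labels to seed subdomain-matching entries."""
    groups = defaultdict(list)
    for name in names:
        groups[".".join(name.split(".")[-labels:])].append(name)
    return dict(groups)

def short_lived(snapshot, floor=60):
    """Names whose TTL is below `floor` seconds: these age out of an address
    list quickly unless extra time is added to the list timeout."""
    return sorted(n for n, ttl in parse_cache(snapshot).items() if ttl < floor)
```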
 
pajapatak
just joined
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Re: Route Netflix traffic via VPN

Tue Jun 18, 2024 12:51 pm

Netflix is not only TCP, so you'd need to mark UDP packets as well.
Another possible source of a problem is
passthrough=yes
depending on which rules come after this one.

Modified mangle rule from the linked website:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Sortie Netflix" dst-address-list=netflix new-routing-mark=via-sortie-netflix src-address=[your clients' IP addresses]
should give the result you expect.
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Wed Jun 19, 2024 1:10 am

> Netflix is not only TCP, so you'd need to mark UDP packets as well.
> Another possible source of a problem is
> passthrough=yes
> depending on which rules come after this one.
>
> Modified mangle rule from the linked website:
> /ip firewall mangle
> add action=mark-routing chain=prerouting comment="Sortie Netflix" dst-address-list=netflix new-routing-mark=via-sortie-netflix src-address=[your clients' IP addresses]
> should give the result you expect.

Thanks, but it didn't make any difference, except that UDP traceroute/mtr is now also going via the VPN. I've tried with and without passthrough.
 
pajapatak
just joined
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Re: Route Netflix traffic via VPN

Wed Jun 19, 2024 9:32 am

Just to make sure: do you have
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
or
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535
as suggested by @anav before marking packets?

I have a very similar setup, and it works...
 
Larsa
Forum Guru
Posts: 1454
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Route Netflix traffic via VPN

Wed Jun 19, 2024 9:55 am

Hi @pajapatak, could you please do us all a big favor and post your complete solution in the "Useful User Articles" forum? Thank you!
 
pajapatak
just joined
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Re: Route Netflix traffic via VPN

Wed Jun 19, 2024 5:59 pm

> Hi @pajapatak, could you please do us all a big favor and post your complete solution in the "Useful User Articles" forum? Thank you!

Sure - here it is!
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Fri Jun 21, 2024 12:39 am

> > Hi @pajapatak, could you please do us all a big favor and post your complete solution in the "Useful User Articles" forum? Thank you!
>
> Sure - here it is!

Thanks, that's a different approach, and AWS IP addresses are something missing in the DNS-based setup I am struggling with. Honestly, how often do you need to update AWS IP ranges in order for Netflix to work? I mean, I don't watch Netflix too often, maybe once or twice a year, but I don't want to put myself into a situation where my kids are moaning that Netflix doesn't work every five days. Moreover, I found 18.165.227.30 in my add-dst-to-address-list belonging to either 18.163.0.0/16 or 18.164.0.0/15 (not to mention duplicates). I am sensing this to be a nightmare to manage.
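An added example (not code from this thread) for auditing an exported address list of the kind horizn describes above: it reports host entries already covered by a wider prefix, exact duplicates, and the collapsed minimal prefix set, so the overlap question in the post can be answered mechanically rather than by eye. The export lines are constructed; only 18.165.227.30, 18.163.0.0/16 and 18.164.0.0/15 come from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed lines shaped like '/ip firewall address-list export'. The 18.x
# values are from the post; the 52.x entries and the NflxLAN host are made up.
EXPORT = """\
/ip firewall address-list
add address=18.164.0.0/15 list=netflix
add address=18.163.0.0/16 list=netflix
add address=18.165.227.30 comment="from add-dst-to-address-list" list=netflix
add address=18.165.227.30 list=netflix
add address=52.210.0.0/16 list=netflix
add address=52.211.0.0-52.211.255.255 list=netflix
add address=10.0.0.2 comment="local device x" list=NflxLAN
"""

def to_networks(value):
    """Accept CIDR, a bare host, or a RouterOS 'lo-hi' range."""
    if "-" in value:
        lo, hi = value.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(value, strict=False)]

def parse_export(text, wanted_list):
    """Networks in one list; the leading \\s keeps keys like dst-address= out."""
    nets = []
    for line in text.splitlines():
        addr = re.search(r"\saddress=(\S+)", line)
        lst = re.search(r"\slist=(\S+)", line)
        if line.startswith("add ") and addr and lst and lst.group(1) == wanted_list:
            nets.extend(to_networks(addr.group(1)))
    return nets

def covered_entries(nets):
    """Map each entry to a strictly wider entry that already contains it."""
    covered = {}
    for net in nets:
        for other in nets:
            if other.prefixlen < net.prefixlen and net.subnet_of(other):
                covered[str(net)] = str(other)
                break
    return covered

def duplicates(nets):
    """Entries listed more than once."""
    return sorted(str(n) for n, count in Counter(nets).items() if count > 1)

def collapse(nets):
    """Minimal prefix set: drops duplicates/covered entries, merges adjacent /16s into a /15."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```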
 
pajapatak
just joined
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Re: Route Netflix traffic via VPN

Sat Jun 22, 2024 2:29 pm

It doesn't need too frequent updates, most of the time the same IP blocks are used. If the 'initial' address list is ok, then every few months you'd have to add a few IP blocks more. Bigger problem is if you use some of the commercial VPNs (like nord, pia, torguard, etc) and their residential/streaming/dedicated IP - they are usually detected by Netflix after some time, and streaming doesn't work any more, regardless of your (by that time perfect) policy routing.
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Sat Jun 22, 2024 6:25 pm

> It doesn't need too frequent updates, most of the time the same IP blocks are used. If the 'initial' address list is ok, then every few months you'd have to add a few IP blocks more. Bigger problem is if you use some of the commercial VPNs (like nord, pia, torguard, etc) and their residential/streaming/dedicated IP - they are usually detected by Netflix after some time, and streaming doesn't work any more, regardless of your (by that time perfect) policy routing.

I am not using a commercial VPN; this is purely a static residential IP at someone else's home that I am sharing streaming services with. Currently I have separate Chromecast traffic routed via this VPN link, but I was thinking about getting rid of it and just marking Netflix traffic. However, adding a whole block of /15, /16 or even /24 will also be difficult for me because I am working from home and my company's cloud provider is AWS. Anyway, thanks for sharing, and I think your solution is the only working one.
 
pajapatak
just joined
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Re: Route Netflix traffic via VPN

Sat Jun 22, 2024 8:04 pm

Working from home should not be a problem here. Let's assume you have several devices which use Netflix; those devices can be added to a list:
/ip firewall address-list
add address=10.0.0.2 comment="local device x" list=NflxLAN
add address=10.0.0.7 comment="local device y" list=NflxLAN
add address=10.0.0.11 comment="local device z" list=NflxLAN

If you have
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Netflix dst-address-list=Netflix \
    in-interface-list=!WAN new-routing-mark=t-wg1 passthrough=no src-address-list=NflxLAN

then the traffic of your work device (let's say, a laptop with local IP 10.0.0.4) won't be affected. Here I assumed LAN devices have their static IP addresses. :wink:
 
horizn
Frequent Visitor
Topic Author
Posts: 74
Joined: Fri Mar 19, 2010 1:16 pm
Location: UK

Re: Route Netflix traffic via VPN

Sat Jun 22, 2024 8:35 pm

Yeah, in that way it would work. I was thinking about 192.168.10.0/24 and 192.168.30.0/24, where I have devices watching Netflix. Literally, I wanted all devices in the network to use Netflix via this route without giving them static IPs.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: Route Netflix traffic via VPN

Thu Jul 11, 2024 2:42 am

> Assuming you are using a third party VPN, add this mangle rule:
> add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
>
> If that mangle doesn't resolve MTU problems, try a different one:
> add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

@anav
Since you mentioned that: I'm experiencing some VPN issues.
When you add these mangle rules, is the MTU of the L2VPN left at the default, or are you only playing with the mangle rules?
 
anav
Forum Guru
Posts: 20925
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Route Netflix traffic via VPN

Thu Jul 11, 2024 3:21 am

Hi there nichky, those workarounds are for the client peer (for the handshake router) that is trying to normally send www traffic out a third party VPN provider.
One keeps the default MTU at both ends (both ends should normally have the same MTU setup); whether that applies in other scenarios I don't know.

It is a standalone mangle rule with out-interface=wireguard1
