pajapatak
just joined
Topic Author
Posts: 17
Joined: Thu Oct 19, 2023 11:21 am

Routing Netflix traffic of a LAN client via a wireguard

Wed Jun 19, 2024 5:54 pm

In this example, we will route Netflix traffic from a specific LAN client (10.0.0.10) through WireGuard. LAN and WireGuard addresses are:
/ip address
add address=10.0.0.1/24 interface=lan network=10.0.0.0
add address=10.10.10.1/29 interface=wireguard1 network=10.10.10.0

We first create a routing table:
/routing table
add comment="wireguard 1" disabled=no fib name=t-wg1

and add the following rule to the top of /ip/firewall/mangle:
/ip/firewall/mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 \
    passthrough=yes protocol=tcp tcp-flags=syn

Afterwards, we mark routing:
add action=mark-routing chain=prerouting comment=Netflix dst-address-list=Netflix \
    in-interface-list=!WAN new-routing-mark=t-wg1 passthrough=no src-address=10.0.0.10
add action=mark-routing chain=prerouting comment="Amazon (Netflix)" dst-address-list=Amazon \
    in-interface-list=!WAN new-routing-mark=t-wg1 passthrough=no src-address=10.0.0.10

Address list 'Netflix' is basically a set of IPv4 addresses of AS2906:
/ip firewall address-list
add address=23.246.0.0/18 comment=Netflix list=Netflix
add address=37.77.184.0/21 comment=Netflix list=Netflix
add address=45.57.0.0/17 comment=Netflix list=Netflix
add address=64.120.128.0/17 comment=Netflix list=Netflix
add address=66.197.128.0/17 comment=Netflix list=Netflix
add address=69.53.224.0/19 comment=Netflix list=Netflix
add address=108.175.32.0/20 comment=Netflix list=Netflix
add address=185.2.220.0/22 comment=Netflix list=Netflix
add address=185.9.188.0/22 comment=Netflix list=Netflix
add address=192.173.64.0/18 comment=Netflix list=Netflix
add address=198.38.96.0/19 comment=Netflix list=Netflix
add address=198.45.48.0/20 comment=Netflix list=Netflix
add address=208.75.76.0/22 comment=Netflix list=Netflix

But, since Netflix uses Amazon as its CDN, we also need a list containing certain addresses from AS16509 (see AWS IP address ranges). Not all the addresses from AS16509 are needed, but finding out which ones are is not always trivial. My strategy (the client device being a TV) was to route all the traffic through WireGuard for a certain period of time and 'catch' the IP addresses:
add action=add-dst-to-address-list address-list=TV-Nflx address-list-timeout=\
    none-static chain=prerouting comment="Get Amazon IP" dst-address=\
    !10.0.0.0/24 src-address=10.0.0.10

Afterwards, by combining the Amazon addresses collected in the 'TV-Nflx' list (the rest you can filter out) with the AWS IP address ranges, you can create your Amazon address list. For different regions of the world and for different Netflix subscriptions this list will (significantly) differ, so you'll have to create it yourself.

In case you already have the list 'Amazon' and need to catch those few addresses which are not present in your list, you can add
dst-address-list=!Amazon
to the previous rule.

In /ip/firewall/nat you need a src-nat or masquerade rule:
/ip firewall nat
add action=src-nat chain=srcnat comment="wireguard 1" routing-mark=t-wg1 to-addresses=10.10.10.1

And finally in /ip route we add:
/ip route
add comment="wireguard 1" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=wireguard1 pref-src="" routing-table=t-wg1 scope=30 \
    suppress-hw-offload=no target-scope=10

Optionally, you can add a killswitch:
add blackhole comment="killswitch wg" disabled=no distance=10 dst-address=\
    0.0.0.0/0 gateway="" pref-src="" routing-table=t-wg1 scope=250 \
    suppress-hw-offload=no target-scope=10
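The "combine the caught addresses with the AWS IP address ranges" step above is the one that is easy to get wrong by hand. The following is an added helper (my own example, not code from the thread or from MikroTik) that takes the IPs the 'TV-Nflx' catch-all rule collected, keeps only those that fall inside a prefix from AWS's ip-ranges.json, and prints the matching prefixes as /ip firewall address-list commands for the 'Amazon' list. The JSON document and the caught addresses below are constructed samples using documentation ranges, not real AWS or Netflix space.

```python
import ipaddress
import json

# Constructed stand-in for AWS's ip-ranges.json (the real file is the one
# linked as "AWS IP address ranges" in the post). Prefixes are RFC 5737
# documentation ranges, not real AWS space.
SAMPLE_AWS_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "CLOUDFRONT"},
    ]
})

# Constructed sample of what the 'TV-Nflx' catch-all rule might have collected.
# 192.0.2.5 and 198.51.100.200 are outside the sample AWS prefixes and are dropped.
SAMPLE_CAUGHT = ["203.0.113.7", "203.0.113.200", "198.51.100.33", "192.0.2.5", "198.51.100.200"]


def load_aws_prefixes(ip_ranges_json):
    """Parse the 'prefixes' array of ip-ranges.json into IPv4 network objects."""
    doc = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"]) for p in doc["prefixes"]]


def match_caught_to_aws(caught, aws_prefixes):
    """Map each AWS prefix to the caught IPs inside it; IPs in no AWS prefix are filtered out."""
    hits = {}
    for raw in caught:
        ip = ipaddress.ip_address(raw)
        for net in aws_prefixes:
            if ip in net:
                hits.setdefault(net, []).append(ip)
                break  # first matching prefix wins; ip-ranges.json prefixes do not nest for our purpose
    return hits


def routeros_address_list(hits, list_name="Amazon", comment="Amazon (Netflix)"):
    """Emit RouterOS address-list commands, one per matched AWS prefix, ready to paste."""
    lines = ["/ip firewall address-list"]
    for net in sorted(hits):
        lines.append(f'add address={net} comment="{comment}" list={list_name}')
    return lines


if __name__ == "__main__":
    prefixes = load_aws_prefixes(SAMPLE_AWS_RANGES)
    for line in routeros_address_list(match_caught_to_aws(SAMPLE_CAUGHT, prefixes)):
        print(line)
```

Feed it the real ip-ranges.json and an export of your own 'TV-Nflx' list; every address that fell outside AWS space is silently discarded, which is exactly the filtering the post describes.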

abbio90
Member
Posts: 380
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano

Re: Routing Netflix traffic of a LAN client via a wireguard

Sun Aug 25, 2024 4:28 pm

Quote: "Optionally, you can add a killswitch"
Could you specify what this rule does?