/ip address
add address=10.0.0.1/24 interface=lan network=10.0.0.0
add address=10.10.10.1/29 interface=wireguard1 network=10.10.10.0
We first create a routing table:
/routing table
add comment="wireguard 1" disabled=no fib name=t-wg1
and add the following rule to the top of /ip/firewall/mangle
/ip/firewall/mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 \
passthrough=yes protocol=tcp tcp-flags=syn
Afterwards, we mark routing:
add action=mark-routing chain=prerouting comment=Netflix dst-address-list=Netflix \
in-interface-list=!WAN new-routing-mark=t-wg1 passthrough=no src-address=10.0.0.10
add action=mark-routing chain=prerouting comment="Amazon (Netflix)" dst-address-list=Amazon \
in-interface-list=!WAN new-routing-mark=t-wg1 passthrough=no src-address=10.0.0.10
Address list 'Netflix' is basically a set of IPv4 addresses of AS2906:
/ip firewall address-list
add address=23.246.0.0/18 comment=Netflix list=Netflix
add address=37.77.184.0/21 comment=Netflix list=Netflix
add address=45.57.0.0/17 comment=Netflix list=Netflix
add address=64.120.128.0/17 comment=Netflix list=Netflix
add address=66.197.128.0/17 comment=Netflix list=Netflix
add address=69.53.224.0/19 comment=Netflix list=Netflix
add address=108.175.32.0/20 comment=Netflix list=Netflix
add address=185.2.220.0/22 comment=Netflix list=Netflix
add address=185.9.188.0/22 comment=Netflix list=Netflix
add address=192.173.64.0/18 comment=Netflix list=Netflix
add address=198.38.96.0/19 comment=Netflix list=Netflix
add address=198.45.48.0/20 comment=Netflix list=Netflix
add address=208.75.76.0/22 comment=Netflix list=Netflix
But, since Netflix uses Amazon as its CDN, we also need a list containing certain addresses from AS16509 (see AWS IP address ranges). Not all the addresses from AS16509 are needed, but finding out which ones are is not always trivial. My strategy (the client device being a TV) was to route all the traffic through WireGuard for a certain period of time and 'catch' the IP addresses:
add action=add-dst-to-address-list address-list=TV-Nflx address-list-timeout=\
none-static chain=prerouting comment="Get Amazon IP" dst-address=\
!10.0.0.0/24 src-address=10.0.0.10
Afterwards, by combining the Amazon addresses collected in the 'TV-Nflx' list (the rest you can filter out) with the AWS IP address ranges, you can create your Amazon address list. For different regions of the world, and for different Netflix subscriptions, this list will (significantly) differ, so you'll have to create it yourself.
In case you already have the list 'Amazon' and need to catch those few addresses which are not present in your list, you can add:
dst-address-list=!Amazon
In /ip/firewall/nat you need a src-nat or masquerade rule:
/ip firewall nat
add action=src-nat chain=srcnat comment="wireguard 1" routing-mark=t-wg1 to-addresses=10.10.10.1
And finally in /ip route we add:
/ip route
add comment="wireguard 1" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=wireguard1 pref-src="" routing-table=t-wg1 scope=30 \
suppress-hw-offload=no target-scope=10
Optionally, you can add a killswitch:
add blackhole comment="killswitch wg" disabled=no distance=10 dst-address=\
0.0.0.0/0 gateway="" pref-src="" routing-table=t-wg1 scope=250 \
suppress-hw-offload=no target-scope=10
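To turn the addresses caught in the 'TV-Nflx' list into the 'Amazon' address list, here is an added Python example (not from the original post): it matches each collected address against the prefixes in AWS's ip-ranges.json, keeps the most specific matching prefix, separates out addresses that fall outside AWS entirely, and emits the RouterOS address-list commands. The JSON fragment and the collected addresses are constructed samples; in practice the real ip-ranges.json and an export of the 'TV-Nflx' list would be loaded from files.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json (not real AWS data):
# the real file has the same top-level "prefixes" key with "ip_prefix",
# "region" and "service" per entry.
SAMPLE_AWS_RANGES = json.dumps({"prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
]})

# Constructed sample of what the 'TV-Nflx' list might have caught: two AWS
# addresses (one duplicated) and one address from Netflix's own AS2906 space.
SAMPLE_COLLECTED = ["192.0.2.10", "198.51.100.7", "198.51.100.7", "45.57.1.2"]


def load_aws_prefixes(ranges_json):
    """Parse ip-ranges.json text into a list of (network, region, service)."""
    data = json.loads(ranges_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def match_collected(collected, prefixes):
    """Map each collected address to the most specific AWS prefix containing it.

    Returns (matched, unmatched): matched maps prefix string -> (region, service);
    unmatched lists addresses outside every AWS prefix, which belong in another
    list (e.g. the 'Netflix' list for AS2906) or can simply be filtered out.
    """
    matched, unmatched = {}, set()
    for raw in set(collected):  # de-duplicate repeated catches
        addr = ipaddress.ip_address(raw)
        hits = [h for h in prefixes if addr in h[0]]
        if not hits:
            unmatched.add(raw)
            continue
        net, region, service = max(hits, key=lambda h: h[0].prefixlen)
        matched[str(net)] = (region, service)
    return matched, sorted(unmatched, key=ipaddress.ip_address)


def render_address_list(matched, list_name="Amazon"):
    """Render RouterOS '/ip firewall address-list' commands for the matched prefixes."""
    lines = ["/ip firewall address-list"]
    for net in sorted(matched, key=ipaddress.ip_network):
        region, service = matched[net]
        lines.append(f'add address={net} comment="{service} {region}" list={list_name}')
    return lines
```

Running `render_address_list(*match_collected(SAMPLE_COLLECTED, load_aws_prefixes(SAMPLE_AWS_RANGES))[:1])` yields the commands to paste into the router; the unmatched addresses are returned separately so they never end up in the 'Amazon' list by mistake.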