However, my Roku does not connect to Netflix using my config (attached below). Works well - or as well as it can - without the VPN. I am wondering if anyone can point out where I have gone wrong...
My Network Config:
ros code
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\ 20/40mhz-ht-above disabled=no distance=indoors ht-rxchains=\ 0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=myssid \ wireless-protocol=802.11 /interface bridge add admin-mac=D4:CA:6D:A8:A1:C9 auto-mac=no l2mtu=1598 name=bridge-local \ protocol-mode=rstp /interface ethernet set [ find default-name=ether1 ] name=ether1-dmz speed=1Gbps set [ find default-name=ether2 ] name=ether2-wan1-SY speed=1Gbps set [ find default-name=ether3 ] name=ether3-wan2-AT speed=1Gbps set [ find default-name=ether4 ] name=ether4-lan-master speed=1Gbps set [ find default-name=ether5 ] master-port=ether4-lan-master name=\ ether5-lan-slave speed=1Gbps /interface pppoe-client add add-default-route=yes interface=ether3-wan2-AT max-mru=1492 max-mtu=\ 1492 name=pppoe-wan2-AT password=mypasswd user=\ myuserid /interface pptp-client add add-default-route=yes connect-to=172.18.0.1 max-mru=1492 max-mtu=1492 \ name=pptp-wan1-SY password=mypasswd2 user=\ myuserid2 /ip neighbor discovery set wlan1 discover=no /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\ tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \ wpa-pre-shared-key=mywpakey wpa2-pre-shared-key=mywpakey /ip pool add name=dhcp-lan ranges=192.168.88.160/27 add name=dhcp-dmz ranges=192.168.89.160/27 /ip dhcp-server add address-pool=dhcp-lan authoritative=yes disabled=no interface=\ bridge-local name=dhcp-server-lan add address-pool=dhcp-dmz authoritative=yes disabled=no interface=ether1-dmz \ name=dhcp-server-dmz /interface pptp-client add add-default-route=yes connect-to=108.171.104.20 disabled=no max-mru=1400 \ max-mtu=1400 name=vpn password=mypasswd3 profile=default user=myuserid3 /system logging action set 0 memory-lines=100 set 1 disk-lines-per-file=100 /interface bridge port add bridge=bridge-local interface=ether4-lan-master add bridge=bridge-local interface=wlan1 /ip accounting set enabled=yes /ip address add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0 add address=192.168.89.1/24 interface=ether1-dmz network=192.168.89.0 add address=192.168.7.5/24 interface=ether2-wan1-SY network=192.168.7.0 add address=192.168.0.5/24 interface=ether3-wan2-AT network=192.168.0.0 /ip dhcp-server network add address=192.168.88.0/24 comment="default configuration" dns-server=\ 8.8.8.8,8.8.4.4 gateway=192.168.88.1 add address=192.168.89.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.89.1 /ip dns set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=1024 \ servers=8.8.8.8,8.8.4.4 /ip firewall address-list add address=192.168.88.32/27 list=src-must-use-vpn add address=192.168.88.0/24 list=local-nets add address=192.168.89.0/24 list=local-nets add address=172.18.0.0/16 list=SY add address=192.168.1.0/24 list=AT add address=103.4.8.0/21 list=vpn add address=192.168.0.0/16 list=support add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\ d this subnet before enable it" list=bogons add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \ need this subnet before enable it" list=bogons add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\ \_need this subnet before enable it" disabled=yes list=bogons add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\ bogons add address=198.18.0.0/15 comment="NIDB Testing" list=bogons add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons add address=224.0.0.0/4 comment=\ "MC, Class D, IANA # Check if you need this subnet before enable it" \ list=bogons add address=192.168.7.0/24 list=local-nets add address=192.168.0.0/24 list=local-nets add address=108.171.104.20 list=PPTP-Servers add address=172.18.0.1 list=PPTP-Servers /ip firewall filter add action=add-src-to-address-list address-list=Syn_Flooder \ address-list-timeout=30m chain=input comment=\ "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \ tcp-flags=syn add action=drop chain=input comment="Drop to syn flood list" \ src-address-list=Syn_Flooder add action=add-src-to-address-list address-list=Port_Scanner \ address-list-timeout=1w chain=input comment="Port Scanner Detect" \ protocol=tcp psd=21,3s,3,1 add action=drop chain=input comment="Drop to port scan list" \ src-address-list=Port_Scanner add action=jump chain=input comment="Jump for icmp input flow" jump-target=\ ICMP protocol=icmp add action=drop chain=input comment="Block all access to the winbox - except t\ o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\ PORT ADDRESS LIST" dst-port=8291 protocol=tcp src-address-list=!support add action=jump chain=forward comment="Jump for icmp forward flow" \ jump-target=ICMP protocol=icmp add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\ bogons add action=add-src-to-address-list address-list=spammers \ address-list-timeout=3h chain=forward comment=\ "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\ 25,587 limit=30/1m,0 protocol=tcp add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \ protocol=tcp src-address-list=spammers add chain=input comment="Accept DNS - UDP" port=53 protocol=udp add chain=input comment="Accept DNS - TCP" in-interface=bridge-local port=53 \ protocol=tcp add chain=input comment="Accept DNS - TCP" in-interface=ether1-dmz port=53 \ protocol=tcp add chain=input comment="Accept to established connections" connection-state=\ established in-interface=bridge-local protocol=tcp add chain=input comment="Accept to established connections" connection-state=\ established in-interface=ether1-dmz protocol=tcp add chain=input comment="Accept to related connections" connection-state=\ related protocol=tcp add chain=input comment="Full access to LOCAL-NETS address list" \ src-address-list=local-nets add chain=input comment="For PPTP Client" protocol=gre src-address-list=\ PPTP-Servers add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \ RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=\ ether2-wan1-SY add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \ RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" in-interface=\ ether3-wan2-AT add chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 \ limit=1,5 protocol=icmp add chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp add chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp add chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=\ icmp add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \ protocol=icmp /ip firewall mangle add chain=prerouting dst-address-list=local-nets in-interface=bridge-local add chain=prerouting dst-address-list=local-nets in-interface=bridge-local add action=mark-connection chain=prerouting comment=\ "Mark connections from WAN1" connection-mark=no-mark in-interface=\ ether2-wan1-SY new-connection-mark=wan1_conn add action=mark-connection chain=prerouting comment=\ "Mark connections from WAN2" connection-mark=no-mark in-interface=\ ether3-wan2-AT new-connection-mark=wan2_conn add action=mark-connection chain=prerouting comment=\ "Mark Connections from VPN" connection-mark=no-mark in-interface=vpn \ new-connection-mark=vpn_conn add action=mark-connection chain=prerouting comment=\ "Mark connections for Sources that must go only via VPN" connection-mark=\ no-mark dst-address-list=!192.168.0.0/16 new-connection-mark=vpn_conn \ src-address-list=src-must-use-vpn add action=mark-connection chain=prerouting comment=\ "Mark connections that must go only via VPN" connection-mark=no-mark \ dst-address-list=vpn new-connection-mark=vpn_conn add action=mark-connection chain=prerouting comment=\ "Mark connections that must go only via SY" connection-mark=no-mark \ dst-address-list=SY new-connection-mark=SY_conn add action=mark-connection chain=prerouting comment=\ "Mark connections that must go only via AT" connection-mark=no-mark \ dst-address-list=AT new-connection-mark=AT_conn add action=mark-connection chain=prerouting comment=\ "Mark all other connections for Failover - Primary WAN1, Secondary WAN2" \ connection-mark=no-mark dst-address-list=!local-nets dst-address-type=\ !local new-connection-mark=wan1_conn add action=mark-connection chain=prerouting comment="LB Rule 0:6" \ connection-mark=no-mark disabled=yes dst-address-list=!local-nets \ dst-address-type=!local new-connection-mark=wan1_conn \ per-connection-classifier=both-addresses-and-ports:6/0 add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\ yes dst-address-list=!local-nets dst-address-type=!local \ new-connection-mark=wan1_conn per-connection-classifier=\ both-addresses-and-ports:6/1 add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\ yes dst-address-list=!local-nets dst-address-type=!local \ new-connection-mark=wan1_conn per-connection-classifier=\ both-addresses-and-ports:6/2 add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\ yes dst-address-list=!local-nets dst-address-type=!local \ new-connection-mark=wan1_conn per-connection-classifier=\ both-addresses-and-ports:6/3 add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\ yes dst-address-list=!local-nets dst-address-type=!local \ new-connection-mark=wan1_conn per-connection-classifier=\ both-addresses-and-ports:6/4 add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\ yes dst-address-list=!local-nets dst-address-type=!local \ new-connection-mark=wan2_conn per-connection-classifier=\ both-addresses-and-ports:6/5 add action=mark-routing chain=prerouting comment="Route VPN connections" \ connection-mark=vpn_conn dst-address-list=!local-nets dst-address-type=\ !local new-routing-mark=to_vpn add action=mark-routing chain=prerouting comment="Route SY connections" \ connection-mark=SY_conn dst-address-list=!local-nets dst-address-type=\ !local new-routing-mark=to_SY add action=mark-routing chain=prerouting comment="Route AT connections" \ connection-mark=AT_conn dst-address-list=!local-nets \ dst-address-type=!local new-routing-mark=to_AT add action=mark-routing chain=prerouting comment=\ "Route WAN1 connections - with Failover" connection-mark=wan1_conn \ dst-address-list=!local-nets dst-address-type=!local new-routing-mark=\ to_wan1 add action=mark-routing chain=prerouting comment=\ "Route WAN2 connections - with Failover" connection-mark=wan2_conn \ dst-address-list=!local-nets dst-address-type=!local new-routing-mark=\ to_wan2 add action=mark-routing chain=output comment="Send connections via VPN" \ connection-mark=vpn_conn dst-address-list=!local-nets new-routing-mark=\ to_vpn add action=mark-routing chain=output comment=\ "Send connections via WAN1 - With Failover" connection-mark=wan1_conn \ dst-address-list=!local-nets new-routing-mark=to_wan1 add action=mark-routing chain=output comment=\ "Send connections via WAN2 - With Failover" connection-mark=wan2_conn \ dst-address-list=!local-nets new-routing-mark=to_wan2 add action=mark-routing chain=output comment="Send connections via SY" \ connection-mark=SY_conn dst-address-list=!local-nets new-routing-mark=\ to_SY add action=mark-routing chain=output comment="Send connections via AT" \ connection-mark=AT_conn dst-address-list=!local-nets \ new-routing-mark=to_AT add action=mark-routing chain=output comment=\ "Send connections from Router via VPN" connection-mark=no-mark \ dst-address-list=vpn new-routing-mark=to_vpn add action=mark-routing chain=output comment=\ "Send connections from Router via SY" connection-mark=no-mark \ dst-address-list=SY new-routing-mark=to_SY add action=mark-routing chain=output comment=\ "Send connections from Router via AT" connection-mark=no-mark \ dst-address-list=AT new-routing-mark=to_AT add action=mark-routing chain=output comment=\ "Send connections from Router via WAN1 - with failover" connection-mark=\ no-mark disabled=yes dst-address-list=!local-nets dst-address-type=! \ new-routing-mark=to_wan1 /ip firewall nat add action=masquerade chain=srcnat out-interface=ether2-wan1-SY add action=masquerade chain=srcnat out-interface=ether3-wan2-AT add action=masquerade chain=srcnat out-interface=vpn /ip route add distance=1 gateway=vpn routing-mark=to_vpn add distance=1 gateway=192.168.7.1 routing-mark=to_SY add distance=1 gateway=192.168.0.1 routing-mark=to_AT add distance=1 gateway=10.1.1.1 routing-mark=to_wan1 add distance=2 gateway=10.2.2.2 routing-mark=to_wan1 add distance=1 gateway=10.2.2.2 routing-mark=to_wan2 add distance=2 gateway=10.1.1.1 routing-mark=to_wan2 add distance=3 gateway=10.1.1.1 add distance=4 gateway=10.2.2.2 add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=\ 173.194.36.49 scope=10 add check-gateway=ping distance=1 dst-address=10.1.1.1/32 gateway=\ 202.144.65.205 scope=10 add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=\ 74.125.236.127 scope=10 add check-gateway=ping distance=1 dst-address=10.2.2.2/32 gateway=\ 96.17.180.161 scope=10 add distance=1 dst-address=74.125.236.127/32 gateway=192.168.0.1 scope=10 add distance=1 dst-address=96.17.180.161/32 gateway=192.168.0.1 scope=10 add distance=5 dst-address=108.171.104.20/32 gateway=10.1.1.1 add distance=6 dst-address=108.171.104.20/32 gateway=10.2.2.2 add distance=1 dst-address=172.18.0.1/32 gateway=172.18.138.1 add distance=1 dst-address=173.194.36.49/32 gateway=192.168.7.1 scope=10 add distance=1 dst-address=202.144.65.205/32 gateway=192.168.7.1 scope=10 /ip service set telnet disabled=yes set ftp disabled=yes set www port=8000 set ssh disabled=yes set api disabled=yes set api-ssl disabled=yes /system leds set 0 interface=wlan1 /system ntp client set enabled=yes primary-ntp=202.71.140.36 secondary-ntp=165.193.126.229 /system ntp server set broadcast=yes enabled=yes multicast=yes /tool mac-server set [ find default=yes ] disabled=yes add interface=ether2-wan1-SY add interface=ether3-wan2-AT add interface=ether4-lan-master add interface=ether5-lan-slave add interface=wlan1 add interface=bridge-local /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=ether2-wan1-SY add interface=ether3-wan2-AT add interface=ether4-lan-master add interface=ether5-lan-slave add interface=wlan1 add interface=bridge-local