Topic: Pfsense plus hurricane electric breaks netflix IPV6 - proxy error

kejianshi
Netflix has started blocking all VPN associated networks that they can detect or identify as VPN or proxy. 

They are clumping Hurricane Electric tunnel broker IPs in with "proxy".

So, even if you are in the USA and have a real USA IP, you will probably see this:



So, just having HE IPV6 tunnel on your pfsense will probably cause netflix to throw an error screen in your face about being naughty and using VPNs and proxy.

So, I had to go into the firewall and make a quick floating rule REJECT all of the following:

2a01:578:3::/48
2406:da00:ff00::/48
2600:1407:19::/48
2607:f8b0:4001::/48
2620:108:700f::/48

These are all associated with amazon cloud services and netflix streaming.

Rejecting those causes Netflix to fail over to IPV4 and then everything works again.

I assume people with native IPV6 don't have this problem.  Just the people using tunnel brokers.

For me, to make it simple I made an alias containing all those IP ranges.

Then I selected all interfaces in my floating firewall rule and told it to apply as soon as it matched.

Not sure if this will be a permanent fix or if Netflix will come up with new IP ranges all the time, but for now it works.
« Last Edit: June 11, 2016, 01:53:03 am by kejianshi »

Gertjan
« Reply #1 on: June 15, 2016, 08:09:48 am »
Hi,

The problem boils down to:
... Just the people using tunnel brokers.
Netflix made an international statement about that.

The entire issue is: who is on the list (that Netflix manages) that they consider as a proxy?
You proved, as many did, that he.net is ... (the free IPv6 tunnel service).

kejianshi
« Reply #2 on: June 15, 2016, 08:37:44 am »
Yeah - I think that netflix is going too far out of its way to attempt to enforce vpn and proxy bans.

It's like a net that is meant to catch tuna but scoops up dolphins, turtles and whatever else happens to be swimming at the time.

I for sure don't use IPV6 as a way to skirt geofiltering and I'd bet the same is true of most people. 

Netflix needs to give a pass on those HE IP blocks. 

Another way for Netflix to do it might be to fail over to IPV4 on their end as a check when it detects HE IPs rather than forcing the customers to figure out how to do it.


kejianshi
« Reply #4 on: June 15, 2016, 11:35:56 am »
Yep - Some people are definitely using it for that purpose. 

Still, I don't think it's a good reason to slam everyone.

I will be glad when native IPV6 is running on verizon fios so I don't need HE as much.

Although, I sort of like having static IPs for IPV6. 

Seems like the internet providers are again going out of their way to make up reasons for your IP to change all the time.

With IPV6, there is no good reason. 

kejianshi
« Reply #5 on: June 16, 2016, 02:42:31 am »
You know - It would be nice to be able to enter a domain in a field in DNS resolver and tell it on a case by case basis to either remove all IPV6 or IPV4 references to a site.

Might be a bit less brute force than blocking entire IPV6 ranges.

reinderien
« Reply #6 on: August 28, 2017, 07:20:53 am »
You know - It would be nice to be able to enter a domain in a field in DNS resolver and tell it on a case by case basis to either remove all IPV6 or IPV4 references to a site.

Might be a bit less brute force than blocking entire IPV6 ranges.

That's exactly what I got working here:

https://www.reddit.com/r/PFSENSE/comments/6weauh/ipv6_and_netflix_another_option/

awebster
« Reply #7 on: August 29, 2017, 04:34:32 pm »
I didn't want it to break all IPv6 name resolution, so I used this method instead...works great!

https://forum.pfsense.org/index.php?topic=133172.msg732233#msg732233
--A.

reinderien
« Reply #8 on: August 29, 2017, 04:36:41 pm »
I didn't want it to break all IPv6 name resolution

The single-purpose bind solution does not break all IPv6 resolution. It targets specific domain names as registered through the unbound domain override mechanism. Comparatively speaking, the solution you linked breaks a whole lot more: many millions of IPv6 addresses are all blocked.

Gertjan
« Reply #9 on: August 30, 2017, 04:22:51 am »
Exactly.
This: https://forum.pfsense.org/index.php?topic=133172.msg732233#msg732233 is very ugly with many (future) side effects.
This: https://www.reddit.com/r/PFSENSE/comments/6weauh/ipv6_and_netflix_another_option/ is beautiful because it blocks only listed domain names.

kejianshi
« Reply #10 on: October 14, 2017, 10:36:58 am »
I like it, of course.  I just prefer to keep pfsense using as much of its default features as possible. 

I'm not sure that switching to bind wouldn't break something (or lots of somethings) after an update/upgrade.

That is my only worry with that solution.

zskwrel
« Reply #11 on: October 21, 2017, 01:30:15 pm »
See: https://forums.he.net/index.php?topic=3564.msg21004#msg21004

Just add these parameters to the 'Custom options' box under: Services>DNS Resolver>General Settings.

Code:
local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"

local-zone: "netflix.net" typetransparent
local-data: "netflix.net IN AAAA ::"

local-zone: "nflxext.com" typetransparent
local-data: "nflxext.com IN AAAA ::"

local-zone: "nflximg.net" typetransparent
local-data: "nflximg.net IN AAAA ::"

local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"

local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"

local-zone: "customerevents.netflix.com" typetransparent
local-data: "customerevents.netflix.com IN AAAA ::"

local-zone: "secure.netflix.com" typetransparent
local-data: "secure.netflix.com IN AAAA ::"

local-zone: "adtech.nflximg.net" typetransparent
local-data: "adtech.nflximg.net IN AAAA ::"

local-zone: "assets.nflxext.com" typetransparent
local-data: "assets.nflxext.com IN AAAA ::"

local-zone: "codex.nflxext.com" typetransparent
local-data: "codex.nflxext.com IN AAAA ::"

local-zone: "dockhand.netflix.com" typetransparent
local-data: "dockhand.netflix.com IN AAAA ::"

local-zone: "ichnaea.netflix.com" typetransparent
local-data: "ichnaea.netflix.com IN AAAA ::"

local-zone: "art-s.nflximg.net" typetransparent
local-data: "art-s.nflximg.net IN AAAA ::"

local-zone: "tp-s.nflximg.net" typetransparent
local-data: "tp-s.nflximg.net IN AAAA ::"

Caveat: While I found Netflix to play on my PC using several different web browsers after adding the above parameters to unbound, Netflix still refuses to play through the Netflix PC app, Apple TV, or my iPhone Netflix app. If anybody can help explain why only web browsers work I'd be most grateful.
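
Added example, not part of zskwrel's post and not pfSense or unbound code: a small Python model of how unbound answers under the `typetransparent` local-zone entries above. It shows that only the exact name and record type given in `local-data` is overridden, while any other name or type under the same zone is still resolved normally. The sample options are a constructed subset of the list above, and `unlisted.nflxvideo.net` in the test is a hypothetical hostname.

```python
import re

# Constructed sample: a subset of the custom options posted above.
SAMPLE_OPTIONS = """
local-zone: "netflix.com" typetransparent
local-data: "netflix.com IN AAAA ::"
local-zone: "www.netflix.com" typetransparent
local-data: "www.netflix.com IN AAAA ::"
local-zone: "nflxvideo.net" typetransparent
local-data: "nflxvideo.net IN AAAA ::"
"""

ZONE_RE = re.compile(r'^local-zone:\s*"([^"]+)"\s+(\S+)$')
DATA_RE = re.compile(r'^local-data:\s*"(\S+)\s+IN\s+(\S+)\s+(\S+)"$')

def norm(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.lower().rstrip(".")

def parse_options(text):
    """Return ({zone: type}, {(name, rrtype): rdata}) from custom options."""
    zones, data = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := ZONE_RE.match(line):
            zones[norm(m.group(1))] = m.group(2)
        elif m := DATA_RE.match(line):
            data[(norm(m.group(1)), m.group(2).upper())] = m.group(3)
    return zones, data

def closest_zone(name, zones):
    """Longest configured zone that is a suffix of name, or None."""
    labels = norm(name).split(".")
    for i in range(len(labels)):
        if (candidate := ".".join(labels[i:])) in zones:
            return candidate
    return None

def answer(name, qtype, zones, data):
    """('local', rdata) if local-data answers, else ('upstream', None)."""
    zone = closest_zone(name, zones)
    if zone is None:
        return ("upstream", None)          # no local-zone covers this name
    if zones[zone] != "typetransparent":
        raise ValueError(f"zone type {zones[zone]!r} is not modelled here")
    # typetransparent: only an exact name + type match is answered locally.
    rdata = data.get((norm(name), qtype.upper()))
    return ("local", rdata) if rdata is not None else ("upstream", None)

ZONES, DATA = parse_options(SAMPLE_OPTIONS)
```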

Derelict
« Reply #12 on: October 21, 2017, 01:36:38 pm »
Quote
Re: Pfsense plus hurricane electric breaks netflix IPV6 - proxy error
Netflix intentionally breaks access when using Tunnel Broker IPv6

There. Fixed it for you.

kejianshi
« Reply #13 on: October 21, 2017, 02:10:41 pm »
Yep.  Someone over there at netflix must be really bored...

Thing is I have plenty of IPV4 addresses that are private and in no vpn related IP blocks. 

I really just use HE for IPV6 generically.  It is actually far more useful than the IPV6 that most ISPs provision since it is static.

I also don't believe HE intends their service to be a VPN like service.  What a huge mess.
« Last Edit: October 21, 2017, 02:14:13 pm by kejianshi »

zskwrel
« Reply #14 on: October 21, 2017, 02:33:59 pm »
In order to block the Hurricane Electric tunnel from trying to access Netflix I resorted to setting up an alias with the Netflix IPv6 address blocks then set up a reject rule in the LAN firewall rules. This seems to solve the problem of my Netflix apps being blocked.