Restricting Netflix Access?

Discussion in 'Tomato Firmware' started by Sivananda, Apr 17, 2010.

  1. Sivananda

    Sivananda Networkin' Nut Member

    Ok, so I've been wrestling with this one on & off for a few days now. Not much luck finding anything helpful with Google either, so thought I'd ask here.

    I've got a WRT54Gv2 running v1.27. Among the several devices on my home network, I have a Playstation 3 which connects wirelessly. In addition to gaming the PS3 is also used to stream movies from Netflix. What I'm trying to do is set up an Access Restriction that will block this capability at specified times on certain days.

    Being already somewhat familiar with setting up other restrictions in Tomato, I thought, "This shouldn't be too difficult, right?" I had successfully set a similar restriction for Youtube videos on a different device --for whatever reason, neither the 'flash' l7 filter nor the 'flash' check box worked, but the 'httpvideo' l7 filter did the trick-- so I figured maybe that would work for Netflix as well. I knew that they used Silverlight rather than flash so I didn't bother with trying either of the flash filters initially.

    Well, the 'httpvideo' filter did nothing. Just to make sure I then tried the flash filters. Still no good. "Ok," I think, "maybe I can just block any requests that include 'netflix' anywhere in the URL." So I put 'netflix' in the 'HTTP Request' box (without quotes). No good; movies still play fine.

    "Alright well, I guess maybe their stream servers are on a different domain. Time to bust out the ol' Wireshark." So I fire up tcpdump via the CIFS Client, isolating the PS3 IP and generating a dump file while a movie is playing, to be read by Wireshark. Sure enough, it looks like the stream itself is actually coming from Akamai servers. I also note a number of requests to a few different domains that include the word 'netflix', as well as another bunch to a subdomain of llnwd.net, which is one of the Silverlight domains.

    "Now we're gettin' somewhere! Surely if I add 'akamai' to the list, that should do the trick. And what the heck, let's add 'llnwd' for good measure." Dang. STILL the movie plays merrily on. (Oh and yes, I save after each change. I've also rebooted.)

    Ok, back to Wireshark. Maybe I'll see something helpful. I notice that a good portion of the relevant requests are using https, port 443. "Hmmm... I seem to recall reading somewhere that the HTTP Request filter doesn't work for encrypted http (https) requests", so for my next experiment I set a Port/Application filter on destination port 443, TCP/UDP. BINGO! No more Netflix!

    Right now you're probably thinking, "Great, problem solved!" Well, not exactly. While it does indeed stop Netflix cold, the problem is that increasingly, PS3 games are beginning to also use https requests to 'phone home' to their publishers as a means of verifying their authenticity before they'll let you play (not to mention checking for updates). Yea I know, sucks, but welcome to the future eh? Gonna be great whenever one of those publishers closes up shop (which they often do). How do you like your new $60 coaster?

    ANYway, that's another issue. As you can see, filtering on port 443 is not really an adequate solution, but it's the best I've been able to come up with. Does anybody have any other ideas that don't involve purchasing other equipment or changing firmware?

    TIA... :)
  2. Azuse

    Azuse Addicted to LI Member

    I don't follow, there's the httpvideo L7 and the flash L7, what's the second flash check-box/filter to which you refer?
  3. Sivananda

    Sivananda Networkin' Nut Member

    Bottom of the Access Restrictions page (see attached image).

    Not that it really matters; it does nothing in this case anyway...