Netflix problem

Discussion in 'Tomato Firmware' started by Netsurfer, Apr 7, 2019.

  1. Netsurfer

    Netsurfer New Member Member

    Hi,
    this is my first post and I hope you can help me.
    First of all... thank you for all the useful information you write here guys : )
    Well... my problem is very weird.
    Let me explain...
    I have a router on which I used to have DD-WRT until some days ago.
    I had my openvpn and everything worked fine.
    Just used the policies (in GUI) in order to make only some clients go through the VPN and Netflix had no problems whatsoever.
    Now for some reason I've been using Tomato (1.28.0000 -3.5-140 K26ARM USB AIO-64K) and can't make it work anymore.
    Well... if I let everything go through the VPN, it works.
    If I use the routing policy only for one client (or for Netflix domains or both), I can access the American list... but when I start playing the movie, I see the famous problem...
    I don't have my ISP's DNS servers stored...
    I tried to set for instance 1.1.1.1 directly on my Mac but nothing changed.
    If I make a traceroute on port 53 using nmap... I do use the VPN! I can see it!
    If I do a dns leak test... it looks fine...
    I know that there are a lot of complicated things you guys talk about here (ipset, scripts and so on) but in this case I really think it is about one stupid rule but I don't understand what it is...
    I would like to make Netflix work on some specific clients... and if I could make it work on any client just using the domain instead of the IP, that'd be much better also XD

    Now... of course I'm going to have a look at your previous solutions (thank you Eibgrad for all your suggestions) but I really hope you can suggest something simple because this thing is really weird XD

    thanks

    p.s. I flushed the DNS cache on my Mac and tried to use an American DNS directly on my Mac (like 199.101.81.97)
    p.p.s. in my case, it doesn't even work if I set the VPN on my computer directly... and not even setting the internal 10.x.x.x vpn DNS works... (I told Tunnelblick to make everything go through the vpn but it doesn't work).
    It only works if I let everything from every client go through the vpn (when it's on Tomato)

    So: what is it that has been leaked? Because I don't know if it's really a DNS query!!!
     
    Last edited: Apr 7, 2019
  2. Sean B.

    Sean B. Network Guru Member

    Under Advanced->DHCP/dns do you have the option "Intercept DNS" enabled? You likely do, and that needs to be disabled.
     
  3. Netsurfer

    Netsurfer New Member Member

    Hi! No I have it disabled... BTW I did it... but I'm not sure if everything I did is necessary.
    I added some iptables rules and some dnsmasq configurations...
    I'm gonna do some other tests and I'll come back and write why it works now.
    BTW I don't like it... because I would like to send only Netflix connections from every client through the VPN... but at least it's something, now that it works...
     
  4. rs232

    rs232 Network Guru Member


    I have the same issue with IPTV. Where I live IPTV is blocked during the time when football/soccer games are on. It's actually legislation, so the ISPs have to adhere to it. If you ask me this is nonsense because you might have a legitimate IPTV service and/or not be watching football/soccer, but whatever... I really don't want to go into politics, so just talking about the technical side: what I can tell you is very similar to what you're experiencing.

    BTW IPTV is possibly way more simple, as all it does is call a URL (via m3u) containing a .ts stream. So there are no cookies, scripts or anything else you might get on the web.

    Using a VPN client on my end device does make IPTV work. Using routing policy does not!

    So talking about VPN policy routing only: what is strange is that a traceroute does indeed make the traffic go via the VPN, so it is going the right way. I too thought about DNS, but if you think about it, this makes no sense, as an nslookup from the end station does resolve correctly.

    I went as far as sniffing traffic with Wireshark and so far I had no hint whatsoever of what the issue might be. So thanks for bringing this up.

    Do you mind sharing your findings e.g. iptables/dnsmasq modifications? Even if not perfect we can work on this together.
     
    Last edited: Apr 8, 2019
  5. Netsurfer

    Netsurfer New Member Member

    Sure in 12 hours tops I'll do.
    I would like to be sure about what is actually needed though XD
     
  6. eibgrad

    eibgrad Network Guru Member

    Not quite sure I understand what the OP is really looking for here in terms of a solution (is this a DNS problem?? do you want Netflix to be forced over the WAN??), but perhaps the following will help. It's a script I wrote quite some time ago that uses ipset to redirect specific domains over the WAN, irrespective of how the VPN is configured.

    https://pastebin.com/tpmCCpZS

    You simply list all your Netflix domains in DNSMasq's Custom Configuration field (as described in the script), and as the resolved domain names are added to the ipset's hash table, they are forced over the WAN using an alternate routing table that points to the WAN. Of course, it only works as well as your ability to identify all the domains used by Netflix (there are several). What follows is the most recent information I have on those domains (might not be current).

    Code:
    ipset=/nflxvideo.net/netflix.com/nflximg.net/nflxext.com/lan2wan
     
  7. Netsurfer

    Netsurfer New Member Member

    Sorry rs232 but I don't know yet what is absolutely necessary.
    Let me explain.
    Yesterday what I did was:
    - adding this in Dnsmasq
    Code:
    # hand the VPN resolver (via DHCP) only to clients tagged "vpn"
    dhcp-option=tag:vpn,option:dns-server,10.10.21.65
    # tag the Mac (MacAddress = its MAC address) and pin it to 192.168.1.20
    dhcp-host=MacAddress,set:vpn,MacProETH,192.168.1.20
    
    where 10.10.21.65 is the vpn dns server and 192.168.1.20 is the computer I want to go through the vpn

    - adding this in iptables

    Code:
    # kill switch: drop anything from this client that would not leave through the VPN tunnel
    iptables -I FORWARD ! -o tun11 -s 192.168.1.20 -j DROP
    # send this client's DNS queries (UDP and TCP port 53) to the VPN resolver
    iptables -t nat -I PREROUTING -i br0 -s 192.168.1.20 -p udp --dport 53 -j DNAT --to 10.10.21.65
    iptables -t nat -I PREROUTING -i br0 -s 192.168.1.20 -p tcp --dport 53 -j DNAT --to 10.10.21.65
    
    - putting 192.168.1.20 in Routing Policy

    I don't remember what dns I used on my Mac, perhaps not the vpn one

    It worked.

    Now I only added the IP into Routing Policy and the vpn dns on my Mac... no dnsmasq and no iptables... and it works...

    If I use 1.1.1.1 on my Mac I need the iptables rules... and it works (it works without the first rule too... but you can use it just to be sure)

    So... you have to decide what to do depending on what you need...

    p.s. I always have Ignore Redirect Gateway (route-nopull) checked
     
  8. Netsurfer

    Netsurfer New Member Member

    Thanks eibgrad, what I would like is:

    VPN is on and no one is using it. Computer A decides to use Netflix. You start the browser on that computer, go on Netflix and it works. Only Netflix connection on that computer uses the VPN while all the other connections don't.
    And the same for any other client that decides to start Netflix.

    BTW I'm gonna try to have a look and understand your script.

    Thanks : )
     
  9. Netsurfer

    Netsurfer New Member Member

    I did it!!!!!

    192.168.1.1 as DNS on my Mac (that is my router of course)

    Dnsmasq:
    Code:
    # forward these domains (and all their subdomains) to the VPN resolver
    server=/netflix.com/10.10.21.65
    server=/nflxvideo.net/10.10.21.65
    server=/nflxext.com/10.10.21.65
    

    Routing Policy:

    To Domain Netflix.com
    To Domain nflxvideo.net
    To Domain nflxext.com
    To Destination IP VPN_DNS_IP (I couldn't ping it without this...)

    XD

    p.s. there are also two previous messages awaiting moderator approval : )

    p.p.s.
    little off topic:

    does Amazon Prime Video work like Netflix for this stuff?

    Can a European Prime Customer access Amazon Video Usa? :p
     
    Last edited: Apr 9, 2019
  10. Netsurfer

    Netsurfer New Member Member

    little problem:

    I rebooted the router and now I can't reach 10.10.21.65 from the router... it only works if I do a ping -I tun11... so all the rules don't work either... I have to figure out why : )

    edit: I removed To Destination IP 10.10.21.65 (that I had to add before, I don't know...) and now that VPN IP can be reached from the router and from the clients (it shouldn't be necessary from the clients I think but it works)

    edit2: I rebooted again and again can't ping it (I removed To Destination IP 10.10.21.65...)

    Just have to figure out why... perhaps I need some static route I don't know

    BTW if, when I reboot, I can ping that vpn dns, everything works fine

    p.s. I don't know if this might matter but my ISP has a big MAN with 10.x.x.x in it...

    A user even with a public IP goes through some 10.x.x.x before reaching the external internet...
     
    Last edited: Apr 9, 2019
  11. eibgrad

    eibgrad Network Guru Member

    Hmm, like I've said repeatedly here, I'm not sure what you're attempting to accomplish here. Based on your latest response, I take it you want those Netflix domains resolved by a specific DNS server, and using policy based routing, you want that DNS server to be forced over the VPN?? WAN??

    Around here, the most common issue w/ Netflix is having a VPN, wanting Netflix to work over the VPN, but having Netflix reject the connection because it's over a VPN. So we use ipset to force all the Netflix domains over the *WAN* while the VPN is active. Now Netflix works again.

    So maybe it's me. Maybe I'm just not getting it. You seem to be making a lot of changes and providing a lot of feedback, but I just can't figure out the goal here, and why these particular changes you're making are relevant. Maybe someone else will have better luck helping you out.
     
  12. Netsurfer

    Netsurfer New Member Member

    That's because the other post isn't readable yet, but yeah, you got it :p

    I paste it here

    Thanks eibgrad, what I would like is:
    VPN is on and no one is using it. Computer A decides to use Netflix. You start the browser on that computer, go on Netflix and it works. Only Netflix connection on that computer uses the VPN while all the other connections don't.
    And the same for any other client that decides to start Netflix.

    BTW I'm gonna try to have a look and understand your script.

    Thanks : )

    and the post before that

    Sorry rs232 but I don't know yet what is absolutely necessary.
    Let me explain.
    Yesterday what I did was:
    - adding this in Dnsmasq
    Code:
    # hand the VPN resolver (via DHCP) only to clients tagged "vpn"
    dhcp-option=tag:vpn,option:dns-server,10.10.21.65
    # tag the Mac (MacAddress = its MAC address) and pin it to 192.168.1.20
    dhcp-host=MacAddress,set:vpn,MacProETH,192.168.1.20
    
    where 10.10.21.65 is the vpn dns server and 192.168.1.20 is the computer I want to go through the vpn

    - adding this in iptables

    Code:
    # kill switch: drop anything from this client that would not leave through the VPN tunnel
    iptables -I FORWARD ! -o tun11 -s 192.168.1.20 -j DROP
    # send this client's DNS queries (UDP and TCP port 53) to the VPN resolver
    iptables -t nat -I PREROUTING -i br0 -s 192.168.1.20 -p udp --dport 53 -j DNAT --to 10.10.21.65
    iptables -t nat -I PREROUTING -i br0 -s 192.168.1.20 -p tcp --dport 53 -j DNAT --to 10.10.21.65
    
    - putting 192.168.1.20 in Routing Policy

    I don't remember what dns I used on my Mac, perhaps not the vpn one

    It worked.

    Now I only added the IP into Routing Policy and the vpn dns on my Mac... no dnsmasq and no iptables... and it works...

    If I use 1.1.1.1 on my Mac I need the iptables rules... and it works (it works without the first rule too... but you can use it just to be sure)

    So... you have to decide what to do depending on what you need...

    p.s. I always have Ignore Redirect Gateway (route-nopull) checked
     
    Last edited: Apr 9, 2019
  13. Netsurfer

    Netsurfer New Member Member

    I figured it out: the dns IP changes... that's why I couldn't ping it :\

    with the right dns (or with another way to reach the vpn dns) it works without any script or other complicated things : )
     
  14. Netsurfer

    Netsurfer New Member Member

    Now, my problem is:

    if I use the internal vpn dns (10.x.x.x) in dnsmasq it works, but every time the vpn goes down that IP changes...
    If I use another dns it doesn't work anymore, even if every kind of dns query goes through the vpn, those ones I do using the terminal on Tomato included...
    Does anyone know what is leaked before I start using wireshark?
     
  15. Netsurfer

    Netsurfer New Member Member

    I just found out the public IP I connect to for my VPN is a DNS itself so I solved that problem too.
    In order to do a recap:

    My goal was to make Netflix USA work on my clients without making them go through the VPN for all their connections.

    In order to do so, what I did is:

    Dnsmasq
    -
    Code:
    # forward these domains (and all their subdomains) to the VPN resolver
    server=/netflix.com/VPN_DNS_IP
    server=/nflxvideo.net/VPN_DNS_IP
    server=/nflxext.com/VPN_DNS_IP
    
    and

    Routing Policy
    To Domain netflix.com
    To Domain nflxvideo.net
    To Domain nflxext.com

    Nothing else.

    Now if I want to use Netflix on a computer, it just works without doing anything else.

    This is different for apps though (because what I did wasn't working anymore).

    For my smart tv I added its IP as source in Routing Policy and this rule in iptables
    Code:
    # kill switch for the TV: drop its traffic unless it leaves through the VPN tunnel
    iptables -I FORWARD ! -o tun11 -s 192.168.1.50 -j DROP
    
    That means everything goes through the VPN obviously...

    I might investigate more in order to avoid that (some On Demand things don't work anymore in my country because now my tv is connecting "from" USA) but now it's not a big problem for me.

    If I find out how to solve this last problem I'll come back and explain it.

    Hope what I wrote helps someone.
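    As an added example (not code from this thread, from Tomato or from dnsmasq), the script below simulates how dnsmasq picks an upstream for the server=/domain/ lines in the recap above and which ipset the answers land in for the ipset= line from eibgrad's post, so you can check which hostnames would still fall through to the default resolver. VPN_DNS_IP is the page's placeholder, and the hostnames fed in are constructed.

```python
import re

DEFAULT_UPSTREAM = "default"   # dnsmasq's ordinary upstream resolvers

# Constructed sample: the recap's server= lines merged onto one line (dnsmasq
# accepts several domains per line) plus eibgrad's ipset= line.
SAMPLE_CONFIG = """\
# forward Netflix lookups to the resolver reachable through the VPN
server=/netflix.com/nflxvideo.net/nflxext.com/VPN_DNS_IP
# collect resolved Netflix addresses in an ipset for policy routing
ipset=/nflxvideo.net/netflix.com/nflximg.net/nflxext.com/lan2wan
"""

def parse_config(text):
    """Return ({domain: upstream}, {domain: ipset}) from server=/ipset= lines."""
    servers, ipsets = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(server|ipset)=/(.+)/([^/]+)$", line)
        if line.startswith("#") or not m:
            continue
        kind, domains, target = m.groups()
        if kind == "server" and target == "#":   # '#' means: use the default upstream
            target = DEFAULT_UPSTREAM
        for d in domains.split("/"):
            d = d.strip(".").lower()
            if d:
                (servers if kind == "server" else ipsets)[d] = target
    return servers, ipsets

def longest_match(name, table):
    """A /domain/ entry applies to the domain itself and to its subdomains,
    label-aligned; the most specific matching entry wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return None

def resolve_plan(name, servers, ipsets):
    """(upstream that answers `name`, ipset its answers are added to or None)."""
    return (longest_match(name, servers) or DEFAULT_UPSTREAM,
            longest_match(name, ipsets))

def leaking(names, servers):
    """Hostnames whose lookups go to the default upstream, i.e. outside the
    per-domain forwarding and therefore answered by the non-VPN resolver."""
    return [n for n in names if longest_match(n, servers) is None]

if __name__ == "__main__":
    srv, sets = parse_config(SAMPLE_CONFIG)
    for host in ["api-global.netflix.com", "assets.nflximg.net", "www.example.com"]:
        print(host, resolve_plan(host, srv, sets))   # constructed hostnames
    print("not covered by server=:", leaking(["assets.nflximg.net"], srv))
```

    Note that nflximg.net is in the ipset= list but not in the recap's server= lines, so a lookup under it is tagged for policy routing yet still resolved by the default upstream.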
     
  16. Sean B.

    Sean B. Network Guru Member

    I don't use netflix, nor pipe it over a VPN, so I'm not familiar with what all is required to trick it into a different region. But as far as the DNS part:

    The TV app may be using DNS servers that are either coded into the app, or are given to it each time the app checks in, rather than the ones the TV received via DHCP. To get around this you can intercept DNS queries from the TV, providing they still use the standard port 53.

    Code:
    iptables -t nat -A PREROUTING -s IP.OF.TV ! -d IP.OF.ROUTER -p udp --dport 53 -j DNAT --to-destination IP.OF.ROUTER
    This will intercept udp traffic with the destination port 53 coming from your TV that is not already destined for your router, and send it to the router. As you have server= rules configured on the router, any matching queries from the TV will be answered by your VPN DNS as they are for other clients.
     
  17. Netsurfer

    Netsurfer New Member Member

    I directly used the option in GUI for all the clients (that one you asked me about in the first answer) and it works!
    Thank you! : )
     
  18. Sean B.

    Sean B. Network Guru Member

    Ah, yes, that will do the same thing. As long as having all DNS queries from your LAN intercepted by the router is what you want, or is acceptable. Glad it works.
     