Selective Routing for Netflix

[Xentrk]

@Patje

I created this version so the iptable routing rules for Plex.TV are before the Netflix and Amazon ipset lists, which will give them the higher priority. This will help debug what is going on.

Spoiler: create_routing_rules

create_routing_rules () {
# route plex.tv domains to OPVNC1
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.72.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 50.18.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.169.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.241.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.176.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN"
}

Download:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Plex.sh" -o "/jffs/scripts/IPSET_Netflix_Plex.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Plex.sh"

You may need to update this section to configure to your setup

# Define Interface/bitmask for interfaces
# 0x7000/0x7000- WAN
# 0x1000/0x1000 - VPN Client 1
# 0x2000/0x2000 - VPN Client 2
# 0x3000/0x3000 - VPN Client 3
# 0x4000/0x4000 - VPN Client 4
# 0x5000/0x5000 - VPN Client 5
FWMARK_WAN="0x7000/0x7000"
FWMARK_OVPNC1="0x1000/0x1000"

To see if you have pkts going thru the iptables chain, type the command

iptables -nvL PREROUTING -t mangle --line

 

[Patje]

@Patje

I created this version so the iptable routing rules for Plex.TV are before the Netflix and Amazon ipset lists, which will give them the higher priority. This will help debug what is going on.

Spoiler: create_routing_rules

create_routing_rules () {
# route plex.tv domains to OPVNC1
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.72.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 50.18.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.169.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.241.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.176.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN"
}

Download:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Plex.sh" -o "/jffs/scripts/IPSET_Netflix_Plex.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Plex.sh"

You may need to update this section to configure to your setup

# Define Interface/bitmask for interfaces
# 0x7000/0x7000- WAN
# 0x1000/0x1000 - VPN Client 1
# 0x2000/0x2000 - VPN Client 2
# 0x3000/0x3000 - VPN Client 3
# 0x4000/0x4000 - VPN Client 4
# 0x5000/0x5000 - VPN Client 5
FWMARK_WAN="0x7000/0x7000"
FWMARK_OVPNC1="0x1000/0x1000"

To see if you have pkts going thru the iptables chain, type the command

iptables -nvL PREROUTING -t mangle --line

Hello Xentrk,

I'm to busy today, try to do some tests tommorow.

kr.,
Patrick

 

[Xentrk]

Hello Xentrk,

I'm to busy today, try to do some tests tommorow.

kr.,
Patrick

No hurry. I did test with the list on github today. But it is deprecated. I'm going to stop trying to find another source list and will stick with the ASN list for now. Plex.TV domains are Amazon AWS in the EU. In the script in the test branch, I am only pulling Amazon AWS addresses in the US region. In theory, there should not have been a conflict. Hopefully this version will tell us more with what is going on.

 

[Patje]

He

@Patje

I created this version so the iptable routing rules for Plex.TV are before the Netflix and Amazon ipset lists, which will give them the higher priority. This will help debug what is going on.

Spoiler: create_routing_rules

create_routing_rules () {
# route plex.tv domains to OPVNC1
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.72.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 50.18.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 184.169.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.241.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"
iptables -t mangle -A PREROUTING -i br0 -p tcp -d 54.176.0.0/16 -j MARK --set-mark "$FWMARK_OVPNC1"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN"

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set x3mRouting_AMAZONAWS_US dst,dst -j MARK --set-mark "$FWMARK_WAN"
}

Download:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Plex.sh" -o "/jffs/scripts/IPSET_Netflix_Plex.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Plex.sh"

You may need to update this section to configure to your setup

# Define Interface/bitmask for interfaces
# 0x7000/0x7000- WAN
# 0x1000/0x1000 - VPN Client 1
# 0x2000/0x2000 - VPN Client 2
# 0x3000/0x3000 - VPN Client 3
# 0x4000/0x4000 - VPN Client 4
# 0x5000/0x5000 - VPN Client 5
FWMARK_WAN="0x7000/0x7000"
FWMARK_OVPNC1="0x1000/0x1000"

To see if you have pkts going thru the iptables chain, type the command

iptables -nvL PREROUTING -t mangle --line

Hello Xentrk,

I downloaded the script "IPSET_Netflix_Plex.sh" from the code and ran it.

iptables -nvL PREROUTING -t mangle --line returns:

Spoiler

Chain PREROUTING (policy ACCEPT 68 packets, 17068 bytes)

num pkts bytes target prot opt in out source destination

1 48 18427 MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

2 3116 1133K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

3 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

4 0 0 MARK tcp -- br0 * 0.0.0.0/0 184.72.0.0/16 MARK or 0x1000

5 0 0 MARK tcp -- br0 * 0.0.0.0/0 50.18.0.0/16 MARK or 0x1000

6 0 0 MARK tcp -- br0 * 0.0.0.0/0 184.169.0.0/16 MARK or 0x1000

7 0 0 MARK tcp -- br0 * 0.0.0.0/0 54.241.0.0/16 MARK or 0x1000

8 0 0 MARK tcp -- br0 * 0.0.0.0/0 54.176.0.0/16 MARK or 0x1000

9 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst,dst MARK or 0x7000

10 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS_US dst,dst MARK or 0x7000

1st - Netflix doesn't work anymore
2nd - my MacBook uses the vpn-1 tunnel, but Kodi, installed on the same MacBook suddenly uses the vpn-2 tunnel
3rd - Plex goes trough the vpn-1 tunnel as aspected.

kr.,
Patrick

 

[Xentrk]

He


Hello Xentrk,

I downloaded the script "IPSET_Netflix_Plex.sh" from the code and ran it.

iptables -nvL PREROUTING -t mangle --line returns:

Spoiler

Chain PREROUTING (policy ACCEPT 68 packets, 17068 bytes)

num pkts bytes target prot opt in out source destination

1 48 18427 MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

2 3116 1133K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

3 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

4 0 0 MARK tcp -- br0 * 0.0.0.0/0 184.72.0.0/16 MARK or 0x1000

5 0 0 MARK tcp -- br0 * 0.0.0.0/0 50.18.0.0/16 MARK or 0x1000

6 0 0 MARK tcp -- br0 * 0.0.0.0/0 184.169.0.0/16 MARK or 0x1000

7 0 0 MARK tcp -- br0 * 0.0.0.0/0 54.241.0.0/16 MARK or 0x1000

8 0 0 MARK tcp -- br0 * 0.0.0.0/0 54.176.0.0/16 MARK or 0x1000

9 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst,dst MARK or 0x7000

10 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS_US dst,dst MARK or 0x7000

1st - Netflix doesn't work anymore
2nd - my MacBook uses the vpn-1 tunnel, but Kodi, installed on the same MacBook suddenly uses the vpn-2 tunnel
3rd - Plex goes trough the vpn-1 tunnel as aspected.

kr.,
Patrick

Interesting, I suspect that in your region, Netflix traffic is not being sent to Amazon AWS servers in US. I don’t see any packets traversing the Plex.TV, Amazon or Netflix IPSET list chains. CDN providers may be in play e.g. Akamai, which is preventing the script from working.

The script may also not be accommodating the fact that you have two VPN clients running. I am working on a complete selective routing package that may be more useful for you setup that takes all of this into account and is easy to configure to each persons local network.

Despite this, we need better insight into the domains being queried when you use Netflix. Since you have AB-Solution installed, we can take advantage of the dnsmasq logging that takes place to the /tmp/mnt/absolution/adblocking/logs/dnsmasq.log file.

Add these shortcuts to /jffs/configs/profile.add to make it easier to navigate to the AB-Solution log file directory and the /jffs/scripts & /jffs/configs directories:

alias abl='cd /tmp/mnt/absolution/adblocking/logs'
alias js='cd /jffs/scripts'
alias jc='cd /jffs/configs'

Then, open up a new SSH session to they take effect.

This script is called getdomainnames.sh

#!/bin/sh
set -x
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_domains
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/tmp/mnt/absolution/adblocking/logs/$1
output_file="${source_file}_domains"
cat $source_file | grep query | grep 192.168.22.157 | awk '{ print $6 }' | sort -u > "$output_file"

Copy it to /jffs/scripts/getdomainnames.sh and make it executable e.g. chmod 755 getdomainnames.sh

Change the IP reference in the script to match the IP address of the device you will be streaming Netflix from. Close the script. Type abl to navigate to the ABS log file directory.

Turn off VPN for this test so your Netflix traffic can traverse thru the WAN without impedance.

Type

tail -f dnsmasq.log > Netflix

Now, go to the device you are watching Netflix from. Navigate around and watch several videos to generate traffic.

When done, press ctrl-C to stop logging to the Netflix file.

You can type js to navigate back to the /jffs/scripts directory and run getdomannames.sh. You must pass the file name as a parameter.

./jffs/scripts/getdomainnames.sh Netflix

This will create a file called Netflix_domains n the /tmp/mnt/absolution/adblocking/logs directory. We can now see the domains being called using your ISP and region.

I have had great luck using the ipset method in Post #217 when CDNs are involved.

You can try that approach over the weekend.

 

[Patje]

Interesting, I suspect that in your region, Netflix traffic is not being sent to Amazon AWS servers in US. I don’t see any packets traversing the Plex.TV, Amazon or Netflix IPSET list chains. CDN providers may be in play e.g. Akamai, which is preventing the script from working.

The script may also not be accommodating the fact that you have two VPN clients running. I am working on a complete selective routing package that may be more useful for you setup that takes all of this into account and is easy to configure to each persons local network.

Despite this, we need better insight into the domains being queried when you use Netflix. Since you have AB-Solution installed, we can take advantage of the dnsmasq logging that takes place to the /tmp/mnt/absolution/adblocking/logs/dnsmasq.log file.

Add these shortcuts to /jffs/configs/profile.add to make it easier to navigate to the AB-Solution log file directory and the /jffs/scripts & /jffs/configs directories:

alias abl='cd /tmp/mnt/absolution/adblocking/logs'
alias js='cd /jffs/scripts'
alias jc='cd /jffs/configs'

Then, open up a new SSH session to they take effect.

This script is called getdomainnames.sh

#!/bin/sh
set -x
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_domains
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/tmp/mnt/absolution/adblocking/logs/$1
output_file="${source_file}_domains"
cat $source_file | grep query | grep 192.168.22.157 | awk '{ print $6 }' | sort -u > "$output_file"

Copy it to /jffs/scripts/getdomainnames.sh and make it executable e.g. chmod 755 getdomainnames.sh

Change the IP reference in the script to match the IP address of the device you will be streaming Netflix from. Close the script. Type abl to navigate to the ABS log file directory.

Turn off VPN for this test so your Netflix traffic can traverse thru the WAN without impedance.

Type

tail -f dnsmasq.log > Netflix

Now, go to the device you are watching Netflix from. Navigate around and watch several videos to generate traffic.

When done, press ctrl-C to stop logging to the Netflix file.

You can type js to navigate back to the /jffs/scripts directory and run getdomannames.sh. You must pass the file name as a parameter.

./jffs/scripts/getdomainnames.sh Netflix

This will create a file called Netflix_domains n the /tmp/mnt/absolution/adblocking/logs directory. We can now see the domains being called using your ISP and region.

I have had great luck using the ipset method in Post #217 when CDNs are involved.

You can try that approach over the weekend.

Hello xentrk,

I've modified the script a little bit because absolution runs in a different folder on my system but the test looks good and i've collected some domains in Netflix_domains:

Spoiler: Netflix_domains

ac667j44z64ozsnsgjis6.r.nflxso.net
adservice.google.nl
ae.nflximg.net
anycast.ftl.netflix.com
art-s.nflximg.net
assets.nflxext.com
bolt.dropbox.com
bolt.v.dropbox.com
client.dropbox.com
cm.g.doubleclick.net
e12690.f.akamaiedge.net
e13252.dscg.akamaiedge.net
ftl-1-2433-9999.ixunicast.nflxso.net
future.prod.ftl.netflix.com
gateway.fe.apple-dns.net
gateway.icloud.com
ichnaea-web.geo.netflix.com
ichnaea-web.netflix.com
ichnaea-web.us-east-1.prodaa.netflix.com
ipv4-c054-ams001-ix.1.oca.nflxvideo.net
ipv4-c055-ams001-ix.1.oca.nflxvideo.net
ipv4-c057-ams001-ix.1.oca.nflxvideo.net
ipv4-c058-ams001-ix.1.oca.nflxvideo.net
ipv4-c062-ams001-ix.1.oca.nflxvideo.net
ipv4-c064-ams001-ix.1.oca.nflxvideo.net
ipv4-c075-ams001-ix.1.oca.nflxvideo.net
ipv4-c078-ams001-ix.1.oca.nflxvideo.net
ipv4-c085-ams001-ix.1.oca.nflxvideo.net
ipv4-c086-ams001-ix.1.oca.nflxvideo.net
ipv4-c089-ams001-ix.1.oca.nflxvideo.net
ipv4-c091-ams001-ix.1.oca.nflxvideo.net
ipv4-c093-ams001-ix.1.oca.nflxvideo.net
ipv4-c094-ams001-ix.1.oca.nflxvideo.net
ipv4-c098-ams001-ix.1.oca.nflxvideo.net
ipv4-c101-ams001-ix.1.oca.nflxvideo.net
ipv4-c102-ams001-ix.1.oca.nflxvideo.net
ipv4-c105-ams001-ix.1.oca.nflxvideo.net
ipv4-c115-ams001-ix.1.oca.nflxvideo.net
ipv4-c116-ams001-ix.1.oca.nflxvideo.net
ipv4-c118-ams001-ix.1.oca.nflxvideo.net
ipv4-c121-ams001-ix.1.oca.nflxvideo.net
ipv4-c122-ams001-ix.1.oca.nflxvideo.net
ipv4-c124-ams001-ix.1.oca.nflxvideo.net
ipv4-c125-ams001-ix.1.oca.nflxvideo.net
ipv4-c129-ams001-ix.1.oca.nflxvideo.net
ipv4-c136-ams001-ix.1.oca.nflxvideo.net
ipv4-c138-ams001-ix.1.oca.nflxvideo.net
ipv4-c139-ams001-ix.1.oca.nflxvideo.net
ipv4-c142-ams001-ix.1.oca.nflxvideo.net
ipv4-c145-ams001-ix.1.oca.nflxvideo.net
ipv4-c146-ams001-ix.1.oca.nflxvideo.net
ipv4-c150-ams001-ix.1.oca.nflxvideo.net
ipv4-c153-ams001-ix.1.oca.nflxvideo.net
ipv4-c154-ams001-ix.1.oca.nflxvideo.net
ipv4-c155-ams001-ix.1.oca.nflxvideo.net
ipv4-c157-ams001-ix.1.oca.nflxvideo.net
moderate.ftl.netflix.com
oca-api.netflix.com
oca-api.us-east-1.prodaa.netflix.com
occ-0-769-768.1.nflxso.net
pagead.l.doubleclick.net
pagead46.l.doubleclick.net
push.prod.netflix.com
push.prod.us-east-1.prodaa.netflix.com
s.btstatic.com
s.thebrighttag.com
sha2.san.akam.nflximg.net
star-z-mini.c10r.facebook.com
td.thebrighttag.com
time-osx.g.aaplimg.com
time.euro.apple.com
userstream.twitter.com
www.facebook.com
www.google.nl
www.netflix.com
www.us-east-1.prodaa.netflix.com

Hopefully this helps

FYI
My region is Western Europe, the Netherlands


kr.,
Patrick

 

[Xentrk]

Hello xentrk,

I've modified the script a little bit because absolution runs in a different folder on my system but the test looks good and i've collected some domains in Netflix_domains:

Spoiler: Netflix_domains

ac667j44z64ozsnsgjis6.r.nflxso.net
adservice.google.nl
ae.nflximg.net
anycast.ftl.netflix.com
art-s.nflximg.net
assets.nflxext.com
bolt.dropbox.com
bolt.v.dropbox.com
client.dropbox.com
cm.g.doubleclick.net
e12690.f.akamaiedge.net
e13252.dscg.akamaiedge.net
ftl-1-2433-9999.ixunicast.nflxso.net
future.prod.ftl.netflix.com
gateway.fe.apple-dns.net
gateway.icloud.com
ichnaea-web.geo.netflix.com
ichnaea-web.netflix.com
ichnaea-web.us-east-1.prodaa.netflix.com
ipv4-c054-ams001-ix.1.oca.nflxvideo.net
ipv4-c055-ams001-ix.1.oca.nflxvideo.net
ipv4-c057-ams001-ix.1.oca.nflxvideo.net
ipv4-c058-ams001-ix.1.oca.nflxvideo.net
ipv4-c062-ams001-ix.1.oca.nflxvideo.net
ipv4-c064-ams001-ix.1.oca.nflxvideo.net
ipv4-c075-ams001-ix.1.oca.nflxvideo.net
ipv4-c078-ams001-ix.1.oca.nflxvideo.net
ipv4-c085-ams001-ix.1.oca.nflxvideo.net
ipv4-c086-ams001-ix.1.oca.nflxvideo.net
ipv4-c089-ams001-ix.1.oca.nflxvideo.net
ipv4-c091-ams001-ix.1.oca.nflxvideo.net
ipv4-c093-ams001-ix.1.oca.nflxvideo.net
ipv4-c094-ams001-ix.1.oca.nflxvideo.net
ipv4-c098-ams001-ix.1.oca.nflxvideo.net
ipv4-c101-ams001-ix.1.oca.nflxvideo.net
ipv4-c102-ams001-ix.1.oca.nflxvideo.net
ipv4-c105-ams001-ix.1.oca.nflxvideo.net
ipv4-c115-ams001-ix.1.oca.nflxvideo.net
ipv4-c116-ams001-ix.1.oca.nflxvideo.net
ipv4-c118-ams001-ix.1.oca.nflxvideo.net
ipv4-c121-ams001-ix.1.oca.nflxvideo.net
ipv4-c122-ams001-ix.1.oca.nflxvideo.net
ipv4-c124-ams001-ix.1.oca.nflxvideo.net
ipv4-c125-ams001-ix.1.oca.nflxvideo.net
ipv4-c129-ams001-ix.1.oca.nflxvideo.net
ipv4-c136-ams001-ix.1.oca.nflxvideo.net
ipv4-c138-ams001-ix.1.oca.nflxvideo.net
ipv4-c139-ams001-ix.1.oca.nflxvideo.net
ipv4-c142-ams001-ix.1.oca.nflxvideo.net
ipv4-c145-ams001-ix.1.oca.nflxvideo.net
ipv4-c146-ams001-ix.1.oca.nflxvideo.net
ipv4-c150-ams001-ix.1.oca.nflxvideo.net
ipv4-c153-ams001-ix.1.oca.nflxvideo.net
ipv4-c154-ams001-ix.1.oca.nflxvideo.net
ipv4-c155-ams001-ix.1.oca.nflxvideo.net
ipv4-c157-ams001-ix.1.oca.nflxvideo.net
moderate.ftl.netflix.com
oca-api.netflix.com
oca-api.us-east-1.prodaa.netflix.com
occ-0-769-768.1.nflxso.net
pagead.l.doubleclick.net
pagead46.l.doubleclick.net
push.prod.netflix.com
push.prod.us-east-1.prodaa.netflix.com
s.btstatic.com
s.thebrighttag.com
sha2.san.akam.nflximg.net
star-z-mini.c10r.facebook.com
td.thebrighttag.com
time-osx.g.aaplimg.com
time.euro.apple.com
userstream.twitter.com
www.facebook.com
www.google.nl
www.netflix.com
www.us-east-1.prodaa.netflix.com

Hopefully this helps

FYI
My region is Western Europe, the Netherlands


kr.,
Patrick

Thank you @Patje,

That information will help debug what is going on. sha2.san.akam.nflximg.net is one of the offending domains that is preventing it the script from working. nslookup yields IP 88.221.16.80 https://bgp.he.net/ip/88.221.16.80. Akamai is a CDN. I have had good luck using the ipset method to collect the domains. I'll look the list over in more detail tomorrow.

 

[Xentrk]

Hi @Patje,
Greetings from The Land of Smiles

I did some analysis on the domains. I think the best approach for now is to use the capabilities of ipset inside of dnsmasq to determine the IPv4 addresses required.

I have a project in development and was able to use existing code that is part of the project.

To download the script:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Domains.sh" -o "/jffs/scripts/IPSET_Netflix_Domains.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Domains.sh"

The entry

ipset=btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX

will be added to /jffs/configs/dnsmasq.conf.add if it's not found and restart dnsmasq. As you use Netflix, it will generate the IPv4 addresses and load them into the IPSET list NETFLIX. At 2AM, the current ipset list NETFLIX will be saved to /opt/tmp/NETFLIX. If the script works okay, call it from nat-start e.g. sh /jffs/scripts/IPSET_Netflix_Domains.sh. The script will populate the ipset list from the copy saved by the 2AM backup job on boot. You can save the current list anytime by typing ipset save NETFLIX > /opt/tmp/NETFLIX.

If there is still problems, I have one more domain we will need to add for Akamai. But I want to try to avoid it for now to see if the current domains are sufficient. I have had good luck with this technique. Especially when watching some streaming medis via a browser vs a streaming media device. In browser sessions, I tend to see more CDN domains when compared to a streaming media device. The ipset utility has been very helpful for these situations.

 

[Patje]

Hi @Patje,
Greetings from The Land of Smiles

I did some analysis on the domains. I think the best approach for now is to use the capabilities of ipset inside of dnsmasq to determine the IPv4 addresses required.

I have a project in development and was able to use existing code that is part of the project.

To download the script:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Domains.sh" -o "/jffs/scripts/IPSET_Netflix_Domains.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Domains.sh"

The entry

ipset=btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX

will be added to /jffs/configs/dnsmasq.conf.add if it's not found and restart dnsmasq. As you use Netflix, it will generate the IPv4 addresses and load them into the IPSET list NETFLIX. At 2AM, the current ipset list NETFLIX will be saved to /opt/tmp/NETFLIX. If the script works okay, call it from nat-start e.g. sh /jffs/scripts/IPSET_Netflix_Domains.sh. The script will populate the ipset list from the copy saved by the 2AM backup job on boot. You can save the current list anytime by typing ipset save NETFLIX > /opt/tmp/NETFLIX.

If there is still problems, I have one more domain we will need to add for Akamai. But I want to try to avoid it for now to see if the current domains are sufficient. I have had good luck with this technique. Especially when watching some streaming medis via a browser vs a streaming media device. In browser sessions, I tend to see more CDN domains when compared to a streaming media device. The ipset utility has been very helpful for these situations.

Hello Xentrk,

Sorry for not replying, but a bit busy last days.
Tonight I can do some tests again


kr.,
Patrick

 

[Martineau]

Download:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Plex.sh" -o "/jffs/scripts/IPSET_Netflix_Plex.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Plex.sh"

Do you have a fatal 'prio value' typo for the WAN fwmark tagging?

ip rule add fwmark "$FWMARK_WAN" table 254 prio 10000

should be
 
ip rule add fwmark "$FWMARK_WAN" table 254 prio 9990

and a non-fatal 'prio value' typo for the VPN Client 5 fwmark tagging?

ip rule add fwmark "$FWMARK_OVPNC5" table 115 prio 10800

should be

ip rule add fwmark "$FWMARK_OVPNC5" table 115 prio 10900

Also, rather than restrict the fwmark tagging rule to TCP only, perhaps you should also allow UDP traffic?

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN"

change to

iptables -t mangle -D PREROUTING -i br0  -m set --match-set NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN" > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0  -m set --match-set NETFLIX dst,dst -j MARK --set-mark "$FWMARK_WAN"

 

[Patje]

Do you have a fatal 'prio value' typo for the WAN fwmark tagging?

ip rule add fwmark "$FWMARK_WAN" table 254 prio 10000

should be
 
ip rule add fwmark "$FWMARK_WAN" table 254 prio 9990

and a non-fatal 'prio value' typo for the VPN Client 5 fwmark tagging?

ip rule add fwmark "$FWMARK_OVPNC5" table 115 prio 10800

should be

ip rule add fwmark "$FWMARK_OVPNC5" table 115 prio 10900

Then I'll wait with my test.


kr.,
Patrick

 

[Martineau]

Then I'll wait with my test.

If you could continue with yours tests, I'm sure @Xentrk would appreciate it, particularly if your testing time is limited and the time difference etc.

I could be wrong with my analysis.

 

[Patje]

Hi @Patje,
Greetings from The Land of Smiles

I did some analysis on the domains. I think the best approach for now is to use the capabilities of ipset inside of dnsmasq to determine the IPv4 addresses required.

I have a project in development and was able to use existing code that is part of the project.

To download the script:

/usr/sbin/curl --retry 3  "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/test-branch/IPSET_Netflix_Domains.sh" -o "/jffs/scripts/IPSET_Netflix_Domains.sh" && chmod 755 "/jffs/scripts/IPSET_Netflix_Domains.sh"

The entry

ipset=btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX

will be added to /jffs/configs/dnsmasq.conf.add if it's not found and restart dnsmasq. As you use Netflix, it will generate the IPv4 addresses and load them into the IPSET list NETFLIX. At 2AM, the current ipset list NETFLIX will be saved to /opt/tmp/NETFLIX. If the script works okay, call it from nat-start e.g. sh /jffs/scripts/IPSET_Netflix_Domains.sh. The script will populate the ipset list from the copy saved by the 2AM backup job on boot. You can save the current list anytime by typing ipset save NETFLIX > /opt/tmp/NETFLIX.

If there is still problems, I have one more domain we will need to add for Akamai. But I want to try to avoid it for now to see if the current domains are sufficient. I have had good luck with this technique. Especially when watching some streaming medis via a browser vs a streaming media device. In browser sessions, I tend to see more CDN domains when compared to a streaming media device. The ipset utility has been very helpful for these situations.

Hi Xentrk,

Still can't watch Netflix with a client connected to a VPN after running the script.
Kodi and Plex showing my VPN-IP as expected.

kr.,
Patrick

 

[Martineau]

Hi Xentrk,

Still can't watch Netflix with a client connected to a VPN after running the script.
Kodi and Plex showing my VPN-IP as expected.

Can you post the output of the following two commands?

ip rule

iptables -nvL PREROUTING -t mangle --line

 

[Patje]

Can you post the output of the following two commands?

ip rule

iptables -nvL PREROUTING -t mangle --line

Hi Martieau,

ip rule

Spoiler

0: from all lookup local

10000: from all fwmark 0x7000/0x7000 lookup main

10100: from all fwmark 0x1000/0x1000 lookup ovpnc1

10101: from 10.54.1.98 lookup ovpnc1

10102: from 10.54.1.210 lookup ovpnc1

10103: from 10.54.1.213 lookup ovpnc1

10300: from all fwmark 0x2000/0x2000 lookup ovpnc2

10301: from 10.54.1.99 lookup ovpnc2

10302: from 10.54.1.209 lookup ovpnc2

10303: from 10.54.1.201 lookup ovpnc2

10304: from 10.54.1.200 lookup ovpnc2

10500: from all fwmark 0x3000/0x3000 lookup ovpnc3

10700: from all fwmark 0x4000/0x4000 lookup ovpnc4

10800: from all fwmark 0x5000/0x5000 lookup ovpnc5

32766: from all lookup main

32767: from all lookup default

iptables -nvL PREROUTING -t mangle --line

Spoiler

Chain PREROUTING (policy ACCEPT 7301 packets, 3681K bytes)

num pkts bytes target prot opt in out source destination

1 423 219K MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

2 8136K 11G MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

3 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

4 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst,dst MARK or 0x7000

kr.,
Patrick

 

[Martineau]

Hi Martieau,

ip rule

Spoiler

0: from all lookup local

10000: from all fwmark 0x7000/0x7000 lookup main

10100: from all fwmark 0x1000/0x1000 lookup ovpnc1

10101: from 10.54.1.98 lookup ovpnc1

10102: from 10.54.1.210 lookup ovpnc1

10103: from 10.54.1.213 lookup ovpnc1

10300: from all fwmark 0x2000/0x2000 lookup ovpnc2

10301: from 10.54.1.99 lookup ovpnc2

10302: from 10.54.1.209 lookup ovpnc2

10303: from 10.54.1.201 lookup ovpnc2

10304: from 10.54.1.200 lookup ovpnc2

10500: from all fwmark 0x3000/0x3000 lookup ovpnc3

10700: from all fwmark 0x4000/0x4000 lookup ovpnc4

10800: from all fwmark 0x5000/0x5000 lookup ovpnc5

32766: from all lookup main

32767: from all lookup default

iptables -nvL PREROUTING -t mangle --line

Spoiler

Chain PREROUTING (policy ACCEPT 7301 packets, 3681K bytes)

num pkts bytes target prot opt in out source destination

1 423 219K MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

2 8136K 11G MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

3 0 0 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7

4 0 0 MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst,dst MARK or 0x7000

Perhaps try issuing

iptables -t mangle -D PREROUTING -p tcp -i br0  -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000
iptables -t mangle -A PREROUTING -i br0  -m set --match-set NETFLIX dst -j MARK --set-mark 0x7000/0x7000

ip rule add fwmark 0x7000/0x7000 lookup main prio 9990
ip route flush cache

 

[Xentrk]

Thanks for helping @Martineau! Good catch on the iptables above

I made changes to the script on github: removed "-p tcp", changed "ipset=btstatic.com/" to ipset=/btstatic.com/, fixed prior for the interfaces.

@Patje, try adding akamaiedge.net to the NETFLIX ipset list in dnsmasq.conf.add and lines 117, 119 and 123 in the script. When done type the command service restart_dnsmasq to make it active.

 printf "ipset=/btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX\n"

becomes

 printf "ipset=/akamaiedge.net/btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX\n"

 

[Patje]

Thanks for helping @Martineau! Good catch on the iptables above

I made changes to the script on github: removed "-p tcp", changed "ipset=btstatic.com/" to ipset=/btstatic.com/, fixed prior for the interfaces.

@Patje, try adding akamaiedge.net to the NETFLIX ipset list in dnsmasq.conf.add and lines 117, 119 and 123 in the script. When done type the command service restart_dnsmasq to make it active.

 printf "ipset=/btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX\n"

becomes

 printf "ipset=/akamaiedge.net/btstatic.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/thebrighttag.com/NETFLIX\n"

Hi Xentrk,

I tested with the modified version, but Netflix still has the streaming error.


kr.,
Patrick

 

[Xentrk]

Hi Xentrk,

I tested with the modified version, but Netflix still has the streaming error.


kr.,
Patrick

Thanks for the feedback. Sorry this has not worked for you. Perhaps there is a domain name that didn't make the list? I found with many of the streaming services, I need to generate the domains in dnsmasq.log by streaming on both a streaming media device in addition to a web browser to fully capture all the traffic, especially for the CDN domains. That is all I can thing of at this time. I had similar issues with one site and this was the only method that finally allowed me to capture all of the domains. I will perform more in depth analysis on the domain list you posted earlier. In the meantime, see if you can generate another domain name list using both a web browser and your media streaming device(s).

With all of the changes, check /jffs/configs/dnsmasq.conf.add and make sure you don't have a duplicate entry for the NETFLIX ipset list. If one exists, comment out the old one and restart dnsmasq.

Check that the NETFLIX ipset list has contents by running the liststats command and confirming you see a number > 0. Or, view the entries by typing ipset -L NETFLIX. The
iptables -nvL PREROUTING -t mangle --line command will tell us if packets are traversing the Chain for the 0x7000/0x7000 fwmark/bitmask combo.

 

[Xentrk]

I reviewed the domains again. Rather than adding an entry, I suggest we remove btstatic.com as this is an ad server. These are sorted unique domains. I don't see an entry for amazon aws servers though.

akamaiedge.net
netflix.com
nflxext.com
nflximg.net
nflxso.net
nflxvideo.net
thebrighttag.com

td.thebrighttag.com appears to be the Amazon domain in your region:

 nslookup td.thebrighttag.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      td.thebrighttag.com
Address 1: 52.198.158.144 ec2-52-198-158-144.ap-northeast-1.compute.amazonaws.com
Address 2: 52.199.89.250 ec2-52-199-89-250.ap-northeast-1.compute.amazonaws.com
Address 3: 13.115.92.121 ec2-13-115-92-121.ap-northeast-1.compute.amazonaws.com
Address 4: 52.68.114.140 ec2-52-68-114-140.ap-northeast-1.compute.amazonaws.com
Address 5: 54.150.223.2 ec2-54-150-223-2.ap-northeast-1.compute.amazonaws.com
Address 6: 54.65.1.116 ec2-54-65-1-116.ap-northeast-1.compute.amazonaws.com
Address 7: 54.64.95.88 ec2-54-64-95-88.ap-northeast-1.compute.amazonaws.com
Address 8: 54.64.137.216 ec2-54-64-137-216.ap-northeast-1.compute.amazonaws.com

The concern I have with putting akamaiedge.net on the list is that this CDN service may also be use for streaming media traffic you want to route over the VPN. So a conflict may occur. In this case, doing an nslookup or drill on the domain names may be preferred to avoid this. More on this below...

I guess for giggle and grins, you could add the entry amazonaws.com to the ipset list. But, be prepared for all of Amazon services to go out the WAN. I now restrict my Netflix traffic to only use AWS servers in US. There is another streaming service in the EU that I send to Amazon AWS to the EU.

But dnsmasq should be generating the IPv4 address and loading them into the ipset list NETFLIX. I know there is a conflict with AB-Solution, now Diversion and VPN where DNSMASQ is bypassed when Accept DNS Configuration=Exclusive on the VPN web gui.
service restart_dnsmasq command is sometimes required to get things to behave.

As I mentioned above, mining the IPv4 addresses from the domain names you mined in dnsmasq.log may be the preferred option.

I sorted the last domain name list you sent me and removed ad servers and domains that were the result of network traffic to develop the "filtered" list. This is another selective routing technique.

I placed the list of Domain Names in a file called /jffs/scripts/Patje/NETFLIX_DOMAINS

Spoiler: Domain Names

ac667j44z64ozsnsgjis6.r.nflxso.net
ae.nflximg.net
anycast.ftl.netflix.com
art-s.nflximg.net
assets.nflxext.com
e12690.f.akamaiedge.net
e13252.dscg.akamaiedge.net
ftl-1-2433-9999.ixunicast.nflxso.net
future.prod.ftl.netflix.com
ichnaea-web.geo.netflix.com
ichnaea-web.netflix.com
ichnaea-web.us-east-1.prodaa.netflix.com
ipv4-c054-ams001-ix.1.oca.nflxvideo.net
ipv4-c055-ams001-ix.1.oca.nflxvideo.net
ipv4-c057-ams001-ix.1.oca.nflxvideo.net
ipv4-c058-ams001-ix.1.oca.nflxvideo.net
ipv4-c062-ams001-ix.1.oca.nflxvideo.net
ipv4-c064-ams001-ix.1.oca.nflxvideo.net
ipv4-c075-ams001-ix.1.oca.nflxvideo.net
ipv4-c078-ams001-ix.1.oca.nflxvideo.net
ipv4-c085-ams001-ix.1.oca.nflxvideo.net
ipv4-c086-ams001-ix.1.oca.nflxvideo.net
ipv4-c089-ams001-ix.1.oca.nflxvideo.net
ipv4-c091-ams001-ix.1.oca.nflxvideo.net
ipv4-c093-ams001-ix.1.oca.nflxvideo.net
ipv4-c094-ams001-ix.1.oca.nflxvideo.net
ipv4-c098-ams001-ix.1.oca.nflxvideo.net
ipv4-c101-ams001-ix.1.oca.nflxvideo.net
ipv4-c102-ams001-ix.1.oca.nflxvideo.net
ipv4-c105-ams001-ix.1.oca.nflxvideo.net
ipv4-c115-ams001-ix.1.oca.nflxvideo.net
ipv4-c116-ams001-ix.1.oca.nflxvideo.net
ipv4-c118-ams001-ix.1.oca.nflxvideo.net
ipv4-c121-ams001-ix.1.oca.nflxvideo.net
ipv4-c122-ams001-ix.1.oca.nflxvideo.net
ipv4-c124-ams001-ix.1.oca.nflxvideo.net
ipv4-c125-ams001-ix.1.oca.nflxvideo.net
ipv4-c129-ams001-ix.1.oca.nflxvideo.net
ipv4-c136-ams001-ix.1.oca.nflxvideo.net
ipv4-c138-ams001-ix.1.oca.nflxvideo.net
ipv4-c139-ams001-ix.1.oca.nflxvideo.net
ipv4-c142-ams001-ix.1.oca.nflxvideo.net
ipv4-c145-ams001-ix.1.oca.nflxvideo.net
ipv4-c146-ams001-ix.1.oca.nflxvideo.net
ipv4-c150-ams001-ix.1.oca.nflxvideo.net
ipv4-c153-ams001-ix.1.oca.nflxvideo.net
ipv4-c154-ams001-ix.1.oca.nflxvideo.net
ipv4-c155-ams001-ix.1.oca.nflxvideo.net
ipv4-c157-ams001-ix.1.oca.nflxvideo.net
moderate.ftl.netflix.com
oca-api.netflix.com
oca-api.us-east-1.prodaa.netflix.com
occ-0-769-768.1.nflxso.net
push.prod.netflix.com
push.prod.us-east-1.prodaa.netflix.com
sha2.san.akam.nflximg.net
td.thebrighttag.com
www.netflix.com
www.us-east-1.prodaa.netflix.com

I ran this script to load the ipset list NETLIX. Requires that entware package drill be installed e.g. opkg install drill.

#!/bin/sh
set -x

lookup_domain () {
    for DNS in $(awk '{ print $1 }' /jffs/scripts/Patje/NETFLIX_DOMAINS)
        do
            drill -4 $DNS | grep -v SERVER | grep -E "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" | cut -f 5 >> /tmp/lookup_domain.$$
        done
    awk '{print "add NETFLIX " $1}' "/tmp/lookup_domain.$$" | ipset restore -!
}

lookup_IP () {
    for IP in $(awk '{ print $1 }' /tmp/lookup_domain.$$  )
        do
            whob "$IP" >> /jffs/scripts/Patje/NETFLIX_DOMAIN_DETAILS.txt
            printf '\n' >> /jffs/scripts/Patje/NETFLIX_DOMAIN_DETAILS.txt
        done
    rm /tmp/lookup_domain.$$
}

true > /tmp/lookup_domain.$$
true > /jffs/scripts/Patje/NETFLIX_DOMAIN_DETAILS.txt
ipset flush NETFLIX
lookup_domain
lookup_IP

It will also create a file called NETFLIX_DOMAIN_DETAILS.txt to help with the analysis of the domain names. It also provides useful information, like what ASN the IP belongs to, that can be of assistance.

IP: 45.57.40.1
Origin-AS: 40027
Prefix: 45.57.40.0/24
AS-Path: 18106 2906 40027
AS-Org-Name: Netflix Streaming Services Inc.
Org-Name: Netflix Streaming Services Inc.
Net-Name: SS-CDN-4
Cache-Date: 1535440483
Latitude: 39.738008
Longitude: -75.550353
City: Wilmington
Region: Delaware
Country: United States
Country-Code: US

IP: 23.42.146.206
Origin-AS: 45758
Prefix: 23.42.144.0/22
AS-Path: 18106 9505 45758
AS-Org-Name: Triple T Internet/Triple T Broadband
Org-Name: Akamai Technologies
Net-Name: AKAMAI
Cache-Date: 1535440483
Latitude: 32.783060
Longitude: -96.806670
City: Dallas
Region: Texas
Country: United States
Country-Code: US
<snip>