Netflix over WAN, all other traffic over PIAVPN, firewall rules don't seem to apply

tl;dr of problem: Netflix traffic still goes over VPN despite firewall rules. I suspect alias is wrong, despite following instructions. I live in Germany and am trying to access GERMAN netflix catalog, though will try US catalog later, perhaps with smartDNS.

More detail:
I’m only asking here after having spent 2 nights fighting with this and having read a lot of different tutorials. I’m not really sure what’s wrong as everything should line up.

I’ve set up my pfsense box according to the level1 techs video series.

I’ve got these manual outbound NAT rule generation settings and these LAN firewall rule settings. In that rule I’m using an alias for Netflix that includes the toplevel domains Netflix uses. I’ve also tried bulk uploading a global IP list as an alias (not just the US addresses as I’m in Germany) and that also did not work.

Every time I try to tracert from the firewall to netflix, regardless of source interface, it passes over the PIAVPN. I’m at a loss as to why my rules aren’t working. I was thinking maybe my NAT was wrong, but I’ve copied the settings from the video and also tried copying the settings from this step-by-step tutorial on the pfsense forums. No dice.

What am I missing?

Just to test, I set up a rule for privateinternetaccess to go over WAN and it worked, so I know it’s possible to route traffic via rules over different interfaces, but Netflix still won’t play nice and still goes over my VPN.

move your rule above all the other rules.

Tried that, no luck. :frowning:

That netflix rule does need to be above the other allow rules or it won’t work. What specifically is in your netflix alias? Because just the top level domains won’t work, you need to have all of the FQDNs for every netflix server your client tries to talk to, it doesn’t accept wildcards or anything like that.

What you can do to find out what you need to add to the alias is to run a packet sniffer like wireshark on your client machine and filter the DNS requests, then add all the domain names it looks up when you use netflix. It’s tedious but it works.

Although I know lots of people who’ve tried to get this working without any success. Using domain name aliases in the firewall rules is far from foolproof and for things with complex CDN systems like netflix it’s not all that reliable.

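One way to turn the "sniff the DNS requests" step above into an alias list, as an added example that is not from the thread: it takes the Info column of Wireshark's DNS packets (constructed sample lines here, not a real capture), keeps only client queries, and filters them to the parent domains you name. The suffix list is an assumption to adjust to what you actually observe; the output is one FQDN per line for a pfSense Host(s) alias.

```python
import re
from collections import Counter

# Constructed Wireshark "Info" column lines for DNS packets (not real capture data).
SAMPLE_DNS_INFO = """\
Standard query 0x1a2b A www.netflix.com
Standard query response 0x1a2b A www.netflix.com A 203.0.113.10
Standard query 0x1a2c AAAA www.netflix.com
Standard query 0x2001 A ipv4-c001-fra001-ix.1.oca.nflxvideo.net
Standard query 0x2002 A occ-0-1234-5678.1.nflxso.net
Standard query 0x2003 A assets.nflxext.com
Standard query 0x2004 A www.google.com
Standard query 0x2005 A api-global.netflix.com
Standard query 0x2001 A ipv4-c001-fra001-ix.1.oca.nflxvideo.net
"""

# Assumed parent domains of the service being policy-routed; adjust to what you observe.
NETFLIX_SUFFIXES = ("netflix.com", "nflxvideo.net", "nflxso.net", "nflxext.com", "nflximg.net")

# Matches a client question only; "Standard query response ..." lines do not match.
QUERY_RE = re.compile(r"^Standard query 0x[0-9a-fA-F]+ (A|AAAA|CNAME) (\S+)$")

def extract_fqdns(info_lines, suffixes=NETFLIX_SUFFIXES):
    """Return a Counter of distinct queried FQDNs under the given parent domains.
    The count shows how often each name was asked for (A and AAAA count separately)."""
    hits = Counter()
    for line in info_lines.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        name = m.group(2).rstrip(".").lower()
        if any(name == s or name.endswith("." + s) for s in suffixes):
            hits[name] += 1
    return hits

def alias_lines(hits):
    """One FQDN per line, sorted, ready to paste into a pfSense Host(s) alias."""
    return "\n".join(sorted(hits))

if __name__ == "__main__":
    print(alias_lines(extract_fqdns(SAMPLE_DNS_INFO)))
```

Run it against a real export (File -> Export Packet Dissections with a `dns` display filter, or the Info column pasted into a file) and re-run after a few viewing sessions, since CDN hostnames keep changing, which is the unreliability the post describes.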

I literally set up almost the same thing this afternoon. You may be having a different issue, but I got VPN vs nonVPN routing working seemingly perfectly, without VPN clients being able to connect if the VPN is down.

Below are the complete notes I took for myself, which should take you start to finish for setting up PIA on PFSense, with rules that allow certain clients (192.168.40.1-192.168.40.49) to use the normal internet, while others (192.168.40.50-192.168.40.200) are forced to use the VPN, and when the VPN is down they are NOT able to connect to the normal internet, as far as I can tell. Note that unlike in the Level1 video, you DO NOT need an internal CA for PIA. The Level1 video also missed a Misc setting which actually enforces the gateway selections you make; without it clients can use other gateways when the intended one is down (this is bad).

System -> Cert Manager -> CAs
#get ca.crt from here https://www.privateinternetaccess.com/pages/client-support/pfsense
New CA
CA name: PIA
Certificate Data: Copy text contents of crt, including begin and end certificate

VPN -> OpenVPN -> Clients
New Client
Protocol: UDP
Server host or address: COUNTRY.CITY.privateinternetaccess.com
Server port: 1198
Server hostname resolution: Ensure that “Infinitely resolve server” is checked.
User Authentication Settings: normal PIA login
TLS Authentication: Ensure “Enable authentication of TLS packets” is disabled.
Peer Certificate Authority: Select the PIA CA we setup.
Client Certificate: None (Username and/or Password required)
Encryption Algorithm: AES-128-CBC (128-bit).
Auth digest algorithm: SHA1 (160-bit).
Compression: Enabled with Adaptive Compression.
Disable IPv6: Ensure “Don’t forward IPv6 traffic” is checked.
Don’t pull routes (I added this): Checked
Custom options: Copy and paste the following into the custom options textbox:
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0

Status -> OpenVPN
#Should say Status is up
Status -> System Logs -> OpenVPN
#Should say “initialization sequence completed”

Interfaces -> Assign
Add ovpnc as an interface, click on the hyperlink for OP2 or whatever it becomes
Rename it to PIA
Enable Interface: Checked (If you don’t see gateways created for the VPN, you may have forgotten this step)

System -> Routing -> Gateways
Disable PIA_VPNV6 gateway
Set PIA_VPNV4 monitor IP 8.8.8.8 (or some random internet IP that you want to check. The monitoring goes through the VPN, so you don’t get false positives)
WAN_DHCP is default gateway

Firewall -> NAT -> Outbound
Outbound NAT mode: Manual outbound NAT
Copy each of the mappings and change the interfaces of the copies to PIA

Firewall -> Aliases -> IP
Create Alias NonVPN_Clients for ip addresses that won’t be VPN’d (192.168.40.1-192.168.40.49)
Create Alias VPN_Clients for IP addresses that will be VPN’d (192.168.40.50-192.168.40.200)
#Your aliases will vary depending what you’re doing, but the concept is the same

Firewall -> Rules -> LAN
Change Default IPV6 rule to block (personal preference, I don’t know IPV6)
Change Default IPV4 rule to Source: NonVPN_Clients (Specific to my setup, changing it from LAN net to something else excludes devices not in NonVPN_Clients. Don’t exclude your router’s ip (192.168.40.1 for me) or it may break your connection altogether, or prevent pfsense from getting updates and stuff)
Copy Default IPV4 rule, change Source: VPN_Clients and Gateway: PIA_VPNV4 (Specific to my setup, clients excluded from the above rule get included in this one. By changing the gateway to the VPN and excluding them above, these clients can only connect through the VPN gateway provided you set the Misc setting below)
Move anti-lockout rule to the top (just in case)

System -> Advanced -> Misc
Skip Rules when gateway is down: Enabled (IMPORTANT. Removes VPN_Clients rule when VPN is down, so they can’t access the internet. Without this enabled, the VPN_Clients were redirected to the normal gateway when the VPN is down. This is VERY bad because you don’t have control or knowledge over which gateways the clients use, which was the whole point of doing this)

Run through these steps and see what happens, hopefully it helps. You can simulate the VPN being down for failover (or lack thereof) testing by changing the server port in the Openvpn client settings to something wrong.