Pfsense PIA VPN and Netflix

Please Help.

I have my pfsense router set up and running in a dual WAN configuration, and I have the PIA VPN set up, which works flawlessly. I cannot seem to get the LAN rule to work to bypass the VPN and send my Netflix traffic over my normal ISP WAN connection. One difference: I do have a gateway group, and the dual WANs are set up for failover.

Level1Techs video: https://www.youtube.com/watch?v=ekRgAATnIsU&t=275s

What do your LAN rules look like? What’s in the Netflix alias?

I can actually use Netflix over PIA VPN if I set it through using Switzerland.

So if you can’t get it to do that maybe you should give that a try as a temp fix.

LAN rules look okay (although I’d use any for the protocol just in case it needs igmp or something) but for the alias you need to have the FQDN of every Netflix server that you will connect to, not just the root domain. So you need (for example) server01.netflix.com etc.

If you can’t find a list of all the servers then the best (but tedious) way to get the ones you need is to use a packet sniffer like wireshark on a machine that you’re using Netflix on. In wireshark filter for DNS traffic and note all the domain names that are requested when using Netflix, then add those to the alias.

Ok, great idea, I just used the search in google like Ryan and Wendell used.

I’m not sure if this helps or not but I’ve suggested it to people before. Make sure you’re using the dns resolver in pfsense rather than the dns forwarder. Make sure dns cache is enabled and set the cache life to the same period (or longer) as the alias look up (it should say on the alias page if I remember).

Because the aliases are resolved periodically you want to make sure that the client and the firewall are both getting the same ip for each domain name so using the dns cache should help with that.


I had a great deal of trouble getting my PIA up and running but when I finally started tinkering with DNS it worked. It wasn’t this method but I’m sure dexter won’t lead you wrong, OP.

What worked for you? I personally haven’t tried to get Netflix working through a vpn, just some sites which don’t play nice with it.

I ran PIA through its internet DNS servers but used my work's OpenDNS connector for everything else. I lost the configuration when the upgrade bricked my install and I haven't gotten it working again, mainly because of lack of time. When I get it up again I'll get that config for you.


The only way I've gotten a Netflix bypass rule to work consistently is to have not only the Netflix IP addresses, but also the Amazon Web Services server addresses that they use. You can use Wireshark to generate a list, or download the public AWS address ranges in a JSON file, convert it into a text file, then import them into pfsense as a new alias. Set up a rule to bypass the Netflix IPs and a separate one for the AWS addresses. This will also create a bypass for Amazon Video as well. The benefit of splitting them is that the AWS IPs can be easily updated when they change; just download a new list from Amazon. The Netflix IPs don't actually change very often. The drawback is that the AWS list contains about 900 IPs that are being routed around the VPN, and many of them probably have nothing to do with video streaming.

ExpressVPN has a server in LA that is set up to allow Netflix streaming, and a separate one for Amazon Video and Hulu, but their service is more than twice the cost of PIA.
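An added example (not code from any poster in this thread) of the "download the AWS JSON, convert it to a text file" step above: it reads the shape of AWS's published ip-ranges.json, optionally narrows the set by service or region so far fewer than the 900-odd prefixes end up routed around the VPN, collapses overlapping networks, and emits one CIDR per line for a pfsense alias import. The JSON document below is constructed for the example; the real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's public ip-ranges.json.
# Addresses are documentation ranges, not real AWS prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "CLOUDFRONT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
    ],
})


def aws_prefixes(raw_json, services=None, regions=None):
    """Return sorted, de-duplicated IPv4 CIDR strings from an ip-ranges.json
    document. `services` / `regions` (sets of strings) optionally restrict the
    output, which keeps the bypass rule as narrow as possible. Overlapping
    prefixes are collapsed so the alias is the shortest equivalent list."""
    data = json.loads(raw_json)
    nets = []
    for entry in data["prefixes"]:          # IPv4 only; ipv6_prefixes is separate
        if services and entry["service"] not in services:
            continue
        if regions and entry["region"] not in regions:
            continue
        nets.append(ipaddress.ip_network(entry["ip_prefix"]))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def alias_text(prefixes):
    """pfsense's bulk alias import takes one network per line."""
    return "\n".join(prefixes) + "\n"


if __name__ == "__main__":
    # Narrowing to one service shows how much smaller the bypass set gets.
    print(alias_text(aws_prefixes(SAMPLE_IP_RANGES, services={"CLOUDFRONT"})))
```

Swap the constructed document for the downloaded file and write `alias_text(...)` to a .txt file, then paste or import it into the alias in pfsense.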

All great ideas. While I was checking which services would be affected, only Netflix took the hit; my Hulu, Sling and Amazon Prime Video services are all working fine.

I did start the list build for Netflix addresses and must have about 10-15 in the list so far. I had seen the AWS servers in the stream but didn’t add them to the list. Maybe that’s what I’m missing.

The other thing I also noticed: while my gaming only added about 10 ms of latency, my overall speed is way down. I didn't really think about the speed of the connections at the end of the tunnel. Having GFiber, it's kind of hard to see speeds of 200 Mbps or less… Ugh.

If you want to avoid the higher latency for online gaming then you'll need to set up rules for the ports that the games you play use. Most of the popular games should have the port ranges posted somewhere.

Anything under 100 ms is ok; my normal is 70-80, so 80-90 ms is within range.

Did that during the first part of configuring the router, ty.

That would be cool!

I had trouble creating Netflix rules on Pfsense, which I think was down to my ISP (Virgin Media UK) having their own caching servers for Netflix. Tried adding some of them to my alias but couldn't work it out.

Thanks for replying here, I had completely forgotten about this. I just got PIA set back up yesterday so I'll have to get that part working again this weekend.

I found these “netflix” servers, does anyone have any others?


Not sure if you fully resolved your issue. But a quick Google search turned this up.

https://www.privateinternetaccess.com/forum/discussion/21421/pia-vpn-neftlix-bypass-for-pfsense