Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: Netflix detects Toronto tunnel server as being in the US.  (Read 11091 times)

teddo

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #30 on: June 19, 2016, 06:00:32 PM »

Code:
#!/bin/sh
echo 'Clearing all rules'
ip6tables -F
ip6tables -X

echo 'Creating tables'
echo '  NetflixBlacklist'
ip6tables -N NetflixBlacklist

echo ' '
echo 'NetflixBlacklist (Netflix frowns on IPv6 tunnelbrokers)'
echo '  2a00:86c0::/32 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0::/32 -j DROP
echo '  2a00:86c0::/32 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0::/32 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2620:10C:7000::/44 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2620:10C:7000::/44 -j DROP
echo '  2620:10C:7000::/44 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2620:10C:7000::/44 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:d0b0::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:d0b0::/48 -j DROP
echo '  2a00:86c0:d0b0::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:d0b0::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:d0b1::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:d0b1::/48 -j DROP
echo '  2a00:86c0:d0b1::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:d0b1::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2607:FB10::/32 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2607:FB10::/32 -j DROP
echo '  2607:FB10::/32 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2607:FB10::/32 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:116::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:116::/48 -j DROP
echo '  2a00:86c0:116::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:116::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:117::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:117::/48 -j DROP
echo '  2a00:86c0:117::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:117::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:118::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:118::/48 -j DROP
echo '  2a00:86c0:118::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:118::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:119::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:119::/48 -j DROP
echo '  2a00:86c0:119::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:119::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:120::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:120::/48 -j DROP
echo '  2a00:86c0:120::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:120::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:121::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:121::/48 -j DROP
echo '  2a00:86c0:121::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:121::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1018::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1018::/48 -j DROP
echo '  2a00:86c0:1018::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1018::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:126::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:126::/48 -j DROP
echo '  2a00:86c0:126::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:126::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:127::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:127::/48 -j DROP
echo '  2a00:86c0:127::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:127::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1029::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1029::/48 -j DROP
echo '  2a00:86c0:1029::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1029::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1028::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1028::/48 -j DROP
echo '  2a00:86c0:1028::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1028::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2406:da00:ff00::/96 (src) -> drop [AWS owned, associated with Netflix]'
ip6tables -A NetflixBlacklist -i sixbone -s 2406:da00:ff00::/96 -j DROP
echo '  2406:da00:ff00::/96 (dst) -> reject [AWS owned, associated with Netflix]'
ip6tables -A NetflixBlacklist -o sixbone -d 2406:da00:ff00::/96 -j REJECT --reject-with icmp6-addr-unreachable

echo ' '
echo 'FORWARD table (default: ACCEPT)'
echo '  check NetflixBlacklist'
ip6tables -A FORWARD -j NetflixBlacklist

I didn't have this problem until a couple days ago. I'm unhappy with the change. I have a box that forwards traffic to and from the Internet (masquerading for IPv4, and tunnel broker for IPv6).  I added this bit of code to my IPv6 firewall script. NetflixBlacklist is a chain that I created in the filter table, and I added a rule in the FORWARD chain to send all packets to that table. FORWARD defaults to accept. sixbone is the name of the ipv6/ip link that connects to HE's tunnel. This is a partial view of my firewall script, as I block other ports as well.

So far, this seems to work for me. Hopefully this bit of code can save you some time and grief. Shame on Netflix for blocking tunnel broker.
Logged
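Added example, not part of teddo's post: the script above flushes every chain with `ip6tables -F`, and most of its /48 entries already sit inside 2a00:86c0::/32. This Python sketch validates and collapses the same prefix list and emits `ip6tables-restore --noflush` input that rebuilds only the NetflixBlacklist chain; the function names are illustrative, while the chain and interface names are taken from the post.

```python
import ipaddress

# Prefixes copied from the script in the post above.
PREFIXES = ["2a00:86c0::/32", "2620:10C:7000::/44", "2607:FB10::/32",
            "2406:da00:ff00::/96"] + [
    f"2a00:86c0:{h}::/48" for h in
    "d0b0 d0b1 116 117 118 119 120 121 1018 126 127 1029 1028".split()]


def collapse(prefixes):
    """Validate each prefix and drop those covered by a shorter one.

    strict=True rejects entries with host bits set (a common typo).
    """
    nets = [ipaddress.IPv6Network(p, strict=True) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def restore_input(prefixes, chain="NetflixBlacklist", iface="sixbone"):
    """Build text for `ip6tables-restore --noflush`.

    With --noflush, declaring an existing user-defined chain empties only
    that chain, so the rest of the firewall is left untouched and the new
    rule set is committed in one step.
    """
    lines = ["*filter", f":{chain} - [0:0]"]
    for net in collapse(prefixes):
        lines.append(f"-A {chain} -i {iface} -s {net} -j DROP")
        lines.append(f"-A {chain} -o {iface} -d {net} "
                     "-j REJECT --reject-with icmp6-addr-unreachable")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(restore_input(PREFIXES), end="")
```

Pipe the output into `ip6tables-restore --noflush`; the jump from FORWARD into the chain still has to be added once, as in the post.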

obsessive

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #31 on: June 23, 2016, 08:33:43 PM »

For those feeling a bit adventurous... I have created a dns-proxy (golang) that will allow you to reject AAAA Netflix replies: https://github.com/hasanihunter/dns-filter
Logged
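Added example, not code from the linked dns-filter project (whose internals are not shown on this page): one way a filtering resolver can force IPv4 fallback is to answer AAAA queries for selected names with an empty NOERROR reply and forward everything else upstream. The suffix list and all function names are assumptions made for this sketch, and the query bytes are constructed sample input.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
# Assumed suffix list for illustration; use the names your clients actually query.
FILTERED_SUFFIXES = ("netflix.com", "nflxvideo.net")


def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question in a DNS message."""
    labels, off = [], 12                      # fixed 12-byte header
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:                     # pointers do not belong in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    qtype, _qclass = struct.unpack_from("!HH", msg, off + 1)
    return ".".join(labels), qtype, off + 5


def should_filter(qname, qtype):
    """True only for AAAA queries at or below a filtered suffix."""
    return qtype == QTYPE_AAAA and any(
        qname == s or qname.endswith("." + s) for s in FILTERED_SUFFIXES)


def nodata_reply(query):
    """Empty NOERROR answer for filtered queries; None means forward upstream."""
    qname, qtype, end = parse_question(query)
    if not should_filter(qname, qtype):
        return None
    txid, flags = struct.unpack_from("!HH", query, 0)
    flags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, keep RD, RA=1, RCODE=0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:end]


def build_query(name, qtype, txid=0x1234):
    """Constructed sample input: a minimal recursive query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!HH", qtype, 1))


if __name__ == "__main__":
    for name, qtype in [("www.netflix.com", QTYPE_AAAA), ("www.netflix.com", QTYPE_A)]:
        reply = nodata_reply(build_query(name, qtype))
        print(name, qtype, "-> NODATA" if reply else "-> forward")
```

A production filter would also put an SOA record in the authority section so that clients can cache the negative answer.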

artooro

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #32 on: July 01, 2016, 08:15:30 AM »

Due to a combination of Netflix blocking HE.net and now their price hike for HD video, I have cancelled my Netflix account. When the issue with tunnelbroker.net is resolved we'll see; I might subscribe again.
Logged

lbarros

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #33 on: July 07, 2016, 06:01:58 AM »

I guess if I black hole all IPv6 prefixes for Netflix originating from AS2906 (Netflix) and send an ICMP unreachable, that should do it

http://bgp.he.net/AS2906#_prefixes6
Logged

JDog2pt0

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #34 on: July 10, 2016, 11:11:46 PM »

So, since I'm just running a Linksys wireless router with Tomato on it, I haven't been able to find a way to do anything listed in this thread here. Is there any chance that an iptables rule could be written to force Netflix to use IPv4? If so, is there anyone here who could write one? I know nothing of iptables and my research online turned up nothing conclusive.
Logged

link9

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #35 on: August 04, 2016, 12:31:42 PM »

I just ran into this after trying Netflix on my Apple TV for the first time.

The workaround I am now using is to simply block the Apple TV from having IPv6 functionality. No big deal as the only other use it really has is for AirPlay. I couldn't see how to do this on the Apple TV itself so instead I blocked it on the router.

In my case this is an EdgeRouter but I'd expect this syntax to work with VyOS etc too.


> edit firewall ipv6-name localLANipv6 rule 100]

 rule 100 {
     action drop
     description "Block Apple TV from IPv6 so Netflix works"
     protocol all
     source {
         mac-address xx:xx:xx:xx:xx:xx
     }
 }
Logged

ggee

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #36 on: August 07, 2016, 06:29:28 PM »

I've noticed today that Netflix seems to be working again without any workarounds. Anyone else seeing it working now?



Logged

link9

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #37 on: August 10, 2016, 02:11:11 PM »

Yup - seems to be working again for me too (based in the UK, Netflix showing UK content).
Logged

hazza

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #38 on: August 11, 2016, 11:35:15 AM »

Just turned off my Netflix AAAA DNS filter, and it's working fine! (For now...)
Logged

bjo

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #39 on: August 14, 2016, 12:39:46 PM »

Yep, working here again with Frankfurt tunnels  :)
Logged

ascareg

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #40 on: September 29, 2016, 05:07:46 PM »

As of today, my HE tunnel (Chicago endpoint) is being blocked by Netflix again. :(
Logged

Bieniu

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #41 on: September 30, 2016, 02:02:26 AM »

Same for me with endpoint Warsaw. Netflix is blocked again.
Logged

bjo

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #42 on: September 30, 2016, 06:32:07 AM »

Same sh*t, different endpoint: Berlin.
Logged

hevanaa

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #43 on: October 02, 2016, 12:32:08 AM »

Also Stockholm endpoint is disabled, so I had to block requests to the Netflix IP addresses (taken from Reddit):

2a01:578:3::/48
2406:da00:ff00::/48
2600:1407:19::/48
2607:f8b0:4001::/48
2620:108:700f::/48

I don't understand the reasoning for blocking, because Netflix clearly have some kind of geoip system in place. I have had the same content on IPv6 and IPv4. It was more than a year ago or so, when there were occasional glitches and I was suddenly seeing content from US servers on IPv6. That was very slow and annoying. Luckily it was fixed and has worked fine ever since until the total blocking of the tunnel. It is a shame.
Logged

dhenderson

Re: Netflix detects Toronto tunnel server as being in the US.
« Reply #44 on: October 05, 2016, 07:23:24 PM »

Yup - looks like the Toronto endpoint is hit as well. Oddly enough, I never noticed a blockage in July/August...
Logged