
Netflix detects Toronto tunnel server as being in the US.

Started by primordial, June 01, 2016, 06:33:48 PM


teddo

#!/bin/sh
echo 'Clearing all rules'
ip6tables -F
ip6tables -X

echo 'Creating tables'
echo '  NetflixBlacklist'
ip6tables -N NetflixBlacklist

echo ' '
echo 'NetflixBlacklist (Netflix frowns on IPv6 tunnelbrokers)'
echo '  2a00:86c0::/32 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0::/32 -j DROP
echo '  2a00:86c0::/32 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0::/32 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2620:10C:7000::/44 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2620:10C:7000::/44 -j DROP
echo '  2620:10C:7000::/44 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2620:10C:7000::/44 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:d0b0::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:d0b0::/48 -j DROP
echo '  2a00:86c0:d0b0::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:d0b0::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:d0b1::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:d0b1::/48 -j DROP
echo '  2a00:86c0:d0b1::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:d0b1::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2607:FB10::/32 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2607:FB10::/32 -j DROP
echo '  2607:FB10::/32 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2607:FB10::/32 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:116::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:116::/48 -j DROP
echo '  2a00:86c0:116::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:116::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:117::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:117::/48 -j DROP
echo '  2a00:86c0:117::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:117::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:118::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:118::/48 -j DROP
echo '  2a00:86c0:118::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:118::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:119::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:119::/48 -j DROP
echo '  2a00:86c0:119::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:119::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:120::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:120::/48 -j DROP
echo '  2a00:86c0:120::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:120::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:121::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:121::/48 -j DROP
echo '  2a00:86c0:121::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:121::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1018::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1018::/48 -j DROP
echo '  2a00:86c0:1018::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1018::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:126::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:126::/48 -j DROP
echo '  2a00:86c0:126::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:126::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:127::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:127::/48 -j DROP
echo '  2a00:86c0:127::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:127::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1029::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1029::/48 -j DROP
echo '  2a00:86c0:1029::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1029::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2a00:86c0:1028::/48 (src) -> drop [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -i sixbone -s 2a00:86c0:1028::/48 -j DROP
echo '  2a00:86c0:1028::/48 (dst) -> reject [AS2906 Netflix owned]'
ip6tables -A NetflixBlacklist -o sixbone -d 2a00:86c0:1028::/48 -j REJECT --reject-with icmp6-addr-unreachable

echo '  2406:da00:ff00::/96 (src) -> drop [AWS owned, associated with Netflix]'
ip6tables -A NetflixBlacklist -i sixbone -s 2406:da00:ff00::/96 -j DROP
echo '  2406:da00:ff00::/96 (dst) -> reject [AWS owned, associated with Netflix]'
ip6tables -A NetflixBlacklist -o sixbone -d 2406:da00:ff00::/96 -j REJECT --reject-with icmp6-addr-unreachable

echo ' '
echo 'FORWARD table (default: ACCEPT)'
echo '  check NetflixBlacklist'
ip6tables -A FORWARD -j NetflixBlacklist


I didn't have this problem until a couple days ago. I'm unhappy with the change. I have a box that forwards traffic to and from the Internet (masquerading for IPv4, and tunnel broker for IPv6).  I added this bit of code to my IPv6 firewall script. NetflixBlacklist is a chain that I created in the filter table, and I added a rule in the FORWARD chain to send all packets to that table. FORWARD defaults to accept. sixbone is the name of the ipv6/ip link that connects to HE's tunnel. This is a partial view of my firewall script, as I block other ports as well.

So far, this seems to work for me. Hopefully this bit of code can save you some time and grief. Shame on Netflix for blocking tunnel broker.
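Added example (not part of teddo's post): most of the /48 entries in the script above already fall inside 2a00:86c0::/32, so the list can be validated and collapsed before rules are generated. The sketch below does that with Python's `ipaddress` module and emits `ip6tables-restore` input for the NetflixBlacklist chain only; the prefixes, the `sixbone` interface and the chain name are taken from the post, while the function names are made up for this example.

```python
import ipaddress

# Prefixes copied from the script above.
PREFIXES = """
2a00:86c0::/32 2620:10C:7000::/44 2a00:86c0:d0b0::/48 2a00:86c0:d0b1::/48
2607:FB10::/32 2a00:86c0:116::/48 2a00:86c0:117::/48 2a00:86c0:118::/48
2a00:86c0:119::/48 2a00:86c0:120::/48 2a00:86c0:121::/48 2a00:86c0:1018::/48
2a00:86c0:126::/48 2a00:86c0:127::/48 2a00:86c0:1029::/48 2a00:86c0:1028::/48
2406:da00:ff00::/96
""".split()

def collapse(prefixes):
    """Validate each prefix and drop those covered by a shorter one."""
    # IPv6Network raises ValueError on typos and on prefixes with host bits set.
    nets = [ipaddress.IPv6Network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def restore_input(prefixes, iface="sixbone", chain="NetflixBlacklist"):
    """Build ip6tables-restore input that defines only `chain`."""
    lines = ["*filter", f":{chain} - [0:0]"]
    for net in collapse(prefixes):
        lines.append(f"-A {chain} -i {iface} -s {net} -j DROP")
        lines.append(f"-A {chain} -o {iface} -d {net} "
                     "-j REJECT --reject-with icmp6-addr-unreachable")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Intended use: pipe into `ip6tables-restore --noflush` so the other
    # chains stay loaded; the FORWARD jump to the chain is added once,
    # separately, as in the original script.
    print(restore_input(PREFIXES), end="")
```

The 17 prefixes collapse to four, which gives eight rules instead of 34 for the same match.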

obsessive

For those feeling a bit adventurous: I have created a DNS proxy (golang) that will allow you to reject AAAA Netflix replies: https://github.com/hasanihunter/dns-filter
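Added example (not code from the dns-filter project, and not necessarily how it works): the core decision of a AAAA filter, written as a function that answers matching AAAA queries with an empty NOERROR reply so clients fall back to the A record. The zone list is an assumption, and `build_query` only constructs sample input.

```python
import struct

TYPE_AAAA = 28
# Assumption: zones to filter (not listed in the thread).
FILTERED_ZONES = ("netflix.com", "nflxvideo.net")

def build_query(name, qtype, qid=0x1234):
    """Constructed sample query with RD set, for exercising the filter offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question."""
    labels, pos = [], 12                      # fixed 12-byte header
    while msg[pos] != 0:
        length = msg[pos]
        if length > 63:                       # compression pointer / reserved bits
            raise ValueError("unexpected label type in question")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def should_filter(qname, qtype):
    """True for AAAA queries at or below a filtered zone."""
    return qtype == TYPE_AAAA and any(
        qname == z or qname.endswith("." + z) for z in FILTERED_ZONES)

def empty_answer(query):
    """Return a NOERROR reply with no answers, or None to forward the query."""
    try:
        qid, flags, qdcount = struct.unpack("!HHH", query[:6])
        if flags & 0x8000 or qdcount != 1:    # a response, or not one question
            return None
        qname, qtype, end = parse_question(query)
    except (IndexError, ValueError, struct.error):
        return None                           # malformed: leave it to the upstream resolver
    if not should_filter(qname, qtype):
        return None
    rflags = 0x8000 | (flags & 0x0100) | 0x0080   # QR=1, copy RD, set RA, RCODE=0
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:end]
```

A proxy built around this would send the returned bytes back to the client and forward every query for which `empty_answer` returns `None` to its upstream resolver unchanged.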

artooro

With the combination of Netflix blocking HE.net and now their price hike for HD video, I have cancelled my Netflix account. When the issue with tunnelbroker.net is resolved we'll see; I might subscribe again.

lbarros

I guess if I black hole all IPv6 prefixes for Netflix originating from AS2906 (Netflix) and send an ICMP unreachable, that should do it

http://bgp.he.net/AS2906#_prefixes6

JDog2pt0

So, since I'm just running a Linksys wireless router with Tomato on it, I haven't been able to find a way to do anything listed in this thread here. Is there any chance that an iptables rule could be written to force Netflix to use IPv4? If so, is there anyone here who could write one? I know nothing of iptables and my research online turned up nothing conclusive.

link9

I just ran into this after trying Netflix on my Apple TV for the first time.

The workaround I am now using is to simply block the Apple TV from having IPv6 functionality. No big deal as the only other use it really has is for AirPlay. I couldn't see how to do this on the Apple TV itself so instead I blocked it on the router.

In my case this is an EdgeRouter but I'd expect this syntax to work with VyOS etc too.


> edit firewall ipv6-name localLANipv6 rule 100]

rule 100 {
     action drop
     description "Block Apple TV from IPv6 so Netflix works"
     protocol all
     source {
         mac-address xx:xx:xx:xx:xx:xx
     }
}

ggee

I've noticed today that Netflix seems to be working again without any workarounds. Anyone else seeing it working now?




link9

Yup - seems to be working again for me too (based in the UK, Netflix showing UK content).

hazza

Just turned off my Netflix AAAA DNS filter, and it's working fine! (For now...)

bjo


ascareg

As of today, my HE tunnel (Chicago endpoint) is being blocked by Netflix again. :(

Bieniu

Same for me with endpoint Warsaw. Netflix is blocked again.

bjo


hevanaa

Also, the Stockholm endpoint is disabled, so I had to block requests to the Netflix IP addresses (taken from Reddit):

2a01:578:3::/48
2406:da00:ff00::/48
2600:1407:19::/48
2607:f8b0:4001::/48
2620:108:700f::/48

I don't understand the reasoning for blocking, because Netflix clearly have some kind of geoip system in place. I have had the same content on IPv6 and IPv4. It was more than a year ago or so, when there were occasional glitches and I was suddenly seeing content from US servers on IPv6. That was very slow and annoying. Luckily it was fixed and has worked fine ever since until the total blocking of the tunnel. It is a shame.

dhenderson

Yup - looks like the Toronto endpoint is hit as well. Oddly enough, I never noticed a blockage in July/August...