Hi guys,
I've written here earlier trying to get an idea how to access netflix only through VPN for more content. Got an answer that the solution could be Policy based routing. I have little to no experience with Mikrotik and couldn't get this to work. I purchased FastestVPN. I have a Mikrotik Hap ac2, behind an ISP router in bridge mode. The MT has a pppoe connection.
I used these two links to try and get it to work:
https://wiki.mikrotik.com/wiki/Policy_Base_Routing
https://support.fastestvpn.com/tutorial ... rotik/pptp
The second link is FastestVPN tutorial to get it to work with Mikrotik. What I did so far:
PPP -> Interface -> add new ->
General is unchanged, in dial out I wrote the user name and password (these are correct, tried and retried, copied from the browser where I logged in sucessfully), and also copied the server from their site. At bottom right, status is constantly changing from link established to terminating. Screenshot attached.
I also created a mangle rule, chain prerouting, src address: 192.168.88.0/24, content netflix (I don't thing this should be an issue), action mark routing, new routing mark is the interface i created in the previous step.
I created a NAT masquerade rule, that says FastestVPN PPTP Netflix not ready (in red). When I change servers in the interface, sometimes the link established doesn't switch to terminating, but the NAT rule is still in red.
Does anyone have an idea what I am doing wrong? Or is FastestVPN the problem here? Or anything else?
Can't get Policy based routing VPN to work
You do not have the required permissions to view the files attached to this post.
Re: Can't get Policy based routing VPN to work
Few ideas on what's wrong:
- Netflix detects when you are running through VPN server. It detects when you are using non-residential IP.
- Netflix has more domains. Not just "netflix.net". You need to route all such traffic using VPN.
- Not sure, but I think "content" parameter in Mikrotik filter rules does not work since this traffic is HTTPS and Mikrotik is not able to see content of packets.
- Netflix might find your real (approximate) location using something called DNS Leak.
Re: Can't get Policy based routing VPN to work
Thanks for the input. Unfortunately, I haven't gotten to a part where I can say if routing the "netflix traffic" works or not. I'm still having a problem establishing a stable link to the VPN server. As I said, PPTP client is jumping from link established to terminated every few seconds.
I have just figured out that the profile in the PPTP Client setup was the wrong one. It was the one for my VPN connection to Mikrotik, not default. When I changed it to default it stabilized and now it says connected and running.
The first part is done, now I have to figure out how to get the "all-inclusive" netflix.
I have just figured out that the profile in the PPTP Client setup was the wrong one. It was the one for my VPN connection to Mikrotik, not default. When I changed it to default it stabilized and now it says connected and running.
The first part is done, now I have to figure out how to get the "all-inclusive" netflix.
Re: Can't get Policy based routing VPN to work
Sorry to post twice, is there a way to route all traffic to a specific set of ip addresses? For example, I know that all the traffic I need to route through VPN is going to servers at x.y.z.0/24 (I'm not sure it's supposed to be written like this, it means x.y.z.1-x.y.z.254)?
Sent from my SM-G985F using Tapatalk
Sent from my SM-G985F using Tapatalk
Re: Can't get Policy based routing VPN to work
Does your VPN provider support IPSEC/IKE2? If so, you can configure using this guide: viewtopic.php?f=23&t=169273
I haven't got a chance to play much with PPTP and not sure if I ever will because this protocol is very unsafe.
I haven't got a chance to play much with PPTP and not sure if I ever will because this protocol is very unsafe.
Re: Can't get Policy based routing VPN to work
It looks as they do. Which one works best?
I managed to do what I wanted in the previous post, but everything is very slow. Would ipsec or ike2 work faster?
Sent from my SM-G985F using Tapatalk
I managed to do what I wanted in the previous post, but everything is very slow. Would ipsec or ike2 work faster?
Sent from my SM-G985F using Tapatalk
Re: Can't get Policy based routing VPN to work
If everything works but very slowly, chances are high that you haven't prevented the default action=fasttrack-connection rule in chain=forward of /ip firewall filter from acting on the packets which need the policy routing. Most packets belonging to fasttracked connections bypass the mangle rules, so they don't get any routing-mark and take the wrong route (the default one), hence they get NATed with a different source address than those which took the correct route, so the recipient ignores them and they have to be retransmitted. Since some fraction of the packets belonging to fasttracked connections takes the slow track, the connections work, thanks to the retransmissions, but very slowly.I managed to do what I wanted in the previous post, but everything is very slow. Would ipsec or ike2 work faster?
Unless your uplink is faster than, say, 200 Mbit/s (don't take me literally), you should not neet to fasttrack connections at all with a hAP ac².
Having said that - IPsec may be faster than PPTP, given that the encryption, although a much stronger one than the one used by PPTP, works faster because on the hAP ac², it is implemented in hardware whereas the PPTP one is not.
Re: Can't get Policy based routing VPN to work
I can not reach the Netflix if i have IPv6 enabled. Or on every 10th try i get netflix to work. I find the solution but i need translatin to Mikrotik talk.
https://www.reddit.com/r/ipv6/comments/ ... d_netflix/
----snip from reddit--------
MSS clamping of 1432, or interface MTU of 1508 with PPPoE MTU of 1500 (note that the config tree in Edgerouter tries to set an MTU of 1412 if it's blank and you make changes to something unrelated)
Since I enabled IPv6 in my house, Netflix has basically not worked - the website doesn't even load. I contacted Netflix support who told me "IPv6 doesn't work with IPv4 tunneling". Now, I'm not expert, but I'm pretty sure I am not tunneling. My ISP provides a /56 prefix, and my router and devices use SLACC to get a public facing IP. Tracert to netflix.com shows a straight IPv6 connection the whole way.
If I disable IPv4 on my PC, I still have connection to IPv6 enabled sites, but Netflix completely refuses to load unless I disable IPv6. Netflix themselves told me I should "disable IPv6" if I want to use Netflix.
I personally would rather not use it, but I have family members in the house who watch Netflix a lot, and it's getting frustrating when casting to Chromecast takes 3+ attempts before it kicks in.
Has anyone else experienced problems?
Edit: Thanks for everyone willing to offer help with my problem. I will be trying connecting with the stock ISP router when I can, but unfortunately living in a house with other people, I can't just start booting everyone offline.
Netflix does occasionally work with Chromecast, just takes a few goes, which is a pain, but I will look into what I can do. I don't think there's any way of limiting certain devices to NATed IPv4, so looks like I'll have to live with the problem for now. Maybe start shoving a WiFi point through an IPv4 only VPN and see if it fixes things
------snip from reddit--------
My isp give me /56 subnet so no VPN is in play here.
My config
https://pastebin.com/7p3gZ3iP
https://www.reddit.com/r/ipv6/comments/ ... d_netflix/
----snip from reddit--------
MSS clamping of 1432, or interface MTU of 1508 with PPPoE MTU of 1500 (note that the config tree in Edgerouter tries to set an MTU of 1412 if it's blank and you make changes to something unrelated)
Since I enabled IPv6 in my house, Netflix has basically not worked - the website doesn't even load. I contacted Netflix support who told me "IPv6 doesn't work with IPv4 tunneling". Now, I'm not expert, but I'm pretty sure I am not tunneling. My ISP provides a /56 prefix, and my router and devices use SLACC to get a public facing IP. Tracert to netflix.com shows a straight IPv6 connection the whole way.
If I disable IPv4 on my PC, I still have connection to IPv6 enabled sites, but Netflix completely refuses to load unless I disable IPv6. Netflix themselves told me I should "disable IPv6" if I want to use Netflix.
I personally would rather not use it, but I have family members in the house who watch Netflix a lot, and it's getting frustrating when casting to Chromecast takes 3+ attempts before it kicks in.
Has anyone else experienced problems?
Edit: Thanks for everyone willing to offer help with my problem. I will be trying connecting with the stock ISP router when I can, but unfortunately living in a house with other people, I can't just start booting everyone offline.
Netflix does occasionally work with Chromecast, just takes a few goes, which is a pain, but I will look into what I can do. I don't think there's any way of limiting certain devices to NATed IPv4, so looks like I'll have to live with the problem for now. Maybe start shoving a WiFi point through an IPv4 only VPN and see if it fixes things
------snip from reddit--------
My isp give me /56 subnet so no VPN is in play here.
My config
https://pastebin.com/7p3gZ3iP
Re: Can't get Policy based routing VPN to work
I understand you're having trouble setting up Policy-Based Routing (PBR) on your VPN. This issue can be tricky, and this happens due to various roadblocks like wrong directions, missing signs, traffic jams, and construction zones. To overcome this issue, OysterVPN is designed to provide the smoothest browsing experience and the highest level of security to any smart device, including Mikrotik routers. MikroTik routers implement the IKv6 security protocol, and the operating system is based on the Linux Kernel and is compatible with a wide range of internet service provider applications. If you are facing challenges in solving this issue, you can read this complete guide https://support.oystervpn.com/tutorials ... ith-ikev2/ to successfully solve this problem.