A simple tutorial of how to route netflix traffic to ISP, while other traffic can be routed to VPN. On EdgeRouter or other Linux routers supports IPSet.
https://nflx.ksc91u.info/as-nflx
If you have trouble restore from this file, try with -exist flag /sbin/ipset -exist restore < as-nflx
You can find netflix AS on bgpview.io. Download all prefixes with bgpview api.
https://api.bgpview.io/asn/40027/prefixes
Or use ASAllow to generate ipset files.
[main]
#prefixes of providers which should be looked up dynamically (using ripestat)
ASN=AS40027 #netflix
ASN=AS2906 #netflix streaming
nocomment #output nocomment or edgerouter won't restore it.
The output file will look like
create AS_nflx hash:net family inet hashsize 1024 maxelem 65536
add AS_nflx 192.173.92.0/24
add AS_nflx 23.246.6.0/24
add AS_nflx 192.173.67.0/24
add AS_nflx 198.38.121.0/24
Remove the first line, and scp file to edgerouter ubnt@ubnt:/config/user-data/as-nflx
Next, create a Network Group on EdgeRouter GUI called AS_nflx.
List of netflix API servers
www.us-east-1.internal.dradis.netflix.com.
www.us-east-2.internal.dradis.netflix.com.
www.us-west-1.internal.dradis.netflix.com.
www.us-west-2.internal.dradis.netflix.com.
www.eu-west-1.internal.dradis.netflix.com.
prod.http1.us-west-1.internal.dradis.netflix.com.
prod.http1.us-west-2.internal.dradis.netflix.com.
prod.http1.us-east-1.internal.dradis.netflix.com.
prod.http1.us-east-2.internal.dradis.netflix.com.
prod.http1.eu-west-1.internal.dradis.netflix.com.
mobile.prod.us-west-1.internal.dradis.netflix.com.
mobile.prod.us-west-2.internal.dradis.netflix.com.
mobile.prod.us-east-1.internal.dradis.netflix.com.
mobile.prod.us-east-2.internal.dradis.netflix.com.
mobile.prod.eu-west-1.internal.dradis.netflix.com.
www.netflix.com
netflix.com
#!/bin/bash
/sbin/ipset -exist restore </config/user-data/as-nflx
for n in `cat /config/user-data/netflix`
do
for i in `host $n|grep IPv4|cut -d " " -f 5 `
do
echo "Add nflx $i"
/sbin/ipset add AS_nflx $i 2>/dev/null
done
done
Then cronjob with root sudo crontab -e
*/20 * * * * /config/user-data/update-nflx.sh
Now you can use network group AS_nflx for rule based routing. Take part of my config for example.
Traffic to netflix will go through lb-group G, which is my group of 4 pppoe connections. Other traffic will go to lb-group VPN_OUT.
rule 70 {
action modify
destination {
group {
network-group AS_nflx
}
}
modify {
lb-group G
}
source {
address 192.168.1.64/26
}
}
rule 71 {
action modify
destination {
group {
network-group !AS_nflx
}
}
modify {
lb-group VPN_OUT
}
source {
address 192.168.1.64/26
}
}
Netflix hosts API servers in US and Europe only, those CNAMES are what I found with DNSChecker, a global DNS lookup tools. The mobile-* CNAMES are requested by Windows 10 Netflix App, observed with tcpdump on udp port 53.
If more host names/IP blocks should be added, need DNSMasq to log all queries. But this is sufficient for me now.