I have Netflix through my cell phone provider as one of their perks. There are 6 lines on the plan but we don’t all live together, but the perk is for all of us since we split the bill. With Netflix restricting shared passwords I’m concerned this is gonna cause a problem since there are three houses that watch on the account.
What I would like to do is set up a split tunnel vpn at each house with the other two sending all of their traffic except for Netflix through the normal route, but send Netflix traffic back to my house so that it all appears to come from the same location. I’ve never done this and wasn’t having luck searching for a guide.
Could someone link to a guide? I have pfsense set up at my place now and can easily deploy it at the other two houses.
I’ve thought about the same thing, but there’s A LOT of IPs on their network. From what I’ve been able to gather, they use AS40027 and also AS2906. There could be more in addition to that. So, you could grab all the subnets advertised from those networks and use that as your main list.
It isn’t as clean, but how about selectively routing all streaming devices through your home and try to avoid the whack-a-mole game of keeping track of Netflix’s CDNs and back-end domain names?
Sure, you’ll forward more than just Netflix streams, but it shouldn’t matter if you have plenty of bandwidth. The foolproof way would be to route all their traffic through you, but that makes your environment now ‘production’ and you’re on the hook for any blips/issues. At that point, it may be worth asking yourself / family asking themselves if Netflix is worth the price of admission?
I would hope that T-Mobile accounts receive some kind of exception precisely because a global Netflix account was advertised as a perk for the entire account. Here’s hoping Netflix says something about it publicly.
You could have the firewall only allow netflix devices to access the VPN as opposed to the entire network having access to the VPN.
The real solution you’re looking for is called Application Control. Fortigate has a very good form of it. A Fortigate can use application control to detect services and it can be applied in the firewall rules to change how it’s routed.
Pfsense can’t do this; it can use Snort App ID to detect netflix and other apps (but only for blocking it).
I do the same thing with bbc iplayer. I use policy based routing using source ip address. I assign specific devices to these rules. Easier than maintaining a list of destination cdn IPs.
I understand why netflix wants to stop password sharing, but I would imagine that it is clear to netflix which device/account/etc is absolutely abusing password sharing and which ones aren’t.
Are you on a symmetrical fiber ISP? If this is cable, forget about it. Your upload speed to those other people has to be able to handle it. Traditional cable internet is hugely asymmetric. I clock around 15-20 Mbps for 4K Netflix. If you have like 1000/35, only two people could get a quality stream and you’re only left with 5 Mb.
Expensive layer 7 firewalls can do this. Talking like Palo Alto, Fortigate. Good hardware firewalls too, so the processing for all of the IPsec VPN tunnels at your end doesn’t bog down the CPU.
So you can create IPsec tunnels from each person’s house to yours. Have a unique gateway and maybe using FW rules just route their TVs’ IPs (make them static / DHCP reservations so they are always the same). But then now EVERYTHING they do on that TV, YouTube, HBO Max, Disney+, Pluto TV, etc… would rely on you.
So maybe you can get Netflix CDNs in aliases and use that in rules. But a lot of ISPs have local Netflix caching servers, so there’s a bit of content that will look like it’s coming from your ISP’s ASN.
This is tough without deep packet inspection or blanket static routing.
Netflix has announced that they released those new rules by mistake, but I would get this setup before they re-change their mind. IMO it’s only a matter of time as shareholders want growth and they’ve saturated the market.
How much data does your ISP allow per month before they charge extra? Having 5 other lines use your bandwidth for watching video is going to eat up data usage pretty quick and it’s worse that they are remoting/VPNing in as it’s going to automatically double the usage - every bit of data they download has to download on your end and upload up to them, times that by 5 and your usage and connection is going to be swamped.
I’m sorry to resurrect this thread, but why send all traffic over the tunnel? Why not just the login process?
I doubt they check your location on every request. Once you have your token, you’re good to go.
I don’t think it will be worth the effort in the end. They will be onboarding different subnets and you’ll get strange behaviour on your Netflix devices when you get some traffic going to Netflix on one public IP and some on another, so you would need to keep on top of this.
Most VPN software has split tunneling capabilities, like WireGuard and OpenVPN. You can host a VPN server at home and set up split tunneling for this application alone.
You need to set up a VPN server. You can use the ones integrated with pfSense or you can host it on a separate device. After you set up your VPN server, you need to configure your network to accept incoming connections to your VPN server by opening firewall rules and enabling port forwarding if applicable. Then you need to register with a DDNS service or obtain a static IP so your clients can easily connect to you. After that, you need to make client configurations with said VPN software and enable split tunnel to connect back to your house and route Netflix.
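As an added example (not from any poster in this thread), here is how the "grab the subnets advertised from those ASNs" idea from earlier and the split-tunnel client step above fit together: collapse a collected prefix list into a minimal set, emit it as a WireGuard `AllowedIPs` line (the client-side split-tunnel selector), and check which destinations would actually go through the tunnel. The prefixes below are constructed RFC 5737 / RFC 3849 documentation ranges standing in for a looking-glass export; the ASNs' real announcements and the home LAN subnet are assumptions you would fill in yourself.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample of "announced prefixes" as a looking-glass export might
# give them. Documentation ranges only; NOT the real announcements of any ASN.
SAMPLE_ANNOUNCED = [
    "192.0.2.0/25", "192.0.2.128/25",       # adjacent halves -> merge to one /24
    "198.51.100.0/24", "198.51.100.64/26",  # the /26 is covered by the /24
    "203.0.113.0/24",
    "2001:db8:1::/48",                      # v6 handled separately from v4
]

def collapse_prefixes(prefixes: Iterable[str]) -> List[str]:
    """Merge adjacent prefixes and drop covered ones, per address family.

    A smaller AllowedIPs list is easier to audit and keeps the kernel's
    routing table for the tunnel short.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]

def wireguard_allowed_ips(prefixes: Iterable[str], home_lan: str) -> str:
    """Build the [Peer] AllowedIPs line for a split-tunnel client.

    Only these destinations are routed into the tunnel; everything else
    leaves via the client's normal ISP route. home_lan (assumed) is added so
    the remote house can still reach the VPN server's LAN for management.
    """
    collapsed = collapse_prefixes(list(prefixes) + [home_lan])
    return "AllowedIPs = " + ", ".join(collapsed)

def route_for(dst: str, allowed: List[str]) -> str:
    """Return 'tunnel' if dst falls inside the AllowedIPs set, else 'direct'.

    Use this to spot-check that a service's addresses are fully covered;
    partial coverage is what produces the "some traffic on one public IP,
    some on another" behaviour mentioned later in the thread.
    """
    addr = ipaddress.ip_address(dst)
    for net in allowed:
        n = ipaddress.ip_network(net)
        if addr.version == n.version and addr in n:
            return "tunnel"
    return "direct"

if __name__ == "__main__":
    print(wireguard_allowed_ips(SAMPLE_ANNOUNCED, "10.0.0.0/24"))
    for d in ("198.51.100.77", "192.0.2.200", "8.8.8.8"):
        print(d, "->", route_for(d, collapse_prefixes(SAMPLE_ANNOUNCED)))
```

The same collapsed list can be pasted into a pfSense network alias if you prefer a policy-routing rule on the firewall instead of a per-client WireGuard config.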
This seems like the most reliable and least troublesome way to do it. Send streaming devices over the tunnel, everything else out direct. Of course, this won’t work if the streaming device is a laptop etc.
I can’t think of a way they could accomplish that with good accuracy. Serious question: how would they distinguish a case like mine, or a family with kids in college, from a person who just shares the login info with 5 of their friends?
The big picture solution is they need to be able to do that but I’m not sure how.
I do have symmetrical gig on fiber. I’m going to do some testing with a pfsense box I have ready to go with a neighbor and see how far I can get. I feel like this is going to be a fairly deep rabbit hole, but a fun learning experience for me.
No data cap on the current ISP. And it’s really just two other locations. Three of us are at my home, two at another home, and 1 at a home on their own.