
Thread: Netflix vs. QoS

  1. #1
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Netflix vs. QoS

    Help.

    I just stumbled on the fact that bypassing three different devices in order to get their traffic shaped by QoS causes Netflix to break. It used to work in my home quite nicely, for years. They broke during this past year, prior to my recent 12.1.1/12.1.2 updates. I can't identify any common landmarks, in fact the Roku streamer stopped working months after the first Blu-ray quit.

    I replaced the Blu-ray player, blaming the issue on Sony. The new one worked only because I was lazy and didn't create a new Bypass rule for it - until tonight.

    The Roku is on Wi-Fi. The Sony Blu-ray player is wired. The NGFW is the router on a single /24 network, with the Wi-Fi AP on the inside.

    I am using Lite applications.

    The QoS custom rules are by the static IP addresses. The QoS priorities for the High priority these two devices are assigned to have Upload reservation of 33%, limit of 75% and Download Reservation of 33%, Limit of 75%.

    Edit: It turns out, it is bypass alone that is causing the trouble. Disabling the QoS Custom Rules does not allow Netflix to work. The specific Netflix Error is NW-8-17.

    This makes no sense to me. My next step would be to put Wireshark on it, but I am not ready to start dissecting packets.
    Does anyone have any bright ideas, before I get into that?

    Thanks, Jim A.
    Last edited by Jim.Alles; 12-10-2016 at 10:45 PM. Reason: further testing

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    I have a bypassed bluray player, and smart TV that are working just fine. My wife and kids would murder me in my sleep if that stuff stopped working so I feel your pain.

    Can you access Netflix from any other device?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Well, yeah. And from there it is straightforward break/fix. If I bypass the desktop computer IP address, I can't load https://www.netflix.com/. Period. Chrome or IE.

    I only need one bypass rule (source).

    I am not tunneling IPv6. No VPN involved. OpenDNS is enforced.

    I am beginning to wonder if it has anything to do with their DRM and EME.


  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    Yeah, but this desktop I'm on now isn't bypassed, and it works. The Blu-ray player in the living room is bypassed and it works too.

    The error indicates a connection fault, so I'm wondering if you're not just having issues with the ISP's peering, but why a bypass would seem to trip that up is beyond me.

    I mean, it's not like the UVM can make a connection unless the kernel can maintain it, and all bypass does is get the UVM out of the way so the kernel can go to town.

    What are you using for DNS?
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    internal, dnsmasq
    208.67.222.222
    208.67.220.220

    Comcast is the ISP
    If you think I got Grumpy

  6. #6
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    a clue?

    https://www.flashrouters.com/blog/20...-vpn-smartdns/
    According to TorrentFreak among others, the Netflix app began to force or hardcode a Google DNS lookup. To the average user this means nothing. But for the enraged, this meant that the Netflix app now prevents being tricked by DNS masking tools.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    If that's the case, you may have an ISP that's messing with DNS queries to Google, and that's what's breaking it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    That is probably the difference between our two networks; I block all DNS queries to the outside, except from dnsmasq. And dnsmasq is set to OpenDNS - for their domain filtering.

    But Bypass should have no effect.

    And even when Netflix is working (host not bypassed), there is no UDP port 53 traffic leaking out to Google DNS.
    I am now wondering how can Netflix work, at all - inverting my complaint.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    I wonder if the same hack the streamers use will fix you then...

    static route 8.8.8.8/32 -> local IP of Untangle.

    Repeat for 8.8.4.4

    That should redirect traffic without them impacting your filter rules.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,798

    Quote, originally posted by Jim.Alles:
    That is probably the difference between our two networks; I block all DNS queries to the outside, except from dnsmasq. And dnsmasq is set to OpenDNS - for their domain filtering.

    But Bypass should have no effect.
    How are you accomplishing the DNS block? If it is via the firewall in the rack, then bypassing those devices will suddenly allow them to use a different DNS, which could end up hijacked by your ISP.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty
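
An added example, not part of any post in this thread: one way to check the question raised in posts #8 to #10, namely which clients send DNS queries to a resolver other than the firewall's dnsmasq, and whether those clients are bypassed. The resolver address, the bypass list and the capture lines are constructed assumptions; the line format is that of `tcpdump -n` text output for UDP DNS.

```python
import re

# Assumptions (not from the thread): LAN address of the firewall running
# dnsmasq, and the set of hosts that have a Bypass rule.
ALLOWED_RESOLVERS = {"192.168.1.1"}
BYPASSED_HOSTS = {"192.168.1.60"}

# A UDP DNS query as printed by `tcpdump -n port 53`, for example:
# 21:14:03.101 IP 192.168.1.50.40112 > 192.168.1.1.53: 4660+ A? www.netflix.com. (33)
# Responses do not match because their destination port is not 53.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%*-]* (?:\[\w+\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed sample capture (addresses and timings are illustrative only).
SAMPLE_CAPTURE = """\
21:14:03.101 IP 192.168.1.50.40112 > 192.168.1.1.53: 4660+ A? www.netflix.com. (33)
21:14:03.140 IP 192.168.1.1.53 > 192.168.1.50.40112: 4660 2/0/0 A 198.51.100.10, A 198.51.100.11 (65)
21:14:05.220 IP 192.168.1.60.51877 > 8.8.8.8.53: 9021+ A? www.netflix.com. (33)
21:14:06.221 IP 192.168.1.60.51877 > 8.8.4.4.53: 9021+ A? www.netflix.com. (33)
21:14:09.900 IP 192.168.1.60.38810 > 192.168.1.1.53: 117+ [1au] AAAA? www.netflix.com. (44)
"""


def audit_dns(capture, allowed=ALLOWED_RESOLVERS, bypassed=BYPASSED_HOSTS):
    """Return, per client, the off-policy resolvers it queried.

    A query is off-policy when its destination is not in `allowed`.
    Each entry also records whether the client is on the bypass list,
    since a bypassed host is the case the thread is trying to explain.
    """
    report = {}
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["dst"] in allowed:
            continue
        entry = report.setdefault(
            m["src"],
            {"bypassed": m["src"] in bypassed, "resolvers": set(), "names": set()},
        )
        entry["resolvers"].add(m["dst"])
        entry["names"].add(m["qname"])
    # Sort for stable, readable output.
    return {
        src: {"bypassed": e["bypassed"],
              "resolvers": sorted(e["resolvers"]),
              "names": sorted(e["names"])}
        for src, e in report.items()
    }


if __name__ == "__main__":
    for client, info in audit_dns(SAMPLE_CAPTURE).items():
        print(client, info)
```

Run it over a capture taken on the LAN-side interface with the host bypassed and again with the Bypass rule removed; a client that appears only in the bypassed run is reaching an outside resolver because of the bypass.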
