Bypass Netflix on pfsense

Can you just bypass Netflix so that Netflix does not go through my OVPN? Because when I want to watch a certain series, it says that I have a proxy, VPN or similar.

I am using the latest version of pfSense.

You can just route all traffic on that device's IP address to go out the proper gateway. I'm not sure you can route based on application.

It's a shame, because I just want to let through Netflix where my devices are inside the VPN tunnel.

Do you have a split tunnel VPN?

There is a way to do this… it works with Netflix, but it does not work with Prime; Netflix is one of AWS's largest clients.

My first step was to install the AWS for Powershell modules. Once the PS modules are up and running, you can poll the various AWS regions for a listing of their servers. Since I live in California, I poll the AWS West and Northwest regions for the list of IP addresses I need.

I created an alias for Netflix IPs, and directed pfSense to poll a URL on a local intranet for the listing that populates the alias with the Netflix server IPs.

Then configure a Gateway Group in pfSense… one for your WAN and one for your VPN. (This piece is the secret sauce that makes it all work!) Create a firewall rule that says if the traffic on xyz network is destined for one of the IPs listed in the Netflix alias, go out the WAN; otherwise route the traffic out the VPN.

I scratched my head on this one for a while. If you need more info, let me know.

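The post above describes building the alias from AWS's published address ranges and serving the list from an intranet URL so that a pfSense URL Table alias can fetch it. The following is an added example, not code from any poster in this thread: instead of the AWS Tools for PowerShell modules the poster used, it reads the same data in the JSON form AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json, filters it to the regions of interest, merges adjacent prefixes so the alias stays small, and renders one CIDR per line for the alias to fetch. The `SAMPLE_IP_RANGES` document is constructed from documentation ranges, the region names are the ones a Californian would pick, and the intranet filename is an assumption. The `covering_prefix` helper is the check to run when a device that is supposed to bypass the VPN still fails: it tells you whether a given server address is inside the alias at all.

```python
import ipaddress
import json
import urllib.request

# Constructed sample in the shape of AWS's ip-ranges.json. The prefixes are
# RFC 5737 / RFC 3849 documentation ranges, not real AWS allocations. In the
# real file the "AMAZON" service key is a superset of the others (so an EC2
# range also appears as AMAZON); the duplicate below mirrors that.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24",  "region": "us-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25",   "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",     "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32",  "region": "us-west-2", "service": "AMAZON"},
    ],
})

AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"


def fetch_ip_ranges(url=AWS_IP_RANGES_URL, timeout=30):
    """Download the live ip-ranges.json text (only used when run for real)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def select_prefixes(ip_ranges_json, regions, services=("AMAZON",), include_ipv6=False):
    """Return the CIDRs announced for the given regions/services, de-duplicated
    and collapsed (adjacent or overlapping networks merged), sorted v4 then v6."""
    data = json.loads(ip_ranges_json)
    v4, v6 = set(), set()
    for entry in data.get("prefixes", []):
        if entry["region"] in regions and entry["service"] in services:
            v4.add(ipaddress.ip_network(entry["ip_prefix"]))
    if include_ipv6:
        for entry in data.get("ipv6_prefixes", []):
            if entry["region"] in regions and entry["service"] in services:
                v6.add(ipaddress.ip_network(entry["ipv6_prefix"]))
    # collapse_addresses refuses mixed versions, so merge each family on its own.
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(net) for net in merged]


def render_url_table(cidrs):
    """One network per line: the plain-text format a pfSense URL Table alias fetches."""
    return "".join(f"{cidr}\n" for cidr in cidrs)


def covering_prefix(cidrs, address):
    """Return the alias entry that covers `address`, or None when the alias does
    not contain it (such traffic falls through to the catch-all VPN rule)."""
    ip = ipaddress.ip_address(address)
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            return cidr
    return None


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_ip_ranges()
    # and save the output where your intranet web server publishes it, e.g.
    # http://intranet.example/netflix_aws.txt (hypothetical URL).
    cidrs = select_prefixes(SAMPLE_IP_RANGES, regions={"us-west-1", "us-west-2"})
    print(render_url_table(cidrs), end="")
    print("# 203.0.113.200 covered by:", covering_prefix(cidrs, "203.0.113.200"))
    print("# 192.0.2.10 covered by:", covering_prefix(cidrs, "192.0.2.10"))
```

Two points worth keeping in mind when wiring this into pfSense. First, the policy-routing rule that matches the alias as destination and sets the WAN gateway has to sit above the rule that sends everything else out the VPN, because rules are evaluated top down and the first match wins; anything not in the alias quietly takes the VPN path, which is exactly the failure mode you get when the list is incomplete. Second, AWS ranges cover the parts of a service that run on AWS; Netflix delivers the video streams themselves from its own Open Connect CDN, whose addresses are not in ip-ranges.json, so `covering_prefix` returning None for a streaming server is expected and is the kind of gap a VLAN split avoids.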

This is brilliant.
I am totally new to pfSense. I think it is superb firewall software.

Recently I managed to set up NordVPN in my pfSense setup; it works fine and won't bypass pfBlockerNG nor leak DNS. However, as you state, Prime does not play with a VPN on, nor do other services such as DirecTVGo. So I would like to know if you could (please) tell me in a bit more detail how to achieve such app-specific VPN tunnel splitting.

Thank you.

I do have a VPN service but I don't have any bypass rules. I don't think you can do it such that an application can bypass the VPN.

However, the way I would do it would be to create an alias with the IP addresses that bypass the VPN; in the rules I would add an entry with the destination pointing to the IP address list alias and the gateway set to the ISP WAN.

Personally I'd always recommend VLANs, with devices moving between networks; then you absolutely know where traffic is going, which is less error prone.


Did that, but for some reason Prime and Netflix can't access their servers. On these same boxes, YouTube and DirecTV seemed to work just fine.

To give some context: when running tests in Netflix, it fails to connect to all its servers (e.g. Netflix nw-2-5) but also states there is internet connectivity.

Now that the alias has been created for these two devices and is pointing to the WAN as gateway, why have Netflix and Prime stopped having access to their servers?

Presumably you have to find all the IP addresses that Netflix and Prime use.

No. Actually, I am trying to learn and apply VLANs and hopefully be able to split the streaming devices from those using the VPN.