Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 25 Jul 2011 14:07:02 -0400
From:      John Nielsen <lists@jnielsen.net>
To:        Randy Bush <randy@psg.com>
Cc:        FreeBSD Net <net@freebsd.org>
Subject:   Re: netflix from japan
Message-ID:  <D1FE4BEB-7DE0-44B0-A2F0-B7AE7D40DB7E@jnielsen.net>
In-Reply-To: <m2oc0kss6m.wl%randy@psg.com>
References:  <m2oc0kss6m.wl%randy@psg.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Jul 23, 2011, at 3:38 PM, Randy Bush wrote:

> netflix streaming is not allowed to japan where we live.  i can tunnel
> to a server in one of my racks in the states.  the tokyo border is a
> soekris running FreeBSD 8.  it will kinda look like
>=20
>               .------------------------------.
>               |                              |
>               |                     b --wlan0| ......  Apple TV
>               |                     r        |
>    WAN IIJ    |                     i --- vr1|
>    PPP/NAT ---|vr0[PPPoE][ppp]tun0--d        | 192.168.0.0/24
> Public IP Addr |                     g --- vr2| LAN hosts,
>               |                     e        | DHCP Clients
>               |                     0 --- vr3| ...
>               |                              |
>               `------------------------------'
>=20
> ---
>=20
>    % cat /etc/ppp/ppp.conf
>    iij:
>     set device PPPoE:vr0
>     set MRU 1454
>     set MTU 1454
>     accept CHAP
>     enable lqr
>     add default HISADDR
>     nat enable yes
>     nat port tcp 192.168.0.33:51332 51332
>     nat port udp 192.168.0.33:51332 51332
>     nat port tcp 192.168.0.12:22 42022
>     set authname foo
>     set authkey bar
>=20
> ---
>=20
> there seem to be at least two sets of problems
>=20
>  o what are the ip addys and ports involved in netflix streaming =
set-up
>    and delivery?
>=20
>  o how to tunnel just those to/from a server in the states?
>=20
> anyone with suggestions?

I use my FreeBSD router at home for similar purposes from time to time =
(getting past draconian firewalls, working around various types of =
broken-ness in public WiFi networks, etc). I don't have many specific =
comments on your setup outlined above, but I hope that outlining my =
approach will give you some ideas.

On the side with "good" (unrestricted, etc) connectivity (home, in my =
case):
FreeBSD router w/ public IP.
NAT - I use IPFW but any solution should work
OpenVPN running as a TCP server on port 443 (for maximum chance of being =
reachable through draconian firewalls). Other VPN / tunneling solutions =
should work here. For some types of traffic (like streaming video) TCP =
is not ideal so if you don't have firewall issues use UDP and a more =
standard port.
NAT should be configured to work with VPN traffic.


On the restricted/broken side:
Any computer/OS that supports OpenVPN or whatever VPN/tunneling solution =
you use (FreeBSD, Linux, Mac, Windows, jailbroken iPhone...). This can =
be set up on a single device (laptop, etc) or on a router/gateway =
machine so the whole network benefits.
For somewhat restrictive but otherwise decent networks:
	Establish VPN connection
	Add static route(s) for restricted IP's using VPN server =
internal IP
For really broken networks, route ALL traffic through VPN:
	Use IP (not DNS name) for server in VPN config)
	Establish VPN connection
	Add static route using local gateway for VPN server external IP
	Delete existing (local) default gateway
	Add VPN server internal IP as default gateway
	Use VPN server or other known good server for DNS
There are some in-between combinations as well; just make sure to think =
about DNS and leave a working route for your VPN packets to follow.

Works like a charm, but keep in mind that the VPN download speed is the =
server side's upload speed. More of an issue for my home connection than =
for a datacenter link I imagine. To get your questions answered I would =
suggest setting up a general solution (get the VPN/tunnel and NAT =
working between your two gateways) and then do some experimenting. You =
could maybe start by forwarding all traffic from the LAN over the =
tunnel, start tcpdump on your local gateway, and fire up a show on the =
Apple TV. Then analyze the result--pay attention to the DNS requests as =
well as the actual data streams. Probably easiest just to identify the =
IP's being used then use whois to extrapolate them to IP blocks. Add =
static routes that use your tunnel for the IP ranges you identify. =
Repeat as needed.

If you want to be more specific than that (route based on LAN source IP =
or specific IP/port combinations) you should look in to using setfib and =
friends (possibly within your firewall ruleset).

HTH,

JN




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?D1FE4BEB-7DE0-44B0-A2F0-B7AE7D40DB7E>