Blocking Netflix IPv6 on Internode using a Mikrotik

Update 9/3/2016: It seems this triggers the VPN-detection mechanism on Netflix’s services, blocking access to all streaming. Thankfully it seems Internode has worked out how to make Netflix content unmetered on IPv6, so it’s no longer required!

Currently access to Netflix via Internode is unmetered, but not if you’re using their IPv6 connectivity. I’ve got a Mikrotik router and wanted to see if I could force it down to IPv4 without disabling connectivity for my desktop machine (which I use mainly for Netflix). It seems just blocking one range (currently) is enough:

  • 2001:44b8:b070:25::/64
  • 2001:44b8:b070:26::/64 (added 11/08/15)

I’ll update it as I find out more. Please feel free to leave comments with IP ranges that need blocking. 🙂

It seems if you’re running a DNS server that’s capable of it, you might be able to block AAAA responses for “ipv6*.nflxvideo.net” as the request I was seeing was for “ipv6_1.lagg0.c001.syd001.iinet.isp.nflxvideo.net”. Just another idea.

Implementing firewall rules to block the traffic is fairly simple. Here’s the method.

From the command line (updated 9/3/16 for posterity):

/ipv6 firewall filter
add action=reject chain=forward comment="Netflix megarule" disabled=yes dst-address=2001:44b8:b070:20::/61 \
 reject-with=icmp-address-unreachable
add action=reject chain=forward comment=Netflix disabled=yes dst-address=2001:44b8:b070:24::/62 reject-with=\
 icmp-address-unreachable
add action=reject chain=forward comment=Netflix disabled=yes dst-address=2001:44b8:b070:25::/64 reject-with=\
 icmp-address-unreachable
add action=reject chain=forward comment=Netflix disabled=yes dst-address=2001:44b8:b070:26::/64 reject-with=\
 icmp-address-unreachable
add action=reject chain=forward comment=Netflix disabled=yes dst-address=2001:44b8:b070:29::/64 reject-with=\
 icmp-address-unreachable
add action=reject chain=forward comment="Netflix megarule" disabled=yes dst-address=2001:44b8:9010:23::/64 \
 reject-with=icmp-address-unreachable
add action=reject chain=forward comment=.cbr001.iinet.isp.nflxvideo.net disabled=yes dst-address=\
 2001:44b8:9010:24::/64 reject-with=icmp-address-unreachable

From the interface:

Navigate to IPv6, then Firewall. From the “Filter Rules” tab, click “Add New”.

Fill out these details, ignore everything else. It can’t hurt to add a comment as well.

[Images: blocknetflixipv6a, blocknetflixipv6action]

For both options, remember to move the block up higher in your list than other things which may allow the traffic through.
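The following check is an added example, not part of the original post. It audits the reject prefixes listed above for overlap and models the forward chain as a simple first-match list to show why rule order matters. The allow-all rule and the sample destination address are constructed for illustration, and the rules are treated as enabled.

```python
import ipaddress

# Destination prefixes of the reject rules on this page, in page order.
# The page exports them with disabled=yes; here they are treated as enabled.
REJECT_PREFIXES = [
    "2001:44b8:b070:20::/61",
    "2001:44b8:b070:24::/62",
    "2001:44b8:b070:25::/64",
    "2001:44b8:b070:26::/64",
    "2001:44b8:b070:29::/64",
    "2001:44b8:9010:23::/64",
    "2001:44b8:9010:24::/64",
]
ALLOW_ALL = ("accept", "::/0")       # constructed stand-in for an earlier allow rule
SAMPLE_DST = "2001:44b8:b070:25::1"  # constructed host inside a blocked /64


def shadowed(prefixes):
    """Map each prefix to the broader listed prefixes that already contain it."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    result = {}
    for net in nets:
        covers = [str(other) for other in nets if other != net and net.subnet_of(other)]
        if covers:
            result[str(net)] = covers
    return result


def first_match(chain, dst):
    """Return the action of the first rule whose prefix contains dst."""
    addr = ipaddress.ip_address(dst)
    for action, prefix in chain:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "accept"  # assumption: nothing later in the chain rejects the packet


if __name__ == "__main__":
    rejects = [("reject", p) for p in REJECT_PREFIXES]
    for prefix, covers in shadowed(REJECT_PREFIXES).items():
        print(f"{prefix} is already covered by {', '.join(covers)}")
    print("allow rule first:  ", first_match([ALLOW_ALL] + rejects, SAMPLE_DST))
    print("reject rules first:", first_match(rejects + [ALLOW_ALL], SAMPLE_DST))
```

The /61 "megarule" spans :20 through :27, so it already covers the /62 and the :25 and :26 /64 rules, while :29 and the two 9010 prefixes still need their own entries.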