Solution on TunnelBroker (HEnet) IPv6 with Netflix and Disney+

So, it's not new that many users have experienced problems after setting up IPv6 internet access: suddenly Disney+ on some TVs stops working (in my case an LG just plainly saying that supposedly the TV is not connected to the internet, and a Samsung saying that the internet connection is not fast enough, error 42).
What really pisses me off is that the official answer from Disney+ support is just to f* up the client's internet connection by disabling IPv6 (what a way to go!)
Anyways, I've remembered that back in the DD-WRT days there were the same problems with Netflix, and for that problem they came out with this set of rules:
ip6tables -I FORWARD -d 2406:da00:ff00::/48 -j DROP
ip6tables -I FORWARD -d 2600:1407:19::/48 -j DROP
ip6tables -I FORWARD -d 2607:f8b0:4001::/48 -j DROP
ip6tables -I FORWARD -d 2620:108:700f::/48 -j DROP
ip6tables -I FORWARD -d 2a01:578:3::/48 -j DROP

So I proceeded with something like that but for Disney+ and I came up with:
ip6tables -I FORWARD -d 2600:1403:5400::/48 -j DROP
ip6tables -I FORWARD -d 2600:9000::/34 -j DROP
ip6tables -I FORWARD -d 2620:10b:7001::/48 -j DROP
ip6tables -I FORWARD -d 2a05:d018:423::/48 -j DROP

In LuCI my setup is like this:
Network->Firewall->Traffic Rules (Add)
General settings
Name: Block-Disneyplusv6
Protocol: TCP, UDP
Source zone: lan
Destination zone: Any zone (forward)
Destination address: 2600:1403:5400::/48, 2600:9000::/34, 2620:10b:7001::/48, 2a05:d018:423::/48
Action: Drop
Advanced Settings:
Restrict to address family: IPv6 only

With this setup I was able to use the app on the Samsung TV without any problems, and on the LG TV I can load the app, but unfortunately playback is still a little bit buggy: sometimes it will play without any problems, other times you have to try to play it 2 to 3 times, but once it's playing it's stable.

I hope that this helps someone, and please let's try to narrow the net ranges (or, if needed, add more ranges) so the solution can be something more stable, without having to block that many networks (some parts are from Akamai).

The cause of the issue could be related to DNS which is routed differently than your IPv6 traffic.

1 Like

I configured my DNS to fake ignorance of IPv6 for specific domains. I'm not actively using Netflix but this should still work.

1 Like

I have followed @vgaetera's advice, but had to go a little further, and since there is little info or guidelines on this matter I decided to post my final solution. Many thanks for pointing me in the right direction.

So as said, I've proceeded as the guide said by creating a DNS hijack rule as:
Network > Firewall > Port Forwards
Name: Intercept-DNS
Protocol: TCP+UDP
Source zone: LAN
External port: 53
Destination zone: Unspecified (other devices are welcome to set Input)

But this will only cover IPv4 DNS queries; a different procedure is necessary for IPv6. For this you will need to install the package "ip6tables-mod-nat" and then put these commands at the bottom, before the "exit 0" line:
System > Startup > Local Startup
ip6tables -t nat -I PREROUTING -i br-lan -p udp ! -d (ROUTER IPv6 ADDRESS LOCATED ON LAN INTERFACE) --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "Intercept-DNS"
ip6tables -t nat -I PREROUTING -i br-lan -p tcp ! -d (ROUTER IPv6 ADDRESS LOCATED ON LAN INTERFACE) --dport 53 -j REDIRECT --to-ports 53 -m comment --comment "Intercept-DNS"

So after all of this, both IPv4 and IPv6 DNS queries are processed by the DNS of the router, so you need to filter the IPv6 addresses of Netflix and Disney+. For this you need to make the config changes through SSH:
Edit /etc/config/dhcp (I prefer using vi)
Add these lines at the bottom of "config dnsmasq"
list address '/netflix.com/::'
list address '/netflix.net/::'
list address '/nflxext.com/::'
list address '/nflximg.net/::'
list address '/nflxvideo.net/::'
list address '/nflxso.net/::'
list address '/disneyplus.com/::'
list address '/bamgrid.com/::'
list address '/bam.nr-data.net/::'
list address '/cdn.registerdisney.go.com/::'
list address '/cws.conviva.com/::'
list address '/d9.flashtalking.com/::'
list address '/disney-portal.my.onetrust.com/::'
list address '/disneyplus.bn5x.net/::'
list address '/disneyplus.com.ssl.sc.omtrdc.net/::'
list address '/js-agent.newrelic.com/::'
list address '/disney-plus.net/::'
list address '/dssott.com/::'
list address '/adobedtm.com/::'
list server '/netflix.com/#'
list server '/netflix.net/#'
list server '/nflxext.com/#'
list server '/nflximg.net/#'
list server '/nflxvideo.net/#'
list server '/nflxso.net/#'
list server '/disneyplus.com/#'
list server '/bamgrid.com/#'
list server '/bam.nr-data.net/#'
list server '/cdn.registerdisney.go.com/#'
list server '/cws.conviva.com/#'
list server '/d9.flashtalking.com/#'
list server '/disney-portal.my.onetrust.com/#'
list server '/disneyplus.bn5x.net/#'
list server '/disneyplus.com.ssl.sc.omtrdc.net/#'
list server '/js-agent.newrelic.com/#'
list server '/disney-plus.net/#'
list server '/dssott.com/#'
list server '/adobedtm.com/#'

1 Like
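
A way to check the DNS filter described above from a LAN client with dig installed, as an added example that is not part of the original posts: it flags any listed domain that still returns a usable AAAA record. The function names, the fake_dig stand-in and the 2001:db8:: addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit AAAA answers for filtered domains.
# Function names, fake_dig and the 2001:db8:: addresses are constructed.

# Classify `dig +short AAAA` output read on stdin:
#   filtered = no answer or only the null address "::"
#   leak     = a real IPv6 address came back
#   error    = dig printed a ";;" diagnostic (timeout, no server reached)
classify_aaaa() {
    result=filtered
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'::') ;;                                   # nothing usable
            ';'*) [ "$result" = leak ] || result=error ;; # dig diagnostic
            *.) ;;                                        # CNAME target
            *:*) result=leak ;;                           # real address
        esac
    done
    echo "$result"
}

# Print "domain status" per domain; return 1 unless all are filtered.
# DIG_CMD can be overridden so the logic runs without network access.
audit_domains() {
    resolver=$1; shift
    rc=0
    for d in "$@"; do
        out=$(${DIG_CMD:-dig} +short AAAA "$d" "@$resolver" 2>&1) \
            || out=';; lookup failed'
        status=$(printf '%s\n' "$out" | classify_aaaa)
        echo "$d $status"
        [ "$status" = filtered ] || rc=1
    done
    return "$rc"
}

# Constructed answers standing in for dig; $3 is the queried name.
fake_dig() {
    case "$3" in
        disneyplus.com) echo '::' ;;
        netflix.com) ;;                                   # empty answer
        bamgrid.com) echo 'edge.example.net.'; echo '2001:db8::10' ;;
    esac
}

demo() {
    DIG_CMD=fake_dig
    audit_domains 2001:db8::53 disneyplus.com netflix.com bamgrid.com
}
```

For a real check, call audit_domains with a resolver address and the domain list, leaving DIG_CMD unset. Pointing it at a resolver outside the LAN also shows whether the Intercept-DNS redirect is catching the query, since an unredirected query comes back as a leak.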
