Ipv6 tunnel + force some webs to use ipv4

I have working ipv6 tunnel (I am using HE) and it is working fine. With one problem - its IP is geo located in US, so I have problem with some services which identify that as proxy.

Typical example is Netflix which says I am using proxy or addblocker.

Is there easy and stable way how to force certain services to use ipv4 instead/block ipv6 for them?

That applies for ipv6 the same as for ipv4, or why should it be different?

Geo fencing, e.g. by Netflix, is based on geo ip (v4/6) databases and/or Autonomous System (AS) numbers

My ipv4 adress is correctly recognized as CZ located so I have no problems with accessing Netflix.

By further research it looks like they are blocking that ipv6 tunnel globally as they identify that as proxy. So only solution could be something like “use ipv6 tunnel to everything except netflix”.

try VPN policy based routing possible? - SW help - Turris forum perhaps since it is a matter of routing (via ISP or via VPN tunnel) rather than of ipv4 vs ipv6

That seems a bit contradictory to the initial statement. To my understanding you are saying that without the tunnel Netflix works but it does not with the tunnel? Which brings back the matter of routing.

If you find out which IPv6 prefixes does the service use, you can block outgoing traffic in the firewall like this:

config rule
    option name 'Avoid IPv6 for Seznam'
    option src 'lan'
    option dest 'wan'
    option proto 'tcp'
    option dest_port '443'
    option dest_ip '2a02:598:6666:1::/64'
    option target 'REJECT'
1 Like

I am really curious about this - blocking outgoing ipv6 traffic then switches the client’s traffic to ipv4?

It depends on client / application what is primary and fallback settings. Important is that if DNS returns just A and not AAAA records then it will use IPv4 even when IPv6 is allowed.

In most cases yes, certainly with web browsers. Some poorly written apps (like openssl s_client) will stop on first failure, but any standard application will try other addresses when first one is unreachable. Because the firewall will actively reject connection, there will be no fallback delay.

Not important at all. If you block outgoing IPv6, then you don’t have to touch the DNS. Filtering AAAA answers in DNS resolver is another solution of this problem, though.

Yes but it’s bit longer because first you ask DNS, receive answer and then you get blocked by firewall. Some apps then don’t retry IPv4 fallback. If you tell them directly AAAA doesn’t exist they go automatically for IPv4. Of course this is only valid if direct IP address is not requested by application.
Ultimate solution is what you proposed of course but with risk of no IPv4 retry as you said.

Blocking the ipv6 traffic via firewall though does not switch the traffic routing between the CZ ISP and the US tunnel remote node.

If the ipv6 tunnel with the US endpoint/ remote node (ip) is up, and unless some split routing is in place, all traffic will exit in the US and the ip, whether v4 or v6, is the same geo location. Same if the tunnel is down and all traffic routes through the CZ ISP.

Or I am missing something?

I just answered your question.

True is that it is not clear to me if @michal has problems with IPv4 over IPv6 hurricane tunnel or with IPv6 tunnel itself or IPv6 over IPv6.

He asked

but nothing about selective routing.

@michal this can be useful maybe? Selective Routing for Netflix | SNBForums
Of course you can’t use it 1:1

1 Like

Right, my bad from the beginning. It was not clear to me that HE is hurrican electric and that tunnel not being a vpn tunnel but the HE ipv6 tunnel (broker).

For that purpose VPN Policy based routing is not a solution then.

1 Like