Since Netflix now blocks access for IPv6 traffic from HE.net, I can't watch anything unless I disable the tunnel. An alternative that other people have used successfully is to block outgoing access to the Netflix IPv6 addresses. I've tried that by creating a network group and adding the two IPv6 netblocks that I see my system trying to use, which are:
2406:da00:ff00::/48
2620:108:700f::/48
I've tried applying the rule to the out, in and local rules and none of them seem to work. I either get no IPv6 traffic at all or all IPv6 traffic with nothing blocked.
Here's what I have for the interface:
root@edgerouter1# show interfaces tunnel
 tunnel tun0 {
     address 2001:470:xxx:xxx::2/64
     description "HE.NET IPv6 Tunnel"
     encapsulation sit
     firewall {
         in {
             ipv6-name IPv6_WAN_IN
         }
         local {
             ipv6-name IPv6_WAN_LOCAL
         }
         out {
             ipv6-name IPv6_WAN_OUT
         }
     }
     local-ip xx.xx.xx.xx
     multicast disable
     remote-ip xx.xx.xx.xx
     ttl 255
 }
[edit]
And here's the latest thing I've tried for IPv6_WAN_OUT:
ipv6-name IPv6_WAN_OUT {
    description "IPv6 packets from the LAN to the router"
    rule 21 {
        action drop
        description "IPv6 drop IPv6-BLOCK destination"
        log disable
        protocol all
        source {
            group {
                ipv6-network-group IPv6-BLOCK
            }
        }
    }
    rule 22 {
        action accept
    }
}
What am I doing wrong?
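As an added example that is not part of the original post, the following Python models how a rule set attached to tun0 in the out direction sees a packet leaving the LAN for one of the two netblocks in the post, and compares matching the IPv6-BLOCK group on source (as posted) against matching it on destination. The LAN host and the Netflix host address are constructed sample values, and the default action when no rule matches is assumed to be drop.

```python
# Added example (not from the original post): a minimal model of EdgeOS
# first-match rule evaluation, used to show why an outbound rule that
# matches the IPv6-BLOCK group on 'source' never fires for LAN traffic
# while the same group matched on 'destination' does.
import ipaddress

# The two netblocks from the post, as the IPv6-BLOCK network group.
IPV6_BLOCK = [ipaddress.ip_network(n)
              for n in ("2406:da00:ff00::/48", "2620:108:700f::/48")]


def in_group(addr, group):
    """True if addr falls inside any network of the group."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in group)


def evaluate(rules, src, dst):
    """Return (rule number, action) of the first rule whose match fields
    all hold. A rule is (number, action, {'source'|'destination': group});
    an empty match dict matches every packet, as 'rule 22' does in the post."""
    fields = {"source": src, "destination": dst}
    for number, action, match in rules:
        if all(in_group(fields[f], grp) for f, grp in match.items()):
            return number, action
    return None, "drop"  # assumption: no rule matched -> default drop


# Rule set as posted: rule 21 matches the group on the packet's source.
AS_POSTED = [(21, "drop", {"source": IPV6_BLOCK}), (22, "accept", {})]
# Same rule set with the group matched on the destination instead.
CORRECTED = [(21, "drop", {"destination": IPV6_BLOCK}), (22, "accept", {})]

# Constructed packet leaving tun0: a LAN host (standing in for the
# 2001:470:xxx:xxx::/64 prefix) talking to an address inside the first netblock.
LAN_HOST = "2001:470:1f05:1234::10"
NETFLIX_HOST = "2406:da00:ff00::1"


def as_posted_result():
    # Source is the LAN address, which is never in IPv6-BLOCK, so rule 22 accepts.
    return evaluate(AS_POSTED, LAN_HOST, NETFLIX_HOST)


def corrected_result():
    # Destination is inside 2406:da00:ff00::/48, so rule 21 drops.
    return evaluate(CORRECTED, LAN_HOST, NETFLIX_HOST)


if __name__ == "__main__":
    print("as posted:", as_posted_result())   # (22, 'accept')
    print("corrected:", corrected_result())   # (21, 'drop')
```

In EdgeOS terms this corresponds to placing the ipv6-network-group under destination rather than source in rule 21 of IPv6_WAN_OUT; the posted rule's own description already says "destination".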