Skip to content

American Netflix on any device without VPN or site-wide DNS changes – using pfSsense

by Finn Espen Gundersen on April 14th, 2014

It seems like everyone is finding ways to watch American Netflix content. While it is easy with one of many plugins on the computer, it gets harder on devices such as iPad or PS3 and even more so on Chromecast with its hard-coded google DNS. Some people will also want a solution for the home router, covering all devices at once.

The most common fix is to get a VPN. Usable from the computer, iPad, Chromecast or a sufficiently advanced router, a VPN routes your traffic through a server in the US. The main drawback is speed. Most VPN providers are over-subscribed and, in general, it will be hard to get Super HD streaming – at least with any stability and on more than one device. You will also want to separate your other browsing traffic from the VPN to avoid the speed loss, and avoid having all websites think you are from the US. All in all, a solution with drawbacks.

Another common fix is to get a custom DNS provider such as unblock-us.com or unotelly.com. After the extremely easy sign-up you just change your DNS server settings to point to theirs. The custom DNS will return the addresses to their own US-based servers (reverse proxies) for all Netflix-related lookups. All other traffic flows normally.

This avoids the speed loss of a VPN as the actual streaming goes directly from Netflix’s servers to your home. It also does not affect your other web traffic. Usually a cheaper service than a VPN, this seems like the perfect solution. It does, however, have a slight security implication: the DNS provider can see all your lookups and could in theory log or divert some of it.

What we want is to divert only relevant lookups to the proxy provider’s DNS. This is accomplished in pfSense by adding a domain override in the DNS Forwarder. The web gui for the domain override adds wildcards, so an entry for netflix.com will also cover all subdomains. We accomplish our task by adding the following to Services | DNS Forwarder | Domain Overrides and making sure the box “Query DNS servers sequentially” is checked:

netflix.com 208.122.23.23
netflix.net 208.122.23.23
rhapsody.com 208.122.23.23
pandora.com 208.122.23.23
hulu.com 208.122.23.23

The IP address is for the DNS server of unblock-us. Only the first two lines are necessary for Netflix, the others are for Rhapsody, Pandora and Hulu.

For the unbehaving Chromecast, with its hard-coded Google DNS, we are forced to add a NAT rule to reroute all DNS requests. In Firewall | NAT | Port Forward, add a new rule with these settings:

RDR: Unchecked
Interface: LAN
Protocol: UDP/TCP
Source: IP of your Chromecast
Source port: any
Destination: any
Destination port: DNS (53)
Redirect target IP: the DNS server of unblock-us or similar service
Redirect target port: DNS (53)

Chromecast pfSense NAT

All in all this is a perfect solution. Switching regions can be done either in the DNS provider’s web interface, or by disabling the pfSense settings.

From → FreeBSD, Webtech

7 Comments
  1. Lisa Reardon permalink

    The DNS option is better than using a VPN regarding content streaming because you can achieve direct connection with the media station ex. hulu and avoid the “middle-man”. Personally, I am using UnoTelly which is similar to Unblock-us. Perhaps you should check UnoTelly as well if you haven’t done so.

  2. For a better understanding of how to use VPN or DNS Proxies to change/unblock American Netflix see https://thevpn.guru/netflix-proxy-region-how-to-change-dns-vpn

  3. Scarlett Snow permalink

    That’s a good article Finn. I personally prefer UnoTelly. It’s similar to Smart DNS Proxy but they offer a DNS server close to physical location and I can achieve better performance.

  4. Abhainn permalink

    Use VPN to unlock these restriction Its easy to install and use from pc, laptop and smartphones try https://www.onevpn.com/streaming-vpn/

  5. Kenneth permalink

    I’m quite new to pfSense so blogs like yours were extremely helpful when I was getting started.
    I had NAT rule set up and it used to work for me. Happily using my appletv with Getflix for several months. All of a sudden (maybe a couple of weeks ago) it doesn’t anymore.
    I tried changing the source from the alias i had been using all this while to my device IP address but still didn’t work.

    It seems like the NAT port forward rule is being ignored.
    I wonder if it’s caused by a pfSense update? I’m using 2.4.4 release p2.
    I wonder if it’s because the redirect target IP actually cannot be an external IP?

    I’m kinda at a loss where to even start checking.
    Device IP is not changed and I checked DHCP leases (device IP is static mapped)

    Domain overrides works, but I want only specific devices to use the smartDNS server.

    • Patrick permalink

      You need to create aliases for the devices and then reference the alias when creating the rules.

Leave a Reply

Note: XHTML is allowed. Your email address will never be published.

Subscribe to this comment feed via RSS