VM blocking Netflix?

Is Virgin Media blocking access to Netflix on it's ShoddyHub?

At a relative's place who have VIVID200 and the SuperHub 3.0 I tried Netflix to find out it doesn't work. Fast.com doesn't do the speed test. Realised all packets sent to Netflix.com are lost.

Ran diagnostics on the VM site, on the Hub, restarted the Hub. Issue persists.

Put Hub in Modem mode and connected an old Cisco router, and wow, Netflix works now!

I cannot believe it is intentional, most likely a local problem.

Virgin Media will be peering directly with Netflix OpenConnect and using their caching appliances to reduce transit costs. See https://openconnect.netflix.com/en_gb/

All fine here in Derry, N.Ireland...

Thanks for the link.
Perhaps it works when I set up my own router because I set it to use Google DNS, whereas the SH3 doesn't have any custom DNS settings.

Or it's the persistent PUMA chipset stuff that is plauging their equipment...

I've had to take my own router off as it is old and doesn't have 802.11AC, but as soon as I set the SH3 to Router mode, Netflix stopped working again!

Going to have to spend some time ringing them up, I guess!

Possible that for one reason or another Netflix have blocked your IP, this can occur if someone prior had your IP and was doing something strange e.g. your IP was part of a denial of service against the site.

When in modem mode, it will give you a different IP, hence why it likely works then.

That's my immediate thought chain anyway.

I've written on the VM support forums and provided them with a tracert, someone suggested Netflix IS blocking the IP, so I contacted Netflix support who said they don't block IP's and for me to contact the ISP to get them to "reset the DNS" (doesn't sound right to me!). I've no time to call VM yet but when I do I'm sure it'll be a fun couple of hours wasted talking to idiots who keep asking me to reboot my equipment

Fine here. They can hardly block it when they use their internet system to deliver it to the Tivo.

So I was told when mine didn't work - it's all in the SH3 now for each system.

Virgin Media told me (after an hour on the phone going through the router reset charade) it's Netflix blocking the IP because it doesn't recognise the region (I think this is false, it worked fine before with this same IP). They said many other customers are having this issue and it would be resolved within a week. An arbitrary number given how we've had this issue for months now.

I then contacted Netflix who were going to call back with their "research team" and they have, a few days ago, spent 3 hours on the phone with me doing some WIreshark and other tests.

Turns out that Virgin Media is blocking secure connections on port 443 and this is why I can't use the service.

I have yet to contact VM about it, just don't have the time yet.

I've had issues with Netflix for a while, not that it don't work but servers sometimes won't connect, whilst others will.... I personally think it it might be routing issues or peering failures/congestion maybe.

In reply to a post by Saltank:

Turns out that Virgin Media is blocking secure connections on port 443 and this is why I can't use the service.

But I can use USENET on port 443 with SSL and no problems?

Isn't that odd?

if Virgin Media was blanket blocking port 443 then web browsing would be broken for many sites, and no-one would be doing online banking so clearly this is incorrect info or only affecting Netflix e.g. a problem with the CDN

In reply to a post by MrSaffron:

if Virgin Media was blanket blocking port 443 then web browsing would be broken for many sites, and no-one would be doing online banking so clearly this is incorrect info or only affecting Netflix e.g. a problem with the CDN

Reminds me of the 1999 to 2002 era with NTL cable where they "played" with proxy caches. Often if the proxy went down all web (80 and 443) would fail, even though 443 couldn't be cached.

For capacity reasons the VM domestic network will be regional, and it could be a fault in a regional centre.

In reply to a post by MrSaffron:

if Virgin Media was blanket blocking port 443 then web browsing would be broken for many sites, and no-one would be doing online banking so clearly this is incorrect info or only affecting Netflix e.g. a problem with the CDN

Exactly what I was thinking - 443 is SSL full stop.

In reply to a post by 23Prince:

Exactly what I was thinking - 443 is SSL full stop.

Er, to be accurate, 443 is secure HTTP (https). SSL is obsolete and insecure, replaced by TLS, and hopefully 1.1 or better version 1.2. You can easily use TLS on any other protocol, such as POP or IMAP as well.

In reply to a post by jchamier:

In reply to a post by 23Prince:

Exactly what I was thinking - 443 is SSL full stop.

Er, to be accurate, 443 is secure HTTP (https). SSL is obsolete and insecure, replaced by TLS, and hopefully 1.1 or better version 1.2. You can easily use TLS on any other protocol, such as POP or IMAP as well.

right okay well - same thing to me.

In reply to a post by 23Prince:

In reply to a post by jchamier:

In reply to a post by 23Prince:

Exactly what I was thinking - 443 is SSL full stop.

Er, to be accurate, 443 is secure HTTP (https). SSL is obsolete and insecure, replaced by TLS, and hopefully 1.1 or better version 1.2. You can easily use TLS on any other protocol, such as POP or IMAP as well.

right okay well - same thing to me.

SSL is deprecated. There's a large difference between SSLv2 and TLSv1.2. From a security perspective SSL versions should not be used. We regard the use of SSLv2/v3 a High Risk finding for client work, which is the same risk ranking we give transmission of usernames and passwords over HTTP (ie no encryption) or management of a network device over TELNET (again no encryption). In effect we are saying use of these legacy protocols is akin to not encrypting what-so-ever and often times worse since it can give a false sense of security and lure a user into entering a password / username they would not enter on an unencrypted form.

Edited by ukhardy07 (Sat 17-Mar-18 17:05:49)

yup.. ok

It didn't seem like all packets over 443 were being blocked, just the encrypted ones, and the ones which I thought were directly trying to display content from Netflix' local servers at Virgin Media's locations all over London. For example ipv4-c016-rom001-ix....... and occ-0-784-778.1.nflxs....... Here's a screenshot

Netflix said they have had issues with the SuperHub 3.0 in particular but I think it's up to me now to chase Virgin Media for a resolution as they don't know what to do it seems.

"It didn't seem like all packets over 443 were being blocked, just the encrypted ones"

If that was the case then online banking would not work, since it relies on HTTPS transport over 443 as well as many other things.

If somehow they are blocking encrypted 443 packets for just one service, that might suggest some interception and certificate checking. Or a certificate is invalid, i.e. out of date

The certificates (or at least one of them!) seems to check out

And if it was a problem then wouldn't all users be having the same issue? :/

Still haven't had time to call VM and find out what's going on, a week ago they promised it will work today. Alas it hasn't been resolved, obviously.

To add some input, port 443 is the port used to securely transmit almost all data online. It by default is encrypted, so there are no packets going through unencrypted.

The statement "It didn't seem like all packets over 443 were being blocked, just the encrypted ones" cannot be true therefore, as if it's not encrypted it will go via a different port e.g. port 80. What Netflix have convinced you of here does not seem accurate.

If we go back to basics, if you connect just one device (ideally a phone or iPad type device that is less likely to have any kind of malware), and disconnect everything else, does Netflix still not work?

You got any custom DNS, malware protection, firewalls, edited any router settings beyond factory settings?

Here is the most likely answer:
1. Virginmedia is not blocking netflix - imagine the uproar if every customer could not use it.
2. Virginmedia is not blocking port 443 - port 443 is used by many things, netflix, online banking, instagram, facebook, twitter, snapchat, dropbox etc - if we assume they are blocking port 443 we are to believe virginmedia users can basically not use their internet. Again imagine the uproar.

I think time to go back to the drawing board on this one. To rule out the machine, can you set a phone up as a hotspot and confirm it works fine via that? ie outside the virginmedia network.

Edited by ukhardy07 (Sun 18-Mar-18 20:29:55)

Hi,

Have you tried to set the DNS Server IP address of the network card to Google's DNS? This would override to DNS Server IP address received from the Superhub 3.0ac.

HTH,

Yes, as one of the troubleshooting steps this is what I've tried on multiple devices. Can't change the DNS on the SH3 though.

In reply to a post by ukhardy07:

To add some input, port 443 is the port used to securely transmit almost all data online. It by default is encrypted, so there are no packets going through unencrypted.

The statement "It didn't seem like all packets over 443 were being blocked, just the encrypted ones" cannot be true therefore, as if it's not encrypted it will go via a different port e.g. port 80. What Netflix have convinced you of here does not seem accurate.

If we go back to basics, if you connect just one device (ideally a phone or iPad type device that is less likely to have any kind of malware), and disconnect everything else, does Netflix still not work?

You got any custom DNS, malware protection, firewalls, edited any router settings beyond factory settings?

Here is the most likely answer:
1. Virginmedia is not blocking netflix - imagine the uproar if every customer could not use it.
2. Virginmedia is not blocking port 443 - port 443 is used by many things, netflix, online banking, instagram, facebook, twitter, snapchat, dropbox etc - if we assume they are blocking port 443 we are to believe virginmedia users can basically not use their internet. Again imagine the uproar.

I think time to go back to the drawing board on this one. To rule out the machine, can you set a phone up as a hotspot and confirm it works fine via that? ie outside the virginmedia network.

It is 100% the SH3 as my Netflix works everywhere else (LTE or WiFi). It's not the machine, but the modem/router itself, as Netflix on multiple devices doesn't work through it. I've tried 4 different methods of accessing the service to no avail.

It sounds to me like your IP address has been blocked. Netflix is unique in the way that it has it's data at the ISP level. This means when you access Netflix, you are not actually getting data from Netflix's servers, but instead you are using servers that the ISP (VM in your case) has set aside for Netflix.

It might be an idea to contact VM and ask them for a new IP address and see what difference that makes (I'm pretty sure that will cure it).

I know this might seem very odd, but could this simply be down to the Mac address of the device you are trying to use ?
Saying this because i have a TV that was linked to Netflix and for a couple of months i subscribed. That TV's Netflix app won't let me look at Netflix now unless i re-subscribe. I also have a 4k bluray player that has never been connected to Netflix. Just signed up to Netflix on that player for the months free trial. Obviously it's still the same IP as the tv, the only difference is the Mac address of the device.
As the app itself is installed on a device by device basis, could that be the real issue here ?

As it's effecting all of their devices connected to their VM connection, it would not be the Mac address that is blocking Netflix (Mac addresses are unique to each device).

In reply to a post by robertcrowther:

It sounds to me like your IP address has been blocked. Netflix is unique in the way that it has it's data at the ISP level. This means when you access Netflix, you are not actually getting data from Netflix's servers, but instead you are using servers that the ISP (VM in your case) has set aside for Netflix.

It might be an idea to contact VM and ask them for a new IP address and see what difference that makes (I'm pretty sure that will cure it).

I've tried two times now and they say they can't because it's "dynamic" but I guess that's as much as the tech support in India can do. have yet to call them back and ask to elevate the ticket.

If you've got a VM shop near you (not one of those kiosk's they have in shopping centres) they will be able to do it for you.