For a couple of days my wife has been complaining Netflix hasn’t been working on our Nvidia Shield TV device (which I LOVE, by the way). So last night after she is going through full-on House-of-Cards withdrawal, I verify on the devices in our home that we are indeed being blocked because Netflix’ system claims we are using a proxy.
Backgrounder: as most of you know, I work in IT, as some of you may not: I started one of Ontario’s first Internet Service Providers in the mid 90s. I know a thing or two about the Internet, networking, proxies, VPNs, etc.
I phoned their support. They seem like nice folks but they are woefully underequipped to deal with and troubleshoot what happened to me. And they aren’t straightforward with any answers from a technical perspective. Although, the “supervisor” told me he was “Netflix certified” (congratulations by the way, I’m sure that will work out great on your resume). I was explaining that my wife was pretty p’d off, they had me try to stream on another device, and after it too said it was blocked they concluded without a doubt I was using a proxy. “Or my ISP was”. Huh? At this point, I’m furious and tell them to cancel the service. If Netflix is going to go all commando and start indiscriminately blocking people with no way to resolve “false positives” then it is a company I no longer want to deal with, there are alternatives.
So in postmortem I’m trying to decide what exactly had me flagged as using a proxy..
1) I’m using a static IP from my Internet service provider, the whois data shows that it is a Toronto registered IP range. However, it is a small ISP provider. The Netflix support bros balked at my suggestion it could be an IP address misclassification, and told me if it was I had no avenue to resolve this “except through my ISP”.
2) I know my ISP very well, in fact, I have admin access to the Ciscos they use for their L2TP tunnel termination from Bell Canada’s AGAS system (for providing DSL local loop access), and I’ve helped them re-implement their authentication system. I also know the datacentre they are located in at 151 Front Street, and the provider they use, and they are most definitely NOT using a proxy or any other kind of method to falsify the geographic location of their customers.
3) I DO have a VPN at home for my day job (I work from home) – however, it is behind a NAT firewall and only two devices are plugged into it: my work laptop, and my Cisco VoIP phone, and it has no wireless.
4) And this one is interesting, maybe. The reason I have a static IP address from my ISP is for an IPSEC tunnel to a nearby datacentre where I have a bunch of servers colocated. The tunnel provides me with connectivity to my private network at the site for management, and also to do things like offsite backups.
So there are two possibilities here (neither of which I can seem to put forward to them because they don’t appear to have a publicly listed email support address, and their phone support people are very ignorant, clearly). Possibility A) is that they have misclassified the IP address as a “colo IP” – since that’s where proxy services usually put their hardware, or possibility B) they run NMAP or some other scanner against the IPs their users connect from and look for VPN ports. In this case, it is probably that isakmp Port 500 UDP shows up on my static IP address.
In either case, to avoid false positives it would be prudent on their end to check to see how many UNIQUE users are authenticating from the same IP address. A lot? Yes, then it’s probably either a massive wifi hotspot with a lot of people using Netflix, or a proxy. We use one account here, maybe two if my daughter is visiting.
Feel free to comment below, and if any media wish to reach out to me for a demonstration or additional evidence, feel free. In my opinion it is fraud to cut someone off of a service they are in no way misusing by way of a baseless accusation that they will not provide an avenue of resolution for, and a service for which I’ve already paid up to May 5. I guess they are so big now they just feel they are beyond reproach. Time for them to be disrupted by someone else I guess.