Sorry this is a bit long. Trying to convey all the troubleshooting I did.
I've been using XG for a few weeks now and everything is reasonably fine tuned to support my usage. Whenever I run into a site blocked by my rules, I create an FQDN host definition for that site, add it to a "Trusted Sites" FQDN Group, and all is well. My wife even has a set of instructions I made for her to follow this process and open up the occasional blocked site she runs into.
My firewall rules essentially go like this (in order):
1.) Streaming bypass - If any LAN client on the A/V VLAN is accessing a "Trusted Site" or a site in the USA, allow it, and do not do any HTTP/HTTPS malware scanning or apply any web filter policy. This is how our streaming devices are able to use Netflix, Hulu, etc. Eventually I might cut down the rule to only allow a list of "streaming sites" instead of leaving it so open...
2.) FQDN whitelist - If any LAN client is accessing a "Trusted Site", allow it, but enforce HTTP/HTTPS malware scanning and web filtering policy.
3.) Allow all USA - If any LAN client is accessing a site in the USA, allow it, but enforce HTTP/HTTPS malware scanning and web filtering policy.
4.) Drop all and Log - does exactly what it says. :) If it's not in the USA and not in the Trusted list, it's blocked.
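The four rules above, modelled as a first-match rule engine. This is an added example, not code from the post or from Sophos; it assumes a matching model in which the firewall resolves each FQDN host object itself and compares the connection's destination IP against the addresses it cached for that name. The VLAN names, IP addresses, country assignments and DNS cache entries are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data; none of these addresses, countries or cache
# entries come from the post or from any real firewall.
TRUSTED_SITES = {"www.netflix.com", "api-global.netflix.com", "www.amazon.co.uk"}

# Assumed matching model: the firewall resolves each FQDN host object on its
# own and matches connections whose destination IP is one of those answers.
FIREWALL_DNS_CACHE = {
    "www.netflix.com": {"198.51.100.10"},
    "api-global.netflix.com": {"198.51.100.20"},
    "www.amazon.co.uk": {"203.0.113.5"},
}

# Toy GeoIP table (documentation prefixes with arbitrary country codes).
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "IE",
    ipaddress.ip_network("192.0.2.0/24"): "IE",
}


@dataclass(frozen=True)
class Conn:
    src_vlan: str   # "AV" for the A/V VLAN, "LAN" for everything else
    dst_ip: str     # destination address the client actually connected to
    hostname: str   # name the client asked for (TLS SNI / HTTP Host header)


@dataclass(frozen=True)
class Verdict:
    rule: int       # which of the four rules matched first
    action: str     # "allow" or "drop"
    scan: bool      # HTTP/HTTPS malware scanning and web filtering applied?


def country_of(ip: str) -> str:
    """Look the destination up in the toy GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def is_trusted(conn: Conn, dns_cache) -> bool:
    """Name must be in the group AND the destination IP must be one the
    firewall itself resolved for that name; a CDN answer the client got
    but the firewall never saw does not match under this model."""
    return conn.hostname in TRUSTED_SITES and conn.dst_ip in dns_cache.get(conn.hostname, set())


def evaluate(conn: Conn, allowed_countries=("US",), dns_cache=FIREWALL_DNS_CACHE) -> Verdict:
    """Walk the rules in order and return the first match."""
    trusted = is_trusted(conn, dns_cache)
    in_country = country_of(conn.dst_ip) in allowed_countries
    if conn.src_vlan == "AV" and (trusted or in_country):
        return Verdict(1, "allow", False)   # 1) streaming bypass, no scanning
    if trusted:
        return Verdict(2, "allow", True)    # 2) FQDN whitelist
    if in_country:
        return Verdict(3, "allow", True)    # 3) allow all USA
    return Verdict(4, "drop", False)        # 4) drop all and log


if __name__ == "__main__":
    samples = [
        Conn("AV", "198.51.100.10", "www.netflix.com"),    # US address the firewall knows
        Conn("LAN", "192.0.2.7", "www.netflix.com"),       # IE address the firewall never resolved
        Conn("LAN", "203.0.113.5", "www.amazon.co.uk"),    # IE address, but cached for the name
    ]
    for c in samples:
        print(c.hostname, c.dst_ip, country_of(c.dst_ip), evaluate(c))
    # Same blocked connection, after the firewall has cached the IE address:
    updated = {**FIREWALL_DNS_CACHE, "www.netflix.com": {"198.51.100.10", "192.0.2.7"}}
    print("after cache update:", evaluate(samples[1], dns_cache=updated))
    # Or with Ireland added to rule 3, which matches regardless of the cache:
    print("with IE allowed:", evaluate(samples[1], allowed_countries=("US", "IE")))
```

Under this model a destination only reaches rule 2 when the firewall's own resolution of the trusted name contains the IP the client connected to, which is why the Amazon UK case (cached IE address) passes while a Netflix subdomain served from an address the firewall never resolved falls through to rule 4. Adding the country to rule 3 allows that traffic without depending on the cache at all. A useful check when an FQDN entry seems to be ignored is therefore to compare what the firewall resolved for the name against the destination IP in the drop log.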
So, everything had been working perfectly until last night, when my daughter showed me that the Netflix app on her tablet (on the A/V VLAN) couldn't contact Netflix. Neither my wife's PC nor mine (neither of which are on the A/V VLAN) could access www.netflix.com either; it was blocked. In my web filter log I saw several subdomains [___].netflix.com coming up as blocked, all pointing to firewall rule #4 "drop and log".
After some digging around, I noticed that several of these blocked Netflix sites (though not all) were being hosted in Ireland, on what looked like an Amazon ISP per the whois records. That seemed strange, but at least it was an explanation, so I did my normal thing and created FQDN hosts in the "Trusted Hosts" group for each one being blocked. Now this was the weird part: the sites continued to be blocked afterwards. My 1st and 2nd rules showed that the sites being blocked were in the list of trusted FQDNs, and I even toggled the rules off and back on to "refresh them" but the sites were all still blocked and Netflix would not work.
Not particularly related, but just a side point, I have www.Amazon.co.uk in my "Trusted Sites" list as well, and it happens to be hosted in Ireland, and it was working perfectly last night while all this was going on with Netflix.
Eventually, I added "allow Ireland" to my 3rd rule, and everything immediately worked perfectly. The thing is, I don't want to open up an entire country just to allow Netflix, and I don't understand why adding FQDNs did not work to let Netflix.com and several of its subdomains through the firewall.
Has anyone else had issues similar to this with Netflix in the last day or two? Maybe it's not Netflix related at all, and just something about the rules not "refreshing" properly to accept the newly defined FQDN hosts? Maybe I just need to reboot the whole router? (Normally that would have been one of my first steps, but I couldn't do it last night, and won't be able to until tonight). Any thoughts would be welcome, as I'd eventually like to remove Ireland from my rule and go back to "normal". Thanks!