netflix proxy/unblocker false detection

Did anybody noticed that Netflix just became useless due to tons of proxy/unblocker false detection on CGNAT ranges?
Even my home network is dual stack, i am absolutely sure there is no proxy/vpn/whatsoever (but ipv4 part is over CGNAT) - and i got "proxy/unblocker" message on my personal TV.
And many other ISP sysadmins told me that recently this is a massive problem, and netflix support is frankly inadequate and does not want to solve the problem.
I will not be surprised that they will begin to actively lose users due to such a shameful silly screwed up algorithm.
Who in sober mind blocks all legit users due probably one or two suspicious users behind same IP range?

This isn't a new problem - for years, services that track what a single
IP address does can deny access if something looks amiss.

Of course, CG-NAT is a reality, but perhaps Netflix find it will be
easier to lose some customers than building infrastructure and support
to work out what is valid CG-NAT vs. mischief.

Probably would have been an easier case if Netflix didn't support IPv6,
but alas...


Try the contact information on this page to resolve it:

wow. blaming support for IPv6 rather than using cgnat is a huge stretch of credibility

I have no idea what's going through Netflix's mind - it's all, as my
American friend would say, conjecturbation on my part.

CG-NAT isn't new, and if Netflix are still not able to consider it a
"fixed issue", there is probably a reason why that is.

Ultimately, reaching out to them and asking their position on the matter
seems like a path to an answer.


Actually it’s a good thing that Netflix does support IPv6 for this. As any device using Netflix via IPv6 from your ISP would likely correctly be protected as not a VPN or proxy.

The problem is the ISPs that deploy CGNAT without also deploying IPv6 is ridiculous. They are directly affected by the death of IPv4 yet will not deploy IPv6, to me that is unacceptable.

Unfortunately as well you have devices such as Roku who still refuse to support IPv6 at all, so even if said ISP deployed IPv6 at least users using Roku would still be in the same boat.

If you or others are not receiving a satisfactory reply from us (Netflix) on this issue, please feel free to reach out directly and I’ll make sure it gets handled.

So far as we know, we handle CGNAT (and IPv6) appropriately. Sometimes ranges get reassigned and the data that we have gets stale - this happens quite often since formal runout, and so sometimes we’re behind the ball on it, but be assured that we take this seriously.


This problem has been bothering operators in Lebanon for more than a month, and frankly they have not received any reasonable answers yet. IP's are the same for several years, no changes, but all of sudden users start to get reduced list of titles (only netflix originals) and popup messages.
Maybe some of the clients are doing something bad, but in fact its not right to block legitimate clients with them because they are behind same CGNAT IP, I know for sure that I am using an absolutely normal account of the highest plan, on my absolutely ordinary Smart TV for last year, without any changes, i am in the same IP pool, but yet i have problem.
And if someone doing something bad, we(ISP) can assist and if there is enough info, we move such people to different IP pool or if there is clear proof of wrongdoing we can even disconnect such clients. But we are getting nothing at all from support, except template "we are working hard on your problem", which is kind of disrespectful and enough.

Today I tried it myself as a client, and as result it was 4 hour standoff in live chat, as support tried to feed me usual "we are working hard on your problem" and as i didnt accepted usual script/templates anymore, it turned into outright mockery on me, sending me literally same message template again and again, until i realised that i was wasting my time with reasoning.
At the end, i received an answer that temporarily ok for me, but i hope the problem will be resolved properly soon, if it reached the right person, due my polite persistence.*
At least today we got new contact, email for geosupport, and i have some hope that it will be more helpful, at least 3 ISP representatives mailed them.
And i know for sure that i'm not going to give up until i find proper solution.

*Which cost me and my cat a lot of stress today.
(I couldn’t feed the cat because of the live chat timeouts, and he just keep meowing under the table demanding food).


By some reason my smart TV doesn't use IPv6 for Netflix, even everything else in same network using it properly (even developed for ESP8266/ESP32 - IPv6 enabled apps).

And what is worse:
"Netflix Kimberly
The Network settings is to check if it is in Automatic not specifically to search for VPN and Proxy in that area, but that is okay. Then please remember that IPv6 is not allowed and should be disabled. With all these done, please contact your Internet Service provider to get further clarification on this matter. I will send you an email with some other information to consult with XXXX. Please give me a moment to send it to you"

Honestly, this is very confusing suggestion from Netflix support (i have native ipv6!).
Looking to there is definitely some issues for other users too.

And final nail, local providers with OCA who does peering - don't provide IPv6 peering at all, and ISP i am using is too small to be qualified for OCA. Since bandwidth is very expensive here, it is no-go to push ipv6 and cutting off themself from cheaper(than "international capacity") OCA peering.
Still, i tried, in browser it seems worked, but anyway i'm not going to watch movies on my desktop, while i have 4k screen, and also there is tons of users who don't have IPv6 enabled routers (they just buy cheapest brand).

If you don't use some kind of device to connect to Netflix, if you have
a reasonably modern TV that supports a native Netflix app as well as
IPv6, you'd be good to go.

Sadly, PlayStation still don't support IPv6. Hopefully, it comes with
the PS5, although I see no reason why the PS4 and PS3 can't.


This seems to suggest Netflix detect for an block IPv6 transported over
a 6-in-4 tunnel.

Is this what you have?

Can't say I've ever heard of this issue. Interesting...


I realize this list is for network operators, but as a user, when your
ISP doesn't provide IPv6, this is not possible. Even with
tunnelbrokers like HE as they are blocked at Netflix. I have to put
rules in my firewall to force the clients in my network to use the non-
HE addresses.


I take his statement more as:

  “If Netflix wasn’t doing IPv6, they’d be in more of a corner
  to resolve CGNAT issues. Since they support IPv6, likely their
  response to CGNAT issues is ``Press your provider to do IPv6,
  it’s better.’’”

Likely, that is true. Support for IPv6 isn’t at fault here. Rather, the
reality that IPv6 is a relatively easy way to offer a much better user
experience than CGNAT is in play here.


I can’t speak for Netflix, but the reality is that there’s really no good
way to “fix” CGNAT other than migrating to IPv6 and eliminating it.

CGNAT by its nature combines multiple subscribers behind a single address.

When you make subscribers indistinguishable to the content provider, then
any subscriber in the group committing abuse is likely to get all the
subscribers in the group cut off. There’s no good way around that.

Expecting content providers to maintain some sort of record of every
eyeball provider’s CGNAT port mapping policy in order to do more granular
filtering simply does not scale.

So I don’t know how (or even if) Netflix will answer, but were I in their
shoes, I’d probably answer as follows:

  “IPv4 is a technology which has been extended well past its
  ability to provide a good user experience. CGNAT, while it
  allows providers to try and extend the lifetime of IPv4
  ultimately provides an increasingly degraded user experience.
  We fully support IPv6. Deploying IPv6 support is the best
  path to providing an improved user experience on Netflix
  vs. CGNAT and IPv4.”

Seriously, if you were Netflix, what would be the point of putting serious
investment into attempts to solve what will become an increasingly intractable
problem when you already have a clear solution that scales and requires
relatively easy and inherently necessary upgrades by the eyeball ISP that
you’ve already completed on your side?


Yo Mark!


Sadly, PlayStation still don't support IPv6. Hopefully, it comes with
the PS5,

Don't hold your breath. It's most likely not related to the capabilities
of the hardware, or even the kernel running on the platform.

although I see no reason why the PS4 and PS3 can't.

My guess is that there is no IPv6 support because the backend doesn't
support it. I've seen this at previous employers where the network was ready
for IPv6, but back-end applications were lagging. And that might require
development on a lot of games as well.

Perhaps we should start a rumor: "IPv6 has a lower ping!". We'll get
thousands of gamers protesting for v6 in front of Sony's HQ :slight_smile:



I believe they’re only blocking the HE v6 prefixes used for the VPN service.

Correct they block’s tunnel broker IP’s because they practically are at least for the sense of geo restrictions “VPN” that can be used to get around said geo restriction.

As much as I hate it as I use said tunnel service it is understandable and I don’t really blame Netflix for this, I blame the content producer/owners and the industry as a whole for mandating such restrictive practices.

Using that as an argument against Netflix for bad labeling of IP blocks at least in terms of IPv6 is not fair.

I don't use any VPN service of HE but I still get errors from Netflix
when my client chooses my HE tunnel prefix as it's source.

Or I guess I should say I was, the last time I tried and have since
rejected Netflix's IPv6 hosts when the source address is the HE tunnel,
so force clients to choose a different source address.