x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Oh, that's weird, it seems the "original" NETFLIX entry is missing:
Code:
Chain PREROUTING (policy ACCEPT 19M packets, 18G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6450K 7049M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2      142  7668 TTL        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3    19844 2606K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
4     2837  158K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000
5     3643 2143K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-EU dst MARK or 0x8000
6    20867 1830K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x8000
7     7938  927K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIXDNSMASQ dst MARK or 0x8000
Where are the VPN Client entries in the output? Should look something like this:
Code:
1        1    60 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     661K  863M MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        1    60 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7

Do you see the fwmarks when you type the command ip rule? An entry will only exist for the routing rule. So if you only route to the WAN, you will only see the "lookup main".
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
What is your router model and firmware version?
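The checks above (ipset MARK rules in the PREROUTING mangle chain, the firmware's "MARK xset 0x1/0x7" rule per tun interface, and the fwmark entries in `ip rule`) can be scripted so they are easy to repeat after each change. The script below is an added example, not part of x3mRouting or the firmware; it parses saved command output, and the sample output embedded in it is constructed (trimmed) from what was posted in this thread. On a router you would pass the live output of the two commands instead.

```shell
#!/bin/sh
# Added diagnostic, not part of x3mRouting or the firmware: parses saved output of
#   iptables -nvL PREROUTING -t mangle --line
#   ip rule
# and reports which ipset MARK rules, VPN client MARK rules and fwmark policy
# rules are present. Replace the samples with real output, e.g.
#   MANGLE_SAMPLE=$(iptables -nvL PREROUTING -t mangle --line)

# Constructed sample: ipset rules present, but no "MARK xset 0x1/0x7" rule for any tun
MANGLE_SAMPLE='Chain PREROUTING (policy ACCEPT 19M packets, 18G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6450K 7049M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2    19844 2606K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
3     2837  158K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000'

# Constructed sample: the same chain plus the firmware's VPN client rule for tun11
MANGLE_WITH_VPN="$MANGLE_SAMPLE
4    11013   10M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7"

# Constructed sample of `ip rule`: one fwmark rule (WAN bypass) and client 1 routing
IPRULE_SAMPLE='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Print the name of every ipset that has an x3mRouting "MARK or 0x8000" rule
ipset_mark_rules() {
    printf '%s\n' "$1" | awk '
        /match-set/ && /MARK or 0x8000/ {
            for (i = 1; i <= NF; i++) if ($i == "match-set") print $(i + 1)
        }'
}

# Print the ingress interface (column "in", field 7) of every "MARK xset 0x1/0x7" rule
vpn_client_mark_ifaces() {
    printf '%s\n' "$1" | awk '/MARK xset 0x1\/0x7/ { print $7 }'
}

# Succeed when at least one VPN client MARK rule exists
has_vpn_client_mark() {
    [ -n "$(vpn_client_mark_ifaces "$1")" ]
}

# Given mangle output followed by the expected ipset names, print those with no rule
missing_ipset_rules() {
    _out=$1; shift
    _present=$(ipset_mark_rules "$_out")
    for _s in "$@"; do
        printf '%s\n' "$_present" | grep -qx "$_s" || printf '%s\n' "$_s"
    done
}

# Print "<fwmark>/<mask> <table>" for each fwmark-based policy rule
fwmark_tables() {
    printf '%s\n' "$1" | awk '
        /fwmark/ {
            for (i = 1; i <= NF; i++) if ($i == "fwmark") mark = $(i + 1)
            if ($(NF - 1) == "lookup") print mark, $NF
        }'
}

# Report on the constructed samples when run directly
echo "ipset MARK rules:"; ipset_mark_rules "$MANGLE_SAMPLE"
echo "missing ipset rules (expected NETFLIX NETFLIX2 NETFLIXDNSMASQ):"
missing_ipset_rules "$MANGLE_SAMPLE" NETFLIX NETFLIX2 NETFLIXDNSMASQ
if has_vpn_client_mark "$MANGLE_SAMPLE"; then
    echo "VPN client MARK rule on: $(vpn_client_mark_ifaces "$MANGLE_SAMPLE" | tr '\n' ' ')"
else
    echo "no VPN client MARK xset 0x1/0x7 rule found (check /tmp/etc/openvpn/fw/client*-fw.sh)"
fi
echo "fwmark policy rules:"; fwmark_tables "$IPRULE_SAMPLE"
```

Run against the sample it reports NETFLIX and NETFLIXDNSMASQ as missing and no VPN client MARK rule, which is exactly the state the output in this thread shows; the fwmark list confirms that only the 0x8000 WAN-bypass rule exists, as expected when nothing is routed to a VPN client via the script.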
 
I'm using a RT-AC86U with firmware version 384.16_0. here's the complete output of those two commands:

Code:
ASUSWRT-Merlin RT-AC86U 384.16_0 Sun Apr  5 17:38:01 UTC 2020
XXX@RT-AC86U-CF98:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
10001:  from 192.168.1.1 lookup main
10002:  from all to 85.13.163.170 lookup main
10101:  from 192.168.1.0/24 lookup ovpnc1
10102:  from 10.8.0.0/24 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
XXX@RT-AC86U-CF98:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 19M packets, 18G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6601K 7147M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2      164  8856 TTL        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3    20179 2731K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
4     2853  162K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000
5     3743 2158K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-EU dst MARK or 0x8000
6    22206 1930K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x8000
7     7954  931K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIXDNSMASQ dst MARK or 0x8000
 
Thank you. Not sure why the VPN Client MARK xset 0x1/0x7 rules are not created for you. I'll have to dig around. So, is NF and the other items bypassing the VPN? It appears to from the output above.

If you still have issues, set Accept DNS Configuration = Exclusive to bypass the pihole and see what happens. You will still use the DNS of the VPN service.
 
I'm pretty sure Netflix (at least partially) is still bypassing the VPN - when I execute the "iptables -nvL PREROUTING -t mangle --line" command while browsing the netflix website I can see increased packets count for both NETFLIX2 and NETFLIXDNSMASQ. When I set Accept DNS Configuration to Exclusive I see the Netflix US content on the website (since that is what the VPN DNS does using "geo-routing", whatever that is) - but I will still get VPN errors since at least part of the traffic is not routed through VPN.
So to summarize, when I'm routing everything through VPN (traffic + DNS) it works but I get US content; if both bypass VPN it used to work (and I get content from my country). Using a mix (traffic through WAN, DNS from VPN, or the other way around) I get "You are using a VPN" errors.
So my guess is that some Netflix traffic is not bypassing VPN which might be because of the missing NETFLIX entry in the iptables?
 
Can you test with taking the pihole out of the mix? Remove the DNS Filter rule and set some DNS on the WAN such as cloudflare. Then, test with the different Accept DNS Configuration settings on the GUI and see what happens for each setting.

Here are some more commands to show DNS settings:

iptables --line -t nat -nvL DNSVPN1
iptables --line -t nat -nvL PREROUTING


Sounds like it worked recently. Can you recall a config change that you made around the time when it stopped working?

Also, we need to figure out why you don't see the entry for the client when you query the PREROUTING mangle table.

Code:
3    11013   10M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
 
This is the output of those commands while the pihole is still configured as DNS server:
Code:
XXX@RT-AC86U-CF98:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.168.1.1          0.0.0.0/0
2     3882  250K DNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0            to:10.11.252.1
3        0     0 DNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:10.11.252.1
XXX@RT-AC86U-CF98:/tmp/home/root# iptables --line -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 34475 packets, 3430K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        2   104 DNAT       tcp  --  tun11  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:55477 to:192.168.1.10
*** snip a bunch more ports forwarded to .10 ***
18       0     0 DNAT       tcp  --  tun11  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2225 to:192.168.1.10
19       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1122
20       0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
21    3889  250K DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
22     146  8704 VSERVER    all  --  *      *       0.0.0.0/0            192.168.178.35
23       0     0 DNSFILTER  udp  --  *      *       192.168.1.0/24       0.0.0.0/0            udp dpt:53
24       0     0 DNSFILTER  tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:53

and here after setting 1.1.1.1 as DNS and disabling DNS Filter:

Code:
XXX@RT-AC86U-CF98:/tmp/home/root# iptables --line -t nat -nvL DNSVPN1
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.168.1.1          0.0.0.0/0
2      239 16495 DNAT       all  --  *      *       192.168.1.0/24       0.0.0.0/0            to:10.13.220.1
3        0     0 DNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:10.13.220.1
XXX@RT-AC86U-CF98:/tmp/home/root# iptables --line -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 2443 packets, 401K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    52 DNAT       tcp  --  tun11  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:55477 to:192.168.1.10
*** snip a bunch more ports forwarded to .10 ***
18       0     0 DNAT       tcp  --  tun11  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2225 to:192.168.1.10
19       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1122
20       0     0 DNSVPN1    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
21     239 16495 DNSVPN1    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
22       6   750 VSERVER    all  --  *      *       0.0.0.0/0            192.168.178.35

It looks like the DNS filter did not actually do anything or am I misreading this?
On the same note, I set the pihole ip as DNS server under LAN -> DHCP Server -> DNS server - but what is the purpose of the setting under WAN -> DNS server? Is that the DNS server the router itself uses?
Anyway, I changed the DNS servers in both places to use 1.1.1.1, disabled the DNS filter, reconnected the Network Interface on my PC to make sure it got the new 1.1.1.1 DNS (which it got), and get the "You are using a VPN error" when trying to watch Netflix.

As to recent config changes, I'm pretty sure I did not change anything around the time the problem appeared.

Also let me say thank you for your help, I really appreciate you taking the time to help me!
 
At this point of the test, go into the VPN client screen and experiment with the four Accept DNS Configuration settings. For each setting, check NF to see if it works or if you get the error.
 
Note, there is an issue when changing from Accept DNS Configuration = Exclusive to Disabled. The VPN DNS exclusive routing rules will remain in effect. It does not happen when changing from Exclusive to Strict or Relaxed. It is patched in the next firmware release. The workaround when going from Exclusive to Strict is to disable the VPN client. Then, set Accept DNS Configuration to Strict and restart the client.
 
So for "Disabled" DNS does not work anymore at all. I tried with "nslookup google.com" and also "nslookup google.com 1.1.1.1" and also 8.8.8.8, it just times out. Same happens for Relaxed.
Using "Strict" DNS works again, NF shows the VPN error (only for some shows again), same for "Exclusive".
One more bit of info: when I tried nslookup google.com while using "Strict", using 1.1.1.1 and 8.8.8.8 I get two different IPs, and while using "Exclusive" I get the same IP (which is to be expected I guess, just thought I'd mention it).
Edit: I went from Exclusive to Disabled and worked my way "up" again, should I retry with disabling the VPN client as you described above?
 
Disabled and Relaxed should use the DNS defined on the WAN DNS1 and DNS2 fields on the WAN page. Verify you have it set. Or, you can use the commands:

Code:
nvram show | grep wan0_dns
 
Yes it's set to 1.1.1.1 under WAN DNS. I just tried again with disabling the VPN client, then switching to Disabled and now it works, same for Relaxed. For both I now get the VPN error on NF.
 
That makes sense as you are using the VPN and NF is detecting you are using a known VPN server since you are not using the DNS proxy service of the provider.

Keep the Disabled setting for the following two tests.

Create a rule in the GUI to have the streaming device route to the WAN. Try NF and it should be the local NF.

The next test is to remove the rule in the GUI for the device and run the x3mRouting script to route NF to the WAN. Try NF and it should be the local NF.
 
Ok, for test #1 I deleted all 3 netflix x3mRoutings and it works as expected, with streaming device routed through WAN and normal DNS streaming works and shows local content.
For test #2 I removed the streaming device WAN routing and ran the x3mRouting commands again (this time the first NETFLIX entry also shows again when using "iptables -nvL PREROUTING -t mangle --line" for whatever reason), but I get VPN errors again. But it looks like the routing in general is working since I can see packets going through the NETFLIX* entries:

Code:
XXX@RT-AC86U-CF98:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 112K packets, 84M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    71812   82M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2        6   324 TTL        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3     1075 90012 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
4      261  187K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
5     1033 84494 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000
6      956  735K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-EU dst MARK or 0x8000
7        9   470 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x8000
8     6949 1168K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIXDNSMASQ dst MARK or 0x8000
 
Did you have Accept DNS Configuration set to Disabled for test 2?

This is very strange. Can you divulge your VPN Provider? Another forum member may be able to assist if they use x3mRouting with the same provider.

What also bothers me is why you are missing the PREROUTING mangle entry for the VPN Client as shown below:

Code:
3    11013   10M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
I'll check later on this evening as to why this may be occurring.

Another way to test if things are working is to use the dnsmasq method and specify the site whatismyipaddress.com. Then, when you are routed to the VPN, see if the site reports your WAN IP address rather than your VPN address.
 
Yes, I have set Accept DNS to Disabled for test 2 and I'm using AirVPN.
I used the following line "sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 WIP whatismyipaddress.com" and restarted dnsmasq just to make sure using "service restart_dnsmasq" but it still shows my VPN ip - I also checked using "iptables -nvL PREROUTING -t mangle --line" and the WIP entry shows 0 packets and "ipset -L WIP" also shows 0 entries. I also tried with other ip websites (ipleak.net, whatsimyip.com) but this also did not work, so I guess I'm doing something wrong in general.
 
dnsmasq logging may not be enabled. It is required for the dnsmasq method to work:

Enable dnsmasq Logging
  • Navigate to the /jffs/configs directory e.g. cd /jffs/configs
  • Use your SFTP or SSH client to create the dnsmasq.conf.add file
  • Add the following entry to /jffs/configs/dnsmasq.conf.add:
Code:
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
  • Save and exit dnsmasq.conf.add
  • Restart dnsmasq
Code:
service restart_dnsmasq

Or, you can do an nslookup whatismyipaddress.com to get the IPv4 addresses. There are only two of them. Then, add them to the save/restore file e.g. WIMIPADDR in /opt/tmp. Then, use the MANUAL method to create the IPSET list and routing rules.
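The nslookup route described above can be scripted so the save/restore file is generated rather than typed. The helper below is an added example, not x3mRouting's own code. It assumes the save/restore file is in `ipset save` format (which `ipset restore` reads), uses a hash:net list, and targets /opt/tmp/<LISTNAME> as in the WIMIPADDR example; compare its output with `ipset save <LISTNAME>` for a list x3mRouting already created before relying on it. The nslookup output embedded in it is constructed, with 192.0.2.x documentation addresses standing in for the real answers.

```shell
#!/bin/sh
# Added helper, not part of x3mRouting: turns the IPv4 answers of an nslookup
# into an ipset save/restore file for the MANUAL method. Assumptions: the file
# is in `ipset save` format (what `ipset restore` reads), the list type is
# hash:net, and the file goes to /opt/tmp/<LISTNAME> (e.g. WIMIPADDR).

# Constructed BusyBox-style nslookup output; 192.0.2.x are documentation
# addresses standing in for the real answers.
NSLOOKUP_SAMPLE='Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      whatismyipaddress.com
Address 1: 2001:db8::10 whatismyipaddress.com
Address 2: 192.0.2.11 whatismyipaddress.com
Address 3: 192.0.2.10 whatismyipaddress.com'

# Print the unique IPv4 answers (lines after "Name:"), skipping the resolver
# address at the top and any IPv6 answers
resolved_ipv4() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { answer = 1; next }
        answer && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }' | sort -u
}

# Emit an ipset restore file for LISTNAME followed by the addresses to add
ipset_restore_file() {
    _name=$1; shift
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$_name"
    for _ip in "$@"; do
        printf 'add %s %s\n' "$_name" "$_ip"
    done
}

# Build the file content for LISTNAME from raw nslookup output
build_list() {
    _name=$1
    _ips=$(resolved_ipv4 "$2")
    # word-splitting on the newline-separated address list is intended
    ipset_restore_file "$_name" $_ips
}

# Usage: sh build_list.sh LISTNAME DOMAIN > /opt/tmp/LISTNAME
# Without arguments the constructed sample is used, so it runs offline.
if [ $# -eq 2 ]; then
    build_list "$1" "$(nslookup "$2")"
else
    build_list WIMIPADDR "$NSLOOKUP_SAMPLE"
fi
```

Once the file is in /opt/tmp, the MANUAL method reads it when creating the list and routing rules; to load it by hand for a quick check, `ipset restore -! < /opt/tmp/WIMIPADDR` followed by `ipset -L WIMIPADDR` should show the addresses. Note that a list built this way is only as current as the last lookup, which is why the dnsmasq method (which adds addresses as they are resolved) is the better long-term choice for sites whose addresses change.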
 
@Froghut

Look for a file like the one below:

/tmp/etc/openvpn/fw/client1-fw.sh

display the file using cat
Code:
cat client1-fw.sh

This file is what is creating the PREROUTING mangle entry that you don't have. Here is a sample:

Code:
#!/bin/sh
# Drop unsolicited inbound traffic arriving from the tunnel
iptables -I OVPN -i tun11 -j DROP
# Mark packets entering from tun11 (0x1 within mask 0x7) for the firmware's policy routing;
# this is the PREROUTING mangle entry that is missing from your output
iptables -t mangle -I PREROUTING -i tun11 -j MARK --set-mark 0x01/0x7
# NAT LAN clients behind the tunnel address
iptables -t nat -I POSTROUTING -s 192.168.1.0/255.255.255.0 -o tun11 -j MASQUERADE
# Disable reverse-path filtering so asymmetric VPN/WAN paths are not dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done
 
This is crazy, but the USB stick I was using for the router apparently broke and I had to attach a new one ...
I reinstalled Entware and x3mRouting, added the dnsmasq log commands to dnsmasq.conf.add, and it seems it's working again. I also tried with the dnsmasq method entry for whatismyipaddress.com and that also shows my real IP now. So I guess I was just missing the dnsmasq log entries (and apparently Netflix changed something so the ASN method alone was no longer enough for me). Sorry for not realizing this sooner.
Edit: I set the WAN DNS server to 8.8.8.8, set the pihole IP as DNS server in the LAN DHCP setting and enabled DNS Filter to redirect everything to the pihole (to force Chromecasts etc. to use the pihole). In the pihole dnsmasq.conf I added the Netflix domains (the same ones used for the DNSMASQ WAN routing on the Asuswrt) to use the router as the upstream DNS server, so those queries can be intercepted there and used for the DNSMASQ routing entry. This way the pihole handles all the DNS queries directly, except for the Netflix ones which it hands off to the router.
So thank you very very much for all the time you spent helping me!

As to the missing mangle entry, the file on my router is actually missing the mangle line. Should I add the missing line?
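The pihole-to-router handoff described in the post above, written out as configuration. This is an added illustration, not the poster's actual files or x3mRouting's own output: the file path and the Netflix domain list are assumptions (use the same domain list you gave load_DNSMASQ_ipset_iface.sh), 192.168.1.1 is the router's LAN address as seen in the `ip rule` output earlier in the thread, and the router-side `ipset=` line shows the form of the dnsmasq directive the dnsmasq method depends on; check /jffs/configs/dnsmasq.conf.add on your router for the exact line the script wrote.

```conf
# --- Pi-hole side (assumed path: /etc/dnsmasq.d/99-netflix-to-router.conf) ---
# Forward only the Netflix names to the router's dnsmasq instead of the normal
# upstream, so the router sees the answers and can add them to its ipset.
# Domain list is illustrative; match what you passed to load_DNSMASQ_ipset_iface.sh.
server=/netflix.com/192.168.1.1
server=/nflxext.com/192.168.1.1
server=/nflximg.net/192.168.1.1
server=/nflxso.net/192.168.1.1
server=/nflxvideo.net/192.168.1.1

# --- Router side (/jffs/configs/dnsmasq.conf.add, assumed form) ---
# Logging the dnsmasq method needs, as given in the thread
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# Every address answered for these names lands in the NETFLIXDNSMASQ ipset,
# which the PREROUTING mangle rule matches to set the 0x8000 WAN-bypass mark
ipset=/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/NETFLIXDNSMASQ
```

Two things to verify for this layout: the router's WAN DNS must point at a public resolver (8.8.8.8 in the post), not back at the pihole, or the forwarded Netflix queries loop; and because the pihole sits in 192.168.1.0/24, the DNSFILTER rules shown earlier would also catch its own queries to the router unless the pihole is given a "No Filtering" entry on the DNS Filter page. A quick check after a change is `ipset -L NETFLIXDNSMASQ` from the router: it should fill with addresses when a LAN client resolves a Netflix name, and the NETFLIXDNSMASQ packet counter in `iptables -nvL PREROUTING -t mangle --line` should rise while streaming.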
 
Glad you got it working. I was running out of ideas as to what the issue could be.

Don't worry about the PREROUTING mangle table entry if everything is working. That entry is created by the firmware. There must be some setting that you have that is not requiring the PREROUTING mangle table entry for your configuration.
 
I just registered and I am a complete newbie when it comes to networking so please excuse my ignorance.

I have a RT-AX88U router with merlin firmware on it and even managed to get the VPN client to work nicely.
What I would like is to route some specific ports from a certain local IP to WAN side instead of VPN (the other ports continue to go through VPN), can this be done with this script?

I have googled intensively but most instructions are "make a script!" and then the conversation ends.
Problem is I would need someone to hold my hand through the entire process for that to work, and that is why I am now asking here.

Thanks
 