
Policy Rules or Selective Routing Question


yorgi

Very Senior Member
I finally understood how policy rules work with Merlin VPN.

I have a 2-part question in regards to sites where I have encountered more than 1 IP address.

For example, when you do nslookup ebay.com you get 6 IP addresses and they are not always the same.
Do I have to put all 6 CIDR ranges in the Policy rules for ebay to go through WAN instead of VPN?

66.211.162.12 66.211.160.86 66.211.185.25 66.135.209.52 66.211.181.123 66.135.216.190

for Facebook you get 2 different IP ranges
66.220.144.0/20 and 173.252.64.0/18

Do we have to enter all the CIDR ranges for each IP subnet in order for the traffic to go through properly?

for example with Facebook
would I have to put 3 rules like this?

192.168.1.0/24 0.0.0.0 Iface VPN
0.0.0.0 66.220.144.0/20 Iface WAN
0.0.0.0 173.252.64.0/18 Iface WAN

any help will be appreciated
 
If they get returned by an nslookup, then yes, it means you will potentially use any of these IPs, and therefore you should either enter all those IPs, or enter the whole subnet using CIDR notation (if they're within the same subnet).
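As an added illustration (not part of the thread), a small Python script that turns a list of resolved addresses into policy-rule lines in the SOURCE DESTINATION IFACE format used above: one line if they all fit in a block no wider than /24, otherwise one line per address or range, because a single covering block would divert unrelated traffic off the VPN too. The /24 threshold is an assumption; the sample inputs are the ebay and Facebook addresses quoted in the post plus two constructed addresses inside one Netflix /24.

```python
import ipaddress

# Constructed samples: the six ebay.com answers and the two Facebook ranges
# quoted in the thread. In practice, collect these from repeated nslookups,
# since the answer set changes between queries.
EBAY_IPS = ["66.211.162.12", "66.211.160.86", "66.211.185.25",
            "66.135.209.52", "66.211.181.123", "66.135.216.190"]
FACEBOOK_RANGES = ["66.220.144.0/20", "173.252.64.0/18"]


def covering_prefix(addrs):
    """Smallest single CIDR block containing every address or range in addrs."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addrs]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    block = ipaddress.ip_network(f"{lo}/32")
    while hi not in block:          # widen one bit at a time until both ends fit
        block = block.supernet()
    return block


def plan_rules(addrs, iface="WAN", widest=24):
    """Policy-rule lines in the thread's 'SOURCE DESTINATION IFACE' format.

    If everything fits in one block no wider than /widest, a single rule
    covers it; otherwise each address or range gets its own line, because a
    single covering block would also pull unrelated traffic off the VPN.
    The /24 threshold is an assumption, chosen to match the Netflix table.
    """
    block = covering_prefix(addrs)
    if block.prefixlen >= widest:
        targets = [block]
    else:
        targets = list(ipaddress.collapse_addresses(
            ipaddress.ip_network(a, strict=False) for a in addrs))
    lines = []
    for t in targets:
        # A /32 is written as a bare address, as the thread's rules do.
        dst = str(t.network_address) if t.prefixlen == 32 else t.with_prefixlen
        lines.append(f"0.0.0.0 {dst} {iface}")
    return lines


if __name__ == "__main__":
    print(covering_prefix(EBAY_IPS))   # 66.128.0.0/9: far too wide for one rule
    for line in plan_rules(EBAY_IPS) + plan_rules(FACEBOOK_RANGES):
        print(line)
    # Two constructed addresses inside one Netflix block collapse to one rule.
    print(plan_rules(["107.20.177.5", "107.20.177.200"]))
```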
 
That's what I figured :)

Is there a program we can run or some other way to know if the traffic is really passing via WAN or VPN when you setup these policy based routes?
 

A traceroute might work (haven't tested it).
 
Would this also work to bypass VPN on Netflix?
Yes, you can, but you need to add all of the addresses below to get the entire range of Netflix IPs.
This is fixed and is the right way. I goofed earlier.

SOURCE IP DESTINATION IP Iface
0.0.0.0 107.20.177.0/24 WAN
0.0.0.0 107.20.154.0/24 WAN
0.0.0.0 174.129.2.0/24 WAN
0.0.0.0 75.101.139.0/24 WAN
0.0.0.0 54.243.253.0/24 WAN
0.0.0.0 50.19.210.0/24 WAN
0.0.0.0 23.23.191.0/24 WAN
0.0.0.0 54.204.2.0/24 WAN
0.0.0.0 54.204.43.0/24 WAN
0.0.0.0 54.225.192.0/24 WAN
0.0.0.0 23.21.190.0/24 WAN
0.0.0.0 107.20.151.0/24 WAN
 
Thanks. Works
Hi, it should not have worked because I made an error.
You have to reverse what I did. I fixed it in the example I gave you;
this is the right way. I goofed, sorry about that.

SOURCE IP DESTINATION IP Iface
0.0.0.0 107.20.177.0/24 WAN
0.0.0.0 107.20.154.0/24 WAN
0.0.0.0 174.129.2.0/24 WAN
0.0.0.0 75.101.139.0/24 WAN
0.0.0.0 54.243.253.0/24 WAN
0.0.0.0 50.19.210.0/24 WAN
0.0.0.0 23.23.191.0/24 WAN
0.0.0.0 54.204.2.0/24 WAN
0.0.0.0 54.204.43.0/24 WAN
0.0.0.0 54.225.192.0/24 WAN
0.0.0.0 23.21.190.0/24 WAN
0.0.0.0 107.20.151.0/24 WAN
 
Hello! I'm hunting for a solution and found this. However, it doesn't seem to be working and I'm not sure if it's related to the Netflix IP addresses or other rules I have for selective routing. I have this rule for my Amazon FireTv box which I would like to run through the VPN except when using Netflix.

SourceIP Destination IP Iface
192.168.2.201 (FireTV IP) 0.0.0.0 VPN
 
When you put the rule for your 192.168.2.201, does traffic go through VPN?
If it does, then all you have to do is add this for Netflix:
192.168.2.201 0.0.0.0 VPN
0.0.0.0 107.20.177.0/24 WAN
0.0.0.0 107.20.154.0/24 WAN
0.0.0.0 174.129.2.0/24 WAN
0.0.0.0 75.101.139.0/24 WAN
0.0.0.0 54.243.253.0/24 WAN
0.0.0.0 50.19.210.0/24 WAN
0.0.0.0 23.23.191.0/24 WAN
0.0.0.0 54.204.2.0/24 WAN
0.0.0.0 54.204.43.0/24 WAN
0.0.0.0 54.225.192.0/24 WAN
0.0.0.0 23.21.190.0/24 WAN
0.0.0.0 107.20.151.0/24 WAN
 
Hello and thank you very much for the reply. Yes, with my .201 rule the traffic goes out through the VPN with no problem; I've also confirmed the VPN IP address by going to PIA's site as well as ipleak.net. I added all the above rules and still no luck. I get the message from Netflix that says it appears I'm going through a proxy. I've rebooted both my router and the Amazon FireTv, but still no luck. I've attached a screenshot of my rules in case you can see anything else that's wrong. I'm at a loss, but really want to get this working! Thank you very much for any help you can provide.
 

Attachment: SNB-routing.JPG (62.5 KB)
Just to follow up a bit more. Under my "Advanced Settings" in Merlin, I have my "Accept DNS Configuration" set at "Exclusive" and have confirmed my "Redirect Internet Traffic" is set on "Policy Rules." I'm not sure if I need to mess around with the WAN DNS Settings, but I've tried a couple different configurations, but still no luck connecting to Netflix. What should my WAN DNS Settings be? I had also tried Hulu, but I'm not sure if I have the correct Hulu address to enter into the policy rules. Again, thank you, this is frustrating, but hopefully I can get it fixed.
 
I think I know what is going on. If you read my guide, I mention that you leak DNS when you direct traffic from the VPN tunnel and you show your VPN DNS.
So that is the problem. Netflix got smart and they are using all angles to stop VPNs.
These rules are good if you use FTP or email because they don't use DNS.
The other suggestion I can make is to make a rule that has a specific range for VPN and the rest goes to the ISP.
This way if you want to go to Netflix, just change the IP to an address that is not in the VPN range and your Netflix will work fine.
This is a suggested range:

192.168.1.80/28 0.0.0.0 VPN

This range covers 192.168.1.81-192.168.1.94; this way any device that you manually assign a static IP that falls in this range will go to the VPN
and all other addresses will go to your local ISP. Also go to LAN DHCP server and in Start pool change it to 192.168.1.100 and End pool 192.168.1.254.
This way you have static IP addresses below 100 and DHCP above 254.
You can always write a script in Windows, Mac or Linux that will change from IP to DHCP and vice versa.
Here is a script for Windows; simply use Notepad, copy and paste everything below and save it as vpn.bat.
Make sure that your Ethernet adapter corresponds accordingly. For example, if you renamed the adapter, for example to mypc,
then change "Ethernet" to "mypc".
You can see what adapter name you are using by going to Control Panel, Network and Sharing, Change adapter settings; look at the TCP adapter name and change it accordingly. Also, if you use a different IP address for your router, make sure you put the same address in gateway.
When you use this script make sure you right-click on the vpn.bat file and run as administrator. You will have 2 options: 1 will be for VPN and 2 will be for Local ISP.


@echo off
echo Choose:
echo [A] VPN
echo [B] Local ISP
echo.

:choice
SET /P C=[A,B]?
for %%? in (A) do if /I "%C%"=="%%?" goto A
for %%? in (B) do if /I "%C%"=="%%?" goto B
goto choice

:A
REM Static address inside the 192.168.1.80/28 VPN range, DNS via the router.
REM Change "Ethernet" to your adapter name and 192.168.1.1 to your router address.
ipconfig /flushdns
netsh interface ip set address name="Ethernet" source=static addr=192.168.1.93 mask=255.255.255.0 gateway=192.168.1.1
netsh interface ip set dns name="Ethernet" source=dhcp
netsh interface ipv4 add dnsserver name="Ethernet" address=192.168.1.1 index=1
goto end

:B
REM Back to DHCP: an address from the pool above .100 goes out via the local ISP.
ipconfig /flushdns
netsh interface ip set address name="Ethernet" source=dhcp
netsh interface ip set dns name="Ethernet" source=dhcp
goto end

:end
ipconfig /renew "Ethernet"
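To see how the rules discussed in this thread interact, here is an added Python simulator (not from the thread, and not Merlin's own code) that evaluates a packet against a rule table written in the SOURCE DESTINATION IFACE format used above. It assumes rules are checked top to bottom with the first match winning, and that unmatched traffic takes the ISP route; the constructed table combines the FireTV rule, two of the Netflix /24 blocks and the 192.168.1.80/28 suggestion.

```python
import ipaddress

# Constructed rule table in the thread's "SOURCE DESTINATION IFACE" format.
# 0.0.0.0 means "any". It combines the FireTV rule (192.168.2.201 -> VPN), the
# first two Netflix /24 blocks listed in the thread and the suggested
# 192.168.1.80/28 VPN range.
RULES_TEXT = """
192.168.2.201 0.0.0.0 VPN
0.0.0.0 107.20.177.0/24 WAN
0.0.0.0 107.20.154.0/24 WAN
192.168.1.80/28 0.0.0.0 VPN
"""


def to_net(token):
    """'0.0.0.0' is the wildcard; anything else is an address or CIDR block."""
    if token == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        src, dst, iface = line.split()
        rules.append((to_net(src), to_net(dst), iface))
    return rules


def route_for(rules, src, dst, default="WAN"):
    """Interface chosen for a packet from src to dst.

    Assumption: rules are tested top to bottom and the first match wins;
    traffic matching no rule takes the default (ISP) route.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, iface in rules:
        if s in src_net and d in dst_net:
            return iface
    return default


def destination_rules_first(rules):
    """Reorder so destination-specific (WAN bypass) rules precede 'any destination' ones."""
    return sorted(rules, key=lambda r: r[1].prefixlen == 0)


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # With the FireTV rule first, its Netflix traffic never reaches the WAN rules.
    print(route_for(rules, "192.168.2.201", "107.20.177.10"))  # VPN
    # With the destination rules first, the bypass takes effect.
    print(route_for(destination_rules_first(rules), "192.168.2.201", "107.20.177.10"))  # WAN
    # The /28 covers .80-.95, so .93 goes to the VPN and .100 to the ISP.
    print(route_for(rules, "192.168.1.93", "8.8.8.8"), route_for(rules, "192.168.1.100", "8.8.8.8"))
```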
 
Unfortunately, I don't think this will help me out too much. I'm using a total of 5 Amazon FireTV boxes/sticks which have Kodi side loaded. I had set up the VPN specifically to run all the Kodi devices through the VPN, but if Netflix (and Hulu) are blocking VPN IP addresses it's going to render my Asus RT-AC68U pretty much useless. I don't know if there is some type of script out there which could be run on the FireTVs to change from a VPN IP address to an ISP IP address, but even if there were, it'd be highly unlikely the kids would run a script to change the IP forcing the Kodi traffic through the VPN. Very frustrating!!

I guess I'm also a little confused and will need to read up on this. However, if I'm telling the router to stop using the VPN and to go straight through my ISP's connection, why would Netflix still think I'm connecting to them through the VPN? I live in the U.S. so I don't need the VPN to connect to Netflix for any content, I'm just using it as an added layer of protection for the Kodi boxes. Is this due to the DNS leak?
 
Are you running Hulu and Netflix from the same firesticks that are running Kodi?
Because what I suggested will work for you. Worst case scenario, get a couple of other boxes to run your Netflix and have them on an IP address that is not part of the VPN, and if you have other devices that you want to use VPN or Local ISP you can just change IP addresses and you are set.
You don't need to get rid of your router because it's not useless. I think you are just missing a few points about selective routing and rules.
You can easily have your setup work without any issues, just by adding another box for Hulu and Netflix. New TVs have tons of HDMI so I don't see the problem;
you can pick up a box for under 100 bucks that will run your Hulu and Netflix.
Use the rule I suggested above:
192.168.1.80/28 0.0.0.0 VPN
It covers this range: 192.168.1.81-192.168.1.94.
That is 13 devices? Do you need more? The rest of the IP addresses fall into your Local ISP and the DNS doesn't leak; it's like having 2 routers in one.
Think about it before you get rid of the router.
The solution is right here :)
 
I shouldn't have said the router was useless, as that's not really how I feel. It's a really awesome router and the Merlin load makes it simply amazing with all the additional capabilities being added.

Each of the Amazon FireTv boxes/sticks (3 boxes and two sticks) run everything on each device. I use it for Amazon Prime video, Netflix, Hulu and Kodi. Kodi (I'm using the FireTVGuru load) shows just as another option like Hulu or Netflix. I'm not sure how what you laid out before would work since I would need to go into each FireTV box/stick and manually change the IP address on there. It seems the script you laid out would only work on a PC/laptop and not on the FireTv running Android.

I have DHCP running on both the Asus router as well as my FIOS router. I know most recommend not doing that, but I don't think it's causing any issues for my network. On my Asus I have a pool from 2.100 through 2.190; I just threw in some random numbers I guess. However, I currently have static IP addresses assigned to all the FireTv boxes which start at 2.201. Each of those devices has a selective routing rule which is 192.168.2.20x 0.0.0.0 Iface VPN.

I was thinking I may be overlooking the easier solution which would be simply changing which router the device is connected to, depending on the activity (either Netflix or Kodi). When the device needs to connect to Kodi just connect to that SSID (in my case "VPN-5G") and then for regular Netflix or Hulu have it connect to the FIOS router. However, when I originally attempted to do this, I was having issues where I would connect to the correct SSID, but it would always pick up an IP address from the FIOS router and never the VPN router. Hopefully that makes sense. I don't know if I have some incorrect setting in Merlin, the FIOS router or some other issue.

Thank you for the script! I made a couple changes since my VPN is on the 192.168.2.x network, but it works great and saves me time since I've been going back and forth changing IPs on my desktop while testing out the VPN and trying to get everything set up. Thank you for all the help! Unless I can get the network to work correctly by connecting to the appropriate SSID, depending on the activity desired for the TV, and having it route me to the VPN or ISP, my best option may be getting a couple additional devices.
 
Well, I have found a working solution and it was in front of me the entire time. I pretty much talked through it in my previous reply and then it hit me later. It's simple and is already in place! Even though I was hoping I could accomplish this on the router and have it done automatically, the work around is simply to change which SSID I'm connected to and that's all that's needed. When I connect to the FIOS router I can connect to Netflix and Hulu just fine and then when I connect to the VPN everything is encrypted for my Kodi. It's too bad it couldn't be done on the router, but with Netflix continuing their crack down on VPNs I guess this is my next best option.

I do have another question. Under LAN, DNS and WINS Server Settings, should I be using the VPN's DNS IP addresses or use Google, OpenDNS etc?

Thank you very much for your help!!
 