persistent ipset create

frustin

Occasional Visitor
RT-AC86U using merlin 384.5 firmware.

I'm trying to get netflix to bypass VPN using ipset.

I've read a lot on it. I've created the dnsmasq.conf.add
Code:
ipset=/netflix.com/nflxext.com/amazonaws.com/amazon.com/amazon.co.uk/bbc.co.uk/BYPASS_VPN
But I know I need to create the BYPASS_VPN set. I can do this on the command line: ipset create BYPASS_VPN hash:ip but not in the config. What's the command to create it and make it persistent, so after a reboot I can see the list again using ipset list?
EDIT2: Seems the only way to make it persistent is a start up/shutdown script whereby a ipset save and restore is run.

Also, at what stage will it dynamically fill BYPASS_VPN with the IPs from that list of domains?
EDIT1: I used nslookup netflix.com to cause a DNS reference. That's populated it.

I've also added to nat-start:
Code:
TAG_MARK=0x7000

ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

iptables -D PREROUTING -t mangle -m set --match-set BYPASS_VPN dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
iptables -A PREROUTING -t mangle -m set --match-set BYPASS_VPN dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
EDIT3: I've implemented all this, ipset list shows the IP addresses. The next issue I think might be because DNS is pointing to NordVPN's DNS servers.
I read that using server=/netflix.com/<ip of Dyn DNS server> should bypass the VPN DNS. But that didn't seem to work. When I tried to run nslookup netflix.com there was an error in the router log that said the Dyn DNS IP cannot do (I can't remember exactly) recursive lookups or something.
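The save/restore approach that EDIT2 describes, written out as a small script. This is an added example, not code from frustin's post or from the Asuswrt-Merlin project; it assumes Merlin's user-script hooks in /jffs/scripts (nat-start or init-start at boot, services-stop at shutdown) and stores the dump under /jffs/ipset, both of which you may need to adjust. DRY_RUN=1 prints the ipset commands instead of executing them, which is how it can be checked off the router.

```shell
#!/bin/sh
# Added example (not code from this thread): keep an ipset across reboots by
# dumping it to /jffs at shutdown and replaying the dump at boot.
# Assumptions: Asuswrt-Merlin user scripts in /jffs/scripts (nat-start or
# init-start at boot, services-stop at shutdown); adjust paths to taste.
SET_NAME="${SET_NAME:-BYPASS_VPN}"
SAVE_FILE="${SAVE_FILE:-/jffs/ipset/$SET_NAME.save}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# set_exists: does the kernel already have the set? (never, in dry-run)
set_exists() {
    [ "$DRY_RUN" = 1 ] && return 1
    ipset list -n "$SET_NAME" >/dev/null 2>&1
}

# ensure_set: dnsmasq's ipset= directive only adds to a set that exists.
ensure_set() {
    set_exists || run ipset create "$SET_NAME" hash:ip
}

# saved_entry_count FILE: number of "add SET ..." lines in an ipset dump.
saved_entry_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c "^add $SET_NAME " "$1" || true
}

# restore_set: at boot, replay the dump (definition + members) if present,
# otherwise just create the empty set so dnsmasq can start filling it.
restore_set() {
    if [ -r "$SAVE_FILE" ]; then
        printf 'restoring %s entries into %s\n' \
            "$(saved_entry_count "$SAVE_FILE")" "$SET_NAME" >&2
        # -! (--exist) keeps going if the set or a member already exists
        if [ "$DRY_RUN" = 1 ]; then
            printf 'ipset -! restore < %s\n' "$SAVE_FILE"
        else
            ipset -! restore < "$SAVE_FILE"
        fi
    else
        ensure_set
    fi
}

# save_set: at shutdown (or from cron), dump the set to flash.
save_set() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipset save %s > %s\n' "$SET_NAME" "$SAVE_FILE"
    else
        mkdir -p "$(dirname "$SAVE_FILE")"
        ipset save "$SET_NAME" > "$SAVE_FILE"
    fi
}

# Usage:  sh /jffs/scripts/ipset-persist.sh restore   (from nat-start)
#         sh /jffs/scripts/ipset-persist.sh save      (from services-stop)
case "${1:-}" in
    restore) restore_set ;;
    save)    save_set ;;
esac
```

A crash or power cut skips services-stop, so anything learned since the last save is lost; scheduling `save` periodically (on Merlin, through its cru cron helper) limits that window. The restored members are only as current as the last dump; dnsmasq keeps adding fresh answers to the set afterwards, which is the dynamic fill frustin's EDIT1 observed.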
The following is NOT going to work.

Code:
ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

The main routing table has been overridden to point to the VPN as the default gateway. So merely pointing your marked packets back to that same table accomplishes nothing.

In order to bypass the VPN, you need to create an *alternate* routing table that points to the WAN/ISP as the default gateway, mark packets that meet your criteria, then finally add an ip rule that traps on that mark and directs those packets to the alternate routing table.
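
The alternate-table approach described above, as an added example; it is not the replying poster's script and not Asuswrt-Merlin project code. It assumes a Merlin router where the WAN gateway and interface can be read from the wan0_gateway and wan0_ifname nvram variables (or passed in as WAN_GW / WAN_IF), uses table number 100 and rule priority 9990 as arbitrary choices, and keeps the 0x7000 mark and BYPASS_VPN set name from the thread. With DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread (not the poster's code): send traffic whose
# destination is in an ipset out through the WAN instead of the VPN tunnel.
# The main table has been pointed at the VPN, so we build an alternate table
# that defaults to the ISP gateway, mark matching packets, and add an ip rule
# that sends marked packets to that table.
# Assumptions (adjust for your router): Asuswrt-Merlin, called from
# /jffs/scripts/nat-start; the WAN gateway and interface are read from
# nvram (wan0_gateway / wan0_ifname) unless WAN_GW / WAN_IF are set.
# Table 100 and priority 9990 are arbitrary; mark 0x7000 is the thread's.
SET_NAME="${SET_NAME:-BYPASS_VPN}"
TAG_MARK="${TAG_MARK:-0x7000}"
BYPASS_TABLE="${BYPASS_TABLE:-100}"
RULE_PRIO="${RULE_PRIO:-9990}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# WAN parameters: environment override first, nvram second.
wan_gateway() { printf '%s\n' "${WAN_GW:-$(nvram get wan0_gateway)}"; }
wan_iface()   { printf '%s\n' "${WAN_IF:-$(nvram get wan0_ifname)}"; }

# mark_rule ACTION: the mangle rule shared by install/remove (ACTION = -A or -D).
# The mask after the slash limits the write to our mark bits.
mark_rule() {
    run iptables -t mangle "$1" PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$TAG_MARK/$TAG_MARK"
}

# install_bypass: idempotent; removes old copies before adding new ones.
install_bypass() {
    gw=$(wan_gateway); dev=$(wan_iface)
    if [ -z "$gw" ] || [ -z "$dev" ]; then
        echo "install_bypass: WAN gateway/interface unknown" >&2; return 1
    fi
    # 1. Alternate table whose default route is the ISP gateway, not the tunnel.
    run ip route replace default via "$gw" dev "$dev" table "$BYPASS_TABLE"
    # 2. Mark packets whose destination is a member of the set.
    mark_rule -D 2>/dev/null || true
    mark_rule -A
    # 3. Rule with a priority below main (32766), so marked packets hit the
    #    alternate table before the VPN-modified main table is consulted.
    run ip rule del fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    run ip rule add fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO"
    run ip route flush cache
}

# remove_bypass: undo everything install_bypass added.
remove_bypass() {
    run ip rule del fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    mark_rule -D 2>/dev/null || true
    run ip route flush table "$BYPASS_TABLE" 2>/dev/null || true
    run ip route flush cache
}

# Usage:  sh /jffs/scripts/vpn-bypass.sh apply    (from nat-start)
#         sh /jffs/scripts/vpn-bypass.sh remove
case "${1:-}" in
    apply)  install_bypass ;;
    remove) remove_bypass ;;
esac
```

Checking the result on the router: `ip rule` should list the fwmark rule ahead of main, `ip route show table 100` should show only the WAN default route, and the counters from `iptables -t mangle -L PREROUTING -v` should climb when a set member is contacted. Note that this only changes where packets are routed; if dnsmasq is forwarding queries to the VPN provider's resolver, the answers that populate the set still come from there, which is the separate DNS issue frustin raised in EDIT3.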
Thank you for your response. I've literally just come to the conclusion this was the issue, but only by elimination of all other possibilities. I'm afraid I've simply copied and pasted that command, without understanding what it does.
Code:
ip rule del prio 9990
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
more like this?