persistent ipset create

Discussion in 'Asuswrt-Merlin' started by frustin, Jun 19, 2018.

  1. frustin

    frustin Occasional Visitor

    Joined:
    Apr 9, 2010
    Messages:
    41
    RT-AC86U using merlin 384.5 firmware.

    I'm trying to get netflix to bypass VPN using ipset.

    I've read a lot on it. I've created the dnsmasq.conf.add
    Code:
    ipset=/netflix.com/nflxext.com/amazonaws.com/amazon.com/amazon.co.uk/bbc.co.uk/BYPASS_VPN
    But I know I need to create the BYPASS_VPN. I can do this on the command line: ipset create BYPASS_VPN hash:ip but not in the config. What's the command to create and make it persistent so after reboot I can see the list again using ipset list?
    EDIT2: Seems the only way to make it persistent is a start up/shutdown script whereby an ipset save and restore is run.

    Also at what stage will it dynamically fill BYPASS_VPN with the IPs from that list of domains?
    EDIT1: I used nslookup netflix.com to cause a DNS reference. That's populated it.

    I've also added to nat-start:
    Code:
    TAG_MARK=0x7000
    
    ip rule del prio 9990
    ip rule add fwmark $TAG_MARK table main prio 9990
    
    iptables -D PREROUTING -t mangle -m set --match-set BYPASS_VPN dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
    iptables -A PREROUTING -t mangle -m set --match-set BYPASS_VPN dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
    EDIT3: I've implemented all this, ipset list shows the IP addresses. The next issue I think might be because DNS is pointing to NordVPN's DNS servers.
    I read that using server=/netflix.com/<ip of Dyn DNS server> should bypass the VPN DNS. But that didn't seem to work. When I tried to run nslookup netflix.com there was an error in the router log that said the Dyn DNS IP can not do (I can't remember exactly) recursive lookups or something.
     
    Last edited: Jun 20, 2018
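The save/restore approach from EDIT2, written out as an added example (not code from the thread or from Asuswrt-Merlin). It assumes Merlin's services-start/services-stop hooks, a save file under /jffs/configs, ipset v6 syntax (the same syntax the create command above uses) and a DRY_RUN switch that prints the commands instead of running them. The set has to exist before dnsmasq resolves one of the listed names, because dnsmasq only adds addresses to a set that is already there; a restored save file only carries the addresses that were present at the last save, so the set refills as clients resolve the names again.

```shell
#!/bin/sh
# Added example, not from the thread: keep an ipset across reboots on
# Asuswrt-Merlin by saving it to /jffs at shutdown and restoring it at boot.
# Hook names (services-start/services-stop) are Merlin's; the save path,
# the set name default and the DRY_RUN switch are this script's assumptions.

SET_NAME="${SET_NAME:-BYPASS_VPN}"
SAVE_FILE="${SAVE_FILE:-/jffs/configs/${SET_NAME}.ipset}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: print the ipset commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Boot: if a save file exists, replay it (it carries the create line plus every
# stored address); otherwise create an empty set. -exist keeps both idempotent.
ipset_up() {
    if [ -s "$SAVE_FILE" ]; then
        run ipset -exist -file "$SAVE_FILE" restore
    else
        run ipset -exist create "$SET_NAME" hash:ip
    fi
}

# Shutdown (or a periodic cron job): dump the live set so the addresses dnsmasq
# added since boot survive the reboot.
ipset_down() {
    run ipset -file "$SAVE_FILE" save "$SET_NAME"
}

# Build the dnsmasq.conf.add line that makes dnsmasq add every resolved
# address of the given domains to the set.
dnsmasq_ipset_line() {
    line="ipset="
    for d in "$@"; do
        line="$line/$d"
    done
    printf '%s\n' "$line/$SET_NAME"
}

case "${1:-}" in
    start) ipset_up ;;
    stop)  ipset_down ;;
    line)  shift; dnsmasq_ipset_line "$@" ;;
esac
```

Usage on the router would be a call to this script with `start` from /jffs/scripts/services-start and with `stop` from /jffs/scripts/services-stop; `ipset list BYPASS_VPN` after a reboot then shows the restored entries. The `line` subcommand only prints the dnsmasq directive so it can be compared with what is already in dnsmasq.conf.add.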
  3. eibgrad

    eibgrad Occasional Visitor

    Joined:
    Feb 20, 2017
    Messages:
    23
    The following is NOT going to work.

    Code:
    ip rule del prio 9990
    ip rule add fwmark $TAG_MARK table main prio 9990
    The main routing table has been overridden to point to the VPN as the default gateway. So merely pointing your marked packets back to that same table accomplishes nothing.

    In order to bypass the VPN, you need to create an *alternate* routing table that points to the WAN/ISP as the default gateway, mark packets that meet your criteria, then finally add an ip rule that traps on that mark and directs those packets to the alternate routing table.
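The three steps eibgrad lists, as an added example (not code from the thread or from Asuswrt-Merlin): an alternate routing table whose default route is the ISP gateway, a mangle rule that marks packets whose destination is in the ipset, and an ip rule that sends marked packets to that table. The TAG_MARK value, rule priority and set name are the ones used in the thread; the nat-start hook, table id 100, the nvram keys wan0_gateway/wan0_ifname and the DRY_RUN switch are assumptions. Only forwarded LAN traffic is marked in PREROUTING; traffic the router itself originates would need a matching OUTPUT rule.

```shell
#!/bin/sh
# Added example, not from the thread: bypass the VPN for ipset members by
# routing them through an alternate table whose default gateway is the ISP.
# Intended for /jffs/scripts/nat-start on Asuswrt-Merlin (assumed hook).
# Table id 100 and the nvram keys used below are assumptions as well.

SET_NAME="${SET_NAME:-BYPASS_VPN}"
TAG_MARK="${TAG_MARK:-0x7000}"
BYPASS_TABLE="${BYPASS_TABLE:-100}"    # alternate table; must not be 'main'
RULE_PRIO="${RULE_PRIO:-9990}"
WAN_GW="${WAN_GW:-}"                   # empty: looked up from nvram at run time
WAN_IF="${WAN_IF:-}"
DRY_RUN="${DRY_RUN:-0}"                # DRY_RUN=1: print the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Resolve the ISP gateway and WAN interface unless the caller supplied them.
wan_params() {
    [ -n "$WAN_GW" ] || WAN_GW=$(nvram get wan0_gateway 2>/dev/null) || return 1
    [ -n "$WAN_IF" ] || WAN_IF=$(nvram get wan0_ifname 2>/dev/null) || return 1
    [ -n "$WAN_GW" ] && [ -n "$WAN_IF" ]
}

bypass_up() {
    wan_params || { echo "bypass_up: WAN gateway/interface unknown" >&2; return 1; }
    # 1. Alternate routing table whose default route is the ISP, not the tunnel.
    run ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$BYPASS_TABLE"
    # 2. Rule that traps on the mark and sends those packets to that table.
    #    Remove any earlier copy first so re-running nat-start does not stack rules.
    run ip rule del fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    run ip rule add fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO"
    run ip route flush cache
    # 3. Mark forwarded LAN packets whose destination is in the ipset.
    run iptables -t mangle -D PREROUTING -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$TAG_MARK/$TAG_MARK" 2>/dev/null || true
    run iptables -t mangle -A PREROUTING -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$TAG_MARK/$TAG_MARK"
}

# Undo the three steps, e.g. before the VPN client is reconfigured.
bypass_down() {
    run iptables -t mangle -D PREROUTING -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$TAG_MARK/$TAG_MARK" 2>/dev/null || true
    run ip rule del fwmark "$TAG_MARK/$TAG_MARK" table "$BYPASS_TABLE" prio "$RULE_PRIO" 2>/dev/null || true
    run ip route flush table "$BYPASS_TABLE" 2>/dev/null || true
    run ip route flush cache
}

case "${1:-}" in
    start) bypass_up ;;
    stop)  bypass_down ;;
esac
```

After running it with `start`, `ip rule` should list the fwmark rule at priority 9990 and `ip route show table 100` the ISP default route; `DRY_RUN=1 ./script start` shows the exact commands without touching the router. Check the output of `ip rule` to confirm the rule is consulted before any rules the VPN client itself installed, otherwise the marked packets never reach the alternate table.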
     
  4. frustin

    frustin Occasional Visitor

    Joined:
    Apr 9, 2010
    Messages:
    41
    Thank you for your response. I've literally just come to the conclusion this was the issue but only by elimination of all other possibilities. I'm afraid I've simply copied and pasted that command, without understanding what it does.
    Code:
    ip rule del prio 9990
    ip rule add from 0/0 fwmark 0x7000 table main prio 9990
    more like this?
     
    Last edited: Jun 20, 2018