route certain domains through client vpn


Another thing to note that may prevent an IPSET list from being populated - routing the same domain to two different IPSET lists. This appears to be an issue but I want to run some more tests to be sure.

For example, say you created the IPSET list US-vpn1 and have pandora.com in it. Then, the next day, you run the script again, but create a new list called US-VPN and also use pandora.com in the list. When the domain is looked up, the IPSET list US-VPN does not get populated. The US-vpn1 list is listed first in dnsmasq. Looks like the match occurs there first. I've noticed this in some recent testing but need to revisit to validate.

For now, if you rename your IPSET lists, make sure to run the script with the original parameters along with the "del" parameter to remove the entry from /jffs/configs/dnsmasq.conf.add. Or, manually delete the entry from /jffs/configs/dnsmasq.conf.add using an editor.
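The clash described above (one domain named in two ipset= entries, only the first of which dnsmasq populates) is easy to spot before it bites. The following is an added example, not x3mRouting code: a POSIX sh function that scans a dnsmasq config for domains that appear in more than one ipset= line. The sample config is constructed here so it runs offline; on the router you would point it at /jffs/configs/dnsmasq.conf.add.

```shell
#!/bin/sh
# Added example (not part of x3mRouting): report domains that appear in more than
# one ipset= entry of a dnsmasq config, the situation where only the first
# matching list gets populated.

# Print "domain: LIST1 LIST2 ..." for every domain named in two or more ipset= lines.
# dnsmasq syntax: ipset=/domain1[/domain2...]/setname[,setname...]
find_dup_ipset_domains() {
    awk -F/ '
        /^ipset=/ {
            # fields 2..NF-1 are domains, field NF is the set name(s)
            for (i = 2; i < NF; i++) {
                seen[$i]++
                sets[$i] = sets[$i] " " $NF
            }
        }
        END {
            for (d in seen)
                if (seen[d] > 1) print d ":" sets[d]
        }' "$1" | LC_ALL=C sort
}

# Constructed sample config (not a real router dump) reproducing the US-vpn1 / US-VPN clash.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
dhcp-option=lan,42,10.0.0.1 # ntpMerlin
server=/pool.ntp.org/1.1.1.1
ipset=/pandora.com/US-vpn1
ipset=/pandora.com/ifconfig.io/US-VPN
ipset=/hulu.com/hulustream.com/HULU_WEB
EOF

# Stand-alone run: prints "pandora.com: US-vpn1 US-VPN"
find_dup_ipset_domains "$SAMPLE_CONF"
```

Run it after every rename or re-run of the load scripts; an empty result means no domain is claimed by two entries. If a domain genuinely must feed two lists, dnsmasq's own syntax allows a comma-separated set list in a single entry (ipset=/domain/SET1,SET2), which avoids the first-match problem entirely.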
 
Thanks. I will take this info into account.
Regarding the fact that I need to ping the websites first from the router so I can ensure traffic goes to the VPN, is there a workaround for it? I've been careful when creating lists by not having duplicates.

Maybe an idea would be to have the script automatically run an nslookup or ping for each website that I manually store?
 
You shouldn't have to ping or do an nslookup on the site first. There appears to be a setting that is causing this, as this never happened on firmware versions 384.10 and below. I will have to look more at the change log for clues and do some testing. I am currently on the 384.12 alpha release. dnsmasq should be adding the IP address dynamically. For now, you can run this script to make sure DNS is being cached locally:

Code:
#!/bin/sh
if [ -n "$(nvram get dns_local_cache)" ] && [ "$(nvram get dns_local_cache)" != "1" ]; then
    nvram set dns_local_cache="1"
    nvram commit
elif [ -n "$(nvram get dns_local)" ] && [ "$(nvram get dns_local)" != "1" ]; then
    nvram set dns_local="1"
    nvram commit
fi

This appears to fix the issue we identified over the weekend when an nslookup did not populate the ipset list. Other steps to take are:

1. Make sure any old ipset list references are removed from /jffs/configs/dnsmasq.conf.add
2. Once the list is populated with the entries you want, save the ipset list to the backup/restore file location using the command: ipset save ipset_name > /opt/tmp/ipset_name. The cron job will automatically do this at 2 AM. The backup will then be used to restore the list at system boot and the entries don't have to be recreated.

If you have Diversion ad blocker installed, you may try installing and reinstalling. This fixed an issue I was having with entries not appearing in the dnsmasq.log file and helped get things working again.
 
@andresmorago, I hope everything is working.

As a follow-up, did you configure /jffs/scripts/nat-start to execute the x3mRouting script? This is required so the ipset list is restored at system boot. I was doing a lot of testing this past weekend and ran into some timing issues when executing from nat-start after I added USB disk checking. I've been testing using the openvpn-event user script to start the scripts. It appears to have solved the issue and is a better fit. I plan to do some more testing just to make sure. Stay tuned for an update.

Also, I patched the installation menu so the liststats function is appended to /jffs/configs/profile.add if the file already exists. Rerun the installation script. It will detect a new version and prompt you to update.

I appreciate your feedback with the project.
 
Hi @Xentrk

Thanks for updating the installation script. I'll do more testing and let you know anything else I find.
I have also moved the lines from nat-start to openvpn-event. Please let me know if I'm doing the script right.
All I want is to have some websites (which I store in dnsmasq.conf.add) and the whole Amazon list routed to my VPN client 1.

openvpn-event
Code:
#!/bin/sh

#starts vpn routing
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 US_vpn
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US

#checks for dns local caching
if [ -n "$(nvram get dns_local_cache)" ] && [ "$(nvram get dns_local_cache)" != "1" ]; then
    nvram set dns_local_cache="1"
    nvram commit
elif [ -n "$(nvram get dns_local)" ] && [ "$(nvram get dns_local)" != "1" ]; then
    nvram set dns_local="1"
    nvram commit
fi

dnsmasq.conf.add
Code:
dhcp-option=lan,42,10.0.0.1 # ntpMerlin
server=/pool.ntp.org/1.1.1.1

ipset=/pandora.com/US_vpn
ipset=/ifconfig.io/US_vpn

So far, so good... I think.
Code:
admin@RT-AC68U-5358:/jffs/scripts# liststats
AMAZON-US - 331
Skynet-Blacklist - 143517
Skynet-BlockedRanges - 14667
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 3440
US_vpn - 174

admin@RT-AC68U-5358:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 203 packets, 49400 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    34152   21M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x1000
2     8235 3788K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set US_vpn dst MARK or 0x1000
 
Sorry for the extra post, but I don't want to make the previous one any longer.

I see this line in /opt/tmp/US_vpn:
create.....
Should it be there?
Code:
create US_vpn hash:net family inet hashsize 1024 maxelem 65536
add US_vpn 54.85.213.229
add US_vpn 18.235.29.41
add US_vpn 54.89.15.213
add US_vpn 34.192.92.205

because it's not in /opt/tmp/AMAZON-US:
Code:
100.24.0.0/13
107.20.0.0/14
107.23.255.0/26
13.248.103.0/24
13.248.108.0/24
150.222.2.0/24
 
That is correct. The restore file will have the "add ipset_name" entries before the IP address.
 
You only need to run the script for the local DNS caching one time. It updates an nvram value and will persist after a reboot. But a firmware upgrade may change it back to the default of No or 0.

I will send you the openvpn-event code and instructions I am using when I return home from work later today. You only want to run the IPSET shell scripts when the routing has been completed and not when the client is terminated. The script I use handles this.
 
For method 3, the IPSET Shell Script method, calling the scripts from /jffs/scripts/nat-start should be all that is required to have the scripts auto start on system boot. The routing rules will survive OpenVPN Client down events.

However, if one uses Method 3 combined with Method 1 - Selective Routing for LAN Clients, the routing for the OpenVPN Client will get deleted if you bounce or turn off the OpenVPN Client. I have a plan to fix this issue. It is an edge case but needs to be addressed. A new option will be added for the fix.

Inside of /jffs/scripts/openvpn-event will be the line 'sh /jffs/scripts/x3mRouting/openvpn-event':

Code:
#!/bin/sh
###########################################################################################################
# John9527
# https://www.snbforums.com/threads/f...lts-releases-v39e3.18914/page-238#post-294825
############################################################################################################
# Dispatcher run by the firmware as /jffs/scripts/openvpn-event with OpenVPN's arguments
# ($1 is the tun device). OpenVPN exports script_type (e.g. route-up, down) in the
# environment; it is used to pick the per-client script to execute.

scr_name="$(basename "$0")[$$]"

case "$1" in
    "tun11") vpn_name="client1" ;;
    "tun12") vpn_name="client2" ;;
    "tun13") vpn_name="client3" ;;
    "tun14") vpn_name="client4" ;;
    "tun15") vpn_name="client5" ;;
    "tun21") vpn_name="server1" ;;
    "tun22") vpn_name="server2" ;;
    *)       vpn_name="" ;;
esac

# Call appropriate script based on script_type
vpn_script_name="vpn$vpn_name-$script_type"

# Check script state/use nvram to save last script run, so the same event is not
# handled twice when OpenVPN fires it more than once
vpn_script_state=$(nvram get vpn_script_state)
nvram set vpn_script_state="$vpn_script_name"
if [ "$vpn_script_name" = "$vpn_script_state" ]; then
    echo "VPN script $vpn_script_name already run" | logger -t "$scr_name"
    exit 0
fi

if [ -f "/jffs/scripts/$vpn_script_name" ]; then
    echo "Running /jffs/scripts/$vpn_script_name $*" | logger -t "$scr_name"
    sh "/jffs/scripts/$vpn_script_name" "$@"
else
    echo "Script not defined for event: $vpn_script_name" | logger -t "$scr_name"
    exit 0
fi

exit 0

When an OpenVPN up event has completed, it will run a script called vpnclientX-route-up, where the X is the OpenVPN Client number. The vpnclientX-route-up script will execute the x3mRouting script instead of having it be done from /jffs/scripts/nat-start. I will change the script so all of the files will be in the project repository. Still working out the design of this update and may phase in some of the steps before it can be fully automated behind the scenes.

Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON_US US

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net

logger -st "($(basename "$0"))" $$ Ending Script Execution

Code:
May 29 19:29:39 RT-AC88U-8248 openvpn-routing: Completed routing policy configuration for client 1
May 29 19:29:39 RT-AC88U-8248 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1584 10.24.0.14 10.24.0.13)
May 29 19:29:39 RT-AC88U-8248 openvpn-event[2583]: Running /jffs/scripts/vpnclient1-route-up tun11 1500 1584 10.24.0.14 10.24.0.13
May 29 19:29:39 RT-AC88U-8248 (vpnclient1-route-up): 2597 Starting Script Execution
May 29 19:29:39 RT-AC88U-8248 (load_AMAZON_ipset_iface.sh): 2604 Starting Script Execution
May 29 19:29:39 RT-AC88U-8248 (load_AMAZON_ipset_iface.sh): 2604 Selective Routing Rule via VPN Client 1 created for AMAZON_US (TAG fwmark 0x1000/0x1000)
May 29 19:29:39 RT-AC88U-8248 (load_AMAZON_ipset_iface.sh): 2604 Completed Script Execution
May 29 19:29:39 RT-AC88U-8248 (load_ASN_ipset_iface.sh): 2786 Starting Script Execution
May 29 19:29:40 RT-AC88U-8248 (load_ASN_ipset_iface.sh): 2786 Selective Routing Rule via VPN Client 1 created for NETFLIX (TAG fwmark 0x1000/0x1000)
May 29 19:29:40 RT-AC88U-8248 (load_ASN_ipset_iface.sh): 2786 Ending Script Execution
May 29 19:29:40 RT-AC88U-8248 (load_DNSMASQ_ipset_iface.sh): 2884 Starting Script Execution
May 29 19:29:40 RT-AC88U-8248 rc_service: service 2944:notify_rc restart_dnsmasq
May 29 19:29:40 RT-AC88U-8248 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
May 29 19:29:40 RT-AC88U-8248 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May 29 19:29:40 RT-AC88U-8248 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May 29 19:29:41 RT-AC88U-8248 (load_DNSMASQ_ipset_iface.sh): 2884 Selective Routing Rule via VPN Client 1 created for HULU_WEB (TAG fwmark 0x1000/0x1000)
May 29 19:29:41 RT-AC88U-8248 (load_DNSMASQ_ipset_iface.sh): 2884 Completed Script Execution
May 29 19:29:41 RT-AC88U-8248 (vpnclient1-route-up): 2597 Ending Script Execution
May 29 19:29:41 RT-AC88U-8248 ovpn-client1[2103]: Initialization Sequence Completed
 
@Xentrk, hello
Just curious: should your script load_MANUAL_ipset_iface.sh run a service restart_dnsmasq at the end of its execution?

Code:
May 31 10:33:30 (load_MANUAL_ipset_iface.sh): 9685 Starting Script Execution
May 31 10:33:30 (load_MANUAL_ipset_iface.sh): 9685 IPSET created: US_vpn hash:net family inet hashsize 1024 maxelem 65536
May 31 10:33:30 (load_MANUAL_ipset_iface.sh): 9685 Selective Routing Rule via VPN Client 1 created (TAG fwmark 0x1000/0x1000)
May 31 10:33:30 (load_MANUAL_ipset_iface.sh): 9685 Ending Script Execution


Also, I'm seeing some errors when running your script:
Code:
admin@RT-AC68U-5358:/jffs/scripts# sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 US_vpn
(load_MANUAL_ipset_iface.sh): 9685 Starting Script Execution
(load_MANUAL_ipset_iface.sh): 9685 IPSET created: US_vpn hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Error in line 1: Syntax error: cannot parse create: resolving to IPv4 address failed
(load_MANUAL_ipset_iface.sh): 9685 Selective Routing Rule via VPN Client 1 created (TAG fwmark 0x1000/0x1000)
(load_MANUAL_ipset_iface.sh): 9685 Ending Script Execution
Thanks
 
The Manual script doesn't need to restart dnsmasq like the DNSMASQ method does. That is because the manual script does not create an entry in dnsmasq.conf.add.

For the manual script, it is expecting the backup/restore file to only contain IPv4 addresses. It is a different format than the backup/restore file of the DNSMASQ method.

For example, I manually created a list called BBC stored in /opt/tmp/BBC which contains the IPv4 address. It contains the following entries that I got from some external sources on the web:

Code:
132.185.0.0/16
132.185.112.0/20
132.185.128.0/20
132.185.144.0/20
132.185.240.0/20
212.58.224.0/19

I also created the list called BBC_WEB using the DNSMASQ method via the entry:
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net

The backup/restore file looks like this:
Code:
create BBC_WEB hash:net family inet hashsize 1024 maxelem 65536
add BBC_WEB 212.58.244.68
add BBC_WEB 87.248.222.204
add BBC_WEB 178.79.253.183
add BBC_WEB 117.121.250.129
add BBC_WEB 212.58.249.187
add BBC_WEB 54.229.41.135
add BBC_WEB 212.58.249.213
add BBC_WEB 117.121.249.213
add BBC_WEB 54.194.80.76
add BBC_WEB 117.121.249.182
<snip>

If you have mined IPv4 addresses using the DNSMASQ method and then decide to convert or change the list to use the manual method, edit the file so it only contains IPv4 addresses before saving the file to the backup/restore location in /opt/tmp.
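The two file formats above (the "create/add" dump of the DNSMASQ method versus the bare address list of the MANUAL method) are exactly what produced the "cannot parse create: resolving to IPv4 address failed" error reported earlier in the thread. The following is an added example, not x3mRouting code: a POSIX sh converter that extracts the IPv4 entries from an ipset save dump, plus a lint function that flags any line in a manual list that is not an IPv4 address or prefix. The sample files are constructed inline (addresses taken from the examples in this thread plus one documentation-range IPv6 address) so it runs offline.

```shell
#!/bin/sh
# Added example (not x3mRouting code): convert an "ipset save" dump into the plain
# IPv4 list the MANUAL method expects, and lint a manual list before loading it.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Print only the address column of "add <set> <addr>" lines, dropping the
# "create ..." header and anything that is not IPv4 (the scripts are IPv4-only).
ipset_save_to_manual() {
    awk '$1 == "add" && NF >= 3 { print $3 }' "$1" |
    while IFS= read -r addr; do
        if is_ipv4_or_cidr "$addr"; then printf '%s\n' "$addr"; fi
    done
}

# Print every non-comment line of a manual list that is not IPv4; return 1 if any.
manual_list_lint() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! is_ipv4_or_cidr "$line"; then
            printf 'not IPv4: %s\n' "$line"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Constructed sample files (not real router output).
SAVE_FILE=$(mktemp)
cat > "$SAVE_FILE" <<'EOF'
create BBC_WEB hash:net family inet hashsize 1024 maxelem 65536
add BBC_WEB 212.58.244.68
add BBC_WEB 132.185.0.0/16
add BBC_WEB 2001:db8::1
add BBC_WEB 54.229.41.135
EOF

BAD_MANUAL=$(mktemp)
cat > "$BAD_MANUAL" <<'EOF'
create US_vpn hash:net family inet hashsize 1024 maxelem 65536
54.85.213.229
18.235.29.41
EOF

# Stand-alone run: the converted list, then the lint complaint about the stray "create" line.
ipset_save_to_manual "$SAVE_FILE"
manual_list_lint "$BAD_MANUAL" || echo "fix the file before running load_MANUAL_ipset_iface.sh"
```

A typical conversion on the router would be `ipset_save_to_manual /opt/tmp/BBC_WEB > /opt/tmp/BBC`, followed by `manual_list_lint /opt/tmp/BBC` before the manual load script is run. Anything the lint reports would otherwise be passed to ipset as a hostname to resolve, which is where the "resolving to IPv4 address failed" message comes from.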
 
@andresmorago, the repo code and README has been updated with a new option 4 to use openvpn-event to load the ipset lists at boot time. The option is only needed if you use Method 1 + Method 3 together. But you can still use it if you only have Method 3 installed. Just remove any entries from /jffs/scripts/nat-start.
 
Hi Xentrk, I spent hours trying to figure out how to create the IP set. I installed your script. I am trying to add Mako.co.il to go through my VPN client 1. Would you please help with how it is done?
Many thanks. Ryan
 
Right now, the scripts only work with IPv4 addresses. Support for IPv6 is coming soon.

You can use the DNSMASQ script. The syntax is:

Code:
load_DNSMASQ_ipset_iface.sh   {[0|1|2|3|4|5]  ipset_name  domains[,...]} ['autoscan'] [del]  [dir='directory']

You can try using the top level domain co.il as follows:

Code:
load_DNSMASQ_ipset_iface.sh  1 MAKO co.il
This will create an IPSET list using the top level domain co.il. The IP addresses for any domain ending with co.il will get added to the IPSET list MAKO when dnsmasq does a lookup on the domain name and route the traffic to the interface you specified.

Optionally, if you have already visited the site, any domains ending in co.il will be in the dnsmasq.log file. You can use the autoscan parameter to retrieve those domains:

Code:
load_DNSMASQ_ipset_iface.sh 1 MAKO co.il autoscan

Or, you can manually create an ipset list. An nslookup on mako.co.il returns the following IP addresses:

Code:
199.203.59.151
5.100.251.149
62.90.188.216
5.100.248.61
82.166.147.132

You can then create a file in the /opt/tmp/ directory called MAKO and add the IP addresses to the file.

Then use the MANUAL version of the script as follows:

Code:
load_MANUAL_ipset_iface.sh 1 MAKO

Sometimes, I also look at the webpage source code to see if other domains are being used on a website. For example, I see the domain mako-publishers.com in the source code. That may be a domain that you will have to add. Example:

Code:
load_DNSMASQ_ipset_iface.sh  1 MAKO co.il,mako-publishers.com

And, if you are still having issues, you may need to mine dnsmasq to see what domains are being queried when you visit the site. I describe how to do this in the netflix-vpn-bypass repo readme using the script getdomainnames.sh.
 
Huge thanks for that. I got it to work using the AS numbers. Wanted to mention I am using method 2 with the GUI integrated.
Couple of questions: Do I have to enter each AS number under different IP sets, or can I put several AS numbers under one name? If so, how do I do it?
I am having trouble configuring how to auto-restore the IP set after reboot. Thanks for the help.
 
Right now, the ASN script method only supports one AS number per ipset list. To have the ipset list restored at system boot, you need to execute the script from /jffs/scripts/nat-start. For example:

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset.sh AMAZON-US US

sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh HULU AS23286
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh HULU_WEB hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh CBS_WEB cbs.com,cbsnews.com,cbssports.com,cbsaavideo.com,omtrdc.net,akamaihd.net,irdeto.com,cbsi.com,cbsig.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh MOVETV movetv.com

Make sure nat-start is executable: chmod 755 /jffs/scripts/nat-start

If using the DNSMASQ method, a cron job is created which, at 2:00 AM, saves any IP addresses collected to the ipset save/restore location in /opt/tmp or the save/restore location specified by the user.
 
So I uninstalled method 2, installed method 3 and followed the instructions on how to use the DNSMASQ method, and the IPSET list isn't populated. I changed the setting on the router as instructed and also disabled the ad blocker. But I get MAKO 0 (when typing liststats). Any advice? Thx
 
Accessing the website in a browser should populate the list. There should be an entry in either the system log or dnsmasq.log file (can't recall which one right now) that the IP address was added to the ipset list. I can try to duplicate when I get home from work today. For some reason TBD, doing an nslookup on the domain name is not populating the ipset list. But from some extensive testing I did last Friday, the list still gets populated when using a browser. You can also seed the list by manually adding the IP address entry:

Code:
ipset add MAKO 5.100.248.61
ipset add MAKO 82.166.147.132
 
The challenge with the DNSMASQ method is knowing the domain names to specify. As you can see in the Hulu example on the readme, one cannot simply specify hulu.com. I also had to specify hulustream.com. Looking at the SlingTV website, one wouldn't be able to determine the domain name. I had to determine this by looking at the dnsmasq.log file.

I have determined the domain names for streaming sites using several methods. They each require some analysis.

Method 1
Mine dnsmasq to see what domains are being queried when you visit the site. I describe how to do this in the netflix-vpn-bypass repo readme using the script getdomainnames.sh. The key is to not only visit the site, but also click on all of the menu options. Same with a streaming service using a streaming device. You have to select all of the menus to generate the domain names the service uses. I found other domain names being generated that ended in something other than co.il when selecting the Mako TV option. Not often easy, but it works.

For example, I did some mining and see the following

Code:
 cdn.permutive.com
 static.criteo.net
 iframe.activetrail.biz
 cdn-media.web-view.net
 iframe.activetrail.biz
 widgets.outbrain.com
 cdn-media.web-view.net
 vjl2o.x.incapdns.net

Method 2
Similar to Method 1, you can use the "follow the log file" function in Diversion and see what domains are being queried. You can screen scrape the output from Diversion, paste it into an Excel or text file, sort and remove duplicates.

Method 3
View the page source code and search for .com and .net and start creating a list of domains. Not all of the domains are necessary.

I sometimes have to use a combination of one or more of the methods to gather the domain names.

Then, there is the autoscan feature.

Code:
sh load_DNSMASQ_ipset.sh MAKO co.il autoscan

The autoscan found two domains with the co.il reference and created the entry in dnsmasq:

Code:
ipset=/co.il/edgekey.net/MAKO

Here are the log entries in /opt/var/log/dnsmasq.log:

Code:
Jun 26 18:15:26 dnsmasq[10672]: reply www.mako.co.il is <CNAME>
Jun 26 18:15:26 dnsmasq[10672]: reply wilcard.mako.co.il.edgekey.net is <CNAME>

For slingtv, I was only able to determine that I needed to use movetv.com by looking at dnsmasq.log file when watching from my streaming device and seeing what domains were being logged. Entering the sling.com URL for the SlingTV website was of no use as it is separate from the streaming function.

This is where the ASN method may help. If you can find one domain, then do a lookup on the domain to get the IP address, you can then determine the ASN by using whob or by searching on some of the sites like https://bgp.he.net/.

Then, decide which one you prefer. For example:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906

Code:
load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
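Method 1 above and the autoscan run both come down to the same operation: read dnsmasq's query log, keep the hostnames under a suffix, and follow the CNAME replies so the CDN names a site really resolves to are captured too (that is how autoscan ended up with both co.il and edgekey.net in the MAKO entry). The following is an added example, not x3mRouting's autoscan or getdomainnames.sh: a POSIX sh function implementing that scan, plus a helper that turns the result into a dnsmasq ipset= line. The log lines are constructed in dnsmasq's log-queries format with documentation-range addresses; on the router the input would be /opt/var/log/dnsmasq.log.

```shell
#!/bin/sh
# Added example (not x3mRouting's autoscan or getdomainnames.sh): mine a dnsmasq log
# for the hostnames queried under a domain suffix, following CNAME replies so that
# the CDN names the site really resolves to are captured as well.

# Usage: scan_dnsmasq_domains LOGFILE SUFFIX
# Prints, sorted and de-duplicated, every hostname in query/reply lines that ends in
# SUFFIX, plus the target of each CNAME chain that starts from such a hostname.
scan_dnsmasq_domains() {
    awk -v tld="$2" '
        function matches(n) {
            return n == tld || (length(n) > length(tld) &&
                   substr(n, length(n) - length(tld)) == "." tld)
        }
        $5 ~ /^query\[/ || $5 == "reply" {
            name = $6
            if (matches(name)) {
                print name
                # "reply X is <CNAME>" means the next reply line names the alias target
                chain = ($5 == "reply" && $NF == "<CNAME>")
                next
            }
            if (chain && $5 == "reply") {
                print name
                if ($NF != "<CNAME>") chain = 0
            }
        }' "$1" | LC_ALL=C sort -u
}

# Usage: scan_dnsmasq_domains LOG SUFFIX | ipset_conf_line SETNAME
# Turns the hostnames on stdin into one dnsmasq ipset= entry for SETNAME.
ipset_conf_line() {
    printf 'ipset=/%s/%s\n' "$(paste -sd/ -)" "$1"
}

# Constructed log lines in dnsmasq's log-queries format (not a real capture).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 26 18:15:26 dnsmasq[10672]: query[A] www.mako.co.il from 192.0.2.10
Jun 26 18:15:26 dnsmasq[10672]: forwarded www.mako.co.il to 1.1.1.1
Jun 26 18:15:26 dnsmasq[10672]: reply www.mako.co.il is <CNAME>
Jun 26 18:15:26 dnsmasq[10672]: reply www.mako.co.il.edgekey.net is <CNAME>
Jun 26 18:15:26 dnsmasq[10672]: reply cdn.example.net is 198.51.100.7
Jun 26 18:15:27 dnsmasq[10672]: query[A] static.criteo.net from 192.0.2.10
Jun 26 18:15:27 dnsmasq[10672]: reply static.criteo.net is 198.51.100.8
Jun 26 18:15:28 dnsmasq[10672]: query[A] img.mako.co.il from 192.0.2.10
Jun 26 18:15:28 dnsmasq[10672]: reply img.mako.co.il is 198.51.100.9
EOF

# Stand-alone run: the mined names, then the ipset= line to put in dnsmasq.conf.add.
scan_dnsmasq_domains "$SAMPLE_LOG" co.il
scan_dnsmasq_domains "$SAMPLE_LOG" co.il | ipset_conf_line MAKO
```

Review the output before pasting it into dnsmasq.conf.add: dnsmasq matches ipset= names as suffixes, so a shared CDN name such as edgekey.net in the list routes every site served from that CDN through the VPN, not just the one you were mining. Prefer the most specific name the log gives you, and trim the list to what the service actually needs.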
 