Selective Routing for Netflix

Any updates on your update? I've royally badgered my set up after diversion ad block update and thinking I could mess with IPSET directly.

Weirdly, some domains respect the diversion route and some go through the VPN.

Update: Sorted it using new script on github.
Everything is working. I need to test the install script and remove some debugging messages. I was hoping to go live this weekend but Murphy showed up and changed my plans. Also need to make updates to the README. I will target completion end of April.
 
As it appears that this may allow me to bring my Roku's back into the VPN realm AND potentially allow my mobile Amazon app to function fully, I'll ask: how's it going? Need any assistance or test support? I hope your work/life schedule is going well!
 
Thanks for the post. I sent you a PM with instructions.
 
I got it. I will have questions when I install, probably on Friday. Thank you sir.
 
Ok, it's question time: I use Nordvpn (router client) and use Roku's for the TV's in the house. Netflix and amazon sometimes don't work (I think AWS is just playing whack-a-mole with the VPN IP's) so, policy wise, I put the Roku's on the WAN side of things and all is well. I cannot use the Amazon app on the mobile devices with this set up I currently have. I'm also running diversion, and skynet on my 86U (merlin 384.11) so I have DNS configuration disabled to use the DoT DNS and still get diversion ad blocking. I do also have an 88U in AP (wired) in my config, also on 384.11.

A: Do I need to change anything with this setup to use this script?
B: Do I need to remove the policy rules for the roku's before I proceed to step 2?
C: If I can leave my current policy rules alone (disabled), do I need to setup the dummy VPN?
D: Lastly, so I can try to understand, why create IPSET rules then delete them? I assume that it's creating the proper routes in the JFFS directory but I don't understand why it needs to be deleted...

Thanks
 
Sorry, your post didn't get flagged or if it did, I didn't see it.

No need to remove your streaming device from the Policy Rules screen. You can route it to whatever location you want. The x3mRouting rules take a higher priority. For example, the streaming device is set to use LA by default. But NF and AWS are routed to the WAN. So, all traffic other than NF and AWS will be routed to LA.

For AWS, the US region works great for Prime Video.
Code:
sh load_AMAZON_ipset_iface.sh 0 AMAZON-US US

For NF, you can try the DNSMASQ method
Code:
sh load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Or the ASN method
Code:
sh load_ASN_ipset_iface.sh 0 NETFLIX AS2906

Both work for me.

The requirement is to have policy rules enabled. I recommend you also put the Router IP address in the Policy Rules section and route it to the WAN. You only need the DummyVPN entry if you need to exploit the Accept DNS Configuration = Exclusive and are using the LAN Selective Routing method and there are no clients listed in the screen.

For the x3mRouting Shell Script Method, the del option deletes the IPSET list + the iptables routing rule. It does not delete the backup file from /opt/tmp though. This is by design. For example, say you mostly watch CBS All Access and have it route to a server in LA. But as it happens, your local football team is playing in an out of market city and you can't watch it locally. So, you configure a VPN client for New York. You then run the script and pass it the del directive to remove routing from the LA server. Then, you run the script again without the "del" parameter passing the client number for the New York VPN client. You have now changed routing for CBS All Access from LA to New York!

Use this command to display the routing rules and the status for packets
Code:
iptables -nvL PREROUTING -t mangle --line
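
A way to read that listing for the ipset-based rules discussed above, as an added example that is not part of the original post or of the x3mRouting project. The sample listing is constructed; the interface names and mark values in it are illustrative assumptions, and only the `match-set` column layout is relied on.

```shell
#!/bin/sh
# Added example: summarise ipset-based rules in the mangle PREROUTING chain.
# Input on stdin: output of `iptables -nvL PREROUTING -t mangle --line`.

# Print "<rule-number> <set-name> <packets> <status>" for every rule
# that matches on an ipset list.
ipset_rule_hits() {
    awk '
        $1 ~ /^[0-9]+$/ {                 # rule rows start with a line number
            for (i = 1; i < NF; i++) {
                if ($i == "match-set") {  # next field is the ipset list name
                    status = ($2 == "0") ? "NO-HITS" : "active"
                    print $1, $(i + 1), $2, status
                }
            }
        }'
}

# Print only the names of sets whose rule has not matched a single packet.
idle_sets() {
    ipset_rule_hits | awk '$4 == "NO-HITS" { print $2 }'
}

# Constructed sample listing (not captured from a real router).
SAMPLE='Chain PREROUTING (policy ACCEPT 91234 packets, 48M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     5120  610K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000'

# Demo on the sample; on the router, pipe the real command in instead:
#   iptables -nvL PREROUTING -t mangle --line | ipset_rule_hits
printf '%s\n' "$SAMPLE" | ipset_rule_hits
```

A rule that stays at zero packets while the service is in use means no LAN traffic has matched that list, so that traffic is still following the default policy route rather than the selective one.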
 
Thanks for the post. I sent you a PM with instructions.
Hello - Are the instructions specific enough to allow a non-expert to install the NF and Prime solutions? If yes, are they only available via PM? I use both NF and Prime (and likely HBO Now and maybe BBC). My Roku and my smartTVs are also outside my VPN (PIA) but I too would like to bring them back in the VPN.
 
I am doing a soft launch right now via PM which is a good thing as 384.11 resulted in some conflicts that I had to make over last weekend. My plan is to write two accompanying blog articles to go along with the project to help answer FAQ and explain the techniques in more detail to those who need to, can customize for their use case. My go live target is June 1.

I'll send you the information in a PM.
 
OK, thanks. I'll sit on my hands for a couple of weeks.
 
Please add me. I must have hit the same bumps as you, but I thought I was just mentally deficient and uninstalled the script. :confused:
 
Hello @Xentrk ! I was just looking for a solution for this "problem" and I stumbled upon this thread. You can PM me with the script so I can test it if you need another tester!
Today I'll update to GNUton merlin for DSL-AC68U routers so you can cover this "side" of routers too! Cheers
 
Hello @Xentrk, I am new to VPNs, but have been handling home networking for my family for quite some time. I recently decided to add a VPN service to my router. I opted for CyberGhost as they allow up to 7 devices, which allows me to have my router as well as my immediate family's cell phones all covered by one subscription. I have a Linksys WRT1900AC router that I flashed with DD-WRT V3.0-r36698 std (08/22/18). I believe I have the VPN set up correctly, as when I go to IPChicken it tells me that my IP address has changed from what it is when I have the VPN disabled. I also believe it is working because when I go to Netflix, Hulu, and Amazon Prime Video it tells me I am behind a VPN and I need to disable it to use their services. I was looking for a workaround that would allow me to route my streaming services around the VPN to resolve this issue. I apologize if I get long-winded or am misunderstanding what I am seeing on this thread, as I am new to 3rd party router firmware as well. But if I understand this thread properly, you have a script that will run when the router is booted up that will route traffic for Netflix and Amazon Prime Video, and if I am not mistaken it can be adapted for Hulu as well, to route this streaming traffic around the VPN so that these services can be used while the VPN is running, and all other traffic will stay protected in the VPN tunnel. If this is the case, will this work on my router and firmware, and if so, how can I get a copy of this script and directions on how to install it and any other software or scripts that I may need to make this work? It sounds like in the next couple of weeks or so you plan to have a new version released, so I understand if I need to wait until then. Once I get everything working on my setup, I also have a family member that has a Linksys e2500 running AdvancedTomato Version 3.5-140Max. I will be configuring their VPN, also CyberGhost, as well. Would this script work on their setup as well?
 
Hi @sugar0 ,

You are free to use the project. The repo on GitHub is here: https://github.com/Xentrk

Some info on policy routing is in this post:
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

The OpenVPN Client Screen + Shell Script method works with 384.11 and 384.11_2 firmware. There are some changes I have to make for this method to work with the 384.12 alpha. With this method, you can only route traffic thru the VPN tunnel.

The stand alone Shell Script method can work with any 384.xx firmware version. This method allows you to route traffic thru either the WAN or VPN tunnel. I recommend starting with this method. Let me know if you have questions.
 
The project only works on Asuswrt-Merlin firmware. The project requires ipset. I last used DD-WRT two years ago. At that time, IPSET was not included in the firmware and had to be side loaded.

I used the services you mentioned in the development of the project. If you want to change over to Asus and want the best VPN performance, look at the RT-AC86U or RT-AX88U models. Once in a while, they go on sale.
 

Thank you for the reply @Xentrk. I had been thinking about upgrading my router anyways; the Linksys has been getting flaky from time to time. How many devices can these routers handle? Between all the smart devices in my house, I tend to have 20 to 30 devices connected at any given time. Would the RT-AC86U handle that kind of load or would you recommend going with the RT-AX88U?
 

Most consumer routers, including all the mentioned models, can reliably handle approximately 32 clients per Radio, per Band.

If you are pushing the limit on the 5GHz band, possibly moving a few less sensitive clients to the 2.4GHz band will help. Otherwise, a Tri-Radio router with two 5GHz radios will be a better solution.
 

Thank you @L&LD for the feedback. I think I should be able to limit some of my devices, thermostats, printers, (non critical devices) to the 2.4GHz band which will keep me in the dual band range.
 
The stand alone Shell Script method can work with any 384.xx firmware version. This method allows you to route traffic thru either the WAN or VPN tunnel. I recommend starting with this method. Let me know if you have questions.

You mean method 3 right?
 
Correct. The difference is method 2 only allows routing thru the VPN interface. Method 3 allows routing thru the WAN or VPN interface.
 
I just successfully installed the script and got it working, but now I'm stuck with nat-start:
Do you guys have any idea why I don't have many default scripts? How can I install them?
Code:
admin@DSL-AC68U-52B8:/jffs/scripts# ls -l

-rwxr-xr-x    1 admin    root         63592 May 23 18:54 amtm
-rwxr-xr-x    1 admin    root         20846 May 23 19:10 install_x3mRouting.sh
-rwxr-xr-x    1 admin    root            76 May 23 19:08 post-mount
-rwxr-xr-x    1 admin    root           223 May 23 19:08 post-mount.div
-rwxr-xr-x    1 admin    root            77 May 23 19:08 services-stop
-rwxr-xr-x    1 admin    root         32582 May 23 20:23 spdmerlin
drwxrwxrwx    2 admin    root             0 May 23 19:10 x3mRouting

Edit:
Ok, noob here. I understood that I NEED to create it. Added my lines with nano and chmod it 777 and it seems to have started at boot and NETFLIX works! Now I need to figure out Amazon Prime Video.
Edit2:
Figured out Amazon from Italy. I added the global region!
 