Selective Routing for Netflix

[Xentrk]

I just succesfully installed the script and make it working but now i'm stuck with nat-start:
Do you guys have idea why i dont have many default scripts? How can i install em?

admin@DSL-AC68U-52B8:/jffs/scripts# ls -l

-rwxr-xr-x    1 admin    root         63592 May 23 18:54 amtm
-rwxr-xr-x    1 admin    root         20846 May 23 19:10 install_x3mRouting.sh
-rwxr-xr-x    1 admin    root            76 May 23 19:08 post-mount
-rwxr-xr-x    1 admin    root           223 May 23 19:08 post-mount.div
-rwxr-xr-x    1 admin    root            77 May 23 19:08 services-stop
-rwxr-xr-x    1 admin    root         32582 May 23 20:23 spdmerlin
drwxrwxrwx    2 admin    root             0 May 23 19:10 x3mRouting

Edit:
Ok, noob here. I understood that i NEED to create it. Added my lines with nano and chmod it 777 and it seems to have started at boot and NETFLIX works! now i need to figure out amazon prime video
Edit2:
Figured out amazon from Italy. I added the global region!

I love success stories. Glad you got it working. You are the first DSL user I know of using the selective routing feature. I really like the features of the scripts which eliminates the need to edit the files. The passing of parameters make them very flexible and more user friendly for new or less technical users.

You can also look into WinSCP or MobaXterm or similar client software to give you a more user friendly editor and interface. Many to choose from. Mobaxterm has an SFTP session that gives you a windows explorer type of view into the operating system. You have to install the entware package openssh-sftp-server to use an SFTP client though.

The Amazon region to use may depend on your location. Not sure yet. Need more user feedback from across the globe. I use the US region for Prime. I've not used the Global region. My only concern about Global is that some services host on Amazon servers and using Global may have unintended consequences. Something to keep an eye on. For example, some IP addresses for BBC domains I have harvested are owned by Netflix in Ireland.

 

[sugar0]

The Amazon region to use may depend on your location. Not sure yet. Need more user feedback from across the globe. I use the US region for Prime. I've not used the Global region. My only concern about Global is that some services host on Amazon servers and using Global may have unintended consequences. Something to keep an eye on. For example, some IP addresses for BBC domains I have harvested are owned by Netflix in Ireland.

I'm from Italy and added AMAZON US and EU but was still blocked. Do you think that doing some investigation router side on which IP's it connects to is usefull or a waste of time?

 

[Xentrk]

I'm from Italy and added AMAZON US and EU but was still blocked. Do you think that doing some investigation router side on which IP's it connects to is usefull or a waste of time?

No need. I just remember looking at the IPv4 addresses in the global region when I added the feature to specify region. I need to look at them again. I think the global IP addresses were unique compared to the O addresses of the other regions rather than "all encompassing" of the other regions. You got me curious now and I want to take another look at it.

There is another entware package called "whob" that I use to lookup ownership of IP addresses.

#whob 54.154.243.142

IP: 54.154.243.142
Origin-AS: 16509
Prefix: 54.154.0.0/16
AS-Path: 293 6453 16509
AS-Org-Name: Amazon.com, Inc.
Org-Name: Amazon Technologies Inc.
Net-Name: AMAZON
Cache-Date: 1558686171
Latitude: 53.343990
Longitude: -6.267190
City: Dublin
Region: Dublin City
Country: Ireland
Country-Code: IE

On the internet, https://ipinfo.io/, https://www.ultratools.com/ and https://bgp.he.net/ are my favorite.

 

[sugar0]

I was just thinking that ,in order to know if some traffic that doesen't belong to the streaming services itself ,is bypassed with the rules set in IPSET?
Is there some tool that i can use that monitor this behavior? If you understand what i mean and if it's usefull or not.

 

[Xentrk]

I was just thinking that ,in order to know if some traffic that doesen't belong to the streaming services itself ,is bypassed with the rules set in IPSET?
Is there some tool that i can use that monitor this behavior? If you understand what i mean and if it's usefull or not.

I looked at the Global region and compared with a few other regions and believe my statement is correct that it is not all encompassing of the other region. But I may be wrong and need to use a CIDR calculator to break out the CIDR IP address range to get individual IP addresses to compare with.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

One method to audit the traffic being routed is to use the command "ipset -L ipset_name" to list out the ip addresses. Then, use the "whob" command or one of the online tools to see who owns the IP address. Keep in mind that most of the streaming services use Content Delivery Networks and you may see IP addresses owned by akamai or other similar services. Don't worry too much about this. I have been using the services on the project repository for several years and have tuned them to be very specific to their service.

 

[sugar0]

One method to audit the traffic being routed is to use the command "ipset -L ipset_name" to list out the ip addresses. Then, use the "whob" command or one of the online tools to see who owns the IP address. Keep in mind that most of the streaming services use Content Delivery Networks and you may see IP addresses owned by akamai or other similar services. Don't worry too much about this. I have been using the services on the project repository for several years and have tuned them to be very specific to their service.

I was talking about the actual ip's that i being routed. Sort of a log of ip's routed to either wan, vpn1 vpn2 etc. Just for curiosity! I don't think it actually matters to anyone

 

[DiFran01]

@Xentrk I got a deal on an RT-AC88U and have flashed Merlin 384.11_2 will this setup work with your script to route the Streaming traffic around the VPN? if so, can you send me a link where I can download the script as well as some instructions on how to install it?

 

[Xentrk]

@Xentrk I got a deal on an RT-AC88U and have flashed Merlin 384.11_2 will this setup work with your script to route the Streaming traffic around the VPN? if so, can you send me a link where I can download the script as well as some instructions on how to install it?

Installation instructions are located here: https://github.com/Xentrk/x3mRouting.

I am waiting for the 384.12 release to be launched before doing a formal launch and creating a new thread on the forum.

 

[Kingp1n]

Installation instructions are located here: https://github.com/Xentrk/x3mRouting.

I am waiting for the 384.12 release to be launched before doing a formal launch and creating a new thread on the forum.

Will this work with Hulu as well?

 

[Xentrk]

Will this work with Hulu as well?

Yes. It will work with any service as long one knows the top level domains, ASN or IP addresses to use. Hulu is one of the services I used in the development of the project. You can use the Hulu example I provided on the README to create the IPSET list and route to the interface of your choice.

 

[Kingp1n]

Xentrk....I'm kind of a noob reading thru the instructions and which method to use...all I'm tryin to do is use Hulu, Netflix, and Prime and im currently using PIA VPN. Which method wld you recommend for a simple set up that may allow me to use these services with VPN enabled. Does one method over the other provide any benefits? Again sorry for the noob questions.

 

[Xentrk]

Xentrk....I'm kind of a noob reading thru the instructions and which method to use...all I'm tryin to do is use Hulu, Netflix, and Prime and im currently using PIA VPN. Which method wld you recommend for a simple set up that may allow me to use these services with VPN enabled. Does one method over the other provide any benefits? Again sorry for the noob questions.

Use Method 3, Shell Script Method. With this method, you can set it and forget it and not worry about compatibility with firmware versions.

 

[Kingp1n]

Use Method 3, Shell Script Method. With this method, you can set it and forget it and not worry about compatibility with firmware versions.

So I'm attempting to install method 3. I see 4 files (load Amazon, load ASN, load DNSMASQ & load MANUAL) under the scripts/x3mRouting folder when using winscp. Do I need edit any of these files? Also under the jjfs/scripts folder under the nat-start file I added the lines below is this correct?:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net

 

[Xentrk]

So I'm attempting to install method 3. I see 4 files (load Amazon, load ASN, load DNSMASQ & load MANUAL) under the scripts/x3mRouting folder when using winscp. Do I need edit any of these files? Also under the jjfs/scripts folder under the nat-start file I added the lines below is this correct?:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net

Thanks for using the scripts. No editing of the scripts is required. The passing of the parameters eliminates the need for users to edit the scripts. nat-start looks good. Use the following command to confirm packets are being routed in the iptables PREROUTING chain.

iptables -nvL PREROUTING -t mangle --line

 

[Kingp1n]

Xentrk ...last question...this sld work if I'm using PIA VPN correct? I was trying yesterday but I don't think it was working.

 

[Xentrk]

Xentrk ...last question...this sld work if I'm using PIA VPN correct? I was trying yesterday but I don't think it was working.

It's because Netflix, Hulu and Amazon Prime block known VPN servers. You have to use a service like TorGuard Private IP to get around the blocks if you want to use a VPN. What some people do is use the scripts to route Netflix, Hulu and Amazon Prime to bypass the VPN and route the streaming traffic to the WAN interface. In the VPN policy screen, you can create a rule to have all of your network traffic or selected devices to the VPN. Then, use the scripts to bypass the VPN for Netflix, Hulu and Amazon Prime.

 

[Kingp1n]

It's because Netflix, Hulu and Amazon Prime block known VPN servers. You have to use a service like TorGuard Private IP to get around the blocks if you want to use a VPN. What some people do is use the scripts to route Netflix, Hulu and Amazon Prime to bypass the VPN and route the streaming traffic to the WAN interface. In the VPN policy screen, you can create a rule to have all of your network traffic or selected devices to the VPN. Then, use the scripts to bypass the VPN for Netflix, Hulu and Amazon Prime.

Would this be by using method 3 as well? My setup is currently setup by all devices gng to VPN except for my router. Wld I use your script by using method 3 at this point or you recommend using another option...thanks and sorry for all the questions

 

[Xentrk]

Would this be by using method 3 as well? My setup is currently setup by all devices gng to VPN except for my router. Wld I use your script by using method 3 at this point or you recommend using another option...thanks and sorry for all the questions

Happy to help!

A common configuration where you want your entire LAN to go through the VPN, but not the router itself. Enter the following rules in the Policy Routing section of the OpenVPN Client Screen:

LAN_IPs 192.168.1.0/24 0.0.0.0 VPN
Router 192.168.1.1 0.0.0.0 WAN

Netflix, Hulu and Amazon Prime will now detect you are using a VPN. To watch Netflix, Hulu and Amazon Prime, you can use the scripts to bypass PIA VPN by specifying WAN as the interface using a 0:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HULU_WEB hulu.com,hulustream.com,akamaihd.net

Those services will now see that you are not using a VPN and will allow you to stream.

The streaming media rules have a higher priority than the rules entered in the OpenVPN Client screen and will always go thru the WAN iface. All other traffic will go thru the VPN.

 

[Kingp1n]

you can use the scripts to bypass PIA VPN by specifying WAN as the interface using a 0:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HULU_WEB hulu.com,hulustream.com,akamaihd.net

Those services will now see that you are not using a VPN and will allow you to stream.

The streaming media rules have a higher priority than the rules entered in the OpenVPN Client screen and will always go thru the WAN iface. All other traffic will go thru the VPN.

And u input this command under the nat-start file? Thanks for all assistance

 

[Xentrk]

And u input this command under the nat-start file? Thanks for all assistance

Correct. Placing the commands in nat-start will run the scripts at boot.