Selective Routing for Netflix

Thought I would share this teaser. The pfSense package pfBlockerNG supports the ability to create IPv4 lists thru the gui. No coding required to load IPv4 lists into ipset lists on pfSense. It can all be done thru the web gui. Here is how it looks for json files:

[screenshot: pfBlockerNG IPv4 list configured from a json file]


Here is how to configure using the AS Number.

[screenshot: pfBlockerNG IPv4 list configured from an AS number]
 
Xentrk,

That looks very nice and polished.

The selective routing script seemed to work for me for a day, but is no longer working. I'm puzzled. The only other thing I've got working on my router is Martineau's IPSET Blocking script to dynamically ban malicious IPs from here: https://raw.githubusercontent.com/MartineauUK/IPSET_Block/master/IPSET_Block.sh

When I take a look at the ip rule command I get this:
Code:
0:      from all lookup local
9988:   from all fwmark 0xc lookup 12
9989:   from all fwmark 0xa lookup 10
9990:   from all fwmark 0x7000 lookup main
32766:  from all lookup main
32767:  from all lookup default

When I run the iptables -nvL PREROUTING -t mangle --line command I get this:
Code:
Chain PREROUTING (policy ACCEPT 581K packets, 714M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     102K   11M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.10-192.168.1.254 MARK set 0xa
2        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443 MARK set 0xc
3    65808 3656K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x7000
4      593  327K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZONAWS dst MARK or 0x7000
5      311 30108 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AKAMAI dst MARK or 0x7000

So I'm confused since it appears to be working as it should but Netflix comes up with the "You appear to be using a proxy..." message and refuses to play. That happens on my Nexus Player and laptop. It's doubly strange since it seemed to work for the first day but not after that and I changed nothing.
 
Please try the version in the first post. From my testing on Asus Merlin and pfSense, the akamai IPv4 addresses should not be needed, only the Netflix and Amazon AWS. So let's eliminate the akamai as an issue.

Do you call the script from nat-start? If not, then it may stop working as you describe.

I see a potential issue with the ip rule order. The WAN interface 0x7000 needs to be the highest priority (lower number is higher priority). Here is mine for example.

Code:
0:      from all lookup local
4000:   from all fwmark 0x7000/0x7000 lookup main
4002:   from all to 108.160.151.39 lookup ovpnc2
4997:   from all fwmark 0x3000/0x3000 lookup ovpnc3
4998:   from all fwmark 0x2000/0x2000 lookup ovpnc2
5000:   from all fwmark 0x1000/0x1000 lookup ovpnc1
<snip>

How many OpenVPN clients do you have active? And is Redirect Internet Traffic = Policy Rules?
Please post a pic of your OpenVPN clients settings if you still have issues. Redact any sensitive information before posting. Also, provide the router model and firmware version.
 
I just finished testing the script in the first post and will walk you thru the steps I did.

All of my routing scripts get executed from /jffs/scripts/nat-start. I moved nat-start to nat-start.bk and bounced the WAN iface to clear existing ip rules and iptable rules I had in place. I have three VPN clients running on my router with Policy Rules. But no devices are configured to use them. As a result, all traffic defaults to the WAN. When I run ip rule, this is what shows up.

Code:
#ip rule
0:      from all lookup local

For the next step, I configured my laptop to use OVPNC1 in the web gui. I checked Netflix and see it is routed to the VPN.

Code:
# ip rule
0:      from all lookup local
10101:  from 192.168.22.152 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

I run the netflix_wan.sh script to route Netflix traffic to the WAN. I checked Netflix and see it is routed to the WAN. The WAN prio is a lower number than the ip rule for my laptop. Lower numbers get higher priority.
Code:
# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 192.168.22.152 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
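The ordering rule stated two posts up (the fwmark 0x7000 rule must carry a lower priority number than any rule that sends traffic to a VPN table) and the walkthrough in this post can be turned into a check. The script below is an added example, not code from the thread; it reads plain `ip rule` output and the three sample listings it runs on are copied from earlier in the thread. On a router, call it as `check_wan_rule_order "$(ip rule)"`.

```shell
#!/bin/sh
# Report whether the WAN bypass rule (fwmark 0x7000 -> table main) is consulted
# before every rule that selects a VPN client table (ovpncN) or a numbered table.
# Exit status: 0 = ordering is fine, 1 = a VPN rule comes first, 2 = no WAN rule.

WAN_MARK=0x7000

check_wan_rule_order() {
    printf '%s\n' "$1" | awk -v mark="$WAN_MARK" '
        # every rule line starts with "<prio>:"
        $1 ~ /^[0-9]+:$/ {
            prio = $1; sub(":", "", prio); prio += 0
            fm = ""; tbl = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") fm = $(i + 1)
                if ($i == "lookup") tbl = $(i + 1)
            }
            split(fm, parts, "/")            # "0x7000/0x7000" -> value, mask
            if (parts[1] == mark && tbl == "main") {
                if (wan == "") wan = prio    # first WAN bypass rule wins
            } else if (tbl != "" && tbl != "local" && tbl != "main" && tbl != "default") {
                vpn[prio] = tbl              # anything else is a VPN / numbered table
            }
        }
        END {
            if (wan == "") {
                print "no \"fwmark " mark " lookup main\" rule found"
                exit 2
            }
            bad = 0
            for (p in vpn) {
                if (p + 0 <= wan) {
                    printf "prio %d (table %s) is consulted at or before the WAN rule at prio %d\n", p, vpn[p], wan
                    bad = 1
                }
            }
            if (bad) exit 1
            print "ok: WAN rule at prio " wan " precedes all VPN/numbered-table rules"
        }'
}

# Sample 1 (copied from the thread): VPN rules 9988/9989 precede the WAN rule at 9990
RULES_VPN_FIRST='0:      from all lookup local
9988:   from all fwmark 0xc lookup 12
9989:   from all fwmark 0xa lookup 10
9990:   from all fwmark 0x7000 lookup main
32766:  from all lookup main
32767:  from all lookup default'

# Sample 2 (copied from the thread): WAN rule at 4000 precedes the ovpnc rules
RULES_WAN_FIRST='0:      from all lookup local
4000:   from all fwmark 0x7000/0x7000 lookup main
4002:   from all to 108.160.151.39 lookup ovpnc2
4997:   from all fwmark 0x3000/0x3000 lookup ovpnc3
4998:   from all fwmark 0x2000/0x2000 lookup ovpnc2
5000:   from all fwmark 0x1000/0x1000 lookup ovpnc1'

# Sample 3 (copied from the thread): laptop routed to ovpnc1, no WAN rule yet
RULES_NO_WAN='0:      from all lookup local
10101:  from 192.168.22.152 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

echo "== sample 1 =="; check_wan_rule_order "$RULES_VPN_FIRST" || echo "exit status $?"
echo "== sample 2 =="; check_wan_rule_order "$RULES_WAN_FIRST" || echo "exit status $?"
echo "== sample 3 =="; check_wan_rule_order "$RULES_NO_WAN"    || echo "exit status $?"
```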
 
Hello all. So I just applied this to my AC-86U and Amazon seems to work but with Netflix I'm still getting the unblocker or proxy message. Can anyone help?

More info:

ip rule
admin@RT-AC66R-CF18:/jffs# ip rule
0: from all lookup local
9990: from all fwmark 0x7000/0x7000 lookup main
10101: from 192.168.1.126 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

iptables -nvL PREROUTING -t mangle --line
admin@RT-AC66R-CF18:/jffs# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 760K packets, 854M bytes)
num pkts bytes target prot opt in out source destination
1 292K 373M MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 0 0 MARK all -- tun12 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 21688 2571K MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
4 13858 819K MARK tcp -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst,dst MARK or 0x7000

ip route show | grep tun
10.8.0.0/24 dev tun21 proto kernel scope link src 10.8.0.1
10.17.10.5 dev tun11 proto kernel scope link src 10.17.10.6

cat /rom/etc/iproute2/rt_tables
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
200 wan1
 
The diagnostics look okay to me. You say you have an AC86U. But in the prompts, I see RT-AC66R. What firmware version are you running? What do you have set for Accept DNS Configuration? Try Exclusive at first. If you still have issues, change it to Strict. And in the Custom Configuration section, add the line:
dhcp-option DNS some.dns.ip.address, e.g. dhcp-option DNS 9.9.9.9

9.9.9.9 is the Quad9 DNS server that blocks evil domains. You can pick any public DNS server that you prefer.

If that does not work, I have another selective routing script that is more robust and has additional flexibility to see if that fixes it for you.
 
Whoa I just noticed that but it is AC86U.

Accept DNS Configuration is set to Exclusive so I'll try Strict. I will also try the dhcp-option DNS 9.9.9.9 and will report back.

[screenshot: OpenVPN client settings]

Sj13B
 
Still not working. Also I noticed I had to run your script every time I reboot the router, and once I run the script I get the following:

checking shared-SelectiveRouting-whitelist
file found, no further checks
RTNETLINK answers: No such file or directory
iptables: No chain/target/match by that name.

I can still play from Amazon but not from Netflix :(
 
RTNETLINK answers: No such file or directory

The message comes from the ip rule del line. It is best practice to ensure that a rule does not exist before adding/inserting to prevent duplicates. The message is stating that the rule does not exist. If you run it back to back, you should not see the message. You can uncomment the set -xo line to confirm the line of code that is throwing the message. Just need the set -x for now. In fact, leave it on until we figure it out to make sure everything is running okay.

Do you have entware installed?

The other messages are okay. The first one means you are not using AB-Solution and Skynet. As a result, the ipinfo site does not need to be added to the shared whitelist. You will get the iptables message the first time you run the script. I will update the script to send the warning message to /dev/null.

What I would do is bounce the WAN interface. You can do this by doing an apply settings on the WAN gui page. Then, run the script and test.

If it works, we will need to call the script from the user script file /jffs/nat-start. However, I see I need to update the script to prevent it from being run concurrently. This can happen when the WAN or OpenVPN clients update their IP. By placing it in nat-start, it will be on cruise control.

Double check that your IPSET lists are being populated. Syntax is
ipset -L set-name, e.g. ipset -L NETFLIX

Go to the ipinfo.io website to make sure it is not being blocked.

I have to be out and about for the afternoon. I will look things over upon my return.
 
Thank you for the help.

I am running AB-Solution and Skynet. ipinfo.io is whitelisted and I can visit the site with no issues.

I added calling the script from nat-start so it is there after rebooting.
 
I will need to update the code to add the lock file logic or you may experience duplicate ip rule entries when placing it in nat-start. I'll post an update soon.

Are you testing using a web browser or a media streaming device, such as Roku or Apple TV?

The only thing I can think of right now is to have you use the Amazon json file as the source for Amazon IP addresses rather than ipinfo.io/AS16509. The json file contains the global list of Amazon AWS locations. The code to extract the json file is listed in this post. The instructions are in the code comments.
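Two problems raised in this exchange, the harmless "RTNETLINK answers: No such file or directory" from deleting a rule that is not there yet, and the duplicate ip rule entries that appear when the script runs twice from nat-start, both come down to adding rules without first checking for them. The helpers below are an added example, not the thread's script: the *_exists functions work on captured `ip rule` text so they can be tried offline (the sample listing is constructed, with the 9990 rule deliberately doubled), while the ensure_* and drop_* wrappers are what you would call on the router, since they run the real ip and iptables commands.

```shell
#!/bin/sh
# Idempotent rule management for a script that is re-run from nat-start.

# Return 0 if the `ip rule` listing in $1 already has a rule at priority $2.
ip_rule_prio_exists() {
    printf '%s\n' "$1" | awk -v want="$2:" '$1 == want { found = 1 } END { exit !found }'
}

# Print every rule line that occurs more than once in the `ip rule` listing in $1
# (the symptom of two runs both adding the same rule). Return 0 if any were found.
duplicate_ip_rules() {
    printf '%s\n' "$1" | sort | uniq -d | grep .
}

# Router side: add the WAN bypass rule only when priority 9990 is still free.
ensure_wan_rule() {
    ip_rule_prio_exists "$(ip rule)" 9990 \
        || ip rule add from 0/0 fwmark 0x7000/0x7000 table main prio 9990
}

# Router side: remove every copy of the rule at priority $1. `ip rule del`
# removes one match per call, so loop until the priority is gone.
drop_all_rules_at_prio() {
    while ip_rule_prio_exists "$(ip rule)" "$1"; do
        ip rule del prio "$1" || break
    done
}

# Router side: append a mangle PREROUTING rule only if `iptables -C` reports
# it is not present, so there is never a failing -D and never a duplicate -A.
ensure_mangle_rule() {
    iptables -t mangle -C PREROUTING "$@" 2>/dev/null \
        || iptables -t mangle -A PREROUTING "$@"
}
# e.g. ensure_mangle_rule -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000

# Constructed sample: a listing after the script was run twice without a check.
SAMPLE_DOUBLED='0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 192.168.1.126 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample: the same listing after a single, checked run.
SAMPLE_CLEAN='0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from 192.168.1.126 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

ip_rule_prio_exists "$SAMPLE_DOUBLED" 9990 && echo "prio 9990 already present, skip add"
echo "duplicates in doubled sample:"; duplicate_ip_rules "$SAMPLE_DOUBLED"
echo "duplicates in clean sample:";   duplicate_ip_rules "$SAMPLE_CLEAN" || echo "(none)"
```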
 
I'm using an NVidia Shield TV. I tried the json file suggestion but I get a bunch of errors like these:

ipset v6.32: Syntax error: cannot parse "ip_prefix":: resolving to IPv4 address failed
ipset v6.32: Syntax error: '13",' is invalid as number
ipset v6.32: Syntax error: cannot parse "region":: resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse "us: resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse "service":: resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse "AMAZON": resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse }: resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse {: resolving to IPv4 address failed
ipset v6.32: Syntax error: cannot parse "ip_prefix":: resolving to IPv4 address failed
ipset v6.32: Syntax error: '15",' is invalid as number
 
I’ve seen good reviews on the tv box you have.

I don’t think I saw that msg when I tested the json parser script the other day. I have seen that msg once before but the ipset still got populated.
Check that the ipset got populated. E.g. ipset -L listname

Probably not necessary:
Update entware: opkg update
Then, check the version of ipset and jq.
 
Not sure if this has any bearing.

DNS and Dnsmasq are handled differently with selective routing combined with AB-Solution over a vpn tunnel. I have to set Accept DNS Configuration to Strict. In the custom config, enter dhcp-option DNS some.dns.ip.address, e.g. 9.9.9.9. These settings have helped Torguard and PIA customers. If I set Accept DNS Configuration to Exclusive, then ABS does not work over the vpn tunnel. If I do not add the dhcp-option line when using Strict, I have routing issues. I cannot download files from an SSH session, for example. No wonder the blocking files were not getting updated!

Do you assign a DNS on the WAN page?
 
ipset is not getting populated. I enabled debugging and ran it again. This is what I get:
Merlin@RT-AC86U-CE18:/jffs/scripts# ./get_aws.sh
errexit off
noglob off
ignoreeof off
interactive off
monitor off
noexec off
stdin off
xtrace on
verbose off
noclobber off
allexport off
notify off
nounset off
vi off
pipefail off
+ basename ./get_aws.sh
+ logger -t (get_aws.sh) 15587 Starting ./get_aws.sh.
+ wget https://ip-ranges.amazonaws.com/ip-ranges.json -O /jffs/scripts/ip-ranges.json
--2018-02-28 13:51:45-- https://ip-ranges.amazonaws.com/ip-ranges.json
Resolving ip-ranges.amazonaws.com... 13.33.74.37, 13.33.74.94, 13.33.74.21, ...
Connecting to ip-ranges.amazonaws.com|13.33.74.37|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 156545 (153K) [application/json]
Saving to: '/jffs/scripts/ip-ranges.json'

/jffs/scripts/ip-ranges.json 100%[=============================================================>] 152.88K --.-KB/s in 0.04s

2018-02-28 13:51:45 (3.43 MB/s) - '/jffs/scripts/ip-ranges.json' saved [156545/156545]

+ ipset create AMAZONAWS hash:net family inet hashsize 1024 maxelem 65536
+ jq -r .prefixes[] | select(.region=="us-east-1")
+ ipset add AMAZONAWS {
ipset v6.32: Syntax error: cannot parse {: resolving to IPv4 address failed
+ ipset add AMAZONAWS "ip_prefix":
ipset v6.32: Syntax error: cannot parse "ip_prefix":: resolving to IPv4 address failed
+ ipset add AMAZONAWS "18.204.0.0/14",
ipset v6.32: Syntax error: '14",' is invalid as number
it just keeps going until the end:
+ unset IPv4
+ basename ./get_aws.sh
+ logger -t (get_aws.sh) 17608 Ending... ./get_aws.sh.

When I run ipset list for AMAZONAWS I only see this:

Name: AMAZONAWS
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 352
References: 0
Number of entries: 0
Members:

- Accept DNS Configuration is set to Strict
- Under Custom configuration I have dhcp-option DNS 9.9.9.9
- No DNS on the WAN page
 
Did you install the entware package jq? It is required to parse the json file.

Do you have IPv6 enabled?

Run this command to find the version of ipset: ipset -v
Code:
ipset v6.32, protocol version: 6

for jq:
Code:
jq --help
jq - commandline JSON processor [version 1.5]
<snip>
 
- IPv6 is Disabled.
- jq (1.5-2a)
- ipset v6.32, protocol version: 6
 
Try using quad9 or another public dns for the wan DNS. Then, retest. I am away right now. I will rerun it again when I get home tonight.
 
Here is a revised script. I created separate ipset lists for NETFLIX and AMAZONAWS to help in debugging which one may be an issue.

Code:
#!/bin/sh
####################################################################################################
# Script: IPSET_Netflix3.sh
# Author: Xentrk
# 1-Mar-2018 Version 3.0
#
#####################################################################################################
# Script Description:
#
# The purpose of this script is for selective routing of Netflix traffic using
# Autonomous System Numbers (ASNs). ASNs are assigned to entities such as Internet
# Service Providers and other large organizations that control blocks of IP addresses.
#
# Netflix and other services that use Amazon AWS servers are blocking VPN's.
#
# This script will
#   1. Create shared whitelist entry for ipinfo.io in /jffs/shared-SelectiveRouting-whitelist for use by AB-Solution and Skynet.
#      Otherwise, ipinfo.io may be blocked and the script will not work.
#   2. Obtain the IPv4 addresses used by Netflix USA from ipinfo.io, and the IPv4 addresses
#      used by Amazon AWS from the ip-ranges.json file published by Amazon.
#      IPv6 addresses are excluded in this version.
#   3. Create the IPSET lists NETFLIX and AMAZONAWS
#   4. Add the IPv4 addresses to the IPSET lists
#   5. Route IPv4 addresses in the IPSET lists to the WAN interface.
#
# Note 1: IPSET syntax differs between version 6 and 4.5
#             Syntax for ipset v6
#                ipset create WAN0 list:set
#                ipset add WAN0 setlist (e.g. SPEEDTEST)
#             for routers running ipset v4.5 (ipset -V)
#                ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: In the event one needs to use IPv6 in the future, the syntax is: ipset -N NETFLIX-v6 hash:net family ipv6
#
# Note 3: Troubleshooting
#
#            You can use these sites for AS validation and troubleshooting to lookup ASNs:
#
#               https://bgp.he.net/AS16509 (Click on the prefixes tab to view IP addresses)
#               http://ipinfo.io/AS2906
#
# Note 4: Required OpenVPN Client Settings
#
#         - Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
#         - Others?
#
#######################################################################
logger -t "($(basename "$0"))" $$ "Starting $0${*:+ $*}."

# Trace every command while troubleshooting; comment out once things are stable
set -x

# Prevent script from running concurrently when called from nat-start

PROGNAME=$(basename "$0")
LOCKFILE_DIR=/tmp
LOCK_FD=200
# The AWS json file is downloaded to, and read back from, this one path
JSON_FILE=/jffs/scripts/ip-ranges.json

lock() {
    local prefix=$1
    local fd=${2:-$LOCK_FD}
    local lock_file=$LOCKFILE_DIR/$prefix.lock

    # create lock file
    eval "exec $fd>$lock_file"

    # acquire the lock; fail immediately if another instance holds it
    flock -n $fd \
        && return 0 \
        || return 1
}

eexit() {
    local error_str="$@"
    echo "$error_str"
    exit 1
}

main() {
    lock $PROGNAME \
        || eexit "Only one instance of $PROGNAME can run at one time."

    # check shared-SelectiveRouting-whitelist so ipinfo.io is not blocked
    # by AB-Solution and Skynet
    echo -e "\n checking shared-SelectiveRouting-whitelist"
    if [ -s "/jffs/shared-SelectiveRouting-whitelist" ]; then
        echo " file found, no further checks"
    else
        echo "generating missing file"
        echo "ipinfo.io" > /jffs/shared-SelectiveRouting-whitelist
    fi

    # -exist keeps re-runs from nat-start quiet when the set or an entry already exists
    ipset -exist create NETFLIX hash:net family inet hashsize 1024 maxelem 65536

    # Pull all IPv4s listed for Netflix USA - AS2906
    netsv4=`curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
    for net in $netsv4
    do
        ipset -exist add NETFLIX "$net"
    done
    unset netsv4

    # Download Amazon AWS json file
    wget https://ip-ranges.amazonaws.com/ip-ranges.json -O "$JSON_FILE"

    # Create IPSET list
    ipset -exist create AMAZONAWS hash:net family inet hashsize 1024 maxelem 65536

    # Pull all IPv4s listed for Amazon AWS. The jq filter must be quoted so the
    # shell does not treat the pipe inside it as its own pipeline.
    for IPv4 in `jq -r '.prefixes | .[].ip_prefix' < "$JSON_FILE"`
    do
        ipset -exist add AMAZONAWS "$IPv4"
    done
    unset IPv4

    ###########################################################
    # Route marked traffic via the WAN (table main)           #
    ###########################################################
    # Delete before adding so re-runs do not create duplicates. The delete is
    # expected to fail on the first run, so its error message is discarded.
    ip rule del prio 9990 2>/dev/null
    ip rule add from 0/0 fwmark 0x7000/0x7000 table main prio 9990
    iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000

    iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
    iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000

    logger -t "($(basename "$0"))" $$ "Ending $0${*:+ $*}."
}
main

I first verified that my laptop was assigned to use ovpnc1.
Code:
ip rule
0:      from all lookup local
10101:  from 192.168.22.152 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

I validated my public ip and that netflix went thru the vpn tunnel. I then ran the script.

Here is a snip of the output where the json file is downloaded.

Code:
wget https://ip-ranges.amazonaws.com/ip-ranges.json -O /jffs/scripts/ip-ranges.json
--2018-03-01 19:52:27--  https://ip-ranges.amazonaws.com/ip-ranges.json
Resolving ip-ranges.amazonaws.com... 54.230.14.242, 54.230.14.67, 54.230.14.58, ...
Connecting to ip-ranges.amazonaws.com|54.230.14.242|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 154591 (151K) [application/json]
Saving to: '/jffs/scripts/ip-ranges.json'

/jffs/scripts/ip-ranges.json   100%[===================================================>] 150.97K   239KB/s    in 0.6s

2018-03-01 19:52:30 (239 KB/s) - '/jffs/scripts/ip-ranges.json' saved [154591/154591]

+ ipset create TESTAMAZONAWS hash:net family inet hashsize 1024 maxelem 65536
+ jq -r .prefixes | .[].ip_prefix
+ ipset add TESTAMAZONAWS 13.32.0.0/15
+ ipset add TESTAMAZONAWS 13.35.0.0/16
<snip>

Netflix is now routed to the WAN.

Please test on your end and let me know how it goes.
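The earlier failure (ipset being handed raw JSON tokens such as `{`, `"ip_prefix":` and `"18.204.0.0/14",` one at a time, ending with an AMAZONAWS set of zero entries) and the revised script above both feed whatever jq prints straight into `ipset add`. The following added example, not part of the thread's script, validates each token first, so a broken parse is reported once and an empty result is treated as a failure rather than a silently empty set. The BROKEN_OUTPUT sample is constructed from the tokens shown in the trace; only load_ipset_checked calls ipset and it assumes the set name and hash:net parameters used by the script.

```shell
#!/bin/sh
# Guard the prefix -> ipset path: accept only well-formed IPv4 CIDRs and
# refuse to proceed when nothing valid came out of the JSON parse.

# Return 0 if $1 is a well-formed IPv4 CIDR: four octets 0-255 and a /0-/32 length.
is_ipv4_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;              # no prefix length at all
    esac
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }          # not a.b.c.d/n (also catches a second slash)
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
            exit 0
        }'
}

# Read candidate prefixes on stdin, print the valid ones, report rejects on
# stderr. Return 1 if no valid prefix was seen (the "Number of entries: 0" case).
filter_cidrs() {
    ok=0; bad=0
    while IFS= read -r tok; do
        [ -n "$tok" ] || continue
        if is_ipv4_cidr "$tok"; then
            ok=$((ok + 1)); printf '%s\n' "$tok"
        else
            bad=$((bad + 1)); echo "rejected: $tok" >&2
        fi
    done
    echo "valid=$ok rejected=$bad" >&2
    [ "$ok" -gt 0 ]
}

# Router side: load validated prefixes from stdin into ipset $1, creating the
# set with the same parameters the script uses. Leaves the set alone and
# returns 1 when the input produced no valid prefix.
#   jq -r '.prefixes[].ip_prefix' < /jffs/scripts/ip-ranges.json | load_ipset_checked AMAZONAWS
load_ipset_checked() {
    prefixes=$(filter_cidrs) || { echo "$1: no valid prefixes, set left untouched" >&2; return 1; }
    ipset -exist create "$1" hash:net family inet hashsize 1024 maxelem 65536
    for p in $prefixes; do
        ipset -exist add "$1" "$p"
    done
}

# Constructed sample: what an unquoted jq filter handed to ipset in the thread,
# mixed with two prefixes from the working run.
BROKEN_OUTPUT='{
"ip_prefix":
"18.204.0.0/14",
13.32.0.0/15
13.35.0.0/16'

echo "accepted prefixes:"
printf '%s\n' "$BROKEN_OUTPUT" | filter_cidrs
```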
 
I ran it and now I see the IPs for Netflix and AmazonAWS. I won't be able to test it until I get home so I'll let you know.

Thank you.
 