Selective Routing with Asuswrt-Merlin

So instead of packet marking, is there a better, more reliable way of achieving what once worked in the script I posted above?

If you want to forward all traffic from that specific client, just use the built-in policy routing available on the webui. If however you want to only route traffic to/from a specific port, then you will have to read up on which mark bitmasks are currently used by the firmware (someone listed them a few months ago), build appropriate rules with the appropriate masks, and disable any feature that relies on Trend Micro's DPI engine. Also note that some people reported that fwmarks didn't work properly on the MIPS platform.
 
Ok, thanks again... I will stick to the built-in policy routing for now. Out of interest, is there any way the destination could be checked via a DNS lookup every hour or so and updated accordingly, just in case the end point's IP isn't static?
 

You can configure dnsmasq to dynamically create an ipset for the target destination/domain.

e.g. Netflix.com DNS requests are added to ipset NetflixUSA (if they don't already exist)
(It took dnsmasq about 8 hours overnight to collate the following IPs...I assume my Roku was responsible for causing DNS lookups overnight?)

Code:
admin@RT-AC68U:/jffs/scripts# ./IPSET_List.sh NetflixUSA

IPSET NetflixUSA==>
    38.88.23.28     38.88.23.45     38.88.23.67     38.88.23.70     38.88.23.88    38.88.23.175    38.88.23.182    38.88.23.197    38.88.23.237    38.95.179.27    38.95.179.42    38.95.179.65    38.95.179.68    38.95.179.95   38.95.179.168   38.95.179.234   38.95.179.248    38.130.79.28    38.130.79.37    38.130.79.55   38.130.79.117   38.130.79.130   38.130.79.153   38.130.79.156   38.130.79.241   67.138.110.12   67.138.110.15   67.138.110.58   67.138.110.91  67.138.110.209  67.138.110.226
IPSET NetflixUSA Total:  31

then manually (or use a cron scheduled script) convert the ipset to the appropriate VPN Client NVRAM variable when required:

e.g. force ipset NetflixUSA via VPN Client 2

Code:
admin@RT-AC68U:/jffs/scripts# ./IPSET_to_RPDB.sh NetflixUSA 2

Existing Rule count: 1 for <Dummy2>172.0.0.2>0.0.0.0>VPN (Current NVRAM usage: 29 bytes)

ip rule add from 0/0 to 38.88.23.28 table 112 prio 10302
ip rule add from 0/0 to 38.88.23.45 table 112 prio 10303
ip rule add from 0/0 to 38.88.23.67 table 112 prio 10304
ip rule add from 0/0 to 38.88.23.70 table 112 prio 10305
ip rule add from 0/0 to 38.88.23.88 table 112 prio 10306
ip rule add from 0/0 to 38.88.23.175 table 112 prio 10307
ip rule add from 0/0 to 38.88.23.182 table 112 prio 10308
ip rule add from 0/0 to 38.88.23.197 table 112 prio 10309
ip rule add from 0/0 to 38.88.23.237 table 112 prio 10310
ip rule add from 0/0 to 38.95.179.27 table 112 prio 10311
ip rule add from 0/0 to 38.95.179.42 table 112 prio 10312
ip rule add from 0/0 to 38.95.179.65 table 112 prio 10313
ip rule add from 0/0 to 38.95.179.68 table 112 prio 10314
ip rule add from 0/0 to 38.95.179.95 table 112 prio 10315
ip rule add from 0/0 to 38.95.179.168 table 112 prio 10316
ip rule add from 0/0 to 38.95.179.234 table 112 prio 10317
ip rule add from 0/0 to 38.95.179.248 table 112 prio 10318
ip rule add from 0/0 to 38.130.79.28 table 112 prio 10319
ip rule add from 0/0 to 38.130.79.37 table 112 prio 10320
ip rule add from 0/0 to 38.130.79.55 table 112 prio 10321
ip rule add from 0/0 to 38.130.79.117 table 112 prio 10322
ip rule add from 0/0 to 38.130.79.130 table 112 prio 10323
ip rule add from 0/0 to 38.130.79.153 table 112 prio 10324
ip rule add from 0/0 to 38.130.79.156 table 112 prio 10325
ip rule add from 0/0 to 38.130.79.198 table 112 prio 10326
ip rule add from 0/0 to 38.130.79.241 table 112 prio 10327
ip rule add from 0/0 to 67.138.110.12 table 112 prio 10328
ip rule add from 0/0 to 67.138.110.15 table 112 prio 10329
ip rule add from 0/0 to 67.138.110.58 table 112 prio 10330
ip rule add from 0/0 to 67.138.110.86 table 112 prio 10331
ip rule add from 0/0 to 67.138.110.91 table 112 prio 10332
ip rule add from 0/0 to 67.138.110.209 table 112 prio 10333
ip rule add from 0/0 to 67.138.110.226 table 112 prio 10334

IPSET NetflixUSA Total:  33

nvram set vpn_client2_client="<Dummy2>172.0.0.2>0.0.0.0>VPN<NetflixUSA1>0.0.0.0>38.88.23.28>VPN<NetflixUSA2>0.0.0.0>38.88.23.45>VPN<NetflixUSA3>0.0.0.0>38.88.23.67>VPN<NetflixUSA4>0.0.0.0>38.88.23.70>VPN<NetflixUSA5>0.0.0.0>38.88.23.88>VPN<NetflixUSA6>0.0.0.0>38.88.23.175>VPN<NetflixUSA7>0.0.0.0>38.88.23.182>VPN<NetflixUSA8>0.0.0.0>38.88.23.197>VPN<NetflixUSA9>0.0.0.0>38.88.23.237>VPN<NetflixUSA10>0.0.0.0>38.95.179.27>VPN<NetflixUSA11>0.0.0.0>38.95.179.42>VPN<NetflixUSA12>0.0.0.0>38.95.179.65>VPN<NetflixUSA13>0.0.0.0>38.95.179.68>VPN<NetflixUSA14>0.0.0.0>38.95.179.95>VPN<NetflixUSA15>0.0.0.0>38.95.179.168>VPN<NetflixUSA16>0.0.0.0>38.95.179.234>VPN<NetflixUSA17>0.0.0.0>38.95.179.248>VPN<NetflixUSA18>0.0.0.0>38.130.79.28>VPN<NetflixUSA19>0.0.0.0>38.130.79.37>VPN<NetflixUSA20>0.0.0.0>38.130.79.55>VPN<NetflixUSA21>0.0.0.0>38.130.79.117>VPN<NetflixUSA22>0.0.0.0>38.130.79.130>VPN<NetflixUSA23>0.0.0.0>38.130.79.153>VPN<NetflixUSA24>0.0.0.0>38.130.79.156>VPN<NetflixUSA25>0.0.0.0>38.130.79.198>VPN<NetflixUSA26>0.0.0.0>38.130.79.241>VPN<NetflixUSA27>0.0.0.0>67.138.110.12>VPN<NetflixUSA28>0.0.0.0>67.138.110.15>VPN<NetflixUSA29>0.0.0.0>67.138.110.58>VPN<NetflixUSA30>0.0.0.0>67.138.110.86>VPN<NetflixUSA31>0.0.0.0>67.138.110.91>VPN<NetflixUSA32>0.0.0.0>67.138.110.209>VPN<NetflixUSA33>0.0.0.0>67.138.110.226>VPN"

Expected NVRAM usage: 1287 bytes

admin@RT-AC68U:/jffs/scripts#

However, you will quickly exhaust the number of slots (100) available for VPN selective target addresses.
There are at least 30 different IP aliases for Netflix.com, so three popular domains (Netflix.com, Gmail.com and Facebook.com) would probably completely fill the number of slots and still would not be a complete list of all of the IP addresses used by the three domains.
(Obviously if there are contiguous/consecutive IP alias ranges, then the list may be reduced by specifying a subnet/mask, but in the NetflixUSA example shown above they are all unfortunately discrete addresses.)

Furthermore, the amount of free NVRAM will be reduced, so I find that it is easier to use the fwmark technique to use the dynamically (dnsmasq) maintained ipset directly.

e.g. I have created 3 static rules to selectively route ipsets as shown below:

Code:
admin@RT-AC68U:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 20955 packets, 4331K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      115  5909 MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2      105  5231 MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4        0     0 MARK       all  --  !eth0  *       0.0.0.0/0            xxx.xxx.xxx.xxx        MARK or 0x8000
5      718 67659 BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
6        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN1Domains dst MARK or 0x1000
7       81  6542 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN2Domains dst MARK or 0x2000
8        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN0Domains dst MARK or 0x7000
9        3   164 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            multiport sports 5000:5001 MARK or 0x7000
10     557 93482 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 10.88.8.114-10.88.8.114 multiport dports 80,443 MARK or 0x2000

admin@RT-AC68U:/jffs/scripts#

You will of course need to add the appropriate RPDB rules for the fwmarks

e.g. rules 10000, 10001 and 10002 etc. (if using 380.63)

Code:
admin@RT-AC68U:/jffs/scripts# ip rule
0:    from all lookup local
10000:    from all fwmark 0x7000 lookup main
10001:    from all fwmark 0x1000 lookup NewYork
10002:    from all fwmark 0x2000 lookup HongKong
10101:    from 172.0.0.1 lookup NewYork
10102:    from 168.0.0.1 to 173.230.240.197 lookup NewYork
10301:    from 172.0.0.2 lookup HongKong
32766:    from all lookup main
32767:    from all lookup default
admin@RT-AC68U:/jffs/scripts#

but using the above allows me to set domains that must be routed to either a specific VPN or the WAN
 
Or collect the IPs over a period of time, then form subnets out of them (since I'd expect Netflix to only have a limited number of different subnets within a specific region).
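As an added example (not code from the thread and not part of Asuswrt-Merlin), the POSIX shell script below combines the two points raised above: it takes a list of ipset members, collapses any /24 that has collected enough of them into one subnet entry, and then builds the `<name>0.0.0.0>destination>VPN` entries in the format of the `vpn_clientN_client` NVRAM variable shown earlier, reporting slot and byte usage against the 100-slot limit. The member list is a constructed subset of the NetflixUSA output; the function names and the aggregation threshold are assumptions of this example, not anything the firmware provides.

```sh
#!/bin/sh
# Added example, not code from the thread: convert a list of ipset members into
# the '<name>SRC>DST>VPN' entries stored in the VPN Client NVRAM variable shown
# above, first collapsing any /24 that holds enough members into one subnet so
# that fewer of the 100 selective-routing slots are used. Only text is produced;
# the 'nvram set' line is printed for review, never executed.

# Constructed sample: a few of the NetflixUSA members listed above.
SAMPLE_MEMBERS="38.88.23.28
38.88.23.45
38.88.23.67
38.95.179.27
67.138.110.12"

# aggregate_members <threshold>   (stdin: one IPv4 address per line)
# Prints a.b.c.0/24 for every /24 holding at least <threshold> members and the
# individual addresses otherwise. The threshold is a heuristic; pick it so a
# handful of hits do not pull a whole /24 of unrelated hosts into the VPN.
aggregate_members() {
    awk -v t="$1" '
        {
            split($1, o, ".")
            p = o[1] "." o[2] "." o[3]
            n[p]++
            ips[p] = ips[p] " " $1
        }
        END {
            for (p in n) {
                if (n[p] >= t) {
                    print p ".0/24"
                } else {
                    m = split(ips[p], a, " ")
                    for (i = 1; i <= m; i++) print a[i]
                }
            }
        }' | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# rpdb_string <name> <threshold>   (stdin: members)
# Builds "<name1>0.0.0.0>DST>VPN<name2>..." numbered in sorted order.
rpdb_string() {
    aggregate_members "$2" \
        | awk -v name="$1" '{ printf "<%s%d>0.0.0.0>%s>VPN", name, NR, $1 } END { print "" }'
}

# rpdb_report <name> <vpn_instance> <threshold>   (stdin: members)
# Prints the nvram command plus slot and byte usage; returns 1 when there are
# no members or the entry count exceeds the 100 slots available.
rpdb_report() {
    s=$(rpdb_string "$1" "$3")
    [ -n "$s" ] || { echo "no members supplied" >&2; return 1; }
    slots=$(printf '%s' "$s" | awk -F'>VPN' '{ print NF - 1 }')
    echo "nvram set vpn_client${2}_client=\"$s\""
    echo "Slots used: $slots of 100, NVRAM bytes: ${#s}"
    [ "$slots" -le 100 ]
}

# Stand-alone demo: route the sample via VPN Client 2, collapsing /24s with 3+ hits
[ "${1:-}" = "demo" ] && printf '%s\n' "$SAMPLE_MEMBERS" | rpdb_report NetflixUSA 2 3
```

Run it with `demo` as the only argument to see the report for the sample. On the router, `ipset -L NetflixUSA | grep -E '^[0-9]'` yields the real member list to pipe into `rpdb_report`; the byte figure it prints is computed the same way as the "Expected NVRAM usage" line above (the existing `<Dummy2>172.0.0.2>0.0.0.0>VPN` entry comes to 29 bytes under that count).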
 

Thanks...how do I do this :)
 

RTFM ? :p

Example for '*netflix.com' tracking to IPSET 'Netflix'

Commands:

Code:
ipset -N Netflix iphash

echo "ipset=/netflix.com/Netflix" >>/jffs/configs/dnsmasq.conf.add
service restart_dnsmasq

nslookup netflix.com

ipset -L Netflix

Explanation.....

Step 1. Create the IPSET...NOTE: ipset v4 syntax (as shown) should still work for ipset v6 which is now available on ARM routers using firmware 380.63

Code:
admin@RT-AC68U:/tmp/home/root# ipset -N Netflix iphash

....check if it is created

admin@RT-AC68U:/tmp/home/root# ipset -L Netflix
Name: Netflix
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8248
References: 0
Members:

Step 2. Configure dnsmasq (/jffs/configs/dnsmasq.conf.add) with 'ipset=' directives (use editor of choice nano/vi/WinSCP/notepad++ etc. ) or for a quick'n'dirty addition via the command line...

Code:
admin@RT-AC68U:/tmp/home/root# echo "ipset=/netflix.com/Netflix" >>/jffs/configs/dnsmasq.conf.add

...instruct dnsmasq to use the new config

admin@RT-AC68U:/tmp/home/root# service restart_dnsmasq

Step 3. Perform any action on a device to cause a DNS reference i.e. open target web page, ping etc.
Code:
admin@RT-AC68U:/tmp/home/root# nslookup netflix.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      netflix.com
Address 1: 38.130.79.37

Step 4. Check if the IPSET is populated with an IP address

Code:
admin@RT-AC68U:/tmp/home/root# ipset -L Netflix
Name: Netflix
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8264
References: 0
Members:
38.130.79.37

If you now periodically check the IPSET, hopefully it will be populated with additional IP addresses depending on the related activity.

By default, dnsmasq will use the DNS as configured on the router to resolve the IP addresses.

However, you can add a matching 'server=' (for the 'ipset=') directive to /jffs/configs/dnsmasq.conf.add

Code:
server=/netflix.com/xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is either a SmartDNS or preferably (if this is a concern, to prevent DNS leaks ) a DNS server exclusive to the VPN Client.

Unfortunately, my VPN supplied DNS are non-static 10.xxx.xxx.xxx addresses which change each time the VPN Client is started...

Code:
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.0.0.1            0.0.0.0/0            to:10.200.199.1
2        0     0 DNAT       all  --  *      *       168.0.0.1            0.0.0.0/0            to:10.200.199.1

Chain DNSVPN2 (6 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.0.0.2            0.0.0.0/0            to:10.200.192.1

so I need to use a script to dynamically modify the IPSET related 'server=' directives in /jffs/configs/dnsmasq.conf.add every time the VPN Client is started. :(

Finally, you should save the IPSETs at regular intervals (using a cru aka cron schedule), then you can restore the populated IPSETs from say firewall-start when the router is rebooted.

Regards,
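As an added example (not the poster's script and not part of Asuswrt-Merlin), here is one way to keep the `server=` directive in step with the VPN-pushed resolver described above: the current DNAT target is read from the DNSVPN chain listing, and the `server=/domain/...` line in `/jffs/configs/dnsmasq.conf.add` is rewritten (or appended) for that domain so the lookups that feed the ipset do not go to the WAN resolver. Hooking it to the VPN client start (for example from `/jffs/scripts/openvpn-event`, followed by `service restart_dnsmasq`) is assumed rather than shown; the sample chain output is copied from the post above, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread: keep the 'server=' directive that
# pairs with an 'ipset=' entry in /jffs/configs/dnsmasq.conf.add pointed at the
# DNS server the VPN client currently uses, so the lookups that populate the
# ipset do not leak to the WAN resolver. The current address is read from the
# DNSVPN chain output shown above. Calling this when the VPN client starts
# (e.g. from /jffs/scripts/openvpn-event) is assumed, not shown here.

# Constructed sample: the DNSVPN1 chain listing from the post above.
SAMPLE_DNSVPN1='Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.0.0.1            0.0.0.0/0            to:10.200.199.1
2        0     0 DNAT       all  --  *      *       168.0.0.1            0.0.0.0/0            to:10.200.199.1'

# vpn_dns_from_chain   (stdin: output of iptables -t nat -nvL DNSVPNn --line)
# Prints the DNAT target of the first rule, i.e. the resolver pushed by the VPN.
vpn_dns_from_chain() {
    awk '$4 == "DNAT" { sub(/^to:/, "", $NF); print $NF; exit }'
}

# set_domain_dns <conf_file> <domain> <dns_ip>
# Rewrites the 'server=/<domain>/...' line in <conf_file>, appending one if it
# is missing, and leaves the file untouched when it is already correct.
set_domain_dns() {
    conf=$1; domain=$2; dns=$3
    printf '%s' "$dns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad DNS address '$dns'" >&2; return 1; }
    want="server=/$domain/$dns"
    [ -f "$conf" ] || : > "$conf"
    # escape dots so the domain is matched literally by grep and sed
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if grep -qx "$want" "$conf"; then
        return 0                              # already current
    elif grep -q "^server=/$esc/" "$conf"; then
        tmp="$conf.tmp.$$"
        sed "s|^server=/$esc/.*|$want|" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf '%s\n' "$want" >> "$conf"
    fi
}

# Stand-alone demo on a scratch file (the real file is /jffs/configs/dnsmasq.conf.add)
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    printf 'ipset=/netflix.com/Netflix\nserver=/netflix.com/10.200.192.1\n' > "$f"
    dns=$(printf '%s\n' "$SAMPLE_DNSVPN1" | vpn_dns_from_chain)
    set_domain_dns "$f" netflix.com "$dns"
    cat "$f"                                  # server= now shows 10.200.199.1
    rm -f "$f"
fi
```

On the router the chain listing would come from `iptables -t nat -nvL DNSVPN1 --line` rather than the embedded sample, and dnsmasq only picks up the rewritten line after `service restart_dnsmasq`.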
 

Ah. . . I didn't realize dnsmasq service needed a bounce after I added the ipset config! Hence why I couldn't get any members! Doh.

The host I am resolving will only ever be on 1 IP address at any time, they don't use akamai or anything. . . Is there a way of instructing dnsmasq to just overwrite the IPSet with whatever IP it resolves at the run-time, instead of updating a cumulative list?

Thanks again,
Jon
 
Is there a way of instructing dnsmasq to just overwrite the IPSet with whatever IP it resolves at the run-time, instead of updating a cumulative list?

Ipset 'garbage collection' to remove expired/obsolete member entries isn't built-in but assumes the responsibility for maintaining valid entries is handled by the ipset creator? (I could invariably be wrong! :confused:)
So since dnsmasq didn't create the ipset (it only submits the timely ipset add request) it seems unreasonable for us to expect that it should perform any ipset member validation/maintenance?

I suppose the dumbest/most stupid way would be to run

Code:
ipset -F Netflix

say every minute! :eek:, but as I posted earlier, I used to use a script to convert the ipset member entries into appropriate RPDB NVRAM variables, so you could use a similar technique to only maintain one valid IP address - with or without ipset/dnsmasq!

However, in the ipset v6 man pages (whoops! I appear to have inadvertently followed my own RTFM advice! o_O) , there are now a couple of previously unavailable directives that, when used to initially create the ipset, may provide automated built-in functionality to limit the number of member entries in the ipset to a minimum as per your requirement - caveat emptor! ;)

Regards,
 
Thanks again. . . I will have a play this weekend as and when I get opportunity. ;)
 
I've got a VPN hooked up to my AC66U (latest Merlin firmware) and I want to route all traffic around the VPN except for traffic on a single port on a single machine (TCP 52751). Basically I just want a single program to run through the VPN. I tried to get a script working by searching various threads but I know next to nothing about coding or networking so I wasn't successful.

Any help would be appreciated :)
 
...AC66U (latest Merlin firmware) I want to route all traffic around the VPN except for traffic on a single port on a single machine (TCP 52751). Basically I just want a single program to run through the VPN.

You should always specify the actual firmware version as 'latest RMerlin firmware' means nothing - particularly for future readers!

For your question, the answer differs depending on the firmware version i.e. is it <380.63??

e.g. for Selective port (not 'program') routing via VPN Client 1...

SSH / Telnet to router and issue (cut'n'paste ...no scripting :p )

Code:
ip rule add fwmark 0x1000 table 111 prio 10001

iptables -t mangle -A PREROUTING -i br0 --src xxx.xxx.xxx.xxx -p tcp -m multiport --dport 52751 -j MARK --set-mark 0x1000/0x1000

then see if it works.

If successful then add the following commands to /jffs/scripts/nat-start (OK I lied a little bit about no scripting! ;) )
NOTE: The additional delete commands precede the add commands to ensure that duplicate rules are not created.

Code:
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 10002

iptables -t mangle -D PREROUTING -i br0 --src xxx.xxx.xxx.xxx -p tcp -m multiport --dport 52751 -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 --src xxx.xxx.xxx.xxx -p tcp -m multiport --dport 52751 -j MARK --set-mark 0x2000/0x2000

If not successful then post output from commands

Code:
ip rule

iptables -nvL PREROUTING -t mangle --line | grep br0


General syntax for routing multiple devices/ports via VPN Clients...

Code:
where y is the VPN Client instance (1 thru 5)

ip rule del fwmark 0xy000
ip rule add fwmark 0xy000 table 11y prio 1000y

iptables -t mangle -D PREROUTING -i br0 --src xxx.xxx.xxx.xxx,zzz.zzz.zzz.zzz -p tcp -m multiport --dport nn,pp  -j MARK --set-mark 0xy000/0xy000
iptables -t mangle -A PREROUTING -i br0 --src xxx.xxx.xxx.xxx,zzz.zzz.zzz.zzz -p tcp -m multiport --dport nn,pp  -j MARK --set-mark 0xy000/0xy000

NOTE: RMerlin could eliminate the need for you to manually issue the ip rule add command(s) by hardcoding all of them in vpnrouting.sh in much the same way as he recently 'sneaked' in the following crucial 'fwmark' compatible code into his script

Code:
# Unsure if necessary, but most policy-based routing scripts disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
      echo 0 > $i
done
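As an added example (not the poster's VPN_PortSelect.sh and not firmware code), the helper below applies the general syntax above mechanically: given the VPN Client instance, a comma-separated list of LAN sources and a multiport port list, it validates the inputs and prints the `ip rule` and `iptables` commands with the matching fwmark, table and priority, so they can be checked before being pasted into `/jffs/scripts/nat-start`. It assumes the LAN bridge is `br0` as elsewhere in the thread and uses multiport's documented `--dports` spelling.

```sh
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: print the RPDB
# and mangle commands for routing selected TCP ports from chosen LAN hosts via
# VPN Client y, following the convention shown above (fwmark 0xy000, table 11y,
# priority 1000y). Nothing is applied; review the output, then paste it into
# /jffs/scripts/nat-start. Assumes the LAN bridge is br0, as in the thread.

# vpn_port_rules <vpn_instance 1-5> <src_ip[,src_ip...]> <port[,port|,a:b...]>
vpn_port_rules() {
    y=$1; src=$2; ports=$3

    # only VPN Clients 1..5 exist; 0 (force via WAN) is not handled here
    case "$y" in
        [1-5]) ;;
        *) echo "VPN Client instance must be 1..5, got '$y'" >&2; return 1 ;;
    esac

    # each source must be a dotted quad (IPv4 LAN hosts are assumed)
    [ -n "$src" ] || { echo "no source address given" >&2; return 1; }
    for ip in $(printf '%s' "$src" | tr ',' ' '); do
        printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "bad source address '$ip'" >&2; return 1; }
    done

    # multiport syntax: port or port:port, comma separated (at most 15 ports,
    # a range counting as two)
    printf '%s' "$ports" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$' \
        || { echo "bad port list '$ports'" >&2; return 1; }

    mark="0x${y}000"
    match="-i br0 --src $src -p tcp -m multiport --dports $ports"

    # delete before add so that re-running nat-start does not duplicate rules
    echo "ip rule del fwmark $mark"
    echo "ip rule add fwmark $mark table 11$y prio 1000$y"
    echo "iptables -t mangle -D PREROUTING $match -j MARK --set-mark $mark/$mark"
    echo "iptables -t mangle -A PREROUTING $match -j MARK --set-mark $mark/$mark"
}

# Stand-alone use: ./vpn_port_rules.sh 2 192.168.1.5 52751
[ $# -eq 3 ] && vpn_port_rules "$@"
```

Because the mark is applied with the mask `0xy000/0xy000`, only that nibble is touched and the firmware's own marks (for example the `0x1/0x7` and `0x8000` rules in the PREROUTING listing earlier in the thread) are left intact; `ip rule` and `iptables -nvL PREROUTING -t mangle --line | grep br0` confirm what was actually installed.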
 
I'm running Merlin firmware 380.63_2 on an AC66U.

What I want to do is have a torrent client on my desktop run its traffic through the VPN and all other traffic on that machine and all other machines go through the WAN as normal. I assume the simplest way to do that would be to set the torrent client to a specific port (randomly chose 52571) and then route that port through the VPN but if there's an easier/better way I'm open to all suggestions.

You might need to hold my hand a bit here because like I said I know next to nothing about scripting or linux/unix and not much more about networking.
I've got WinSCP hooked up to the router but how do I run those commands? Just through the terminal option? Does it matter what directory I'm in at the time? And how do I know if they worked or not?

What else besides the routing code does the script need to work? #!/bin/sh at the start and ???
Do I need to save it as a .bash or something with notepad++?

I tried making a file called nat-start in /jffs/scripts/ containing:

Code:
#!/bin/sh

ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 10001

iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.5 -p tcp -m multiport --dport 52751 -j MARK --set-mark 01y000/0x1000
iptables -t mangle -A PREROUTING -i br0 --src 192.168.1.5 -p tcp -m multiport --dport 52751 -j MARK --set-mark 0x1000/0x1000

chmod a+rx /jffs/scripts/nat-start
(octal changed to 0777)

But that doesn't seem to work.

Thanks for all your help!
 
[howto] run those commands? Just through the terminal option?
Does it matter what directory I'm in at the time?
And how do I know if they worked or not?

1. Yes...assuming you are referring to WinSCP otherwise use PuTTY/XShell5 client etc.
2. No
3. Ever heard of error messages? :eek:
(You may also issue the display commands as provided in my original reply to check the commands rules were actually added.)


You really should read the Wiki

https://github.com/RMerl/asuswrt-merlin/wiki

Extract (re-edited) from the article https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing-(manual-method)
You will need to have SSH enabled on your router.

To enable SSH on Merlin do this:

Under “Advanced Settings” on the left bar click “Administration”.

Under “Miscellaneous” make sure these are set as follows:

Enable SSH - LAN Only (or LAN + WAN if you really need WAN access to SSH)

Allow SSH Port Forwarding - No

SSH service port - 22

Allow SSH access from WAN - No

Allow SSH password login - Yes

Enable SSH Brute Force Protection - No

After you made the changes hit apply.

STEP G:

Please read Final Notes before copying scripts to the router.

You are now ready to create scripts on the router:

Download winSCP

Install WinSCP then start it up.

To make a new connection fill in the fields as follows:
File Protocol – SCP (NOTE: MAKE SURE IT IS SET TO SCP)
Hostname: 192.168.xx.x replace x with values of your routers IP address
Username/Password: Whatever you use to login to the router Port 22

Save login settings and then hit Login.

This will log you into your router.


There will be two folder tree panes. On the right is your router's folder tree.

In the router folder tree, you need to go up to the /root folder, where you will see the /jffs folder under the root.
Double-click the /jffs folder, then double-click the /jffs/scripts folder.

(If you have created script using notepad++ on the local Windows machine - Navigate on the left folder tree and find the scripts you created....simply drag'n'drop the script to right folder tree.)

To create scripts directly on the router using the WinSCP editor.... Hit Shift+F4 to open a new script.

Once the file is created/copied, right click > Properties > Click the three 'eXecution' boxes or manually Change Octal to 0777

You may now test the script in the WinSCP terminal

Hit Ctrl-T

A command console window should open. You should now be able to test the script from within /jffs/scripts

Enter

Code:
cd /jffs/scripts
./scriptname

or for debugging

Code:
sh -x scriptname

A Reboot will be required to ensure the script is executed during the boot process
e.g. for nat start/firewall-start etc.
NOTE: Ensure you have selected 'Enable JFFS custom scripts and configs' on the Administration->System page.

Close WinSCP

Also cut'n'paste seems difficult? :oops:...there is a typo in your command implementation.

Code:
iptables -t mangle -D PREROUTING -i br0 --src 192.168.1.5 -p tcp -m multiport --dport 52751 -j MARK --set-mark 01y000/0x1000

If my simplistic solution doesn't work for you, then there are posts from far more knowledgeable gurus who have 'been there done that':

http://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-289502
who may assist further.

P.S. Now that you have clarified which 'program' you want to route via the VPN, I must state I don't use torrent software so sadly I will be unable to assist further.


Good luck
 
Fixing the typo seems to have made the script function properly. If I change the port to 80 then checking my IP through my browser shows the VPN IP. Perfect! Thanks for the help Martineau.

Unfortunately I must be misunderstanding how torrent programs use ports or something because setting the script and my torrent client to use the same port and then using an IP testing torrent to check the IP still shows my client broadcasting my regular IP to other clients. Not good!

I think I'll just have to call it a failed experiment and deal with the mild inconvenience of turning the VPN on when I want to torrent something and off when I want to play a game or whatever. Unless someone else can provide some insight :)
 
Fixing the typo seems to have made the script function properly. If I change the port to 80 then checking my IP through my browser shows the VPN IP.

Many thanks for the positive feedback :D

Does the torrent work if you add the torrent client (xxx.xxx.xxx.xxx dest 0.0.0.0 vpn) to the Policy routing on the GUI? i.e. everything goes via the VPN?

P.S. I find that for testing purposes, it is best to specify both port 80 and 443, particularly if you want a VPN end-point map as some of the geo-location aware URLs use https:// so when testing the port routing redirection it may appear that it doesn't work! :rolleyes:

I must get a life :( as I wrote a 400 line script to basically generate/delete the single VPN Port selection iptables command.

Code:
admin@RT-AC68U:/jffs/scripts# ./VPN_PortSelect.sh 1 hp-envy14 80,443

(VPN_PortSelect.sh): 14671 VPN Client Selective PORT routing.....[1 hp-envy14 80,443]
(VPN_PortSelect.sh): 14671 Selective Port 80,443 routing from 10.88.8.114 (HP-Envy14) via VPN Client 1 using fwmark 0x1000 now enabled.
 
        fwmark Rules
        ============
5        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN1Domains dst MARK or 0x1000
6        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN2Domains dst MARK or 0x2000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN0Domains dst MARK or 0x7000
8        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            multiport sports 5000:5001 MARK or 0x7000
9        0     0 MARK       tcp  --  br0    *       10.88.8.114          0.0.0.0/0            multiport dports 80,443 MARK or 0x1000


Code:
admin@RT-AC68U:/jffs/scripts# ./VPN_PortSelect.sh help

#=====================================================================================================================
# Selective PORT routing to VPN (or WAN if say a NAS is forced out via the VPN)
#
#   e.g.   VPN_PortSelect [ status | status full ] | [ help | -h ] | { 0 | 1 | 2 | 3 | 4 | 5 } { IP_Address_list | host_name_list | all } { port1[,port2] } [ src | dst | del ] [ del ]
#
#          VPN_PortSelect 2 hp-envy14 80,443  
#                       Ports 80 and 443 for the HP-Envy14 device will be routed via VPN Client 2
#                       Check using http://whatismyipaddress.com/ or other geo-location aware checker
#          VPN_PortSelect 2 hp-envy14 80,443 del  
#                       Ports 80 and 443 for the HP-Envy14 device will be no longer be routed via VPN Client 2
#          VPN_PortSelect 2 hp-envy13,hpenvy14 !80,443  
#                       ALL Ports except ports 80 and 443 for both the HP-Envy13 and HP-Envy14 devices will be routed via VPN Client 2
#          VPN_PortSelect 2 10.88.8.66 22,9001:9005  
#                       Ports 22 and 9001 thru 9005 for the 10.88.8.66 device will be routed via VPN Client 2
#          VPN_PortSelect 0 all 80,443
#                       Ports 80 and 443 for all devices will be routed via WAN
#                       (Assumes that ALL traffic is via the VPN!!!)
#          VPN_PortSelect 0 all 5000,5001 src
#                       Ports 5000 and 5001 will be routed IN via WAN assuming Port Forwarding is also configured!
#                       (Assumes that ALL outbound traffic from the NAS is via the VPN!!!)
#          VPN_PortSelect 1 cameras 80,8080
#                       Ports 80 and 8080 for the 'cameras' device group will be routed via VPN Client 1
#                       (Assumes /jffs/configs/IPGroups exists with valid pair entry - Uppercase text!)
#                                    e.g. CAMERAS   10.88.8.11:10.88.8.13
#                                         or
#                                         PHONES   10.88.8.156,10.88.8.172
#
#

# https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing
 
Guys I have a question for which I've looked for an answer for a while.. I live in the US and use PIA as my VPN provider.

I use transmission via entware on my RT-AC66U. Hence currently I had EVERYTHING going through my VPN client.

Now since I also use Netflix on various devices, Netflix has stopped working as it detects a VPN (on any/all devices).

How do I let Netflix bypass the VPN while keeping all else going through the VPN? Is there a way to enable that? I tried using policy rules to let certain devices bypass the VPN completely, but I suspect by using policy rules I've somehow stopped transmission from going through the VPN as well?

A bit of a necroreply here, but I didn't see a response to your post and I've been struggling with this lately. It requires an inversion of the normal "everything out the WAN" logic, so I haven't found a way to ditch the mangle tables for the GUI RPDB / ip rule method, though I think the answer is back around post 300-310. I'm in the US, don't trust my ISP, but need my stories, so it's a complete inversion of why most people use VPNs I suspect.

I think the real solution is in Martineau's Netflix scripts above, but I've had some success doing it the old-school mangle way:

Code:
#!/bin/sh

sleep 2
touch /tmp/000wanstarted

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

# PIA VPN
# Delete table 100's default route and flush any existing rules if they exist.

ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING
     
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".

ip route show table main | grep -Ev ^default | grep -Ev tun11 \
   | while read ROUTE ; do
       ip route add table 100 $ROUTE
   done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache
               
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
               
#  All LAN traffic routes via the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 0
                   
# WAN Exceptions
# WDLive IP bypasses the PIA VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.11.204 -j MARK --set-mark 1
# Work laptop 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.11.37 -j MARK --set-mark 1
# Work laptop 2
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.11.208 -j MARK --set-mark 1
# Cloud-enabled Printer
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.11.161 -j MARK --set-mark 1

# Netflix (handcrafted from http://ipinfo.io/AS2906)
iptables -t mangle -A PREROUTING -i br0 -d 23.246.0.0/18 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.2.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.3.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.4.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.5.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.6.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.7.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.8.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.9.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.12.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.13.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.14.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.15.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.16.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.17.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.20.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.21.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.22.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.23.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.24.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.25.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.26.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.27.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.28.0/22 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.28.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.29.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.30.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.31.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.36.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.37.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.38.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.39.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.42.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.44.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.45.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.46.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.47.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.48.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.49.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.50.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.51.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.54.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.55.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.56.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.57.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.58.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 23.246.59.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.184.0/21 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.186.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.187.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.188.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.189.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.190.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 37.77.191.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.0.0/17 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.0.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.1.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.2.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.3.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.4.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.5.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.6.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.7.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.10.0/23 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.10.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.12.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.13.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.14.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.15.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.16.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.17.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.18.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.19.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.20.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.21.0/24 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -d 45.57.22.0/24 -j MARK --set-mark 1

[...several dozen more lines deleted...]

exit 0

Ugly? Check. Slow? Check. Unreliable? Check. Needs manual updates? Yep. I need the DPI engine too? Well, forget about it. It's time to convert this mess over to RPDB, so I'll tackle that this weekend by trying to understand the last few pages.
 
I am also trying to pass Netflix through the WAN and use my VPN for basically everything else.

I set the policy rules under the VPN to determine which devices should pass through the VPN.

Added this to the dnsmasq.config and restarted dnsmasq... ipset=/whatsmyip.org/netflix.com/nflxext.com/nflximg.com/nflxvideo.net/amazonaws.com/NETFLIX

Installed the xt_set.ko module.

Then ran the following based on items I saw previously in this thread....

Code:
ipset -N NETFLIX hash:ip
TAG_MARK=8
ip rule del fwmark $TAG_MARK 2> /dev/null > /dev/null
ip rule add fwmark $TAG_MARK table main prio 1100
ip route flush cache
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK

This seems to work great on my PC. I test it by going to whatsmyip.org and getting my WAN IP and going to ipchicken.com and getting my VPN IP. I can watch Netflix with no issues on my PC. There are some timing issues when I add it to a script. Sometimes it works, sometimes it doesn't... I think I can figure this part out.

The main problem I am having is that on Android, the device is using hardcoded DNS and passing IPs to the router. It is not passing domain names so they are not getting tagged. I tried adding static IPs for google DNS under the LAN router tab. When I did this, Netflix times out.
8.8.4.4/255.255.255.255/192.168.1.1/Metric = 2/LAN
8.8.8.8/255.255.255.255/192.168.1.1/Metric = 2/LAN

I then tried to enter DNS in both the LAN and WAN tabs at separate times (not together). When I did this, Netflix still times out.

Any thoughts on what I might be doing wrong? I am very new at this. Just been doing a lot of reading and a lot of it is going over my head.

Edit:
RT-AC68U 380_63_2

Also, I noticed under statistics that the router can detect what app is being used. Tells me how much traffic is routed through the Netflix app. Is there any way to route to WAN by application?

Edit 2:

Unchecked these 2 items in Lan DHCP tab and put the dns entries in wan and it's been working for a few hours. I'm curious if it will keep working.

Advertise router's IP in addition to user-specified DNS
Forward local domain queries to upstream DNS
 
TAG_MARK=8
ip rule add fwmark $TAG_MARK table main prio 1100
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK

It is advisable that you stay away from 'reserved' fwmarks already in use by the firmware, and it is probably best to preserve existing fwmarks when adding custom tagging, so I suggest you use the following code to tag/selectively route the NETFLIX ipset.

Code:
TAG_MARK=0x7000
ip rule add fwmark $TAG_MARK table main prio 9990
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK/$TAG_MARK



Is there any way to route to WAN by application?

Internet applications invariably use a particular resource i.e. a port to create an application socket.

So if you know all of the ports used by the application (tcpdump packet monitoring?), then as you can selectively route the ports, in theory this is effectively routing the application.

However, suppose you want to selectively route applications:

Firefox to VPN Client 1
Chrome to WAN

As both of these browsers use port 80 (by default), doing that with 'basic' iptables is difficult but not impossible when using iptables on say a Raspberry Pi/Android etc., but I think not on a router?; despite '-m string BrowserUserAgent'/conntrack usage?
(I'm sure someone will jump in to prove me wrong! :p )
 
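What the VALUE/MASK notation in the post above actually computes, as an added example (not code from the thread): the same arithmetic iptables and the RPDB apply to the 32-bit fwmark, run with the thread's marks 8 and 0x7000. The pre-existing bit 0x8000 is a constructed value standing in for "some other feature already marked this packet".

```shell
#!/bin/sh
# Added example, not code from the thread: what "--set-mark VALUE/MASK" and
# "fwmark VALUE/MASK" compute on the 32-bit fwmark, using the marks discussed
# above (8 and 0x7000). Pure shell arithmetic, touches no router state.

# iptables -j MARK --set-mark VALUE/MASK replaces only the bits inside MASK:
#   new = (old & ~MASK) | (VALUE & MASK)
# A bare --set-mark VALUE is the same thing with MASK = 0xffffffff.
set_mark() {        # $1 = current mark, $2 = VALUE, $3 = MASK; prints new mark
    printf '0x%x\n' $(( ($1 & ~$3) | ($2 & $3) ))
}

# ip rule ... fwmark VALUE/MASK selects a packet when (mark & MASK) == (VALUE & MASK).
# A bare "fwmark VALUE" compares all 32 bits.
fwmark_matches() {  # $1 = packet mark, $2 = VALUE, $3 = MASK; exit 0 on match
    [ $(( $1 & $3 )) -eq $(( $2 & $3 )) ]
}

# Constructed scenario: some other firmware feature has already put its own
# bit, 0x8000 (a hypothetical value), on the packet before our rule runs.
OTHER_BIT=0x8000

# The first attempt in the thread, --set-mark 8, overwrites every bit:
after_plain=$(set_mark $OTHER_BIT 8 0xffffffff)        # 0x8    -> 0x8000 is gone

# The suggested --set-mark 0x7000/0x7000 only writes bits 12-14:
after_masked=$(set_mark $OTHER_BIT 0x7000 0x7000)      # 0xf000 -> 0x8000 survives

# Clearing our bits later with --set-mark 0/0x7000 also leaves the other bit alone:
cleared=$(set_mark $after_masked 0 0x7000)             # 0x8000

# Which RPDB rule then sees the masked packet? An exact "fwmark 0x7000" compares
# all 32 bits and misses 0xf000; "fwmark 0x7000/0x7000" matches it. So if other
# bits can be present, mask the ip rule as well (a choice made in this example).
echo "plain:   $after_plain"
echo "masked:  $after_masked"
echo "cleared: $cleared"
if fwmark_matches $after_masked 0x7000 0xffffffff; then
    echo "exact rule matches $after_masked"
else
    echo "exact rule misses $after_masked"
fi
fwmark_matches $after_masked 0x7000 0x7000 && echo "masked rule matches $after_masked"
```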
Thanks Martineau.

I believe most of the code that I found came from you. I didn't understand what I was doing enough to realize that it was reserved and shouldn't be used. I actually thought you had said you should use the reserved tables to make it easier or something. Like I said, I am totally new to this.

Just curious what does this do differently? $TAG_MARK/$TAG_MARK
Is that what you mean by preserving existing fwmarks or are you referring to removing the ip rule del fwmark line? I figure that del line doesn't do anything since it happens on reboot either way.

I was hoping there was some command like ip route <application> to WAN. lol. Since it is recognizing the application is Netflix coming from android. If I continue to have problems I will look into this tcpdump packet monitoring. For now, I will stick to the current method.

Thank you very much.
 
I actually thought you had said you should use the reserved tables to make it easier or something.

Reserved route tables 100,200 (Dual WAN) and 111-115 (VPN) are maintained by the firmware for Selective Routing, so it is (usually) no longer necessary for users to create a script to populate them - hence easier!

RPDB rules 10000-11000 (1000-2000 on firmware <380.63) are reserved and could be overwritten by the Selective VPN GUI interface.
Just curious what does this do differently? $TAG_MARK/$TAG_MARK
Is that what you mean by preserving existing fwmarks...

Yes
... or are you referring to removing the ip rule del fwmark line? I figure that del line doesn't do anything since it happens on reboot either way.

In an ideal world, once set, the Selective routing fwmark rules (when added to the -t mangle PREROUTING chain) would be permanent. Unfortunately if you have a TrendMicro enabled router, the DPI engine will arbitrarily flush the -t mangle PREROUTING chain, wiping out your Selective fwmark routing.
So you should put your custom commands in nat-start so that if the DPI (flush) engine runs, your custom commands will be reapplied.

- hence the del command is there to prevent duplicates.

(NOTE:I believe the DPI engine will randomly kick-in when required by TrendMicro (@02:00?) to perform its DB housekeeping i.e. it doesn't happen every day)

Code:
# Is the actual VPN client UP....vpn_clientX_state=2?, or is there a route to the VPN (dev tun1X)?, or does folder /etc/openvpn/clientX exist?
# If so then selective routing tagging will be broken until the '-t mangle PREROUTING' chain is reinstated for the VPN Client
VPN_LIST="1 2 3 4 5"
for VPNID in $VPN_LIST
   do
    VPNROUTE=`ip route show | grep -i "dev tun1"$VPNID`                        # Existing VPN Client Route?
    NVRAM_STATE=`nvram get vpn_client${VPNID}_state`                           # 0=Disconnected;1=Connecting,2=Connected
    [[ -d "/etc/openvpn/client${VPNID}" ]] && OPENVPN_DIR=1 || OPENVPN_DIR=0   # 1=Openvpn Client directory exists
 
    logger -st "($(basename $0))" $$ "Checking if VPN Client$VPNID is UP...."$VPNROUTE
 
    if [ ! -z "$VPNROUTE" ] || [ "$NVRAM_STATE" == "2" ] || [ "$OPENVPN_DIR" -eq 1 ];then
 
     logger -st "($(basename $0))" $$ "**Warning VPN Client$VPNID is UP.... bouncing VPN Client$VPNID...."
 
     # Use my custom script to ensure existing VPN routes are flushed
     #service restart_vpnclient$VPNID
     /jffs/scripts/VPN_Client_Switch.sh $VPNID "off"  # Destroy existing VPN route to prevent ERROR 'routing conflict' on VPN status page
     /jffs/scripts/VPN_Client_Switch.sh $VPNID "on"   # Invokes vpnrouting.sh to restore custom RPDB table 0x1000-0x70000 fwmark entries
 
     # To exploit inbound Openvpn server to outbound VPN client need to NAT the OpenVPN server networks....
     #... or just NAT everything and be done with it?!!!  ;-)
     iptables -t nat -D POSTROUTING -s $(nvram get vpn_server1_sn)/24 -o tun1$VPNID -j MASQUERADE 2> /dev/null > /dev/null
     iptables -t nat -A POSTROUTING -s $(nvram get vpn_server1_sn)/24 -o tun1$VPNID -j MASQUERADE
     logger -st "($(basename $0))" $$ "VPN server 1 " $(nvram get vpn_server1_sn)"/24 inserted in '-t nat POSTROUTING' chain"
    fi
   done

logger -st "($(basename $0))" $$ "Checking RPDB fwmark and '-t mangle PREROUTING' Selective WAN/VPN fwmarks....."

# Create the Selective PORT RPDB fwmark routing and IPSET fwmark -t mangle PREROUTING chain entries.....
/jffs/scripts/VPN_IPSETSelect.sh                     # IPSET e.g. WAN0 and VPN1,VPN2... etc.
/jffs/scripts/VPN_PortSelect.sh 2 HP-Envy14 80,443   # via VPN
/jffs/scripts/VPN_PortSelect.sh 0 all 5000:5001 src  # via WAN

echo " ";echo -e "\t\t\t\tmangle PREROUTING rule config";echo -e "\t\t\t\t============================="
iptables -nvL PREROUTING --line -t mangle | grep -E "0x[1-7]"

echo " ";echo -e "\tRPDB Rules";echo -e "\t=========="
ip rule

# Delete the locking semaphore file (LOCKFILE is set earlier in nat-start, outside this excerpt)
logger -st "($(basename $0))" $$ "nat-start UNLOCKED" `cat $LOCKFILE`

rm $LOCKFILE
 
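The nat-start re-apply described above, as an added example rather than Martineau's script: every rule is checked before it is added, so running it after each DPI flush repairs the mangle PREROUTING chain without accumulating duplicates. It assumes the NETFLIX ipset is filled by dnsmasq as in the earlier post, an iptables build that supports -C, and a hypothetical file name /jffs/scripts/netflix_bypass.sh.

```shell
#!/bin/sh
# Added example, not Martineau's nat-start: re-apply the NETFLIX ipset tagging
# idempotently, so a DPI-triggered flush of the '-t mangle PREROUTING' chain is
# repaired on every nat-start run without piling up duplicate rules.
# The binaries come from variables so a stub can stand in for them off-router.
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
IPSET="${IPSET:-ipset}"
TAG_MARK=0x7000     # keeps clear of the firmware's reserved fwmarks, as advised above
RULE_PRIO=9990      # outside the 10000-11000 range the VPN GUI may overwrite

# dnsmasq fills the set; we only make sure it exists. -L/-N are the old ipset
# syntax used in the thread and are still accepted by newer ipset builds.
ensure_ipset() {
    "$IPSET" -L "$1" >/dev/null 2>&1 || "$IPSET" -N "$1" hash:ip
}

# ip rule has no "check" operation, so delete-then-add (the thread's pattern)
# guarantees exactly one copy. The del fails harmlessly when nothing is there.
ensure_fwmark_rule() {
    "$IP" rule del fwmark "$TAG_MARK" table main prio "$RULE_PRIO" 2>/dev/null || true
    "$IP" rule add fwmark "$TAG_MARK" table main prio "$RULE_PRIO"
}

# iptables -C returns 0 when an identical rule already exists; append only if
# it does not. Assumes an iptables with -C (1.4.11 or later).
ensure_mangle_rule() {
    "$IPT" -t mangle -C PREROUTING "$@" 2>/dev/null && return 0
    "$IPT" -t mangle -A PREROUTING "$@"
}

apply_netflix_bypass() {
    ensure_ipset NETFLIX
    ensure_fwmark_rule
    # Masked set-mark: write only the 0x7000 bits, leave any other bits untouched.
    ensure_mangle_rule -m set --match-set NETFLIX dst \
        -j MARK --set-mark "$TAG_MARK/$TAG_MARK"
    "$IP" route flush cache
}

# From /jffs/scripts/nat-start (hypothetical path for this example):
#   sh /jffs/scripts/netflix_bypass.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_netflix_bypass
fi
```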
