Selective Routing with Asuswrt-Merlin

Martineau

Part of the Furniture
How I can route by VPN only abroad traffic, except home country traffic?
It is trivial to selectively route countries as you can use the same IPSET technique used for selectively routing specific domains such as Netflix.
i.e. Create the IPSET for the WAN
Code:
IPSET ViaWAN                 <- this IPSET group contains separate IPSETs e.g.
      IPSET Bermuda          <- this IPSET contains ALL of the Bermuda CIDR ranges
      IPSET Bahamas          <- this IPSET contains ALL of the Bahamas CIDR ranges
then, if the target IP is in any of the IPSETs in ViaWAN, it can be tagged to use the WAN interface; otherwise everything else would be routed via, say, VPN Client 1 etc.

NOTE: You could also create explicit country VPN IPSETs and explicitly tag them as required:
Code:
IPSET ViaVPN1                <- this IPSET group contains separate IPSETs e.g.
      IPSET Japan            <- this IPSET contains ALL of the Japan CIDR ranges
IPSET ViaVPN2                <- this IPSET group contains separate IPSETs e.g.
      IPSET Australia        <- this IPSET contains ALL of the Australia CIDR ranges

The main problem would be to correctly populate the IPSETs.
You could use the Country CIDR ranges provided by http://www.ipdeny.com/ as a starting point to initially setup the IPSET(s) and then fine-tune the entries by hand.

e.g. Suppose in this silly example I want to ensure I always use the Sony site in Japan...is the following correct? (I'm in the UK)
Code:
nslookup www.sony.co.jp

Name:      www.sony.co.jp
Address 1: 2a02:26f0:ec:48b::2542 g2a02-26f0-00ec-048b-0000-0000-0000-2542.deploy.static.akamaitechnologies.com
Address 2: 184.87.184.111 a184-87-184-111.deploy.static.akamaitechnologies.com

wget  -q -O - 'https://api.ipdata.co/184.87.184.111' | grep -E "country"
    "country_name": "Netherlands",
    "country_code": "NL",

Clearly whilst the URL may imply Japan, actually it is hosted in Europe!

So whilst the country routing RPDB/iptables rules are simple, ensuring that the country IPSET is correctly populated isn't quite so simple.
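As an added example (not code from the thread or from any of its posters), here is a POSIX shell script that builds the ViaWAN group described above from ipdeny-style zone files: each country becomes a hash:net set, ViaWAN is a list:set holding them, and a single mangle rule tags traffic to any member. The set names and sizes, the 0x7000 WAN mark and the sample ranges (RFC 5737 documentation blocks standing in for real country allocations) are assumptions; the filter that drops anything that is not an IPv4 address or CIDR is the part worth keeping, since one malformed line aborts ipset restore partway through.

```shell
#!/bin/sh
# Added example (not from the thread): turn ipdeny-style country zone files
# into an "ipset restore" stream: one hash:net set per country plus a
# list:set group (ViaWAN) that a single mangle rule can match.
# Set names, sizes and the sample ranges below are assumptions.

# Constructed zone files. Real ones come from
# http://www.ipdeny.com/ipblocks/data/countries/<cc>.zone (one CIDR per line).
# RFC 5737 documentation ranges stand in for real country allocations.
bermuda_zone='# bm.zone (constructed sample)
192.0.2.0/24
2001:db8::/32        # IPv6, not for an inet set
198.51.100.0/25
bogus line that must be dropped
'
bahamas_zone='# bs.zone (constructed sample)
203.0.113.0/24
198.51.100.128/25
'

# Emit restore lines for one country set. $1 = set name, zone file on stdin.
zone_to_restore() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$1"
    printf 'flush %s\n' "$1"
    # Strip comments and whitespace, keep only IPv4 addresses or CIDRs so a
    # malformed line cannot abort the restore halfway through.
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | sed "s/^/add $1 /"
}

# Emit the list:set group. $1 = group name, remaining args = member sets,
# which must have been created earlier in the same restore stream.
group_restore() {
    grp=$1
    shift
    printf 'create %s list:set size 16\n' "$grp"
    printf 'flush %s\n' "$grp"
    for member in "$@"; do
        printf 'add %s %s\n' "$grp" "$member"
    done
}

# The complete restore stream: country sets first, then the group.
build_viawan() {
    printf '%s' "$bermuda_zone" | zone_to_restore Bermuda
    printf '%s' "$bahamas_zone" | zone_to_restore Bahamas
    group_restore ViaWAN Bermuda Bahamas
}

# Mangle rule tagging any packet whose destination is in the group; the dst
# flag is passed through to every member set. Delete-then-add avoids stacking
# duplicates when the script is re-run.
viawan_mark_rule() {
    cat <<'EOF'
iptables -t mangle -D PREROUTING -i br0 -m set --match-set ViaWAN dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set ViaWAN dst -j MARK --set-mark 0x7000/0x7000
EOF
}

# "./viawan.sh apply" loads the sets (-! tolerates sets that already exist)
# and installs the rule; with no argument the stream is printed for review.
if [ "${1:-}" = "apply" ]; then
    build_viawan | ipset restore -!
    viawan_mark_rule | sh
else
    build_viawan
fi
```

Run it without arguments first and read the stream: every `add` line that survived the filter is exactly what ipset will load, and the `flush` after each `create` means a re-run replaces stale ranges rather than accumulating them.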
 

Xentrk

Part of the Furniture
@Martineau brings up a good point about list accuracy. From https://iplists.firehol.org/

Each time an ipset is updated we check it against the MaxMind GeoLite2 country, the IPDeny.com country, the IP2Location.com Lite country and the IPIP.net country databases, to find the list's unique IPs per country.

If you are going to install this IP list as a blocklist / blacklist at a firewall, it is important to know which countries will be mainly affected, since you are going to block access from/to these IPs.

All lists suffer from false positives to some degree, so using this IP list at your firewall might block some of your users or customers.
@Adamm is using the ipdeny.com list for country blocking in Skynet, the Asus Firewall Addition.
 

Adamm

Part of the Furniture

Fwiw while Martineau has a valid point, it was probably a bad example as the host isn't static (or maybe that makes it a great example :p). The website he listed is hosted on a CDN so he is being served content from a local server. But yes, just because a domain has a specific country's TLD, it doesn't mean the content is hosted there.
 

frustin

Occasional Visitor
RTFM ? :p
Finally, you should save the IPSETs at regular intervals (using a cru aka cron schedule), then you can restore the populated IPSETs from say firewall-start when the router is rebooted.

Please can you tell me how this would look?
 

Xentrk

Part of the Furniture
I also have some ipset scripts that I need to update to make them more efficient, such as restoring at boot rather than performing a lookup on the domain names and loading into the ipset list at boot time.

To save ipset rules to a file
ipset save > /jffs/config/ipset.list

To restore ipset rules
ipset restore -! < /jffs/config/ipset.list

To clean up IPs, you could have a script that runs daily during off hours. The script will destroy the current list, then update the list by performing nslookup on the domain names. There are some code samples buried in this thread on looping through the IPv4 addresses returned from an nslookup and loading them into the list.

Here is some sample code that performs a restore of the ipset lists.
https://www.centos.org/forums/viewtopic.php?t=47247

ipset performance
https://blog.n0dy.radio/2013/05/19/faster-ipset-loading/
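As an added example, not Xentrk's or Martineau's code, the save/restore cycle asked about above as one script: an atomic save that a cru job runs every few hours, and a restore that checks the dump is complete before firewall-start feeds it to ipset restore -!. The USB mount path, the interval and the cru job name are assumptions; the sample dump lines used to exercise the check are constructed in the same format ipset save writes.

```shell
#!/bin/sh
# Added example, not from the thread: periodic ipset save to the USB drive
# and a checked restore for firewall-start. The dump path, interval and cru
# job name are assumptions; change them to match your setup.
IPSET_DUMP=${IPSET_DUMP:-/tmp/mnt/usb/ipset.list}

# Save to a temp file and rename into place: the rename is atomic, so a reboot
# or power cut while writing never leaves a half-written ipset.list behind.
save_ipsets() {
    tmp="$IPSET_DUMP.tmp.$$"
    ipset save > "$tmp" && mv -f "$tmp" "$IPSET_DUMP"
}

# A dump is restorable when it is non-empty, creates at least one set, and
# every "add" names a set created earlier in the same file (ipset restore
# aborts at the first error, leaving every later set unpopulated).
validate_ipset_dump() {
    dump_file=$1
    [ -s "$dump_file" ] || return 1
    awk 'BEGIN { created = 0; bad = 0 }
         $1 == "create" { seen[$2] = 1; created++ }
         $1 == "add"    { if (!($2 in seen)) bad++ }
         END { exit (created > 0 && bad == 0) ? 0 : 1 }' "$dump_file"
}

# Restore only after validation; -! keeps restore from failing on sets that
# firewall-start or another script has already created.
restore_ipsets() {
    if validate_ipset_dump "$IPSET_DUMP"; then
        ipset restore -! < "$IPSET_DUMP"
    else
        logger -t ipset-restore "refusing to restore: $IPSET_DUMP missing, empty or inconsistent"
        return 1
    fi
}

# Register the save every 6 hours with cru, Asuswrt-Merlin's cron front end.
# Invoke this with the script's absolute path so $0 is usable from cron.
schedule_save() {
    cru a ipset_save "0 */6 * * * $0 save"
}

case "${1:-}" in
    save)     save_ipsets ;;
    restore)  restore_ipsets ;;
    schedule) schedule_save ;;
esac
```

Call `/jffs/scripts/ipset-save.sh schedule` once (from services-start, for instance) and `/jffs/scripts/ipset-save.sh restore` from firewall-start; the validation step is what turns a truncated file on the USB stick into a logged refusal instead of a silently half-loaded set.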
 

frustin

Occasional Visitor
thanks!

I've bought a USB flash drive to store the ipset.list, to avoid the constant writes to the router's flash.

what does the -! do in the restore?

Did you have any issue with using the VPN's DNS servers with Netflix? I read that adding server=/netflix.com/<your dns e.g. google> would solve this? I tried with my Dyn DNS server but it didn't work.
 

Xentrk

Part of the Furniture
You can use the -! or -exist flag. From the ipset man page:
-!, -exist
Ignore errors when exactly the same set is to be created or already added entry is added or missing entry is deleted.
Netflix does not care what DNS you use. They do block known VPN providers by detecting connections from the same source IP address. This flags the IP as a shared proxy or VPN server. You then get the proxy error in NF.

A service that offers a private streaming IP is the workaround. Please see my post here for more explanation. https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/
 

frustin

Occasional Visitor
NordVPN offers private IPs as a service, I might look at that if all else fails but it turns out that I have:
Code:
ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990
which is wrong. I need a routing table that points to the WAN/ISP as the default gateway.

I thought the reason I couldn't connect to Netflix was because I was using my VPN's DNS.
 

Martineau

Part of the Furniture
.....it turns out that i have:
Code:
ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990
which is wrong. I need a routing table that points to the WAN/ISP as the default gateway

The title of the thread is Selective Routing !!! :rolleyes:

So if you enable Selective Routing....

[screenshot: upload_2018-6-20_18-24-46.png, the VPN Client Selective Routing (policy rules) settings]


(adjusting for your LAN subnet if it isn't 192.168.1.1) then hit Apply.

The firmware will create separate routing tables for the appropriate VPN Client connection, and will leave table 'main (254)' untouched to allow the 0x7000 fwmark tagging via the WAN to work correctly:
e.g.
Code:
0x7000 - WAN
0x1000 - VPN Client #1
0x2000 - VPN Client #2
0x3000 - VPN Client #3
0x4000 - VPN Client #4
0x5000 - VPN Client #5
 

frustin

Occasional Visitor
thank you for the explanation!

I wasn't joining up the selective routing with the policy rules on the router.

May I ask how you know that the fwmarks are correct? e.g. 0x7000 == wan etc. Is it written somewhere?
 

Martineau

Part of the Furniture
thank you for the explanation!

I wasn't joining up the selective routing with the policy rules on the router.

No problem.

99% of users want to route either ALL LAN traffic via the VPN, or selectively route LAN devices/subnets to target IPs/subnets via the VPN (with ALL LAN traffic via the WAN by default).

You are in the 1% that wants a non-intuitive reverse solution - hence the need for the two explicit rules.;)

May I ask how you know that the fwmarks are correct?

I don't :eek:;)

e.g. 0x7000 == wan etc. is it written somewhere?

No
Asus reserved fwmarks are not fully documented/disclosed but developers @john9527 / @RMerlin picked their own, so I chose these fwmarks, and although not a formal standard, I see other script writers have adopted my numbering scheme.

Whilst these informal fwmarks have successfully worked for years, clearly Broadcom/Asus may decide to use these fwmarks for their own purposes in the future, and the Selective Routing of IPSets, Ports and MACs that rely on these unofficial fwmarks will fail. :oops:

However you are free to choose your own, providing they do not conflict with current/future reserved fwmarks.
 

frustin

Occasional Visitor
To be clear, I do want to route all traffic to the VPN, and only by exception route via WAN e.g. netflix/amazon.

It's sort of working. When VPN (Client #1) is enabled I can now browse to netflix.com and amazon.co.uk (Prime) and can look at the film listings, but I can't play the films. It still says I'm using a proxy for netflix.com while Amazon.co.uk (UK Prime) does work.

Looks like Netflix blocks the UK NordVPN address ranges.
 

Xentrk

Part of the Furniture
Change the setting to route all traffic over the tunnel and try NF again. If you get the proxy error, then it will confirm that your provider does not work with NF.

If it does work, then it points to an issue with your selective routing script.

More info about Netflix in this thread that may be of help.

https://www.snbforums.com/threads/selective-routing-for-netflix.42661/
 

zperetz

New Around Here
Hi, I've finally lost hope of solving by myself the issue with my RT-AC68U running 384.7-0, and can't get ipset routing working.

I'm trying to have selective routing over VPN just on the basis of an ipset with a number of IPs. However, even this simple task has no solution for me for the moment.

I live in 192.168.1.0/24, my VPN Client2 setup:



...and I'm trying to use a modified script from this thread:
Code:
[email protected]:/jffs/scripts# cat vpn-route-nat
#!/bin/sh

# short delay before touching the rules
sleep 5

logger -t "($(basename "$0"))" $$ "Starting vpn-route-nat... $0${*:+ $*}."

# Trace every command while debugging; comment this out once the rules work
# (a bare -o, as in the trace output below, only prints the shell option list)
set -x

# set holding the router's own LAN address
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# ipset VPNTEST is created outside and checked

# WAN ip rule
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

# VPN Client 2 ip rule
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table ovpnc2 prio 9991

ip route flush cache

###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000

logger -t "($(basename "$0"))" $$ "Ending vpn-route-nat... $0${*:+ $*}."

OK, let's start from scratch - VPN is down. Check ipset, routing rules and mangle table. Traceroute shows the normal way over my ISP:
Code:
ASUSWRT-Merlin RT-AC68U 384.7-0 Sun Oct  7 16:42:19 UTC 2018
[email protected]:/jffs/scripts# ipset list VPNTEST
Name: VPNTEST
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 262144
Size in memory: 428
References: 0
Number of entries: 2
Members:
103.216.218.144
195.82.146.214
[email protected]:/jffs/scripts# ipset test VPNTEST 103.216.218.144
103.216.218.144 is in set VPNTEST.
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  6.324 ms  4.531 ms  13.241 ms
 2^C
[email protected]:/jffs/scripts# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
[email protected]:/jffs/scripts# ip route show table ovpnc2
[email protected]:/jffs/scripts# iptables -t mangle -vnL PREROUTING
Chain PREROUTING (policy ACCEPT 4651K packets, 3407M bytes)
 pkts bytes target     prot opt in     out     source               destination
[email protected]:/jffs/scripts#

Starting VPN on Client 2 and testing if it works (all tests are done with ip from VPNTEST):
Code:
[email protected]:/jffs/scripts# service start_vpnclient2

Done.
[email protected]:/jffs/scripts# ifconfig tun12
tun12     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:213 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:120468 (117.6 KiB)
[email protected]:/jffs/scripts# ip route show table ovpnc2
107.173.80.33 via 95.220.192.1 dev eth0
95.220.192.1 dev eth0  proto kernel  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
10.8.0.0/24 dev tun12  proto kernel  scope link  src 10.8.0.2
95.220.192.0/19 dev eth0  proto kernel  scope link  src 95.220.207.238
127.0.0.0/8 dev lo  scope link
0.0.0.0/1 via 10.8.0.1 dev tun12
128.0.0.0/1 via 10.8.0.1 dev tun12
default via 95.220.192.1 dev eth0
[email protected]:/jffs/scripts# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  3.062 ms  5.708 ms  19.245 ms
 2  *^C
[email protected]:/jffs/scripts# ip route add 103.216.218.144 dev tun12
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  10.8.0.1 (10.8.0.1)  138.710 ms  138.701 ms  138.344 ms
 2  107-175-92-130-host.colocrossing.com (107.175.92.130)  138.450 ms  138.589 ms  140.468 ms
 3  10.8.28.85 (10.8.28.85)  139.191 ms  10.8.21.101 (10.8.21.101)  139.137 ms  10.8.28.85 (10.8.28.85)  139.198 ms
 4  10.8.12.33 (10.8.12.33)  138.868 ms  10.8.12.21 (10.8.12.21)  159.795 ms  10.8.12.33 (10.8.12.33)  170.771 ms
 5  10.8.25.141 (10.8.25.141)  138.635 ms  10.8.24.73 (10.8.24.73)  138.914 ms  10.8.25.141 (10.8.25.141)  139.010 ms
 6  78.152.61.30 (78.152.61.30)  138.974 ms^C
[email protected]:/jffs/scripts# ip route del 103.216.218.144 dev tun12
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  3.062 ms  5.708 ms  19.245 ms
 2  *^C

So, everything is checked and works just fine. Time to apply the script manually (before, I tried it in nat-start) and see that ipset based routing is not working:
Code:
[email protected]:/jffs/scripts# ./vpn-route-nat
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Set cannot be created: set with the same name already exists
+ nvram get lan_ipaddr
+ ipset add LAN_GW 192.168.1.1
ipset v6.32: Element cannot be added to the set: it's already added
+ ip rule del fwmark 0x7000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x7000 table 254 prio 9990
+ ip rule del fwmark 0x2000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat
+ logger -t (vpn-route-nat) 25729 Ending vpn-route-nat... ./vpn-route-nat.
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.185 ms  1.194 ms  1.230 ms
 2^C

Soooo, nothing. No ipset routing, just the standard rules are applied.
A few checks to see that the script applied the rules:
Code:
[email protected]:/jffs/scripts# ip rule
0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x2000 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default
[email protected]:/jffs/scripts# iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 477K packets, 344M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
    0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPNTEST dst,dst MARK or 0x2000

Dear Masters of selective routing on WRT Merlin, any of your ideas would be very welcome. Thank you in advance!
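Added example, not from the thread: the listing above shows both MARK rules installed but at 0 packets, which is the signature of a rule that is never on the path of the test traffic rather than a rule that is wrong. The script below parses such a listing (a constructed copy of the one above, with one hit rule added) to flag zero-counter MARK rules, and explains which test traffic each cannot see: packets generated on the router itself (a traceroute or ping from its shell) traverse the OUTPUT chain, never PREROUTING, and a -p tcp rule never sees the UDP/ICMP probes those tools send, so the meaningful check is a TCP connection from a LAN client.

```shell
#!/bin/sh
# Added example, not from the thread: read "iptables -t mangle -nvL PREROUTING"
# output and report MARK rules that have never matched, then explain what kind
# of test traffic such a rule cannot see.

# Constructed listing in the same layout as the thread's output; the VPNTEST
# counters and the third rule are made up to show one rule that is being hit.
sample_listing='Chain PREROUTING (policy ACCEPT 477K packets, 344M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LAN_GW src,dst MARK or 0x7000
  812 61234 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPNTEST dst MARK or 0x2000
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ViaWAN dst MARK or 0x7000'

# Read a listing on stdin; print "<set> <mark>" for each MARK rule whose
# packet counter is zero.
unhit_mark_rules() {
    awk '$3 == "MARK" && $1 == 0 {
            set = "?"
            for (i = 1; i <= NF; i++) if ($i == "match-set") set = $(i + 1)
            print set, $NF
         }'
}

# Given one rule line and where the test traffic originates ("router" for a
# traceroute/ping run from the router shell, "lan" for a LAN client), list
# the reasons that traffic would bypass the rule.
why_unhit() {
    rule_line=$1
    origin=$2
    prot=$(printf '%s\n' "$rule_line" | awk '{ print $4 }')
    reasons=""
    # Locally generated packets traverse OUTPUT, never PREROUTING, so nothing
    # sent from the router's own shell can be tagged by this rule.
    if [ "$origin" = "router" ]; then
        reasons="${reasons}router-originated traffic goes through OUTPUT, not PREROUTING; test from a LAN client. "
    fi
    # A "-p tcp" rule ignores the UDP/ICMP probes that traceroute and ping send.
    if [ "$prot" = "tcp" ]; then
        reasons="${reasons}only TCP is tagged, UDP/ICMP probes are not; test with a TCP connection. "
    fi
    printf '%s\n' "${reasons:-no protocol or chain reason; check the set contents with ipset test}"
}

# Stand-alone run: report the never-hit rules in the constructed listing.
printf '%s\n' "$sample_listing" | unhit_mark_rules
```

On a live router replace the constructed listing with `iptables -t mangle -nvL PREROUTING | unhit_mark_rules`; a rule that stays at zero after a TCP connection from a LAN client to an address that `ipset test` confirms is in the set is the point at which the set match itself (the xt_set module) becomes the suspect.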
 

Xentrk

Part of the Furniture
From a glance, I see you are missing the bitmask when creating the fwmark. Syntax is fwmark/bitmask e.g. 0x7000/0x7000

I fixed it in the code snip below
Code:
# WAN ip rule
ip rule del fwmark 0x7000/0x7000
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990

# VPN Client 2 ip rule
ip rule del fwmark 0x2000/0x2000
ip rule add fwmark 0x2000/0x2000 table ovpnc2 prio 9991

ip route flush cache

###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
This should be of help to you. Two different selective routing methods are used on the GitHub repo: https://github.com/Xentrk/netflix-vpn-bypass
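An added example (not Martineau's or Xentrk's script) tying together the fwmark table given earlier in the thread and the mark/mask point in this post: a generator that emits the ip rule and iptables lines for routing an ipset via the WAN or any VPN client, always writing the mark with its mask so the kernel compares only the bits the MARK target set. The table names ovpnc1..ovpnc5 and main and the 0xN000/0x7000 marks are those given in the thread; the 9990+N priorities, the script name and the apply mode are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's script): generate the RPDB and mangle rules
# for the informal fwmark scheme, always written as mark/mask. Table names
# ovpnc1..5 are the firmware's VPN client tables and "main" is the WAN table;
# the priority numbering (9990 for WAN, 9990+N for client N) is an assumption.

# Map a target ("wan" or a client number 1..5) to "<fwmark> <table>".
fwmark_for() {
    case "$1" in
        wan|WAN) echo "0x7000 main" ;;
        [1-5])   echo "0x${1}000 ovpnc$1" ;;
        *)       return 1 ;;
    esac
}

# Print the commands that tag packets whose destination is in ipset $1 and
# route them via target $2. Every rule is deleted before it is added so a
# re-run (nat-start can fire on every NAT restart) never stacks duplicates.
route_set_via() {
    set_name=$1
    target=$2
    pair=$(fwmark_for "$target") || { echo "unknown target: $target" >&2; return 1; }
    mark=${pair%% *}
    table=${pair##* }
    case "$target" in
        wan|WAN) prio=9990 ;;
        *)       prio=$((9990 + $target)) ;;
    esac
    cat <<EOF
ip rule del fwmark $mark/$mark table $table prio $prio 2>/dev/null
ip rule add fwmark $mark/$mark table $table prio $prio
iptables -t mangle -D PREROUTING -i br0 -m set --match-set $set_name dst -j MARK --set-mark $mark/$mark 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set $set_name dst -j MARK --set-mark $mark/$mark
EOF
}

# Usage: ./route-set.sh SET TARGET        (print the commands)
#        ./route-set.sh SET TARGET apply  (run them, then flush the route cache)
if [ $# -ge 2 ]; then
    if [ "${3:-}" = "apply" ]; then
        route_set_via "$1" "$2" | sh && ip route flush cache
    else
        route_set_via "$1" "$2"
    fi
fi
```

All generated priorities sit below 32766, so the fwmark rules are consulted before the `main` table, and every `del` is sent to /dev/null because a missing rule on the first run is expected, not an error.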
 

zperetz

New Around Here
Xentrk, thank you for trying to help.
Change of fwmark doesn't help:
Code:
[email protected]:/jffs/scripts# ./vpn-route-nat
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset v6.32: Set cannot be created: set with the same name already exists
+ nvram get lan_ipaddr
+ ipset add LAN_GW 192.168.1.1
ipset v6.32: Element cannot be added to the set: it's already added
+ ip rule del fwmark 0x7000/0x7000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst,dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat
+ logger -t (vpn-route-nat) 5594 Ending vpn-route-nat... ./vpn-route-nat.
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.597 ms  2.769 ms  2.246 ms
 2  *^C

I didn't get what the 2 different methods are, actually. But thank you for the link; I understood that there's no need to have additional WAN rules if they are OK. So I've simplified the script:
Code:
[email protected]:/jffs/scripts# cat vpn-route-nat-v2
#!/bin/sh

# short delay before touching the rules
sleep 5

logger -t "($(basename "$0"))" $$ "Starting vpn-route-nat... $0${*:+ $*}."

# Trace every command while debugging; comment this out once the rules work
# (a bare -o, as in the trace output below, only prints the shell option list)
set -x

# vpn-whitelist is extracted in firewall-start
# test VPNTEST to check routing is created

# VPN Client 2 ip rule (fwmark/mask)
FWMARK_OVPNC2="0x2000/0x2000"

ip rule del fwmark "$FWMARK_OVPNC2"
ip rule add from 0/0 fwmark "$FWMARK_OVPNC2" table ovpnc2 prio 9991

ip route flush cache

# LAN to VPN Client 2 ip's
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark "$FWMARK_OVPNC2"

logger -t "($(basename "$0"))" $$ "Ending vpn-route-nat... $0${*:+ $*}."

And you know what? Nothing has changed :(

Code:
[email protected]:/jffs/scripts# ./vpn-route-nat-v2
errexit         off
noglob          off
ignoreeof       off
interactive     off
monitor         off
noexec          off
stdin           off
xtrace          on
verbose         off
noclobber       off
allexport       off
notify          off
nounset         off
vi              off
pipefail        off
+ FWMARK_OVPNC2=0x2000/0x2000
+ ip rule del fwmark 0x2000/0x2000
RTNETLINK answers: No such file or directory
+ ip rule add from 0/0 fwmark 0x2000/0x2000 table ovpnc2 prio 9991
+ ip route flush cache
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set VPNTEST dst -j MARK --set-mark 0x2000/0x2000
+ basename ./vpn-route-nat-v2
+ logger -t (vpn-route-nat-v2) 6809 Ending vpn-route-nat... ./vpn-route-nat-v2.
[email protected]:/jffs/scripts# traceroute 103.216.218.144
traceroute to 103.216.218.144 (103.216.218.144), 30 hops max, 38 byte packets
 1  msk-b21-m14.ti.ru (212.1.254.230)  1.368 ms  1.195 ms  1.202 ms
 2  *  *^C

I really can't get the source of the issue :(
 

Xentrk

Part of the Furniture
I see the error message: iptables: No chain/target/match by that name.
Other AC68U users have reported the same issue when trying selective routing. I did a search and found one user added modprobe xt_set.ko and that fixed his issues. https://www.snbforums.com/threads/n...s-ipset-in-ac68u-v380-66_4.39600/#post-330072
 
