Using ipset to selectively route domains to a VPN client?

This is possibly an interesting find. When I do iptables --list, the following is one of the entries:

Code:
Chain PREROUTING (0 references)
target     prot opt source               destination
 
Code:
ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0
But did the command actually physically add the rule to the PREROUTING Chain, or did it fail?

Can you issue (to see the libiptc)
Code:
iptables --verbose -t mangle -vL PREROUTING

The only way I seem to be able to replicate a similar failure is with this command:
Code:
iptables --verbose -t mangle -A PREROUTING -j TRACE
This shows that the '-j TRACE' request syntax is understood as a valid target by my version of iptables, but the TRACE module isn't actually loaded/supported.
i.e. issue
Code:
iptables -j TRACE -h
and the very last line describes the 'TRACE' directive usage.

However, this doesn't bode well, assuming this hypothesis is valid, as it would imply that the '-j MARK' target module also isn't loaded/supported on your RT-AC5300? :eek:
i.e. issue
Code:
iptables -j MARK -h
and similarly the last lines show the '-j MARK' directive usage.

I know it's a cliché, but all I can now suggest is that you backup your configuration either using the GUI or @john9527's utility, then wipe/reset your RT-AC5300 to factory default, and without customising any options except for SSH access, try and create any '-t mangle' PREROUTING Chain rules. :(

NOTE: There should be no need to manually explicitly create the '-t mangle PREROUTING' chain!
 
Apparently there are previous reports of RT-AC68U owners suffering the same frustrating issues, but I have just tried the commands on three separate RMerlin-firmware-loaded RT-AC68U units and none exhibit the same error messages about 'No chain/target/match by that name', either by copy'n'paste or manually typing the command, so I doubt it is RT-AC5300-specific. :(
Perhaps this is the same iptables issue @kman is reporting on the Selective Routing Thread.
 
Xentrk: Indeed, that looks like a similar issue. My only difference in setup is that I have DNS set to exclusive on my client VPNs.

Martineau: I am able to issue this command:
iptables --verbose -t mangle -vL PREROUTING

But I am not sure what I am looking for. Getting a little out of my depth here so need a bit of steering! :)

I hope not to have to restore my configs after a factory reset but hey ho, if I have to to help sort this out so be it. Happy to help out if we have stumbled on a problem and you need a guinea pig to fix it.
 

Just post the output.

Clearly you are not under any obligation to waste time and effort - particularly where you have a heavily customised router, nor indeed can take the downtime if others need uninterrupted Internet access.

It is a peculiar issue and as I have been recommending those two very simple rules for ages, I am embarrassed to find that 50% of them don't work for everyone :oops:

P.S. I don't believe this is PEBKAC related, so any assistance to the community would, I'm sure, be appreciated.
 
No worries at all. Happy to help as I'd really like to get this working alongside my current dnsmasq.conf.add for selective routing. Just if you lot knacker my router and the wife doesn't get to watch Peter Andre and the dancing celebrity ballroom thing on the telly then you will know about it! ;)

I'll post the output here, just conscious if there's anything I need to redact:

Code:
iptables --verbose -t mangle -vL PREROUTING
Chain PREROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    60 MARK       all  --  tun11  any     anywhere             anywhere             MARK xset 0x1/0x7
    1    60 MARK       all  --  tun12  any     anywhere             anywhere             MARK xset 0x1/0x7
 197K  140M BWDPI_FILTER  udp  --  eth0   any     anywhere             anywhere
 275K   58M ACCEPT     all  --  any    any     anywhere             anywhere   
libiptc vlibxtables.so.7. 2424 bytes.
Table `mangle'
Hooks: pre/in/fwd/out/post = 0/2f8/390/4c0/558
Underflows: pre/in/fwd/out/post = 260/2f8/428/4c0/558
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `tun11'/XXXXXX..........to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 60 bytes
Cache: 00000000
Target name: `MARK' [40]

Entry 1 (152):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `tun12'/XXXXXX..........to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 60 bytes
Cache: 00000000
Target name: `MARK' [40]

Entry 2 (304):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `eth0'/XXXXX...........to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 196648 packets, 139568182 bytes
Cache: 00000000
Target name: `' [40]
verdict=1696

Entry 3 (456):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 275304 packets, 58316588 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 4 (608):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 1 packets, 52 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 5 (760):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 216903 packets, 37164781 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 6 (912):
SRC IP: 192.168.1.0/255.255.255.0
DST IP: 192.168.1.0/255.255.255.0
Interface: `'/................to `br0'/XXXX............
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `MARK' [40]

Entry 7 (1064):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 58343 packets, 21149499 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 8 (1216):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 214171 packets, 28822139 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 9 (1368):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 273405 packets, 50411203 bytes
Cache: 00000000
Target name: `' [40]
verdict=NF_ACCEPT

Entry 10 (1520):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`BWDPI_FILTER'

Entry 11 (1696):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `eth0'/XXXXX...........to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Match name: `udp'
Target name: `' [40]
verdict=NF_DROP

Entry 12 (1896):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `eth0'/XXXXX...........to `'/................
Protocol: 17
Flags: 00
Invflags: 00
Counters: 1 packets, 323 bytes
Cache: 00000000
Match name: `udp'
Target name: `' [40]
verdict=NF_DROP

Entry 13 (2096):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 6297 packets, 1499273 bytes
Cache: 00000000
Target name: `' [40]
verdict=RETURN

Entry 14 (2248):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 0.0.0.0/0.0.0.0
Interface: `'/................to `'/................
Protocol: 0
Flags: 00
Invflags: 00
Counters: 0 packets, 0 bytes
Cache: 00000000
Target name: `ERROR' [64]
error=`ERROR'
 
Code:
libiptc vlibxtables.so.7. 2424 bytes.
Table `mangle'

Hmm probably isn't relevant, but on my RT-AC68U I have
Code:
libiptc vlibxtables.so.7. 3720 bytes.
Table `mangle'

Using the NVRAM save utility is a godsend, and having had so much practice I can flash and restore an RT-AC68U in about 20 mins, with about 3 mins of typing; the rest of the time is taken by the three 5-min physical reboots. :rolleyes:
Just if you lot knacker my router and the wife doesn't get to watch Peter Andre and the dancing celebrity ballroom thing on the telly then you will know about it! ;)

Yeah, tell me about it .. spent 2 hours yesterday evening remotely talking my poor harassed brother-in-law (120 miles away) through factory-wiping his RT-AC68U and reconfiguring it after it suddenly stopped broadcasting any WiFi signal, and my sister was livid that Alexa was no longer available nor her cat-cams etc. ..... she can be surprisingly fierce for a tiny little sibling! :eek:

P.S. I'm sure you could ease the pain by funding a shopping day for your wife:D
 
I feel your pain when it comes to being the go-to IT person in the family!

Regarding the output, so it looks like everything is right?
 
Err yes, and I'm sure @Xentrk is keeping me honest! :p
 
Apologies, I may have missed (or again can't see :oops:) it, but can you please (re)confirm the iptables version you are running:
Code:
iptables --version
 
I am a third person with an AC68U also seeing the same errors.
My iptables version is also 1.4.14
 
If you do not use any kind of firewall scripts, try adding modprobe xt_set in the header of your scripts.
 
Thanks for this. Unfortunately it made no difference.


Just in case, again probably pointless, but can you provide the output of these commands

Code:
cat /proc/net/ip_tables_targets

cat /proc/net/ip_tables_matches
 
No worries. Here you go:

Code:
NOTRACK
NFLOG
CLASSIFY
CONNMARK
MARK
SET
SET
SET
SET
TRIGGER
REJECT
MASQUERADE
LOG
DNAT
SNAT
ERROR
TCPMSS
TOS
DSCP

and

Code:
time
string
statistic
state
mac
limit
helper
conntrack
conntrack
connlimit
connbytes
connmark
mark
set
set
set
set
set
u32
addrtype
addrtype
icmp
webstr
tcpmss
recent
multiport
iprange
udplite
udp
tcp
 
Thanks, it would appear that the expected modules appear to be correctly defined as being known to the kernel, and the only difference is that I appear to have an extra value for the following:
Code:
cat /proc/net/ip_tables_matches

account
 
Weird. I'm on the latest FW, would that make any difference? Wondering what else to try.

Well as posted previously - why was/is there a difference between the reported libiptc vlibxtables.so.7. versions?
https://www.snbforums.com/threads/u...ains-to-a-vpn-client.41560/page-2#post-351521

so should we compare all the modules?? :eek:

Unless you can prove that a complete wipe/reset to factory defaults definitely doesn't immediately exhibit the same behaviour (or can try a previous firmware) then I suspect there is very little else to suggest to identify why your environment is broken. :(
 