Using ipset to selectively route domains to a VPN client?

Unfortunately it seems that I too am in the same boat here. I have a RT-AC68U on the latest firmware (380.68_4) and am getting the dreaded "iptables: No chain/target/match by that name".

I started in the Selective Routing with Asuswrt-Merlin thread trying to get certain traffic to route straight to WAN, bypassing the VPN, but after getting the error, reading through and finding others with the same error, there was a post that redirected to this thread. And I'm pretty much in the same boat.

Is there any fix here? Is there any info I can provide so that we can get this fixed? Pretty important for me, and I'm guessing the others too.

Thanks in advance.
 
@Martineau When you add iptables rules, the vlibxtables.so.7 file grows. Maybe that's not a problem.
@Ted Danson Could you please post your script again? And lsmod as well, for more info.

And I think this is not the case, but try dos2unix once.


Apologies for the late reply to this. As requested:

Code:
@RT-AC5300-05B0:/jffs/scripts# cat /jffs/scripts/nat-start.sh
#!/bin/sh
# Load the iptables ipset match module so "-m set" is available
modprobe xt_set

# UK VPN IPSET RULE: destinations in set "ukvpn" get fwmark 0x1000 and are
# routed through OpenVPN client 1's table (ovpnc1)
ip rule del prio 9991 >/dev/null 2>&1
ip rule add from 0/0 fwmark 0x1000 table ovpnc1 prio 9991

# Delete any previous copy before appending so reruns do not duplicate the rule.
# Match on "dst": a hash:ip set has one dimension, so "src,dst" would only test the
# LAN client's source address and never match the resolved server addresses.
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set ukvpn dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set ukvpn dst -j MARK --set-mark 0x1000/0x1000

# USA VPN IPSET RULE: destinations in set "usavpn" get fwmark 0x2000 and are
# routed through OpenVPN client 2's table (ovpnc2)
ip rule del prio 9992 >/dev/null 2>&1
ip rule add from 0/0 fwmark 0x2000 table ovpnc2 prio 9992

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set usavpn dst -j MARK --set-mark 0x2000/0x2000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set usavpn dst -j MARK --set-mark 0x2000/0x2000

Code:
Module                  Size  Used by    Tainted: P
ip_set_hash_ip         19239  2
xt_set                  7395  0
tun                    12274  0
ip_set                 23793  2 ip_set_hash_ip,xt_set
ct_notification         1684  0
bw_forward             93980  1 ct_notification
IDP                   529198  1 bw_forward
nls_cp437               4474  0
nf_nat_sip              5031  0
nf_conntrack_sip       15713  1 nf_nat_sip
nf_nat_h323             4761  0
nf_conntrack_h323      33807  1 nf_nat_h323
nf_nat_rtsp             3202  0
nf_conntrack_rtsp       4067  1 nf_nat_rtsp
nf_nat_ftp              1144  0
nf_conntrack_ftp        4909  1 nf_nat_ftp
ip6table_mangle          934  0
sr_mod                 10842  0
cdrom                  30901  1 sr_mod
cdc_mbim                3129  0
qmi_wwan                5780  0
cdc_wdm                 7252  2 cdc_mbim,qmi_wwan
cdc_ncm                 8750  1 cdc_mbim
rndis_host              4936  0
cdc_ether               3187  1 rndis_host
asix                   10832  0
usbnet                 11165  6 cdc_mbim,qmi_wwan,cdc_ncm,rndis_host,cdc_ether,asix
mii                     3367  2 asix,usbnet
usblp                  10321  0
ohci_hcd               17918  0
ehci_hcd               31941  0
thfsplus               85433  0
tntfs                 467362  3
tfat                  191383  0
ext2                   53816  0
ext4                  222314  0
crc16                   1007  1 ext4
jbd2                   49581  1 ext4
ext3                  106581  1
jbd                    42863  1 ext3
mbcache                 4599  3 ext2,ext4,ext3
usb_storage            34402  2
sg                     20031  0
sd_mod                 22199  4
scsi_wait_scan           416  0
scsi_mod              108826  4 sr_mod,usb_storage,sg,sd_mod
usbcore               102962 13 cdc_mbim,qmi_wwan,cdc_wdm,cdc_ncm,rndis_host,cdc_ether,asix,usbnet,usblp,ohci_hcd,ehci_hcd,usb_storage
ip6t_LOG                4494  0
ip6table_filter          750  1
jffs2                  91550  1
zlib_deflate           19489  1 jffs2
nf_nat_pptp             1602  0
nf_conntrack_pptp       3355  1 nf_nat_pptp
nf_nat_proto_gre         887  1 nf_nat_pptp
nf_conntrack_proto_gre     3296  1 nf_conntrack_pptp
dhd                  2275898  0
dpsta                   2744  0
igs                    12371  1 dhd
emf                    21593  2 dhd,igs
et                     52543  0
ctf                    19647  0

It's definitely working in the sense that visited domains are put in to their respective sets, but that's as far as it goes. Nothing is then sent over the respective VPN clients.

Hope this gets fixed as it would be great to have working. Thanks so much again to everyone for all your help and trying to solve this, it is much appreciated.
 
When you typed the commands directly in the shell, did you get an error message?

ipset create ukvpn iphash
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set ukvpn src,dst -j MARK --set-mark 0x1000/0x1000
 
Unfortunately it seems that I too am in the same boat here. I have a RT-AC68U on the latest firmware (380.68_4) and am getting the dreaded "iptables: No chain/target/match by that name".

I started in the Selective Routing with Asuswrt-Merlin thread trying to get certain traffic to route straight to WAN, bypassing the VPN, but after getting the error, reading through and finding others with the same error, there was a post that redirected to this thread. And I'm pretty much in the same boat.

Is there any fix here? Is there any info I can provide so that we can get this fixed? Pretty important for me, and I'm guessing the others too.

Thanks in advance.
I feel bad for the AC68U owners experiencing this issue.
Makes me wonder if the firewall is even working.
 
I feel bad for the AC68U owners experiencing this issue.
Makes me wonder if the firewall is even working.

:eek:
Holy crap. Is that a possibility? I don't understand all of this enough to have even known I needed to be worried about that. Can we test that? If so, how? Everything is flowing through the VPN as far as I can tell, at least when I check my IP it's a VPN IP (so I am guessing everything is flowing through the VPN...).
 
:eek:
Holy crap. Is that a possibility? I don't understand all of this enough to have even known I needed to be worried about that. Can we test that? If so, how? Everything is flowing through the VPN as far as I can tell, at least when I check my IP it's a VPN IP (so I am guessing everything is flowing through the VPN...).
You should see blocks being logged in the system log file. I doubt there is a problem, as we probably would have seen it by now. Most firewalls use iptables. Still a mystery why this issue seems to only impact AC68U routers.
 
When you typed the commands directly in the shell, did you get an error message?

ipset create ukvpn iphash
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set ukvpn src,dst -j MARK --set-mark 0x1000/0x1000

Nope no error message.

Here's something odd. If I run ./nat-start.sh I get the chain error. Yet if I run

Code:
touch /tmp/000nat-start

and then run

Code:
./nat-start.sh

I get no error message.

Regardless, if I check the iptables there is no entry named PREROUTING at all. I can create that entry manually, but I shouldn't have to right?
 
Regardless, if I check the iptables there is no entry named PREROUTING at all. I can create that entry manually, but I shouldn't have to right?

Turn off AI Protection and try again.
And change the file name to nat-start, not nat-start.sh.

/jffs/scripts/nat-start is the right path.
 
Turn off AI Protection and try again.
And change the file name to nat-start, not nat-start.sh.

/jffs/scripts/nat-start is the right path.

Thanks, I renamed the file and turned off AI Protection. Same problem.

One other thing to add. I was testing by adding ipleak.net to the different ipsets I made, and sure enough the DNS resolves to a different IP as I change what it should resolve to each time. So that part is working. Just the chains are still not listed in iptables, and thus that part is still failing.

Should I try adding the firewall lines manually just to see? Also, if I reboot the router, the ipsets I created are missing when I do an ipset --list after reboot.
 
So that part is working. Just the chains are still not listed in iptables, and thus that part is still failing.

Should I try adding the firewall lines manually just to see? Also, if I reboot the router, the ipsets I created are missing when I do an ipset --list after reboot.

You should create the ipsets with a script when the router reboots.

Code:
ipset create ukvpn iphash
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set ukvpn src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -L -v

No error message, but the rule wasn't added to the table? Really weird.
 
Correct. I run ./nat-start and it gives me 2 chain errors. When I run ./nat-start again, I get no errors.

I run iptables --list and PREROUTING is nowhere to be seen.
 
This looks interesting!

Code:
@RT-AC5300-05B0:/jffs/scripts# ./nat-start
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
@RT-AC5300-05B0:/jffs/scripts# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 616 packets, 122K bytes)
 pkts bytes target     prot opt in     out     source               destination  
 1769  204K MARK       all  --  tun21  any     anywhere             anywhere             MARK xset 0x1/0x7
 1884  325K BWDPI_FILTER  udp  --  eth0   any     anywhere             anywhere  
    0     0 MARK       tcp  --  br0    any     anywhere             anywhere             match-set usavpn src,dst MARK or 0x1000
    0     0 MARK       tcp  --  br0    any     anywhere             anywhere             match-set ukvpn src,dst MARK or 0x2000
    0     0 MARK       tcp  --  br0    any     anywhere             anywhere             match-set indiavpn src,dst MARK or 0x3000

Chain INPUT (policy ACCEPT 451 packets, 87084 bytes)
 pkts bytes target     prot opt in     out     source               destination  

Chain FORWARD (policy ACCEPT 165 packets, 35072 bytes)
 pkts bytes target     prot opt in     out     source               destination  
    0     0 MARK       all  --  any    br0     192.168.1.0/24       192.168.1.0/24       MARK xset 0x1/0x7

Chain OUTPUT (policy ACCEPT 454 packets, 115K bytes)
 pkts bytes target     prot opt in     out     source               destination  

Chain POSTROUTING (policy ACCEPT 619 packets, 150K bytes)
 pkts bytes target     prot opt in     out     source               destination  

Chain BWDPI_FILTER (1 references)
 pkts bytes target     prot opt in     out     source               destination  
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootpc dpt:bootps
    0     0 DROP       udp  --  eth0   any     anywhere             anywhere             udp spt:bootps dpt:bootpc
@RT-AC5300-05B0:/jffs/scripts#

I should add I created a third ipset too. Still had to create the ipset again after reboot.

Same issues with AI Protection on or off. I'd prefer to keep it on.
 
Add the ipset commands to the nat-start script.. lol

Code:
modprobe xt_set
ipset create ukvpn iphash
ipset create usavpn iphash

#USA VPN IPSET RULE
 
OK, your router doesn't have a problem.
Now all you need are proper scripts.

Look for the openvpn-event script, the vpnclientX-route-up script and the nat-start script in the selective-routing threads.
 
Ah, OK, so I have the foundations in place but now need to start telling stuff where to go?

To be honest, I'd like to try a small test to see if I can get one specific site/streaming service (NBA.com / NBA League Pass) routing to one VPN client. If I can do that then I'm pretty much set for the other 2 VPN clients. An example would be using another VPN client to route BBC iPlayer through it, then another VPN client to route some specific USA sites and streaming services that do not need a Smart DNS.

Ideally what I would like to do after that is only have a few domains going to the different VPN clients. Everything else can just go straight through the WAN and bypass VPN. The reason for this is that I then have my dnsmasq.conf.add file in place to route domains over smart dns providers. Anything else just uses an alternate DNS service.

I had a look through the main selective routing thread but there are so many results within it with conflicting configurations that I really do not know where to start.

Glad to know my router is OK though and it was mainly down to my stupidity. :D
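The two conclusions of the thread (the ipsets must be created inside nat-start because they vanish on reboot, and xt_set must be loaded before the rules reference a set) and the last post's goal of sending one service through one VPN client fit in a single hook script. The following is an added example written for this page, not a script from the thread or from Asuswrt-Merlin. It assumes OpenVPN clients 1 and 2 are configured (so the ovpnc1 and ovpnc2 routing tables exist), that the LAN bridge is br0, and that /jffs/configs/dnsmasq.conf.add carries lines such as ipset=/nba.com/usavpn so dnsmasq adds resolved addresses to the set. It matches the set against the destination address (dst) rather than the src,dst used in the thread: a hash:ip set has one dimension, so only the first flag is tested, and src would compare the LAN client's own address. The IPT, IPSET, IP and MODPROBE variables exist only so the logic can be dry-run with echo off the router.

```shell
#!/bin/sh
# Added example for /jffs/scripts/nat-start (Asuswrt-Merlin firewall hook), not
# a script from the thread. Assumptions: OpenVPN clients 1 and 2 are configured
# (Merlin creates routing tables ovpnc1 and ovpnc2), the LAN bridge is br0, and
# dnsmasq fills the sets via "ipset=/domain/setname" lines in dnsmasq.conf.add.

IPT="${IPT:-iptables}"          # overridable so the logic can be dry-run with echo
IPSET="${IPSET:-ipset}"
IP="${IP:-ip}"
MODPROBE="${MODPROBE:-modprobe}"
LAN_IF="${LAN_IF:-br0}"

# One policy per line: <ipset name> <fwmark> <routing table> <ip rule priority>
POLICIES="
ukvpn  0x1000 ovpnc1 9991
usavpn 0x2000 ovpnc2 9992
"

# ipsets live only in kernel memory and are gone after a reboot, which is why the
# thread's rules failed with "No chain/target/match by that name": the set the
# rule referenced did not exist. -exist makes create a no-op when it already does.
ensure_set() {
    $IPSET create "$1" hash:ip -exist
}

# Policy-routing selector: packets carrying the mark use the VPN client's table.
# The mark/mask form ignores bits other rules may set (the thread shows 0x1/0x7 marks).
ensure_rule() {
    mark="$1"; table="$2"; prio="$3"
    $IP rule del prio "$prio" >/dev/null 2>&1 || true   # drop a stale copy first
    $IP rule add fwmark "$mark/$mark" table "$table" prio "$prio"
}

# Mark LAN traffic whose destination is in the set. "dst" is deliberate: a hash:ip
# set has one dimension, so "src,dst" would test only the client's source address.
mark_rule() {
    set_name="$1"; mark="$2"
    rule="PREROUTING -i $LAN_IF -m set --match-set $set_name dst -j MARK --set-mark $mark/$mark"
    # Delete before append so firewall restarts and VPN reconnects do not stack duplicates.
    $IPT -t mangle -D $rule >/dev/null 2>&1 || true
    $IPT -t mangle -A $rule
}

apply_policies() {
    $MODPROBE xt_set     # provides the "-m set" match; must be loaded before the rules
    echo "$POLICIES" | while read -r set_name mark table prio; do
        [ -n "$set_name" ] || continue
        ensure_set "$set_name"
        ensure_rule "$mark" "$table" "$prio"
        mark_rule "$set_name" "$mark"
    done
}

# Apply only when run as the firewall hook (Merlin executes /jffs/scripts/nat-start);
# sourcing the file for a dry run just defines the functions.
case "$0" in
    */nat-start) apply_policies ;;
esac
```

After a reboot, `ipset list usavpn` should show the set (empty until a client resolves a listed domain), `iptables -t mangle -L PREROUTING -v` should show the two MARK rules, and `ip rule` should show the two fwmark selectors; once a LAN client resolves nba.com the rule's packet counter should start climbing.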
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top