x3mRouting x3mRouting ~ Modified OpenVPN Client Screen for 386.1 Asuswrt-Merlin release (31 Jan 2020 update)

  • ATTENTION! You'll notice a Prefix dropdown when you create a thread. If your post applies to one of the topics listed, please use that Prefix for your post. When browsing the thread list you can use the Prefix to filter the view.
  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

Xentrk

Part of the Furniture
Applies to those who use the modified OpenVPN Client Screen available in x3mRouting + 386.1 release.

RMerlin made some updates to the OpenVPN Client Screen in the 386.1. I need another day to merge the change into the x3mRouting master branch. If you want to proceed immediately, you can download the updated screen with the following command.

Code:
curl -fsL --retry 3 --connect-timeout 3 -o "/jffs/addons/x3mRouting/Advanced_OpenVPNClient_Content.asp" https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-386.1/Advanced_OpenVPNClient_Content.asp
 
Last edited:

Xentrk

Part of the Furniture
Bump updated thread. Please see above.
 

figorr

Regular Contributor
I recently installed the x3mRouting script, options 1 and 2.

When I went to edit the file /jffs/scripts/x3mRouting/x3mRouting_client_rules I found the file was completely empty. The file had 0 bytes.

And It doesn't look like this
#########################################################
# Assign the interface for each LAN client by entering #
# the appropriate interface number in the first column #
# 0 = WAN #
# 1 = OVPNC1 #
# 2 = OVPNC2 #
# 3 = OVPNC3 #
# 4 = OVPNC4 #
# 5 = OVPNC5 #
#########################################################
0 192.168.1.150 SamsungTV
1 192.168.1.151 Samsung-Phone
2 192.168.1.152 Asus-Laptop
2 192.168.1.153 iPad
1 192.168.1.154 Lenovo-Laptop

I tried to reinstall option 1 ... but the file was still empty.

I had more or less about 30 connected devices, so I don't know if I am missing something.
 

Xentrk

Part of the Furniture
I recently installed the x3mRouting script, options 1 and 2.

When I went to edit the file /jffs/scripts/x3mRouting/x3mRouting_client_rules I found the file was completely empty. The file had 0 bytes.

And It doesn't look like this


I tried to reinstall option 1 ... but the file was still empty.

I had more or less about 30 connected devices, so I don't know if I am missing something.
The option requires that you first create static DHCP reservations for your clients on the LAN-DHCP Server page. It won't work for dynamic leases. I apologize as I don't make it clear in the README. I will update it and also display a message if no records were retrieved. I suspect that is what is going on. The script gets the IP addresses and hostnames from the nvram values below. You can see if they exist by issuing the commands below:

nvram get dhcp_hostnames
nvram get dhcp_staticlist
 

abir1909

Regular Contributor

Hi Xentrk,​

I created Ipset and set it up on my open vpn routing policy in the GUI. however, it doesn't seem to start after reboot. i set up the VPN to start on boot but the ipset routing wont work. i have to manually turn off the vpn and turn it back on to have it work.

i checked "Nat-Start" script and the line is in there.
what am i missing? Thanks
 

Attachments

  • Screen Shot 2021-02-01 at 7.32.26 PM.png
    Screen Shot 2021-02-01 at 7.32.26 PM.png
    134.6 KB · Views: 62
  • Screen Shot 2021-02-01 at 7.35.23 PM.png
    Screen Shot 2021-02-01 at 7.35.23 PM.png
    285.7 KB · Views: 57
Last edited:

Xentrk

Part of the Furniture

Hi Xentrk,​

I created Ipset and set it up on my open vpn routing policy in the GUI. however, it doesn't seem to start after reboot. i set up the VPN to start on boot but the ipset routing wont work. i have to manually turn off the vpn and turn it back on to have it work.

i checked "Nat-Start" script and the line is in there.
what am i missing? Thanks
Please enter the following command to display the PREROUTING IPTABLES Chains for the mangle table:

Code:
iptables -nvL PREROUTING -t mangle --line

Use the "liststats" command to see the number of entries in the IPSET list you created.

I suspect the issue may be with the test case you are using to route akamai traffic thru the VPN. In my experience, it isn't necessary for selective routing of streaming services. What is your goal?

What firmwmare version are you using?
 

abir1909

Regular Contributor
Please enter the following command to display the PREROUTING IPTABLES Chains for the mangle table:

Code:
iptables -nvL PREROUTING -t mangle --line

Use the "liststats" command to see the number of entries in the IPSET list you created.

I suspect the issue may be with the test case you are using to route akamai traffic thru the VPN. In my experience, it isn't necessary for selective routing of streaming services. What is your goal?

What firmwmare version are you using?
ASUSWRT-Merlin RT-AC86U 386.1_0 Sat Jan 30 20:22:26 UTC 2021
RT-AC86U-0C20:/tmp/home/root# nano /jffs/scripts/nat-start
RT-AC86U-0C20:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 470K packets, 189M bytes)
num pkts bytes target prot opt in out source destina tion
1 18065 2010K MARK all -- br0 * 0.0.0.0/0 0.0.0.0 /0 match-set MAKO dst MARK or 0x1000
 

abir1909

Regular Contributor
what do you mean by test case?
I am routing Akamai steaming services through my VPN to unblock geo location streaming. and it's working. the only problem that it won't start at boot. the VPN client shows on in the GUI after boot but the IP set isn't routed. once I turn it off and back on, only then its routed through the VPN client. thanks
 

Xentrk

Part of the Furniture
ASUSWRT-Merlin RT-AC86U 386.1_0 Sat Jan 30 20:22:26 UTC 2021
RT-AC86U-0C20:/tmp/home/root# nano /jffs/scripts/nat-start
RT-AC86U-0C20:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 470K packets, 189M bytes)
num pkts bytes target prot opt in out source destina tion
1 18065 2010K MARK all -- br0 * 0.0.0.0/0 0.0.0.0 /0 match-set MAKO dst MARK or 0x1000
Packets are traversing the iptables chain as indicated by the value in the "pkts" column.
 

chongnt

Regular Contributor
Hi Xentrk, I might have similar issue with abir1909.
In my case, I route my phone to VPN client 1. I also linked up VPN server 2 to VPN client 1, so that in case I am not at home I can have it work the same way.
However, one local tv app do not like the VPN tunnel. I have install all 4 options of your scripts to get it works

Here is how I do it:
1. x3mRouting server=2 client=1
1. x3mRouting 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
2. add ipset in VPN Client 1 GUI
1612241201617.png

3. x3mRouting server=2 ipset_name=AstroGo

It works well. My phone TV apps go through WAN interface regardless if my phone is connected to Wifi or dial in via VPN Server 2.

The problem is it seems the IPSET is not sticky after a reboot.
I get the following error when I try to manually enter the command:
[email protected]:/tmp/home/root# /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
(x3mRouting.sh): 32719 Starting Script Execution server=2 ipset_name=AstroGo
(x3mRouting.sh): 32719 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
[email protected]:/tmp/home/root#

One way I find it will work is go to VPN Client GUI and click Apply button on the bottom of the page. Now my phone connected to the router wifi can stream the TV app.
I can then apply the rule to route the ipset to server 2.
[email protected]:/tmp/home/root# /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
(x3mRouting.sh): 3960 Starting Script Execution server=2 ipset_name=AstroGo
(x3mRouting.sh): 3960 Completed Script Execution
[email protected]:/tmp/home/root#

What could be the problem?
 

Xentrk

Part of the Furniture
what do you mean by test case?
I am routing Akamai steaming services through my VPN to unblock geo location streaming. and it's working. the only problem that it won't start at boot. the VPN client shows on in the GUI after boot but the IP set isn't routed. once I turn it off and back on, only then its routed through the VPN client. thanks
Test case = how are you verifying/testing that it works. For example, going to a specific website or streaming media site.

But I see you have a different issue.

First, check if you have a phantom lock file in /tmp directory. x3mRouting prevents concurrent processing each instance queues up. x3mRouting will wait 180 seconds before aborting. First check if a lock file exists (it should not).

Code:
ls -al /tmp | grep x3mRouting.lock

if you see one, please remove it.
Code:
rm /tmp/x3mRouting.lock

x3mRouting.sh sends output to the system log. Please check the system log as to why it's not starting at boot. You can search on the name x3mRouting.sh
 

Xentrk

Part of the Furniture
Hi Xentrk, I might have similar issue with abir1909.
In my case, I route my phone to VPN client 1. I also linked up VPN server 2 to VPN client 1, so that in case I am not at home I can have it work the same way.
However, one local tv app do not like the VPN tunnel. I have install all 4 options of your scripts to get it works

Here is how I do it:
1. x3mRouting server=2 client=1
1. x3mRouting 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
2. add ipset in VPN Client 1 GUI
View attachment 30151
3. x3mRouting server=2 ipset_name=AstroGo

It works well. My phone TV apps go through WAN interface regardless if my phone is connected to Wifi or dial in via VPN Server 2.

The problem is it seems the IPSET is not sticky after a reboot.
I get the following error when I try to manually enter the command:
[email protected]:/tmp/home/root# /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
(x3mRouting.sh): 32719 Starting Script Execution server=2 ipset_name=AstroGo
(x3mRouting.sh): 32719 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
[email protected]:/tmp/home/root#

One way I find it will work is go to VPN Client GUI and click Apply button on the bottom of the page. Now my phone connected to the router wifi can stream the TV app.
I can then apply the rule to route the ipset to server 2.
[email protected]:/tmp/home/root# /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
(x3mRouting.sh): 3960 Starting Script Execution server=2 ipset_name=AstroGo
(x3mRouting.sh): 3960 Completed Script Execution
[email protected]:/tmp/home/root#

What could be the problem?
Please post /jffs/scripts/nat-start so I can confirm the order of events. Per the message the IPSET list AstroGo isn't created yet when it tries to apply the rule to route VPN server traffic to the IPSET list AstroGo.
 

abir1909

Regular Contributor
Test case = how are you verifying/testing that it works. For example, going to a specific website or streaming media site.

But I see you have a different issue.

First, check if you have a phantom lock file in /tmp directory. x3mRouting prevents concurrent processing each instance queues up. x3mRouting will wait 180 seconds before aborting. First check if a lock file exists (it should not).

Code:
ls -al /tmp | grep x3mRouting.lock

if you see one, please remove it.
Code:
rm /tmp/x3mRouting.lock

x3mRouting.sh sends output to the system log. Please check the system log as to why it's not starting at boot. You can search on the name x3mRouting.sh
No such file x3mRouting.lock

System log:
b 1 19:10:17 (x3mRouting): 4299 Starting Script Execution ipset_name=MAKO asnum=AS20940
Feb 1 19:10:17 kernel: ip_set: protocol 6
Feb 1 19:10:17 (x3mRouting): 4299 IPSET created: MAKO hash:net family inet hashsize 1024 maxelem 65536
Feb 1 19:10:21 (x3mRouting): 4299 sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=MAKO asnum=AS20940 added to /jffs/scripts/nat-start
Feb 1 19:10:21 (x3mRouting): 4299 Completed Script Execution
 

chongnt

Regular Contributor
Please post /jffs/scripts/nat-start so I can confirm the order of events. Per the message the IPSET list AstroGo isn't created yet when it tries to apply the rule to route VPN server traffic to the IPSET list AstroGo.

Here is the output:

[email protected]:/jffs/scripts# more nat-start
#!/bin/sh

sleep 10 # During the boot process nat-start may run multiple times so this is required

touch /tmp/000nat-start
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 client=1


#sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo autoscan=astro
/bin/sleep 2s # give 2s buffer
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv

/bin/sleep 8s # give 8s buffer for VPN server2 to route AstroGo to WAN
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
touch /tmp/000nat-start

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 VPN_IP dnsmasq=whatsmyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WAN_IP dnsmasq=whatismyipaddress.com

[email protected]:/jffs/scripts#
 

Xentrk

Part of the Furniture
Here is the output:

[email protected]:/jffs/scripts# more nat-start
#!/bin/sh

sleep 10 # During the boot process nat-start may run multiple times so this is required

touch /tmp/000nat-start
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 client=1


#sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo autoscan=astro
/bin/sleep 2s # give 2s buffer
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv

/bin/sleep 8s # give 8s buffer for VPN server2 to route AstroGo to WAN
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
touch /tmp/000nat-start

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 VPN_IP dnsmasq=whatsmyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WAN_IP dnsmasq=whatismyipaddress.com

[email protected]:/jffs/scripts#
The order of the entries looks good. What is the purpose of the "touch /tmp/000nat-start?

x3Routing is designed to prevent concurrent processing. The first entry will run and create a lock file. Other entries will queue up and try to run every 3 seconds. It will give up after 180 seconds. During boot, another process may be preventing the first x3mRouting entry to run which then prevents the second line from running. If that is so, then AstroGo does not get created and the third x3mRouting entry can't be created because the IPSET list does not exist. The x3mRouting.sh entries in the System Log will tell us if this occurred. If so, I may need to increase the wait time max.

I need to see some more information to see if it is indeed a wait time issue. But I want to do it without the wait entries you have as x3mRouting should be handling.

Please backup your nat-start

Code:
cp /jffs/scripts/nat-start /jffs/scipts/nat-start.bkup

Edit or replace the current nat-start with the following.
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 client=1
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 VPN_IP dnsmasq=whatsmyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WAN_IP dnsmasq=whatismyipaddress.com

BTW, the 4th entry probably overrides the 5th entry as it is matched first. The 4th entry says to bypass the VPN for any client devices assigned to use the VPN tunnel for whatismyaddress.com. But the 5th one says to route ALL whatismyipaddress.com lookups to VPN Client 1.

Now, reboot. Validate the iptables rules are in place:

iptables -nvL PREROUTING -t mangle --line

iptables -nvL POSTROUTING -t nat --line

Check the System Log and search backwards for x3mRouting.sh to when you rebooted. Then, follow the log forward to see if it exited due to wait time issue as described above.
 

abir1909

Regular Contributor
Test case = how are you verifying/testing that it works. For example, going to a specific website or streaming media site.

But I see you have a different issue.

First, check if you have a phantom lock file in /tmp directory. x3mRouting prevents concurrent processing each instance queues up. x3mRouting will wait 180 seconds before aborting. First check if a lock file exists (it should not).

Code:
ls -al /tmp | grep x3mRouting.lock

if you see one, please remove it.
Code:
rm /tmp/x3mRouting.lock

x3mRouting.sh sends output to the system log. Please check the system log as to why it's not starting at boot. You can search on the name x3mRouting.sh
Is that the issue?
“ x3mRouting.sh): 3585 Starting Script Execution ipset_name=MAKO asnum=AS20940
Feb 1 22:12:18 custom_script: Found firewall-start, but script is not set executable! “
 

chongnt

Regular Contributor
...snipped...
touch /tmp/000nat-start are just stuff I see in some of the thread. After run then I realized it just create a file under /tmp. I guess the purpose is to check if and when the nat-start is being run. So I add a bit here and there and it gets more messy.

Replaced with the new nat-start and rebooted. The symptom are the same. Phone connected to wifi cannot stream with the TV apps as it goes through VPN Client 1. I have to go to VPN Client 1 GUI page click apply button and then the phone TV apps is stream correctly via WAN. I have collected the boot messages.
tail -1000 messages | grep x3m
May 5 13:05:22 (x3mRouting.sh): 2522 Entware not available - wait time 117 secs left
Feb 2 14:37:01 (x3mRouting.sh): 2522 Entware not available - wait time 116 secs left
Feb 2 14:37:02 (x3mRouting.sh): 2522 Entware not available - wait time 115 secs left
Feb 2 14:37:03 (x3mRouting.sh): 2522 Entware not available - wait time 114 secs left
Feb 2 14:37:04 (x3mRouting.sh): 2522 Entware not available - wait time 113 secs left
Feb 2 14:37:05 x3mRouting: Configuring policy rules for client 1
Feb 2 14:37:05 (x3mvpnrouting.sh): 4403 Completed routing policy configuration for client 1
Feb 2 14:37:05 (x3mRouting.sh): 2522 Entware not available - wait time 112 secs left
Feb 2 14:37:05 (x3mRouting.sh): 4763 Starting Script Execution server=2 client=1
Feb 2 14:37:06 (x3mRouting.sh): 4763 x3mRouting Lock File in use by PID 2522 - wait time 177 secs left
Feb 2 14:37:06 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:06 (x3mvpnrouting.sh): 4812 Completed routing policy configuration for client 2
Feb 2 14:37:06 (x3mRouting.sh): 2522 Entware not available - wait time 111 secs left
Feb 2 14:37:07 (x3mRouting.sh): 2522 Entware not available - wait time 110 secs left
Feb 2 14:37:08 (x3mRouting.sh): 2522 IPSET restored: AstroGo from /opt/tmp/AstroGo
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Created fwmark 0x1000/0x1000
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 IPSET created: WAN_IP hash:net family inet hashsize 1024 maxelem 65536
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 CRON schedule created: #WAN_IP# '0 2 * * * ipset save WAN_IP'
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Selective Routing Rule via VPN Client 1 created for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Completed Script Execution
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 Starting Script Execution ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:10 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 6491 Completed routing policy configuration for client 2
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 Completed Script Execution
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Removing rule 10101 from routing policy
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Removing rule 10102 from routing policy
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Deleting PREROUTING Chain 2 for IPSET List WAN_IP
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 00 Deleting fwmark 0x1000/0x1000
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 ip rule add from 10.16.0.0/24 table ovpnc1 priority 10101
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 10.16.0.0/24 to through VPN client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 ip rule add from 192.168.1.55 table ovpnc1 priority 10102
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.55 to through VPN client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Routing rules created for IPSET list AstroGo
Feb 2 14:37:12 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Completed routing policy configuration for client 1
Feb 2 14:37:12 RT-AC86U-DBA8 openvpn-event[7002]: Running /jffs/scripts/x3mRouting/vpnclient1-route-up tun11 1500 1584 10.8.3.12
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mRouting.sh): 4763 Completed Script Execution
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 Starting Script Execution 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Removing rule 10301 from routing policy
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 Completed Script Execution
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Deleting PREROUTING Chain 1 for IPSET List AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 8134 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 ip rule add from 192.168.2.0/24 table ovpnc2 priority 10301
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.2.0/24 to through VPN client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Created fwmark 0x2000/0x2000
Feb 2 14:37:14 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Completed routing policy configuration for client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8134 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Starting Script Execution 1 0 VPN_IP dnsmasq=whatsmyipaddress.com
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 CRON schedule created: #VPN_IP# '0 2 * * * ipset save VPN_IP'
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Selective Routing Rule via WAN deleted for VPN_IP fwmark 0x8000/0x8000
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Selective Routing Rule via WAN created for VPN_IP fwmark 0x8000/0x8000
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Completed Script Execution
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Starting Script Execution ALL 1 WAN_IP dnsmasq=whatismyipaddress.com
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Created fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 CRON schedule created: #WAN_IP# '0 2 * * * ipset save WAN_IP'
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Selective Routing Rule via VPN Client 1 deleted for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Selective Routing Rule via VPN Client 1 created for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Completed Script Execution
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8966 Starting Script Execution ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:16 RT-AC86U-DBA8 (x3mRouting.sh): 8966 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:16 RT-AC86U-DBA8 (x3mRouting.sh): 8966 Completed Script Execution


[email protected]:/# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 790 packets, 185K bytes)
num pkts bytes target prot opt in out source destination
1 1203 409K MARK all -- tun22 * 0.0.0.0/0 0.0.0.0/0 match-set AstroGo dst MARK or 0x1000
2 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set VPN_IP dst MARK or 0x8000
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set WAN_IP dst MARK or 0x1000
[email protected]:/#
[email protected]:/# iptables -nvL POSTROUTING -t nat --line
Chain POSTROUTING (policy ACCEPT 497 packets, 41467 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * tun12 192.168.2.0/24 0.0.0.0/0 /* 2.4GHz Guest 1 */
2 13 780 MASQUERADE all -- * tun12 0.0.0.0/0 0.0.0.0/0
3 917 71970 MASQUERADE all -- * tun11 0.0.0.0/0 0.0.0.0/0
4 609 45056 PUPNP all -- * ppp0 0.0.0.0/0 0.0.0.0/0
5 63 6113 MASQUERADE all -- * ppp0 !110.159.94.16 0.0.0.0/0
6 0 0 MASQUERADE all -- * vlan500 !169.254.236.60 0.0.0.0/0
7 15 5104 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
8 0 0 MASQUERADE all -- * tun11 10.16.0.0/24 0.0.0.0/0
[email protected]:/#
 

Xentrk

Part of the Furniture
Is that the issue?
“ x3mRouting.sh): 3585 Starting Script Execution ipset_name=MAKO asnum=AS20940
Feb 1 22:12:18 custom_script: Found firewall-start, but script is not set executable! “
The permission issue should be unrelated. To fix, type the command

Code:
chmod 755 /jffs/scripts/firewall-start

Keep searching down for "x3mRouting.sh): 3585" to see if it completed.
 

figorr

Regular Contributor
The option requires that you first create static DHCP reservations for your clients on the LAN-DHCP Server page. It won't work for dynamic leases. I apologize as I don't make it clear in the README. I will update it and also display a message if no records were retrieved. I suspect that is what is going on. The script gets the IP addresses and hostnames from the nvram values below. You can see if they exist by issuing the commands below:

nvram get dhcp_hostnames
nvram get dhcp_staticlist
Thank you, I created the static DHCP reservations, but using the YAzDHCP script, in order to increase the number of manual assignments above of 64. I think the script clears the nvram and stores the static DCHCP static reservations in another location.
YazDHCP adds 3 lines to dnsmasq.conf.add to configure DHCP reservations:

addn-hosts=/jffs/addons/YazDHCP.d/.hostnames # YazDHCP_hostnames
dhcp-hostsfile=/jffs/addons/YazDHCP.d/.staticlist # YazDHCP_staticlist
dhcp-optsfile=/jffs/addons/YazDHCP.d/.optionslist # YazDHCP_optionslist
So using both commands ...

nvram get dhcp_hostnames
nvram get dhcp_staticlist

there is no results. nvram is clear of DCHP reservations.
 
Last edited:

Xentrk

Part of the Furniture
touch /tmp/000nat-start are just stuff I see in some of the thread. After run then I realized it just create a file under /tmp. I guess the purpose is to check if and when the nat-start is being run. So I add a bit here and there and it gets more messy.

Replaced with the new nat-start and rebooted. The symptom are the same. Phone connected to wifi cannot stream with the TV apps as it goes through VPN Client 1. I have to go to VPN Client 1 GUI page click apply button and then the phone TV apps is stream correctly via WAN. I have collected the boot messages.
tail -1000 messages | grep x3m
May 5 13:05:22 (x3mRouting.sh): 2522 Entware not available - wait time 117 secs left
Feb 2 14:37:01 (x3mRouting.sh): 2522 Entware not available - wait time 116 secs left
Feb 2 14:37:02 (x3mRouting.sh): 2522 Entware not available - wait time 115 secs left
Feb 2 14:37:03 (x3mRouting.sh): 2522 Entware not available - wait time 114 secs left
Feb 2 14:37:04 (x3mRouting.sh): 2522 Entware not available - wait time 113 secs left
Feb 2 14:37:05 x3mRouting: Configuring policy rules for client 1
Feb 2 14:37:05 (x3mvpnrouting.sh): 4403 Completed routing policy configuration for client 1
Feb 2 14:37:05 (x3mRouting.sh): 2522 Entware not available - wait time 112 secs left
Feb 2 14:37:05 (x3mRouting.sh): 4763 Starting Script Execution server=2 client=1
Feb 2 14:37:06 (x3mRouting.sh): 4763 x3mRouting Lock File in use by PID 2522 - wait time 177 secs left
Feb 2 14:37:06 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:06 (x3mvpnrouting.sh): 4812 Completed routing policy configuration for client 2
Feb 2 14:37:06 (x3mRouting.sh): 2522 Entware not available - wait time 111 secs left
Feb 2 14:37:07 (x3mRouting.sh): 2522 Entware not available - wait time 110 secs left
Feb 2 14:37:08 (x3mRouting.sh): 2522 IPSET restored: AstroGo from /opt/tmp/AstroGo
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Created fwmark 0x1000/0x1000
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 IPSET created: WAN_IP hash:net family inet hashsize 1024 maxelem 65536
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 CRON schedule created: #WAN_IP# '0 2 * * * ipset save WAN_IP'
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Selective Routing Rule via VPN Client 1 created for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:09 RT-AC86U-DBA8 (x3mRouting.sh): 6119 Completed Script Execution
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 Starting Script Execution ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:10 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mvpnrouting.sh): 6491 Completed routing policy configuration for client 2
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:10 RT-AC86U-DBA8 (x3mRouting.sh): 6445 Completed Script Execution
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Removing rule 10101 from routing policy
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Removing rule 10102 from routing policy
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Deleting PREROUTING Chain 2 for IPSET List WAN_IP
Feb 2 14:37:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 00 Deleting fwmark 0x1000/0x1000
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 ip rule add from 10.16.0.0/24 table ovpnc1 priority 10101
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 10.16.0.0/24 to through VPN client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 ip rule add from 192.168.1.55 table ovpnc1 priority 10102
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.1.55 to through VPN client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Routing rules created for IPSET list AstroGo
Feb 2 14:37:12 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 1
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7025 Completed routing policy configuration for client 1
Feb 2 14:37:12 RT-AC86U-DBA8 openvpn-event[7002]: Running /jffs/scripts/x3mRouting/vpnclient1-route-up tun11 1500 1584 10.8.3.12
Feb 2 14:37:12 RT-AC86U-DBA8 (x3mRouting.sh): 4763 Completed Script Execution
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 Starting Script Execution 1 0 ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Removing rule 10301 from routing policy
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 Completed Script Execution
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Deleting PREROUTING Chain 1 for IPSET List AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 8134 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 ip rule add from 192.168.2.0/24 table ovpnc2 priority 10301
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.2.0/24 to through VPN client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Created fwmark 0x2000/0x2000
Feb 2 14:37:14 RT-AC86U-DBA8 x3mRouting: Configuring policy rules for client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Completed routing policy configuration for client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8134 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Starting Script Execution 1 0 VPN_IP dnsmasq=whatsmyipaddress.com
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 CRON schedule created: #VPN_IP# '0 2 * * * ipset save VPN_IP'
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Selective Routing Rule via WAN deleted for VPN_IP fwmark 0x8000/0x8000
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Selective Routing Rule via WAN created for VPN_IP fwmark 0x8000/0x8000
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8447 Completed Script Execution
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Starting Script Execution ALL 1 WAN_IP dnsmasq=whatismyipaddress.com
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Created fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 CRON schedule created: #WAN_IP# '0 2 * * * ipset save WAN_IP'
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Selective Routing Rule via VPN Client 1 deleted for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Selective Routing Rule via VPN Client 1 created for WAN_IP fwmark 0x1000/0x1000
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8688 Completed Script Execution
Feb 2 14:37:15 RT-AC86U-DBA8 (x3mRouting.sh): 8966 Starting Script Execution ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Feb 2 14:37:16 RT-AC86U-DBA8 (x3mRouting.sh): 8966 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:16 RT-AC86U-DBA8 (x3mRouting.sh): 8966 Completed Script Execution


[email protected]:/# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 790 packets, 185K bytes)
num pkts bytes target prot opt in out source destination
1 1203 409K MARK all -- tun22 * 0.0.0.0/0 0.0.0.0/0 match-set AstroGo dst MARK or 0x1000
2 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set VPN_IP dst MARK or 0x8000
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set WAN_IP dst MARK or 0x1000
[email protected]:/#
[email protected]:/# iptables -nvL POSTROUTING -t nat --line
Chain POSTROUTING (policy ACCEPT 497 packets, 41467 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MASQUERADE all -- * tun12 192.168.2.0/24 0.0.0.0/0 /* 2.4GHz Guest 1 */
2 13 780 MASQUERADE all -- * tun12 0.0.0.0/0 0.0.0.0/0
3 917 71970 MASQUERADE all -- * tun11 0.0.0.0/0 0.0.0.0/0
4 609 45056 PUPNP all -- * ppp0 0.0.0.0/0 0.0.0.0/0
5 63 6113 MASQUERADE all -- * ppp0 !110.159.94.16 0.0.0.0/0
6 0 0 MASQUERADE all -- * vlan500 !169.254.236.60 0.0.0.0/0
7 15 5104 MASQUERADE all -- * br0 192.168.1.0/24 192.168.1.0/24
8 0 0 MASQUERADE all -- * tun11 10.16.0.0/24 0.0.0.0/0
[email protected]:/#
This part of the log stood out for me. x3mvpnrouting.sh is removing the rule for AstroGo

Code:
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 CRON schedule created: #AstroGo# '0 2 * * * ipset save AstroGo'
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 7655 Completed Script Execution
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Deleting PREROUTING Chain 1 for IPSET List AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mRouting.sh): 8134 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 14:37:13 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 ip rule add from 192.168.2.0/24 table ovpnc2 priority 10301
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): Adding route for 192.168.2.0/24 to through VPN client 2
Feb 2 14:37:14 RT-AC86U-DBA8 (x3mvpnrouting.sh): 7750 Created fwmark 0x2000/0x2000

Do you have any entry in the OpenVPN Screen to route ipset list AstroGo? If so, please remove it. If that isn't the root cause, then I have to dig deeper. Also, I just applied a hotfix to fix the firewall-start issue. Please check for updates via the x3mMenu.
 
Last edited:

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top