Xentrk
Part of the Furniture
Thanks. I will have to update the LAN Client Routing feature to use those files if they exist. Stay tuned...
x3mRouting x3mRouting ~ Modified OpenVPN Client Screen for 386.1 Asuswrt-Merlin release (31 Jan 2020 update)
- Thread starter Xentrk
- Start date
Thanks @Xentrk , it works. You have done some magic.
From syslog, there are two instances it is being run. The first one return with error but the second time it gets completed. What do you think?
Feb 2 20:41:09 RT-AC86U-DBA8 (x3mRouting.sh): 8959 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 20:41:09 RT-AC86U-DBA8 (x3mRouting.sh): 8959 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
...snipped...
Feb 2 20:41:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 9489 Routing rules created for IPSET list AstroGo
snipped...
Feb 2 20:41:15 RT-AC86U-DBA8 (x3mRouting.sh): 11706 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 20:41:15 RT-AC86U-DBA8 (x3mRouting.sh): 11706 Completed Script
Problem solved! The script wasn’t executable. I ran: chmod a+rx /jffs/scripts/*
Now it’s up and running at boot. Thanks
Xentrk
Part of the Furniture
I had another report about a firewall-start issue about the permission this past week. I did apply a patch the other day but realized yesterday that it only applies to new installs. The last hot patch I applied to x3mMenu will perform a repair on firewall-start when selectng option 5 - Update x3mRouting Repo.
question, i am routing Akamai ASN# through the VPN and it works great with the streaming service i am using. however, by blocking the entire Akamai ASN i noticed couple sites that won't work. for example CVS.com (it says it can only open in the US) my question, is there a way to whitelist the CVS IP range while still blocking all Akamai ASN number? i tried to put the CVS ip range through the WAN but it seems like the ASN routing is taking over. does it make sense?
Xentrk
Part of the Furniture
Try changing the order of the events so the rule for CVS matches before the rule for Akamai. Can you do some more analysis on the streaming service to see if you can obtain the domain names rather than having to route an entire CDN? Option 4 contains some tools you can use. The ASN Lookup Tool is a good start followed by the autoscan.sh script. You should first use the follow the log file option in diversion to see if you spot a common name in the query A records. You don't need to be concerned with the reply records. The ipset feature built into dnsmasq will automatically add the ipv4 addresses returned by the reply records. Then, use the autoscan.sh script to search for the keyword and it will report back the top level domain name and the FQDN records being queried.
Last edited:
Changing the order of the entry didn’t help. Tried few times before, didn’t work!
I will try to dig deeper, all my searches before led me to Akamai. Will try again. Thx
Perhaps can check in /jffs/configs/dnsmasq.conf.add if there is any old sequence still there? Not sure if this is necessary but I find that some time delete the ipset name and then start with a clean one worth a try.
I think I'm on the right page to ask for this info.
I am using my paid VPN with openvpn protocol. I have already created some tunnel rules regarding the devices I use every day. Now I would like to activate the guest line on my router, so that if I have people at home, they connect to this. I would like to make sure that everyone who connects to the guest line is directed to the VPN. Is it possible with x3mrouting?
Can I also manage the use of the vpn client servers or do I need another app?
I am using my paid VPN with openvpn protocol. I have already created some tunnel rules regarding the devices I use every day. Now I would like to activate the guest line on my router, so that if I have people at home, they connect to this. I would like to make sure that everyone who connects to the guest line is directed to the VPN. Is it possible with x3mrouting?
Can I also manage the use of the vpn client servers or do I need another app?
Detail information is in this link:
GitHub - Xentrk/x3mRouting: Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware
Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - Xentrk/x3mRouting
github.com
I don't know about Dim1 and Dim2. I leave it as default Dim1 DST and Dim2 empty. It works for what I wanted so I didn't explore on this settings.
OK thank you very muchDetail information is in this link:
GitHub - Xentrk/x3mRouting: Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware
Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - Xentrk/x3mRouting
I don't know about Dim1 and Dim2. I leave it as default Dim1 DST and Dim2 empty. It works for what I wanted so I didn't explore on this settings.
Martineau
Part of the Furniture
IPSET brief definition
Basically an IPSET can contain thousands of entries and needs only a single firewall rule to very efficiently match the contents.
The IPSETs created by X3mRouting are considered 1-DIMensional because each entry contains only one column value i.e. an IP address
e.g. 1st column is an IP address used by the domain
Code:
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxxThe firewall rule needs to know if the column represents a source or destination IP, so as X3mRouting is Selectively routing to a domain such as 'bbc.co.uk'
we need to set
DIM1=DST If we added another column to the IPSET
e.g. 2nd column is a port so we now have a 2-DIMension IPSET
Code:
xxx.xxx.xxx.xxx nnnn
bad.xxx.xxx.xxx nnnnNow for the firewall rule, how should it evaluate the port match? - inbound or outbound?
so we need to set
DIM2=SRC or DIM2=DST as appropriate.
Last edited:
Hi @Xentrk,
Previously I use
x3mRouting 1 0 ipset_name=AstroGo autoscan=astro
and it auto generated ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Everything works fine. But then I find the ipset AstroGo keeps growing until I realized I am adding way more that what I needed to the ipset.
After redo again with more specific query, I trim it down to only 3 IP.
Update: I have change to manual ip mode like this now in nat-start.
Everything is working fine.
Here is a weird problem. I have nothing but a dummy in VPN Client 2. If I go to VPN page GUI Client 2 turn off and turn on the button everything is fine. In scMerlin, if I reset VPN Client 1, everything is working fine. Somehow whenever I use scMerlin to reset VPN Client 2, both AstroGo route will get deleted.
I am not sure why reset of VPN Client 2 in scMerlin will have such effect. I added iptables for AstroGo in vpnclient2-route-up which seems to solve the issue. I don't need this in vpnclient1-route-up script though.
Previously I use
x3mRouting 1 0 ipset_name=AstroGo autoscan=astro
and it auto generated ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv
Everything works fine. But then I find the ipset AstroGo keeps growing until I realized I am adding way more that what I needed to the ipset.
After redo again with more specific query, I trim it down to only 3 IP.
Update: I have change to manual ip mode like this now in nat-start.
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 client=1
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo ip=13.228.31.33,13.250.167.128,18.140.144.126
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 DummyVPN2 dnsmasq=dummyvpn2.meEverything is working fine.
Code:
RPDB Rules
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.1 lookup main
10101: from 10.16.0.0/24 lookup ovpnc1
10102: from 192.168.1.2 lookup ovpnc1
10103: from 192.168.1.11 lookup ovpnc1
10104: from 192.168.1.21 lookup ovpnc1
10105: from 192.168.1.91 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
Client ovpnc1 port 1194 udp
default via 10.8.2.1 dev tun11
10.8.2.0/24 dev tun11 proto kernel scope link src 10.8.2.2
Client ovpnc2 port 443 tcp-client
default via 10.7.1.1 dev tun12
10.7.1.0/24 dev tun12 proto kernel scope link src 10.7.1.3
Client ovpnc3 port 1194 udp
Client ovpnc4 port 1194 udp
Client ovpnc5 NOT configured
Table main
default via 60.51.46.254 dev ppp0
FWMARK Tagging
Chain PREROUTING (policy ACCEPT 356 packets, 648K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set DummyVPN2 dst MARK or 0x2000
2 0 0 MARK all -- tun22 * 0.0.0.0/0 0.0.0.0/0 match-set AstroGo dst MARK or 0x8000
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AstroGo dst MARK or 0x8000
4 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set WAN_IP dst MARK or 0x8000
5 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set VPN_IP dst MARK or 0x1000Here is a weird problem. I have nothing but a dummy in VPN Client 2. If I go to VPN page GUI Client 2 turn off and turn on the button everything is fine. In scMerlin, if I reset VPN Client 1, everything is working fine. Somehow whenever I use scMerlin to reset VPN Client 2, both AstroGo route will get deleted.
Code:
RPDB Rules
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.1 lookup main
10101: from 10.16.0.0/24 lookup ovpnc1
10102: from 192.168.1.2 lookup ovpnc1
10103: from 192.168.1.11 lookup ovpnc1
10104: from 192.168.1.21 lookup ovpnc1
10105: from 192.168.1.91 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
Client ovpnc1 port 1194 udp
default via 10.8.2.1 dev tun11
10.8.2.0/24 dev tun11 proto kernel scope link src 10.8.2.2
Client ovpnc2 port 443 tcp-client
default via 10.7.2.1 dev tun12
10.7.2.0/24 dev tun12 proto kernel scope link src 10.7.2.2
Client ovpnc3 port 1194 udp
Client ovpnc4 port 1194 udp
Client ovpnc5 NOT configured
Table main
default via 60.51.46.254 dev ppp0
FWMARK Tagging
Chain PREROUTING (policy ACCEPT 862 packets, 167K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set WAN_IP dst MARK or 0x8000
2 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set VPN_IP dst MARK or 0x1000
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set DummyVPN2 dst MARK or 0x2000I am not sure why reset of VPN Client 2 in scMerlin will have such effect. I added iptables for AstroGo in vpnclient2-route-up which seems to solve the issue. I don't need this in vpnclient1-route-up script though.
Code:
admin@RT-AC86U-DBA8:/tmp/mnt/amtm/entware/tmp# more /jffs/scripts/x3mRouting/vpnclient2-route-up
#!/bin/sh
logger "VPN Client 2 coming up ..."
iptables -t mangle -D PREROUTING -i br0 -m set --match-set DummyVPN2 dst -j MARK --set-mark 0x2000/0x2000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set DummyVPN2 dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -D PREROUTING -i tun22 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i tun22 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000
Last edited:
Hi Xentrk, is there a way to view the ipsets I created? What’s the command to show the ip sets and what they contain? (ASN/ Domains)
Thanks
Similar threads
- Locked
Similar threads
| Thread starter | Title | Forum | Replies | Date |
|---|---|---|---|---|
|
|
VPNMON VPNMON-R3 v1.8.3 -Jan 17, 2026- Monitor OpenVPN/Wireguard WAN/Dual-WAN Health & Random Reset Multiple Connections (Available in AMTM!) - 1.9.0Beta1! | Asuswrt-Merlin AddOns | 222 |
Similar threads
Latest threads
-
BQ16 Pro jumping between mesh loses internet on devices. Suggestions?
- Started by jucytec
- Replies: 1
-
-
seeing random ssh/dropbear connection attempts from some local windows machines in logs
- Started by lgkahn
- Replies: 16
-
-
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!