x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)

Dear all,

I set in Asus Merlin VPN Director:
Local IP: 192.168.1.192/28, Remote IP: any, Interface: VPN Client 1 (IFACE: OVPN1),

and then, in x3mRouting:
Code:
x3mRouting 1 0 MYIPSET

The result is exactly what I wanted, as below:
all traffic for all of my LAN is routed to WAN, except 192.168.1.192-192.168.1.207.
For this range all destination IPs are routed to OVPN1, except MYIPSET destination IPs, which are routed to WAN.

Now I want to have a VPN server on my Asus router with a similar routing policy. I mean, for each mobile phone or device that makes a VPN connection to this VPN server 1, all traffic should be routed to OVPN1 except traffic for the destination IPs of the MYIPSET list, which should be routed to the WAN of the Asus router, with the commands below:

Code:
x3mRouting server=1 client=1
x3mRouting server=1 ipset_name=MYIPSET

After connecting from a mobile phone to VPN server 1, I have all traffic routed to OVPN1, including MYIPSET.

How can I exclude MYIPSET in this case?

Thanks in advance for your help.
 
Hi, how about removing these two
x3mRouting server=1 client=1
x3mRouting server=1 ipset_name=MYIPSET

and using VPN Director? Something like Local IP: VPN server subnet, Iface: OVPN1.

If it still does not work, then add this to /jffs/scripts/nat-start. With this, you can even remove x3mRouting 1 0 MYIPSET
Code:
iptables -t mangle -D PREROUTING -m set --match-set MYIPSET dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -m set --match-set MYIPSET dst -j MARK --set-mark 0x8000/0x8000
 
Dear Chongnt,

Thanks for your help;

please be informed that I had already added
Local IP: 192.168.10.0/28, Remote IP: any, Interface: VPN Client 1 (IFACE: OVPN1)
(192.168.10.0/28 is the local IP range of my PPTP devices)

to VPN Director before, and I don't have any problem routing the VPN Server to OVPN1; the problem is only that I want the VPN Server traffic with destination MYIPSET to be routed to WAN (and bypass the general VPN Director rule above).
 
Hi, so by adding the VPN Server subnet to OVPN1, ipset MYIPSET from your dial-in VPN client still goes through OVPN1?

If so, then I suggest adding the following to nat-start.
Code:
iptables -t mangle -D PREROUTING -m set --match-set MYIPSET dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -m set --match-set MYIPSET dst -j MARK --set-mark 0x8000/0x8000

I only use x3mRouting to create the ipsets but edit the iptables rules manually. It works for me. My local TV apps go through WAN regardless of whether I am connected to the LAN or dial in via VPN and am tunnelled out through another VPN client. Hopefully I haven't missed other changes. Can you check the output of the following:
Code:
iptables -nvL PREROUTING -t mangle --line
ip rule
 
Dear chongnt,
With your last two lines of code, my problem is resolved. Thanks a lot for your help.
 
Glad it helps. Once you put that in nat-start, the setting will survive a reboot. You can remove "x3mRouting 1 0 MYIPSET" from nat-start as these two lines also cover it.
 
I just ran your commands, and they will be deleted at boot. Would you please tell me how I can edit the nat-start file?
 
Dear all,
I am observing a strange behaviour where I need your support.

My situation:
VPN 1 ---> Netflix working
VPN 2 ---> Amazon Prime working
VPN 4 ---> Should route the rest.

Problem: Arlo is not working if I route all the Amazon traffic via VPN 2.

I installed options 3 and 4 in the amtm menu of x3mRouting.

My nat-start config file is the following:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Ending Script Execution
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 ARLO dnsmasq=arlo.com,arloxcld.com
#sh /jffs/scripts/x3mRouting/x3mRouting ALL 2 AMAZON autoscan=amazon
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-US aws_region=US
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-CA aws_region=CA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-AP aws_region=AP
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-CN aws_region=CN
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-GLOBAL aws_region=GLOBAL
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-SA aws_region=SA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 netflixauto autoscan=netflix,nflxext,nflximg,nflxso,nflxvideo,nflx,netfl,nflx
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIXdnsmasq dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,netflix.net,


I want to force all traffic from the Arlo device 192.168.1.131 to VPN1.
The VPN Director entry has no effect; it is not working.
Even if I add an entry to force the IP address to WAN, no chance....

If I shut down VPN 2, Arlo works without problems, but then Amazon Prime Video does not.....

Why does Arlo have a conflict with Amazon Prime Video?
Any ideas how to solve that? The ARLO liststats are not populated......

Thanks a lot for your comments.
 
If I modify nat-start in the way below, Arlo works, but not Amazon Video, because Amazon blocks this VPN:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Ending Script Execution
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 ARLO dnsmasq=arlo.com,arloxcld.com
#sh /jffs/scripts/x3mRouting/x3mRouting ALL 1 AMAZON autoscan=amazon
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-US aws_region=US
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-CA aws_region=CA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-AP aws_region=AP
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-CN aws_region=CN
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-GLOBAL aws_region=GLOBAL
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-SA aws_region=SA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 netflixauto autoscan=netflix,nflxext,nflximg,nflxso,nflxvideo,nflx,netfl,nflx
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIXdnsmasq dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,netflix.net,


So I want to force the specific devices to use VPN1; all the others should use VPN2.



The following nat-start doesn't work either:
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 ARLO dnsmasq=arlo.com,arloxcld.com
#sh /jffs/scripts/x3mRouting/x3mRouting ALL 1 AMAZON autoscan=amazon
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-EU aws_region=EU src=192.168.1.131
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-US aws_region=US src=192.168.1.131
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-CA aws_region=CA src=192.168.1.131
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-AP aws_region=AP src=192.168.1.131
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-CN aws_region=CN src=192.168.1.131
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-GLOBAL aws_region=GLOBAL src=192.168.1.131

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-SA aws_region=SA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-US aws_region=US
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-CA aws_region=CA
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-AP aws_region=AP
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-CN aws_region=CN
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-GLOBAL aws_region=GLOBAL
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-SA aws_region=SA
 
If I substitute
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-GLOBAL aws_region=GLOBAL src=192.168.1.131

with
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON-GLOBAL aws_region=GLOBAL src=192.168.1.131

it seems to work. It seems to me that it is working because of the higher priority of the WAN policies.
But normally OVPNC1 should have higher priority than OVPNC2, so even that should work as well.... (I tested it the other way round as well (swapped OVPNC 1 and 2); that doesn't work either)

Is there another code I could try instead of ALL 1 or 1 0?
 
I don't have Arlo or Amazon Prime. You have created a blanket ipset for AWS and routed it to VPN2. My guess is Arlo probably uses Amazon Web Services too. While ipset ARLO dnsmasq=arlo.com,arloxcld.com is routed through VPN1, if Arlo is also looking for certain domains hosted in AWS, that traffic will go to VPN2 instead.
I'm not familiar with Amazon Prime. If you can create a more specific ipset for it, it will probably solve your issue.
 
So I want to force the specific devices to use VPN1; all the others should use VPN2.

I do not fully understand your use case. If the above is your requirement, VPN Director alone will do. There is no need to use x3mRouting.
 
Hi Chongnt,
thanks a lot for your input.

What I want to do is that each device in the LAN can use Netflix, Amazon Prime Video and so on. Because some VPNs support Netflix while Amazon Prime is blocked, you have to route the traffic depending on which service you want to use.

So all Amazon Prime traffic is routed via VPN 2, all traffic for Netflix via VPN1. So normally I don't want to use VPN Director, because all traffic from ONE device is routed via ONE VPN.

With x3mRouting and the described configuration everything is fine, except for my Arlo system. It loses the connection. OK, my idea was then that the Arlo device should ignore x3mRouting and everything is routed via VPN1 ---> not working

I tested my configuration and the problem seems to be the Amazon Prime Video policy routes in nat-start.
If they are active with the parameter "ALL 2", it doesn't work.

So I modified my tests in the described way, and the only configuration which seems to work is if "the Arlo device watches Amazon Prime Video via WAN" :) --- meaning that the filter for Amazon Prime Video has to be routed to WAN for that device.

I know that the priority of the policy rules is WAN > VPN 1 > VPN2 > ..... VPN5

So I don't understand why the combination
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AMAZON-GLOBAL aws_region=GLOBAL src=192.168.1.131

is not working, whereas the combination
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON-GLOBAL aws_region=GLOBAL src=192.168.1.131
works as expected in combination with
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 AMAZON-GLOBAL aws_region=GLOBAL

as policy rules for the other devices except Arlo.
 
You are right. I think you need x3mRouting. It is sort of an extension to what VPN Director offers. Say I use VPN Director to route my phone to VPN1. All traffic from my phone will be sent out through VPN1. Traffic from my other devices will go through WAN. Then I use x3mRouting to create an ipset netflix to VPN2. What happens is all Netflix traffic will go through VPN2. Regardless of whether I watch Netflix on my phone or other devices, it will go through VPN2. Other traffic from my phone still goes through VPN1. You cannot say VPN Director does not work.

From this link, Arlo uses Amazon Web Services (AWS) for data storage.

One of the reasons is the blanket Amazon ipset covers not only Amazon Prime but everything else by AWS. I think this is why, when you route the Amazon ipset to VPN2, it breaks Arlo, because Arlo also uses AWS. If you can fine-tune the Amazon ipset to only cover Amazon Prime, this will likely solve your issue.

By the way, I have never tried setting up two x3mRouting rules with the same ipset. Perhaps you can also add the source IP of another device for Amazon Prime and see how it goes?

I would suggest running these commands and getting the output with different x3mRouting rules to have a better view.

Code:
iptables -nvL PREROUTING -t mangle --line
ip rule
 
Dear Chongnt,
thanks for your reply.
I assume your idea about Arlo is right. But on the other hand, why didn't it work if I route everything (including Arlo) over VPN2? I tested that as well without success.
Where can I edit the iptables via nano? I want to take a look at whether there are routes left which are not displayed in VPN Director or the nat-start file.

Here are the results of the commands, currently with Arlo over WAN:

/tmp/home/root# iptables -nvL PREROUTING -t mangle --line


Chain PREROUTING (policy ACCEPT 522K packets, 438M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
2 31545 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000
3 1509 640K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x1000
4 9673 13M MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000
5 0 0 MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x1000
6 9673 13M MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x8000
7 0 0 MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x8000
8 26327 35M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.133 match-set AMAZON-EU dst MARK or 0x8000
9 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.133 match-set AMAZON-US dst MARK or 0x8000
10 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set ARLO dst MARK or 0x1000
11 29021 36M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-EU dst MARK or 0x8000
12 578 67591 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-US dst MARK or 0x8000
13 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-CA dst MARK or 0x8000
14 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-AP dst MARK or 0x8000
15 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-CN dst MARK or 0x8000
16 6379 392K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-GLOBAL dst MARK or 0x8000
17 31380 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x2000
18 1460 624K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x2000
19 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-CA dst MARK or 0x2000
20 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-AP dst MARK or 0x2000
21 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-CN dst MARK or 0x2000
22 7581 563K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-GLOBAL dst MARK or 0x2000
23 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-SA dst MARK or 0x2000
24 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIXdnsmasq dst MARK or 0x1000


/tmp/home/root# ip rule
0: from all lookup local
9810: from all fwmark 0xd2 lookup 210
9990: from all fwmark 0x8000/0x8000 lookup main
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10010: from 192.168.1.1 lookup main
10011: from 192.168.1.0/24 to 192.168.0.1 lookup main
10012: from 192.168.1.0/24 to 192.168.2.1 lookup main
10013: from 192.168.1.0/24 to 192.168.0.114 lookup main
10014: from 192.168.1.0/24 to 192.168.0.112 lookup main
10015: from 192.168.0.112 to 192.168.1.0/24 lookup main
10016: from 192.168.0.114 to 192.168.1.0/24 lookup main
10017: from 192.168.10.0/24 to 192.168.1.77 lookup main
10018: from 192.168.1.77 to 192.168.10.0/24 lookup main
10019: from 192.168.1.88 to 192.168.10.0/24 lookup main
10020: from 192.168.10.0/24 to 192.168.1.88 lookup main
10021: from 192.168.10.0/24 to 192.168.1.0/24 lookup main
10022: from 192.168.1.0/24 to 192.168.10.0/24 lookup main
10023: from 192.168.99.0 lookup main
10024: from 192.168.1.77 to 192.168.99.0/24 lookup main
10025: from 192.168.1.88 to 192.168.9.0/24 lookup main
10026: from 192.168.1.0/24 to 192.168.99.0/24 lookup main
10027: from 192.168.99.0/24 to 192.168.1.0/24 lookup main
10028: from 192.168.1.88 to 192.168.98.0/24 lookup main
10029: from 192.168.1.77 to 192.168.98.0/24 lookup main
10030: from 192.168.98.0 lookup main
10031: from 192.168.98.0/24 to 192.168.1.77 lookup main
10032: from 192.168.98.0/24 to 192.168.1.88 lookup main
10033: from 192.168.0.1 to 192.168.1.0/24 lookup main
10034: from 192.168.1.91 to 192.168.98.0/24 lookup main
10035: from 192.168.98.0/24 to 192.168.1.91 lookup main
10036: from 192.168.1.91 to 192.168.99.0/24 lookup main
10037: from 192.168.99.0/24 to 192.168.1.91 lookup main
10038: from 192.168.1.1 lookup main
10039: from 192.168.1.0/24 to 192.168.0.1 lookup main
10040: from 192.168.1.0/24 to 192.168.2.1 lookup main
10041: from 192.168.1.0/24 to 192.168.0.114 lookup main
10042: from 192.168.1.0/24 to 192.168.0.112 lookup main
10043: from 192.168.10.0/24 lookup main
10044: from 192.168.1.55 to 192.168.10.0/24 lookup main
10045: from 192.168.10.0/24 to 192.168.1.55 lookup main
10046: from 192.168.0.112 to 192.168.1.0/24 lookup main
10047: from 192.168.0.114 to 192.168.1.0/24 lookup main
10048: from 192.168.0.1 to 192.168.1.0/24 lookup main
10049: from 192.168.1.88 to 192.168.10.0/24 lookup main
10050: from 192.168.1.77 to 192.168.10.0/24 lookup main
10051: from 192.168.10.0/24 to 192.168.1.0/24 lookup main
10052: from 192.168.1.0/24 to 192.168.10.0/24 lookup main
10053: from 192.168.99.0 lookup main
10054: from 192.168.1.77 to 192.168.99.0/24 lookup main
10055: from 192.168.1.88 to 192.168.99.0/24 lookup main
10056: from 192.168.1.0/24 to 192.168.99.0/24 lookup main
10057: from 192.168.99.0/24 to 192.168.1.0/24 lookup main
10058: from 192.168.1.1 lookup main
10059: from 192.168.1.0/24 to 192.168.0.1 lookup main
10060: from 192.168.1.0/24 to 192.168.2.1 lookup main
10061: from 192.168.1.77 to 192.168.98.0/24 lookup main
10062: from 192.168.98.0/24 to 192.168.1.77 lookup main
10063: from 192.168.98.0/24 to 192.168.1.88 lookup main
10064: from 192.168.1.88 to 192.168.98.0/24 lookup main
10065: from 192.168.1.134 lookup main
10210: from 192.168.1.66 lookup ovpnc1
10810: from 192.168.1.0/24 lookup ovpnc4
10811: from 192.168.98.0/24 lookup ovpnc4
11010: from 192.168.12.0/24 lookup ovpnc5
11011: from 192.168.12.0/24 lookup ovpnc5
11012: from 192.168.1.0/24 lookup ovpnc5
11013: from 192.168.33.0/24 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default


The result of liststats:
AMAZON-AP - 1240
AMAZON-CA - 126
AMAZON-CN - 167
AMAZON-EU - 1197
AMAZON-GLOBAL - 190
AMAZON-SA - 209
AMAZON-US - 2496
ARLO - 0
NETFLIXdnsmasq - 0
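
The following is an added example, not code from x3mRouting, Asuswrt-Merlin or any poster in this thread. It simulates what the output above implies for the two questions raised in the thread: why a per-device "ALL 1 ... src=" rule loses to a blanket "ALL 2" rule while "1 0 ... src=" wins, and why a mangle rule without "-i br0" is what makes the MYIPSET bypass work for dial-in VPN clients. The MARK target is non-terminating, so a packet that matches several rules carries all their bits OR'd together ("MARK or 0x1000" in the listing), and the ip rule list is then consulted in ascending priority: 9990 (0x8000, main/WAN) before 9994 (0x2000, ovpnc2) before 9995 (0x1000, ovpnc1). The ipset members, the ppp0 dial-in interface, the 192.168.10.5 client address and the priority 10300 of the VPN Director rule for 192.168.10.0/28 are constructed assumptions; the fwmark bits and the x3mRouting ip rule priorities are taken from the posted output.

```python
"""Policy-routing walk-through for the fwmarks and ip rules shown in this thread.

Added example; not code from x3mRouting, Asuswrt-Merlin or any poster. It models:
  * mangle PREROUTING MARK rules are non-terminating: every matching rule ORs
    its bits into the packet's fwmark;
  * `ip rule` entries are tried in ascending priority and the first match picks
    the table: 9990 (0x8000 -> main) before 9994 (0x2000 -> ovpnc2) before
    9995 (0x1000 -> ovpnc1), whatever order the mangle rules were added in.
Ipset members, 'ppp0', 192.168.10.5 and priority 10300 are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

WAN, VPN1, VPN2 = 0x8000, 0x1000, 0x2000      # fwmark bits used by x3mRouting


@dataclass(frozen=True)
class MarkRule:
    mark: int                       # bits OR'd in: -j MARK --set-mark mark/mark
    ipset: str                      # -m set --match-set <ipset> dst
    in_iface: Optional[str] = None  # -i br0; None means any inbound interface
    src: Optional[str] = None       # x3mRouting src=<ip>


@dataclass(frozen=True)
class IpRule:
    prio: int
    table: str
    fwmark: Optional[int] = None    # 'from all fwmark value/mask lookup table'
    mask: int = 0
    src_net: Optional[str] = None   # 'from <prefix> lookup table' (VPN Director)


def apply_marks(pkt: Dict[str, str], chain: List[MarkRule],
                ipsets: Dict[str, FrozenSet[str]]) -> int:
    """Walk the mangle PREROUTING chain; MARK does not terminate the walk."""
    fwmark = 0
    for r in chain:
        if r.in_iface is not None and r.in_iface != pkt["in"]:
            continue
        if r.src is not None and r.src != pkt["src"]:
            continue
        if pkt["dst"] not in ipsets.get(r.ipset, frozenset()):
            continue
        fwmark |= r.mark
    return fwmark


def select_table(pkt: Dict[str, str], fwmark: int, ip_rules: List[IpRule]) -> str:
    """First matching `ip rule` in ascending priority order wins."""
    src = ipaddress.ip_address(pkt["src"])
    for r in sorted(ip_rules, key=lambda x: x.prio):
        if r.fwmark is not None and (fwmark & r.mask) != r.fwmark:
            continue
        if r.src_net is not None and src not in ipaddress.ip_network(r.src_net):
            continue
        return r.table
    return "main"                   # 32766: from all lookup main


def route(pkt, chain, ip_rules, ipsets) -> Tuple[int, str]:
    fwmark = apply_marks(pkt, chain, ipsets)
    return fwmark, select_table(pkt, fwmark, ip_rules)


# The three x3mRouting entries exactly as they appear in the posted `ip rule` output.
X3M_IP_RULES = [
    IpRule(9990, "main", fwmark=WAN, mask=WAN),
    IpRule(9994, "ovpnc2", fwmark=VPN2, mask=VPN2),
    IpRule(9995, "ovpnc1", fwmark=VPN1, mask=VPN1),
]
IPSETS = {                          # constructed members standing in for the real sets
    "AMAZON-EU": frozenset({"52.28.0.10"}),
    "MYIPSET": frozenset({"203.0.113.7"}),
}


def arlo_scenario(per_device_to_wan: bool) -> str:
    """Second poster: 'ALL 2 AMAZON-EU' for the LAN plus a per-device rule for
    192.168.1.131, either 'ALL 1 ... src=' (VPN1 bit) or '1 0 ... src=' (WAN bit)."""
    chain = [
        MarkRule(VPN2, "AMAZON-EU", "br0"),
        MarkRule(WAN if per_device_to_wan else VPN1, "AMAZON-EU", "br0", src="192.168.1.131"),
    ]
    ip_rules = X3M_IP_RULES + [IpRule(10810, "ovpnc4", src_net="192.168.1.0/24")]
    pkt = {"in": "br0", "src": "192.168.1.131", "dst": "52.28.0.10"}
    return route(pkt, chain, ip_rules, IPSETS)[1]


def dial_in_scenario(restrict_to_br0: bool) -> str:
    """First poster: VPN Director sends 192.168.10.0/28 (PPTP clients) to OVPN1;
    MYIPSET destinations should bypass to WAN. Every x3mRouting rule in the posted
    listing carries '-i br0'; chongnt's nat-start rule has no interface match."""
    chain = [MarkRule(WAN, "MYIPSET", "br0" if restrict_to_br0 else None)]
    ip_rules = X3M_IP_RULES + [IpRule(10300, "ovpnc1", src_net="192.168.10.0/28")]  # assumed prio
    pkt = {"in": "ppp0", "src": "192.168.10.5", "dst": "203.0.113.7"}              # assumed
    return route(pkt, chain, ip_rules, IPSETS)[1]


if __name__ == "__main__":
    print("Arlo, 'ALL 1 src=' override  :", arlo_scenario(False))    # ovpnc2
    print("Arlo, '1 0 src=' override    :", arlo_scenario(True))     # main
    print("PPTP client, rule with -i br0:", dial_in_scenario(True))  # ovpnc1
    print("PPTP client, rule without -i :", dial_in_scenario(False)) # main
```

Run it as a script to print the four outcomes. For the Arlo device both 0x2000 and 0x1000 end up set, and the 0x2000 rule at 9994 is checked before the 0x1000 rule at 9995, so the VPN1 override never gets a look-in; only the 0x8000 bit, whose rule sits at 9990, can beat the blanket rule. For the dial-in client the x3mRouting-style rule only matches packets entering on br0, so traffic arriving from the VPN server's interface is never marked and falls through to the VPN Director rule; the nat-start rule without "-i" marks it regardless of interface.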
 
For Amazon Prime Video I only use dnsmasq option 3.
Code:
x3mRouting 5 0 amazonvideo.com dnsmasq=amazonvideo.com
Maybe it helps.
 
Wow, you have a long list of ip rules.

I am confused by some of the x3mRouting rules applied. For example, you have the same ipset marked 0x1000 (VPN1) and 0x2000 (VPN2). I have no idea how it will behave.
Code:
2 31545 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000

17 31380 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x2000

The same for source IP 192.168.1.131
Code:
4 9673 13M MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000

6 9673 13M MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x8000

There is also an overlapping IP range
Code:
8 26327 35M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.133 match-set AMAZON-EU dst MARK or 0x8000

11 29021 36M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-EU dst MARK or 0x8000

I'm running out of ideas. Perhaps it is better to clean up all the rules using the x3mRouting del option and start fresh, adding one rule at a time. Using the del option is the easiest way, as it will delete the iptables rule and clean up dnsmasq.conf.add and the vpnclient-route scripts along with the ipset. You can use the previous command to verify the iptables rules. A reboot afterwards might help too.

You can also try the Amazon Video rules posted above.
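
An added example (not a tool from x3mRouting or any poster) that automates the checks made by eye in the reply above: it parses an "iptables -nvL PREROUTING -t mangle --line" listing and reports ipsets marked for two egresses, per-device overrides that cannot win because the blanket rule's fwmark bit is consulted earlier in ip rule, and overlapping source scopes. The sample listing is a constructed subset of the one posted above; the priorities 9990/9994/9995 are from the posted ip rule output, and the finding names are this example's own.

```python
"""Conflict check for an `iptables -nvL PREROUTING -t mangle --line` listing.

Added example; not a tool from x3mRouting or any poster. It parses the MARK
rules x3mRouting installs (one per ipset, egress and optional source scope)
and reports: the same ipset marked for two egresses, per-device overrides
whose fwmark bit is consulted later in `ip rule` than a blanket rule's bit
(so they can never win), and overlapping source scopes. The sample listing
is a constructed subset of the chain posted in this thread.
"""
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# fwmark bit -> ip rule priority (from the posted `ip rule`); lower number is checked first.
RULE_PRIO = {0x8000: 9990, 0x2000: 9994, 0x1000: 9995}
TABLE = {0x8000: "main (WAN)", 0x2000: "ovpnc2", 0x1000: "ovpnc1"}

# num pkts bytes target prot opt in out source destination [source IP range a-b] match-set S dst MARK or 0x..
RULE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+\S+\s+\S+\s+MARK\s+all\s+--\s+(?P<iface>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+\S+\s+(?:source IP range (?P<rng>\S+)\s+)?"
    r"match-set (?P<ipset>\S+) dst MARK or (?P<mark>0x[0-9a-fA-F]+)"
)


def prio(mark: int) -> int:
    return RULE_PRIO.get(mark, 99999)     # unknown bits sort last


def parse_listing(text: str) -> List[dict]:
    """One dict per x3mRouting MARK rule; header and non-ipset lines (e.g. WireGuard xset) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        lo = hi = None                    # None = blanket rule (any source)
        if m["rng"]:
            a, b = m["rng"].split("-")
            lo, hi = int(ip_address(a)), int(ip_address(b))
        elif m["src"] != "0.0.0.0/0":
            lo = hi = int(ip_address(m["src"]))
        rules.append({"num": int(m["num"]), "iface": m["iface"], "ipset": m["ipset"],
                      "mark": int(m["mark"], 16), "lo": lo, "hi": hi})
    return rules


def lint(text: str) -> List[Tuple]:
    """Findings as (kind, ipset, rule numbers, detail) tuples."""
    by_set: Dict[str, List[dict]] = {}
    for r in parse_listing(text):
        by_set.setdefault(r["ipset"], []).append(r)
    findings: List[Tuple] = []
    for ipset, rs in by_set.items():
        blanket = [r for r in rs if r["lo"] is None]
        scoped = [r for r in rs if r["lo"] is not None]
        marks = sorted({r["mark"] for r in blanket}, key=prio)
        if len(marks) > 1:                # both bits get OR'd in; the earliest ip rule wins
            findings.append(("blanket_conflict", ipset, tuple(r["num"] for r in blanket),
                             TABLE.get(marks[0], hex(marks[0]))))
        for s in scoped:                  # override whose bit is checked after the blanket bit
            for b in blanket:
                if b["mark"] != s["mark"] and prio(b["mark"]) < prio(s["mark"]):
                    findings.append(("override_loses", ipset, (s["num"], b["num"]),
                                     TABLE.get(b["mark"], hex(b["mark"]))))
        for i, a in enumerate(scoped):    # overlapping source ranges for the same ipset
            for c in scoped[i + 1:]:
                if a["lo"] <= c["hi"] and c["lo"] <= a["hi"]:
                    findings.append(("scope_overlap", ipset, (a["num"], c["num"]),
                                     "same mark" if a["mark"] == c["mark"] else "different marks"))
    return findings


# Constructed subset of the listing posted above (counters kept as posted).
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 522K packets, 438M bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- wg21 * 0.0.0.0/0 0.0.0.0/0 /* WireGuard 'server' */ MARK xset 0x1/0x7
2 31545 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000
4 9673 13M MARK all -- br0 * 192.168.1.131 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x1000
8 26327 35M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.133 match-set AMAZON-EU dst MARK or 0x8000
10 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set ARLO dst MARK or 0x1000
11 29021 36M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 source IP range 192.168.1.131-192.168.1.136 match-set AMAZON-EU dst MARK or 0x8000
17 31380 37M MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-EU dst MARK or 0x2000
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_LISTING):
        print(finding)
```

On the router the same check can be run against live output by piping "iptables -nvL PREROUTING -t mangle --line" into the script instead of SAMPLE_LISTING. For the sample it reports AMAZON-EU marked for both ovpnc1 and ovpnc2 (ovpnc2 wins, since 9994 is checked before 9995), the 192.168.1.131 override in rule 4 losing to rule 17 for the same reason, and the three overlapping source scopes; ARLO produces no finding.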
 
