x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)


CannaLucente

Occasional Visitor
Hi Xentrk,

I am trying to add a rule to have a specific ip routed via a different VPN client. When I set it up in the Merlin UI, the rule gets added with a priority too low (10901 in the example below).

Code:
[email protected]:/tmp/home/root# ip rule show
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 192.168.50.1 lookup main
10002:  from 192.168.50.63 lookup main
10003:  from 192.168.50.111 lookup main
10004:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10005:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10006:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10007:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10008:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10009:  from 192.168.50.227 to 198.xx.yy.zzz lookup main
10010:  from 192.168.50.35 lookup main
10011:  from all to 192.168.1.1 lookup main
10101:  from 192.168.50.0/24 lookup ovpnc1
10901:  from 192.168.50.227 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default

Do I have a way to change the priority so that I can put it before 10101? I have tried the following commands but none worked :-(

ip rule add 192.168.50.227 table ovpnc5 metric 10012
ip rule add 192.168.50.227 lookup ovpnc5 metric 10012
ip route add 192.168.50.227 via ovpnc5 metric 10012

What am I doing wrong?

Thanks!
 

Xentrk

Part of the Furniture
I see the issue. Rule 10101 is higher priority than 10901. First match is on priority 10101 which takes precedence over priority 10901.

Reversing the VPN clients may be the easiest approach. Otherwise, you have to code a custom solution. The config of client 5 should be replaced with the content of client 1 and vice versa.

Here is how to delete and add a priority.
Code:
ip rule del prio 10012
ip rule add from 192.168.50.227 table ovpnc5 prio 10012
 
Last edited:

CannaLucente

Occasional Visitor
Hi Xentrk,

thanks for your reply!

I agree swapping VPN1 with VPN5 would make it easier as I could manage everything from the UI. At the moment I was only running some tests as I wasn't sure I actually needed this dedicated routing.

For whatever reason the code you suggested was giving me an error but I have managed to push the rule through by adding a "from", i.e.

Code:
ip rule add from 192.168.50.227 table ovpnc5 prio 10012

Interestingly enough, adding only priority 10012 wasn't working.
I also had to create a rule for the VPN Client 5 (priority 10901 in the log below) in order for my device with IP 192.168.50.227 to use VPN client 5.
I am not sure whether this may be related to me having set the policy rules as strict so something else gets created once you create the first routing rule (my VPN client 5 doesn't have any other rules).
Not sure if this makes any sense?

Code:
[email protected]:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 192.168.50.1 lookup main
10002:  from 192.168.50.63 lookup main
10003:  from 192.168.50.111 lookup main
10004:  from 192.168.50.227 to 198.28.92.137 lookup main
10005:  from 192.168.50.227 to 198.28.92.138 lookup main
10006:  from 192.168.50.227 to 198.28.92.139 lookup main
10007:  from 192.168.50.227 to 198.28.69.137 lookup main
10008:  from 192.168.50.227 to 198.28.69.138 lookup main
10009:  from 192.168.50.227 to 198.28.69.139 lookup main
10010:  from 192.168.50.35 lookup main
10011:  from all to 192.168.1.1 lookup main
10012:  from 192.168.50.227 lookup ovpnc5
10101:  from 192.168.50.0/24 lookup ovpnc1
10901:  from 192.168.50.227 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default

Anyway, all is working now, thanks a lot!
 

Xentrk

Part of the Furniture
I fixed my post to add the missing "from". Glad you got it working. But the ip rule will get purged when you bounce the VPN or restart the router. If you have x3mRouting installed, you can take advantage of the openvpn-event script features. For example, you could create a vpnclient5-route-up script in /jffs/scripts/x3mRouting and add the commands to modify the rules as appropriate.
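One way to make that rule survive a VPN bounce, as an added example that is not x3mRouting's own code nor the poster's: a small helper that a one-line /jffs/scripts/x3mRouting/vpnclient5-route-up could call with `sh ensure_vpn_rule.sh apply` (the helper's name and the `apply` argument are assumptions). It checks the current RPDB before touching anything, so running it on every route-up is safe.

```shell
#!/bin/sh
# ensure_vpn_rule.sh (hypothetical helper, not part of x3mRouting).
# Re-creates the RPDB rule "from 192.168.50.227 table ovpnc5 prio 10012" so it
# sits ahead of the 10101 subnet rule, and does so idempotently, because the
# firmware purges ip rules when the VPN client bounces or the router reboots.
# Usage on the router: sh ensure_vpn_rule.sh apply   (e.g. from vpnclient5-route-up)

SRC="192.168.50.227"
TABLE="ovpnc5"
PRIO="10012"
IP="${IP:-ip}"   # override with a stub when testing off the router

# Succeed if the "ip rule show" output ($1) already has exactly prio $2 / from $3 / lookup $4.
rule_present() {
  printf '%s\n' "$1" | grep -q "^$2:[[:space:]]*from $3 lookup $4\$"
}

# Decide what to run: prints "noop" when the rule is already in place, otherwise
# the two ip(8) argument lists that clear whatever sits at that priority and add it.
plan_rule() {
  # $1 = current "ip rule show" output, $2 = prio, $3 = source, $4 = table
  if rule_present "$1" "$2" "$3" "$4"; then
    echo "noop"
  else
    echo "rule del prio $2"
    echo "rule add from $3 table $4 prio $2"
  fi
}

# Apply the plan with the real ip binary. "rule del" legitimately fails when
# nothing occupies the priority yet, so that step is allowed to return non-zero.
apply_rule() {
  current="$($IP rule show)"
  plan_rule "$current" "$PRIO" "$SRC" "$TABLE" | while read -r args; do
    case "$args" in
      noop) ;;
      "rule del"*) $IP $args 2>/dev/null || true ;;
      *) $IP $args ;;
    esac
  done
}

# Constructed sample of "ip rule show" output, copied from the thread above,
# so plan_rule can be exercised without root or a router.
SAMPLE_RULES='0:      from all lookup local
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
10101:  from 192.168.50.0/24 lookup ovpnc1
10901:  from 192.168.50.227 lookup ovpnc5
32766:  from all lookup main'

if [ "${1:-}" = "apply" ]; then
  apply_rule
else
  echo "dry run against the sample rules:"
  plan_rule "$SAMPLE_RULES" "$PRIO" "$SRC" "$TABLE"
fi
```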
 

CannaLucente

Occasional Visitor
Hi Xentrk,

now that the above is solved I am looking at a way to make it better :)

Rather than having a generic rule for the whole traffic of the device to go via VPN5, I just want a specific subset of traffic to go to the VPN5.

I don't think I can create a simple rule in the UI of VPN Client 5 with source and destination IP as my destination is a DNS name.

So I have done the following:

Code:
x3mRouting ALL 5 IPSET4 dnsmasq=18xxxx.xxx.space src=192.168.50.227

Now my question is... how do I monitor if my traffic is actually been routed via VPN5 or not?

Is there a log which shows which interface requests are routed to, so I can make sure that every other traffic (i.e. not in IPSET4) is not routed via VPN5?

Thanks again for this fantastic tool!
 

Xentrk

Part of the Furniture
For ipset lists, you can monitor the packets traversing the iptables chain using the code below:
Code:
iptables -nvL PREROUTING -t mangle --line

For LAN clients, I use the "ip rule" command. You can also use a whatismyip.com site from the client to confirm the end point.
 

CannaLucente

Occasional Visitor
Thanks for fixing it! OK didn't realise I need to recreate the rule in those cases. Will have a look at the script you mentioned, I am a complete newbie so will probably need to come back for further help :)
 

CannaLucente

Occasional Visitor
For ipset lists, you can monitor the packets traversing the iptables chain using the code below:
Code:
iptables -nvL PREROUTING -t mangle --line

Ah right! I see this, which looks correct as 0x3000 is VPN5 while 0x8000 is WAN.

Code:
[email protected]:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 80210 packets, 32M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      58M   69G BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2    19345 3150K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON dst MARK or 0x8000
3      662  177K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
4     8039  499K MARK       all  --  br0    *       192.168.50.227        0.0.0.0/0            match-set IPSET4 dst MARK or 0x3000

For LAN clients, I use the "ip rule" command. You can also use a whatismyip.com site from the client to confirm the end point.

Ah that's an option too, right. I was worried the underlying IP could change so having the IPSET querying the dnsmasq made me feel more future proof... But maybe that's not the case...

In any case, the first method (with IPSET) should work also in case of router reset, right?
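To tie the two checks together, an added example (not code from the thread or from x3mRouting): it joins the fwmark rules from `ip rule show` with the MARK rules in the mangle PREROUTING chain, so each ipset is reported with the table its mark sends it to and the packet count showing traffic actually hits it. It runs here on the outputs pasted above; on the router you would feed it the live command output.

```shell
#!/bin/sh
# Constructed example: for every ipset MARK rule in the mangle PREROUTING chain,
# report which routing table the fwmark resolves to and how many packets hit it.
# Both inputs are passed as text, so it works on saved output as well as live output.

# Turn "ip rule show" lines such as
#   9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
# into "0x3000 ovpnc5" pairs (mark without its mask, then the table name).
fwmark_tables() {
  printf '%s\n' "$1" | awk '
    /fwmark/ {
      for (i = 1; i <= NF; i++) if ($i == "fwmark") { split($(i + 1), m, "/"); mark = m[1] }
      print mark, $NF
    }'
}

# $1 = output of "iptables -nvL PREROUTING -t mangle --line"
# $2 = output of "ip rule show"
# Prints one line per match-set rule: <set> src=<source> mark=<mark> table=<table> pkts=<n>
report_ipset_marks() {
  pairs="$(fwmark_tables "$2")"
  printf '%s\n' "$1" | awk -v pairs="$pairs" '
    BEGIN {
      n = split(pairs, line, "\n")
      for (i = 1; i <= n; i++) { split(line[i], kv, " "); table[kv[1]] = kv[2] }
    }
    /match-set/ {
      setname = ""; mark = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "match-set") setname = $(i + 1)
        # the target is written "MARK or 0x3000"; the bare MARK in the target column is skipped
        if ($i == "MARK" && $(i + 1) == "or") mark = $(i + 2)
      }
      tbl = (mark in table) ? table[mark] : "unknown"
      # column 2 is the packet counter, column 9 the source match
      printf "%s src=%s mark=%s table=%s pkts=%s\n", setname, $9, mark, tbl, $2
    }'
}

# Constructed samples, copied from the outputs posted in this thread.
SAMPLE_RULES='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 192.168.50.0/24 lookup ovpnc1
32766:  from all lookup main'

SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 80210 packets, 32M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      58M   69G BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
2    19345 3150K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON dst MARK or 0x8000
3      662  177K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
4     8039  499K MARK       all  --  br0    *       192.168.50.227        0.0.0.0/0            match-set IPSET4 dst MARK or 0x3000'

report_ipset_marks "$SAMPLE_MANGLE" "$SAMPLE_RULES"
```

On the router the same call is `report_ipset_marks "$(iptables -nvL PREROUTING -t mangle --line)" "$(ip rule show)"`; a set whose pkts stays at 0 while the client is streaming is the one whose domains are not being captured.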
 

Sean Rhodes

Regular Contributor
I learned a lot since that conversation.

This is the latest iteration that works for BBC using the dnsmasq method.

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
If you copy/paste the above in an SSH session, x3mRouting will create all of the necessary entries. Note that my rule is to route all BBC traffic to VPN Client 3. Adjust the VPN client as necessary.

See if this solves your issues first before trying other solutions. I tested on iPlayer app on iPad, Firefox on Win10 and FireTV. You shouldn't have to rerun the script.

The issue with the GUI is I have to keep it current with the firmware versions as they are released. Best to stay away from using the GUI if you don't intend to stay current with the firmware releases.

Thanks Xentrk, it's working fine so far. I had to perform a nuclear reset due to a dnsmasq issue, but that's for another post. I installed the 384.18 branch from the link you sent me, and then installed the options 1 & 3.

Since there are quite a few differences in the setup from my original post, I have some questions to clarify my understanding of how it all works.

1. In the /jffs/scripts/x3mRouting/x3mRouting_client_rules file, I have set my Apple TV and Roku TV both to 3 for OVPNC3 and the rest to 0 for the WAN - I assume this is where it pulls all the IPs to route through the VPN?

2. I noticed in my nat-start file, it's calling the script you sent me
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
- what exactly is that doing and where does BBC_WEB get stored (I'm assuming that's an IPSET that's tied to the IP rules?)

3. In the VPN GUI, I set client 3 with my VPN server info, and added my AppleTV IP address 10.0.1.60, and left all the other fields blank. Do I even need that added? I assume it pulls the IPs from the x3mRouting_client_rules file as stated in point 1. above?
 

Xentrk

Part of the Furniture
Another method I use in my development to confirm traffic is going to the right interface is to also include a website in the IPSET list that informs you of your IP address, e.g. whatismyipaddress.com, whatismyip.com

In the case of whatismyipaddress.com, you can do an "nslookup whatismyipaddress.com" to get the IPv4 addresses. If I recall, there are two IPv4 addresses associated with the site. Add these two IPs to the IPSET list using the ipset add command:

ipset add SETNAME ADD-ENTRY

e.g. ipset add IPSET4 xxx.xxx.xxx.xxx

To remove:
ipset del SETNAME DEL-ENTRY
 

Xentrk

Part of the Furniture
1. You can use the "ip rule" command to confirm the RPDB rules for LAN devices. Those devices assigned to use the WAN won't appear on the list as the WAN0 is the default interface.

2. In a nutshell, the ipset feature is integrated into dnsmasq. When a query on a domain containing the top level domain name is performed, dnsmasq will load the IPv4 entry in the IPSET list. You can view the contents of the list using the "ipset -L MYLIST" command, where MYLIST is the name of your ipset list. At 2AM, the list is backed up to /opt/tmp/MYLIST so it can be reloaded at boot. You can view the entries in the dnsmasq.log file as follows:

grep ipset /opt/var/log/dnsmasq.log
Code:
Nov 19 05:33:41 dnsmasq[15642]: ipset add NETFLIX-DNS 34.235.252.0 ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com
Nov 19 05:33:41 dnsmasq[15642]: ipset add NETFLIX-DNS 52.45.65.128 ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com
Nov 19 05:33:41 dnsmasq[15642]: ipset add NETFLIX-DNS 54.221.137.245 ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com
Nov 19 05:43:57 dnsmasq[15642]: query[A] ipset.netfilter.org from 192.168.22.152
Nov 19 05:43:57 dnsmasq[15642]: forwarded ipset.netfilter.org to 127.0.0.1
Nov 19 05:43:57 dnsmasq[15642]: query[A] ipset.netfilter.org from 192.168.22.152
Nov 19 05:43:57 dnsmasq[15642]: forwarded ipset.netfilter.org to 127.0.0.1
Nov 19 05:43:58 dnsmasq[15642]: query[A] ipset.netfilter.org from 192.168.22.152
Nov 19 05:43:58 dnsmasq[15642]: forwarded ipset.netfilter.org to 127.0.0.1
Nov 19 05:43:58 dnsmasq[15642]: reply ipset.netfilter.org is <CNAME>
IPSET Man Page

3. The LAN Client Routing feature of x3mRouting and the ability to use the GUI to also create rules for LAN clients can coexist. The code first processes the entries in the GUI before appending the entries defined by using the LAN Client Routing feature. It does not check for duplicate entries. Use the "ip rule" command to view. Not sure if I answered the question though.
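Beyond the grep, an added example (not x3mRouting code) that audits the same dnsmasq.log: it counts the unique addresses dnsmasq pushed into each set and lists A answers that no ipset add covered, which is the first thing to look at when a stream stalls and a domain may be missing from the dnsmasq= list. The log lines are constructed in the format shown above; the open.live.bbc.co.uk and example-cdn.test hostnames and the 203.0.113.x/198.51.100.x addresses are made up.

```shell
#!/bin/sh
# Constructed example: audit ipset activity in dnsmasq.log. dnsmasq must be
# logging queries (log-queries) for the query/reply lines to be present.

# $1 = log text; prints "<set> <unique-ip-count>", one line per set, sorted.
ipset_summary() {
  printf '%s\n' "$1" | awk '
    /dnsmasq\[[0-9]+\]: ipset add / {
      # ... ipset add <set> <ip> <hostname>
      key = $(NF - 2) SUBSEP $(NF - 1)
      if (!(key in seen)) { seen[key] = 1; count[$(NF - 2)]++ }
    }
    END { for (s in count) print s, count[s] }' | sort
}

# $1 = log text; prints "<hostname> <ipv4>" for every A answer whose address
# was never added to any set. Keyed by address, not hostname, because dnsmasq
# logs the add against the final CNAME target rather than the queried name.
uncaptured_answers() {
  printf '%s\n' "$1" | awk '
    /dnsmasq\[[0-9]+\]: ipset add / { added[$(NF - 1)] = 1; next }
    /dnsmasq\[[0-9]+\]: reply / && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      # ... reply <hostname> is <ip>   ("is <CNAME>" lines fail the address test)
      answer[$(NF - 2) " " $NF] = 1
    }
    END {
      for (a in answer) { split(a, p, " "); if (!(p[2] in added)) print a }
    }' | sort
}

# Constructed sample: the NETFLIX-DNS lines are from the post above, the rest are
# made up to show one captured and one uncaptured answer.
SAMPLE_LOG='Nov 19 05:33:41 dnsmasq[15642]: ipset add NETFLIX-DNS 34.235.252.0 ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com
Nov 19 05:33:41 dnsmasq[15642]: ipset add NETFLIX-DNS 52.45.65.128 ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com
Nov 19 05:33:41 dnsmasq[15642]: reply ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com is 34.235.252.0
Nov 19 05:33:41 dnsmasq[15642]: reply ds-uset1-ext-prod-a-1310415597.us-east-1.elb.amazonaws.com is 52.45.65.128
Nov 19 05:43:58 dnsmasq[15642]: reply ipset.netfilter.org is <CNAME>
Nov 19 05:44:02 dnsmasq[15642]: query[A] open.live.bbc.co.uk from 192.168.22.152
Nov 19 05:44:02 dnsmasq[15642]: ipset add BBC_WEB 203.0.113.10 open.live.bbc.co.uk
Nov 19 05:44:02 dnsmasq[15642]: reply open.live.bbc.co.uk is 203.0.113.10
Nov 19 05:44:05 dnsmasq[15642]: query[A] example-cdn.test from 192.168.22.152
Nov 19 05:44:05 dnsmasq[15642]: reply example-cdn.test is 198.51.100.7'

echo "unique IPs per set:"
ipset_summary "$SAMPLE_LOG"
echo "answers not captured by any set:"
uncaptured_answers "$SAMPLE_LOG"
```

On the router, run it against the real file with `uncaptured_answers "$(cat /opt/var/log/dnsmasq.log)"` while reproducing the stall on the client.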
 

Sean Rhodes

Regular Contributor
This helps! Thanks Xentrk
 

Sean Rhodes

Regular Contributor
Everything is working, I noticed a couple of times when one show ends the second doesn't always start, and the black screen has a small blocked symbol at the bottom. If I back out and manually select then it works. I suspect iPlayer is making some call which is blocked hence the black screen, so likely an IP has been missed. I presume I should be able to see that in dnsmasq, correct?

Also would you advise enabling DNS Filter=ON and setting DNS Filter=ROUTER? currently I have them both off after my unbound issue which ended up blocking my whole network
 

Xentrk

Part of the Furniture
With the dnsmasq method, you should have DNSFilter enabled and set to Router so all devices are forced to use the DNS specified by the router. Otherwise, DNS on the LAN client takes precedence.

I can make another pass at mining domain names later today to see if some new ones have been added since I last did the analysis. I will let you know what I find out. In gathering those domains, I went to the BBC website and selected all of the options and surfed around. I also did the same with iPlayer on browser and FireTV. What streaming device are you using when testing?
 

Sean Rhodes

Regular Contributor
I'm using Apple TV 4 for streaming. I have a Roku TV also, but I need to create a UK Roku account in order to download iPlayer onto it (or mirror to it)
 

Xentrk

Part of the Furniture
I used the autoscan.sh and getdomainnames.sh to analyze the domains. autoscan is searching for any domain with the "bbc" reference and outputting the top level domain name. Here is a snip from autoscan.sh:

Code:
 sh autoscan.sh autoscan=bbc

2cnt.net
bbc.com
bbcverticals.com
cloudfunctions.net
co.uk
fastly.net
llnwi.net
net.uk

getdomainnames.sh is a little more noisy as it will pick up all traffic from the device specified. I used my laptop and shut down most apps I could. I didn't specify the riddle.com and akamai.net domains and it seems to work.
Code:
a1488.w16.akamai.net
b2rbsov.bidi.live.bbc.co.uk
bbc.map.fastly.net
bitesize.files.bbci.co.uk
boomr.iplayer.api.bbc.co.uk
cdn.riddle.com
childrens-binary.files.bbci.co.uk
childrens-web.files.bbci.co.uk
cookie-oven.api.bbc.co.uk
d1joia3f2630yx.cloudfront.net
e1534.dscb.akamaiedge.net
e3891.dscf.akamaiedge.net
europe-west1-bbc-otg-traf-mgr-bq-prod-4591.cloudfunctions.net
gn-web-assets.api.bbc.com
graph.ibl.api.bbc.co.uk
ibl-live-alb-ibl-edibl-196200881.eu-west-1.elb.amazonaws.com
ibl.api.bbc.co.uk
ibl.api.bbci.co.uk
ichef.bbci.co.uk
idcta.api.bbc.co.uk
iplayer-web.files.bbci.co.uk
live-boom-componen-jfwbkqnbc592-729160446.eu-west-1.elb.amazonaws.com
live-compo-oyhzo7uy78p6-2104956810.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
m.files.bbci.co.uk
ocsp.pki.goog
pki-goog.l.google.com
preferences.notifications.api.bbc.com
static-web-assets.gnl-common.bbcverticals.com
static.files.bbci.co.uk
telemetry.dropbox.com
time.akamai.com
vs-cmaf-push-uk.live.cf.md.bbci.co.uk
vs-dash-uk-live.akamaized.net
weather-broker-cdn.api.bbci.co.uk
weather.files.bbci.co.uk
www.bbc.com
www.riddle.com

I first removed the old entry using the command:
Code:
x3mRouting ipset_name=BBC_WEB del

I chose not to remove the save/restore file though.

New entry below. There was some redundancy in the first one I gave you. Note the IPSET name change. I'll revert back to the prior name once everything checks out okay. So far so good.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB3 dnsmasq=2cnt.net,bbcverticals.com,cloudfunctions.net,co.uk,bbc.com,fastly.net,gscontxt.net,llnwi.net,net.uk
See GitHub for more information on the x3mRouting Utility Scripts
 
Last edited:

Xentrk

Part of the Furniture
The ASN Lookup Tool can also help. What I find interesting is AWS servers appear to also be involved. Probably explains why I had issues with using the ASN method. What is interesting is I also have a rule to route Amazon AWS GLOBAL region to my Private IP in USA. The rule is before the BBC rule. It all seems to work though. I have rules to route streaming media to 3 different VPN tunnels.

Code:
asn bbc.uk.com

-----------------------------
| ASN lookup for bbc.uk.com |
-----------------------------

- Resolving "bbc.uk.com"... 10 IP addresses found:

        212.58.249.206 +PTR bbc-vip144.lbh.bbc.co.uk
                       +ASN 2818 (BBC BBC Internet Services, UK, GB)
                       +ORG BBC
                       +NET 212.58.224.0/19 (UK-BBC-991005)
                       +ABU [email protected]
                       +GEO Maidenhead, England (GB)

        212.58.244.210 +PTR bbc-vip174.telhc.bbc.co.uk
                       +ASN 2818 (BBC BBC Internet Services, UK, GB)
                       +ORG BBC
                       +NET 212.58.224.0/19 (BBC-TELHC-WWW-1)
                       +ABU [email protected]
                       +GEO London, England (GB)
<snip>

Code:
asn ibl.api.bbc.co.uk

------------------------------------
| ASN lookup for ibl.api.bbc.co.uk |
------------------------------------

- Resolving "ibl.api.bbc.co.uk"... 8 IP addresses found:

    54.76.62.59 +PTR ec2-54-76-62-59.eu-west-1.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 54.76.0.0/15 (AMAZON-2011L)
                +ABU [email protected]
                +GEO Dublin, Dublin (IE)

    52.31.93.96 +PTR ec2-52-31-93-96.eu-west-1.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 52.30.0.0/15 (AMAZON-DUB)
                +ABU [email protected]
                +GEO Dublin, Dublin (IE)
<snip>
 
Last edited:

Sean Rhodes

Regular Contributor
Thanks for all this info, I'll remove the BBC_WEB IPSET and replace it with the one in the previous post you sent, then tomorrow I'll play with your scripts to get a better feel for it. I want to see if I can duplicate on my iPad using another OVPNC and starting from scratch using your posts.
 
Last edited:

wolvenstein

New Around Here
The AWS region method using US or GLOBAL worked last time I tested it. Or, the ASN method using AS16509, which also happens to be the same ASN used by Netflix.

ASN Lookup Tool Output
Code:
# asn disneyplus.com

---------------------------------
| ASN lookup for disneyplus.com |
---------------------------------

- Resolving "disneyplus.com"... 1 IP address found:

54.71.61.241 +PTR ec2-54-71-61-241.us-west-2.compute.amazonaws.com
              +ASN 16509 (AMAZON-02, US)
              +ORG Amazon.com, Inc.
              +NET 54.70.0.0/15 (AMAZON-2011L)
              +ABU [email protected]
              +GEO Portland, Oregon (US)
<snip>

Code:
# asn netflix.com

------------------------------
| ASN lookup for netflix.com |
------------------------------

- Resolving "netflix.com"... 8 IP addresses found:

   52.18.96.227 +PTR ec2-52-18-96-227.eu-west-1.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 52.18.0.0/15 (AMAZON-DUB)
                +ABU [email protected]
                +GEO Dublin, Dublin (IE)

This might be the root cause. Because I’m routing Netflix to WAN. Including the ASN and Amazon US region.

Seems this is conflicting with Disney+?
 

Xentrk

Part of the Furniture
Probably, so many streaming services are using AWS these days. So, using Amazon AWS or ASN method may cast too wide of a net.

In /jffs/scripts/nat-start file, try moving Disney to the top of the file before the Netflix VPN Bypass. Use the dnsmasq method for Disney and Netflix to avoid conflicts.

Disney
dnsmasq=demdex.net,disney-plus.net,disneyplus.co,disneyplus.com,dssott.com,go.com


Netflix
dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

If you still have issues, you may have to get a Private VPN IP address and send all AWS traffic to it. That is what I do for the services that block known VPN servers.
 
Last edited:
