x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Sorry, yes, I should have mentioned: I am using Yaz-Fi to route VPN 2 through Guest Network 3.

I'm fine to use the ipset on my main Wifi network for now then, if this needs some further investigation.

Could I please just check with you, once I run the shell command as above, is there another step that I'm missing, or should that now start to route Netflix traffic over the WAN interface? I tried this but I receive the proxy error, so it must still be coming across the VPN. This is on my normal 192.168.1.0 subnet (no guest Wifi).
 
You will need to automatically execute the script at system boot and when you start or bounce the VPN client. If you only use Method 3 - x3mRouting IPSET Shell Script Method, you can execute the scripts from /jffs/scripts/nat-start.

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

Make sure to chmod 755 /jffs/scripts/nat-start to make nat-start executable.

There is another option using openvpn-event, which you can read about in the README in the "run scripts at system boot" section.

There was one edge case where the load script had to be called from both nat-start and from openvpn-event. Since you are routing NF to the WAN iface, placing the load script in /jffs/scripts/nat-start should suffice.
 
Thanks for your help. I added the shell script loading line to the bottom of /jffs/scripts/nat-start and also chmoded it. Still no joy, unfortunately.

I've checked that the ipset is being created properly and also that it is being populated with the Netflix IP addresses, which it is, but traffic is not running over the WAN (I did a soft reboot of the router too).

I'm wondering whether the problem is with the routing rules I have set up in the VPN client config? I have added a rule to route all IP addresses through VPN 1, unless they fall within a certain range which I use for my Sonos speakers, as they do not like the VPN. The device I'm testing on (Shield) has an IP address that uses VPN 1, since I want to use the VPN for other streams, just not for any Netflix traffic.

The ipset takes precedence over this, right?
 
The routing rules for Netflix over the WAN interface will be a higher priority than the other routing rules defined in the Policy Routing section on the OpenVPN Client screen.

At the SSH command line, type the command ip rule to display the priority of the routing rules. Rules are applied in the order the list is displayed. The lower the priority number the higher the priority. In the example below, the WAN rule is the one with priority 9990:

Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10104:  from 192.168.1.150 lookup ovpnc1
10105:  from 192.168.1.151 lookup ovpnc1
10106:  from 192.168.1.153 lookup ovpnc1
10107:  from 192.168.1.154 lookup ovpnc1
10301:  from 192.168.1.165 lookup ovpnc2
10302:  from 192.168.1.149 lookup ovpnc2
10303:  from 192.168.1.152 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default

Also, you may need to add a DummyVPN entry in the VPN Client GUI if you require the ability to exploit the Accept DNS Configuration=Exclusive option, which only creates the appropriate DNSVPN iptables chain if the Policy Rules table isn't empty.

You can also use the command
Code:
iptables -nvL PREROUTING -t mangle --line
to display the number of packets and bytes traversing the iptables rule which can be used as confirmation that traffic is being routed according to the rule:

Code:
Chain PREROUTING (policy ACCEPT 5808K packets, 6404M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     661K  863M MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        1    60 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4    76880   70M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5    2030K 2737M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
6        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
7        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK set 0x1000
8    1067K   60M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB dst MARK set 0x1000
9    33488 6945K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON dst MARK set 0x1000
10    129K 9898K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set MOVETV dst MARK set 0x3000
11   27284 5635K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_WEB dst MARK set 0x3000
12       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK set 0x4000
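The priority reasoning above (lowest number first, first match wins, and the fwmark rule at 9990 therefore beating any per-client or per-subnet rule further down) can be checked offline. The script below is an added example, not code from this thread or from the x3mRouting project: it walks an `ip rule` listing the way the kernel does and reports which table a packet from a given LAN client with a given fwmark would hit. The rule list is the one Chris_J posted later in the thread, embedded as constructed input; the mark value 0x8000 is the one x3mRouting's PREROUTING rule ORs in for NETFLIX destinations. The helper names (`lookup_table`, `in_cidr`, `mark_matches`) are this example's own, and it skips the `local` table as a simplification, since that table only holds the router's own addresses.

```sh
#!/bin/sh
# Added example, not code from the thread or from x3mRouting: walk an `ip rule`
# listing the way the kernel does (ascending priority, first match wins) to show
# which routing table a packet from a given LAN client with a given fwmark hits.
# It only resolves the table; it does not look inside the tables themselves.

# Constructed input: the `ip rule` output Chris_J posted in this thread.
RULES='0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.30/31 lookup main
10002:    from 192.168.1.32/29 lookup main
10101:    from 192.168.2.0/24 lookup ovpnc1
10102:    from 192.168.1.0/24 lookup ovpnc1
10301:    from 192.168.7.0/24 lookup ovpnc2
32766:    from all lookup main
32767:    from all lookup default'

# dotted quad -> 32-bit integer
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP all|NET/BITS|HOST
in_cidr() {
  [ "$2" = all ] && return 0
  net=${2%/*} bits=${2#*/}
  [ "$net" = "$2" ] && bits=32                   # bare host address
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# mark_matches MARK -|VALUE[/MASK]   (kernel semantics: (mark & MASK) == VALUE)
mark_matches() {
  [ "$2" = - ] && return 0
  val=${2%/*} msk=${2#*/}
  [ "$msk" = "$2" ] && msk=0xFFFFFFFF
  [ $(( $1 & $msk )) -eq $(( $val & $msk )) ]
}

# lookup_table SRC_IP MARK -> "<priority> <table>" of the first matching rule
lookup_table() {
  src=$1 mark=$2
  while read -r prio rest; do
    set -- $rest                 # from <sel> [fwmark <val>/<mask>] lookup <table>
    sel=$2 spec=- table=$4
    [ "$3" = fwmark ] && { spec=$4; table=$6; }
    # Simplification: the local table only holds the router's own addresses, so a
    # LAN client never matches it; skip it rather than model its contents.
    [ "$table" = local ] && continue
    if in_cidr "$src" "$sel" && mark_matches "$mark" "$spec"; then
      echo "$prio $table"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo "no match"
  return 1
}

# Stand-alone run: 0x8000 is the mark x3mRouting's PREROUTING rule ORs in for NETFLIX
# destinations; 0 is any other traffic from the same client.
for probe in "192.168.1.150 0x8000" "192.168.1.150 0" "192.168.7.20 0x8000" "192.168.7.20 0" "192.168.1.31 0"; do
  set -- $probe
  printf '%-14s fwmark %-6s -> %s\n' "$1" "$2" "$(lookup_table "$1" "$2")"
done
```

The point it makes visible: a 192.168.1.0/24 client with the NETFLIX mark lands in `main` at priority 9990 before its own `lookup ovpnc1` rule at 10102 is ever consulted, and the Sonos ranges at 10001/10002 reach `main` without any mark at all. A mark that also carries other bits (0x9000) still matches 9990 because the rule's mask is 0x8000.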
 
The routing rules appear exactly as I would expect, so that looks fine to me:

Code:
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10001:    from 192.168.1.30/31 lookup main
10002:    from 192.168.1.32/29 lookup main
10101:    from 192.168.2.0/24 lookup ovpnc1
10102:    from 192.168.1.0/24 lookup ovpnc1
10301:    from 192.168.7.0/24 lookup ovpnc2
32766:    from all lookup main
32767:    from all lookup default

Addresses that are in the different subnets are guest Wifi networks that I have set up that run over different VPN clients.

The ip rules table gives the following output:

Code:
Chain PREROUTING (policy ACCEPT 8209 packets, 3950K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    18130   23M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2      18M   24G MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3      315 19167 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000

The number of bytes sent/received on entry No.3 changes if I open Netflix on any device on the network. The problem is, I still receive the proxy error on Netflix Android TV and nothing loads when using the Netflix mobile.

Regarding the dummy VPN, I'm not using Exclusive DNS routing for any of the VPN clients, as I'm running Diversion Ad blocker, as well as DNSFilter (set to router) and DNS privacy (DoT). Therefore, my VPN clients have accept DNS config = Disabled.

I suspect I've made everything very complicated, certainly in terms of DNS settings, so it's difficult to trace what is going wrong here. I may go with plan B and simply have another guest Wifi network that routes over WAN iface. Then when anyone wants to use Netflix, they can switch to this. Not as elegant as your solution, but never mind :)

Thanks again!
 
You are the first one I know of to try to use x3mRouting with YazFi.

Can you define routing rules for each device on your network rather than using the Guest Network method of YazFi? You can either specify each client or range of IP addresses in the OpenVPN Client GUI Policy Routing Section or install Option 1 - x3mRouting LAN Clients Method which gives you a list of each client and allows you to easily assign the interface for the client.
 
My main use for YazFi is to have separate networks for any IoT devices, isolating them from the rest of the network. Also, I like to have one network where the VPN is off, for redundancy.

I can't really define the rules for each client separately, as the rules generally change depending on what the user is doing. For example, my laptop is usually connected to VPN1 for everyday use, however, when I work from home, I have to connect into my company network using their own VPN client. I would then switch to the guest network with VPN off, in order to avoid routing a VPN over VPN (which cripples the network speeds).

I agree with your previous comment, that there may be some clashes with YazFi and your project.
 

I think the problem is because the guest Wi-Fi you are connected to is on a different subnet than the LAN IP address. But I need more time to look into it. There may be an iptables rule that can bridge the two together. Similar to the recently added update to x3mRouting that allows users to connect to a VPN Client interface when connecting remotely from the router's VPN Server.

I can see how YazFi helps for your use case from your explanation. I have my laptop configured on the router to use one of the OpenVPN client interfaces. When I need to connect to a site I support, I need to first log into an SSH session on my router and delete the rule to route my laptop to the OpenVPN client interface so I get routed to the WAN. If I don't, I experience a very sluggish connection since I am traversing through two different tunnels + the encryption overhead.
 
@Chris_J
When you run the command ip route, do you see a line for the guest Wi-Fi? It would look something like this, but "tun13" is the interface for OpenVPN Client 3.

Code:
10.34.1.142 dev tun13  proto kernel  scope link  src 10.34.1.141

What I am interested in is the interface name listed after the word "dev".
 
Code:
10.8.0.0/16 dev tun12  proto kernel  scope link  src 10.8.253.65
10.8.2.0/24 dev tun11  proto kernel  scope link  src 10.8.2.2
127.0.0.0/8 dev lo  scope link
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.2.0/24 dev wl0.1  proto kernel  scope link  src 192.168.2.1
192.168.5.0/24 dev wl1.1  proto kernel  scope link  src 192.168.5.1
192.168.6.0/24 dev wl1.2  proto kernel  scope link  src 192.168.6.1
192.168.7.0/24 dev wl1.3  proto kernel  scope link  src 192.168.7.1

Just for clarification, from the YazFi configuration, guest Wifi iface names are called up as follows:

2.4GHZ
1 = wl0.1
2 = wl0.2
3 = wl0.3

5Ghz
1 = wl1.1
2 = wl1.2
3 = wl1.3
 
Thanks! I will install YazFi tomorrow on my router to test the iptable rules I think are required to make it work.
 
Now's a good time if you need me to implement anything, as I'm currently adding a feature to YazFi to give me a break before the release of a new script :)
 
@Chris_J

I had success with routing NETFLIX with the following iptables commands when connected to the Guest Network client.

Code:
iptables -t nat -A POSTROUTING -s 192.168.7.0/24  -o br0 -j MASQUERADE
iptables -t mangle -A PREROUTING -i wl1.3 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000

If it works, please let me know and I can write a user friendly script that does the configuration.

To make it permanent, install Option 6 - OpenVPN Event script. Then, in /jffs/scripts/x3mRouting, create the following scripts and chmod to 755:

vpnclientX-route-up (X = the VPN client number the Guest WiFi is configured to use)
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
# (re)create the NETFLIX ipset and its WAN routing rule
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

# delete before adding so a VPN bounce never stacks duplicate rules
iptables -t nat -D POSTROUTING -s 192.168.7.0/24 -o br0 -j MASQUERADE 2>/dev/null
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -o br0 -j MASQUERADE
iptables -t mangle -D PREROUTING -i wl1.3 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i wl1.3 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000
logger -st "($(basename "$0"))" $$ Ending Script Execution

vpnclientX-down (X = the VPN client number the Guest WiFi is configured to use)
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
# remove the guest-network rules when the tunnel goes down
iptables -t nat -D POSTROUTING -s 192.168.7.0/24 -o br0 -j MASQUERADE 2>/dev/null
iptables -t mangle -D PREROUTING -i wl1.3 -m set --match-set NETFLIX dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
logger -st "($(basename "$0"))" $$ Ending Script Execution


@Jack Yaz, it does not appear that any changes will be required to YazFi.
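The route-up and down scripts above hard-code one guest interface, one subnet, one ipset and the WAN target. The script below is an added example, not code from this thread or from x3mRouting, that emits the same idempotent rule set for any YazFi guest interface, subnet, ipset and x3mRouting target, printing the iptables commands rather than running them so they can be reviewed or redirected into a vpnclientX-route-up / vpnclientX-down script. The fwmark per target is read off the `ip rule` listing earlier in the thread (0x8000 for WAN, 0x1000/0x2000/0x4000/0x7000/0x3000 for clients 1 to 5) and the interface naming follows Chris_J's YazFi list; both are assumed to hold on the reader's build. The thread confirmed the MASQUERADE rule only for the WAN target, so reusing it for a VPN-client target is this example's assumption, and the function names (`guest_rules`, `yazfi_iface`, `fwmark_for_target`) are its own.

```sh
#!/bin/sh
# Added example (not from the thread or the x3mRouting project): emit the guest-network
# selective-routing rules from the post above for any YazFi guest interface, subnet,
# ipset and x3mRouting target. Nothing here runs iptables; it prints the commands.

# fwmark per target, read off the `ip rule` listing earlier in the thread
# (0 = WAN via the main table). Assumed to hold for the reader's firmware build.
fwmark_for_target() {
  case $1 in
    0) echo 0x8000 ;;
    1) echo 0x1000 ;;
    2) echo 0x2000 ;;
    3) echo 0x4000 ;;
    4) echo 0x7000 ;;
    5) echo 0x3000 ;;
    *) echo "fwmark_for_target: target must be 0 (WAN) or 1-5 (VPN client), got '$1'" >&2; return 1 ;;
  esac
}

# YazFi guest interface names as Chris_J listed them: 2.4 GHz guest N -> wl0.N, 5 GHz guest N -> wl1.N
yazfi_iface() {
  case "$1:$2" in
    2.4:[123]) echo "wl0.$2" ;;
    5:[123])   echo "wl1.$2" ;;
    *) echo "yazfi_iface: expected band 2.4|5 and guest index 1-3, got '$1' '$2'" >&2; return 1 ;;
  esac
}

# guest_rules up|down IFACE SUBNET IPSET TARGET
# "up" deletes then re-adds both rules so a VPN bounce (route-up firing again) never
# stacks duplicates; "down" only deletes. The ipset must already exist, so run
# load_ASN_ipset_iface.sh first, as the route-up script in the thread does.
guest_rules() {
  action=$1 iface=$2 subnet=$3 ipset=$4
  mark=$(fwmark_for_target "$5") || return 1
  case $action in up|down) ;; *) echo "guest_rules: action must be up or down" >&2; return 1 ;; esac
  case $subnet in */*) ;; *) echo "guest_rules: SUBNET must be CIDR, e.g. 192.168.7.0/24" >&2; return 1 ;; esac
  case $iface in wl[01].[123]) ;; *) echo "guest_rules: IFACE must be a YazFi guest interface (wl0.N / wl1.N)" >&2; return 1 ;; esac
  # MASQUERADE on br0 is what the thread used to bridge the guest subnet to the ipset rules;
  # it was confirmed only for the WAN target (0), so for targets 1-5 this is an assumption.
  nat="POSTROUTING -s $subnet -o br0 -j MASQUERADE"
  mangle="PREROUTING -i $iface -m set --match-set $ipset dst -j MARK --set-mark $mark/$mark"
  echo "iptables -t nat -D $nat 2>/dev/null"
  echo "iptables -t mangle -D $mangle 2>/dev/null"
  if [ "$action" = up ]; then
    echo "iptables -t nat -A $nat"
    echo "iptables -t mangle -A $mangle"
  fi
}

# Stand-alone run: reproduce the rules from the post (5 GHz guest 3, 192.168.7.0/24, NETFLIX to WAN)
guest_rules up "$(yazfi_iface 5 3)" 192.168.7.0/24 NETFLIX 0
```

Running it as shown prints the four lines of the route-up script above; `guest_rules down ...` prints only the two delete lines, and `guest_rules up wl0.1 192.168.2.0/24 BBC_WEB 2` gives the corresponding rule set for routing BBC from guest 1 on 2.4 GHz through VPN Client 2, with the 0x2000/0x2000 mark that matches the ovpnc2 rule in `ip rule`.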
 
Please note that entware pushed an update yesterday. I updated/upgraded to see if the "jq" utility got fixed as I use the utility to parse the Amazon AWS json file to obtain the IP addresses for each region. Unfortunately, it is still broken:

Code:
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory

For those who use the script for Amazon Prime viewing in the US, you can change to the ASN method and use AS16509.

Edit:
I found a fix for the jq issue!!!

From /jffs/scripts directory type the command to find the location of entware and the file that starts with the name libonig.so*:

Code:
find / -iname 'libonig.so*'

My command returns:
Code:
/tmp/mnt/entware/entware/lib/libonig.so.5

Navigate to the directory (note this is my location, yours may differ)
Code:
cd /tmp/mnt/entware/entware/lib

Copy libonig.so.5 to libonig.so
Code:
cp libonig.so.5 libonig.so

I updated the Issue on entware GitHub page with the work around solution.
 
@Xentrk

Great work! Apologies for the delayed reply, but I now have it up and running as expected on Wifi guest 3! I still have a 'VPN off' network which users could still use for Netflix, but glad this works now on the other network, at least for my sanity!

I'm going to follow the same procedure for BBC, except route this over VPN Client 2.
 
That is great news! I can't take full credit though. The forum expert on Selective Routing, @Martineau, is the one who taught me how to bridge two subnets to use the IPSET rules. This project never would have happened without his support and expertise.
 
Is there any easy way to set up Netflix only via VPN? If yes, what's the best option for ExpressVPN?
For me, I route NF to the client 1 tunnel:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

To have the rule persist at boot, create /jffs/scripts/nat-start
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

Another option is to install option 6 - OpenVPN Event

Then, in /jffs/scripts/x3mRouting, create a corresponding script called vpnclientX-route-up for each OpenVPN Client used by x3mRouting, where the "X" is the OpenVPN Client number 1, 2, 3, 4 or 5. Then, add the required entry for each x3mRouting script that requires routing through the OpenVPN Client.

/jffs/scripts/x3mRouting/vpnclient1-route-up

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

If you don't have any entries in the Policy Routing table, create a DummyVPN entry.
 
The first option gives me this:
Code:
admin@RT-AC86U-8020:/tmp/home/root# sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
(load_ASN_ipset_iface.sh): 19795 Starting Script Execution
(load_ASN_ipset_iface.sh): 19795 Selective Routing Rule via VPN Client 1 created for NETFLIX (TAG fwmark 0x1000/0x1000)
(load_ASN_ipset_iface.sh): 19795 Ending Script Execution
It looks like everything is going through the VPN. For now my best option is to disable OpenVPN after I finish watching Netflix (it's blocking my other streaming services, HBO GO and Amazon).
 