x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


suxus

Occasional Visitor
Hello, I think I am using the wrong method (1. x3mRouting for LAN Clients Method) to watch Netflix. Is it right that I must use method 2 (x3mRouting OpenVPN Client Screen & IPSET Shell Scripts Method) when I want to watch Netflix, so that the routing for Netflix goes through the WAN and not through the VPN?

If yes, how can I remove/delete method 1?

Greetings
 

Xentrk

Part of the Furniture
Hello, I think I am using the wrong method (1. x3mRouting for LAN Clients Method) to watch Netflix. Is it right that I must use method 2 (x3mRouting OpenVPN Client Screen & IPSET Shell Scripts Method) when I want to watch Netflix, so that the routing for Netflix goes through the WAN and not through the VPN?

If yes, how can I remove/delete method 1?

Greetings
Type option
[7] = Remove x3mRouting Repository
to remove. Then, use AMTM to reinstall the x3mRouting menu.

You should use Method 3 if you need to route Netflix to the WAN interface. Method 3 supports routing for both WAN and VPN interfaces. Method 2 only allows for routing to the VPN interface.
 

suxus

Occasional Visitor
Thank you very much. One little question: if my iPad uses VPN Connection 1 and I want to watch through this VPN connection, then I must use parameter 1 (0=WAN/1=VPN1/2=VPN2 ...)?
 

Xentrk

Part of the Furniture
Thank you very much. One little question: if my iPad uses VPN Connection 1 and I want to watch through this VPN connection, then I must use parameter 1 (0=WAN/1=VPN1/2=VPN2 ...)?
Correct, here is the complete list:
Code:
# 0 = WAN                                               #
# 1 = OVPNC1                                            #
# 2 = OVPNC2                                            #
# 3 = OVPNC3                                            #
# 4 = OVPNC4                                            #
# 5 = OVPNC5                                            #
 

suxus

Occasional Visitor
Hello,
At the moment I can't watch Netflix Switzerland; I don't know what's wrong. I have installed method 3 (x3mRouting using the IPSET Shell Scripts Method).

Code:
[email protected]:/tmp/home/root# liststats
NETFLIX - 152
Code:
[email protected]:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 297K packets, 147M bytes)
num   pkts bytes target     prot opt in     out     source               destination     
1    44227   56M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
Code:
[email protected]:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:    from 192.168.99.160 lookup ovpnc1
10102:    from 192.168.99.79 lookup ovpnc1
10103:    from 192.168.99.154 lookup ovpnc1
10104:    from 192.168.99.104 lookup ovpnc1
10105:    from 192.168.99.12 lookup ovpnc1
10106:    from 192.168.99.51 lookup ovpnc1
10107:    from 192.168.99.53 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
My nat_start file
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
And under Tools - other settings
Wan: Use local caching DNS server as system resolver (default: No) = YES

I tried it on my iPad, and the iPad uses VPN Connection 1. Did I forget something or do something wrong?

Isn't the idea behind that script that, for all devices that use VPN Connection 1 on the router, the Netflix traffic will be routed through the WAN and all other traffic will use the VPN? In the posts from @Torson I see that he uses IFace = 0; is this right? I think I must use IFace=1, or is there another idea behind those posts?

Thank you very much
 


Xentrk

Part of the Furniture
Hello,
At the moment I can't watch Netflix Switzerland; I don't know what's wrong. I have installed method 3 (x3mRouting using the IPSET Shell Scripts Method).

Code:
[email protected]:/tmp/home/root# liststats
NETFLIX - 152
Code:
[email protected]:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 297K packets, 147M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    44227   56M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
Code:
[email protected]:/tmp/home/root# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
9995:    from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:    from 192.168.99.160 lookup ovpnc1
10102:    from 192.168.99.79 lookup ovpnc1
10103:    from 192.168.99.154 lookup ovpnc1
10104:    from 192.168.99.104 lookup ovpnc1
10105:    from 192.168.99.12 lookup ovpnc1
10106:    from 192.168.99.51 lookup ovpnc1
10107:    from 192.168.99.53 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
My nat_start file
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
And under Tools - other settings
Wan: Use local caching DNS server as system resolver (default: No) = YES

I tried it on my iPad, and the iPad uses VPN Connection 1. Did I forget something or do something wrong?

Isn't the idea behind that script that, for all devices that use VPN Connection 1 on the router, the Netflix traffic will be routed through the WAN and all other traffic will use the VPN? In the posts from @Torson I see that he uses IFace = 0; is this right? I think I must use IFace=1, or is there another idea behind those posts?

Thank you very much
The output of this command shows that the iptables routing rule did not get created.
Code:
iptables -nvL PREROUTING -t mangle --line
You should have seen an entry like this:
Code:
7        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK set 0x1000
Run the script from the command line and see if the rule got created. Look in the system log for any messages that may help.

The numbers indicate the interface. Most people use the script to route Netflix traffic to the WAN interface since Netflix blocks shared/known VPN servers.

0 = Route to WAN interface
1 = Route to OpenVPN 1 interface
2 = Route to OpenVPN 2 interface, etc..

EDIT
I suggest we get your DNS issue fixed first. Remove x3mRouting for now. I'll check my code over the weekend to make sure it's not contributing to the issue.

First, check that DNS on the WAN iface is set and there are no DNS entries on the LAN -> DHCP tab.

On the VPN Client screen, set Accept DNS configuration = Exclusive and Policy Rules (Strict).

Then, set your streaming device to use the VPN in the Policy Routing section. Check to see if NF works over the VPN connection.

Run the debug commands posted above.
 

Xentrk

Part of the Furniture
@suxus,

I did some analysis and did find a bug in the modified updown-client.sh script that was creating the DNS issue if you are using Method 1 - x3mRouting for LAN Clients Method or Method 2 - x3mRouting OpenVPN Client Screen & IPSET Shell Script Method. It has now been fixed. You and anyone else using x3mRouting should select the option to update the installation to get the updated code.
 

suxus

Occasional Visitor
Thank you very much for your feedback.

Okay, I will check my DNS problem first and post the output in the thread, and when that's okay, then we can check the routing problem.

By the way, regarding the fix: I use Method 3 and not 1 or 2.
 

Xentrk

Part of the Furniture
Thank you very much for your feedback.

Okay, I will check my DNS problem first and post the output in the thread, and when that's okay, then we can check the routing problem.

By the way, regarding the fix: I use Method 3 and not 1 or 2.
Double check to make sure Method 1 is not active. Type the command
Code:
df
on the command line.

If you see entries that look like this:
Code:
/dev/mtdblock4           65536     11412     54124  17% /usr/sbin/vpnrouting.sh
/dev/mtdblock4           65536     11412     54124  17% /usr/sbin/updown-client.sh
Then method 1 is installed. If so, uninstall x3mRouting and reinstall and select Method 3.
 

suxus

Occasional Visitor
So now I have reinstalled x3mRouting Method 3 and done this.

nat-start
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX-812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX-2906 AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX-14618 AS14618
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX-394406 AS394406
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-GLOBAL GLOBAL
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON-16509 AS16509
Code:
[email protected]:/jffs/scripts# liststats
AMAZON-16509 - 3080
AMAZON-GLOBAL - 43
NETFLIX-14618 - 189
NETFLIX-2906 - 150
NETFLIX-394406 - 2
NETFLIX-812 - 574
Code:
[email protected]:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 1810 packets, 279K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1    69588   67M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-812 dst MARK or 0x8000
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-2906 dst MARK or 0x8000
4       47  3226 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-14618 dst MARK or 0x8000
5        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-394406 dst MARK or 0x8000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x8000
7       16  2832 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-16509 dst MARK or 0x8000
Code:
[email protected]:/jffs/scripts# ip rule
0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10101:    from 192.168.99.160 lookup ovpnc1
10102:    from 192.168.99.79 lookup ovpnc1
10103:    from 192.168.99.154 lookup ovpnc1
10104:    from 192.168.99.104 lookup ovpnc1
10105:    from 192.168.99.12 lookup ovpnc1
10106:    from 192.168.99.53 lookup ovpnc1
10107:    from 192.168.99.51 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default
Force Internet traffic through tunnel: Policy Rules (strict)

I don't know if everything is okay, but I can watch Netflix Switzerland.

My idea is that the iPad (192.168.99.53) must use VPN Connection 1 so that all traffic goes through the VPN; only Netflix must go through the WAN so that I can watch Netflix from my home country. Are the commands right, or how can I check that without testing Netflix?

Thank you very much
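One way to run the check Xentrk described above (is the `match-set ... MARK` rule present, and does its mark lead to the intended interface?) against saved command output instead of testing Netflix in a browser. This is an added example, not x3mRouting's own code; the interface-to-fwmark mapping is taken from the `ip rule` listings in this thread, and the sample listings below are copied from the posts above.

```shell
#!/bin/sh
# Added example (not part of x3mRouting): verify from the router's own command
# output that the selective-routing rule for an ipset is wired to the intended
# interface. Interface numbers map to fwmarks as in the ip rule listings above:
#   0 = WAN (0x8000, table main)   1 = OVPNC1 (0x1000)   2 = OVPNC2 (0x2000)
#   3 = OVPNC3 (0x4000)            4 = OVPNC4 (0x7000)   5 = OVPNC5 (0x3000)

# Translate an x3mRouting interface number into the fwmark its mangle rule must set.
iface_to_mark() {
    case "$1" in
        0) echo 0x8000 ;;  1) echo 0x1000 ;;  2) echo 0x2000 ;;
        3) echo 0x4000 ;;  4) echo 0x7000 ;;  5) echo 0x3000 ;;
        *) return 1 ;;
    esac
}

# check_mangle_rule IPSET IFACE  (reads `iptables -nvL PREROUTING -t mangle --line` on stdin)
# Prints "ok", "missing" or "wrong-mark:<mark>". Both target spellings seen in this
# thread are accepted: "MARK set 0x1000" (older script) and "MARK or 0x8000" (current).
check_mangle_rule() {
    want=$(iface_to_mark "$2") || { echo "bad-iface:$2"; return; }
    awk -v set="$1" -v want="$want" '
        index($0, "match-set " set " dst") {
            found = 1
            if (tolower($NF) == tolower(want)) print "ok"   # last field is the mark value
            else print "wrong-mark:" $NF
            exit
        }
        END { if (!found) print "missing" }'
}

# check_fwmark_rule MARK  (reads `ip rule` on stdin)
# Prints the routing table the RPDB rule for MARK/MARK points at, e.g. "main".
check_fwmark_rule() {
    awk -v want="$1" '
        $4 == "fwmark" && $5 == want "/" want { print $NF; found = 1; exit }
        END { if (!found) print "no-fwmark-rule" }'
}

# Sample command output copied from the posts above: the first listing has no ipset
# rule at all (the symptom Xentrk pointed out), the second one has the rules.
MANGLE_BEFORE='Chain PREROUTING (policy ACCEPT 297K packets, 147M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    44227   56M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7'

MANGLE_AFTER='Chain PREROUTING (policy ACCEPT 1810 packets, 279K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    69588   67M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-812 dst MARK or 0x8000
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-2906 dst MARK or 0x8000'

IP_RULE='0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10107:    from 192.168.99.51 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default'

# On a live router feed the real commands instead of the variables, e.g.
#   iptables -nvL PREROUTING -t mangle --line | check_mangle_rule NETFLIX-2906 0
printf '%s\n' "$MANGLE_BEFORE" | check_mangle_rule NETFLIX 0         # missing
printf '%s\n' "$MANGLE_AFTER"  | check_mangle_rule NETFLIX-2906 0    # ok
printf '%s\n' "$MANGLE_AFTER"  | check_mangle_rule NETFLIX-2906 1    # wrong-mark:0x8000
printf '%s\n' "$IP_RULE"       | check_fwmark_rule 0x8000            # main
```

"ok" plus a fwmark rule pointing at `main` is the end-to-end condition for "this ipset leaves via the WAN"; "missing" means the load script never created the rule, which is the case Xentrk diagnosed from the first listing.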
 

Torson

Regular Contributor
I now have the system fully functional - thank you @Xentrk for all the help, links and pointers provided over the last several days.
- This is what I wanted to achieve:
1. Have the SmartTVs pick up a shared VPN IP through the OVPN Client 1
2. Stream local Netflix and Prime on the SmartTVs through the WLAN (interface 0)
3. All the other devices on the network use WLAN directly for streaming and are selectively routed through OVPN Client 2 (on another shared VPN IP) to skysports.com.
- This is how it works for me:
- Configured and tested the 2 OVPN Clients for the desired destinations
- OVPN 1 has Policy Rules (strict) selected and blocks routed clients if the tunnel goes down; the 2 SmartTV reserved IPs and the WLAN are defined in the Rules for routing client traffic
- OVPN 2 has Policy Rules enabled and no defined clients; also it doesn't block routed clients if the tunnel goes down
- now for the time consuming part - the dnsmasq and ASN based rules come from all the sources @Xentrk pointed to in previous posts and the GitHub link - i.e. mining the Diversion dnsmasq log or following it in real-time (VPN disabled), the nslookup / whob method of determining AS numbers, the https://bgp.he.net/ and https://www.yougetsignal.com/tools/web-sites-on-web-server/ sites etc.

My Internet provider's AS number came up in pretty much every place. However, the whole thing did not come together until I linked its ASN to both interface 0 and 2 (although both occurrences show the same number of packets and bytes).

Here is how it all looks:

Code:
Chain PREROUTING (policy ACCEPT 597K packets, 473M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    76057   92M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     244K  312M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     2096  170K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4     774K  788M BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5     324K   31M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set ROGERS.i2_812 dst MARK or 0x2000
6     151K   12M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set SkySports_masq dst MARK or 0x2000
7    29874 2847K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set SkySports_rev dst MARK or 0x2000
8     324K   31M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set ROGERS.i0_812 dst MARK or 0x8000
9     7336  630K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX_2906 dst MARK or 0x8000
10      22  2475 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_CA dst MARK or 0x8000
11   64587   19M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_14618 dst MARK or 0x8000
12    101K   81M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_16509 dst MARK or 0x8000
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
10001:  from 192.168.1.1 lookup main
10101:  from 192.168.1.238 lookup ovpnc1
10102:  from 192.168.1.253 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
Code:
AMAZON_14618 - 188
AMAZON_16509 - 3069
AMAZON_CA - 26
NETFLIX_2906 - 152
ROGERS.i0_812 - 574
ROGERS.i2_812 - 574
SkySports_masq - 394
SkySports_rev - 7
 

suxus

Occasional Visitor
A question I have about x3mRouting (Method 3): if I now add or remove a device from a VPN connection on the router, must I then run a command, or does this happen automatically?
As far as I understand it, there is the nat-start file, which is executed at each router restart (so the sh commands are executed then); is that correct, or is nat-start otherwise executed automatically (once a day or so)?

Thank you

@Torson is it possible that you can also post your nat-start?
 

Xentrk

Part of the Furniture
@chncar

I want to reply to your PM in the thread as it is useful information to others.


Hello Xentrk,

I am interested in Netflix streaming selective routing. Thanks for your scripts, which I copied a lot of into my own script.

Few days ago when I was trying to watch NF at Chrome, I was blocked by NF, proxy detected.

I found my Chrome tries to connect to *.nflxvideo.net. And NSLOOKUP shows there are 9 IPs. Most of them are included in amazonawsipset, except 52.17.14.207, 54.89.245.208, and 50.17.247.31. These 3 are not in the related ipset.

Checked with "Whois", it seems they are from amazonaws.

But they are not in https://ip-ranges.amazonaws.com/ip-ranges.json

Do you have any ideas how to fetch these kinds of IPs in advance? So that we can add all Netflix/amazonaws-related IPs to their ipsets at once.

thanks.
I used the search feature on Hurricane Electric BGP to look up the IP addresses:

52.17.14.207 AS16509 52.16.0.0/15 Amazon Data Services Ireland Limited
54.89.245.208 AS14618 54.89.0.0/16 Amazon Technologies Inc
50.17.247.31 AS14618 50.17.0.0/16 Amazon.com, Inc

I will do some analysis over the weekend on the Amazon regions to see what region these IP addresses belong to. Perhaps it is a combination of your geo location and end point destination. I suspect that Netflix is hosted on EU server farm for EU users. As a result, EU users require additional routing for their location. I do know that streaming media services are using content delivery networks which cache content local to the end user to prevent buffering issues.

For now, use the ASN script to collect the required IP addresses.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON-16509 AS16509
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON-14618 AS14618
 

Xentrk

Part of the Furniture
I now have the system fully functional - thank you @Xentrk for all the help, links and pointers provided over the last several days.
- This is what I wanted to achieve:
1. Have the SmartTVs pick up a shared VPN IP through the OVPN Client 1
2. Stream local Netflix and Prime on the SmartTVs through the WLAN (interface 0)
3. All the other devices on the network use WLAN directly for streaming and are selectively routed through OVPN Client 2 (on another shared VPN IP) to skysports.com.
- This is how it works for me:
- Configured and tested the 2 OVPN Clients for the desired destinations
- OVPN 1 has Policy Rules (strict) selected and blocks routed clients if the tunnel goes down; the 2 SmartTV reserved IPs and the WLAN are defined in the Rules for routing client traffic
- OVPN 2 has Policy Rules enabled and no defined clients; also it doesn't block routed clients if the tunnel goes down
- now for the time consuming part - the dnsmasq and ASN based rules come from all the sources @Xentrk pointed to in previous posts and the GitHub link - i.e. mining the Diversion dnsmasq log or following it in real-time (VPN disabled), the nslookup / whob method of determining AS numbers, the https://bgp.he.net/ and https://www.yougetsignal.com/tools/web-sites-on-web-server/ sites etc.

My Internet provider's AS number came up in pretty much every place. However, the whole thing did not come together until I linked its ASN to both interface 0 and 2 (although both occurrences show the same number of packets and bytes).

Here is how it all looks:

Code:
Chain PREROUTING (policy ACCEPT 597K packets, 473M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    76057   92M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     244K  312M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     2096  170K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4     774K  788M BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0
5     324K   31M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set ROGERS.i2_812 dst MARK or 0x2000
6     151K   12M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set SkySports_masq dst MARK or 0x2000
7    29874 2847K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set SkySports_rev dst MARK or 0x2000
8     324K   31M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set ROGERS.i0_812 dst MARK or 0x8000
9     7336  630K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX_2906 dst MARK or 0x8000
10      22  2475 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_CA dst MARK or 0x8000
11   64587   19M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_14618 dst MARK or 0x8000
12    101K   81M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_16509 dst MARK or 0x8000
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
10001:  from 192.168.1.1 lookup main
10101:  from 192.168.1.238 lookup ovpnc1
10102:  from 192.168.1.253 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
Code:
AMAZON_14618 - 188
AMAZON_16509 - 3069
AMAZON_CA - 26
NETFLIX_2906 - 152
ROGERS.i0_812 - 574
ROGERS.i2_812 - 574
SkySports_masq - 394
SkySports_rev - 7
Hi @Torson,

I appreciate your feedback and very happy you got it working. I remember when I first got into this. It took a lot of persistence at times to figure out the domains and IP addresses to use. For BBC, it took me awhile to mine all of the domain names and convert them to IP addresses before I got it working. When I developed this project, I viewed the source code on the website and found I was able to get it to work only using 8 top level domain names.

In the process of helping you with sky.com, I also found that my ISP would get a match when I did a lookup on the IP addresses I mined from dnsmasq. As I mentioned above, I suspect CDN or Content Delivery Network is coming into play with caching content across the globe to reduce load and improve streaming performance.

I would like to add the sky.com lists to the GitHub page. Please share the manual method list or dnsmasq script method parameters with me and I will add it to the project GitHub page to help others who have the same use case. sky.com comes up time to time on the forum. So, it would be helpful to others if I can add it to the GitHub page.
 

suxus

Occasional Visitor
For me, currently only the following questions are open.

1. If I add or remove a device from a VPN connection (in the Web GUI), must I do anything in the script to update it, or are the rules updated automatically?

2. If I enter the sh commands into the nat-start file, then they will be executed each time the router restarts, and so the settings will not be lost. Is that correct?

3. Diversion and x3mRouting (Method 3) together will not work? Diversion cannot handle Exclusive and Policy Rules (strict).

Many thanks for the support
 

Xentrk

Part of the Furniture
For me, currently only the following questions are open.

1. If I add or remove a device from a VPN connection (in the Web GUI), must I do anything in the script to update it, or are the rules updated automatically?
No need to do anything with the script. You can type the command ip rule at the command line to see the routing rules for devices that use the VPN and their priorities. Per the example below, you can see the DHCP clients and the VPN interface they are routed to. If a device is not defined to use a VPN, it defaults to lookup main, which is the WAN interface.

Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9992:   from all fwmark 0x7000/0x7000 lookup ovpnc4
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10104:  from 192.168.1.150 lookup ovpnc1
10105:  from 192.168.1.151 lookup ovpnc1
10106:  from 192.168.1.153 lookup ovpnc1
10107:  from 192.168.1.154 lookup ovpnc1
10301:  from 192.168.1.165 lookup ovpnc2
10302:  from 192.168.1.149 lookup ovpnc2
10303:  from 192.168.1.152 lookup ovpnc2
32766:  from all lookup main
32767:  from all lookup default
2. If I enter the sh commands into the nat-start file, then they will be executed each time the router restarts, and so the settings will not be lost. Is that correct?
Correct. This allows the scripts to run at system boot. Set it and forget it.

3. Diversion and x3mRouting (Method 3) together will not work? Diversion cannot handle Exclusive and Policy Rules (strict).
Diversion will not work on the VPN tunnel when using the combination of Accept DNS Configuration = Exclusive and Policy Rules (Strict). Clients defined to use the tunnel will exclusively use the DNS of the VPN provider. Local dnsmasq is bypassed as a result. See https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/ for more information on Policy Routing and the Accept DNS Configuration setting on Diversion.

Thanks for the gratitude. I am glad I could assist you on the journey as others have helped me!
 

mister

Regular Contributor
The configuration of Torson is very similar to the configuration I want to achieve.

But I have a few questions about Torson's configuration.

How did you get the configuration where all clients normally connect to ovpn2 except those clients configured for ovpn1? What configuration in the ovpn2 client mask did you use? Which configuration has a higher priority: the scripts with x3mRouting via dnsmasq or the policies made in the ovpn1 configuration (I assume the x3mRouting scripts)?

Because I read that ovpn1 has a higher priority than ovpn2, I am interested in the following example:

What would happen to the clients of ovpn1 if the ovpn1 tunnel goes down (policy rules, not strict)? Are they transferred to ovpn2 or to the WAN?

Either

Ovpn1 - - > Ovpn2 - - >wan

or


Ovpn1 - - > Wan
and
Ovpn2 - - > Wan



Thanks a lot for your support...
 

Martineau

Part of the Furniture
The configuration of Torson is very similar to the configuration I want to achieve.

But I have a few questions about Torson's configuration.

How did you get the configuration where all clients normally connect to ovpn2 except those clients configured for ovpn1? What configuration in the ovpn2 client mask did you use? Which configuration has a higher priority: the scripts with x3mRouting via dnsmasq or the policies made in the ovpn1 configuration (I assume the x3mRouting scripts)?

Because I read that ovpn1 has a higher priority than ovpn2, I am interested in the following example:

What would happen to the clients of ovpn1 if the ovpn1 tunnel goes down (policy rules, not strict)? Are they transferred to ovpn2 or to the WAN?

Either

Ovpn1 - - > Ovpn2 - - >wan

or


Ovpn1 - - > Wan
and
Ovpn2 - - > Wan
RPDB Policy rules are evaluated with '0' being the highest priority and '32767' being the lowest priority rule.

The Policy Rules are assigned 10000-11000 with each VPN Client normally allowed max 200 rules.

@Xentrk's scripts use rules 9990-9995 for VPN Clients 1 - 5

I have 5 VPN clients active (1-New York,2-LA,3-ovpnc3,4-Glenside and 5-UK)
and you can check the Selective routing order by issuing:
Code:
ip rule

0: from all lookup local
8005: from 172.16.5.33/28 to 100.120.32.1 lookup UK
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x7000/0x7000 lookup Glenside
9992: from all fwmark 0x3000/0x3000 lookup UK
9993: from all fwmark 0x1000/0x1000 lookup NewYork
9994: from all fwmark 0x2000/0x2000 lookup LA
9995: from all fwmark 0x4000/0x4000 lookup ovpnc3
10002: from 172.16.1.1 lookup NewYork
10202: from 172.16.2.1 lookup LA
10402: from 172.16.3.1 lookup ovpnc3
10602: from 172.16.4.1 lookup Glenside
10802: from 172.16.5.1 lookup UK
10803: from 172.16.5.33/28 to 0.255.255.255 lookup UK
20100: from 10.88.101.0/24 lookup NewYork
20200: from 10.88.102.0/24 lookup LA
32766: from all lookup main
32767: from all lookup default
So normally the WAN (rule 32766) will be used if there is no prior matching RPDB rule for an IP/CIDR range.

NOTE: If the KILL-switch is ENABLED for a VPN Client, then the WAN cannot be used and the IP/CIDR range will be blocked.
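Martineau's evaluation order, traced through in an added example that is not part of x3mRouting or the firmware: it walks an `ip rule` listing from the lowest priority number up and reports the first rule a packet matches. The listings are the ones quoted in this thread; the destination 198.51.100.10 is a constructed placeholder address.

```shell
#!/bin/sh
# Added example (not part of x3mRouting or the firmware): walk an `ip rule`
# listing the way the kernel RPDB does, lowest priority number first, and report
# which rule and table a packet would hit. Inputs: source IP, destination IP and
# the fwmark set by the mangle PREROUTING chain ("0x0" if no ipset matched).
# Simplification: a rule whose action is "lookup local" is skipped, because the
# local table only holds the router's own addresses, so forwarded LAN traffic
# falls through it to the next rule.

# rpdb_lookup SRC DST FWMARK  (reads `ip rule` on stdin)
# Prints "<priority> <table>" of the first matching rule, or "no-match".
rpdb_lookup() {
    awk -v src="$1" -v dst="$2" -v mark="$3" '
    function ip2n(ip,  a) { split(ip, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # hex string such as 0x8000 -> number (POSIX awk has no hex parsing)
    function hex2n(h,  i, v) {
        h = tolower(h); sub(/^0x/, "", h); v = 0
        for (i = 1; i <= length(h); i++) v = v * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
        return v
    }
    # bitwise AND without gawk extensions
    function band(a, b,  r, bit) {
        r = 0; bit = 1
        while (a > 0 && b > 0) { if (a % 2 && b % 2) r += bit; a = int(a / 2); b = int(b / 2); bit *= 2 }
        return r
    }
    # does ip fall inside spec ("all", "A.B.C.D" or "A.B.C.D/len")?
    function in_prefix(ip, spec,  p, len, block) {
        if (spec == "all") return 1
        len = (split(spec, p, "/") == 2) ? p[2] + 0 : 32
        block = 2 ^ (32 - len)
        return int(ip2n(ip) / block) == int(ip2n(p[1]) / block)
    }
    {
        from = "all"; to = "all"; table = ""; hasmark = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "from")        from = $(i + 1)
            else if ($i == "to")     to = $(i + 1)
            else if ($i == "lookup") table = $(i + 1)
            else if ($i == "fwmark") {            # "0x8000/0x8000" -> value / mask
                n = split($(i + 1), m, "/")
                want = hex2n(m[1]); mask = (n == 2) ? hex2n(m[2]) : 4294967295
                hasmark = 1
            }
        }
        if (table == "" || table == "local") next
        if (!in_prefix(src, from) || !in_prefix(dst, to)) next
        if (hasmark && band(hex2n(mark), mask) != want) next
        sub(/:$/, "", $1); print $1, table; hit = 1; exit
    }
    END { if (!hit) print "no-match" }'
}

# ip rule output quoted from suxus'"'"'s post above (iPad 192.168.99.53 routed to ovpnc1)
SUXUS_RULES='0:    from all lookup local
9990:    from all fwmark 0x8000/0x8000 lookup main
10106:    from 192.168.99.53 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default'

# ip rule output quoted from Martineau'"'"'s post above (CIDR, "to" and several fwmark rules)
MARTINEAU_RULES='0: from all lookup local
8005: from 172.16.5.33/28 to 100.120.32.1 lookup UK
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x7000/0x7000 lookup Glenside
9992: from all fwmark 0x3000/0x3000 lookup UK
9993: from all fwmark 0x1000/0x1000 lookup NewYork
9994: from all fwmark 0x2000/0x2000 lookup LA
10002: from 172.16.1.1 lookup NewYork
10802: from 172.16.5.1 lookup UK
20200: from 10.88.102.0/24 lookup LA
32766: from all lookup main
32767: from all lookup default'

DST=198.51.100.10   # constructed placeholder destination
printf '%s\n' "$SUXUS_RULES"     | rpdb_lookup 192.168.99.53 "$DST" 0x0        # 10106 ovpnc1
printf '%s\n' "$SUXUS_RULES"     | rpdb_lookup 192.168.99.53 "$DST" 0x8000     # 9990 main
printf '%s\n' "$SUXUS_RULES"     | rpdb_lookup 192.168.99.200 "$DST" 0x0       # 32766 main
printf '%s\n' "$MARTINEAU_RULES" | rpdb_lookup 172.16.5.40 100.120.32.1 0x0    # 8005 UK
printf '%s\n' "$MARTINEAU_RULES" | rpdb_lookup 10.88.102.7 "$DST" 0x3000       # 9992 UK
```

The second and fifth calls show the mechanism the thread relies on: a packet from a client that has its own 101xx rule still lands in `main` when the ipset rule marked it 0x8000, because 9990 is evaluated first, and a 0x3000 mark skips rule 9991 since 0x3000 AND 0x7000 is not 0x7000.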
 

Torson

Regular Contributor
@mister there is no harm in trying those things out - all your questions are more than professionally addressed in post #39. One tip that I can offer from my experience during testing is to ensure that you have a copy of your nat-start file 'undone'. What I mean is that all statements with reference to selective routing applied when your router comes up are reversed (undone), i.e.

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 2 ROGERS.i2_812 del
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 2 SkySports_5607 del
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 2 SkySports_masq del
...etc
...that saves a number of router reboots - not all of them though (routers and dandelions are people too...)

@Martineau - that's a master class in routing range (where range > selective.) Would you mind sharing the thought behind rules 8005 and 10803?
 