
x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Thanks, for something like slingtv will I need vpn active to use dnsmasq script as was just thinking to do it I would need all media streamer traffic going through vpn?
You can add a rule on the GUI screen to have the streaming device to use the VPN Client. This will force all streaming traffic to use the VPN Client interface
Code:
Roku  192.168.1.20 0.0.0.0  VPN

If you just want SlingTV to route SlingTV to VPN Client 2 interface, you run the script like this:
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 2 MOVETV movetv.com

Did I answer your question?
 
Thank you, @Xentrk - I'll widen my search to vpn specific forums to see if there are existing solutions. I'd be surprised if I was the first to make this request. Going forward, I suspect more people will want to do something like this with more people working and schooling from home over the next few months.
We will most likely need a MASQUERADE iptables rule for the VPN Server and one for the Guest Network since they use different subnets than the LAN. The MASQUERADE rule allows us to bridge the two subnets together. But it gets hazy for me after that. I have some ideas. But I need time to research and experiment on Saturday. If I can't figure it out, we can grovel for help from the resident forum routing expert who has mentored me on how this all works. :)

We may need to use similar rules that are used for Policy based port Routing for that part.
 
If I can't figure it out, we can grovel for help from the resident forum routing expert who has mentored me on how this all works. :)
Leaps and bounds ahead of me! Don't sell yourself short.
Found some info on the OVPN help forums that might be a solution, but I don't understand it well enough to even know what I'm looking at. Thank you for your help.
 
Leaps and bounds ahead of me! Don't sell yourself short.
Found some info on the OVPN help forums that might be a solution, but I don't understand it well enough to even know what I'm looking at. Thank you for your help.
I also have found some good info on dd-wrt forum and openwrt forum for matters like this as well.
 
You can add a rule on the GUI screen to have the streaming device to use the VPN Client. This will force all streaming traffic to use the VPN Client interface
Code:
Roku  192.168.1.20 0.0.0.0  VPN

If you just want SlingTV to route SlingTV to VPN Client 2 interface, you run the script like this:
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 2 MOVETV movetv.com

Did I answer your question?
@Xentrk thanks for all your help slightly off topic probably having to shelve idea of disney+ usa as finding it difficult to pay for it being in the uk even though usa disney is vastly superior with having espn+hulu unless you know how i can do it?
 
@Xentrk thanks for all your help slightly off topic probably having to shelve idea of disney+ usa as finding it difficult to pay for it being in the uk even though usa disney is vastly superior with having espn+hulu unless you know how i can do it?
Your billing address may be the issue. Not sure if they allow other payment methods that don't require an address. If you were able to overcome that issue, then you need to get around the VPN blocks Disney+ has in place for known VPN servers. This is the solution that myself and others use. The other two VPN providers that have workarounds require that you use their DNS servers.
 
Your billing address may be the issue. Not sure if they allow other payment methods that don't require an address. If you were able to overcome that issue, then you need to get around the VPN blocks Disney+ has in place for known VPN servers. This is the solution that myself and others use. The other two VPN providers that have workarounds require that you use their DNS servers.

I have a working vpn for disney, it is the american billing address linked to an american payment method that's the issue
 
@Xentrk, I upgraded my modem and it seems option 3 of the script no longer works for me. I know you mentioned you were updating the script...is the new script out already for use? Thanks!

Update: It's working again. Not sure what happened but I'm using Quad9 DNS vs Cloudflare now and that worked.
 
@Xentrk does this look correct for adding to a nat-start script?
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEYPLUS disneyplus.com

just one vpn client for usa setup
 
I am trying to use "sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 Apple AS714" and I see a file called Apple in my /opt/tmp directory, however the file is 0KB and there are no IPs inside. Does anyone know why?
 
I am trying to use "sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 Apple AS714" and I see a file called Apple in my /opt/tmp directory, however the file is 0KB and there are no IPs inside. Does anyone know why?

try this

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 Apple apple.com
 
@Xentrk Do these scripts have to be run initially then run as a router startup script (nat-start) ?

Thanks
 
I am trying to use "sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 Apple AS714" and I see a file called Apple in my /opt/tmp directory, however the file is 0KB and there are no IPs inside. Does anyone know why?

further thought...from what i know you initially run the script, do some usage on apple and it will be recorded by the script to the output file.

@Xentrk would you mind explaining more on how it all works please, like a brief summary
 
I am trying to use "sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 Apple AS714" and I see a file called Apple in my /opt/tmp directory, however the file is 0KB and there are no IPs inside. Does anyone know why?
/opt/tmp is the default backup save/restore location. The IPv4 addresses or CIDRs first get stored in /opt/tmp/Apple. The program then loads the ipset list from the contents of this file. AS714 is a valid ASN. I'll test it in a few hours when I get home to see if there is an issue.

Update:
It worked for me. I get the IPv4 addresses from ipinfo.io. If you have diversion or another ad blocker installed, it may be blacklisted. You will need to add it to the whitelist to access.
 
@TechTinkerer

The autoscan feature will work differently in the new version. You will provide a parameter called 'autoscan=' along with a keyword or words e.g. "netflix,disney" rather than a domain name:

In the meantime, here is the code if you want to search dnsmasq for a "keyword" like disney in dnsmasq.log file.
Code:
grep "disney" "/opt/var/log/dnsmasq.log" | grep query | awk '{print $(NF-2)}' | awk -F\. '{print $(NF-1) FS $NF}' | sort | uniq
 
further thought...from what i know you initially run the script, do some usage on apple and it will be recorded by the script to the output file.

@Xentrk would you mind explaining more on how it all works please, like a brief summary
The dnsmasq method does that. When dnsmasq queries the domain, it returns an IPv4 address and populates the IPSET list. You will see 'ipset add' entries in the dnsmasq.log like below:
Code:
Mar 30 18:46:35 dnsmasq[8091]: query[A] cbd46b77.cdn.cms.movetv.com from 192.168.22.165
Mar 30 18:46:35 dnsmasq[8091]: forwarded cbd46b77.cdn.cms.movetv.com to 1.0.0.1
Mar 30 18:46:35 dnsmasq[8091]: reply p-stats.movetv.com is <CNAME>
Mar 30 18:46:35 dnsmasq[8091]: ipset add MOVETV 74.206.222.26 p-col.gtm.movetv.com
Mar 30 18:46:35 dnsmasq[8091]: reply p-col.gtm.movetv.com is 74.206.222.26
Mar 30 18:46:35 dnsmasq[8091]: ipset add MOVETV 74.206.223.26 p-col.gtm.movetv.com
Mar 30 18:46:35 dnsmasq[8091]: reply p-col.gtm.movetv.com is 74.206.223.26
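
Added example, not part of the original post or of x3mRouting: a coverage check over dnsmasq.log that lists the addresses dnsmasq added to an ipset and the queried base domains matching a keyword that never produced an 'ipset add' line, so are not selected by the ipset rule. The function names and the sample log are constructed for illustration (the movetv-cdn.example host is made up); the log format is the one shown above.

```shell
#!/bin/sh
# Constructed sample in the dnsmasq.log format shown in the thread.
sample_log() {
cat <<'EOF'
Mar 30 18:46:35 dnsmasq[8091]: query[A] cbd46b77.cdn.cms.movetv.com from 192.168.22.165
Mar 30 18:46:35 dnsmasq[8091]: forwarded cbd46b77.cdn.cms.movetv.com to 1.0.0.1
Mar 30 18:46:35 dnsmasq[8091]: ipset add MOVETV 74.206.222.26 p-col.gtm.movetv.com
Mar 30 18:46:35 dnsmasq[8091]: reply p-col.gtm.movetv.com is 74.206.222.26
Mar 30 18:46:35 dnsmasq[8091]: ipset add MOVETV 74.206.223.26 p-col.gtm.movetv.com
Mar 30 18:46:36 dnsmasq[8091]: ipset add MOVETV 74.206.222.26 p-col.gtm.movetv.com
Mar 30 18:46:40 dnsmasq[8091]: query[A] static.movetv-cdn.example from 192.168.22.165
Mar 30 18:46:40 dnsmasq[8091]: reply static.movetv-cdn.example is 203.0.113.10
EOF
}

# Print the unique addresses dnsmasq added to ipset $1 (log on stdin).
ipset_members() {
    awk -v name="$1" '
        NF >= 9 && $(NF-4) == "ipset" && $(NF-3) == "add" && $(NF-2) == name {
            print $(NF-1)
        }' | sort -u
}

# Print base domains (last two labels, as in the grep/awk one-liner in the
# thread) that were queried, contain keyword $1, and never appear on an
# "ipset add" line. These are candidates to append to the domain list.
uncovered_domains() {
    awk -v kw="$1" '
        function base(h,   n, p) {
            n = split(h, p, ".")
            return (n < 2) ? h : p[n-1] "." p[n]
        }
        NF >= 8 && $(NF-3) ~ /^query\[/ && index($(NF-2), kw) {
            queried[base($(NF-2))] = 1
        }
        NF >= 9 && $(NF-4) == "ipset" && $(NF-3) == "add" {
            covered[base($NF)] = 1
        }
        END { for (d in queried) if (!(d in covered)) print d }
    ' | sort
}

# Demo on the constructed sample; on the router, feed the real log instead:
#   uncovered_domains disney < /opt/var/log/dnsmasq.log
sample_log | ipset_members MOVETV
sample_log | uncovered_domains movetv
```

A domain only shows as covered after a client has actually resolved it, so run the check after using the service for a while.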
 
@Xentrk Do these scripts have to be run initially then run as a router startup script (nat-start) ?

Thanks
For now, you can create /jffs/scripts/nat-start file and call the scripts from there. See https://github.com/Xentrk/x3mRouting#run-scripts-at-system-boot for the instructions. You need to add a she-bang and set permission to be executable: chmod 755 nat-start

In the next version, I use the vpnclientX-route-up vpnclientX-route-pre-down scripts instead. The new version will also perform the config for you too. But the nat-start method works for the majority of people.
 
@Xentrk does this look correct for adding to a nat-start script?
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEYPLUS disneyplus.com

just one vpn client for usa setup
Looks good to me. But you may be missing some domains. Here are two I found viewing the disneyplus.com source code when searching for the word 'disney'. There may be more.

Code:
https://privacychoices.thewaltdisneycompany.com
https://prod-static.disney-plus.net

With the two I listed, this is how it should look:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 DISNEYPLUS disneyplus.com,thewaltdisneycompany.com,disney-plus.net
 
For now, you can create /jffs/scripts/nat-start file and call the scripts from there. See https://github.com/Xentrk/x3mRouting#run-scripts-at-system-boot for the instructions. You need to add a she-bang and set permission to be executable: chmod 755 nat-start

In the next version, I use the vpnclientX-route-up vpnclientX-route-pre-down scripts instead. The new version will also perform the config for you too. But the nat-start method works for the majority of people.
Think I will wait then for the update, Thanks :)
 
/opt/tmp is the default backup save/restore location. The IPv4 addresses or CIDRs first get stored in /opt/tmp/Apple. The program then loads the ipset list from the contents of this file. AS714 is a valid ASN. I'll test it in a few hours when I get home to see if there is an issue.

Update:
It worked for me. I get the IPv4 addresses from ipinfo.io. If you have diversion or another ad blocker installed, it may be blacklisted. You will need to add it to the whitelist to access.
It is working for me now. I believe I got a temporary ban from ipinfo as I was experimenting with things and therefore I was making too many API requests.
 
