x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


mister

Regular Contributor
Thank you both for your support and sorry for my questions, I am an absolute beginner in this field....

If I understand you correctly, if I assign one client, e.g., to ovpn1 using its IP address and the ovpn1 tunnel goes down, it is normally switched to WAN unless I have a matching rule, e.g., in ovpn2, correct?

@Torson : if I understand you in the right way, you configured ovpn2 that all clients are using this, if no other rule prior matches. so it would be e. g.
LAN 192.168.1.0/24 0.0.0.0 vpn
Router 192.168.1.1 0.0.0.0 wan
right?

If I understand you correctly, you manually delete the rules you entered before by using a batch of del commands when you change your configuration, to avoid reboots. Is there a risk of getting a boot loop if I am using this script?
Is there a way to save all unmodified files at the beginning and restore them, if you want to change it or only over the batch of commands?

@Martineau : thanks a lot for your support too. You described in your configuration your ovpnc clients.1-New York,2-LA,3-ovpnc3,4-Glenside and 5-UK .. The rule numbers have a different order, so it seems to me, that ovpnc3 has a lower priority than the other ovpncs, is that correct? In this case I would be a little confused, because it should have a middle priority, or?

Apologies again for my many questions....
 

Martineau

Part of the Furniture
@Martineau - that's a master class in routing range (where range > selective.) Would you mind sharing the thought behind rules 8005 and 10803?
The two rules combine to solve an advanced edge case

e.g. Policy Based Routing IPTV problem and Policy Based Routing IPTV problem

i.e. Rule 10803 is created by the VPN Client 5 GUI 'UseDNSOnly' entry to only add the 16 LAN devices (IP range 172.16.5.32-172.16.5.47) to the "Exclusive" DNSVPN5 chain without forcing the devices via the VPN tunnel.

Subsequently this allows the OpenVPN event script 'vpnclient5-route-up' to dynamically create rule 8005 using the current (100.120.32.1) VPN Client 5 DNS server without the need to hard-code it.
 

Martineau

Part of the Furniture
@Martineau You described in your configuration your ovpnc clients.1-New York,2-LA,3-ovpnc3,4-Glenside and 5-UK ..

The rule numbers have a different order, so it seems to me, that ovpnc3 has a lower priority than the other ovpncs, is that correct?
No.

Any Selective Routing GUI entries would be matched first against VPN 1 (NewYork), then VPN 2 (LA), then VPN 3 (ovpnc3) etc., so ovpnc3 has a lower priority than New York and LA, but a higher priority than Glenside and UK.
 

Xentrk

Part of the Furniture
Thank you both for your support and sorry for my questions, I am an absolute beginner in this field....

If I understand you correctly, if I assign one client, e.g., to ovpn1 using its IP address and the ovpn1 tunnel goes down, it is normally switched to WAN unless I have a matching rule, e.g., in ovpn2, correct?
I never thought of doing that as a fail over method nor have I tested it. But in theory it should work. The assignment to OVPNC1 is a higher priority than OVPNC2 and would get the first match. If the tunnel goes down and the routing rules for OVPNC1 have been properly removed, routing to OVPNC2 would appear.

However, the script VPN_Failover.sh was specifically designed to manage fail over assignments.

@Torson : if I understand you in the right way, you configured ovpn2 that all clients are using this, if no other rule prior matches. so it would be e. g.
LAN 192.168.1.0/24 0.0.0.0 vpn
Router 192.168.1.1 0.0.0.0 wan
right?
The 192.168.1.0/24 LAN entry is routing ALL clients thru the tunnel. See this article for how policy rules work: https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

If I understand you correctly, you manually delete the rules you entered before by using a batch of del commands when you change your configuration, to avoid reboots. Is there a risk of getting a boot loop if I am using this script?
Is there a way to save all unmodified files at the beginning and restore them, if you want to change it or only over the batch of commands?
The first thing is to execute the script from the command line and test that it works.
Create IPSET NETFLIX from AS2906 via VPN Client 2, but use the /mnt/sda1/Backups directory rather than the default opt/tmp as the IPSET save/restore file location:
Code:
sh load_ASN_ipset_iface.sh 2 NETFLIX AS2906 dir=/mnt/sda1/Backups
If you want to delete and start over, add the "del" parameter:

Delete IPSET NETFLIX and remove routing via VPN Client 2 (the AS Number parameter is not required when using the delete function):
Code:
sh load_ASN_ipset_iface.sh 2 NETFLIX del
Once you have determined the script(s) work, you can configure the scripts to run at system boot using one of two methods. See the Run Scripts at System Boot section the README page.
 

jfdaigle

New Around Here
Hi,

I'm having trouble getting Netflix CANADA to work. I'm a newbie in these script and router config things, but I went through every guide I could find, following step by step, but it doesn't work. I got Amazon Prime to work no problem, but I always get the error from Netflix saying that it detected a proxy.

Here is what I configured:

[email protected]:/tmp/home/root# liststats
AMAZON-16509 - 3070
AMAZON-CA - 26
AMAZON-GLOBAL - 43
NETFLIX-14618 - 190
NETFLIX-2906 - 152
NETFLIX-394406 - 2
NETFLIX-812 - 574

[email protected]:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 3885 packets, 5171K bytes)
num pkts bytes target prot opt in out source destination
1 156K 214M MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 157K 224M BWDPI_FILTER udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-812 dst MARK or 0x8000
4 49 6122 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-2906 dst MARK or 0x8000
5 379 163K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-14618 dst MARK or 0x8000
6 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-394406 dst MARK or 0x8000
7 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-GLOBAL dst MARK or 0x8000
8 121 14338 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-16509 dst MARK or 0x8000
9 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-CA dst MARK or 0x8000

I also noticed that when I reboot the router, it seems to forget the codes I programmed... The liststats and iptables become empty.

Thank you for your help
 

mister

Regular Contributor
The 192.168.1.0/24 LAN entry is routing ALL clients thru the tunnel. See this article for how policy rules work: https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
Thanks a lot again. From this page I had the command but because the configuration you mentioned has different rules of ways for routing, I was not sure, if this entry would fit. I want to use your configuration as the starting point and - Maybe - vary it a little bit. (e. g. Amazon regions etc). This was the reason I asked.

If it is possible and would be ok for you, it would be nice if you could send me the script you described before via PM without any confidential information. This would help me very much at my first steps.

One last question regarding the 192.168.1.0/24 policy : Is the order of this rule important in the policy page?

To be clear: Is there a difference if I put this rule in the first place in the ovpnc1 screen and then add rules for specific clients at the second or third place? E.g., if client 192.168.1.2 should use the WAN port instead of VPN, does this entry have to be before the general rule or could it be after?

If so, the rule 192.168.1.0/24 has to be set only once, at the active VPN with the lowest priority, and at the bottom of the page, right?

I will try your support as soon as I will be home again. So many thanks again for your excellent support and hints here.
 

Xentrk

Part of the Furniture
Hi,

I'm having trouble getting Netflix CANADA to work. I'm a newbie in these script and router config things, but I went through every guide I could find, following step by step, but it doesn't work. I got Amazon Prime to work no problem, but I always get the error from Netflix saying that it detected a proxy.

Here is what I configured:

[email protected]:/tmp/home/root# liststats
AMAZON-16509 - 3070
AMAZON-CA - 26
AMAZON-GLOBAL - 43
NETFLIX-14618 - 190
NETFLIX-2906 - 152
NETFLIX-394406 - 2
NETFLIX-812 - 574

[email protected]:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 3885 packets, 5171K bytes)
num pkts bytes target prot opt in out source destination
1 156K 214M MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 157K 224M BWDPI_FILTER udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-812 dst MARK or 0x8000
4 49 6122 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-2906 dst MARK or 0x8000
5 379 163K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-14618 dst MARK or 0x8000
6 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-394406 dst MARK or 0x8000
7 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-GLOBAL dst MARK or 0x8000
8 121 14338 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-16509 dst MARK or 0x8000
9 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-CA dst MARK or 0x8000
I reboot the router, it seems to forget the codes I programmed... The liststats and iptables become empty.

Thank you for your help
No traffic is traversing the iptables chain for the following IPSET lists:

Code:
NETFLIX-812
AMAZON-GLOBAL
NETFLIX-394406
AMAZON-CA
As a result, they may not be needed.

Are you trying to route Amazon Prime and Netflix to the VPN or WAN interface?

Start with the the lists that work for me that I posted on the GitHub page and tell me if you still have the proxy error.

Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
If you still have issues with Netflix, try the DNSMASQ method:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
I've had two people report they need to use the combination of the DNSMASQ + ASN method for Netflix in the EU.

Some VPN providers are using DNS proxy to get around Amazon Prime and Netflix blocks. If you are routing Netflix thru the VPN interface and are using Policy Rules, you need to set Accept DNS Configuration = Exclusive so any devices defined to use the tunnel will use the DNS pushed by the VPN service.

See the section Run Scripts on System Boot for instructions on how to configure the scripts so the IPSET lists and routing rules are populated at boot time.
 

Xentrk

Part of the Furniture
Thanks a lot again. From this page I had the command but because the configuration you mentioned has different rules of ways for routing, I was not sure, if this entry would fit. I want to use your configuration as the starting point and - Maybe - vary it a little bit. (e. g. Amazon regions etc). This was the reason I asked.

If it is possible and would be ok for you, it would be nice if you could send me the script you described before via PM without any confidential information. This would help me very much at my first steps.

One last question regarding the 192.168.1.0/24 policy : Is the order of this rule important in the policy page?

To be clear: Is there a difference if I put this rule in the first place in the ovpnc1 screen and then add rules for specific clients at the second or third place? E.g., if client 192.168.1.2 should use the WAN port instead of VPN, does this entry have to be before the general rule or could it be after?

If so, the rule 192.168.1.0/24 has to be set only once, at the active VPN with the lowest priority, and at the bottom of the page, right?

I will try your support as soon as I will be home again. So many thanks again for your excellent support and hints here.
Are you referring to the VPN_Failover.sh script to manage fail over assignments? Click on the link to access the code. If you need help with it, please start a new thread and @Martineau will assist you. It is advanced and I recommend you get x3mRouting working first.

The order of rules may come into play depending on your use case. OPVNC1 clients get first priority followed by OVPNC2 clients, etc. For LAN clients listed in the custom config section, the first one listed is the higher priority. The ip rule command will show you the priority order.

Any LAN clients not defined to use the VPN automatically get routed to the WAN interface. As a result, it is not really necessary to add LAN clients that use the WAN interface to the Custom Config section. Below is an example where one has to list the WAN interface for an individual LAN client if you want it to bypass the 192.168.1.0/24 rule that routes all LAN clients thru the VPN.

Code:
 LAN       192.168.1.0/24    0.0.0.0    VPN
 Laptop    192.168.1.50      0.0.0.0    WAN
EDIT:
The order does not matter for this scenario - WAN clients get a higher priority than VPN clients.
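To make the first-match behaviour described above concrete, here is an added shell example (not x3mRouting code and not part of the post) that replays a constructed `ip rule` listing and reports which rule, and therefore which routing table, a given LAN source address hits first. The kernel walks policy rules from the lowest pref upwards, which is exactly why a host rule pointing at the WAN wins over a /24 rule pointing at the VPN regardless of where each sits on the GUI page. The prefs (9990, 10010) and the table name ovpnc1 in the sample are assumptions for illustration; on a router the real values come from running `ip rule`, and any such listing can be passed as the second argument.

```shell
#!/bin/sh
# Added example, not x3mRouting code: replay a constructed `ip rule` listing
# and show which rule a LAN source address matches first.
# The kernel walks policy rules from the lowest "pref" upwards and uses the
# first rule whose "from" selector covers the packet's source address.

# Constructed sample in `ip rule` output format (prefs and table names assumed).
# The real pref 0 "from all lookup local" rule is left out: it only serves
# the router's own addresses and falls through for LAN traffic.
SAMPLE_IP_RULES='32766: from all lookup main
10010: from 192.168.1.0/24 lookup ovpnc1
9990: from 192.168.1.50 lookup main
32767: from all lookup default'

# first_match SRC_IP [RULES]
# Prints "<pref> <table>" for the first rule covering SRC_IP.
first_match() {
    printf '%s\n' "${2:-$SAMPLE_IP_RULES}" | sort -n | awk -v ip="$1" '
    # Dotted quad -> integer so prefixes can be compared numerically.
    function ip2int(s,  o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Does the selector ("all", a host, or a CIDR prefix) cover addr?
    function covers(sel, addr,  a, n, bits, div) {
        if (sel == "all") return 1
        n = split(sel, a, "/")
        bits = (n == 2) ? a[2] + 0 : 32
        if (bits == 0) return 1
        div = 2 ^ (32 - bits)          # drop the host bits
        return int(ip2int(a[1]) / div) == int(ip2int(addr) / div)
    }
    {
        pref = $1; sub(/:$/, "", pref)
        sel = "all"; tbl = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "from") sel = $(i + 1)
            else if ($i == "lookup") tbl = $(i + 1)
        }
        if (covers(sel, ip)) { print pref, tbl; exit }
    }'
}

# Demonstration: the /24 sends the LAN to ovpnc1, but the host rule for
# 192.168.1.50 has a lower pref, so that laptop stays on the WAN (main table).
first_match 192.168.1.50     # 9990 main
first_match 192.168.1.20     # 10010 ovpnc1
first_match 10.0.0.5         # 32766 main
```

The `main` table here stands for the WAN path, since that is where the router's default route lives; a lookup in `ovpnc1` is the VPN path.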
 

mister

Regular Contributor
Thank you guys. I will first try the x3mRouting script to get Amazon prime and netflix bypassing the vpn and then I will take a look into deeper details. Step by Step. :)

Your work. is great and I never imagined what could be done with scripts....
 

jfdaigle

New Around Here
No traffic is traversing the iptables chain for the following IPSET lists:

Code:
NETFLIX-812
AMAZON-GLOBAL
NETFLIX-394406
AMAZON-CA
As a result, they may not be needed.

Are you trying to route Amazon Prime and Netflix to the VPN or WAN interface?

Start with the the lists that work for me that I posted on the GitHub page and tell me if you still have the proxy error.

Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
If you still have issues with Netflix, try the DNSMASQ method:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
I've had two people report they need to use the combination of the DNSMASQ + ASN method for Netflix in the EU.

Some VPN providers are using DNS proxy to get around Amazon Prime and Netflix blocks. If you are routing Netflix thru the VPN interface and are using Policy Rules, you need to set Accept DNS Configuration = Exclusive so any devices defined to use the tunnel will use the DNS pushed by the VPN service.

See the section Run Scripts on System Boot for instructions on how to configure the scripts so the IPSET lists and routing rules are populated at boot time.

Thanks a lot, it seems to work! I guess I was missing a line or two. To clear up questions, I am using Method 3, bypassing my VPN for Netflix and Prime and sending them through WAN. So I added your scripts, both the DNSMASQ + ASN, changing the 1 for a 0 and it worked.

The last thing though is the Run Scripts on System Boot. Honestly, I went through the guide, but I have no idea how to configure this using the "/jffs/scripts/nat-start" and "#!/bin/sh" and UNIX. This is way too advanced for me. Is it too much trouble to send me what I have to type step by step? Thank you very much.

Final question, which might be my dumbest: once configured, do I have to leave the USB drive in the router or can I take it out? Are the scripts added to the router or do they stay in files on the USB drive?
 

Xentrk

Part of the Furniture
Thanks a lot, it seems to work! I guess I was missing a line or two. To clear up questions, I am using Method 3, bypassing my VPN for Netflix and Prime and sending them through WAN. So I added your scripts, both the DNSMASQ + ASN, changing the 1 for a 0 and it worked.

The last thing though is the Run Scripts on System Boot. Honestly, I went through the guide, but I have no idea how to configure this using the "/jffs/scripts/nat-start" and "#!/bin/sh" and UNIX. This is way too advanced for me. Is it too much trouble to send me what I have to type step by step? Thank you very much.

Final question, which might be my dumbest: once configured, do I have to leave the USB drive in the router or can I take it out? Are the scripts added to the router or do they stay in files on the USB drive?
You need to keep the USB plugged in. entware is installed on the USB and needs to remain mounted while using x3mRouting and some of the other add on programs written by the community. The root directory of entware is /opt. Backup files of the ipset lists are stored in /opt/tmp by default unless you specify another directory.

It appears you have SSH access to /jffs/scripts. Here is one method to accomplish the objective of adding the scripts to nat-start:

Code:
cd /jffs/scripts
touch nat-start
nano nat-start
copy the code below and paste into nano editor using right click:

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
Make any necessary edits
Ctrl+X
It will prompt to save the file, enter a "y"
Confirm the filename at the prompt

Set the file permission to executable:
Code:
chmod 755 nat-start
Run nat-start from the /jffs/scripts directory, type:
Code:
sh nat-start
Here are some resources to get a basic understanding of linux and how user scripts work:
Asuswrt-Merlin Wiki: User Scripts
Basic Linux Commands Sources

Let me know how things work out or if you need more help.
 

jfdaigle

New Around Here
You need to keep the USB plugged in. entware is installed on the USB and needs to remain mounted while using x3mRouting and some of the other add on programs written by the community. The root directory of entware is /opt. Backup files of the ipset lists are stored in /opt/tmp by default unless you specify another directory.

It appears you have SSH access to /jffs/scripts. Here is one method to accomplish the objective of adding the scripts to nat-start:

Code:
cd /jffs/scripts
touch nat-start
nano nat-start
copy the code below and paste into nano editor using right click:

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
Make any necessary edits
Ctrl+X
It will prompt to save the file, enter a "y"
Confirm the filename at the prompt

Set the file permission to executable:
Code:
chmod 755 nat-start
Run nat-start from the /jffs/scripts directory, type:
Code:
sh nat-start
Here are some resources to get a basic understanding of linux and how user scripts work:
Asuswrt-Merlin Wiki: User Scripts
Basic Linux Commands Sources

Let me know how things work out or if you need more help.

Everything works. Thank a lot!!!!!
 

mister

Regular Contributor
You need to keep the USB plugged in. entware is installed on the USB and needs to remain mounted while using x3mRouting and some of the other add on programs written by the community. The root directory of entware is /opt. Backup files of the ipset lists are stored in /opt/tmp by default unless you specify another directory.

It appears you have SSH access to /jffs/scripts. Here is one method to accomplish the objective of adding the scripts to nat-start:

Code:
cd /jffs/scripts
touch nat-start
nano nat-start
copy the code below and paste into nano editor using right click:

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
Make any necessary edits
Ctrl+X
It will prompt to save the file, enter a "y"
Confirm the filename at the prompt

Set the file permission to executable:
Code:
chmod 755 nat-start
Run nat-start from the /jffs/scripts directory, type:
Code:
sh nat-start
Here are some resources to get a basic understanding of linux and how user scripts work:
Asuswrt-Merlin Wiki: User Scripts
Basic Linux Commands Sources

Let me know how things work out or if you need more help.
For the second method you described with route-up here

https://github.com/Xentrk/x3mRouting/blob/master/README.md ,

could you please describe the step-by-step commands as well, if it is possible?

I have to create up to 5 files (depending on the actively used vpn connections) with nano, right? And each file has only the content of one ovpnc client. Do I have to put the rules to WAN in every file or is routing through wan a separate file called vpnclient0-route-up?

Thanks a lot again.
 

Xentrk

Part of the Furniture
For the second method you described with route-up here

https://github.com/Xentrk/x3mRouting/blob/master/README.md ,

could you please describe the step-by-step commands as well, if it is possible?

I have to create up to 5 files (depending on the actively used vpn connections) with nano, right? And each file has only the content of one ovpnc client. Do I have to put the rules to WAN in every file or is routing through wan a separate file called vpnclient0-route-up?

Thanks a lot again.
Type x3mRouting at the command line to access the x3mRouting menu.

Select option [4] = Install x3mRouting OpenVPN Event

Create a corresponding script called vpnclientX-route-up for each OpenVPN Client used for x3mRouting, where the "X" is the OpenVPN Client number 1, 2, 3, 4 or 5. You can use the method I describe above:

cd /jffs/scripts/x3mRouting
touch vpnclient1-route-up
nano vpnclient1-route-up

Following are the contents of my vpnclient1-route-up. You can copy/paste the contents and make any edits:

Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON_US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net
logger -st "($(basename "$0"))" $$ Ending Script Execution
Ctrl+X
It will prompt to save the file, enter a "y"
Confirm the filename at the prompt

Set the file permission to executable:

Code:
chmod 755 vpnclient1-route-up
My preference is to use MobaXterm or another SSH client software. Many use WinSCP. There are many choices available and everyone has their favorite.

I first install SFTP server from entware using the command:

Code:
opkg install openssh-sftp-server
I then open up an SFTP session to get a Windows Explorer type view of the directory. I can create, edit, delete and set file permissions from the menu. If I right click on the file, I can open it up in the MobaXterm editor.

 

mister

Regular Contributor
Type x3mRouting at the command line to access the x3mRouting menu.

Select option [4] = Install x3mRouting OpenVPN Event

Create a corresponding script called vpnclientX-route-up for each OpenVPN Client used for x3mRouting, where the "X" is the OpenVPN Client number 1, 2, 3, 4 or 5. You can use the method I describe above:

cd /jffs/scripts/x3mRouting
touch vpnclient1-route-up
nano vpnclient1-route-up

Following are the contents of my vpnclient1-route-up. You can copy/paste the contents and make any edits:

Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON_US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net
logger -st "($(basename "$0"))" $$ Ending Script Execution
Ctrl+X
It will prompt to save the file, enter a "y"
Confirm the filename at the prompt

Set the file permission to executable:

Code:
chmod 755 vpnclient1-route-up
My preference is to use MobaXterm or another SSH client software. Many use WinSCP. There are many choices available and everyone has their favorite.

I first install SFTP server from entware using the command:

Code:
opkg install openssh-sftp-server
I then open up an SFTP session to get a Windows Explorer type view of the directory. I can create, edit, delete and set file permissions from the menu. If I right click on the file, I can open it up in the MobaXterm editor.

Thank you very, very much for the step-by-step how-to. It helps me very much. Could you answer my last question, how to handle the routing to WAN in this method? Do I have to create a separate file for WAN or write them into the file for ovpnc1? Especially if you want to combine the rules later with the VPN failover script (currently not planned, interesting but not my level of configuration), the rules for WAN would disappear if placed only in the ovpnc1 file and ovpnc1 goes down.... In that case you have to add the WAN rules to all ovpnc clients and so you could have problems with conflicting WAN rules...

So I thought the creation of a separate file for WAN rules could be a sufficient way, or did I think in the wrong way....

So many thanks again for your patience with me...
 

Xentrk

Part of the Furniture
Thank you very, very much for the step-by-step how-to. It helps me very much. Could you answer my last question, how to handle the routing to WAN in this method? Do I have to create a separate file for WAN or write them into the file for ovpnc1? Especially if you want to combine the rules later with the VPN failover script (currently not planned, interesting but not my level of configuration), the rules for WAN would disappear if placed only in the ovpnc1 file and ovpnc1 goes down.... In that case you have to add the WAN rules to all ovpnc clients and so you could have problems with conflicting WAN rules...

So I thought the creation of a separate file for WAN rules could be a sufficient way, or did I think in the wrong way....

So many thanks again for your patience with me...
Most people will assign the IP address of the streaming device to the Policy Routing section so the traffic of the device is routed over the VPN. Or, define all LAN devices to use the VPN using the 192.168.0.1/24 entry. But if they are using a VPN server that NF or other services block, you are SOL and can't stream. You need to route that traffic to the WAN so it bypasses the VPN. You need to add the script to either nat-start or the vpnclientX-route-up file and use the "0" parameter to route NF traffic to the WAN.

So, if I have defined a streaming device to use the OVPNC1 interface, I need to place the entry below in nat-start or vpnclient1-route-up to have NF bypass the VPN:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
logger -st "($(basename "$0"))" $$ Ending Script Execution
If you specify the WAN interface using a 0, you are telling the router to bypass the VPN for that traffic and route it to the WAN.
 

mister

Regular Contributor
Most people will assign the IP address of the streaming device to the Policy Routing section so the traffic of the device is routed over the VPN. Or, define all LAN devices to use the VPN using the 192.168.0.1/24 entry. But if they are using a VPN server that NF or other services block, you are SOL and can't stream. You need to route that traffic to the WAN so it bypasses the VPN. You need to add the script to either nat-start or the vpnclientX-route-up file and use the "0" parameter to route NF traffic to the WAN.

So, if I have defined my streaming device to use the OVPNC1 interface, I need to place the entry below in nat-start or vpnclient1-route-up:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
logger -st "($(basename "$0"))" $$ Ending Script Execution
If you specify the WAN interface using a 0, you are telling the router to bypass the VPN for that traffic and route it to the WAN.
Yes, unfortunately I have no working VPN service for streaming Amazon Prime, so I have to route specific services over WAN, but the devices themselves should not be unprotected, so my solution seems to be a combination of the two starting methods you described on your page.

Nat-Start Method for the scripts using vpn bypass (Amazon prime) and the vpnclientX-route-up script for the selective routing of public streaming services via vpn.

So I will firstly use the how to you described for jfdaigle.

So many thanks for your help.
 

Xentrk

Part of the Furniture
Yes, unfortunately I have no working VPN service for streaming Amazon Prime, so I have to route specific services over WAN, but the devices themselves should not be unprotected, so my solution seems to be a combination of the two starting methods you described on your page.

Nat-Start Method for the scripts using vpn bypass (Amazon prime) and the vpnclientX-route-up script for the selective routing of public streaming services via vpn.

So I will firstly use the how to you described for jfdaigle.

So many thanks for your help.
You don't need to combine the two starting methods. Pick either nat-start or vpnclientX-route-up script.

If you have your streaming device set to use the OVPNC1 tunnel, you need to add the script to either nat-start or vpnclient1-route-up so it runs at system boot - but not both!

A common configuration where you want your entire LAN to go through the VPN, but not the router itself is below:

Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN
Say you entered this in the OVPNC1 Client Screen and you need to route NF to the WAN. You add the script entry to either nat-start of vpnclient1-route-up as follows:

Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
logger -st "($(basename "$0"))" $$ Ending Script Execution
Similarly, you want to route NF to the WAN and AMAZON thru the VPN tunnel:
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON_US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
logger -st "($(basename "$0"))" $$ Ending Script Execution
 

andresmorago

Senior Member
hi @Xentrk
I'm noticing that after making changes on the FreshJR QoS script, the ipset configured websites are no longer routed through my OVPN client. Is that normal?

I'm running method 3 and I have also run option #4 as described in your post.
My vpnclient1-route-up file contains
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
logger -st "($(basename "$0"))" $$ Ending Script Execution
My nat-start script doesn't have any x3mRouting calls,

but still I'm having issues when the router is rebooted or when any QoS changes are made.

I have to re-run
Code:
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
 

Xentrk

Part of the Furniture
hi @Xentrk
I'm noticing that after making changes on the FreshJR QoS script, the ipset configured websites are no longer routed through my OVPN client. Is that normal?

I'm running method 3 and I have also run option #4 as described in your post.
My vpnclient1-route-up file contains
Code:
#!/bin/sh
logger -st "($(basename "$0"))" $$ Starting Script Execution
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
logger -st "($(basename "$0"))" $$ Ending Script Execution
My nat-start script doesn't have any x3mRouting calls,

but still I'm having issues when the router is rebooted or when any QoS changes are made.

I have to re-run
Code:
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 1 amazon_vpn
I know Fresh also uses bitmasks/fwmarks. But last time I looked, they were different than the ones x3mRouting uses.

Run the iptables -nvL PREROUTING -t mangle --line command to see if the routing rules are still in effect after making QoS script changes. You can also run the ip rule command to see if the priority rules remain in effect.

Look in the system log and search for vpnclient1-route-up to confirm that it is being run at boot. An entry should appear after the OpenVPN client 1 has completed start-up.
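The two checks recommended in this thread can be scripted over captured output, which is useful when the same question comes up after every QoS change or reboot. The shell example below is added here and is not part of x3mRouting: it covers both the earlier diagnosis of ipset lists that no traffic had hit (reading the packet counters of `iptables -nvL PREROUTING -t mangle --line`) and the post above (confirming a list's MARK rule is still present and that vpnclient1-route-up logged its start and end). The iptables sample is trimmed from the listing posted earlier in the thread; the syslog lines are constructed to match what the `logger -st` calls in the route-up script produce, with a made-up hostname and timestamps.

```shell
#!/bin/sh
# Added example, not x3mRouting code: offline checks over captured command
# output. On a router you would feed it the live output, e.g.
#   idle_ipsets "$(iptables -nvL PREROUTING -t mangle --line)"
#   routeup_ran 1 "$(cat /tmp/syslog.log)"

# Constructed sample, trimmed from the iptables listing posted in the thread.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 3885 packets, 5171K bytes)
num pkts bytes target prot opt in out source destination
1 156K 214M MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-812 dst MARK or 0x8000
4 49 6122 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX-2906 dst MARK or 0x8000
7 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-GLOBAL dst MARK or 0x8000
8 121 14338 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-16509 dst MARK or 0x8000'

# Constructed syslog lines (hostname and times made up) in the shape produced
# by: logger -st "($(basename "$0"))" $$ Starting Script Execution
SAMPLE_SYSLOG='Aug 17 07:39:01 RT-XXXX openvpn[1234]: Initialization Sequence Completed
Aug 17 07:39:05 RT-XXXX (vpnclient1-route-up): 1301 Starting Script Execution
Aug 17 07:39:09 RT-XXXX (vpnclient1-route-up): 1301 Ending Script Execution'

# routed_ipsets OUTPUT: space-separated names of every ipset that has a MARK rule.
routed_ipsets() {
    printf '%s\n' "$1" | awk '
    /match-set/ {
        for (i = 1; i <= NF; i++)
            if ($i == "match-set") names = names (names == "" ? "" : " ") $(i + 1)
    }
    END { print names }'
}

# idle_ipsets OUTPUT: ipsets whose rule has matched zero packets (pkts column).
idle_ipsets() {
    printf '%s\n' "$1" | awk '
    /match-set/ {
        for (i = 1; i <= NF; i++) if ($i == "match-set") name = $(i + 1)
        if ($2 == "0") idle = idle (idle == "" ? "" : " ") name
    }
    END { print idle }'
}

# ipset_routed OUTPUT NAME: succeed only if a MARK rule for NAME is present.
# Run this after a QoS change to see whether the rule survived.
ipset_routed() {
    printf '%s\n' "$1" | grep -q "match-set $2 dst"
}

# routeup_ran N LOG: succeed if vpnclientN-route-up logged both start and end.
routeup_ran() {
    printf '%s\n' "$2" | grep -q "(vpnclient$1-route-up).*Starting Script Execution" &&
    printf '%s\n' "$2" | grep -q "(vpnclient$1-route-up).*Ending Script Execution"
}

echo "routed: $(routed_ipsets "$SAMPLE_MANGLE")"
echo "idle:   $(idle_ipsets "$SAMPLE_MANGLE")"
ipset_routed "$SAMPLE_MANGLE" NETFLIX-2906 && echo "NETFLIX-2906 rule present"
routeup_ran 1 "$SAMPLE_SYSLOG" && echo "vpnclient1-route-up ran"
```

An idle list is not necessarily wrong (the counters reset at boot and a list may simply not have been used yet), but a list that has a rule and never counts a packet over a full viewing session is the one to question, as Xentrk did above.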
 
