x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Frostry81

New Around Here
Many thanks for your work on this.
It's exactly what I want, as I was looking to route through the WAN for Netflix and Amazon Prime.

Just to report method three is working for me.

I'm based in the UK and to start with only Amazon Prime would work, with 'some' Netflix shows playing without issue. After a bit of investigation I found ipv4-c001-bhx003-virginmedia-isp.1.oca.nflxvideo.net seemed to be causing my problems.
I traced it back to ASN5089, which is maintained by my ISP.

I've ended up with the following

load_AMAZON_ipset_iface.sh 0 AMAZON-EU EU
load_ASN_ipset_iface.sh 0 NETFLIX-2906 AS2906
load_ASN_ipset_iface.sh 0 NETFLIX-5089 AS5089
load_ASN_ipset_iface.sh 0 NETFLIX-14618 AS14618

Hopefully that's not opened up too much.

Thanks again!
 

Jack Yaz

Part of the Furniture
Many thanks for your work on this.
It's exactly what I want, as I was looking to route through the WAN for Netflix and Amazon Prime.

Just to report method three is working on my Netgear R7000, that runs xwrt-vortex which is built from Asuswrt-Merlin.

I'm based in the UK and to start with only Amazon Prime would work, with 'some' Netflix shows playing without issue. After a bit of investigation I found ipv4-c001-bhx003-virginmedia-isp.1.oca.nflxvideo.net seemed to be causing my problems.
I traced it back to ASN5089, which is maintained by my ISP.

I've ended up with the following

load_AMAZON_ipset_iface.sh 0 AMAZON-EU EU
load_ASN_ipset_iface.sh 0 NETFLIX-2906 AS2906
load_ASN_ipset_iface.sh 0 NETFLIX-5089 AS5089
load_ASN_ipset_iface.sh 0 NETFLIX-14618 AS14618

Hopefully that's not opened up too much.

Thanks again!
You're running the software illegally. https://www.snbforums.com/threads/a...d-forks-on-non-asus-devices-is-illegal.44636/
 

Xentrk

Part of the Furniture
Many thanks for your work on this.
It's exactly what I want, as I was looking to route through the WAN for Netflix and Amazon Prime.

Just to report method three is working for me.

I'm based in the UK and to start with only Amazon Prime would work, with 'some' Netflix shows playing without issue. After a bit of investigation I found ipv4-c001-bhx003-virginmedia-isp.1.oca.nflxvideo.net seemed to be causing my problems.
I traced it back to ASN5089, which is maintained by my ISP.

I've ended up with the following

load_AMAZON_ipset_iface.sh 0 AMAZON-EU EU
load_ASN_ipset_iface.sh 0 NETFLIX-2906 AS2906
load_ASN_ipset_iface.sh 0 NETFLIX-5089 AS5089
load_ASN_ipset_iface.sh 0 NETFLIX-14618 AS14618

Hopefully that's not opened up too much.

Thanks again!
I suspect it may be a Content Delivery Network issue where Netflix is caching content on servers your ISP is hosting?

Anyways, the DNSMASQ method may eliminate the need for the three ASN scripts. I also included amazonaws.com domain in the example below:

Code:
sh load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
 

Kingp1n

Very Senior Member
@Xentrk you helped me set up Comcast "at home" thru the VPN forums using option 3 of your install. A few days ago my router (RT-AC86U) somehow reset and I had to set it up all over again. This time around, I will not be using Diversion/Skynet; however, I did re-install amtm to include your script again. I have finally finished setting up my router and for some odd reason... Comcast at home is not working with your script. Hulu and Netflix are working flawlessly.

In the past, all I did was add the ASN script and add the ASN command (sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 COMCAST AS7922) to nat-start and it started working. I restarted the router and Hulu/Netflix work without issues. Can it be that I have the PIA server address set up to the "east" coast server? It's odd because it worked in the past.

I use PIA VPN and I'm using option 3 of your script, but for whatever reason, Comcast at home is not working... any other options you think I can try?
 

Xentrk

Part of the Furniture
@Xentrk you helped me set up Comcast "at home" thru the VPN forums using option 3 of your install. A few days ago my router (RT-AC86U) somehow reset and I had to set it up all over again. This time around, I will not be using Diversion/Skynet; however, I did re-install amtm to include your script again. I have finally finished setting up my router and for some odd reason... Comcast at home is not working with your script. Hulu and Netflix are working flawlessly.

In the past, all I did was add the ASN script and add the ASN command (sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 COMCAST AS7922) to nat-start and it started working. I restarted the router and Hulu/Netflix work without issues. Can it be that I have the PIA server address set up to the "east" coast server? It's odd because it worked in the past.

I use PIA VPN and I'm using option 3 of your script, but for whatever reason, Comcast at home is not working... any other options you think I can try?
It is peculiar, since AS7922 was working before. I highly recommend you add the router's IP address to the Policy Rules and route it to the WAN.

First thing to check is to make sure the ipset list is populated and the routing rules for COMCAST are being applied.
  1. Use the liststats command to make sure the COMCAST ipset list is being populated.
  2. Run the command iptables -nvL PREROUTING -t mangle --line to see if packets are traversing the chain.
The second step is to mine dnsmasq.log, or use the 'follow the log file' feature of Diversion, to see what domain names are being called when watching Comcast. Then, do an nslookup on the domain name to get the IP address. Run the whob command on the IP address to list the ASN it belongs to, or look up the IP address using the BGP Toolkit. You may need to add another ASN.
 

Xentrk

Part of the Furniture
The other thing is the order of the iptables rules. They are processed in order. When it was working before, did you have the script for comcast listed before the script for Hulu and NF?
 

Kingp1n

Very Senior Member
The other thing is the order of the iptables rules. They are processed in order. When it was working before, did you have the script for comcast listed before the script for Hulu and NF?
Thanks... I had made a backup of the nat-start file, so I have not changed the order of the iptables rules. In the past, I also used both AS7922 and AS7016. I'll continue to work on the steps you mentioned earlier.
 

Xentrk

Part of the Furniture
Thanks... I had made a backup of the nat-start file, so I have not changed the order of the iptables rules. In the past, I also used both AS7922 and AS7016. I'll continue to work on the steps you mentioned earlier.
You are welcome. Comcast owns 71 AS numbers. Try adding AS7015.
 

mister

Regular Contributor
Dear all,
I have a problem with my configuration. The German TV streams should be streamed via OVPNC1 (Germany); the rest should be routed to OVPNC2, except some devices with specific IPs.
I got the AS numbers and populated them (see screenshots). I added DNSMASQ as well, but it doesn't work.

But the routing seems to be via OVPNC2, because I got an error that I am in the wrong country. What did I do wrong?

edit: I got it working. You have to add additional URLs to the DNSMASQ entries, e.g. akamaihd.net. Then it works....

Thanks a lot.
 

Xentrk

Part of the Furniture
Dear all,
I have a problem with my configuration. The German TV streams should be streamed via OVPNC1 (Germany); the rest should be routed to OVPNC2, except some devices with specific IPs.
I got the AS numbers and populated them (see screenshots). I added DNSMASQ as well, but it doesn't work.

But the routing seems to be via OVPNC2, because I got an error that I am in the wrong country. What did I do wrong?

Thanks a lot.
When you see a 0 in the pkts and bytes columns, it means no traffic is traversing that chain. No match is occurring. You need to mine dnsmasq to see what domain names are being used. Then, do an nslookup to get the IP address. Then, either use the whob command on the IP address to identify the ASN the IP address belongs to, or look up the IP address on the Hurricane Electric BGP Toolkit.
 
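The reading of the counters given above, turned into a check. This is an added example, not code from the thread or from the x3mRouting project: it classifies one ipset from constructed liststats and iptables -nvL PREROUTING -t mangle output modelled on the listings posted in this thread, so the set names and counts are sample values.

```shell
#!/bin/sh
# Constructed sample output (modelled on the thread's listings, not captured here):
# liststats entry counts and the mangle PREROUTING chain of a router running x3mRouting.
LISTSTATS=$(cat <<'EOF'
AMAZON-US - 382
COMCAST - 107
NETFLIX - 154
HULU_WEB - 63
XFINITY - 0
Skynet-IOT - 0
EOF
)
MANGLE=$(cat <<'EOF'
Chain PREROUTING (policy ACCEPT 45985 packets, 14M bytes)
num pkts bytes target prot opt in out source destination
1 4804 2565K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 243 15640 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set XFINITY dst MARK or 0x8000
4 1016 79765 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x8000
5 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst MARK or 0x8000
6 1199 94283 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set HULU_WEB dst MARK or 0x8000
EOF
)

# Entry count of ipset NAME in liststats output ("NAME - COUNT"), or "missing".
set_entries() {  # $1 = liststats text, $2 = set name
  printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $3; f=1 } END { if (!f) print "missing" }'
}

# pkts column (field 2 with --line) of the PREROUTING rule that references ipset NAME, or "norule".
rule_pkts() {    # $1 = iptables text, $2 = set name
  printf '%s\n' "$1" | awk -v n="$2" \
    '/match-set/ { for (i = 1; i <= NF; i++) if ($i == "match-set" && $(i+1) == n) { print $2; f=1 } }
     END { if (!f) print "norule" }'
}

# Classify one ipset the way the troubleshooting in this thread does:
#   no-rule   : the ipset exists but no MARK rule references it (script not run / nat-start lost)
#   empty-set : a rule exists but the list has no entries, so nothing can ever match
#   no-match  : the list is populated but the rule shows 0 pkts: the client's destinations
#               are not in the list, so more domains or AS numbers are needed
#   routing   : the list is populated and the rule is matching traffic
diagnose() {     # $1 = liststats text, $2 = iptables text, $3 = set name
  entries=$(set_entries "$1" "$3")
  pkts=$(rule_pkts "$2" "$3")
  if [ "$pkts" = "norule" ]; then echo "no-rule"
  elif [ "$entries" = "missing" ] || [ "$entries" = "0" ]; then echo "empty-set"
  elif [ "$pkts" = "0" ]; then echo "no-match"
  else echo "routing"
  fi
}

# Demo over the constructed sample; on the router feed it the live command output instead.
for s in AMAZON-US NETFLIX XFINITY Skynet-IOT; do
  echo "$s: $(diagnose "$LISTSTATS" "$MANGLE" "$s")"
done
```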

mister

Regular Contributor
When you see a 0 in the pkts and bytes columns, it means no traffic is traversing that chain. No match is occurring. You need to mine dnsmasq to see what domain names are being used. Then, do an nslookup to get the IP address. Then, either use the whob command on the IP address to identify the ASN the IP address belongs to, or look up the IP address on the Hurricane Electric BGP Toolkit.
Dear Xentrk,
I already used the BGP Toolkit to get the AS numbers. But that was not enough. I used the program MediathekView to look at the URLs for streaming. These URLs I added to DNSMASQ, as well as the top-level domains for the TV broadcasters. Maybe I transferred more URLs than necessary via OVPNC1, but it seems to work at the moment. I am able to stream :)

But thanks a lot for your support.
If you are interested I can send you the script, so that you could add the URLs to your help file....


Last question:
The IPs of the guest network are from the same range as my "normal" network. Any idea how to separate them, e.g. 192.168.11.0 (normal network), 192.168.22.0 (guest)?
Currently the same rule with 192.168.11.0/24 as source is applied to the normal network and to guests....

I added a rule for my DSL router so that it can be configured from my Asus network. So I allowed everybody on the normal network to reach 192.168.0.1. Unfortunately it is reachable from the guest network as well. That I don't want...
 

Xentrk

Part of the Furniture
Dear Xentrk,
I already used the BGP Toolkit to get the AS numbers. But that was not enough. I used the program MediathekView to look at the URLs for streaming. These URLs I added to DNSMASQ, as well as the top-level domains for the TV broadcasters. Maybe I transferred more URLs than necessary via OVPNC1, but it seems to work at the moment. I am able to stream :)

But thanks a lot for your support.
If you are interested I can send you the script, so that you could add the URLs to your help file....
Can you post an example or two of the domain names you passed to the script using the dnsmasq method? Thank you.
 

Kingp1n

Very Senior Member
You are welcome. Comcast owns 71 AS numbers. Try adding AS7015.
I tried adding it, with no luck.... I was looking in WinSCP at the configs folder and the dnsmasq file, and when I opened it, it has the following line: ipset=/hulu.com/hulustream.com/akamaihd.net/HULU_WEB

Should I add anything here to reflect Comcast? Also, liststats shows:

[email protected]:/jffs/scripts# liststats
AMAZON-US - 382
COMCAST - 107
HULU_WEB - 63
NETFLIX - 154
Skynet-Blacklist - 160870
Skynet-BlockedRanges - 1810
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 5091
XFINITY - 107

and:

[email protected]:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 45985 packets, 14M bytes)
num pkts bytes target prot opt in out source destination
1 4804 2565K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 13 1118 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 243 15640 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set XFINITY dst MARK or 0x8000
4 1016 79765 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x8000
5 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst MARK or 0x8000
6 1199 94283 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set HULU_WEB dst MARK or 0x8000
7 70 3843 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set COMCAST dst MARK or 0x8000

Ip rule:

[email protected]:/jffs/scripts# ip rule
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
10001: from 192.168.1.1/27 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
 

Xentrk

Part of the Furniture
I tried adding it, with no luck.... I was looking in WinSCP at the configs folder and the dnsmasq file, and when I opened it, it has the following line: ipset=/hulu.com/hulustream.com/akamaihd.net/HULU_WEB

Should I add anything here to reflect Comcast? Also, liststats shows:

[email protected]:/jffs/scripts# liststats
AMAZON-US - 382
COMCAST - 107
HULU_WEB - 63
NETFLIX - 154
Skynet-Blacklist - 160870
Skynet-BlockedRanges - 1810
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 5091
XFINITY - 107

and:

[email protected]:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 45985 packets, 14M bytes)
num pkts bytes target prot opt in out source destination
1 4804 2565K MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 13 1118 MARK all -- tun21 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
3 243 15640 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set XFINITY dst MARK or 0x8000
4 1016 79765 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set AMAZON-US dst MARK or 0x8000
5 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIX dst MARK or 0x8000
6 1199 94283 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set HULU_WEB dst MARK or 0x8000
7 70 3843 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set COMCAST dst MARK or 0x8000

Ip rule:

[email protected]:/jffs/scripts# ip rule
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
10001: from 192.168.1.1/27 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
What I recommend that you do is mine dnsmasq using the technique and script getdomainnames.sh

Installation of getdomainnames.sh
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/getdomainnames.sh" -o /jffs/scripts/getdomainnames.sh && chmod 755 /jffs/scripts/getdomainnames.sh
1. mv /jffs/scripts/nat-start /jffs/scripts/nat-start.bk
2. Reboot to remove routing rules created by the x3mRouting scripts.
3. Turn off VPN to route all traffic thru the WAN.
4. Navigate to the dnsmasq log file directory. My dnsmasq.log file location is /opt/var/log.
5. Type the command to start capturing domains used by Comcast to the file:

Code:
tail -f dnsmasq.log > Comcast
6. Now, go to the device you are watching Comcast from. If you are streaming from your PC or laptop, close out other applications to minimize collecting domain names for non-Comcast traffic. Navigate around the menu options and watch several videos for a few minutes each to generate traffic and log entries to dnsmasq.log.
7. When done generating Comcast traffic, press ctrl-C to stop logging to the /opt/var/log/Comcast file. Run the getdomainnames.sh script, passing the file name and IP address of the device you were watching Comcast from. For example:

Code:
sh /jffs/scripts/getdomainnames.sh Comcast 192.168.1.20
8. This will create a file called Comcast_domains in the /opt/var/log directory. Open the file in an editor to view the domain names collected. The next step is to desk check the file for domains not related to Comcast. These are domains generated by other applications on the LAN client you streamed from. Once you have narrowed down the domains, the next step is to use the top level domain name references in the script using the domain names you captured. For example:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 COMCAST xfinity.net,comcast.com, etc..
Or, you can analyze the IP addresses for each domain and see what AS number they belong to and use the ASN method.
 
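The capture-and-filter part of the procedure above (steps 5 to 8) as a self-contained script. This is an added example, not the project's getdomainnames.sh and not code from the thread: it runs against a constructed dnsmasq.log excerpt, the client address 192.168.1.20 and the domains are sample values, and collapsing names to their last two labels is an assumption about the form load_DNSMASQ_ipset_iface.sh wants.

```shell
#!/bin/sh
# Constructed dnsmasq.log excerpt (not captured from the thread): the streaming client
# is 192.168.1.20; 192.168.1.30 is another LAN host doing unrelated lookups. The
# windowsupdate.com line stands in for the non-Comcast noise step 8 says to desk check.
SAMPLE_LOG=$(cat <<'EOF'
Mar  9 20:01:01 dnsmasq[412]: query[A] www.xfinity.com from 192.168.1.20
Mar  9 20:01:01 dnsmasq[412]: forwarded www.xfinity.com to 1.1.1.1
Mar  9 20:01:01 dnsmasq[412]: reply www.xfinity.com is 96.114.0.10
Mar  9 20:01:02 dnsmasq[412]: query[AAAA] www.xfinity.com from 192.168.1.20
Mar  9 20:01:05 dnsmasq[412]: query[A] cdn.video.xfinity.net from 192.168.1.20
Mar  9 20:01:07 dnsmasq[412]: query[A] www.netflix.com from 192.168.1.30
Mar  9 20:01:09 dnsmasq[412]: query[A] login.comcast.net from 192.168.1.20
Mar  9 20:01:11 dnsmasq[412]: query[A] api.comcast.net from 192.168.1.20
Mar  9 20:01:13 dnsmasq[412]: query[A] ctldl.windowsupdate.com from 192.168.1.20
EOF
)

# Distinct FQDNs that CLIENT asked dnsmasq to resolve (A and AAAA queries only;
# forwarded/reply/cached lines carry no client address and are skipped).
# Log line layout: Mon D HH:MM:SS dnsmasq[pid]: query[TYPE] NAME from CLIENT
domains_for_client() {   # $1 = dnsmasq.log path, $2 = client IP
  awk -v ip="$2" '$5 ~ /^query\[/ && $7 == "from" && $8 == ip { print $6 }' "$1" | sort -u
}

# Collapse FQDNs to their last two labels, the form the ipset=/domain/... dnsmasq
# entry matches (every subdomain of comcast.net). Two-label collapsing is wrong for
# ccSLDs such as .co.uk, so review the output before passing it to the script.
top_level_domains() {    # $1 = dnsmasq.log path, $2 = client IP
  domains_for_client "$1" "$2" | awk -F. 'NF >= 2 { print $(NF-1) "." $NF }' | sort -u
}

# Join a reviewed domain list into the comma-separated argument the script expects.
comma_list() { paste -s -d, - ; }

# Demo on the constructed sample; on a router point the functions at /opt/var/log/Comcast.
demo() {
  tmp=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$tmp"
  echo "FQDNs queried by 192.168.1.20:"; domains_for_client "$tmp" 192.168.1.20
  echo "candidate argument (desk check before use): $(top_level_domains "$tmp" 192.168.1.20 | comma_list)"
  rm -f "$tmp"
}
demo
```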

Kingp1n

Very Senior Member
What I recommend that you do is mine dnsmasq using the technique and script getdomainnames.sh

Installation of getdomainnames.sh
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/netflix-vpn-bypass/master/getdomainnames.sh" -o /jffs/scripts/getdomainnames.sh && chmod 755 /jffs/scripts/getdomainnames.sh
1. mv /jffs/scripts/nat-start /jffs/scripts/nat-start.bk
2. Reboot to remove routing rules created by the x3mRouting scripts.
3. Turn off VPN to route all traffic thru the WAN.
4. Navigate to the dnsmasq log file directory. My dnsmasq.log file location is /opt/var/log.
5. Type the command to start capturing domains used by Comcast to the file:

Code:
tail -f dnsmasq.log > Comcast
6. Now, go to the device you are watching Comcast from. If you are streaming from your PC or laptop, close out other applications to minimize collecting domain names for non-Comcast traffic. Navigate around the menu options and watch several videos for a few minutes each to generate traffic and log entries to dnsmasq.log.
7. When done generating Comcast traffic, press ctrl-C to stop logging to the /opt/var/log/Comcast file. Run the getdomainnames.sh script, passing the file name and IP address of the device you were watching Comcast from. For example:

Code:
sh /jffs/scripts/getdomainnames.sh Comcast 192.168.1.20
8. This will create a file called Comcast_domains in the /opt/var/log directory. Open the file in an editor to view the domain names collected. The next step is to desk check the file for domains not related to Comcast. These are domains generated by other applications on the LAN client you streamed from. Once you have narrowed down the domains, the next step is to use the top level domain name references in the script using the domain names you captured. For example:

Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 COMCAST xfinity.net,comcast.com, etc..
Or, you can analyze the IP addresses for each domain and see what AS number they belong to and use the ASN method.
Thanks again! Got it working by adding the comcast.net/com domains. Really do appreciate all the help on this matter.
 

Xentrk

Part of the Furniture
Thanks again! Got it working by adding the comcast.net/com domains. Really do appreciate all the help on this matter.
Good news. :) Thanks for reporting back. Hopefully it will help someone else in the future.
 

StarkWiz

New Around Here
First of all, thank you for these awesome scripts which enhance the features of Asus routers. :)
I know this script has been specifically made for routing to a VPN.
But I have slightly different use case.
I have two internet connections, both are unlimited, but one of them reduces speed after a certain usage and that is my primary WAN connection.
The other one is truly unlimited and connected on LAN port 4 in Dual WAN+Failover configuration on RT-AC68U.

I want to redirect all Backblaze traffic through this 2nd WAN connection.
I ran this script to create the ipset,
Code:
sh load_ASN_ipset_iface.sh 0 Backblaze AS32354
But in the script there is option only for 1st/default WAN that is WAN 0 and the other 5 are all OpenVPN connections.

How can I use this ipset and configure it to route Backblaze traffic through the 2nd WAN connection on the router?
 

Xentrk

Part of the Furniture
First of all, thank you for these awesome scripts which enhance the features of Asus routers. :)
I know this script has been specifically made for routing to a VPN.
But I have slightly different use case.
I have two internet connections, both are unlimited, but one of them reduces speed after a certain usage and that is my primary WAN connection.
The other one is truly unlimited and connected on LAN port 4 in Dual WAN+Failover configuration on RT-AC68U.

I want to redirect all Backblaze traffic through this 2nd WAN connection.
I ran this script to create the ipset,
Code:
sh load_ASN_ipset_iface.sh 0 Backblaze AS32354
But in the script there is option only for 1st/default WAN that is WAN 0 and the other 5 are all OpenVPN connections.

How can I use this ipset and configure it to route Backblaze traffic through the 2nd WAN connection on the router?
Routing to WAN1 should work. I'm unable to test using dual WAN, though. I looked at some of @Martineau's posts for references. I'm not sure if the fwmark/bitmask of 0x9000/0x9000 will work. I would need to evaluate the priority number for WAN1 as well. You can test by running the commands below:

Code:
#del current routes assigned to WAN0
sh load_ASN_ipset_iface.sh 0 Backblaze AS32354 del
Code:
#create ipset list Backblaze without adding routing rules (non-iface script)
sh load_ASN_ipset.sh Backblaze AS32354
Code:
# WAN1 - Create rule and table for WAN1
ip rule add from 0/0 fwmark 0x9000/0x9000 table wan1 prio 990
ip route flush cache
Code:
#Create routing rule for ipset list
iptables -t mangle -A PREROUTING -i br0 -m set --match-set Backblaze dst -j MARK --set-mark 0x9000/0x9000
See if the routing works. Run the command below to see if any packets are traversing the chain.
Code:
iptables -nvL PREROUTING -t mangle --line
Check RPDB priorities using the command
Code:
ip rule
Back out the changes:
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set Backblaze dst -j MARK --set-mark 0x9000/0x9000
ip rule del fwmark 0x9000/0x9000
ip rule del prio 990
 

StarkWiz

New Around Here
Code:
iptables -nvL PREROUTING -t mangle --line
Check RPDB priorities using the command
Code:
ip rule
Code:
[email protected]:/jffs/scripts/x3mRouting# ip rule
0:      from all lookup local
990:    from all fwmark 0x9000/0x9000 lookup wan1
9990:   from all fwmark 0x8000/0x8000 lookup main
32766:  from all lookup main
32767:  from all lookup default
[email protected]:/jffs/scripts/x3mRouting# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 23383 packets, 2152K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1742 2160K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set Backblaze dst MARK or 0x9000
Thank you for the detailed steps. The routing is working but traffic is not going through the secondary WAN :(
How is the fwmark bitmask calculated? What kind of information do you need to get it right for the secondary WAN?

Thanks again for quick response :)
 