x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Thank you for this. I think I have a bit of a dilemma. I use Pi-hole as my DNS server and the names are not getting logged here. This may not be able to work with my setup. When I ran the script and started streaming I got zero output.
 
dnsmasq logging needs to be enabled. You can use these instructions to set it up.
https://github.com/Xentrk/x3mRouting#enable-dnsmasq-logging

I will update the code to prompt the user if they want the script to perform the dnsmasq.log setup if it doesn't exist. Need a day or two though.

Xentrk, if I'm starting to use this script from scratch and previously used option 3 of the older script, which option would I use now? I don't have backup files anymore, but I wanted to mirror my old setup when I used option 3 with the nat-start file.

I now see 4 install options:
1. install lan...
2. install OpenVPN...
3. install OpenVPN event...
4. install getdomainnames...

Which would be the best option to use? Thanks!

Update: I think I got it figured out!!! Looking good so far!
 
I just discovered that a firewall restart will wipe the routing rules for IPSETS if using the GUI. I fixed this in the new version for those using option 2 but didn't realize the GUI had the same issue until now. I have to ponder the best way to patch for the GUI as there are several ways I can handle it. But just be aware of it for now.
 
The ASN, Amazon and Manual methods may still work with your setup though. You can try an experiment by creating a rule to have a LAN client or all LAN devices routed through the VPN. Then, create a VPN Bypass Rule to have whatismyipaddress.com route through the WAN as follows:

Code:
x3mRouting 1 0 WIMIPADDR ip=104.16.155.36,104.16.154.36

You can go to whatismyip.com and it should report the VPN IP address and whatismyipaddress.com should report your WAN address.
 

Thank you for this. I think those methods will work; I have not tested it yet. I have a question: if I just wanted to bypass all Netflix traffic so it does not use the VPN, would it be something like this?

Code:
x3mRouting ALL 0 NETFLIX asnum=AS2906 src=192.168.1.1-192.168.1.254
 
@Xentrk I have a question about something I have been noticing.

I have the following entries in my dnsmasq.conf.add:
Code:
ipset=/ifconfig.io/aws1
ipset=/pandora.com/aws1
ipset=/ipinfo.io/aws1
ipset=/mediafire.com/aws1

Routing works OK.
Now let's say I delete the mediafire entry and restart dnsmasq. I also flush DNS on my Windows device. The routing keeps happening. Is this normal? How can I revert it so it goes through the main WAN?
 
The problem is that the mediafire IPv4 addresses still reside in the IPSET list 'aws1'. The easiest way is to delete the ipset list and all references using the 'x3mRouting ipset_name=aws1 del' command. Then remove the save/restore file (e.g. rm /opt/tmp/aws1). Lastly, rerun x3mRouting using the other domains; dnsmasq will start loading the IPSET list from scratch.

Otherwise, you have to do some analysis to figure out what IPv4 addresses belong to mediafire.com.

You may want to consider creating separate IPSET lists for each host name if you have dynamic routing requirements. The other benefit is you can view the number of packets traversing the routing rule.

Code:
x3mRouting ALL 1 IFCONFIG dnsmasq=ifconfig.io
x3mRouting ALL 1 PANDORA dnsmasq=pandora.com
x3mRouting ALL 1 IPINFO dnsmasq=ipinfo.io
x3mRouting ALL 1 MEDIAFIRE dnsmasq=mediafire.com

Now, if you want to remove mediafire.com, type

Code:
x3mRouting ipset_name=MEDIAFIRE del

All of the IPv4 addresses you collected from the other domains and mediafire.com will still be preserved in the save/restore file in case you want to reuse it later on.
 
The "ALL" + "0" combination will not work. In the new version, you need to specify the VPN you want to bypass. It usually means you have a rule such as 192.168.1.0/24 in the GUI to have all LAN traffic to use the VPN. But you need to bypass the VPN for Netflix traffic because Netflix blocks VPNs. So, if the LAN rule exists in VPN Client 1, you need to specify VPN Client 1 as the traffic source and the WAN as the destination.

Code:
x3mRouting 1 0 NETFLIX asnum=AS2906

This is called VPN Bypass Routing. Specifying the source is also required so x3mRouting knows how to configure the setup.
 
Hi Xentrk. Small Q, I have multiple rules with IP numbers, option 3, like:
Code:
x3mRouting 3 0 horizon dnsmasq=212.142.30.138
x3mRouting 3 0 horizon dnsmasq=212.142.30.170
and some more.
Unfortunately the ASN numbers don't work, but with the IPs it's working. Is it possible to combine the IPs in a way, or do you have any recommendations before I have to reset the router? Tnx!
 
The IPv4 addresses are downloaded from ipinfo.io. ipinfo.io may require whitelisting if you use an ad-blocker program. If x3mRouting is unable to download the IP addresses from ipinfo.io, it will attempt to download using the aslookup tool on api.hackertarget.com/aslookup/.

Check if IPv4 addresses were downloaded into the save/restore file located in /opt/tmp with the same name as the IPSET list. If it has values, then the download worked. The liststats command will show the number of entries in the IPSET list.

The usage for the dnsmasq method isn't correct. For the dnsmasq method, you need to specify a top level domain name rather than an IP address.

Code:
x3mRouting ALL 1 ipset_name ['dnsmasq='domain[,domain]...]

The correct way is to use the 'ip=' parameter and pass IPv4 addresses or CIDR ranges:
Code:
x3mRouting ALL 1 ipset_name ['ip='ip[,ip][,cidr]...]
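As an added check (example code, not part of x3mRouting or of this thread): the save/restore file in /opt/tmp that the reply above points to is written by the 'ipset save' cron job, so counting its 'add' lines tells you whether the IPv4 download actually produced entries, without needing the kernel set to be loaded. The file layout shown, the sample sets WIMIPADDR and TEST100 and the temporary directory are constructed for the demo; the real files live in /opt/tmp.

```shell
#!/bin/sh
# Added example, not part of x3mRouting: inspect an x3mRouting save/restore
# file (written by `ipset save <name>`) and report whether the IPv4
# download or dnsmasq collection produced any entries.

# Print the number of "add <set> <entry>" lines in an ipset save file.
# A missing file counts as zero entries.
count_saved_entries() {
    [ -f "$1" ] || { echo 0; return; }
    awk '$1 == "add" { n++ } END { print n + 0 }' "$1"
}

# Print the entries themselves (IPv4 or CIDR), one per line.
list_saved_entries() {
    [ -f "$1" ] || return 0
    awk '$1 == "add" { print $3 }' "$1"
}

# Summarise one set in the "name - count" form liststats uses, but read
# from the file rather than from the kernel. Second argument overrides
# the /opt/tmp directory (used here for the constructed sample).
check_saved_set() {
    name=$1
    dir=${2:-/opt/tmp}
    n=$(count_saved_entries "$dir/$name")
    if [ "$n" -eq 0 ]; then
        echo "$name - 0 (empty: the download or dnsmasq collection produced nothing)"
    else
        echo "$name - $n"
    fi
}

# Constructed sample data in the layout `ipset save` produces (assumption:
# one "create" header line followed by one "add" line per member).
demo_dir=$(mktemp -d)
cat > "$demo_dir/WIMIPADDR" <<'EOF'
create WIMIPADDR hash:net family inet hashsize 1024 maxelem 65536
add WIMIPADDR 104.16.155.36
add WIMIPADDR 104.16.154.36
EOF
# A set whose download failed: header only, no members.
cat > "$demo_dir/TEST100" <<'EOF'
create TEST100 hash:net family inet hashsize 1024 maxelem 65536
EOF

check_saved_set WIMIPADDR "$demo_dir"   # WIMIPADDR - 2
check_saved_set TEST100 "$demo_dir"
```

Run it as-is to see the two verdicts; on the router, call check_saved_set with just the IPSET list name to read the real file under /opt/tmp.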
 
Hi Xentrk, Tnx for the explanations. The fun part is that the method I used that I posted before seems to work, and the apps on the TVs that have to go through the LAN seem to work; even after a reboot the script survives.
This is what I see after a reboot, and all is working just fine.
Code:
15:12:38 (x3mRouting.sh): 4853 Selective Routing Rule via WAN deleted for horizon fwmark 0x8000/0x8000
15:12:38 (x3mRouting.sh): 4853 Selective Routing Rule via WAN created for horizon fwmark 0x8000/0x8000
The question is, do I have to change something? Can it harm, even when it's working, in regards to privacy on the VPN?
 
There is no checking of the value entered for the domain name. The only way I could code this is to check whether the entry already exists in the dnsmasq.log file, which would prevent someone from setting it up in advance.

So the script will run and create the IPSET list for whatever is placed after the 'dnsmasq='. But using an IP address after the 'dnsmasq=' will never get a hit from the dnsmasq IPSET feature, and the IPSET list will not get populated. In this example, I specify an IP address and the script appears to run normally.

Code:
x3mRouting ALL 1 TEST100 dnsmasq=172.16.0.1

(x3mRouting): 27125 Starting Script Execution ALL 1 TEST100 dnsmasq=172.16.0.1

Done.
(x3mRouting): 27125 IPSET created: TEST100 hash:net family inet hashsize 1024 maxelem 65536
(x3mRouting): 27125 CRON schedule created: #TEST100# '0 2 * * * ipset save TEST100'
(x3mRouting): 27125 Selective Routing Rule via VPN Client 1 created for TEST100 fwmark 0x1000/0x1000
(x3mRouting): 27125 iptables -t mangle -D PREROUTING -i br0 -m set --match-set TEST100 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27125 iptables -t mangle -A PREROUTING -i br0 -m set --match-set TEST100 dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27125 iptables -t mangle -D PREROUTING -i br0 -m set --match-set TEST100 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 27125 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 TEST100 dnsmasq=172.16.0.1 added to /jffs/scripts/nat-start
(x3mRouting): 27125 Completed Script Execution

Here is the contents of my dnsmasq.conf.add file. Note the top level domain names for the IPSET lists I have running on my router. But the one I created for TEST100 contains an IP address.
Code:
cat /jffs/configs/dnsmasq.conf.add
ipset=/ipleak.net/IPLEAK
ipset=/bbc.co.uk/bbc.com/bbc.gscontxt.net/bbci.co.uk/bbctvapps.co.uk/ssl-bbcsmarttv.2cnt.net/BBC_WEB
ipset=/hulu.com/hulustream.com/akamaihd.net/HULU_WEB
ipset=/movetv.com/MOVETV
ipset=/pandora.com/PANDORA
ipset=/cbs.com/cbsaavideo.com/cbsi.com/cbsig.net/cbsnews.com/cbsstatic.com/irdeto.com/omtrdc.net/syncbak.com/CBS_Web
ipset=/whatismyipaddress.com/WIMIPADDR

ipset=/172.16.0.1/TEST100

TEST100 will never get populated as there is no domain name called 172.16.0.1

You can run the command "liststats" to see the number of entries in the list or the command "ipset -L TEST100" to view the contents of the IPSET list. The command below will show you if any packets are traversing the iptables chain.

Code:
iptables -nvL PREROUTING -t mangle --line
 
Hi Xentrk, perhaps you can have a look at this to see if it is good?

/jffs/configs/dnsmasq.conf.add

Code:
ipset=/212.142.30.138/horizon
ipset=/212.142.30.170/horizon
ipset=/horizon.tv/horizon
ipset=/212.142.30.150/horizon
ipset=/212.142.30.144/horizon
ipset=/212.142.30.172/horizon

liststats

Code:
Skynet-Blacklist - 356331
Skynet-BlockedRanges - 1609
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 6780
horizon - 29

iptables -nvL PREROUTING -t mangle --line

Code:
num   pkts bytes target     prot opt in     out     source               destination
1    9040K   12G MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    2279K 2964M MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3    90677   33M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4     395K  491M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5     2250  127K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set horizon dst MARK or 0x8000
 

The ipset=/horizon.tv/horizon reference is the only valid entry in dnsmasq.conf.add. The IPv4 addresses are not valid top level host names. With the dnsmasq method, the IPSET feature built into dnsmasq collects the IPv4 addresses when a top level domain is queried through dnsmasq.

Remove/delete the IPv4 address references below.
Code:
ipset=/212.142.30.138/horizon
ipset=/212.142.30.170/horizon
ipset=/212.142.30.150/horizon
ipset=/212.142.30.144/horizon
ipset=/212.142.30.172/horizon

Use this syntax to create an IPSET list using the "Manual Method" for the IPv4 addresses:
Code:
x3mRouting ALL 1 HORIZON02 ip=212.142.30.138,212.142.30.170,212.142.30.150,212.142.30.144,212.142.30.172

You can also manually add the IPv4 addresses to the save/restore file in /opt/tmp (e.g. /opt/tmp/HORIZON02) using an editor, then run x3mRouting to populate the IPSET list:

Code:
x3mRouting ALL 1 HORIZON02

You can view what IPv4 addresses are in the IPSET list using the command:

Code:
ipset -L ipsetname

where ipsetname is the name of the IPSET list.
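The two replies above make the same point from different sides: an IPv4 literal in the domain position of an ipset= line is dead configuration, because dnsmasq only adds addresses to the set when a listed domain is resolved, and the fix is to drop those lines and feed the addresses to the Manual Method with 'ip='. As an added example (not x3mRouting's own code and not from this thread), the script below audits a dnsmasq.conf.add, lists the entries dnsmasq can never populate, prints the cleaned file, and builds the matching 'ip=' command. The sample file is constructed from the entries posted earlier; the "02" suffix on the suggested set name follows the HORIZON02 naming in the reply and is an assumption, not a rule of the project.

```shell
#!/bin/sh
# Added example, not part of x3mRouting: audit the ipset= lines in
# /jffs/configs/dnsmasq.conf.add. dnsmasq only fills an IPSET list when a
# listed *domain* is resolved, so an IPv4 literal in the domain position
# never populates anything. Find such entries, print the cleaned lines,
# and build the 'ip=' list for the x3mRouting Manual Method instead.

# Return 0 if the argument is a dotted-quad IPv4 address.
is_ipv4() {
    echo "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print one "SET FIELD" pair per ipset= line for every field that is an
# IPv4 literal rather than a domain name (the entries to remove).
# Line layout assumed: ipset=/domain1/domain2/.../SETNAME
ipv4_fields() {
    awk -F/ '/^ipset=\// {
        set = $NF
        for (i = 2; i < NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print set, $i
    }' "$1"
}

# Print the file with IPv4 fields dropped; an ipset= line left with no
# domains at all is dropped entirely. Other lines pass through unchanged.
cleaned_conf() {
    awk -F/ '
        !/^ipset=\// { print; next }
        {
            out = "ipset="; kept = 0
            for (i = 2; i < NF; i++)
                if ($i !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { out = out "/" $i; kept++ }
            if (kept) print out "/" $NF
        }' "$1"
}

# Comma-joined IPv4 literals found for one set, ready for 'ip='.
manual_ip_list() {
    ipv4_fields "$1" | awk -v set="$2" '$1 == set { a = a (a ? "," : "") $2 } END { print a }'
}

# Suggested Manual Method command for a set. Prints nothing when the set
# had no IPv4 literals. The target name (upper-cased, "02" suffix) is an
# assumption borrowed from the HORIZON02 example, not a project rule.
suggest_manual_cmd() {
    ips=$(manual_ip_list "$1" "$2")
    [ -n "$ips" ] || return 0
    echo "x3mRouting ALL 1 $(echo "$2" | tr 'a-z' 'A-Z')02 ip=$ips"
}

# Constructed sample in the layout seen in the thread (not a real file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
ipset=/212.142.30.138/horizon
ipset=/212.142.30.170/horizon
ipset=/horizon.tv/horizon
ipset=/whatismyipaddress.com/WIMIPADDR
ipset=/10.0.0.1/TEST100
EOF

echo "== entries dnsmasq will never populate =="
ipv4_fields "$demo_conf"
echo "== cleaned dnsmasq.conf.add =="
cleaned_conf "$demo_conf"
echo "== Manual Method replacement for horizon =="
suggest_manual_cmd "$demo_conf" horizon
```

On the router, point the functions at /jffs/configs/dnsmasq.conf.add; the cleaned output is only printed, so review it before writing it back and restarting dnsmasq.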
 
Did you try the ASN method using AS6830?

Code:
:/jffs/scripts/x3mRouting# nslookup horizon.tv
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      horizon.tv
Address 1: 2001:730:3400:8001::a
Address 2: 212.142.30.138
Address 3: 212.142.30.170

Code:
:/jffs/scripts/x3mRouting# whob 212.142.30.170
IP: 212.142.30.170
Origin-AS: 6830
Prefix: 212.142.0.0/19
AS-Path: 3303 6830
AS-Org-Name: Liberty Global (formerly UPC Broadband Holding, aka AORTA)
Org-Name: B2B-COM21 Business Internet Com21
Net-Name: B2B-COM21
Cache-Date: 1594366403
Latitude: 52.374030
Longitude: 4.889690
City: Amsterdam
Region: Noord-Holland
Country: Netherlands
Country-Code: NL
 
Perfect! I can see a lot of IPs populated in /opt/tmp, and the app on the TV inside the VPN is going to the WAN and working great! I've tried the ASN method but it didn't work for me; maybe I did something wrong there. Thanks!!
 
Code:
num   pkts bytes target     prot opt in     out     source               destination
1    9181K   12G MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2    2302K 2984M MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3     449K   88M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4     415K  511M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5     2667  149K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set horizon dst MARK or 0x8000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HORIZON02 dst MARK or 0x4000
 
Looks good. If you don't see any packets traversing the HORIZON02 chain, it means the dnsmasq method using horizon.tv is capturing all of the IPv4 addresses and the HORIZON02 ipset list is not necessary and can be removed.
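The check described in this reply, and the earlier warning that a firewall restart can wipe the routing rules for IPSET lists, both come down to reading the PREROUTING counters. As an added example (not x3mRouting's own code and not from this thread), the script below parses captured output of 'iptables -nvL PREROUTING -t mangle --line' and answers two questions: is the MARK rule for a given set still present, and has it seen any packets. The sample output is constructed from the counters posted above.

```shell
#!/bin/sh
# Added example, not part of x3mRouting: read the output of
#   iptables -nvL PREROUTING -t mangle --line
# (captured to a file) and report, per IPSET list, whether its MARK rule
# exists and how many packets have matched it. A rule with zero packets
# means the list is not being used; a missing rule means it was removed,
# for example by a firewall restart.

# Print "SET PACKETS" for every match-set rule in the captured output.
# The set name is the field right after "match-set"; packets are field 2.
match_set_counters() {
    awk '/match-set/ {
        for (i = 1; i <= NF; i++)
            if ($i == "match-set") { print $(i + 1), $2; break }
    }' "$1"
}

# Names of IPSET lists whose rule exists but has matched zero packets.
idle_match_sets() {
    match_set_counters "$1" | awk '$2 == 0 { print $1 }'
}

# Return 0 if a MARK rule referencing the named set is present.
has_rule_for_set() {
    match_set_counters "$1" | awk -v set="$2" '$1 == set { found = 1 } END { exit !found }'
}

# Constructed sample, modelled on the counters posted in the thread.
demo_out=$(mktemp)
cat > "$demo_out" <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    9181K   12G MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5     2667  149K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set horizon dst MARK or 0x8000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HORIZON02 dst MARK or 0x4000
EOF

match_set_counters "$demo_out"
echo "idle sets: $(idle_match_sets "$demo_out")"      # idle sets: HORIZON02
for set in horizon WIMIPADDR; do
    if has_rule_for_set "$demo_out" "$set"; then
        echo "$set: rule present"
    else
        echo "$set: rule missing (a firewall restart may have removed it)"
    fi
done
```

On the router, replace the constructed file with 'iptables -nvL PREROUTING -t mangle --line > /tmp/prerouting.txt' and pass that path; an idle set is the signal in the reply above that the list can be removed, while a missing rule for a list you still use means the routing rule needs to be recreated.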
 
OK, I will look at the horizon02 folder to see if IPs get in there; if nothing is shown I will remove the folder. After 3 days of trial and error you did it again! Great to have the script working! Maybe I will try the ASN method later again. For now, thanks!
 
@Xentrk the script is working great for me, but is there a way to temporarily disable it in order to perform some tests without deleting the iptables rules or the script repository itself?
 
