x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

I don't have HBO Max. I see they have a 7 day free trial though. So maybe I can help if you get stuck.

You can remove play.hbomax.com. The first domain listed will cover it. I did a search for ".com" and found numerous references.
Code:
warnermediacdn.com
amazonaws.com

A search for ".net" came up with a few hits.
Code:
go-mpulse.net
akamaihd.net

I've been thinking of creating a Wiki on GitHub for the various streaming services.
Great idea @Xentrk a known streaming working list with correct commands used
p.s. for users of nvidia shield tv i had to use torguard android tv app to get usa content to work on nflix with dedicated streaming ip, pain in the butt tbh as had x3mrouting setup and the for some reason my real location kept being leaked even with shieldtv services disabled...until i used the app
 
Hi @Xentrk

I've updated the router to 384.13_10. I installed the script following the link you gave me. I added that ipset to go over vpn and then deleted it

Code:
teymur88@router:/tmp/home/root# /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/x3mRouting.sh" -o "/jffs/scripts/x3mRouting/x3mRouting.sh"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60643  100 60643    0     0  46612      0  0:00:01  0:00:01 --:--:-- 55130


teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips
(x3mRouting): 27072 Starting Script Execution ALL 1 edemtvips
(x3mRouting): 27072 IPSET created: edemtvips
(x3mRouting): 27072 Selective Routing Rule via VPN Client 1 created for edemtvips fwmark 0x1000/0x1000
(x3mRouting): 27072 iptables -t mangle -D PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27072 iptables -t mangle -A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27072 iptables -t mangle -D PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 27072 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 edemtvips added to /jffs/scripts/nat-start
(x3mRouting): 27072 Completed Script Execution


teymur88@router:/tmp/home/root# more /jffs/scripts/nat-start
#!/bin/sh
xxxxxxxxxxxxxx
xxxxxxxxxxxxxx
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 edemtvips
teymur88@router:/tmp/home/root#


teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -o br0 -j MARK --set-xmark 0x1/0x7



teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default



Now deleting:

Code:
teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips del
(x3mRouting): 27928 Starting Script Execution ALL 1 edemtvips del
(x3mRouting): 27928 Script entry for edemtvips deleted from /jffs/scripts/nat-start
(x3mRouting): 27928 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-up


/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 27928 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-pre-down


/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 27928 IPSET edemtvips deleted!
(x3mRouting): 27928 Completed Script Execution
teymur88@router:/tmp/home/root#


teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1 >>>>> NOT DELETED STILL HERE
32766:  from all lookup main
32767:  from all lookup default

teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -o br0 -j MARK --set-xmark 0x1/0x7


teymur88@router:/tmp/home/root# more /jffs/scripts/nat-start
#!/bin/sh
xxxxxxxxxxxxxx
xxxxxxxxxxxxxx
NO edemtvips here.
teymur88@router:/tmp/home/root#
Thanks, I will patch it. It is supposed to get removed after a restart of the VPN Client. It does if one is using the GUI option. I will look into it. It won't cause any issue. But to remove it, type:

Code:
ip rule del prio 9995
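
A check for the leftover rule reported above, as an added example that is not part of x3mRouting or of the original posts: it lists `ip rule` fwmark entries pointing at a VPN client table for which no mangle MARK rule sets that mark. The function names are hypothetical, the sample inputs are constructed from the output posted in this thread, and the comparison of mark/mask is textual.

```shell
#!/bin/sh
# Added example: report policy rules whose fwmark no mangle MARK rule sets.

# orphan_fwmark_rules RULES_FILE MANGLE_FILE [TABLE_PREFIX]
#   RULES_FILE   saved output of `ip rule`
#   MANGLE_FILE  mangle table in -S format (as in the listings above)
#   TABLE_PREFIX routing tables to audit; "ovpnc" is taken from this thread
# Prints "<prio> <mark/mask> <table>" for every leftover rule.
orphan_fwmark_rules() {
    awk -v prefix="${3:-ovpnc}" '
        src == "mangle" {
            # Remember each value/mask written by a MARK target.
            for (i = 1; i < NF; i++)
                if ($i == "--set-xmark" || $i == "--set-mark")
                    marked[tolower($(i + 1))] = 1
            next
        }
        {
            # e.g. "9995:  from all fwmark 0x1000/0x1000 lookup ovpnc1"
            mark = ""; table = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") mark = tolower($(i + 1))
                if ($i == "lookup") table = $(i + 1)
            }
            if (mark == "" || index(table, prefix) != 1) next
            if (!(mark in marked)) {
                prio = $1; sub(/:$/, "", prio)
                print prio, mark, table
            }
        }
    ' src=mangle "$2" src=rules "$1"
}

# Constructed inputs, copied from the output posted above.
sample_ip_rules() {
    cat <<'EOF'
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
EOF
}
sample_mangle_before_del() {
    cat <<'EOF'
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000
EOF
}
sample_mangle_after_del() {
    cat <<'EOF'
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
EOF
}

tmp=$(mktemp -d)
sample_ip_rules > "$tmp/rules"
sample_mangle_before_del > "$tmp/before"
sample_mangle_after_del > "$tmp/after"
echo "before del: $(orphan_fwmark_rules "$tmp/rules" "$tmp/before")"
echo "after del:  $(orphan_fwmark_rules "$tmp/rules" "$tmp/after")"
rm -rf "$tmp"
```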
 
That is one major issue I have with Nvidia Shield. If you have Nvidia, some of the local TV stations require you to turn on location services so they can present the local channel to you. But if you have a FireTV or Roku, they go by your IP address (aka VPN server location). CBS All Access is an example of one service that does this.
 
guessing would need a location spoofer app used through mock locations in developer options
 
Version 2.2.0 (22 August, 2020)
The x3mRouting.sh script has been updated!

FIX for ASN Method!
Updated grep command option no longer supported. Error may result in empty save/restore files and IPSET lists.

dnsmasq Method with 'dnsmasq_file=' parameter

Rather than specifying the domain names in a list, you can specify a file location using the 'dnsmasq_file=' parameter. The format of the file is one top level domain name per line.

Code:
domain1.com
domain2.com
domain3.com

@Xentrk thanks for this. im really interested in implementing this on my router.

what i have done so far:

created the domain file /jffs/scripts/x3mRouting/aws_domains_01
Code:
pandora.com
ifconfig.io
ipinfo.io
deserve.com
eltiempo.com

then ran x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
routing works ok!

i now see that dnsmasq.conf.add has the same domains than /jffs/scripts/x3mRouting/aws_domains_01 -why?
Code:
ipset=/pandora.com/ifconfig.io/ipinfo.io/deserve.com/eltiempo.com/aws1

im curious about what to do if i want to add more domains to the domains file? do i need to run the script again or how do i update the route to include the new domains i add ? also, what do i do with the domains stored on dnsmasq.conf.add ?

thanks
 
If you make updates to the dnsmasq_file, you need to run x3mRouting again for the change to take effect. x3mRouting will update the entry in dnsmasq.conf.add.

The ipset entry in dnsmasq.conf.add is correct. It will mirror the domains you entered in the file. This post should answer your other questions. Need to be aware that removing the domain doesn't mean the IPv4 address was removed from the IPSET list in memory. I will research how to automate if possible. I appreciate any feedback on the new feature.
 
As much as i like the shield the lack of a good tv app for spoofing location may mean roku becomes a preferred choice
The FireTV provides the spoofing ability of the Roku and the ability to side load like the Nvidia or other android TVs.
 
thanks!
so if i want to add more domains, can i do it by running:?
Code:
x3mRouting ipset_name=aws1 del

###add new domains to /jffs/scripts/x3mRouting/aws_domains_01

x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

an automatic process will be great but as of right now i cant think of what i need. ill give it some thinking. maybe....

prerequisites:
having an initial file /jffs/scripts/x3mRouting/aws_domains_01
running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01

1- i add/remove domains on /jffs/scripts/x3mRouting/aws_domains_01
2- an automatic script like x3mRouting update aws1 that will re-read the domains file and update the ipset list and dnsmasq.conf.add
 
Im using a version from several month ago still on my asus 86u, im wondering.
When executing these 2:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-EU EU
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-GLOBAL GLOBAL

where does the script get the ipranges?
Thx
 
The source file used by x3mRouting is provided by Amazon at https://ip-ranges.amazonaws.com/ip-ranges.json.
 
Good discussion. After thinking this over, the following would be the best practice.

If you add domains to the file, you only need to rerun x3mRouting to update the entry in dnsmasq.conf.add. New domains will now be appended to the existing ipset list. No need to first specify the 'del' parm.

If you remove domains from the file, you need to first run x3mRouting with the 'del' parm. This will delete the IPSET list and its contents. Then, run x3mRouting specifying the 'dnsmasq_file' parm. dnsmasq will start populating the IPSET list anew. At 2AM, the new list will get saved to the save/restore file location in /opt/tmp by the cron job and will be used to restore the list at system boot.
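
A pre-flight check for the add/remove rule described above, as an added example that is not part of x3mRouting or of the original posts: it compares a dnsmasq_file with the `ipset=` line in dnsmasq.conf.add and reports whether a plain rerun is enough or a 'del' is needed first. The function names and the three result words are hypothetical, it assumes one set name per `ipset=` line as shown in this thread, and the sample data is constructed from the lists posted here.

```shell
#!/bin/sh
# Added example: compare a dnsmasq_file with the ipset= line built from it.

# domain_changes DOMAIN_FILE CONF_FILE SET_NAME
#   Prints "+domain" for names only in DOMAIN_FILE and "-domain" for names
#   only in the "ipset=/d1/d2/.../SET_NAME" line of CONF_FILE.
domain_changes() {
    awk -v name="$3" '
        src == "conf" {
            n = split($0, p, "/")
            if (p[1] == "ipset=" && p[n] == name)
                for (i = 2; i < n; i++) inconf[tolower(p[i])] = 1
            next
        }
        {
            gsub(/[ \t\r]/, "")              # tolerate stray blanks and CRLF
            d = tolower($0)
            if (d == "" || (d in infile)) next
            infile[d] = 1
            if (!(d in inconf)) print "+" d
        }
        END { for (d in inconf) if (!(d in infile)) print "-" d }
    ' src=conf "$2" src=file "$1" | LC_ALL=C sort
}

# rerun_plan DOMAIN_FILE CONF_FILE SET_NAME
#   in-sync         nothing to do
#   rerun           only additions: rerun x3mRouting with dnsmasq_file=
#   del-then-rerun  something was removed: run with del first, then rerun
rerun_plan() {
    changes=$(domain_changes "$1" "$2" "$3")
    if [ -z "$changes" ]; then
        echo in-sync
    elif printf '%s\n' "$changes" | grep -q '^-'; then
        echo del-then-rerun
    else
        echo rerun
    fi
}

# Constructed inputs: the ipset= line from the first run in this thread and
# the edited domain list posted afterwards.
sample_conf() {
    echo 'ipset=/pandora.com/ifconfig.io/ipinfo.io/deserve.com/eltiempo.com/aws1'
}
sample_domain_file() {
    printf '%s\n' pandora.com ifconfig.io ipinfo.io deserve.com imgur.com
}

tmp=$(mktemp -d)
sample_conf > "$tmp/dnsmasq.conf.add"
sample_domain_file > "$tmp/aws_domains_01"
domain_changes "$tmp/aws_domains_01" "$tmp/dnsmasq.conf.add" aws1
rerun_plan "$tmp/aws_domains_01" "$tmp/dnsmasq.conf.add" aws1
rm -rf "$tmp"
```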
 
Managed to get location spoofing working using floater it does wifi location spoof as well
 
@Xentrk as a question aside,

an issue that i encountered is that when uninstalling your script, the backup files will remain at /opt/tmp. and if i re-create a new routing rule with a new dnsmasq_file, the backup file will have higher priority than the newly created file. is this intended to be that way?

thanks
 
hello again. sorry for the extra posts but i want to have separate posts for each issue im having.

so i included a new domain on the file (imgur.com)
Code:
pandora.com
ifconfig.io
ipinfo.io
deserve.com
imgur.com

i re-ran x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 and i can see the new domain being added to dnsmasq.conf.add

Code:
ipset=/pandora.com/ifconfig.io/ipinfo.io/deserve.com/imgur.com/aws1

still, the routing for that domain doesnt work while the rest do work ok.

routing not working
Code:
tracetcp imgur.com:443 -t 400 -n

Tracing route to 151.101.32.193 on port 443
Over a maximum of 30 hops.
1       4 ms    4 ms    3 ms    10.0.0.1
2       *       *       *       Request timed out.
3       11 ms   20 ms   24 ms   172.21.111.42
4       19 ms   29 ms   43 ms   190.85.254.207
5       *       *       *       Request timed out.
6       *       *       *       Request timed out.
7       Destination Reached in 60 ms. Connection established to 151.101.32.193
Trace Complete.


funny thing, i.imgur.com or www.imgur.com do work
Code:
tracetcp i.imgur.com:443 -t 400 -n

Tracing route to 151.101.4.193 on port 443
Over a maximum of 30 hops.
1       2 ms    3 ms    4 ms    10.0.0.1
2       109 ms  101 ms  107 ms  10.0.2.1
3       *       *       *       Request timed out.
4       *       *       *       Request timed out.
5       *       *       *       Request timed out.
6       *       *       *       Request timed out.
7       *       *       *       Request timed out.

some debug
Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# check-route
Name: aws1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 932
References: 1
Number of entries: 11
Members:
3.213.182.30
208.85.47.117
172.67.189.102
3.213.106.72
151.101.4.193
104.24.122.146
208.85.40.20
199.232.64.193
104.24.123.146
151.101.20.193
107.23.16.159
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 10.0.0.1 lookup main
32766:  from all lookup main
32767:  from all lookup default
Chain PREROUTING (policy ACCEPT 188K packets, 133M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3931  237K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set aws1 dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/home/root#
 
@Xentrk as a question aside, can i have several routing rules running to the same vpn client?
for example:

x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
x3mRouting ALL 1 uic asnum=AS6200

if this is possible, where are the AS6200 ip addresses stored?
also, can i change the location of the backup file which is currently saved at /opt/tmp ?

an issue that i encountered is that when uninstalling your script, the backup files will remain at /opt/tmp. and if i re-create a new routing rule with a new dnsmasq_file, the backup file will have higher priority than the newly created file. is this intended to be that way?

thanks
Not removing the save/restore file is done by design. Especially to accommodate the dnsmasq and manual methods.

Let's say I created an IPSET list and have it routed to VPN Client 1 using the dnsmasq method. I now want to change it to VPN Client 2. I first remove the ipset list by specifying the 'del' parameter. The save/restore file is still in /opt/tmp but the IPSET list is now deleted. I then create the new rule to route to VPN Client 2. x3mRouting will see the restore file and load the IPSET list from the file.

For the manual method, one manually creates a file and uses an editor to enter the IPv4 addresses. The ipset list is loaded from this file. If x3mRouting deleted the file, I would have some upset users.

What I can do is add another option when specifying the 'del=' parm to the command that will remove the save/restore file.

Specify the save/restore file location using the 'dir=' parameter.
Code:
 ['dir='save_restore_location] # if 'dir' not specified, defaults to /opt/tmp
Code:
x3mRouting ALL 1 WIMIPCOM dir=/mnt/ASUS/mylists
 
Try

nslookup imgur.com

See if IPv4 address got added.
ipset -L aws1 | grep x.x.x.x

If IPv4 not found add it manually:

ipset add aws1 x.x.x.x
 
hello again @Xentrk

im still curious about if i can have several routing rules running to the same vpn client?
for example:

x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01
x3mRouting ALL 1 uic asnum=AS6200

if this is possible, where are the AS6200 ip addresses stored?
 
I'm currently running the 384.19 version of selective routing set of scripts, method 3 (scripts only.)
Over the past few days I made some changes to IPsets, interfaces they're routed through etc. It all works very well, as it always did :)
However, I've seen on more than a couple of occasions that the cron jobs get wiped out with the exception of Diversion and the last IPset I edited (which show the 2:00 am update correctly.) Everything else is gone. For all the scripts I'm running under normal conditions there are ~30 jobs in the list at any given time.

Has anyone else seen this issue?
 