x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

I noticed that load balance mode needs to be enabled so that the ASUS router makes separate lookup tables, like below.
Code:
admin@:/jffs/scripts/x3mRouting# ip rule
0:      from all lookup local
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
150:    from all fwmark 0x90000000/0xf0000000 lookup wan1
200:    from x.x.x.x lookup wan0
200:    from y.y.y.y lookup wan0
200:    from w.w.w.w lookup wan1
400:    from all to x.x.x.x lookup wan0
400:    from all to z.z.z.z lookup wan1
400:    from all to y.y.y.y lookup wan0
400:    from all to z.z.z.z lookup wan1
990:    from all fwmark 0x9000/0x9000 lookup wan1
32766:  from all lookup main
32767:  from all lookup default

It appears to be using the prerouting chain but not actually routing the traffic through wan1.
 

Try using the inherent Dual-WAN Load-Balancing (LB) WAN1 fwmark

i.e. delete the 'Backblaze' IPSET rules
Code:
iptables -t mangle -D PREROUTING -i br0 -m set --match-set Backblaze dst -j MARK --set-mark 0x9000/0x9000

ip rule del prio 990
and replace with
Code:
iptables -t mangle -A PREROUTING -i br0 -m set --match-set Backblaze dst -j MARK --set-mark 0x90000000/0x90000000   # -A adds the replacement rule (the first command above deleted the old one)

ip route flush cache
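An added example, not code from either post above or from x3mRouting, that models the two things the suggestion relies on: how `MARK --set-mark VALUE/MASK` changes a packet mark, and how an `ip rule ... fwmark MARK/MASK` entry selects a packet. The rule values are the ones in the `ip rule` listing above. One assumption is mine: that the load balancer has already placed 0x80000000 in the packet mark before the x3mRouting PREROUTING rule runs (consistent with the observation that 0x9000-marked traffic still left via wan0).

```sh
#!/bin/sh
# Added example. Models iptables mark arithmetic and ip-rule fwmark matching
# using the marks and priorities from the thread's `ip rule` output.
# Assumption: the LB code has already set 0x80000000 in the packet mark.

# set_mark OLD VALUE MASK: iptables MARK --set-mark VALUE/MASK
# (clear the MASK bits, then OR in VALUE). Prints the new 32-bit mark in hex.
set_mark() {
    printf '0x%x\n' $(( ((($1) & ~($3)) | (($2) & ($3))) & 0xffffffff ))
}

# set_xmark OLD VALUE MASK: iptables MARK --set-xmark VALUE/MASK
# (clear the MASK bits, then XOR in VALUE), the form the 'balance' chain uses.
set_xmark() {
    printf '0x%x\n' $(( ((($1) & ~($3)) ^ ($2)) & 0xffffffff ))
}

# fwmark_matches PKT_MARK RULE_MARK RULE_MASK -> yes|no
# The kernel tests (pkt & mask) == (rule & mask). The mask belongs to the
# ip rule; the mask used when the mark was *set* plays no part here.
fwmark_matches() {
    if [ $(( ($1) & ($3) )) -eq $(( ($2) & ($3) )) ]; then echo yes; else echo no; fi
}

# first_matching_rule PKT_MARK -> "PRIO TABLE" of the first fwmark rule hit,
# walking the thread's rules in priority order; "32766 main" when none match.
first_matching_rule() {
    for rule in \
        150:0x80000000:0xf0000000:wan0 \
        150:0x90000000:0xf0000000:wan1 \
        990:0x9000:0x9000:wan1
    do
        prio=${rule%%:*};  rest=${rule#*:}
        rmark=${rest%%:*}; rest=${rest#*:}
        rmask=${rest%%:*}; table=${rest#*:}
        if [ "$(fwmark_matches "$1" "$rmark" "$rmask")" = yes ]; then
            echo "$prio $table"
            return 0
        fi
    done
    echo "32766 main"
}

# Walk one packet through both marking schemes from the thread.
LB_MARK=0x80000000   # assumed already applied by the load balancer
trace() {
    old=$(set_mark "$LB_MARK" 0x9000 0x9000)            # poster's rule
    new=$(set_mark "$LB_MARK" 0x90000000 0x90000000)    # suggested rule
    printf 'set-mark 0x9000/0x9000         -> %s -> rule %s\n' "$old" "$(first_matching_rule "$old")"
    printf 'set-mark 0x90000000/0x90000000 -> %s -> rule %s\n' "$new" "$(first_matching_rule "$new")"
}
if [ "${1:-}" = trace ]; then trace; fi
```

Run it with `sh marks.sh trace`: with 0x80000000 already present, the poster's rule yields 0x80009000, which the prio-150 wan0 rule claims before prio 990 is ever consulted; the suggested rule overwrites the high nibble to 0x9 and lands on the prio-150 wan1 rule instead.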
 

I need a little more help please.

Enabling load balancing in the ASUS routers seems to be a requirement if I want to selectively route traffic between the WAN links.
But I actually don't want load balancing. My primary link, even if limited, is 5 times faster than the secondary.
I have kept the ratio at 9:1, the maximum possible weight values in the UI, but it still seems to be passing some traffic through the 2nd link.
Any idea how I can stop that from happening?
 
You can either use a script to manually replicate the method used to implement the Dual-WAN (LB) rules to your liking, or let the GUI generate the inappropriate 9:1 Load-Balance ratio, then override the ratio to 1:0 using a simple script.

e.g. the 'balance' chain for a 9:1 ratio will look something like:
Code:
Chain balance (1 references)
num   pkts bytes target     prot opt in     out     source               destination      
1     1144 90082 RETURN     all  --  *      *       0.0.0.0/0            10.88.8.0/24     
2        0     0 RETURN     all  --  *      *       0.0.0.0/0            xxx.xxx.xxx.xxx/20     
3        0     0 RETURN     all  --  *      *       0.0.0.0/0            192.168.0.0/24   
4       90  5943 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
5        0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
6       37 41928 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443
7        0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80
8     2637  855K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x80000000/0x80000000
9        0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10    1680  661K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            statistic mode random probability 0.89999999991 CONNMARK xset 0x80000000/0xf0000000
11     202 77213 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x0 CONNMARK xset 0x90000000/0xf0000000
So you would delete rules 10 and 11 and add the rule to force all traffic via WAN0, except for the nominated IPSET.

e.g. Try these commands manually
Code:
iptables -t mangle -D balance -m connmark --mark 0x0 -j CONNMARK --set-xmark 0x90000000/0xf0000000
iptables -t mangle -D balance -m statistic --mode random --probability 0.89999999991 -j CONNMARK --set-xmark 0x80000000/0xf0000000

iptables -t mangle -A balance -m connmark --mark 0x0 -j CONNMARK --set-xmark 0x80000000/0xf0000000
and if they work then they can be permanently added to wan-start for WAN1
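As an added example (not the poster's script, and not from the firmware or x3mRouting), here is the same change as an idempotent sh script suitable for wan-start, plus a check that reads the chain back. The probability string, marks and chain name are taken from the listing above; the IPT variable, the `2>/dev/null` on the deletes and the verify function are my additions.

```sh
#!/bin/sh
# Added example. Turns the GUI-generated 9:1 'balance' chain into a 1:0 split:
# the two probabilistic CONNMARK rules go, and one rule sends every
# still-unmarked connection to WAN0. Traffic for the nominated IPSET is marked
# for WAN1 earlier in PREROUTING (the rule from the previous reply) and so
# never reaches this last rule.
IPT="${IPT:-iptables}"
PROB="${PROB:-0.89999999991}"   # must match the GUI's rule exactly or -D misses it
WAN0=0x80000000/0xf0000000
WAN1=0x90000000/0xf0000000

# The three rule bodies, spelled the way `iptables -t mangle -S balance` prints them.
random_wan0_rule() { echo "-m statistic --mode random --probability $PROB -j CONNMARK --set-xmark $WAN0"; }
rest_to_wan1_rule() { echo "-m connmark --mark 0x0 -j CONNMARK --set-xmark $WAN1"; }
all_to_wan0_rule()  { echo "-m connmark --mark 0x0 -j CONNMARK --set-xmark $WAN0"; }

# plan_force_wan0: print the commands, in order. Deleting our own rule before
# appending it keeps the script idempotent when wan-start runs more than once;
# the deletes are allowed to fail (rule already gone).
plan_force_wan0() {
    echo "$IPT -t mangle -D balance $(random_wan0_rule) 2>/dev/null"
    echo "$IPT -t mangle -D balance $(rest_to_wan1_rule) 2>/dev/null"
    echo "$IPT -t mangle -D balance $(all_to_wan0_rule) 2>/dev/null"
    echo "$IPT -t mangle -A balance $(all_to_wan0_rule)"
}

# balance_is_forced_wan0: read `iptables -t mangle -S balance` on stdin and
# succeed only if no random split is left and the final rule is ours.
balance_is_forced_wan0() {
    listing=$(cat)
    if printf '%s\n' "$listing" | grep -q -- '-m statistic'; then
        return 1
    fi
    last=$(printf '%s\n' "$listing" | grep '^-A balance ' | tail -n 1)
    [ "$last" = "-A balance $(all_to_wan0_rule)" ]
}
```

Source the file and run `plan_force_wan0` to see the commands, `plan_force_wan0 | sh` to apply them, then `iptables -t mangle -S balance | balance_is_forced_wan0 && echo forced-wan0` to confirm. If the GUI ever changes the probability it writes, `-D` will silently miss the old rule, which is exactly what the verify step catches.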
 
Everything works. Thanks a lot!!!!!

I am happy you got it working. I'm in Canada too and this setup worked for me, enabling my laptop to watch Netflix. It previously did not. However my Sony TV still complains about a proxy error. Very stubborn Android TV.
 

I turned it on for the TV but no effect. The fact is that I also have location services turned off on my laptop. Netflix on the laptop using the browser works just fine with the Netflix bypass rules as mentioned in this thread. However the TV Android app is behaving differently. I'm on the latest Netflix app version. I noticed that on an older app version it worked over NordVPN without any rules. They are starting to implement something new. Using the app and tailing the dnsmasq log I can see that everything goes through the rules and sets, but still it fails.
 
I suspect the TV is setting DNS and overriding the DNS setting on the router. The DNSFilter setting = Router will force all traffic to use the DNS set by the router. Check the region setting on the TV. I successfully tested on Windows 10 browser, iOS, Amazon Fire TV, Roku and Nvidia Shield. I did not test using the Netflix app on the Samsung Smart TV though. I will test when I get home and let you know what I find.
 

Here is what I have tried.
1. WAN DNS config set NordVPN DNS IP's
2. VPN Client custom config removed DNS entries
3. VPN Client DNS is set to Strict
4. DNSFilter OFF
5. Tools/Other WAN DNS local cache ON

nat-start
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

dnsmasq.conf.add
Code:
ipset=/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/NETFLIX

With the above config, playing Netflix from my Apple laptop works like a charm. With the Sony TV Netflix app version 6.1 it would play the first movie, and when I try to play something for the second time it gives a proxy error.
 
I have WAN DNS set to Cloudflare using DoT and have Accept DNS Configuration set to Disabled. I have a private or dedicated VPN IP address and am able to use any DNS. From the posts I have seen and looking at their support site, I think NordVPN uses DNS proxy to circumvent Netflix VPN blocks. In that case, setting Accept DNS Configuration to Exclusive is required if you route Netflix over the VPN. But Diversion won't work over the VPN when using policy rules with Exclusive.
 

Even without your scripts when I set VPN client dns to strict and in VPN config putting dhcp-option dns my laptop would not play Netflix. However, if I set my laptop dns to VPN dns it works. I would expect that with VPN dhcp-option dns it should work too but it does not. I wonder at this point if the firmware is properly setting VPN dns.
 
Based on reports from others on the forum, I strongly suspect NordVPN and Express VPN use DNS proxy to override Netflix VPN Blocks. Users report using the VPN DNS is required. My provider has a private or dedicated IP for streaming and I can use DNS from half way across the globe and stream with no issues.

Setting Accept DNS Configuration = Exclusive will force all VPN traffic to use the DNS of the VPN provider. You should see a script that issues the iptables command for DNS:

/tmp/etc/openvpn/fw/client5-dns.sh
Code:
#!/bin/sh
/usr/sbin/iptables -t nat -N DNSVPN5
/usr/sbin/iptables -t nat -A DNSVPN5 -s 172.16.0.115 -j DNAT --to-destination 1.1.1.1
/usr/sbin/iptables -t nat -A DNSVPN5 -s 192.168.22.152 -j DNAT --to-destination 1.1.1.1
/usr/sbin/iptables -t nat -I PREROUTING -p udp -m udp --dport 53 -j DNSVPN5
/usr/sbin/iptables -t nat -I PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN5
To check DNS entries, issue the commands like below. But change the number to match the vpn client instance you are checking.

iptables --line -t nat -nvL DNSVPN5

Code:
Chain DNSVPN5 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       all  --  *      *       172.16.0.115         0.0.0.0/0            to:1.1.1.1
2     1711  116K DNAT       all  --  *      *       192.168.22.152       0.0.0.0/0            to:1.1.1.1

iptables -nvL PREROUTING -t nat --line | grep DNS


Code:
Chain PREROUTING (policy ACCEPT 23537 packets, 1423K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      294 17600 DNSVPN5    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
2     4784  332K DNSVPN5    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
6     3085  216K DNSFILTER  udp  --  *      *       192.168.22.0/24      0.0.0.0/0            udp dpt:53
7      292 17520 DNSFILTER  tcp  --  *      *       192.168.22.0/24      0.0.0.0/0            tcp dpt:53

Change the Accept DNS Configuration setting from Exclusive to Strict and set dhcp-option DNS x.x.x.x in the custom config section. Check the iptables entries again. You should see the DNS specified.
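An added example, not code from the reply above or from the firmware, that does the check the reply describes by eye: given the nat-table rules as `iptables -t nat -S PREROUTING; iptables -t nat -S DNSVPN5` prints them (the `-S` form of the listings above; change 5 to the client instance), it says where one LAN client's plain port-53 queries end up. Rule order is the point: client<n>-dns.sh inserts with `-I`, so DNSVPN<n> sits above DNSFILTER and a client that matches there is DNAT'ed before DNSFilter ever sees it, while a client not listed falls through. The sample listing in the test is constructed from the thread's output.

```sh
#!/bin/sh
# Added example: resolve which nat rule handles a client's UDP/53 traffic.

# dns_target CLIENT_IP   (stdin: the rule listing)  -> one line:
#   "dnat IP via CHAIN"  queries are rewritten to IP by the VPN client's chain
#   "dnsfilter"          a DNSFILTER rule covers the client instead
#   "unfiltered"         nothing touches them; the client's own DNS is used
dns_target() {
    awk -v client="$1" '
    function ip2n(a,    p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # in_subnet: true when ip is inside cidr; an empty cidr means "any source".
    # Division instead of bit operators, which POSIX awk does not have.
    function in_subnet(ip, cidr,    q, bits, step) {
        if (cidr == "") return 1
        split(cidr, q, "/"); bits = (q[2] == "") ? 32 : q[2] + 0
        step = 2 ^ (32 - bits)
        return int(ip2n(ip) / step) == int(ip2n(q[1]) / step)
    }
    # Rules inside a DNSVPN<n> chain: record the DNAT target per source address.
    $1 == "-A" && $2 ~ /^DNSVPN/ {
        src = ""; dst = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") { src = $(i + 1); sub("/32$", "", src) }
            if ($i == "--to-destination") dst = $(i + 1)
        }
        if (src != "" && dst != "") dnat[$2, src] = dst
        next
    }
    # PREROUTING rules for UDP/53, kept in evaluation order.
    $1 == "-A" && $2 == "PREROUTING" && /-p udp/ && /--dport 53( |$)/ {
        n++; chain[n] = $NF; scope[n] = ""
        for (i = 3; i <= NF; i++) if ($i == "-s") scope[n] = $(i + 1)
    }
    END {
        for (i = 1; i <= n; i++) {
            if (!in_subnet(client, scope[i])) continue
            if (chain[i] ~ /^DNSVPN/) {
                if ((chain[i], client) in dnat) { print "dnat " dnat[chain[i], client] " via " chain[i]; exit }
                continue        # the chain RETURNs for other clients; keep walking
            }
            if (chain[i] == "DNSFILTER") { print "dnsfilter"; exit }
        }
        print "unfiltered"
    }'
}
```

On the router: `{ iptables -t nat -S PREROUTING; iptables -t nat -S DNSVPN5; } | dns_target 192.168.22.152`. A result of `dnsfilter` or `unfiltered` for a client you expected to use the VPN's resolver means its queries are leaving by whatever path the router's own DNS settings dictate, which is the leak the later post in this thread observed with Strict.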
 
Hi,

Just to get this straight: this would replace DNS-based automatic routing services such as smartdnsproxy.com with your lists (such as Amazon, etc.)? Can you please provide me with a page that has all the netblocks? I also want YouTube to be connected to US servers.

Where do I find lists of all streaming websites?
 
If I'm understanding the cause of this script, you will be my life saviour: it will replace the DNS proxy subscriptions I have by auto-routing streaming websites to the correct country (mainly US).

But I've followed the instructions, and whenever I go to www.netflix.com it redirects me to the local Netflix website of my country...

Can this script fix that? If yes, I'd appreciate baby steps on how to do so. I just want to redirect all my internal IPs' traffic to the correct geo-based US location servers.
 
If using method 3, you need to specify the interface using a number:
Code:
0 = WAN   
1 = OVPNC1
2 = OVPNC2
3 = OVPNC3
4 = OVPNC4
5 = OVPNC5
It will default to WAN interface if you don't specify it.

For my use case, I have three VPN clients I route traffic to:

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 2 PLUTOTV

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh 2 MOVETV movetv.com
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 2 CBS_WEB cbs.com,cbsnews.com,cbssports.com,cbsaavideo.com,omtrdc.net,akamaihd.net,irdeto.com,cbsi.com,cbsig.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 3 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net
Client 1 is my private VPN IP, Client 2 is Los Angeles and Client 3 is UK.

See the ReadMe for instructions on how to determine the domains used by streaming services at https://github.com/Xentrk/x3mRouting#helpful-tips-validation-and-troubleshooting
 
I thought this was something totally different. I thought we could ditch the smart DNS proxies and choose the routing we want and to which location for the streaming service (i.e. Netflix).
 
You would need to ditch the DNS proxy service and replace it with a VPN connection to the location of your choice. But Netflix and other streaming services block known VPN servers. These services detect multiple users using the same IP address which flags that IP as a VPN server. NordVPN and Express VPN require that you use their DNS to stream Netflix. They are using DNS proxy over the VPN tunnel. My provider TorGuard uses a different approach and offers dedicated or private IP addresses. You can read more about it on my blog post.
 
Hi.
Please forward me in the right direction, or say what I did wrong.
  1. router rt-ac86u
  2. firmware -384.12.0
  3. two vpn clients PureVPN configured with Redirect Internet traffic: Policy Rules
  4. your script installed today from https://github.com/Xentrk/x3mRouting
  5. Selected options 1 & 3, & 4
  6. Created vpnclient1-route-up
    Code:
    sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
  7. Created vpnclient2-route-up
    Code:
    sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 2 AMAZON-EU EU
  8. iptables -t mangle -vL
    Code:
    Chain PREROUTING (policy ACCEPT 99 packets, 10662 bytes)
     pkts bytes target     prot opt in     out     source               destination
        1    60 MARK       all  --  tun12  any     anywhere             anywhere             MARK xset 0x1/0x7
       12   604 MARK       all  --  tun11  any     anywhere             anywhere             MARK xset 0x1/0x7
      828 54815 MARK       all  --  br0    any     anywhere             anywhere             match-set AMAZON-US dst MARK or 0x1000
       50  2969 MARK       all  --  br0    any     anywhere             anywhere             match-set AMAZON-EU dst MARK or 0x2000
    
    Chain INPUT (policy ACCEPT 94 packets, 10251 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain FORWARD (policy ACCEPT 2 packets, 168 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain OUTPUT (policy ACCEPT 97 packets, 11808 bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain POSTROUTING (policy ACCEPT 99 packets, 11976 bytes)
     pkts bytes target     prot opt in     out     source               destination
  9. ip rule
    Code:
    0:      from all lookup local
    9990:   from all fwmark 0x8000/0x8000 lookup main
    9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
    9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
    32766:  from all lookup main
    32767:  from all lookup default
  10. liststats

    Code:
    AMAZON-EU - 277
    AMAZON-US - 407
    Skynet-Blacklist - 143700
    Skynet-BlockedRanges - 1593
    Skynet-IOT - 0
    Skynet-Master - 2
    Skynet-Whitelist - 2031
And when I try, from a LAN host,
traceroute 54.239.106.252 (54.239.106.252 is in AMAZON-EU)
it goes through wan, not ovpnc2.

Is this the wrong method to check?
Is something else wrong?

-------------------------update------------------------------------
I found the reason:
The tables for both VPN clients were empty.
Code:
root# ip route show table 111
root# ip route show table 112
root# ip route show table ovpnc1
root# ip route show table ovpnc2
The reason is simple: because no IPs were set via the web interface, the default routes weren't created for them.
After adding any record (even a dummy one) for 127.127.127.127, everything is OK.
Code:
root# ip route show table ovpnc1
default via 172.94.11.129 dev tun11
root# ip route show table ovpnc2
default via 45.74.60.141 dev tun12
And everything is routed as it has to be.
The reason is line 429 in vpnrouting.sh (marked by me with >>>)
Code:
  # Setup table default route
>>>  if [ "$VPN_IP_LIST" != "" ]; then
    if [ "$VPN_FORCE" -eq 1 ]; then
      /usr/bin/logger -t "openvpn-routing" "Tunnel re-established, restoring WAN access to clients"
    fi
    if [ "$route_net_gateway" != "" ]; then
      ip route del default table "$VPN_TBL"
      ip route add default via "$route_vpn_gateway" table "$VPN_TBL"
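An added example, not the poster's or the firmware's code, for catching the condition found above before trusting the policy rules: `ip rule ... lookup ovpnc2` against an empty table matches nothing, the kernel moves on to the next rule, and the packet leaves via `main` (the WAN) with nothing logged. The check reads `ip rule` to find which tables the fwmark rules point at, then reads `ip route show table T` for each and reports any without a default route. Table names ovpnc1..ovpnc5 and the `ip rule` shape are the ones in the post; the route and rule text in the test is constructed from the post's output.

```sh
#!/bin/sh
# Added example: detect VPN routing tables that fwmark rules point at but
# which carry no default route (marked traffic then falls through to main).

# fwmark_tables   (stdin: `ip rule` output) -> tables that fwmark rules select,
# one per line, excluding main (the 0x8000 rule is the firmware's WAN bypass).
fwmark_tables() {
    awk '/fwmark/ && $NF != "main" { print $NF }'
}

# route_decision TABLE   (stdin: `ip route show table TABLE` output)
# Prints the default route line, or a warning that marked traffic falls
# through to main. Exit status 0 = default present, 1 = missing.
route_decision() {
    line=$(grep '^default ' | head -n 1 || true)
    if [ -n "$line" ]; then
        echo "$1: $line"
        return 0
    fi
    echo "$1: NO DEFAULT ROUTE - fwmark lookups fall through to main (WAN)"
    return 1
}

# check_vpn_tables: run on the router; non-zero if any referenced table lacks
# a default route. A table the firmware has not created yet counts as empty.
check_vpn_tables() {
    rc=0
    for t in $(ip rule | fwmark_tables); do
        ip route show table "$t" 2>/dev/null | route_decision "$t" || rc=1
    done
    return $rc
}
```

Calling `check_vpn_tables` from vpnclientX-route-up (after the load_*_ipset_iface.sh lines) turns the silent fail-open into a logged, non-zero result you can act on; the poster's workaround of adding a dummy policy-rule entry so that vpnrouting.sh creates the default route is what makes the check pass.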
 
Sorry for the late response. I found this intriguing and performed the test. What I noticed is that after changing my VPN Client DNS to Strict and following your recommendation of setting dhcp-option DNS x.x.x.x, I ran the iptables -nvL PREROUTING -t nat --line command and here is the result.

Code:
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 VSERVER    all  --  *      *       0.0.0.0/0            192.168.0.4
2       74  5201 DNSFILTER  udp  --  *      *       192.168.50.0/24      0.0.0.0/0            udp dpt:53
3        5   312 DNSFILTER  tcp  --  *      *       192.168.50.0/24      0.0.0.0/0            tcp dpt:53

It is obvious that the VPN DNS is not listed, and I can confirm this by performing a DNS leak test. After checking resolv.conf and dnsmasq.conf I can see that the VPN servers are listed properly. It seems that if the router has DNSSEC and/or DoT enabled in the WAN section, these DNS servers will be used first, unless you configure the OpenVPN client DNS to Exclusive. This behaviour has changed from previous versions of the firmware.
Whether that is going to be reverted in the next version is what I would like to find out. Configuring OpenVPN to Strict (with DoT and DNSSEC) should not make a difference, and the VPN DNS, being first in the list, should be used. However, this is not the case in 384.12. I don't think I am doing anything wrong in configuring the router.
Do I understand it correctly?

