x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


andresmorago

Senior Member
Check the system log for clues. Is TOR enabled?
always OFF

Make sure the VPN server and client are using different port numbers. Port 443 is being referenced in the message. So that may be a clue.
i turned off the vpn server i had running on my router for testing purposes

Shut down the VPN client and server on the router and run the ip route command to see if you can determine what is creating this route:

10.0.0.0/8 dev br0 proto kernel scope link src 10.0.0.6
with aws server off, and either vpn client on or off that ip rule you mention is still showing. and 10.0.0.6 is definitely the pixelserv server.


Code:
[email protected]:/tmp/home/root# ifconfig

br0       Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:8625282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22670501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7018765046 (6.5 GiB)  TX bytes:25052338515 (23.3 GiB)

br0:pixelserv-t Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.6  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:181.xxx.xxx.xxx  Bcast:181.xxx.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50276364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32906211 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:858913774 (819.1 MiB)  TX bytes:2405561012 (2.2 GiB)
          Interrupt:181 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588796 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:425039621 (405.3 MiB)

eth2      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:4C
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19121703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3969762686 (3.6 GiB)

fwd0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:578675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:23386422 (22.3 MiB)
          Interrupt:179 Base address:0x4000

fwd1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:19110580 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7476183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1833769805 (1.7 GiB)
          Interrupt:180 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:576067 errors:0 dropped:0 overruns:0 frame:0
          TX packets:576067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:128965806 (122.9 MiB)  TX bytes:128965806 (122.9 MiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

vlan1     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:10155732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22742641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7123461208 (6.6 GiB)  TX bytes:25148947888 (23.4 GiB)

vlan2     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Code:
[email protected]:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.xxx/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0


i have a completely separate network at a different place with a similar router and that ip route shows as well, so i don't think that should be related to my issue

Code:
ASUSWRT-Merlin RT-AC68U 384.18_0 Sun Jun 28 17:57:07 UTC 2020

[email protected]:/tmp/home/root# ip route
73.xxx.xxx.xxx dev eth0  proto kernel  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
10.10.10.0/24 dev br0  proto kernel  scope link  src 10.10.10.1
73.xxx.xxx.xxx/23 dev eth0  proto kernel  scope link  src 73.xxx.xxx.xxx
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.10.10.2
127.0.0.0/8 dev lo  scope link
default via 73.xxx.xxx.xxx dev eth0
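
An added example, not part of the original post: in both listings the `10.0.0.0/8` route is a `proto kernel` (connected) route on `br0`, and the `ifconfig` output shows the `br0:pixelserv-t` alias carrying `Mask:255.0.0.0`. The sketch below parses `ip route` text and reports connected routes on one device where a wider prefix contains a narrower one; `find_shadowing_routes` and `SAMPLE_ROUTES` are hypothetical names, and the sample is constructed from the first listing.

```sh
#!/bin/sh
# Constructed sample: LAN-side lines of the first `ip route` listing above.
# The WAN lines are redacted on the page, so the default route here uses a
# documentation address (192.0.2.1) as a placeholder.
SAMPLE_ROUTES='10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 192.0.2.1 dev eth0'

# find_shadowing_routes: read `ip route` output on stdin and print one line
# for every pair of connected routes on the same device where the wider
# prefix contains the narrower one.
find_shadowing_routes() {
  awk '
    # Dotted quad -> integer; -1 if the text is not four octets.
    function ip2int(ip,   o) {
      if (split(ip, o, ".") != 4) return -1
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # "proto kernel" routes are the ones the kernel adds by itself when an
    # address and netmask are assigned to an interface (or an alias of it).
    /proto kernel/ && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
      split($1, p, "/")
      dev = ""; src = ""
      for (i = 2; i < NF; i++) {
        if ($i == "dev") dev = $(i + 1)
        if ($i == "src") src = $(i + 1)
      }
      n++
      net[n] = ip2int(p[1]); len[n] = p[2] + 0
      d[n] = dev; s[n] = src; txt[n] = $1
    }
    END {
      for (a = 1; a <= n; a++)
        for (b = 1; b <= n; b++) {
          # a must be the strictly wider prefix on the same device
          if (a == b || d[a] != d[b] || len[a] >= len[b]) continue
          size = 2 ^ (32 - len[a])
          if (int(net[a] / size) == int(net[b] / size))
            printf "%s: %s (src %s) contains %s (src %s)\n", \
                   d[a], txt[a], s[a], txt[b], s[b]
        }
    }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_ROUTES" | find_shadowing_routes
```

On a router the same function can be fed live data with `ip route | find_shadowing_routes`.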
 

Xentrk

Part of the Furniture
always OFF


i turned off the vpn server i had running on my router for testing purposes


with aws server off, and either vpn client on or off that ip rule you mention is still showing. and 10.0.0.6 is definitely the pixelserv server.


What port is the VPN server using? Change the VPN client to use another port rather than 443. Perhaps there is a conflict with pixelserv? Maybe pixelserv-tls service starts before ovpn, and reserves the 443/TCP port.

https://www.snbforums.com/threads/ab-solution-the-ad-blocking-solution.37511/page-131#post-386022




Routes don't get created for pixelserv on the routers I support. I would try turning off pixelserv first to see if that is the source of the problem.

The routes get created by the program vpnrouting.sh. There is a new version on github. You can try testing with it:

Code:
curl https://raw.githubusercontent.com/RMerl/asuswrt-merlin.ng/master/release/src/router/others/vpnrouting.sh -o /jffs/scripts/vpnrouting.sh
mount -o bind /jffs/scripts/vpnrouting.sh /usr/sbin/vpnrouting.sh
To revert to 384.19 code:
Code:
umount /usr/sbin/vpnrouting.sh
rm /jffs/scripts/vpnrouting.sh
Instructions for deleting routes from the command line:
 

Xentrk

Part of the Furniture
I will test further and inform you.
The issue is not about a particular website. Sometimes it is google or some other website. Totally random. The website is not in the list so it should use regular internet connection. With chrome I get "DNS_PROBE_FINISHED_NXDOMAIN" error.

This points me that there is a problem with DNS resolution.
It is also possible that this is a problem with DoT and not related to x3m at all. It is hard to pinpoint.
Okay. Let me know. Try different browsers too.
 

andresmorago

Senior Member
thanks for all your help. i really appreciate the time you have provided me. unfortunately, nothing has given me good results. :(

i plan to wipe my router in the upcoming weeks and start from scratch

i will let you know how it goes
 

Xentrk

Part of the Furniture
thanks for all your help. i really appreciate the time you have provided me. unfortunately, nothing has given me good results. :(

i plan to wipe my router in the upcoming weeks and start from scratch

i will let you know how it goes
Thanks for the update. Probably best to use a port other than 443 for VPN Client and Servers when you reconfigure the router to avoid any conflicts.
 

Xentrk

Part of the Furniture
x3mRouting.sh Update V 2.3.4 (23 September, 2020)

Fixed a typo in the code that checks for the required iptables entries in the openvpn-event down file. The entry was being written to the openvpn-event up file rather than the down file.

First, run option
[5] Check for updates to existing x3mRouting installation
to update x3mRouting.sh.

To clean up any errors, copy/paste the code below in an SSH session to remove the openvpn up/down files. They will get recreated when running the x3mRouting scripts inside of /jffs/scripts/nat-start.

Code:
rm /jffs/scripts/x3mRouting/*route-up
rm /jffs/scripts/x3mRouting/*route-pre-down
sh /jffs/scripts/nat-start
 

archiel

Regular Contributor
@Xentrk - Minor issue, not sure if this is a script or amtm issue (or something with my setup)
Running u from amtm did not show any update and version shows as
6 open x3mRouting v2.3.0
running 5 > 1 successfully downloads update to 2.3.4 but page shows
______________________________________________________
| |
| Welcome to the x3mRouting Installation Menu |
| Version 2.3.0 by Xentrk |
and amtm still reports as
6 open x3mRouting v2.3.0
 

Xentrk

Part of the Furniture
@Xentrk - Minor issue, not sure if this is a script or amtm issue (or something with my setup)
Running u from amtm did not show any update and version shows as

running 5 > 1 successfully downloads update to 2.3.4 but page shows

and amtm still reports as
There was no update to the x3mMenu. Only x3mRouting.sh. So amtm won't show that an update to the menu is available. I sometimes add a space to x3mMenu to prompt ppl to update. But I didn't do it this time. There are many programs in x3mRouting and each one has its own version number. I only bump the version on the x3mRouting Menu if it changed or if there was a significant update to functionality.
 

Olivier L

Regular Contributor
Hello I am trying to route all traffic from a list of IPs called PREMIUM and stored within /mnt/cleusb/backup to WAN (VPN client 1 bypass) with
x3mRouting 1 0 PREMIUM dir=/mnt/cleusb/backup/
But it fails with
(x3mRouting): 32534 Starting Script Execution 1 0 PREMIUM dir=/mnt/cleusb/backup/
(x3mRouting): 32534 Encountered an invalid parameter: 1 0 PREMIUM dir=/mnt/cleusb/backup/
What am I doing wrong ?
 

Xentrk

Part of the Furniture
Hello I am trying to route all traffic from a list of IPs called PREMIUM and stored within /mnt/cleusb/backup to WAN (VPN client 1 bypass) with

But it fails with

What am I doing wrong ?
I just pushed an update to x3mRouting.sh to fix the issue.

Run option 5 from the x3mMenu to update.
 

Xentrk

Part of the Furniture
x3mRouting.sh Update 2.3.3 (24 Sept, 2020)

Add check to run the manual method when no method is specified but the 'dir=' parm is specified.
 

tejesh83

Occasional Visitor
First, thank you Xentrk for the fantastic work!

I'm a long time user, 2 years now, with the original IPSET_Netflix_Domains.sh tweaked to include other domains/services. I'm happy to report that I've been using it largely trouble free on 2 AC86U routers, one powering my home network (~20-30 clients) and the other at a hotel (~30-75 clients) for all that time. Kudos to Xentrk for making such a reliable and useful tool for the community!

In those 2 years, I've only had a couple minor hiccups that required intervention, so I only recently decided it was time to upgrade to x3mrouting and retire the old tweaked version of IPSET_Netflix_Domains.sh I had been running for so long. I'm impressed at just how far this has come, and Xentrk's new features should squash all the little issues I've been having. To help the community, I thought I'd share some of the issues I experienced over the years, and how I'm using Xentrk's latest script to mitigate them going forward.

For context, my routers are set up to route all traffic through the VPN (policy strict), with a few devices configured in the GUI to bypass the VPN altogether, and the rest handled by xentrk's script to bypass the VPN for Amazon Prime Video, Netflix, Google, Youtube, and Facebook. The last 3 weren't necessary per se, but I wasn't concerned about anonymizing that traffic since I was already signed into those accounts, so I figured I'd skip the vpn overhead.
  1. A few times a year, my FireTV devices or Android phone would throw up a VPN detected error when trying to stream something off Amazon Prime Video. Sometimes simply rebooting the router would resolve the issue but other times I had to fish through the dnsmasq log to find some new domains to bypass the VPN. With the old IPSET_NETFLIX_DOMAINS script, I just kept adding domains as discovered.
    • When upgrading to x3mRouting, in addition to my old custom domain list, I added AMAZON_US, AMAZON_GLOBAL, as well as AMAZON AS16509. There's a good bit of redundancy, but my hope is that this means my FireTVs / Amazon Prime Video will never see the VPN block errors again, or at least less frequently. You can see the custom domain list I'm using in my config shared below.
  2. On the hotel router, I started seeing errors in syslog that the IPSET had reached its size limit. I believe this was induced by #1 above and the ever growing list of domains I had assigned to one IPSET. My temp fix was to log in periodically to the router, delete the IPSET restore file the script was creating, and have it start the IPSET from scratch. At first, this seemed to work for awhile, but as I added domains, it started filling up faster and faster, so I bumped up the "maxelem" in the script where it creates the IPSET.
    • At this point, I started questioning whether saving/restoring the IPSET was worthwhile and if the IPSET should occasionally get purged anyway. My theory, which I didn't get around to testing, was maybe some old IPs were getting saved to that list or DNS load balancing was growing the list to an unmanageable size. I think today once an IP is identified using the DOMAIN/DNSMASQ logic, it will persist forever, but maybe they should expire over time to keep the list fresh and from growing too large. Having said that, for now I'm not overly concerned and tweaked my usage to split the bypass rules across IPSETs instead of using just one. You can see my new IPSETs in the config I shared below.
    • Here's my original monolith IPSET string (~36 domains) which likely triggered this issue, along with the number of unique clients that use this router: "ipset=/akamai.net/movenetworks.com/movetv.com/footprint.net/conviva.com/sling.com/cloudflare.net/akamaiedge.net/fastly.net/adobeprimetime.com/adobepass.com/roku.com/apple.com/amazoncrl.com/elasticbeanstalk.com/amazon-alexa.com/aiv-cdn.net/aiv-delivery.net/amazonsilk.com/amazon-adsystem.com/cloudfront.net/google.com/ytimg.com/googlevideo.com/youtube.com/fbsbx.com/fbcdn.net/facebook.com/amazon.com/whatismyip.com/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/x3mRouting_DNSMASQ"

A recent issue I experienced with the new x3mrouting is that a specific nat-start entry kept getting deleted. I worked around it by moving to a dnsmasq file instead of keeping the domains in-line, but I'm still curious as to why this happened. Also, note that when running nat-start, the issue was silent. It wasn't until I opened nat-start that I noticed the line had been removed and then dug through the syslog that some script was doing it, and not me losing my mind every time I thought I added it back =)

nat-start line:
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMZN_CUST2 dnsmasq=amazonaws.com,ntp-fireos.com,amazon.com,Akamai.net,amazonvideo.com,amazonaws.com,media-amazon.com,images-amazon.com,amazonalexa.com,cloudfront.net,amazon-adsystem.com,aiv-delivery.net,aiv-cdn.net,peer5.com,akamaihd.net,ssl-images-amazon.com

syslog output, note line 5, deleting from nat-start:
Sep 23 15:15:44 (x3mRouting.sh): 15945 Starting Script Execution 1 0 AMZN_CUST2 dnsmasq=amazonaws.com,ntp-fireos.com,amazon.com,Akamai.net,amazonvideo.com,amazonaws.com,media-amazon.com,images-amazon.com,amazonalexa.com,cloudfront.net,amazon-adsystem.com,aiv-delivery.net,aiv-cdn.net,peer5.com,akamaihd.net,ssl-images-amazon.com
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking /jffs/configs/dnsmasq.conf.add...
Sep 23 15:15:44 (x3mRouting.sh): 15945 no references for IPSET AMZN_CUST2 found in /jffs/configs/dnsmasq.conf.add
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking /jffs/scripts/nat-start...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Script entry for AMZN_CUST2 deleted from /jffs/scripts/nat-start
Sep 23 15:15:44 (x3mRouting.sh): 15945 No AMZN_CUST2 references found in /jffs/scripts/nat-start
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking /jffs/scripts/x3mRouting/vpnclient1-route-up...
Sep 23 15:15:44 (x3mRouting.sh): 15945 No AMZN_CUST2 references found in /jffs/scripts/x3mRouting/vpnclient1-route-up
Sep 23 15:15:44 (x3mRouting.sh): 15945 No AMZN_CUST2 references found in /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking crontab...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking PREROUTING iptables rules...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking POSTROUTNG iptables rules...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking if IPSET list AMZN_CUST2 exists...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Checking if IPSET backup file exists...
Sep 23 15:15:44 (x3mRouting.sh): 15945 Completed Script Execution

Here's my current nat_start config.

As discussed above, you'll see some redundancy in my config, sometimes opting for 2 or 3 different ways to bypass the VPN for a single service. I'm going more for a set it and forget it, so I don't have to fiddle too much with specific domains anymore and I'm okay with some extra traffic bypassing the VPN.


#vpn bypass scripts
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_US aws_region=US
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_GLOBAL aws_region=GLOBAL
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_AS16509 asnum=AS16509
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_CUSTOM dnsmasq_file=/jffs/scripts/x3mRouting/AMAZON_CUSTOM

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX_CUSTOM dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 GOOGLE asnum=AS15169
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 FACEBOOK asnum=AS32934


#AMAZON_CUSTOM file contents
amazonaws.com
ntp-fireos.com
amazon.com
Akamai.net
amazonvideo.com
amazonaws.com
media-amazon.com
images-amazon.com
amazonalexa.com
cloudfront.net
amazon-adsystem.com
aiv-delivery.net
aiv-cdn.net
peer5.com
akamaihd.net
ssl-images-amazon.com

Thanks again, Xentrk!
 

Xentrk

Part of the Furniture
@tejesh83 Thanks for letting me know. Glad you find x3mRouting useful. I am looking into the issue now. I will report back ASAP.

Update:
This domain was causing the issue.

aiv-delivery

The code found a match of 'del' so it removed the entry from nat-start. The code has been updated to match for the word 'del' rather than the characters 'del'.
 

Xentrk

Part of the Furniture
x3mRouting.sh Version 2.3.6 (25 Sept, 2020)

When checking for 'del' parm, check for whole word separated by a space by using the -w parm in the grep command.

Use option [5] from x3mMenu to download the new version.
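
An added example, not x3mRouting's own code: it models the substring check that removed the `aiv-delivery.net` entry, the whole-word `grep -w` check described for 2.3.6, and an exact-token comparison added here for contrast. The argument strings are constructed (the first is shortened from the nat-start line in the thread; the `ipset_name=... del` form and the `del.example.com` domain are assumptions), and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample argument strings for x3mRouting.sh.
ARGS_DOMAIN='1 0 AMZN_CUST2 dnsmasq=amazonaws.com,aiv-delivery.net,aiv-cdn.net'
ARGS_DELETE='ipset_name=AMZN_CUST2 del'        # assumed form of a genuine delete request
ARGS_LABEL='1 0 SHOP dnsmasq=del.example.com'  # hypothetical domain with "del" as a label

# 1. Substring match: any occurrence of the characters "del" counts.
has_del_substring() { printf '%s\n' "$1" | grep -q 'del'; }

# 2. Whole-word match: grep -w requires non-word characters (anything other
#    than letters, digits and underscore) on both sides of "del".
has_del_word() { printf '%s\n' "$1" | grep -qw 'del'; }

# 3. Exact-token match: "del" must be a complete space-separated argument.
has_del_token() {
  case " $1 " in
    *" del "*) return 0 ;;
  esac
  return 1
}

# check_all ARGS: print the names of the checks that read ARGS as a delete.
check_all() {
  r=''
  has_del_substring "$1" && r="$r substring"
  has_del_word "$1" && r="$r word"
  has_del_token "$1" && r="$r token"
  printf '%s\n' "${r# }"
}

# Stand-alone run over the three constructed samples.
for a in "$ARGS_DOMAIN" "$ARGS_DELETE" "$ARGS_LABEL"; do
  printf '%s\n    delete according to: %s\n' "$a" "$(check_all "$a")"
done
```

Because `.`, `-`, `=` and `,` are non-word characters to `grep -w`, a domain list containing `del` as a complete label still matches the whole-word check; only the token comparison ignores it.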
 

Kingp1n

Very Senior Member
x3mRouting.sh Version 2.3.6 (25 Sept, 2020)

When checking for 'del' parm, check for whole word separated by a space by using the -w parm in the grep command.

Use option [5] from x3mMenu to download the new version.
Thanks again for the script. Just updated to latest update. Just wanted to let you know that I have all streaming apps (Netflix|HBOMax|Hulu|Disney|Amazon Prime|CBS All Access) running flawlessly with your script using option 3. I did have to go back to Amazon US vs Global as I kept getting the "VPN is being used" message!!!

Everything is working flawlessly on my full time VPN on my network. Thanks again.
 

tejesh83

Occasional Visitor
As always, thanks Xentrk for the rapid response!


Just wanted to let you know that I have all streaming apps (Netflix|HBOMax|Hulu|Disney|Amazon Prime|CBS All Access) running flawlessly with your script using option 3. I did have to go back to Amazon US vs Global as I kept getting the "VPN is being used" message!!!
Do you mind sharing your nat-start, so we can compare notes. Are you using the ASNs or domain list for these?

Thanks!
 

Kingp1n

Very Senior Member
As always, thanks Xentrk for the rapid response!




Do you mind sharing your nat-start, so we can compare notes. Are you using the ASNs or domain list for these?

Thanks!

This is what I have below and I also use the "CBS_IPV4" file that Xentrk provided inside opt/tmp folder. As I mentioned earlier, I only use option 3 of the script and I have PIA VPN running full time on VPN 1. I also have the following rules setup:

192.168.1.0/24 = VPN
192.168.1.1/27 = WAN (I have these static IP devices to not go thru VPN i.e. nest devices, router etc...)
Finally, for my setup, under the LAN-->DHCP Server-->IP Pool Starting Address, I start with 192.168.1.100 - 192.168.1.254 (as ending). You can set this up however you like. However, with this setup all my devices running thru VPN have an IP address between .100 - .254!!!


Code:
#!/bin/sh

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON_US aws_region=US
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON asnum=AS16509
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON asnum=AS14618
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 COMCAST asnum=AS7922
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 COMCAST asnum=AS7016
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AKAMAI asnum=AS20940
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 FUNIMATION asnum=AS19551
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ADULTSWIM asnum=AS5662
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS_WEB asnum=AS15169
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 OFFERUP dnsmasq=offerup.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS_WEB dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 HBOGO dnsmasq=hbogo.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 HBOMAX dnsmasq=hbomax.com,warnermediacdn.com,amazonaws.com,go-mpulse.net,akamaihd.net,cutestat.com,hbo.com,omtrdc.net,pubmatic.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 DISNEY dnsmasq=demdex.net,disney-plus.net,disney.com,disney.io,disneyplus.com,footprint.net,go.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 HULU dnsmasq=hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 FUNIMATION dnsmasq=funimation.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 DAZN dnsmasq=dazn.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ADULTSWIM dnsmasq=adultswim.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 MERCARI dnsmasq=mercari.com,akamaized.net,fastly.net,mercariapp.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX_DNS dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 TWITCH dnsmasq=twitch.tv,m.twitch.tv
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 GEARS_WEB dnsmasq=live.gearsofwar.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPV4
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_WEB dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com
 

Xentrk

Part of the Furniture
x3mRouting Version 2.4.0 (29 September 2020)

A new feature called the ASN Lookup Tool has been added to x3mRouting Option 4 to assist users in identifying selective routing information for websites and streaming services.
  • To install, type x3mMenu at the command line or access via amtm.
  • Select option [7] Update x3mRouting Menu
  • Select option [4] Install x3mRouting Utility Scripts.
The ASN Lookup Tool is used to search ASN/IPv4/IPv6/Prefix/ASPath/Organization lookup.

The script will perform an AS path trace (using mtr in raw mode and retrieving AS data from the results) for single IPs or DNS results, optionally reporting detailed data for each hop, such as organization/network name, geographic location, etc.

It is also possible to search by organization name in order to retrieve a list of IPv4/6 network ranges related to a given company. A multiple choice menu will be presented if more than one organization matches the search query.

See the README for examples

Code:
ASN Lookup Tool

Usage:
        asn [-d|-n] <TARGET>

Options:

-d, --detailed
        Output detailed hop info (collected from pWhois) during the AS path trace to the TARGET
-n, --notrace
        Disable tracing the AS path to the TARGET

Supported targets:

<AS Number>
        (lookup matching ASN data. Supports "as123" and "123" formats - case insensitive)
<IPv4/IPv6>
        (lookup matching route and ASN data)
<Prefix>
        (lookup matching ASN data)
<host.name.tld>
        (lookup matching IP, route and ASN data. Supports multiple IPs - e.g. DNS RR)

Note: AS path tracing will be performed only for single IPs/DNS lookup results.
 
