x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Great idea - thanks!

On line 72
Code:
for ENTWARE_PACKAGE in bash host mtr whois; do
'host' doesn't seem to be a valid Entware package name and yields an error when installing and running the script.
 
Could it be that it's the opkg package hostip and not host that needs to be installed?
 
Sorry about that. I thought I had that one nailed down. I had host installed in /opt/bin when I started the project. I am not sure yet what package installed it. I'll see what I can find out.
 
Could it be that it's the opkg package hostip and not host that needs to be installed?
The package name is "bind-host". I issued the opkg remove bind-host command and confirmed that /opt/bin/host was removed. I then installed it and /opt/bin/host was present. Should work like a charm now!
 
x3mRouting Version 2.4.0 (29 September 2020)

A new feature called the ASN Lookup Tool has been added to x3mRouting Option 4 to assist users in identifying selective routing information for websites and streaming services.
  • To install, type x3mMenu at the command line or access via amtm.
  • Select option [7] Update x3mRouting Menu
  • Select option [4] Install x3mRouting Utility Scripts.
The ASN Lookup Tool is used for ASN/IPv4/IPv6/Prefix/ASPath/Organization lookups.

The script will perform an AS path trace (using mtr in raw mode and retrieving AS data from the results) for single IPs or DNS results, optionally reporting detailed data for each hop, such as organization/network name, geographic location, etc.

It is also possible to search by organization name in order to retrieve a list of IPv4/6 network ranges related to a given company. A multiple choice menu will be presented if more than one organization matches the search query.

See the README for examples.

Code:
ASN Lookup Tool

Usage:
        asn [-d|-n] <TARGET>

Options:

-d, --detailed
        Output detailed hop info (collected from pWhois) during the AS path trace to the TARGET
-n, --notrace
        Disable tracing the AS path to the TARGET

Supported targets:

<AS Number>
        (lookup matching ASN data. Supports "as123" and "123" formats - case insensitive)
<IPv4/IPv6>
        (lookup matching route and ASN data)
<Prefix>
        (lookup matching ASN data)
<host.name.tld>
        (lookup matching IP, route and ASN data. Supports multiple IPs - e.g. DNS RR)

Note: AS path tracing will be performed only for single IPs/DNS lookup results.
@Xentrk does this look like normal output for running option 4?
Code:
Option ==> 4

getdomainnames.sh downloaded successfully

autoscan.sh downloaded successfully

Installation of getdomainnames.sh and autoscan.sh completed

Checking if bash is installed...
Checking if host is installed...
Unknown package 'host'.
Collected errors:
 * opkg_install_cmd: Cannot install package host.
Checking if mtr is installed...
Installing mtr (0.93-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/mtr_0.93-1_aarch64-3.10.ipk
Configuring mtr.
Checking if whois is installed...
Installing whois (5.5.6-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/whois_5.5.6-1_aarch64-3.10.ipk
Installing libunistring (0.9.10-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libunistring_0.9.10-1_aarch64-3.10.ipk
Installing libidn2 (2.3.0-1) to root...
Downloading http://bin.entware.net/aarch64-k3.10/libidn2_2.3.0-1_aarch64-3.10.ipk
Configuring libunistring.
Configuring libidn2.
Configuring whois.
Downloading ASN Lookup Utility...
Installation of the ASN Lookup Tool completed
 
I pushed a fix. You will need to update the x3mMenu. The program is host but the entware package is bind-host. My bad.
 
Hello
Is it possible to route all connections from a LAN IP (192.168.1.x) to "any IP / port 11254" to vpnclient1?
Or is there a way to auto-fill a file with the IP address each time a connection to an external port 11254 is established?
Thanks
 
Good question. x3mRouting does not have port routing functionality. I am willing to add it. Just been waiting for someone to ask for it! I don't have a use case myself though and would need a volunteer or two to collaborate with me for testing if I move forward.

If you have option 1, 2 or 3 of x3mRouting installed, you can create the files vpnclient1-route-up and vpnclient1-route-pre-down in /jffs/scripts/x3mRouting if they do not exist. They will get created if you specify the source and destination interfaces using x3mRouting, e.g.

x3mRouting ALL 1 NETFLIX asnum=AS1906

EDIT:
If you have option 2 installed, x3mRouting will create the fwmark once the VPN client is active.

Another option is to add this to openvpnclient1-route-up
Code:
TAG_MARK=0x1000/0x1000
ip rule del fwmark "$TAG_MARK" 2>/dev/null
ip rule add from 0/0 fwmark "$TAG_MARK" table 111 prio 9995
ip route flush cache
The first two lines need to get inserted into the openvpnclient1-route-pre-down file to remove the fwmark when the client is in a down state.

Reference

Use 0x1000/0x1000 for VPN Client 1:
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.99 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000
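
The pieces from the post above put together for the case that was asked about (one LAN client, destination port 11254, VPN client 1), as an added example that is not part of the original post or of x3mRouting. The function names, the tcp protocol and the client address 192.168.1.99 are assumptions; the mark, table 111, priority 9995 and br0 come from the post.

```shell
#!/bin/sh
# Added example (not from the thread): print matching route-up and
# route-pre-down lines that send one LAN client's traffic to one destination
# port through VPN client 1. Mark, table, prio and br0 are from the post;
# tcp and the client address 192.168.1.99 are assumptions.
TAG_MARK=0x1000/0x1000
VPN_TABLE=111
PRIO=9995

# valid_ipv4 ADDR: succeeds only for a single dotted quad with octets 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NR > 1 || NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit bad + 0 }'
}

# valid_port PORT: succeeds only for an integer 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# mark_rule ACTION SRC_IP PROTO PORT; ACTION is A (append) or D (delete).
# Input is validated because the output ends up in scripts that run as root.
mark_rule() {
    valid_ipv4 "$2" && valid_port "$4" || return 1
    case "$3" in tcp|udp) ;; *) return 1 ;; esac
    echo "iptables -t mangle -$1 PREROUTING -i br0 -s $2 -p $3 --dport $4 -j MARK --set-mark $TAG_MARK"
}

# Lines for openvpnclient1-route-up. Each add is preceded by a delete so a
# reconnect does not stack duplicate rules.
route_up() {
    del=$(mark_rule D "$@") || return 1
    echo "ip rule del fwmark $TAG_MARK 2>/dev/null"
    echo "ip rule add from 0/0 fwmark $TAG_MARK table $VPN_TABLE prio $PRIO"
    echo "ip route flush cache"
    echo "$del 2>/dev/null"
    mark_rule A "$@"
}

# Lines for openvpnclient1-route-pre-down: undo both changes.
route_pre_down() {
    del=$(mark_rule D "$@") || return 1
    echo "ip rule del fwmark $TAG_MARK 2>/dev/null"
    echo "$del 2>/dev/null"
}

route_up 192.168.1.99 tcp 11254
```

Once the pre-down lines have removed the fwmark rule, marked packets fall back to the main routing table while the client is down, so this setup does not act as a kill switch for that port.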
 
Hello
Is it possible to route all connections from a LAN IP (192.168.1.x) to "any IP / port 11254" to vpnclient1?
Or is there a way to auto-fill a file with the IP address each time a connection to an external port 11254 is established?
Thanks
See Wiki Policy based Port routing
 
Hi,
I have two VPN clients running (VPN 1 and VPN 5, both TUN, UDP). I want to channel all traffic from my TV (192.168.2.6) via VPN 1, Amazon Stick (192.168.2.7) and Roku (192.168.2.8) on VPN 5, and everything else on WAN. This seems to fit option 1.
My devices have static IPs assigned, both VPNs are connected with policy routing (strict), and the kill switch is off for VPN1 and on for VPN5.
However, all 3 devices are going via VPN 1.
My x3mrouting client rules file:

1 192.168.2.6 Sony-eth
5 192.168.2.7 AmazonTV
5 192.168.2.8 Roku-eth
0 192.168.2.11 PC
0 192.168.2.30 XiaomiCam
0 192.168.2.31 Robot360

and I ran the x3mRouting_client_nvram script successfully.

Trying this on an 86U with firmware 384.19 and a factory reset after the update. Any idea where it is going wrong? Thanks for your help.
 
Please run the following command from the command line to verify the assignment is taking place (clients assigned to the WAN won't appear in the list.):
Code:
ip rule

Check the contents of /jffs/addons/x3mRouting. There should be a file called ovpnc1.nvram and ovpnc5.nvram.

The latest version of x3mRouting_client_nvram.sh does restart the VPN clients to apply the rules when it's run. Prior versions didn't do that and a manual restart of the VPN client was required.
 
Need some support here, can’t get it to work in the way I want it to work.
Sorry, I missed your post earlier in the week.

Accept DNS Configuration = exclusive is probably the issue. This will bypass dnsmasq. dnsmasq is required for dnsmasq= or dnsmasq_file= methods to work. I will add that to the README. I did update the Asuswrt-Merlin Wiki earlier in the week that explains the behavior and options.


I'm sure no IP addresses were getting added to the IPSET lists using the dnsmasq= and dnsmasq_file= methods. The command "liststats" will show you the number of entries in the lists.

For AWS, prime, etc, I recently dropped aws_region=US and changed to aws_region=GLOBAL. Everything works as expected. So you may want to test that as well.

EDIT: I will add a check for the Accept DNS Config = Exclusive setting to the code and display and log system msg if it exists
 
Hi,

IP rule shows the following:

0: from all lookup local
10101: from 192.168.2.6 lookup ovpnc1
10102: from 192.168.2.6 lookup ovpnc1
10901: from 192.168.2.7 lookup ovpnc5
10902: from 192.168.2.8 lookup ovpnc5
10903: from 192.168.2.7 lookup ovpnc5
10904: from 192.168.2.8 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default

Not sure why there are repeats - is it because I ran the script twice, after it didn't work after the first attempt?

x3mrouting does contain the nvram files. Folder currently contains :
client1_dns.sh updown-dns.sh
client5_dns.sh x3mRouting_Menu.sh
ovpnc1.nvram x3mRouting_firewall_start.sh
ovpnc5.nvram x3mvpnrouting.sh

Thanks again for your help.

 
For the duplicate issue, check to make sure you also don't have the LAN entries entered in the OpenVPN Client Screen. The code first processes the entries entered in the OpenVPN Client Screen followed by the entries created using x3mRouting LAN Client Routing feature. There is no check for duplicate entries at the moment. I can add an edit to check though.

I also recommend that you enter the Router IP address in OpenVPN Client 1 and assign it to the WAN. In my testing, I've had issues with policy routing if using more than one VPN Client. Adding the router IP address and routing to the WAN fixes the issue.

I use whatismyipaddresss.com and similar websites for testing policy routing. One thing I found out is the web browser will cache the content and give me a false reading after I change the routing rule. It will still show the same IPv4 address endpoint as before. What I usually do is open up the site in a completely different browser after changing the rule for validation.
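
One way to automate the comparison discussed above, as an added example that is not part of the original post or of x3mRouting: it checks `ip rule` output against the client rules file and flags duplicate, missing or conflicting entries. The sample data is taken from the outputs posted in this thread; the function name audit_rules and the mapping of interface N to table ovpncN are assumptions based on those outputs.

```shell
#!/bin/sh
# Added example: compare `ip rule` output with the x3mRouting client rules file.
# Both samples are the outputs posted in this thread (client file shortened).
# Assumption: interface N in the client file maps to table ovpncN, 0 means WAN.
CLIENT_RULES='1 192.168.2.6 Sony-eth
5 192.168.2.7 AmazonTV
5 192.168.2.8 Roku-eth
0 192.168.2.11 PC'

IP_RULES='0: from all lookup local
10101: from 192.168.2.6 lookup ovpnc1
10102: from 192.168.2.6 lookup ovpnc1
10901: from 192.168.2.7 lookup ovpnc5
10902: from 192.168.2.8 lookup ovpnc5
10903: from 192.168.2.7 lookup ovpnc5
10904: from 192.168.2.8 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default'

# audit_rules CLIENT_FILE_TEXT IP_RULE_TEXT
# Prints one finding per VPN client; returns 1 if anything is not OK.
audit_rules() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { rules = 1; next }
        !rules && /^[0-9]/ && NF >= 2 { ip[++n] = $2; iface[$2] = $1 + 0; next }
        rules && $2 == "from" && $3 != "all" && $4 == "lookup" {
            cnt[$3 " " $5]++; tot[$3]++; if ($5 ~ /^ovpnc/) vpn[$3]++
        }
        END {
            for (i = 1; i <= n; i++) {
                a = ip[i]
                if (iface[a] == 0) {   # WAN client: no VPN table expected
                    if (vpn[a] > 0) { print a, "WAN", "UNEXPECTED"; bad = 1 }
                    continue
                }
                want = "ovpnc" iface[a]; c = cnt[a " " want] + 0; t = tot[a] + 0
                if (t == 0) res = "MISSING"
                else if (t > c) res = "CONFLICT"   # a rule points at another table
                else if (c > 1) res = "DUPLICATE x" c
                else res = "OK"
                print a, want, res
                if (res != "OK") bad = 1
            }
            exit bad + 0
        }'
}

# On the router: audit_rules "$(cat <client rules file>)" "$(ip rule)"
audit_rules "$CLIENT_RULES" "$IP_RULES" || echo "RPDB does not match the client file"
```

A clean result only shows that the rule database matches the client file; it does not prove which interface the traffic actually leaves by.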
 
I did indeed have the lan entries in the vpn gui. I removed them, and added the router local ip as wan. After rebooting, x3mrouting client file looks as intended:

1 192.168.2.6 Sony-eth
5 192.168.2.7 AmazonTV
5 192.168.2.8 Roku-eth
0 192.168.2.11 PC
0 192.168.2.30 XiaomiCam
0 192.168.2.31 Robot360

Ip rule:
0: from all lookup local
10001: from 192.168.2.1 lookup main
10101: from 192.168.2.6 lookup ovpnc1
10801: from 192.168.2.1 lookup main
10901: from 192.168.2.7 lookup ovpnc5
10902: from 192.168.2.8 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default

However, all traffic from Sony, Amazon and Roku is still going via VPN 1. I am using ipleak, whatsmyip to check. Both my VPNs are self-hosted so I am checking activity from the server side to verify as well.


 
Good question. x3mRouting does not have port routing functionality. I am willing to add it. Just been waiting for someone to ask for it! I don't have a use case myself though and would need a volunteer or two to collaborate with me for testing if I move forward.
I would be more than happy to help you for testing.
 
The RPDB rules look okay. Are you using the same port number for VPN Client 1 and 5? What happens when you create a rule to route all LAN traffic (e.g. 192.168.1.0/24) to VPN Client 1? And VPN Client 5?

If you uninstall option 1 of x3mRouting and place the policy rules in the GUI, do you still have the same issue?
 
Hi,
Can we still install x3mRouting on 384.18, or is 384.19 required?
Thx
 
