x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


ugandy

Very Senior Member
Hi,
can we still install x3mrouting on 384.18, or is 384.19 required?
thx
 

Xentrk

Part of the Furniture
The current version is not compatible with 384.18. I moved it to its own branch on GitHub.

Install 384.18 Version
Code:
sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/Install_x3mRouting.sh)"
 

Xentrk

Part of the Furniture
I tried manually with

and it works well.
What option/features of x3mRouting do you have installed? I'm curious to know where the fwmark for WAN interface is getting set. Do you have a bypass rule in VPN Client 1?
 

Wisiwyg

Regular Contributor
Hi @Xentrk

Checking to see if there is a preferred method of routing Discord traffic with this script over a VPN while the rest of the traffic remains untouched to punch Discord through the Skynet firewall/country ban. One of mine has discovered Discord and now *must* have it to maintain his social life. Woke me up at 2:30am b/c he couldn't get it to work. TIA
edit: note 384.18 fw
 

Xentrk

Part of the Furniture
Yes, you should be able to do that. Just a matter of determining the best method to use.

x3mRouting 384.18 branch

You can install the ASN Lookup Tool directly from the asn project repo since it's not available in the 384.18 compatible version of x3mRouting. Option 4 contains the two other scripts getdomainnames.sh and autoscan.sh that you can also use. A site like discourse.pi-hole.net returns only one IP address from an nslookup command. The dnsmasq method may be the best solution. Go to the website and navigate around. Then run the autoscan.sh script and search for "discourse" or other relevant terms.
 

h0me5k1n

Occasional Visitor
I have 9 x3mRouting entries in nat-start:
1x aws_region entry
3x dnsmasq entries
5x asnum entries

Some of these entries push traffic over VPN1 and others aim to force traffic over WAN (for when I want to bypass VPN for a LAN ip which normally routes all traffic over VPN1)

The problem is that the VPN pushed traffic for the asnum entries doesn't seem to be working! dnsmasq traffic pushed over VPN works - validated with whatismyipaddress.com!

When I run liststats, all the asnum IPSET entries always show 0
the only IPSET file I see in /opt/tmp is the aws_region one

Do you know what the problem might be with detection and routing over VPN of IPs for asnum entries?
 

Olivier L

Regular Contributor
What option/features of x3mRouting do you have installed? I'm curious to know where the fwmark for WAN interface is getting set. Do you have a bypass rule in VPN Client 1?
Options 3.
with these rules
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 AMAZON aws_region=GLOBAL,EU dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX-14618 asnum=AS14618 dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX-2906 asnum=AS2906 dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 GOOGLE asnum=AS15169 dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 GOOGLE2 dnsmasq=doubleclick.net,google-analytics.com,google.com,googleadsapi.com,googleapis.com,googletagmanager.com,googletagservices.com,googleusercontent.com dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CANALPLUS-AS51366 asnum=AS51366 dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 MYCANAL dnsmasq=canal-plus.com,canal-plus.net,canalplus-bo.net,canalplus-cdn.net,canalplus.com,canalplus.pro dir=/mnt/cleusb/backup
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 WAREZ dnsmasq=xxx, yyy, zzz
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=1 client=1
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 PREMIUM_IPS dir=/mnt/cleusb/backup/
 

Xentrk

Part of the Furniture
I have 9 x3mRouting entries in nat-start:
1x aws_region entry
3x dnsmasq entries
5x asnum entries

Some of these entries push traffic over VPN1 and others aim to force traffic over WAN (for when I want to bypass VPN for a LAN ip which normally routes all traffic over VPN1)

The problem is that the VPN pushed traffic for the asnum entries doesn't seem to be working! dnsmasq traffic pushed over VPN works - validated with whatismyipaddress.com!

When I run liststats, all the asnum IPSET entries always show 0
the only IPSET file I see in /opt/tmp is the aws_region one

Do you know what the problem might be with detection and routing over VPN of IPs for asnum entries?
Can you please tell me what router model and firmware version you are using? Is it only the ASN method that appears to not work or the ipset list is not loading?

What version of x3mRouting.sh are you using?
Code:
grep VERS /jffs/scripts/x3mRouting/x3mRouting.sh

I tested the line below and it worked for me. The IPSET list was populated.

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX-14618 asnum=AS14618

I also tried by specifying the 'dir=' parm and no issues even though the code no longer creates a save/restore location for the ASN method.

Recently, I made an update and optimized the code for the ASN method. It used to first download the ipv4 addresses to the file in the /opt/tmp or directory specified with the 'dir=' parm before loading to the IPSET list. The code now loads directly into the IPSET list from the source - https://api.hackertarget.com. The 'dir=' parm is ignored as a result.

Make sure https://api.hackertarget.com is not blacklisted or blocked.
 

Teymur

Regular Contributor
Hi there @Xentrk
Any idea why I am not able to use a custom dir for this:

Code:
[email protected]:/tmp/mnt/Sandisk/entware/tmp# cd ipsets/
[email protected]:/tmp/mnt/Sandisk/entware/tmp/ipsets# pwd
/opt/tmp/ipsets
[email protected]:/tmp/mnt/Sandisk/entware/tmp/ipsets# ll
-rw-rw-rw-    1 teymur88 root           140 Oct 11 04:00 edemtvips
[email protected]:/tmp/mnt/Sandisk/entware/tmp/ipsets# more edemtvips
88.218.240.0/24
88.218.241.0/24
91.192.80.0/24
92.119.88.0/24
93.189.58.0/24
93.189.63.0/24
213.183.32.0/24
213.183.33.0/24
213.183.58.0/24
[email protected]:/tmp/mnt/Sandisk/entware/tmp/ipsets# x3mRouting ipset_name=edem dir=/opt/tmp/ipsets
(x3mRouting): 9019 Starting Script Execution ipset_name=edem dir=/opt/tmp/ipsets
(x3mRouting): 9019 Encountered an invalid parameter:  ipset_name=edem dir=/opt/tmp/ipsets
[email protected]:/tmp/mnt/Sandisk/entware/tmp/ipsets#
 

Xentrk

Part of the Furniture
I can reproduce. A patch will be coming soon... Stay tuned.
 

Xentrk

Part of the Furniture
I see the problem now. The save file name is different from the ipset name. Rename the file to match the IPSET list name or vice versa:

mv /opt/tmp/ipsets/edemtvips /opt/tmp/ipsets/edem
 

Xentrk

Part of the Furniture
x3mRouting.sh Version 2.3.7 Update (12-October-2020)

Description
Trap condition when the save/restore file does not exist when defaulting to the manual method and the 'ipset_name=' and 'dir=' parms are specified. The save/restore file must be the same name as the IPSET list name. Case sensitive.

Update Process
The x3mMenu will show an update is available in amtm. Or, type x3mMenu to access. Run option 7 to update the x3mMenu. There are no version or code changes to the x3mMenu. After the x3mMenu update, run option 5 to update x3mRouting.sh
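
The naming mismatch diagnosed above can be caught before the script is run. The following is an added example, not part of the original posts or of x3mRouting: the function name preflight is hypothetical, and it assumes the manual-method file holds one IPv4 address or CIDR per line, as in the listing posted in this thread.

```shell
#!/bin/sh
# Added example (not x3mRouting code): pre-flight check for the manual method.
# Assumption: the save/restore file holds one IPv4 address or CIDR per line.

# preflight DIR NAME
#   prints "ok" and returns 0 when DIR/NAME exists (exact case) and every
#   entry is well formed; otherwise prints the reason and returns 1.
preflight() {
  dir=$1; name=$2
  if [ ! -f "$dir/$name" ]; then
    want_lc=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    # Look for a near miss: same name in another case, or a longer file name.
    for f in "$dir"/*; do
      [ -f "$f" ] || continue
      base=${f##*/}
      have_lc=$(printf '%s' "$base" | tr 'A-Z' 'a-z')
      case $have_lc in
        "$want_lc"*) echo "missing: found '$base', expected '$name'"; return 1 ;;
      esac
    done
    echo "missing: no file named '$name' in $dir"
    return 1
  fi
  # Reject anything that is not a dotted quad with an optional /0-32 prefix.
  bad=$(awk '
    function octet(s) { return s ~ /^[0-9]+$/ && s + 0 <= 255 }
    NF == 0 { next }
    { n = split($0, p, "/"); m = split(p[1], o, "[.]")
      ok = (n <= 2 && m == 4 && octet(o[1]) && octet(o[2]) && octet(o[3]) && octet(o[4]))
      if (ok && n == 2) ok = (p[2] ~ /^[0-9]+$/ && p[2] + 0 <= 32)
      if (!ok) { print NR; exit } }' "$dir/$name")
  [ -z "$bad" ] || { echo "bad-entry: line $bad"; return 1; }
  echo "ok"
}

# Demo reproducing the case from the thread in a scratch directory
# (constructed data: two of the posted CIDRs, file named edemtvips).
demo_dir=$(mktemp -d)
printf '88.218.240.0/24\n88.218.241.0/24\n' > "$demo_dir/edemtvips"
preflight "$demo_dir" edem || true      # file name differs from the IPSET name
mv "$demo_dir/edemtvips" "$demo_dir/edem"
preflight "$demo_dir" edem              # names now match
rm -rf "$demo_dir"
```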
 

Teymur

Regular Contributor
I see the problem now. The save file name is different from the ipset name. Rename the file to match the IPSET list name or vice versa:

mv /opt/tmp/ipsets/edemtvips /opt/tmp/ipsets/edem
Thanks @Xentrk
This helps!
 

tejesh83

Occasional Visitor
@Xentrk

I'm experiencing an intermittent issue, where it seems the ipset rules to bypass the vpn are not getting applied. When this happens, I can no longer watch Amazon Prime Videos until I reboot the router or rerun nat-start. I've traced through my syslog, and think it may have something to do with when the openvpn client loses connection with the server and restarts itself. Any ideas what's causing this?

I've attached my syslog for the 2 days where this happened and noted some key timestamps below. I did scrub the file a bit and removed some wlcevent entries to focus on the vpn and routing log entries.

Relevant timestamps:
  1. Oct 12 09:31:41 or Oct 12 10:31:58 - The timestamps seem a bit jumbled up in the log, so not sure exactly when, but the VPN goes down and restarts itself.
  2. Oct 12 15:11:22 - FireTV videos are not playing and I'm getting a VPN detected error, so I reboot the router and everything starts working again.
The following day, my FireTV is again showing the VPN detected error, so I can't play videos. In the logs, I see earlier that day the VPN restarted, which is why I think this may be the common culprit. Relevant timestamps:
  1. Oct 13 01:02:54 or Oct 13 02:02:54 - Again, the timestamps in the log are a bit jumbled up, so not sure exactly when it occurred, but you can see the VPN restart itself.
  2. Oct 13 15:35:23 - This time, instead of rebooting the router, I just rerun nat-start. Again, the firetv starts working and videos now play.
Thanks for your help!
 

Xentrk

Part of the Furniture
The rules get applied when the VPN status is "route-up" and the rules get removed at "route-pre-down" when the VPN is started or stopped. They also get reapplied during a firewall restart or when nat-start is run. This should cover most situations that I am aware of.

Here is how the route-up entry looks in system log:
Code:
openvpn-event[4216]: Running /jffs/scripts/x3mRouting/vpnclient2-route-up tun12 1500 1584 10.37.0.6 10.37.0.5

Next time it happens, enter the following command to display the PREROUTING IPTABLES Chains for the mangle table to confirm if the rules exist or not:

Code:
iptables -nvL PREROUTING -t mangle --line

Try turning the VPN on/off and use the command above to verify if the rules are being applied properly.

I did have an issue with my private IP one time where I had issues every time the certificate lease got renewed. I can't recall the fix. I think they gave me a new IP.
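
The verification step described in the post above can be scripted so it is quick to repeat after a VPN restart. The following is an added example, not part of the original post or of x3mRouting: it reads the iptables listing on stdin and reports which expected IPSET names have no match-set rule and which rules have matched no packets. The function names are hypothetical, and the sample listing, its counters and its mark values are constructed.

```shell
#!/bin/sh
# Added example (not x3mRouting code): audit the mangle PREROUTING chain
# for the IPSET rules that the nat-start entries are expected to create.

# Constructed sample of `iptables -nvL PREROUTING -t mangle --line` output.
# Counters, interface names and mark values are illustrative only.
sample_rules() {
cat <<'EOF'
Chain PREROUTING (policy ACCEPT 48213 packets, 21M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1520  118K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x1000
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK or 0x1000
EOF
}

# missing_sets "NAME1 NAME2 ..."
#   Reads the listing on stdin and prints every expected IPSET name that no
#   rule references. The comparison is case sensitive, like IPSET names.
missing_sets() {
  awk -v want="$1" '
    { for (i = 1; i < NF; i++) if ($i == "match-set") seen[$(i + 1)] = 1 }
    END {
      n = split(want, w, " ")
      for (j = 1; j <= n; j++) if (!(w[j] in seen)) print w[j]
    }'
}

# idle_sets
#   Reads the listing on stdin and prints the IPSET name of every rule whose
#   packet counter is still 0: the rule exists but nothing has matched it.
idle_sets() {
  awk '$1 ~ /^[0-9]+$/ && $2 == "0" {
         for (i = 1; i < NF; i++) if ($i == "match-set") print $(i + 1)
       }'
}

# Demo on the constructed sample. On the router, replace sample_rules with:
#   iptables -nvL PREROUTING -t mangle --line
echo "missing: $(sample_rules | missing_sets 'BBC NETFLIX AMAZON_EU')"
echo "idle:    $(sample_rules | idle_sets)"
```

A name reported as missing after the VPN client restarts means the rule was not put back; a name reported as idle means the rule is present but the IPSET list may be empty or the traffic is going to addresses outside it.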
 

ewokuk

Regular Contributor
Greetings,

Ok so I have everything working to bypass the vpn for certain services (netflix, bbc, amazon) I have now installed entware and x3mRouting using option 3 and used the following commands which seemed to execute ok (I didn't see any errors):
x3mRouting 1 0 BBC asnum=AS2818,AS31459
x3mRouting 1 0 NETFLIX asnum=AS2906
x3mRouting 1 0 AMAZON_EU aws_region=EU

Netflix seems to be working, as well as bbc and Prime, except Prime video is not working on the pc, it insists I am on a VPN, but seems to work on the tv and the firestick which are also routed over the vpn the same as the pc, which is odd! Not sure how it's detecting the vpn on the pc but not on anything else (only difference is pc is using firefox and the rest are using apps, but my firefox even has webrtc disabled and is not using any proxy, I even tried with ublock origin turned off).

Other than prime on the pc not working, this is exactly what I have needed for years, great stuff! Now I can have everything behind the VPN except the couple of sites that don't like it. I guess the down side is they could add more ip's which aren't in the current lists and that would end up with it getting blocked again and needing updates?
 

Xentrk

Part of the Furniture
For Prime, try setting 'aws_region=GLOBAL'. I switched to it about six months ago and it is working good for me. Prior to that, I used US region. I recently used the new ASN Lookup Utility (option 4) and noticed prime traffic routing from my location to AWS EU then to AWS US.
 

ewokuk

Regular Contributor
Perfect, I just added US and global to it as well (don't think there is any harm in just adding both to the EU list I already added?), rebooted the router, Amazon is now working on the pc :D. I will set this up on my parents old AC68u later too.

Literally spent years trying to find a solution like this so I could just put everything behind the vpn except these. The only other things that get blocked are the uk lottery website and some airlines but less bothered about those.
 

Xentrk

Part of the Furniture
The dnsmasq or dnsmasq_file methods should work for individual websites.

e.g. x3mRouting 1 0 WEBSITES dnsmasq_file=/opt/tmp/websites


Check out the new ASN Lookup Tool available in option 4 (traceroute snipped off for privacy reasons)

[Screenshot: ASN Lookup Tool output]

This reveals the ASN for the website is AS2856.

x3mRouting 1 0 LOTTERY asnum=AS2856
 

OBENZ

Regular Contributor
Hello, great tool although I'm not using it as I'm using dnsmasq on my phone to do more or less the same thing but instead of a vpn it's using specific smartdns to access geographically restricted library of some video services, I'm only having trouble with amazon video which still detects I'm not in the US. I was wondering if anyone could share the list of servers used to bypass this? Thanks again
 
