x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[Robson]

Noob question!

Can I have 2 vpn clients setup on my router for my samsung tizen tv? Let me explain what I want to do..
Currently I have TG streaming IP [US] setup on my acus rt ac86u router running merlin. Mainly for US Netflix.

On the same tv I have S.IPTV installed but the TG´s vpn speed doesn´t allow me to stream IPTV very well.
So to fix this I have another VPN client setup on my router where I can get close to my full internet speed from. But netflix will not work with this VPN..
It´s inconvenient to manually switch from VPN clients every time I want to watch Netflix/IPTV..

Is this something that can be done with x3mRouting or is there any way to achieve this?

 

[Xentrk]

Noob question!

Can I have 2 vpn clients setup on my router for my samsung tizen tv? Let me explain what I want to do..
Currently I have TG streaming IP [US] setup on my acus rt ac86u router running merlin. Mainly for US Netflix.

On the same tv I have S.IPTV installed but the TG´s vpn speed doesn´t allow me to stream IPTV very well.
So to fix this I have another VPN client setup on my router where I can get close to my full internet speed from. But netflix will not work with this VPN..
It´s inconvenient to manually switch from VPN clients every time I want to watch Netflix/IPTV..

Is this something that can be done with x3mRouting or is there any way to achieve this?

x3mRouting should be able to accomplish this.

I recommend you use the mine dnsmasq method as described in this post to find the domain names used by Smart IPTV. You can then use the DNSMASQ method to route the traffic for those domains to the VPN tunnel you setup for Smart IPTV. It usually requires some trial and error.

This will avoid having to manually switch between VPN Clients.

 

[TonyK132]

Sorry, I should have specified that I used option 8 to do the Force update. It did not fix my situation until I did the del cmd.

This is happening pretty consistently now. What can I do to fix this? I only started having this problem when I moved to 384.13. I did not have this problem when running 384.8_2.

I've now setup a script to del the Amazon ipset and reload it. That works, but I only know to run it when Amazon reports that they are detecting a VPN. I'd really like to fix the root cause. What can I do?

 

[Xentrk]

This is happening pretty consistently now. What can I do to fix this? I only started having this problem when I moved to 384.13. I did not have this problem when running 384.8_2.

I've now setup a script to del the Amazon ipset and reload it. That works, but I only know to run it when Amazon reports that they are detecting a VPN. I'd really like to fix the root cause. What can I do?

From the symptoms, it initially appears that the list is not being updated. But I suspect something else is going on.

Please confirm the method you are using to generate the AMAZON ipset list? Are you using the method below to get the IP addresses for the US Region as shown below?

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

In one region in the EU, a member had to combine the method above with the DNSMASQ method:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh 0 AMAZONAWS amazonaws.com

See if that works. If not, then I may have to disable the check for 7 days and update the IPSET list whenever the script is run.

Are you running the x3mRouting script from nat-start or the openvpn-event script?

 

[TonyK132]

From the symptoms, it initially appears that the list is not being updated. But I suspect something else is going on.

Please confirm the method you are using to generate the AMAZON ipset list? Are you using the method below to get the IP addresses for the US Region as shown below?

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

In one region in the EU, a member had to combine the method above with the DNSMASQ method:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh 0 AMAZONAWS amazonaws.com

See if that works. If not, then I may have to disable the check for 7 days and update the IPSET list whenever the script is run.

Are you running the x3mRouting script from nat-start or the openvpn-event script?

I am running the script from nat-start. Here is the file:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 0 HBONOW
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 0 ROKU

Here is my script that I run manually when Amazon says it detects that I'm using a VPN.

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON US del
sleep 1
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

One change that I made compared to when I was running this in 384.8_2 is that I'm using the new built-in dnsmasq in 384.13. Might that be having an effect?

I just tried it now, and Amazon is happy. This is after doing a router reboot last night. I'll continue to watch this, but if it happens again, I'll try the DNSMASQ method you mentioned.

 

[Xentrk]

I am running the script from nat-start. Here is the file:

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 0 HBONOW
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 0 ROKU

Here is my script that I run manually when Amazon says it detects that I'm using a VPN.

#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON US del
sleep 1
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

One change that I made compared to when I was running this in 384.8_2 is that I'm using the new built-in dnsmasq in 384.13. Might that be having an effect?

I just tried it now, and Amazon is happy. This is after doing a router reboot last night. I'll continue to watch this, but if it happens again, I'll try the DNSMASQ method you mentioned.

See if setting local DNS caching makes a difference in Tools -> Other Settings

 

[TonyK132]

See if setting local DNS caching makes a difference in Tools -> Other Settings

View attachment 20217

I may have found the problem. I was scanning the logs at the time of the reboot and found a line that said that nat-start was not set to be an executable. That likely explains why the Amazon ipset did not get set. I must have forgotten to set it when I reset everything when I went to 384.13.

Sorry for the wild goose chase.

 

[Xentrk]

I may have found the problem. I was scanning the logs at the time of the reboot and found a line that said that nat-start was not set to be an executable. That likely explains why the Amazon ipset did not get set. I must have forgotten to set it when I reset everything when I went to 384.13.

Sorry for the wild goose chase.

Good news. Thanks for the update.

 

[bengalih]

Hey all. This might be the wrong thread..or might be the perfect one, but I'm hoping someone can guide me in the right direction. I was led here via the older netflix thread which I was in turn directed to from here:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-Port-routing-(manual-method)

What I am trying to do is route only specific ports from one client on my network out through VPN Client 1 on my router.
I tested it using these commands:

ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
iptables -D mangle -i br0 -m iprange --src-range 10.10.10.102 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

This didn't seem to work as tested by whatsmyip.com still showing my non-vpn. I restarted my VPN client and then also removed the already defined strict-policy rule I had that was routing just that IP.

I'm hoping that this project may be a replacement for what I am trying to do, but don't want to invest the time in figuring this out if it isn't what I need. If it can't do what I want, can someone point me in the right direction of a tutorial or the right terms I need to know to do this?

 

[Martineau]

What I am trying to do is route only specific ports from one client on my network out through VPN Client 1 on my router.
I tested it using these commands:

ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
iptables -D mangle -i br0 -m iprange --src-range 10.10.10.102 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

This didn't seem to work as tested by whatsmyip.com still showing my non-vpn.

You need to make sure you have correctly added (-A) the Selective Port Routing fwmark tagging rule after the delete '-D'

ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 10.10.10.102 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.10.102 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

and check the rules

ip rule

iptables  --line -t mangle -nvL PREROUTING

 

[bengalih]

You need to make sure you have correctly added (-A) the Selective Port Routing fwmark tagging rule after the delete '-D'

ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark

Yes, that's my mistake, I accidentally pasted the wrong command. I actually added the command like such:

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 10.10.10.102 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x1000/0x1000

But it wasn't working. I switched from "Policy Rules (strict)" to "Policy Rules" and it then appeared to work.
After that I found info here that suggests this is proper behavior.

So, it appears the basic functionality may work for me here, the issue is now that I'm unsure of how to properly force all my BT traffic out through a specific port that this routing rule can then apply to. It appears to me so far that it may be impossible to restrict a given set of ports for BT traffic because the client may establish an outgoing connection on any port. If anyone has any info on this I would appreciate a PM (as I don't want to derail the thread any further). In the meantime I'm going to try to get some answers on deluge forums.

thanks.

 

[Martineau]

So, it appears the basic functionality may work for me here, the issue is now that I'm unsure of how to properly force all my BT traffic out through a ...VPN

I suggest you move your discussion to this thread Routing router through VPN and the rest through WAN

 

[bengalih]

I suggest you move your discussion to this thread Routing router through VPN and the rest through WAN

I guess I didn't mention my BT traffic was coming from another box, not the router itself, so that thread isn't relevant. In any case, I don't want to bog up this thread with my issue on that, but if someone has any info on feel free to PM me.

 

[Seij]

Upgraded RT-AC5300 from 384.13 to 384.14. Upon running the x3mRouting_client_config.sh script, I did the typical nano /jffs/config/x3mRouting_client_rules only to find that the first entries are completely blank.

Here's an image pre-upgrade showing all devices present and accounted for with routing as appropriate:

And here's post- upgrade:

I've tried uninstalling and reinstalling x3m, cleaning up the reserved DHCP list, all to no avail. For now I've disabled VPN 1 and 3 until I figure this out..


Any help would be much appreciated!

 

[Xentrk]

Upgraded RT-AC5300 from 384.13 to 384.14. Upon running the x3mRouting_client_config.sh script, I did the typical nano /jffs/config/x3mRouting_client_rules only to find that the first entries are completely blank.

Here's an image pre-upgrade showing all devices present and accounted for with routing as appropriate:
View attachment 20324

And here's post- upgrade:
View attachment 20323

I've tried uninstalling and reinstalling x3m, cleaning up the reserved DHCP list, all to no avail. For now I've disabled VPN 1 and 3 until I figure this out..


Any help would be much appreciated!

Thanks. I'll take a look.

 

[Xentrk]

Upgraded RT-AC5300 from 384.13 to 384.14. Upon running the x3mRouting_client_config.sh script, I did the typical nano /jffs/config/x3mRouting_client_rules only to find that the first entries are completely blank.

Here's an image pre-upgrade showing all devices present and accounted for with routing as appropriate:
View attachment 20324

And here's post- upgrade:
View attachment 20323

I've tried uninstalling and reinstalling x3m, cleaning up the reserved DHCP list, all to no avail. For now I've disabled VPN 1 and 3 until I figure this out..


Any help would be much appreciated!

There were some changes to dhcp_hostnames and dhcp_staticlist nvram parms in 384.13 I had to code for. There were also some cases where users have no hostnames for dhcp static reservations and the word "undefined" exists for some users in the nvram parms that I had to account for. I had made the change in another utility I have so it was easy to copy and paste the updates to x3mRouting_client_config.sh.

Please update the program by selecting option 7:

[7]  Check for updates to existing x3mRouting installation

Let me know if it works. Thank you.

 

[lukaszzsch]

hi All, esspecially Xentrk - king of selective routing

i spent a few days to set up selective routing on my asus rt-ax88
everything went fine, i have enabled quite complicated (to me) settings when my LAN devices are selectively pushed by VPN client 2. NETFLIX traffic is pushed thru WAN. That works well.

then i started to making another rule that force my VPN server to VPN client using ipset configuration of netflix. that is also work flawlessy. unfortunately today, during traveling, i have noticed that i cand get access to my lan computers, no samba, no remote desktop. Fortunately i could log into the router, set second VPN server without selective routing and establish connestion to my home PCs.

the queston is - is itat normal behaviour or i've done something in wrong way?

 

[Xentrk]

hi All, esspecially Xentrk - king of selective routing

i spent a few days to set up selective routing on my asus rt-ax88
everything went fine, i have enabled quite complicated (to me) settings when my LAN devices are selectively pushed by VPN client 2. NETFLIX traffic is pushed thru WAN. That works well.

then i started to making another rule that force my VPN server to VPN client using ipset configuration of netflix. that is also work flawlessy. unfortunately today, during traveling, i have noticed that i cand get access to my lan computers, no samba, no remote desktop. Fortunately i could log into the router, set second VPN server without selective routing and establish connestion to my home PCs.

the queston is - is itat normal behaviour or i've done something in wrong way?

Glad to hear your kind words!

On the VPN Server screen, there is a setting to specify if clients connected to the router only have access to the LAN, Internet or Both. What do you have it set to? That is the only thing I can think of right now.

 

[lukaszzsch]

„Both” is checked,

I created two vpn servers with absolutely the same configuration( double checked).

Only vpn server with traffic directed via OpenVPN client with ipset serting enabled does not let me get in to my Lan network. Weird

But i am able to log in to my router - 192.168.1.1 adress works normally.


Edit:

Even if I change server settong to LAN only, everything behaves in the same way. I can surf the internet but no access to my home LAN nerwork. It seems to be bypassed by selective routing rule.

 

[Seij]

There were some changes to dhcp_hostnames and dhcp_staticlist nvram parms in 384.13 I had to code for. There were also some cases where users have no hostnames for dhcp static reservations and the word "undefined" exists for some users in the nvram parms that I had to account for. I had made the change in another utility I have so it was easy to copy and paste the updates to x3mRouting_client_config.sh.

Please update the program by selecting option 7:

[7]  Check for updates to existing x3mRouting installation

Let me know if it works. Thank you.

Nailed it! Thanks so much for the quick reply and fix!