x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

I found that to get Netflix US (since I'm not in the US), Disney+, and Amazon Prime I needed to use the DNSMASQ method to send both Disney+ and Prime via the WAN.

Actually I don't think I was using Prime at the time, but the principle is the same; the trick is finding the domain names you need to use with the x3mRouting setup script.

You should be able to get most of that from the forum and probably most from this very thread. There's more information about harvesting domain names around too, and also in the GitHub README description for x3mRouting.

Btw, @Xentrk, nice job with the routing scripts.
 
I subscribed for one month and didn't have to do anything. I already had a rule for routing Amazon US region. Since Disney hosts on Amazon servers, the routing rule for Amazon must have been handling it. The new version of x3mRouting has two scripts that will help people with finding the domain names which should make things much easier.
 

I'm in a different region, so having some addresses from the ipset going to the US was a problem for me; I'm pretty sure that's why using DNSMASQ worked properly.

IIRC (not certain) setting strict DNS on the client worked for me too but the stock client didn't work.
 
Express requires you

From the reports on the forum, it appears ExpressVPN is using a DNS proxy to circumvent the blocks. So you have to specify their DNS using Accept DNS Configuration = Exclusive. My provider uses a different approach and I can use any DNS. You may want to notify them though and see what they say.

The usage is as follows:
Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh {[0|1|2|3|4|5] ipset_name region} [del] [dir='directory']

Sounds like you want to route Amazon to the WAN. You can try the two methods below. Either one works for me.

Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

ASN Method
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON AS16509

If it works, place the entry in /jffs/scripts/nat-start so the rules are applied at boot.

I ran as suggested; it appears to have worked fine, but Prime still says I'm behind a proxy. Appreciate any thoughts. For now, when someone needs Prime I need to remove them from the VPN pool manually, then ensure I add them back when done; this would change my life :)

 
Try the US region. Other tips on the README page.

You should first route traffic for the device you are testing with to the WAN. Navigate to the site or stream media. Then, try these steps:
Code:
grep amazon /opt/var/log/dnsmasq.log | grep query | awk '{print $6}' | sort -u

I picked one domain as an example:
nslookup hedwig-client.s3-us-west-2.amazonaws.com
Code:
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      hedwig-client.s3-us-west-2.amazonaws.com
Address 1: 52.218.230.57 s3-us-west-2-r-w.amazonaws.com

Use whob 52.218.230.57 to find info:

Code:
IP: 52.218.230.57
Origin-AS: 16509
Prefix: 52.218.230.0/24
AS-Path: 23673 3491 16509
AS-Org-Name: Amazon.com, Inc.
Org-Name: Amazon Technologies Inc.
Net-Name: AT-88-Z
Cache-Date: 1590996989
Latitude: 45.523450
Longitude: -122.676210
City: Portland
Region: Oregon
Country: United States
Country-Code: US
The domain belongs to AS16509 which is the US region using the AMAZON method.
 

I am not getting anything running

To install I ran

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/master/x3mRouting" -o "/opt/bin/x3mRouting" && chmod 755 /opt/bin/x3mRouting && x3mRouting
grep amazon /opt/var/log/dnsmasq.log | grep query | awk '{print $6}' | sort -u

Selected option 3 to install the ipshell scripts

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 0 AMAZON-US US

nslookup on the URL you placed works

 
Enable dnsmasq logging if you are using the DNSMASQ method and for mining domain names:

Enable dnsmasq Logging
  1. Navigate to the /jffs/configs directory, e.g. cd /jffs/configs
  2. Use your SFTP or SSH client to create the dnsmasq.conf.add file
  3. Add the following entry to /jffs/configs/dnsmasq.conf.add:
Code:
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log

Save the file and exit. Restart dnsmasq: service restart_dnsmasq

Make sure Policy Rules are enabled in the VPN Client too!

DummyVPN entry may be required based on your setup. Please read about it here.

Check if traffic is traversing the chain:

Code:
iptables -nvL PREROUTING -t mangle --line
 
Hello, I am trying to overcome my VPN for Discord because my VPN IP has been banned by the Discord app domain.
I tried with sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 DISCORD discord.com,discordapp.com but it is not working. I am still blocked.
Any idea?
Thanks
 
Look at dnsmasq.log for clues. You can use this script to search for domains that have the word discord:

https://www.snbforums.com/threads/x...wrt-merlin-firmware.57793/page-35#post-587463

However, there may be other domains that don't use the word discord. The IP addresses returned for discord.com belong to AS13335. So, you can try the ASN method, but it may cast too wide of a net.
 
Hmm. This ASN is Cloudflare... I do not want to bypass it.
I went to the discord.com home page. The only domains dnsmasq.log collected are discord.com and discordapp.com when I did a search on the word "discord". There may be more domain names and I can do a more complete scan later. I see Discord traffic going to the WAN.

iptables -nvL PREROUTING -t mangle --line
Code:
20     269 22038 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set DISCORD dst MARK or 0x8000
 
Which IPs do you have in your DISCORD list? I did the same but still cannot connect because my IP (VPN) is banned.
 

You can create the IPSET list from the file below. Save to a location and run the ipset restore command.

ipset restore -! <"/opt/tmp/DISCORD"

Code:
create DISCORD hash:net family inet hashsize 1024 maxelem 65536
add DISCORD 162.159.128.233
add DISCORD 162.159.136.232
add DISCORD 162.159.134.233
add DISCORD 162.159.135.233
add DISCORD 162.159.130.233
add DISCORD 162.159.129.233
add DISCORD 162.159.133.233
add DISCORD 162.159.138.232
add DISCORD 162.159.137.232
add DISCORD 162.159.135.232
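As an added example (my own POSIX sh, not x3mRouting's code), the two manual steps from this thread in one script: mining domain names out of the dnsmasq query log the way the grep/awk one-liner earlier in the thread does, and turning the IPv4 answers dnsmasq logged for those names into an ipset restore file like the DISCORD one above. It assumes dnsmasq is logging with log-queries to a syslog-style file such as /opt/var/log/dnsmasq.log; the sample log lines are constructed, not captured from a router.

```shell
#!/bin/sh
# Added example, not part of x3mRouting: mine domains from a dnsmasq query log
# and turn the answered IPv4 addresses into an "ipset restore" file.
# Assumes dnsmasq logs with log-queries to a syslog-style file such as
# /opt/var/log/dnsmasq.log (the dnsmasq.conf.add settings shown in the thread).

# Constructed sample log lines standing in for /opt/var/log/dnsmasq.log.
SAMPLE_LOG='Jun  1 09:15:12 dnsmasq[1234]: query[A] discord.com from 192.168.1.50
Jun  1 09:15:12 dnsmasq[1234]: forwarded discord.com to 1.1.1.1
Jun  1 09:15:12 dnsmasq[1234]: reply discord.com is 162.159.128.233
Jun  1 09:15:12 dnsmasq[1234]: reply discord.com is 162.159.136.232
Jun  1 09:15:13 dnsmasq[1234]: query[AAAA] discord.com from 192.168.1.50
Jun  1 09:15:13 dnsmasq[1234]: reply discord.com is 2606:4700::6812:1c6
Jun  1 09:15:14 dnsmasq[1234]: query[A] gateway.discord.gg from 192.168.1.50
Jun  1 09:15:14 dnsmasq[1234]: reply gateway.discord.gg is <CNAME>
Jun  1 09:15:14 dnsmasq[1234]: reply gateway.discord.gg is 162.159.134.233
Jun  1 09:15:15 dnsmasq[1234]: cached discord.com is 162.159.128.233
Jun  1 09:15:16 dnsmasq[1234]: query[A] www.example.net from 192.168.1.51
Jun  1 09:15:16 dnsmasq[1234]: reply www.example.net is 203.0.113.10'

# mine_domains KEYWORD: unique queried names containing KEYWORD (case-insensitive),
# read from the log on stdin. Field 6 is the name, as in the grep/awk one-liner.
mine_domains() {
    awk -v kw="$1" 'index($5, "query[") == 1 && index(tolower($6), tolower(kw)) { print $6 }' \
        | sort -u
}

# ipset_restore_file SETNAME KEYWORD: emit a restore file for a "family inet" set
# from the reply/cached lines of matching names. IPv6 answers and <CNAME>
# placeholders are skipped, and each address is added only once.
ipset_restore_file() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$1"
    awk -v set="$1" -v kw="$2" '
        ($5 == "reply" || $5 == "cached") && $7 == "is" &&
        index(tolower($6), tolower(kw)) &&
        $8 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !seen[$8]++ { print "add", set, $8 }'
}

# Demo on the sample: first the comma list for load_DNSMASQ_ipset_iface.sh, then
# the file you would save (e.g. to /opt/tmp/DISCORD) and load with ipset restore -!
printf '%s\n' "$SAMPLE_LOG" | mine_domains discord | paste -s -d ,
printf '%s\n' "$SAMPLE_LOG" | ipset_restore_file DISCORD discord
```

On the router, replace the printf of the sample with cat /opt/var/log/dnsmasq.log; addresses for the same name change over time, so regenerate the file after browsing the service again.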
 
I have the following setup:
- Asuswrt-Merlin router using DNS Filter to force the use of a Pi-hole in my network (mainly to block YouTube ads on Chromecast), also connected to a VPN and forcing all internet traffic through the VPN.
- x3mRouting using ASN to force Netflix through the WAN (using the line from the GitHub README).
Additionally, I configured the Pi-hole to only use the DNS servers provided by the VPN as upstream servers. I added the Netflix domains there to dnsmasq.conf to be resolved using a "normal" DNS server (since the VPN has some DNS magic to force Netflix US servers, which I don't want; I'd rather be using our local Netflix servers because of the kids).
This worked perfectly, but since a few days ago some Netflix shows/movies show the "you're using a VPN" error.

So first of all, does this setup even make sense, or is there a better way to achieve what I want (route all traffic through the VPN except Netflix, use Pi-hole + VPN DNS except for Netflix)? And if not, does anyone have an idea what I'm missing or doing wrong?
 
What is Accept DNS Configuration set to on the VPN Client?
 
It is set to strict.
I think the issue is you are forcing all traffic to use the VPN. You need to have the Policy Rules enabled for selective routing to work. Set Force Internet traffic through tunnel to Policy Rules (Strict). You can then force all LAN traffic to use the VPN by specifying the router subnet:

Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN

The Router entry is to allow services such as NTP if the tunnel goes down and you have Block internet traffic if tunnel goes down enabled. It also prevents issues if one has more than one VPN client running with policy rules.
 
This is actually my setup (except I was using Policy Rules without strict), sorry for being unclear in my first post.
I experimented a bit more: on the VPN Client settings page I added my PC IP with Iface WAN (I checked using ipleak.net; it shows my real IP but still the VPN DNS), I also rebooted just to be sure, and using this configuration I can watch all Netflix content. So I think my DNS/Pi-hole setup works (since I get the content from my country, not the forced US version from the VPN DNS) and the problem is with the routing.
I have the following lines in /jffs/scripts/nat-start:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX2 AS40027
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIXDNSMASQ netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
Before the problem started cropping up I only had the first line, I just thought perhaps I need to "cast a wider net".
Executing liststats shows the following:
NETFLIX - 155
NETFLIX2 - 12
NETFLIXDNSMASQ - 357
 

It is interesting that the DNSMASQ method shows you have collected IPv4 addresses from surfing NF. That means you have local dnsmasq enabled on the router. /var/log/dnsmasq.log or /opt/var/log/dnsmasq.log are the locations to look for the log file.

The DNSMASQ method does require that local dnsmasq be enabled to work properly. I only use AS2906 for NF. I sometimes switch to the DNSMASQ method when testing updates. One person had to use both, I think because of the Content Delivery Network.

The command below will show if packets and bytes are traversing the PREROUTING Chain which is helpful for debugging.

iptables -nvL PREROUTING -t mangle --line
Code:
Chain PREROUTING (policy ACCEPT 5808K packets, 6404M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        1    60 MARK       all  --  tun13  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     661K  863M MARK       all  --  tun15  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3        1    60 MARK       all  --  tun14  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
4    76880   70M MARK       all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
5    2030K 2737M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
6        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
7        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK set 0x1000
8    1067K   60M MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB dst MARK set 0x1000
9    33488 6945K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON dst MARK set 0x1000
10    129K 9898K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set MOVETV dst MARK set 0x3000
11   27284 5635K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_WEB dst MARK set 0x3000
12       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK set 0x4000
 
Oh, that's weird; it seems the "original" NETFLIX entry is missing:
Code:
Chain PREROUTING (policy ACCEPT 19M packets, 18G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6450K 7049M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2      142  7668 TTL        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3    19844 2606K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
4     2837  158K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000
5     3643 2143K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-EU dst MARK or 0x8000
6    20867 1830K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x8000
7     7938  927K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIXDNSMASQ dst MARK or 0x8000
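As an added example (my own POSIX sh, not x3mRouting's code), a small checker for the chain listing this thread keeps coming back to for debugging. It reads the output of iptables -nvL PREROUTING -t mangle --line on stdin and, for each ipset name you expect, reports whether a match-set rule exists and whether it has matched any packets, which would have flagged the missing NETFLIX rule in the listing above. The sample chain is constructed from the listing quoted above, with the NETFLIX2 counters zeroed to show the idle case.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: check the PREROUTING mangle chain
# for the match-set rules x3mRouting installs. Feed it the output of
#   iptables -nvL PREROUTING -t mangle --line
# on stdin and name the ipsets you expect; it reports missing and idle rules.

# Constructed sample modelled on the listing quoted in the thread (NETFLIX2
# counters zeroed to show the idle case; the NETFLIX rule is absent).
SAMPLE_CHAIN='Chain PREROUTING (policy ACCEPT 19M packets, 18G bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    6450K 7049M IMQ        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           IMQ: todev 0
2      142  7668 TTL        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3    19844 2606K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x8000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX2 dst MARK or 0x8000
5     7938  927K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIXDNSMASQ dst MARK or 0x8000'

# check_ipset_rules SET...: one line per requested set, read from the chain
# listing on stdin: "<set> ok <pkts>", "<set> idle" (rule present, no packets
# matched yet) or "<set> missing" (no match-set rule for it at all).
check_ipset_rules() {
    awk -v want="$*" '
        BEGIN { n = split(want, sets, " ") }
        /match-set/ {
            # column 2 is the packet counter; the set name follows "match-set"
            for (i = 1; i <= NF; i++) if ($i == "match-set") pk[$(i + 1)] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                s = sets[i]
                if (!(s in pk))        print s, "missing"
                else if (pk[s] == "0") print s, "idle"
                else                   print s, "ok", pk[s]
            }
        }'
}

# all_rules_live SET...: succeeds only when every named set has a rule that
# has matched packets, so a boot script or cron check can act on the result.
all_rules_live() {
    check_ipset_rules "$@" | grep -qv ' ok ' && return 1
    return 0
}

# Demo on the sample listing. On the router, replace the printf with:
#   iptables -nvL PREROUTING -t mangle --line | check_ipset_rules NETFLIX ...
printf '%s\n' "$SAMPLE_CHAIN" | check_ipset_rules NETFLIX NETFLIX2 NETFLIXDNSMASQ AMAZON-US
```

An idle rule right after boot is normal until a client actually reaches the service; a missing rule means the load script did not run or its ipset could not be created, which is what to check in nat-start first.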
 
