x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


I just registered and I am a complete newbie when it comes to networking so please excuse my ignorance.

I have a RT-AX88U router with merlin firmware on it and even managed to get the VPN client to work nicely.
What I would like is to route some specific ports from a certain local IP to WAN side instead of VPN (the other ports continue to go through VPN), can this be done with this script?

I have googled intensively but most instructions are "make a script!" and then the conversation ends.
Problem is I would need someone to hold my hand through the entire process for that to work, and that is why I am now asking here.

Thanks
x3mRouting does not have support for port routing at this time. It is something I had considered adding in a future release though. I am close to launching the new version. I'll take a look at it this weekend to see if I can add the feature in the new version before the go-live.

In the meantime, this post in the wiki explains how to set up port routing.

https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method)

https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts will explain more about scripts on asuswrt-merlin.

You can google "basic linux commands" to learn enough to get by. You need a good SSH client. You can google for reviews. I use MobaXterm. Some use PuTTY. MobaXterm has a built-in editor. I also installed the entware package openssh-sftp-server so I can use the SFTP feature of MobaXterm. This feature provides a Windows Explorer-type view of the file system. I can then right-click on a file and edit it using the built-in editor rather than nano or vi.
 

Thank you for the fast response.
Sounds promising, that would be a really good feature!

Thing is, I have read those 2 articles ~10 times now and I am sorry to say that I cannot wrap my head around it.
SSH and Linux commands are not an issue since I am tinkering with headless Raspberry Pis etc.; I probably should have provided that background.
The issue for me is 1. Scripts (can't make them) 2. Networking syntax.

I see this command to modify for my IP & ports, but where do I put it?
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.100-192.168.1.109 -p tcp -m multiport --dport 80,443,54000:54010 -j MARK --set-mark 0x4000/0x4000
And before that there is some sort of RPDB file that needs to be done, which is completely lost on me.

I understand that these things are probably super basic and so on, but for me as a novice it feels like studying for NASA.
 
You can copy and paste this text on a command line to create the required entry in nat-start so it runs at boot.
Code:
cd /jffs/scripts
touch nat-start
chmod 755 nat-start
echo "#!/bin/sh" > nat-start
echo "iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.100-192.168.1.109 -p tcp -m multiport --dport 80,443,54000:54010 -j MARK --set-mark 0x4000/0x4000 2>/dev/null" >> nat-start
echo "iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.100-192.168.1.109 -p tcp -m multiport --dport 80,443,54000:54010 -j MARK --set-mark 0x4000/0x4000" >> nat-start
 
I made a few edits after I posted.
 
If you don't want to use an editor to create the other entries, you can use the echo method for the fwmarks:
Code:
echo "sleep 10  # During the boot process nat-start may run multiple times so this is required" >> nat-start
echo "ip rule add from 0/0 fwmark 0x8000/0x8000 table main   prio 9990        # WAN   fwmark" >> nat-start
echo "ip rule add from 0/0 fwmark 0x7000/0x7000 table ovpnc4 prio 9991        # VPN 4 fwmark" >> nat-start
<snip>

nano is the built-in editor you can use. e.g. nano nat-start
 
Wow, you are fast and to me like a friendly wizard.
Thank you so much for helping me even though it is currently off-topic for your project and to a lot of other people reading this.

I will try this and see how it goes and obviously change the variables that I can see, such as using VPN1 instead of 4 etc.
It just dawned on me that I pasted an example with the inverse of what I wanted to do.
In the example the selected ports from specified IPs will go through VPN; can I use similar code to make selected ports from a specified IP go through WAN and the rest on that IP on VPN?

One more question.
Using this kind of code, will the routing rules I have made through the GUI interfere for those IP's?
 
The rules you create will have a higher priority than the rules in the GUI and will take precedence. You can see the routing policy database (RPDB) rules using the "ip rule" command. Note the fwmarks are listed before the other rules. Lower number = Higher priority.

ip rule
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 10.8.0.0/24 lookup ovpnc1
10102:  from 192.168.1.162 lookup ovpnc1
10301:  from 192.168.7.0/24 lookup ovpnc2
10302:  from 192.168.1.149 lookup ovpnc2
10303:  from 192.168.1.150 lookup ovpnc2
<snip>
 

Thank you.

I have tried to modify it to fit my scenario.
My nat-start now looks like this:
Code:
#!/bin/sh
sleep 10  # During the boot process nat-start may run multiple times so this is required
# Create the RPDB rules
ip rule add from 0/0 fwmark 0x8000/0x8000 table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.23 -p tcp -m multiport --sport 80 -j MARK --set-mark 0x8000/0x8000

Does it look correct?
The idea is that everything except Port 80 (WAN) should go through VPN1.
The rest is configured already through the GUI.

Not sure if this line needs to be present in the nat-start code?
Code:
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark

And this is my current output from ip rule
Code:
0:      from all lookup local
10101:  from 192.168.1.108 lookup ovpnc1
10102:  from 192.168.1.26 lookup ovpnc1
10103:  from 192.168.1.102 lookup ovpnc1
10104:  from 192.168.1.252 lookup ovpnc1
10105:  from 192.168.1.171 lookup ovpnc1
10106:  from 192.168.1.23 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

[EDIT]
Rebooted and it does not seem to work.
The port is still in the VPN it seems.

Ip rule has my entries added:
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 192.168.1.108 lookup ovpnc1
10102:  from 192.168.1.26 lookup ovpnc1
10103:  from 192.168.1.102 lookup ovpnc1
10104:  from 192.168.1.252 lookup ovpnc1
10105:  from 192.168.1.171 lookup ovpnc1
10106:  from 192.168.1.23 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

[EDIT2]
Sorry for the spam.
I changed it to --dport instead of --sport and now it seems to be working.

Stupid question, are these rules affecting VPN performance negatively?
It seems the VPN throughput (DL/UL) went down.
It might be too early to tell, to be honest.
 
You are missing the code to remove any existing RPDB rules before creating them. If you don't have the code in this order, you may end up creating duplicate RPDB rules. It won't hurt anything, but it will create clutter.
Code:
#!/bin/sh

sleep 10  # During the boot process nat-start may run multiple times so this is required

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
   do
      ip rule del prio 999${VPN_ID}  2>/dev/null
   done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main   prio 9990        # WAN   fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991        # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992        # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994        # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995        # VPN 3 fwmark

iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.23 -p tcp -m multiport --sport 80 -j MARK --set-mark 0x8000/0x8000
There is no harm in having fwmark rules for interfaces you are not using. But no need to create them if you don't plan on using them.

You can use ShellCheck to help spot any script errors.

If you start sending mass quantities of packets through an interface, such as large file downloads, then it could impact performance. But the rule you created is for the WAN, not VPN.
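Putting the two points of this reply together (delete before add so nat-start is safe to run more than once, and checking ip rule for duplicate or mis-ordered entries), here is an added example; it is not part of this thread or of x3mRouting. It assumes the WAN/VPN 1 fwmarks and priorities used above and only prints the commands rather than running them, so it can be checked without a router:

```shell
#!/bin/sh
# Added example, not x3mRouting code: build an idempotent port-routing fragment
# for /jffs/scripts/nat-start and audit `ip rule` output for the duplicate
# priorities that appear when nat-start runs twice without deleting first.
# Assumed from the thread: WAN fwmark 0x8000/0x8000 -> table main, prio 9990;
# VPN 1 fwmark 0x1000/0x1000 -> table ovpnc1, prio 9993.

# Print nat-start lines for one LAN host. Each rule is deleted (errors ignored)
# before it is added, so re-running the script never creates a second copy.
# $1 = source host, $2 = destination ports (multiport syntax), $3 = fwmark to set.
port_route_fragment() {
  src="$1"; ports="$2"; mark="$3"
  match="-i br0 -m iprange --src-range $src -p tcp -m multiport --dport $ports"
  printf '%s\n' \
    'ip rule del prio 9990 2>/dev/null' \
    'ip rule del prio 9993 2>/dev/null' \
    'ip rule add from 0/0 fwmark 0x8000/0x8000 table main prio 9990' \
    'ip rule add from 0/0 fwmark 0x1000/0x1000 table ovpnc1 prio 9993' \
    "iptables -t mangle -D PREROUTING $match -j MARK --set-mark $mark 2>/dev/null" \
    "iptables -t mangle -A PREROUTING $match -j MARK --set-mark $mark"
}

# stdin: output of `ip rule`. Prints every priority that occurs more than once.
rpdb_dup_prios() {
  awk -F: '{ n[$1 + 0]++ } END { for (p in n) if (n[p] > 1) print p }' | sort -n
}

# stdin: output of `ip rule`. Succeeds only if every fwmark rule has a lower
# number (higher priority) than every "from <host>" rule created in the GUI,
# which is what makes the port rules win over the per-client VPN rules.
rpdb_marks_before_gui() {
  awk -F: '$2 ~ /fwmark/     { p = $1 + 0; if (p > maxmark) maxmark = p }
           $2 ~ /from [0-9]/ { p = $1 + 0; if (mingui == "" || p < mingui) mingui = p }
           END { ok = (mingui == "" || maxmark < mingui); exit (ok ? 0 : 1) }'
}

# Constructed sample, not a real capture: ip rule after nat-start ran twice
# without the del loop, so 9990 and 9993 are duplicated above the GUI rule.
SAMPLE_IP_RULE='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x1000/0x1000 lookup ovpnc1
9993:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10106:  from 192.168.1.23 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Usage: the fragment for host 192.168.1.23, port 80 to WAN, then the audit.
port_route_fragment 192.168.1.23 80 0x8000/0x8000
printf '%s\n' "$SAMPLE_IP_RULE" | rpdb_dup_prios
```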
 
I have added that code now so on next reboot it will be cleaned I guess.

A massive thank you for taking the time to help me out. I would not have been able to piece this together without you!
 
Is anyone besides me having a recent problem streaming HBONOW? I'm using x3mRouting to use the WAN for HBONOW and also Amazon Prime and Netflix, and while those work, HBONOW now does not. Here is what's in nat-start for HBO:

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 HBO1 AS16509
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 HBO2 AS14618
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 HBO3 AS10599

How can I use dnsmasq to determine the IP addresses that HBO is using?

Also, once I make a change to nat-start, how can I restart x3mRouting without doing a reboot?

Thanks,
 

sometimes I restart x3m by using: /jffs/scripts/nat-start

Also, try these 3 instead:
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 HBOGO AS20940
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 HBOGO hbogo.com,play.hbogo.com
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 AMAZON AS16509
 
You can search dnsmasq.log file for hbo references to get an idea of the domain names being used.
Code:
grep hbo /opt/var/log/dnsmasq.log | grep query | awk '{print $6}' | sort -u
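As an added example (not from the thread or from x3mRouting) of turning that grep into a check: the first function pulls the queried names out of dnsmasq's log without relying on a fixed column, and the second reports which of them are not yet covered by a domain list of the kind passed to load_DNSMASQ_ipset_iface.sh. It assumes dnsmasq's standard log-queries line format and uses a constructed log sample:

```shell
#!/bin/sh
# Added example, not x3mRouting code: find the domains a client queried that
# match a pattern, then show which are not yet covered by a domain list of the
# kind given to load_DNSMASQ_ipset_iface.sh. Assumes dnsmasq's log-queries
# format, e.g. "... dnsmasq[1234]: query[A] play.hbogo.com from 192.168.1.23".

# stdin: dnsmasq.log; $1: regex the queried name must match (e.g. hbo).
# Locates the query[...] field rather than assuming a column number, so the
# result does not depend on how many timestamp fields precede it.
queried_domains() {
  awk -v pat="$1" '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^query\[/ && $(i + 1) ~ pat) print $(i + 1)
  }' | sort -u
}

# stdin: one domain per line; $1: comma-separated list (e.g. hbogo.com,play.hbogo.com).
# dnsmasq's ipset= matching covers a name and all of its subdomains, so a name
# is covered when it equals a list entry or ends in ".<entry>"; the rest are printed.
uncovered_domains() {
  awk -v list="$1" 'BEGIN { n = split(list, e, ",") }
    { covered = 0
      for (i = 1; i <= n; i++)
        if ($0 == e[i] || substr($0, length($0) - length(e[i])) == "." e[i]) covered = 1
      if (!covered) print }'
}

# Constructed sample log, not a real capture.
SAMPLE_LOG='Jun  1 20:01:02 dnsmasq[1234]: query[A] play.hbogo.com from 192.168.1.23
Jun  1 20:01:02 dnsmasq[1234]: forwarded play.hbogo.com to 9.9.9.9
Jun  1 20:01:03 dnsmasq[1234]: query[AAAA] play.hbogo.com from 192.168.1.23
Jun  1 20:01:05 dnsmasq[1234]: query[A] api.hbonow.example from 192.168.1.23
Jun  1 20:01:09 dnsmasq[1234]: query[A] www.netflix.example from 192.168.1.26'

# Usage: names matching "hbo" that the list from this thread does not cover yet.
printf '%s\n' "$SAMPLE_LOG" | queried_domains hbo | uncovered_domains hbogo.com,play.hbogo.com
```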
 

I added the 1st 2 lines to the other AS number lines, and that worked. Thanks.

If I just run nat-start, will I have a problem of duplicate IP addrs being added?
 
You will be fine. No duplicates will get created.
 
@Xentrk would you mind doing a guide for setting up an openssh sftp server please?
 
No guide required. Just install the sftp package using the syntax below:

Code:
opkg install openssh-sftp-server
 
Done that, I just need help with setup and config
 
There is no setup or configuration required on the router. I use MobaXterm. Here is a video I found on how to set it up

 
