x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Thank you for sharing. I am curious then...when you run dnsleaktest.com what IP address do you then see, that of your ISP or the VPN one? I am thinking if you added 1.0.0.0/8 under Source IP, you may be seeing that of your ISP.

Would you share your routing configuration for your VPN clients once more, please?

Thank you!
 

Thank you for your feedback. Added as requested. Basically, any excluded devices (not in the list below) will use the ISP IP address and VPN DNS.
 

x3mRouting ~ 384.19 branch compatible code is available.

This change impacts those who use the LAN Routing and modified OpenVPN Client screen features of x3mRouting.

updown-client.sh was updated to conform to the OpenVPN code changes in the 384.19 test Asuswrt-Merlin firmware. See [Test] Asuswrt-Merlin 384.19 - OpenVPN test builds for more information. For those who use the GUI screen for IPSET list routing, IPSET lists will now have a DNS rule created for them when using the Accept DNS Configuration = Exclusive setting.

iptables --line -t nat -nvL DNSVPN1
Code:
Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.168.1.1          0.0.0.0/0
2        0     0 DNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:10.9.0.1
3        0     0 DNAT       all  --  *      *       172.16.0.1           0.0.0.0/0            to:10.9.0.1
4        0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL src tcp dpt:53 to:10.9.0.1
5        0     0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL src udp dpt:53 to:10.9.0.1
6        0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB src tcp dpt:53 to:10.9.0.1
7        0     0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB src udp dpt:53 to:10.9.0.1

Update Process

http://www.snbforums.com/threads/x3...for-asuswrt-merlin-firmware.57793/post-605049

1. Download the 384.19 Test builds: https://www.asuswrt-merlin.net/test-builds
2. Install the x3mRouting versions of the vpnrouting.sh and updown-client.sh files from the x3mRouting-384.19 branch by copy/pasting the commands below in an SSH session.

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.19/vpnrouting.sh" -o "/jffs/addons/x3mRouting/vpnrouting.sh" && chmod 755 "/jffs/addons/x3mRouting/vpnrouting.sh"
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.19/updown-client.sh" -o "/jffs/addons/x3mRouting/updown-client.sh" && chmod 755 "/jffs/addons/x3mRouting/updown-client.sh"

3. Un-mount USB on the main menu
4. Update firmware
 
I will give it time to unravel fully and stick to the configuration I have with x3mRouting. I've managed to install and successfully use all "major" scripts except for FreshJrQoS while bypassing my VPN to access NETFLIX and GLOBO domains with your script. Not that I don't trust RMerlin's work, but I have a bandwidth-hungry family to please. Do you think that the way we users interact with x3mRouting will be affected by this change on Merlin's side?
I don't foresee any issues. The location and structure of some of the files in /etc/openvpn are changing. So updown-client.sh references in x3mRouting had to change to match the updates made in 384.19 test builds.
 
Hi Xentrk, regarding: https://www.snbforums.com/threads/t...-openvpn-test-builds.65323/reply?quote=604755

I'm testing 384.19. When disabling SSH on the router (when some updates for scripts are done or something else), the VPN clients set to Exclusive will have the Exclusive DNS setting wiped, setting it to the DoT CF router in my case. Bouncing the VPN will set it to Exclusive again. Can't tell for now if the VPN's DNS set to Exclusive will be wiped as well when DHE re-keying takes place. I'm using:
x3mRouting 1 0 WIMIPCOM dnsmasq=whatismyip.com
 
The issue exists in the prior versions as well. The other impact is that the routing rules for IPSET lists get wiped for those that use the modified x3mRouting OpenVPN Client screen for routing of IPSET lists. I think the way I will patch it is to add a line to /jffs/scripts/firewall-start to call the script below, which will bounce any active VPN Clients and thereby reinstate the DNS and PREROUTING rules for IPSET lists.

Code:
# Bounce every VPN client that is currently active (nvram state 2 = connected) so its
# route-up handlers run again and recreate the DNS and PREROUTING rules for IPSET lists.
for VPN_CLIENT in 1 2 3 4 5; do
  CLIENT_STATE=$(nvram get vpn_client${VPN_CLIENT}_state)
  case "$CLIENT_STATE" in
  2) service restart_vpnclient${VPN_CLIENT}
     logger -st "($(basename "$0"))" $$ Restarted VPN Client "$VPN_CLIENT" ;;
  esac
done

I implemented the patch last night on my installation. I added it as the last line of firewall-start. It can take a while to run though, as firewall-start first calls the Skynet utility, which can take a minute or longer to get up and running. I will try moving it to the first line below the shebang next to see if that works. If it does, I'll update the code in the 384.19 branch.

EDIT: Yes, it works when added to firewall-start before Skynet gets called. I will proceed with adding the patch to the 384.19 branch repo.
 
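The DNSVPN1 listing in the 384.19 announcement above shows what the Exclusive-DNS rules for an IPSET list look like (a tcp and a udp DNAT of port 53 per set), and the post above explains that a firewall restart wipes them until the VPN client is bounced. The shell functions below are an added example, not x3mRouting code: they parse a saved copy of that listing (the one posted earlier in the thread, embedded here as constructed test input), report which sets have a complete tcp+udp pair, and print the delete-then-append iptables commands that would recreate a missing pair. The exact flags in `dns_rule_cmds` are my reconstruction from the listing (`-i br0 -p tcp|udp -m set --match-set NAME src --dport 53 -j DNAT --to-destination`), not copied from the project; the `-D ... 2>/dev/null` followed by `-A` pattern mirrors what x3mRouting.sh itself logs for its mangle rules later in the thread.

```shell
#!/bin/sh
# Added example, not x3mRouting code: audit a DNSVPNx nat chain for per-IPSET
# Exclusive-DNS rules and print the iptables commands that would restore a missing pair.

# Constructed test input: the DNSVPN1 listing posted in the thread, pasted verbatim.
SAMPLE_DNSVPN1='Chain DNSVPN1 (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     all  --  *      *       192.168.1.1          0.0.0.0/0
2        0     0 DNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:10.9.0.1
3        0     0 DNAT       all  --  *      *       172.16.0.1           0.0.0.0/0            to:10.9.0.1
4        0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL src tcp dpt:53 to:10.9.0.1
5        0     0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL src udp dpt:53 to:10.9.0.1
6        0     0 DNAT       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB src tcp dpt:53 to:10.9.0.1
7        0     0 DNAT       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set HULU_WEB src udp dpt:53 to:10.9.0.1'

# dns_sets_in_chain LISTING
# Prints (sorted, one per line) the IPSET names that have a port-53 DNAT rule for BOTH tcp and udp.
# Locates "match-set" by name rather than by column, so it works with or without --line-numbers.
dns_sets_in_chain() {
  printf '%s\n' "$1" | awk '
    /DNAT/ && /match-set/ && /dpt:53/ {
      for (i = 1; i <= NF; i++)
        if ($i == "match-set") { name = $(i + 1); proto = $(i + 3) }   # "match-set NAME src tcp dpt:53"
      seen[name, proto] = 1; names[name] = 1
    }
    END { for (n in names) if (seen[n, "tcp"] && seen[n, "udp"]) print n }
  ' | sort
}

# dns_rule_cmds CHAIN SET DNS_IP
# Prints delete-then-append iptables commands for the tcp and udp rules of one IPSET. The flags are
# reconstructed from the listing above (assumption: they reproduce the rules the GUI creates).
dns_rule_cmds() {
  chain=$1; set_name=$2; dns=$3
  for proto in tcp udp; do
    echo "iptables -t nat -D $chain -i br0 -p $proto -m set --match-set $set_name src --dport 53 -j DNAT --to-destination $dns 2>/dev/null"
    echo "iptables -t nat -A $chain -i br0 -p $proto -m set --match-set $set_name src --dport 53 -j DNAT --to-destination $dns"
  done
}

# audit_dns_rules LISTING CHAIN DNS_IP SET...
# For every expected IPSET without a complete tcp+udp pair, prints the commands that restore it.
# Returns 1 if any set was missing (something got wiped), 0 if all are present.
audit_dns_rules() {
  listing=$1; chain=$2; dns=$3; shift 3
  present=$(dns_sets_in_chain "$listing")
  rc=0
  for s in "$@"; do
    if ! printf '%s\n' "$present" | grep -qx -- "$s"; then
      dns_rule_cmds "$chain" "$s" "$dns"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone demo: NETFLIX has no DNS rules in the sample, so its restore commands are printed.
audit_dns_rules "$SAMPLE_DNSVPN1" DNSVPN1 10.9.0.1 AMAZON_GLOBAL HULU_WEB NETFLIX || echo "missing rules found (see commands above)"
```

On the router, capture the live chain with `iptables --line -t nat -nvL DNSVPN1 > /tmp/dnsvpn1.txt` and pass `"$(cat /tmp/dnsvpn1.txt)"` as the listing; a non-zero return after a firewall restart is the quick way to confirm the wipe the posts describe before bouncing the client.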
384.19 Test Build Compatible version of x3mRouting available for testing.

Code changes impact those who use LAN Routing (Option 1) and the modified OpenVPN Client Screen (Option 2) for the routing of IPSET lists. See [Test] Asuswrt-Merlin 384.19 - OpenVPN test builds for more information.

For those that use the modified OpenVPN Client Screen, a new script has been added to restart active VPN Clients after a firewall-restart event to reinstate routing rules for IPSET lists. It also reinstates any Accept DNS Configuration=Exclusive iptables rules that also get wiped by a firewall-restart.

Due to the nature of the 384.19 test build changes, update x3mRouting first, followed by a firmware update of the 384.19 test build.

Once 384.19 goes into production, you will have to reinstall the x3mMenu using a similar copy/paste as shown in step 2 below to point the local repo to the master branch on GitHub.

Instructions:
1. Download the 384.19 Test builds: https://www.asuswrt-merlin.net/test-builds

2. Download the updated menu from the x3mRouting-384.19 branch:
Code:
sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.19/Install_x3mRouting.sh)"

3. Reinstall Option 1 and/or 2 as appropriate.
Since the code in Options 1 and 2 is not compatible with 384.18 and below, a warning message will be displayed as shown below:

Code:
Option ==> 2
Invalid firmware version detected - 384.18. This option of x3mRouting requires version 384.19 and above.
You can force update x3mRouting by typing the word 'force' after the option number to force update (e.g. 1 force)
To override the warning, you must force the update by supplying the "force" parameter at the option line "1 force" or "2 force"
Press enter to continue

Force update Option 2 example:
Code:
Option ==> 2 force

4. Unmount USB if applicable and perform an update to the 384.19 test firmware version immediately after the update of x3mRouting.
 
384.19 Test Build Compatible version of x3mRouting available for testing.

I enhanced the new firewall event code. It will now be installed for Options 1 thru 3 instead of options 1 and 2. The primary reason is to restore any DNS Exclusive rules that got wiped after a firewall restart.

If you already installed the x3mRouting-384.19 branch using the instructions above, you will need to select option 7 to update the menu or download using SSH session:
Code:
sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.19/Install_x3mRouting.sh)"

If you only use option 3, select the option [3] Install OpenVPN Event & x3mRouting.sh Script
to get the updated code. For those that already updated options 1 and/or 2 using the instructions in the post above, you can select option [5] Check for updates to existing x3mRouting installation to get the updated code.
 
Hello guys.
I'm having the following error when adding a new routing rule. Still, the websites stored in dnsmasq.conf.add using ipset are correctly routed.

Am I missing something?

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 aws1
(x3mRouting.sh): 32211 Starting Script Execution ALL 1 aws1
(x3mRouting.sh): 32211 IPSET created: aws1
ipset v6.32: Error in line 1: Syntax error: cannot parse create: resolving to IPv4 address failed
(x3mRouting.sh): 32211 Selective Routing Rule via VPN Client 1 created for aws1 fwmark 0x1000/0x1000
(x3mRouting.sh): 32211 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting.sh): 32211 iptables -t mangle -A PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting.sh): 32211 iptables -t mangle -D PREROUTING -i br0 -m set --match-set aws1 dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting.sh): 32211 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 aws1 added to /jffs/scripts/nat-start
(x3mRouting.sh): 32211 Completed Script Execution
andresmorago@RT-AC3100-0548:/tmp/home/root#
 
I suspect you have a mismatch in format of the save/restore file location in /opt/tmp/aws1. Please see the posts below.

http://www.snbforums.com/threads/x3...for-asuswrt-merlin-firmware.57793/post-598977
http://www.snbforums.com/threads/x3...for-asuswrt-merlin-firmware.57793/post-598981

I proposed this solution to help your use case but don't recall getting a reply. Please let me know. thanks!
http://www.snbforums.com/threads/x3...for-asuswrt-merlin-firmware.57793/post-599721
 
I’m really sorry:oops:. Indeed you had helped me before with this and I ended up forgetting about it. I will take a look again tomorrow and come back with results.
 
July 26 Update - 384.19 Test Build Compatible version of x3mRouting available for testing.

x3mRouting 384.19 test branch has been updated as follows:

  1. Updated to match recent changes to updown-client.sh in the 384.19 alpha3 test builds.
  2. Backed out the patch to reinstate DNS Exclusive rules as this has now been patched in the alpha3 build. VPN Clients will still get bounced after a firewall-start event to reinstate IPSET routing rules for those who use the modified OpenVPN Screen.
  3. Added error check for manual IPSET lists. An error message will be displayed and the x3mRouting.sh script will exit when attempting to
    • create a manual IPSET list that does not exist or is not pre-populated.
    • restore a manual IPSET list when the save/restore file is in dnsmasq format.
For those who have already installed the x3mRouting 384.19 test branch, update the repo by selecting option
[5] Check for updates to existing x3mRouting installation
 
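The `Error in line 1: Syntax error: cannot parse create: resolving to IPv4 address failed` trace posted earlier is what ipset prints when the word `create` is handed to it where an address was expected. That is consistent with a save/restore file written in `ipset save` syntax (first line `create NAME hash:net ...`) being read by a restore path that expects one IPv4 address or CIDR per line, the format mismatch the reply and item 3 of the July 26 update refer to; which of the two formats x3mRouting calls "dnsmasq format" is not stated on the page, so that mapping is left open here. The functions below are an added example, not the project's check: `classify_ipset_file` tells the two formats apart before anything is fed to ipset, and `plain_to_restore` converts a plain list into `add NAME entry` lines for `ipset restore -!`. The sample files in the test are constructed.

```shell
#!/bin/sh
# Added example, not x3mRouting's own check: tell an "ipset save"-format file apart from a plain
# one-entry-per-line list before handing it to ipset, so a mismatch fails with a clear message
# instead of "cannot parse create: resolving to IPv4 address failed".

# classify_ipset_file FILE
# Prints "save"    when every non-blank line is ipset restore syntax (create ... / add ...),
#        "plain"   when every non-blank line is a bare IPv4 address or CIDR,
#        "unknown" for an empty, missing, mixed or otherwise unparseable file (return status 1).
classify_ipset_file() {
  f=$1
  # nothing but blank lines (or no file): refuse, an empty restore silently yields an empty set
  grep -qv '^[[:space:]]*$' "$f" 2>/dev/null || { echo unknown; return 1; }
  # "save" only if no non-blank line violates the create/add form
  if ! grep -v '^[[:space:]]*$' "$f" | grep -Evq '^(create|add)[[:space:]]'; then
    echo save; return 0
  fi
  # "plain" only if no non-blank line violates the a.b.c.d[/len] form
  if ! grep -v '^[[:space:]]*$' "$f" | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
    echo plain; return 0
  fi
  echo unknown; return 1
}

# plain_to_restore SET_NAME FILE
# Converts a plain list into "add SET_NAME entry" lines for `ipset restore -!` (the -! flag makes
# already-present entries non-fatal). Refuses, with status 1 and no output, unless the file is plain.
plain_to_restore() {
  set_name=$1; f=$2
  [ "$(classify_ipset_file "$f")" = plain ] || return 1
  grep -v '^[[:space:]]*$' "$f" | awk -v s="$set_name" '{ print "add " s " " $1 }'
}
```

A pre-flight in a restore path would then read: `case "$(classify_ipset_file /opt/tmp/aws1)" in save) ipset restore -! < /opt/tmp/aws1 ;; plain) plain_to_restore aws1 /opt/tmp/aws1 | ipset restore -! ;; *) echo "aws1: unrecognised save/restore file format" >&2; exit 1 ;; esac`, which surfaces the mismatch as a readable message rather than a line-1 parse error.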
No worries. I did something similar myself recently. I did update the x3mRouting-384.19 test branch to trap the error, along with preventing the IPSET list to get created if the save/restore file does not exist.
 
July 26 Update - 384.19 Test Build Compatible version of x3mRouting available for testing.

The x3mRouting-384.19 test branch has been updated for those that use the modified x3mRouting OpenVPN Client screen with the changes listed below. Details available on the GitHub history.

 
Perfect update! Router doesn't wipe the ipset after a reboot and doesn't wipe the DNS exclusive settings anymore after some changes on router. Thank you very much sir!
 
Hi Xentrk - I just made the switch to the 2.0.0 version, but I think it is not working like the previous version. Do the default GUI Policy Rules still work if I am also using the x3mRouting commands? As far as I can tell, the Policy rules no longer work.
 
Hi Xentrk - I just made the switch to the 2.0.0 version, but I think it is not working like the previous version. Do the default GUI Policy Rules still work if I am also using the x3mRouting commands? As far as I can tell, the Policy rules no longer work.
The old usage syntax no longer works. How did you switch over? Did you use the Version 2.0.0 Update Process and run the conversion file that got generated or did you uninstall the prior version then install the new version? For testing purposes, I am currently using the GUI to route the IPSET lists that don't have an interface specified. But also have some IPSET lists for Netflix where I specify the src and dst interface. The two are able to coexist.

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=AMAZON_GLOBAL aws_region=GLOBAL
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=BBC
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPv4
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=HULU_WEB dnsmasq=hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=MOVETV dnsmasq=movetv.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=PANDORA dnsmasq=pandora.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=1 client=1
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_Web dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=WIMIPADDR dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX-DNS dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX_AS2906 asnum=AS2906

Use the command below to check the routing rules:
Code:
iptables -nvL PREROUTING -t mangle --line
 
July 27 Update - 384.19 Test Build Compatible version of x3mRouting available for testing.

Edit:
The changes have been added back. I had a -1 in the connretry field, and that is no longer valid with the change that was made.

I backed out one change RMerlin made to the GUI that causes a conflict with the modified OpenVPN Client Screen when trying to save an update to the Policy Routing table. I will add it back in once I debug the root cause. The change had to do with the renegotiation time.


 
No. I looked for that procedure but could not find it in either the 1st post of this thread or on the github text, so I thought I'd figure it out myself. After a few stumbles, including not getting the Policy Rules to work, I rebooted, and now all is OK. One issue I still have is that the nat-start file contains the new rules, but after the reboot, x3mRouting did not pick up all the rules. When I manually executed them from the ssh session, I ended up with duplicate lines of the same rules in nat-start. But I'm not sure x3m will pick up on them the next time I do a reboot. BTW, I initially did an uninstall then an install from amtm. That sequence did not produce a conversion file.
 
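The post above notes that re-running the x3mRouting.sh commands by hand left duplicate lines in nat-start, and the command list a few posts earlier mixes the keyword form (`ipset_name=...`), the positional form (`ALL 1 NAME ...`) and the `server=N client=N` form. As an added example (not x3mRouting code), the functions below parse the x3mRouting.sh calls in a nat-start listing and label each by form, list the duplicated lines, and append a line to nat-start only if an identical line is not already there. The nat-start content is constructed for the example; the classification of the three forms is read off the commands shown in the thread and is an assumption about nothing beyond them.

```shell
#!/bin/sh
# Added example, not x3mRouting code: inspect the x3mRouting.sh calls recorded in
# /jffs/scripts/nat-start, find duplicates, and add lines idempotently.

# Constructed sample of a nat-start after commands were re-run by hand (not a real file).
SAMPLE_NAT_START='#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=HULU_WEB dnsmasq=hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX_AS2906 asnum=AS2906
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=HULU_WEB dnsmasq=hulu.com,hulustream.com,akamaihd.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX_AS2906 asnum=AS2906
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=1 client=1'

# x3m_entries LISTING
# One line per x3mRouting.sh call: "<name> <form>", where form is
#   keyword            ipset_name=NAME [key=value ...]        (no interfaces given)
#   positional SRC->DST SRC_IFACE DST_IFACE NAME [key=value ...]
#   server-to-client   server=N client=N
x3m_entries() {
  printf '%s\n' "$1" | awk '
    /x3mRouting\.sh/ {
      sub(/.*x3mRouting\.sh[ \t]+/, "")             # keep only the arguments; $0 is re-split
      if ($1 ~ /^ipset_name=/)  { name = substr($1, 12); form = "keyword" }
      else if ($1 ~ /=/)        { name = $1 " " $2;     form = "server-to-client" }
      else                      { name = $3;            form = "positional " $1 "->" $2 }
      print name, form
    }'
}

# x3m_duplicates LISTING
# Prints each x3mRouting.sh command line that appears more than once (once per distinct line).
x3m_duplicates() {
  printf '%s\n' "$1" | grep 'x3mRouting\.sh' | sort | uniq -d
}

# nat_start_add FILE CMD
# Appends CMD to FILE only if an identical line is not already present (exact, whole-line match).
nat_start_add() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Stand-alone demo on the constructed sample.
echo "entries:";   x3m_entries "$SAMPLE_NAT_START"
echo "duplicates:"; x3m_duplicates "$SAMPLE_NAT_START"
```

On the router, `x3m_duplicates "$(cat /jffs/scripts/nat-start)"` shows exactly which lines to prune, and adding future entries through `nat_start_add /jffs/scripts/nat-start "sh /jffs/scripts/x3mRouting/x3mRouting.sh ..."` keeps a re-run from appending a second copy.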