x3mRouting x3mRouting Updates (30 January, 2021)

Xentrk


Two updates were made based on feedback from @MarcoPolo.

x3mRouting Script
Change the ASN method source for IPv4 addresses from hackertarget.com to bgpview.io due to the hackertarget pay model. bgpview.io is the same IPv4 source used by Skynet.

x3mMenu
If the installation option requires the /jffs/scripts/firewall-start file and the file already exists, check whether it is executable. If not, change its permissions to 0755.

Stay Safe and Be Excellent To Each Other

Update x3mMenu: selection option 7 (screenshot omitted)

Update x3mRouting Script: select option 5 (screenshot omitted)
 
Thanks for the update.

I know in the past you helped me out with CBS All access bypassing VPN with your script to include a CBS_IPV4 file.

I just learned that CBS will rename their streaming to "Paramount Plus".

Can I simply add "paramountplus.com" to the current dnsmasq rule that I currently use for CBS All Access, or would I need to create a new rule?

Thanks again for all your help!

This is what I'm using now for CBS:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_WEB dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com


sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS_WEB asnum=AS15169


sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS_WEB asnum=AS15169


sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPV4
 
I saw the announcement a few weeks ago. I will definitely be monitoring the change.

To keep things clean, you should delete the original entry first then create the new one:
Code:
x3mRouting ipset_name=CBS_WEB del
You will get prompted to delete the backup file in /opt/tmp. Select option 2 to not delete the backup file. That way, the backup file will be used to populate the updated list. Then, create the new entry adding paramount.com. There may be more domains but I will have to mine dnsmasq when the time comes.

Code:
x3mRouting ipset_name=CBS_WEB dnsmasq=paramount.com,cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

I suggest using a different IPSET name across different methods. For example, don't use CBS_WEB for both the dnsmasq method and the ASN method for AS15169. The dnsmasq method creates a nightly backup and ASN is loaded in real time. I have not tested what happens when one combines the two methods but know of some situations where it can be an issue. Plus, you want the ability to see if traffic is traversing the iptables chain for the IPSET list, and you lose that ability by combining the two methods in one IPSET name.

You may be able to leave the CBS_WEB as is and just create a rule for AS16509 for paramount.com. But we will know more once the change takes place.
Code:
wizard@RT-AC88U-8248:/jffs/scripts# asn paramount.com

--------------------------------
| ASN lookup for paramount.com |
--------------------------------

- Resolving "paramount.com"... 2 IP addresses found:

 34.213.106.51 +PTR ec2-34-213-106-51.us-west-2.compute.amazonaws.com
               +ASN 16509 (AMAZON-02, US)
               +ORG Amazon.com, Inc.
               +NET 34.208.0.0/12 (AT-88-Z)
               +ABU abuse@amazonaws.com
               +GEO Portland, Oregon (US)

  54.68.182.72 +PTR ec2-54-68-182-72.us-west-2.compute.amazonaws.com
               +ASN 16509 (AMAZON-02, US)
               +ORG Amazon.com, Inc.
               +NET 54.68.0.0/15 (AMAZON-2011L)
               +ABU abuse@amazonaws.com
               +GEO Portland, Oregon (US)
 
I appreciate it. I'll take a look at my entries and rename them so they don't use the same "CBS_WEB" name.

I guess we will know more come March 4th. Thanks a lot.
 
Hey @Xentrk

I just updated to the new Merlin fw 386.1_2. I was using your script with fw 384.19 with no problem. However, after installing everything, something seems wrong.
I use the 3rd method with dnsmasq_file
I have a "Hosts" file filled with line by line top level domains.
This same file was working very well with the old fw and x3mRouting setup.

Anyway.
Like I did previously, I set up the VPN client.
DNS Configuration Exclusive
Policy Rules (Strict) with
DummyVPN1 172.16.1.1

Then copied the Hosts file. Path is "/jffs/scripts/x3mRouting/Hosts"

Finally I ran the x3mRouting script:

x3mRouting ALL 1 GULIBU dnsmasq_file=/jffs/scripts/x3mRouting/Hosts

(x3mRouting): 16800 Starting Script Execution ALL 1 GULIBU dnsmasq_file=/jffs/scripts/x3mRouting/Hosts
(x3mRouting): 16800 Created fwmark 0x1000/0x1000
(x3mRouting): [truncated] 16800 ipset=/...............................................................................

Done.
(x3mRouting): 16800 IPSET created: GULIBU hash:net family inet hashsize 1024 maxelem 65536
(x3mRouting): 16800 CRON schedule created: #GULIBU# '0 2 * * * ipset save GULIBU'
(x3mRouting): 16800 Selective Routing Rule via VPN Client 1 created for GULIBU fwmark 0x1000/0x1000
(x3mRouting): 16800 iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 16800 iptables -t mangle -A PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 16800 iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 16800 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 GULIBU dnsmasq_file=/jffs/scripts/x3mRouting/Hosts added to /jffs/scripts/nat-start
(x3mRouting): 16800 Completed Script Execution
However when I run:

ipset list GULIBU

Name: GULIBU
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:

I also checked /opt/tmp

There is no ipset file named GULIBU.

Apparently, it fails to create the IPSET file from the Hosts file. I didn't change anything from the previous version. It seems something broke this option.

I also tested with

x3mRouting ALL 1 GUDENE dnsmasq=whatismyip.com

VPN routing did not work at all.

ipset list GUDENE

returns
Name: GUDENE
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 316
References: 1
Number of entries: 0
Members:
/opt/tmp still empty
 
Acknowledged. I will try a test on my end.
 
I think I spotted the issue. Accept DNS Configuration = Exclusive will exclusively use the DNS of the VPN provider and bypass dnsmasq, so IPv4 addresses are not getting populated. As a workaround, you can set Accept DNS Configuration = Disabled. Then, in the LAN -> DNS Filter tab, set the device to use the DNS of your provider.

I did spot some error trapping I need to perform though. The ipset name needs to be different from the file containing the domain names and code is not trapping that.
 
@Xentrk
But why is this command not creating an ipset list at all?

No matter what I did the list is not populating. ):
I tried with Relaxed and Disabled but no luck.
 
No.

Further info below:

After leaving it a couple of hours, ipset file GULIBU has been created at /opt/tmp.

I also noticed another IPSET file I created and deleted with:

x3mRouting ipset_name=RLISTX del

It seems, it didn't do a clean delete.

Going back to GULIBU ipset file:
The number of entries do not match with the HOSTS file. HOSTS file has 67 domains listed. But IPSET file contains only 14 ip addresses.

ipset list GULIBU
returns

Name: GULIBU
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1100
References: 1
Number of entries: 14
Members:
.....
......
.....
......
.....
.......


dnsmasq.conf.add has a line like this

ipset=/domain/domain/domain/...../domain/GULIBU


Should I uninstall everything and start over?
 
I think it is working okay. It appears to be a timing issue. You can always reinstall an option from the menu though.

When you choose the 'del' option, there is a prompt at the end to remove the backup file. You may have selected the option not to delete it. That is the only reason it may still exist in /opt/tmp. I don't delete it if I am removing an old entry and adding a new domain to the prior entry.

The IPv4 addresses get added to the ipset list when you query the domain name using the ipset feature built into dnsmasq. The IPv4 addresses are added dynamically; dnsmasq needs to be enabled for it to work. You can grep the dnsmasq.log file for entries to confirm:

List FQDN entries (the interval and group syntax in the IPv6 filter needs extended regular expressions, so grep is called with -E):
Code:
grep -w "GULIBU" /opt/var/log/dnsmasq.log | grep -Ev "([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}" | awk '{print $9}' | sort -u

Raw output:
Code:
grep -w "GULIBU" /opt/var/log/dnsmasq.log | sort -u

The backup file in /opt/tmp gets created by a 2 am cron job. Type cru -l to list.
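The dnsmasq.log checks above pick the FQDN by a fixed field number, which shifts if dnsmasq logs with log-queries=extra. The script below is an added example, not x3mRouting's own code, that locates the "ipset add SETNAME" tokens in each line instead, skips IPv6 results, and reports the unique FQDNs and IPv4 addresses dnsmasq has fed into a set. The log lines it runs on are constructed for the demo; the set name GULIBU and the domains are taken from the thread above.

```shell
#!/bin/sh
# Added example (not part of x3mRouting): summarise dnsmasq "ipset add" log lines
# for one ipset so you can confirm dnsmasq is actually populating it.
# Assumes the standard dnsmasq log line shape when logging to a file:
#   <mon> <day> <time> dnsmasq[<pid>]: ipset add <SETNAME> <fqdn> <address>
# The fields are located relative to the "ipset add <SETNAME>" tokens, so lines
# written with log-queries=extra (two extra fields after the pid) work too.

# Constructed sample log written to a temp file; these lines are invented.
SAMPLE_LOG="${TMPDIR:-/tmp}/dnsmasq_sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Feb 20 10:00:01 dnsmasq[1234]: query[A] whatismyip.com from 192.168.1.10
Feb 20 10:00:01 dnsmasq[1234]: ipset add GULIBU whatismyip.com 104.16.154.36
Feb 20 10:00:01 dnsmasq[1234]: ipset add GULIBU whatismyip.com 2606:4700::6810:9a24
Feb 20 10:00:05 dnsmasq[1234]: ipset add GULIBU www.whatismyip.com 104.16.155.36
Feb 20 10:00:09 dnsmasq[1234]: 7 192.168.1.10/40127 ipset add GULIBU whatismyip.com 104.16.154.36
Feb 20 10:01:00 dnsmasq[1234]: ipset add CBS_WEB cbs.com 34.213.106.51
EOF

# Shared awk program: print field "col" (3 = fqdn, 4 = address) of every
# "ipset add <set>" record whose address is IPv4 (contains no ':').
_ipset_field() {
    awk -v set="$2" -v col="$3" '
        { for (i = 1; i + 4 <= NF; i++)
              if ($i == "ipset" && $(i+1) == "add" && $(i+2) == set &&
                  index($(i+4), ":") == 0)
                  print $(i+col) }' "$1" | sort -u
}

# ipset_fqdns LOGFILE SETNAME: unique FQDNs dnsmasq added to SETNAME (IPv4 only).
ipset_fqdns() { _ipset_field "$1" "$2" 3; }

# ipset_ipv4 LOGFILE SETNAME: unique IPv4 addresses dnsmasq added to SETNAME.
ipset_ipv4() { _ipset_field "$1" "$2" 4; }

# ipset_ipv4_count LOGFILE SETNAME: how many distinct IPv4 entries to expect
# in "ipset list SETNAME" once dnsmasq has processed these queries.
ipset_ipv4_count() { ipset_ipv4 "$1" "$2" | wc -l | tr -d ' '; }

echo "FQDNs for GULIBU:";     ipset_fqdns "$SAMPLE_LOG" GULIBU
echo "IPv4 for GULIBU:";      ipset_ipv4 "$SAMPLE_LOG" GULIBU
echo "Expected entry count:"; ipset_ipv4_count "$SAMPLE_LOG" GULIBU
```

On the router, point the functions at /opt/var/log/dnsmasq.log; if the count here is well above "Number of entries" in ipset list, dnsmasq is logging additions that are not landing in the set.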
 

Thanks for pointing that out. The biggest problem for me was the DNS cache, I believe, and some DNS settings of the VPN.
 
Hey guys, I set up my selective routing based on ipset name & policy restriction. I see the below in iptables; no traffic is flowing through. Can you help?

(two iptables screenshots attached to the original post)
 
What method are you using? The dnsmasq method may be the best one for this use case, e.g. dnsmasq=whatsapp.com. This method requires that dnsmasq be set up. Check that you have dnsmasq logging enabled per the instructions on the link. What is Accept DNS Configuration set to? dnsmasq is bypassed when it is set to Exclusive when using Policy Rules.


Code:
# asn whatsapp.com

-------------------------------
| ASN lookup for whatsapp.com |
-------------------------------

- Resolving "whatsapp.com"... 2 IP addresses found:

                     157.240.10.53 +PTR whatsapp-cdn-shv-01-kut2.fbcdn.net
                                   +ASN 32934 (FACEBOOK, US)
                                   +ORG Facebook, Inc.
                                   +NET 157.240.0.0/17 (THEFA-3)
                                   +ABU domain@facebook.com
                                   +GEO Menlo Park, California (US)

2a03:2880:f22a:c5:face:b00c:0:167 +PTR whatsapp-cdn6-shv-01-kut2.fbcdn.net
                                   +ASN 32934 (FACEBOOK, US)
                                   +ORG Facebook, Inc.
                                   +NET 2a03:2880::/32 ()
                                   +ABU domain@fb.com
                                   +GEO Dublin, Dublin (IE)


Tracing path to 157.240.10.53 (press CTRL-C to cancel)...^C
Interrupted
Also, the mobile version may use different domain names. You can follow the dnsmasq.log file to see what domains are being referenced when using mobile version. Or, you can try the ASN method using AS32934.

The liststats command will display the number of entries in the ipset lists. Or, use the command "ipset -L whatsapp" to see the IPv4 entries.
 
@Pradeep
You may also have to set DNSFilter in LAN tab to force all clients to use DNS of the router.
 
Thanks @Xentrk for your timely and kind reply. My dnsmasq logging is enabled.

I had set it up using autoscan with a keyword, if I remember correctly: x3mRouting ipset_name=whatsapp autoscan=whatsapp. liststatus shows domains with .net and .com being listed, with a few other sub-domains also in the ipset list. I will double check again later today and will also try the following:

1. ASN method.
2. Accept DNS Configuration
3. DNSFilter in LAN tab

Thanks a ton!
 
The desktop version of whatsapp and the mobile version may use different domain names. Using the autoscan.sh script will help. You may also need to grep dnsmasq.log using the IPv4 address of the device to see what domains it queried.

grep xx.xx.xx.xx /opt/var/log/dnsmasq.log
 
Hi all, first thank you for working on the tool.
I am having issues setting it up properly. When I connect the VPN for all connections it works well, but when I try to enable the policy rules, DNS leaks start to happen.
I use "accept dns configuration": exclusive and "Force Internet traffic through tunnel": yes ---- this combination works.
If I change "Force Internet traffic through tunnel" to policy rules or policy rules (strict) and add a specific client to the list, that client is using the VPN but it also leaks DNS.

Do you have any suggestion on what to change?
 
Exclusive bypasses dnsmasq and exclusively uses DNS of VPN provider. As a result, the dnsmasq method won't work if you have Accept DNS Configuration=Exclusive. You will have to use one of the other DNS settings if you require the dnsmasq method. May not solve the DNS leak issue though.

Option 1
You can set accept DNS configuration = Strict. Then, in Custom settings, specify a DNS:

dhcp-option DNS x.x.x.x

Option 2
My VPN provider uses Cloudflare 1.1.1.1. If I want my DNS to appear to be the same geo-location as my VPN endpoint, I can set DNS rules. In LAN->DNSFilter tab, set up a custom DNS and assign it to the device. In my case, I would use Cloudflare.

Otherwise, my DNS will default to DNS specified in WAN page.
 
I installed x3mRouting to be able to use Unbound with the VPN and not have any DNS leaks. It works.
But I have one question. I have installed option 2 for the GUI management of the VPN, and at this point if I go to the Merlin 386 VPN configuration page, it does not allow me any adjustment; otherwise it gives me a configuration error. In order to adjust my VPN, add or remove devices from tunnels, etc., I have to uninstall option 2 of x3mRouting, make the changes and then install option 2 again.
 