Asus merlin router, vpn, selective policy website routing

pattox

Regular Contributor
I have an Asus RTAC56U with the most recent firmware. I have set up a VPN so that, apart from a VoIP phone and smart TV which go through the WAN, all other devices go through the VPN.

There is one website (iview.abc.net.au) which is accessible through the WAN but not through the VPN because of geo blocking: my VPN is in Europe and this website is in Australia. I would like to be able to access this particular site with the devices which are normally set up to only use the VPN.

I understand that this can be done with selective policy routing if one has the ip address for the website.

A tracert for this website returns several ip addresses, each of which when I try to access directly via a browser generates an "invalid url" message.

I'm just wondering if there is a relatively easy way to achieve what I'm trying to do?
 
Use the nslookup command in an ssh session to find the ip address for the domain:
Code:
nslookup iview.abc.net.au

Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      iview.abc.net.au
Address 1: 72.246.234.183 a72-246-234-183.deploy.static.akamaitechnologies.com

In the Policy Routing section of the OpenVPN Client screen, create the entry as follows
Code:
abc.net  0.0.0.0  72.246.234.183  WAN
 
Thank you. I did what you suggested and got a different result for the IP address. Please see below. I tried both your result and mine. When I try to play videos from this website there is a message saying "loading" but the screen blanks and stays that way. So perhaps the geo blocking is more sophisticated.

ASUSWRT-Merlin RT-AC56U 384.6-0 Wed Jul 25 16:34:54 UTC 2018

Code:
admin@RT-AC56U-FCC8:/tmp/home/root# nslookup iview.abc.net.au
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      iview.abc.net.au
Address 1: 104.74.40.49 a104-74-40-49.deploy.static.akamaitechnologies.com
admin@RT-AC56U-FCC8:/tmp/home/root# ASUSWRT-Merlin RT-AC56U 384.6-0 Wed Jul 25 16:34:54 UTC 2018
admin@RT-AC56U-FCC8:/tmp/home/root#

Akamai Technologies is a content delivery network so the difference in IP address makes sense. Looking up the address you provided on Hurricane Electric yields the IP addresses in CIDR notation below. Try those two entries.

https://bgp.he.net/ip/104.74.40.49

Code:
104.64.0.0/10
104.74.32.0/20

Try the 104.74.32.0/20 entry first.
 
Partial success with the first ip address, 104.64.0.0/10
Just to explain, the website contains 2 groups of tv programs.

The first group contains all of the programs previously broadcast and which can be viewed as "catchups" via the website.
Success with this group.

The second group contains all of the programs on many channels which are now being broadcast live and can be watched as livestreams on the website.

This still doesn't work for this group. Still shows as loading. But the result is a screen which appears to be showing something (program name on bottom of screen and icon to change to full screen, together with "back button on top") but is otherwise completely blank.
 
Sounds like you made some progress which is encouraging.

https://bgp.he.net/ip/104.74.40.49 returns two ASN entries. Add the 104.64.0.0/10 to see if that resolves the issue.

I have had good luck by looking at the website source code. In a browser, right click on the page and select the view source code option from the menu. You can search for href and look at the domains being referenced. May require some patience. You can then do an nslookup to get the IP Address. You can use bgp.he.net to see if they belong to the same ASN grouping.

Another option is to mine dnsmasq. I have a script called getdomainnames.sh. You can download and read how to use it on GitHub.

Sometimes, I've had to use a combination of the two methods.

For BBC, I used the getdomainnames.sh script and ended up with many domain names and it worked after a lot of trial and error. About a year later, I was able to reduce it to just a handful by looking at the webpage source code.

Unfortunately, the version of ipset on the AC-56U is not supported by the x3mRouting project. But maybe adding the 104.64.0.0/10 will get the live programming working.
 
Here is another example.

I did a search on the page source code for ".net" and the first match I got was cdn.iview.abc.net.au.

Code:
nslookup cdn.iview.abc.net.au
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      cdn.iview.abc.net.au
Address 1: 72.246.234.183 a72-246-234-183.deploy.static.akamaitechnologies.com

The CIDR ranges can be viewed at https://bgp.he.net/ip/72.246.234.183

Selective routing can sometimes require a lot of analysis to determine the domains the site uses. Some sites are more difficult than others.
 
Re your earlier post. Just to recap
Code:
104.64.0.0/10 Works on its own for catchup programs, not for livestream
104.74.32.0/20 Doesn't work on its own

entering both as separate policy rules makes no difference - catchup still ok, no livestream

re
The CIDR ranges can be viewed at https://bgp.he.net/ip/72.246.234.183

This yields 2 more ip addresses
72.246.0.0/15
72.246.234.0/23

Adding them in as well, as separate policies, doesn't improve things.

Thank you for all your help so far. Makes me realise how rudimentary my knowledge is in these matters. I'll do my best and treat this as a learning exercise.
 
I went to the website and selected some menu options and generated the following domain names which hopefully will be of some help. I used the getdomainnames.sh script to get the list and deleted those that were generated from other traffic to narrow the list down. You will have to do an nslookup on the domain name to get the IP address. Hopefully, most can be grouped to a few ASNs and you can use CIDR notation to achieve the desired results.
Code:
api.iview.abc.net.au
cdn.iview.abc.net.au
cdns.au1.gigya.com
e3161.e2.akamaiedge.net
e3161.g.akamaiedge.net
e8333.g.akamaiedge.net
ecn.dev.virtualearth.net
fpdownload2.macromedia.com
iview.abc.net.au
res.abc.net.au
t0.ssl.ak.dynamic.tiles.virtualearth.net
t0.ssl.ak.tiles.virtualearth.net
Since you are using an older router and firmware, my scripts won't work for you. You will have to try to find the CIDR ranges and enter in the Policy Section of the OpenVPN Client screen.
 
Again thank you. Just to add more complexity, the partial success and all the other attempts were done using an ipad. The abc forces you to use their ios app to access iview. As I said, partial success.

I thought I might just try using my Windows 10 laptop; tried both Firefox and Chrome. No success at all. The screen shows an error message which says it has been logged for their technical team to investigate.

Of course, when I disable my VPN, everything works perfectly on both the iPad and laptop.

I will persevere but I'm starting to wonder if a less elegant solution such as removing the iPad from the router VPN, and running it separately on its own VPN, and disabling the iPad VPN when I want to watch iview.

Again, thanks. BTW, where is the Land of Smiles? Thailand?
 
Decided to send an email to the ABC describing my partial success and seeking their technical help to make livestream work (asked for suggestions and additional ip addresses if needed).

Will be interesting to see if they respond!
 
I got that message when trying to watch from my laptop.

You can still mine dnsmasq.log for the queries the router is making when using the app on your iPad. Just use an SSH client on your laptop to access the dnsmasq.log file. That is going to be the best way to figure out what domains the app is querying and help you determine what IP address to route to the WAN interface.

I actually took the time to find out what ABC means. I then did a search for Australian Broadcasting Corporation (ABC) on bgp.he.net and got a hit on the ASN:

Selecting the prefix tab reveals the IP addresses:

Code:
202.6.74.0/24
203.2.218.0/24
Try adding those two addresses to the policy rules and test.

Code:
 nslookup abc.net.au
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      abc.net.au
Address 1: 203.2.218.214

btw where is the land of smiles? Thailand?
Yes. :D
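
Added example (not part of the original posts, getdomainnames.sh or x3mRouting): one way to mine a dnsmasq query log as described above, listing the names a single client looked up and the IPv4 answers logged for names under one domain. The log lines are a constructed sample in dnsmasq's log-queries format, and the client addresses 192.168.1.50 and 192.168.1.60 are assumptions.

```shell
#!/bin/sh
# Added example: not from the thread, getdomainnames.sh or x3mRouting.
# Assumes dnsmasq runs with log-queries, which writes lines such as
#   Jul 25 16:34:54 dnsmasq[1234]: query[A] iview.abc.net.au from 192.168.1.50
#   Jul 25 16:34:54 dnsmasq[1234]: reply iview.abc.net.au is 104.74.40.49

# Constructed sample log. Client addresses and timestamps are made up;
# the abc.net.au names and answers are ones quoted in the thread.
sample_log() {
    cat <<'EOF'
Jul 25 16:34:54 dnsmasq[1234]: query[A] iview.abc.net.au from 192.168.1.50
Jul 25 16:34:54 dnsmasq[1234]: forwarded iview.abc.net.au to 1.1.1.1
Jul 25 16:34:54 dnsmasq[1234]: reply iview.abc.net.au is 104.74.40.49
Jul 25 16:34:55 dnsmasq[1234]: query[AAAA] iview.abc.net.au from 192.168.1.50
Jul 25 16:34:55 dnsmasq[1234]: query[A] api.iview.abc.net.au from 192.168.1.50
Jul 25 16:34:55 dnsmasq[1234]: reply api.iview.abc.net.au is <CNAME>
Jul 25 16:34:56 dnsmasq[1234]: query[A] CDN.iview.abc.net.au from 192.168.1.50
Jul 25 16:34:56 dnsmasq[1234]: cached cdn.iview.abc.net.au is 72.246.234.183
Jul 25 16:34:57 dnsmasq[1234]: query[A] www.example.com from 192.168.1.60
Jul 25 16:34:57 dnsmasq[1234]: reply www.example.com is 192.0.2.10
EOF
}

# read_log [LOGFILE]: the given file, or the constructed sample if none.
read_log() { if [ -n "${1:-}" ]; then cat "$1"; else sample_log; fi; }

# domains_for_client CLIENT_IP [LOGFILE]
# Unique, lower-cased names that CLIENT_IP asked dnsmasq to resolve.
# Fields are counted from the end so the syslog prefix layout does not matter.
domains_for_client() {
    read_log "${2:-}" | awk -v c="$1" '
        NF >= 4 && $(NF-3) ~ /^query\[/ && $(NF-1) == "from" && $NF == c {
            print tolower($(NF-2))
        }' | sort -u
}

# addresses_for_suffix DOMAIN [LOGFILE]
# "name address" pairs from reply/cached lines for DOMAIN and its subdomains.
# CNAME answers carry no address and are skipped.
addresses_for_suffix() {
    read_log "${2:-}" | awk -v s="$1" '
        NF >= 4 && ($(NF-3) == "reply" || $(NF-3) == "cached") &&
        $(NF-1) == "is" && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = tolower($(NF-2))
            if (n == s || (length(n) > length(s) &&
                           substr(n, length(n) - length(s)) == ("." s)))
                print n, $NF
        }' | sort -u
}

# Demo on the sample: names looked up by 192.168.1.50, then the addresses
# logged for anything under abc.net.au.
domains_for_client 192.168.1.50
addresses_for_suffix abc.net.au
```

On the router, pass the log path as the second argument, for example /opt/var/log/dnsmasq.log where Diversion has set up logging. CNAME targets are logged under their own names, so run the suffix lookup for those domains as well.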
 

Earlier attempts
104.64.0.0/10 partial success (catchup yes, livestream no)
added 104.74.32.0/20 no improvement

added the following 3 latest ones as well: no improvement on partial success
202.6.74.0/24
203.2.218.0/24
203.2.218.214

I'll persevere but my knowledge in this area is very rudimentary to say the least. So it will be slow. In the meantime I'll use a lateral solution by taking the iPad off the router VPN, and running a standalone VPN on the iPad, disconnecting the iPad VPN when I want to watch iview.

I may hear from the ABC. After all I'm not trying to circumvent their geoblocking and it's a legitimate technical access query.

Again thanks. Much appreciated. Makes me realise how little I know compared to all the technical experts on this forum.
 
The feature of ipset allows you to specify top level domain names for selective routing. I have a script that simplifies the process. But I suspect you are on the old version of ipset with the 56u model. In the command line, type

ipset version

I could update the code to support ipset version 4, but most people have since upgraded and I hardly see anyone with a mips cpu router on the forum.
 
admin@RT-AC56U-FCC8:/tmp/home/root# ipset v6.32, protocol version: 6
ipset v6.32: No command specified: unknown argument v6.32,
Try `ipset help' for more information.
admin@RT-AC56U-FCC8:/tmp/home/root#
 
That's promising. The last two messages are because you typed the output of the ipset version command on the command line. :oops:

The x3mRouting scripts do support ipset v6.32, protocol version: 6.

You may want to read about the features of Method 3. The load_dnsmasq_ipset_iface.sh script helps in situations like yours. If you want to try this, there are requirements. I also recommend you install Diversion, as it configures and sets up dnsmasq logging in /opt/var/log/dnsmasq.log. You can try the script with the top level domain names we know about so far. You may need to mine dnsmasq entries to see what else is going on.

The ASN script may also be of help since we now know AS9432 is the AS number for ABC. No issue in using the combination of the two.
 
I just installed x3mRouting in my U86 Merlin router using method 3. It seemed to go smoothly, although I have a few comments.

1. In the example scripts, I finally figured out that I needed to do a sh before each of the listed commands, otherwise I would get an error message when I just copied and pasted the line. Here's an example:
load_AMAZON_ipset_iface.sh 2 AMAZON-US US
should be
sh load_AMAZON_ipset_iface.sh 2 AMAZON-US US
This might be obvious to the experienced but was not to me.

Also, do I need to go to the Scripts sub-dir to run those commands, or would they work anywhere (before I figured out that I needed the sh, I did change to the scripts sub-dirs but I do not know if that was necessary)?

2. It would be nice if you updated the nat-start file as part of running each of the scripts that you provide. Not a huge deal, but the whole installation process is many steps, so in my excitement at getting this working, I might miss the instructions about this.

3. BTW, I am putting all of the Amazon, Netflix, BBC, etc, IPs to access my WAN, so my Amazon script line reads:
sh load_AMAZON_ipset_iface.sh 0 AMAZON-US US
But I am also running a VPN (1) that I want to use for all non-streaming non-video uses on all my devices. Are the IP addresses or AS numbers only the ones for streaming video, or are they also the ones for accessing Amazon normally? How can I tell? If they are all Amazon addresses, how can I separate only the ones for streaming?

4. Also in my case, with video coming from the WAN interface but normal browsing in the VPN, what do I do with the
/jffs/scripts/x3mRouting/vpnclient1-route-up example? Do the start-up commands go into the nat-start file or in the vpnclient1-route-up or both?

5. After doing the installation, do I need to reboot the router? In my case, I did not and it appears to be working, but what should be the best practice (I'm guessing I should do a reboot)?

6. I also need to do video for HBO NOW and Roku. Have you tried to do them, and what process works to get their IPs? If you do not know, that's OK, you seem to have provided enough info for me to try to figure it out. But if anyone has already done them, it might save me and others some work.

BTW, I just added the ASN number for Roku, and the command seemed to work, but there was no comment about adding a CRON job to update. Will that CRON happen and you just did not print out that message like you did in other cases? Also ditto for the Manual IP file command (I did it for HBO Now. We'll see if the 3 ranges I got from https://bgp.he.net/search are enough).

7. I would like the CRON job to update the address to run daily instead of weekly, at 4:35am. Where would I make that change? Or possibly you might consider making that an option at installation time?

8. Have you considered getting x3mRouting to be a part of AMTM? That is getting to be the standard for installing and maintaining scripts beyond what Merlin provides.

Otherwise, thanks for doing the work to get this working. I always worried about putting my smart TVs outside of the VPN just so that I could watch videos, especially with the recent article about Samsung TVs being a hackable potential that might compromise my network. Your excellent work hopefully plugs that hole.
 
Hi @TonyK132,

Thank you for testing the x3mRouting project. I greatly appreciate the feedback. I will definitely use the feedback to make the project better for others.

I have the responses split into separate threads due to the length of the replies.

PART 1

Question 1
I will add the “sh” to the usage examples on the project README to avoid confusion. Doing so will also allow people to copy and paste the command to the command line. If inside the directory where the scripts are located, there are two options to select from to execute the scripts:

Code:
sh load_AMAZON_ipset_iface.sh 2 AMAZON-US US
./load_AMAZON_ipset_iface.sh 2 AMAZON-US US

If not inside the directory, then the full path must be specified. E.g.

Code:
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 2 AMAZON-US US

Question 2
I thought about this briefly during the development but could not come up with a solution. I think the best way is to add an optional parameter that will add the entry to nat-start if it does not already exist.

Question 3
Looks like amazon.com shopping site in US is included in the US Region. I got a hit in the AMAZON_US ipset list when searching for 176.32.103.0. See the example below.

Code:
#nslookup amazon.com
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      amazon.com
Address 1: 205.251.242.103 s3-console-us-standard.console.aws.amazon.com
Address 2: 176.32.103.205
Address 3: 176.32.98.166

# whob 176.32.103.205
IP: 176.32.103.205
Origin-AS: 16509
Prefix: 176.32.96.0/21
AS-Path: 8492 12389 1273 16509
AS-Org-Name: Amazon.com, Inc.
Org-Name: PROD IAD
Net-Name: amazon-IAD-PROD
Cache-Date: 1563532062
Latitude: 39.043720
Longitude: -77.487490
City: Ashburn
Region: Virginia
Country: United States
Country-Code: US

# MatchIP 176.32.103.0
176.32.103.0 found in Skynet-Whitelist
176.32.103.0 not found in Skynet-Blacklist
176.32.103.0 not found in NETFLIX
176.32.103.0 found in AMAZON_US
176.32.103.0 not found in Skynet-BlockedRanges
176.32.103.0 not found in Skynet-IOT
176.32.103.0 not found in BBC_WEB
176.32.103.0 not found in CBS
176.32.103.0 not found in CBS_WEB
176.32.103.0 not found in HULU_WEB
176.32.103.0 not found in MOVETV
176.32.103.0 not found in Skynet-Master

The whob command is an entware package. The MatchIP command is in the profile.add file in my script repo on GitHub. It is a useful function and I will add it to the x3mRouting project.
 
PART 2

Question 4

If you use Method 1 - x3mRouting for LAN Clients Method combined with Method 3 - x3mRouting IPSET Shell Script Method, don't use the nat-start method. Since you are using Method 3, you can execute the scripts from nat-start. Placing the scripts in nat-start has been the go-to recommendation since I have been doing this. But nat-start can run concurrently and cause issues. My code accounts for this to prevent the issues from occurring.

However, you can choose the option to select Option 4 - Install x3mRouting OpenVPN Event if you prefer.

Then, create an executable file inside of /jffs/scripts/x3mRouting/ called vpnclient1-route-up. Replace the number 1 with the OpenVPN client number you want to bypass or route. This script will be executed whenever the OpenVPN Client 1 route-up state has completed processing. Edit /jffs/scripts/x3mRouting/vpnclient1-route-up and execute the scripts from there.

Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net

In summary, nat-start will work if using Method 3. But if using Method 1 and Method 3 together, then you need to install Option 4.

Question 5
There is no need to reboot the router after installing or running the scripts from the command line. However, a reboot is required to properly test that nat-start runs properly and the IPSET lists and routing rules are created after a reboot.

Question 6
I don’t have an HBO subscription to test with. It appears that HBO may be hosted on the Amazon AWS server farm. I found a matching IP address in the AMAZON_US IPSET list.

Code:
# nslookup hbo.com
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      hbo.com
Address 1: 52.5.139.147 ec2-52-5-139-147.compute-1.amazonaws.com
Address 2: 52.5.61.70 ec2-52-5-61-70.compute-1.amazonaws.com

# whob 52.5.139.147
IP: 52.5.139.147
Origin-AS: 14618
Prefix: 52.4.0.0/14
AS-Path: 8492 12389 3257 16509 14618
AS-Org-Name: Amazon.com, Inc.
Org-Name: Amazon Technologies Inc.
Net-Name: AT-88-Z
Cache-Date: 1563532062
Latitude: 39.043720
Longitude: -77.487490
City: Ashburn
Region: Virginia
Country: United States
Country-Code: US

#MatchIP 52.5.139.0
52.5.139.0 found in Skynet-Whitelist
52.5.139.0 not found in Skynet-Blacklist
52.5.139.0 not found in NETFLIX
52.5.139.0 found in AMAZON_US
52.5.139.0 not found in Skynet-BlockedRanges
52.5.139.0 not found in Skynet-IOT
52.5.139.0 not found in BBC_WEB
52.5.139.0 not found in CBS
52.5.139.0 not found in CBS_WEB
52.5.139.0 not found in HULU_WEB
52.5.139.0 not found in MOVETV
52.5.139.0 not found in Skynet-Master

Using the AMAZON US region does cast a wide net which may be good or bad depending on your use case. If one wants to get more specific, further analysis is required. A good place to start is the website of the streaming service. Right click on the site and choose the option to view the source code. Then, search on .com and .net or http to get the top level domain names. Then, try to see if it works using the DNSMASQ method. You can also mine the dnsmasq.log file to see what domain names are being used. You can see the README on https://github.com/Xentrk/netflix-vpn-bypass where I explain how to do this. Similarly, you can do an nslookup on one of the domain names to get the IP address. Then, use the whob command to get the ASN. Or, enter the IP address on the search function on https://bgp.he.net/ or https://ipinfo.io/ to get the ASN.

Not sure how to respond to the Roku part of the question though. You can route the Roku player itself in the Policy Rules section of the OpenVPN client screen. The routing rules of the x3mRouting project will take a higher priority than the Policy Rules for the device. For example, I have my Roku player set to use the TorGuard server in L.A. Whereas Netflix and Hulu are configured to use my TorGuard Private IP that allows me to circumvent the VPN blocks. The Netflix and Hulu rules have a higher priority which overrides the Policy Rule for the Roku device.
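
Added example (not part of the original posts or x3mRouting): the "wide net" trade-off above also applies to the CIDR policy rules tried earlier in this thread, because every address inside a rule leaves through the WAN instead of the VPN, and a CDN range is shared with unrelated sites. This script finds the narrowest rule covering an address and counts how many addresses the whole rule set sends outside the VPN; 192.0.2.10 is a constructed test address, and 64-bit shell arithmetic is assumed.

```shell
#!/bin/sh
# Added example: not from the thread or the x3mRouting project.
# RULES holds the CIDR ranges quoted in the thread as WAN policy rules.
# Assumes the shell does 64-bit arithmetic (bash, dash, current busybox ash).
RULES="104.64.0.0/10 104.74.32.0/20 72.246.0.0/15 72.246.234.0/23 202.6.74.0/24 203.2.218.0/24"

# ip_to_int A.B.C.D -> prints the address as an integer; fails on bad input.
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0?*|????*) return 1 ;; esac  # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS IP -> exit 0 if IP is inside, 1 if not, 2 on bad input.
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*|???*) return 2 ;; esac
    [ "$bits" -le 32 ] || return 2
    n=$(ip_to_int "$net") || return 2
    a=$(ip_to_int "$2") || return 2
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# best_rule IP -> "CIDR SIZE" for the narrowest rule covering IP, or "none 0".
# SIZE is the number of addresses that rule routes outside the VPN.
best_rule() {
    best=""; best_bits=-1
    for r in $RULES; do
        if cidr_contains "$r" "$1"; then
            b=${r#*/}
            if [ "$b" -gt "$best_bits" ]; then best=$r; best_bits=$b; fi
        fi
    done
    if [ -n "$best" ]; then
        echo "$best $(( 1 << (32 - best_bits) ))"
    else
        echo "none 0"
    fi
}

# bypass_footprint -> total addresses covered by RULES. CIDR blocks either
# nest or are disjoint, so a rule inside a shorter-prefix rule is not counted
# again. Assumes RULES has no exact duplicates.
bypass_footprint() {
    total=0
    for r in $RULES; do
        covered=0
        for s in $RULES; do
            if [ "${s#*/}" -lt "${r#*/}" ] && cidr_contains "$s" "${r%/*}"; then
                covered=1; break
            fi
        done
        [ "$covered" -eq 1 ] || total=$(( total + (1 << (32 - ${r#*/})) ))
    done
    echo "$total"
}

# Demo: the three addresses resolved in the thread plus one constructed
# address (192.0.2.10) that no rule covers and so stays on the VPN.
for ip in 104.74.40.49 72.246.234.183 203.2.218.214 192.0.2.10; do
    echo "$ip -> $(best_rule "$ip")"
done
echo "addresses routed outside the VPN: $(bypass_footprint)"
```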
 
PART 3

Question 7
The IP addresses for the ASN method are fairly static and don’t change that much. To test this, I turned off updating of the lists for a year on one of my routers and the streaming services continued to work. There is no cron job for the ASN method. Whenever the script runs, it does check to see if the list is older than 7 days and downloads a new list of IP addresses if so. I will consider changing the approach to use a cron job though.

The only cron jobs are for the DNSMASQ scripts. The IP addresses are generated dynamically as one surfs the internet or streams. The cron job backs up the generated list to /opt/tmp at 2:00 AM. To change this, one would need to edit the script and reboot for the change to take effect.

Question 8
The project has been in soft launch mode so I could get feedback before a formal go-live. I’ll start preparing a formal announcement and thread for the project and work with @thelonelycoder to add x3mRouting to AMTM. I am targeting next weekend for a formal go-live. I have a full time job and things have been very busy for me. But I will try my best to get this done.

This concludes the replies. Let me know if you have more questions. Thanks again for the feedback.
 
