Asuswrt-Merlin Netflix through VPN settings

Netflix won't work with VPN. They blocked it.
Depends on which VPN you're using. Some work fine. I was using VPN.ac with no issues after I got my DNS configuration straightened out. However, I'm going to switch to another VPN because of speed issues in the evenings. Anyone else experience a 30Mbps drop in download speeds in the evenings compared to the morning?
 
To set DNS filtering while using the VPN, you need to set Accept DNS Configuration to Disabled in the VPN client page, then set OpenDNS in the WAN page.
It should work as you want, but you will have a DNS leak. There is no point in using a VPN if you create a leak with your config.

The way I set up mine is...

Policy rules for the computer using the VPN. Accept DNS Configuration set to Exclusive, so only this computer uses the VPN DNS, so there is no filtering for this one. Other computers go directly to the WAN and use the WAN DNS, which is OpenDNS Family.
Thanks @ledan, I wanted blanket DNS filtering for all home devices though. I guess there's no way to do it unless the VPN provider builds this into their DNS servers?
 
Is there a way in the policy rules to allow devices to connect to WAN if going to Netflix, i.e., Netflix IP range will go through WAN instead of VPN? Does Netflix have a IP range?
 
Is there a way in the policy rules to allow devices to connect to WAN if going to Netflix, i.e., Netflix IP range will go through WAN instead of VPN? Does Netflix have a IP range?
NF will work with TorGuard if you get the Private IP option. I have used them for 1.5 years now. If you want NF traffic to bypass the VPN and go out via the WAN, I recommend a read through the Selective Routing thread
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/

It will take some time. But there are others who shared their tips on this topic.

There are scripts others shared to route traffic per your use case. On page 28, you will see one I wrote based on help of others.
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-339141

I suggest using domain names rather than IP addresses as IP addresses may change.

I like the idea of using the dnsmasq log to see what domains are being called when you start Netflix.

This would probably be a good topic for a wiki as it comes up often.

There is a website here that has some IP addresses.
https://ipinfo.io/AS2906

I have another one bookmarked but I can't find it.
 
Maybe this will help as well as another check.

Netflix.com
I got these NF IP addresses from http://digwebinterface.com/?hostnames=Netflix.com&type=&ns=resolver&useresolver=8.8.4.4&nameservers=
Code:
netflix.com.        59    IN    A    52.5.89.35
netflix.com.        59    IN    A    52.45.81.31
netflix.com.        59    IN    A    52.5.104.12
netflix.com.        59    IN    A    52.45.226.110
netflix.com.        59    IN    A    52.54.71.157
netflix.com.        59    IN    A    52.54.76.119
netflix.com.        59    IN    A    52.5.79.73
netflix.com.        59    IN    A    52.54.254.24
www.netflix.com
http://digwebinterface.com/?hostnam...&ns=resolver&useresolver=8.8.4.4&nameservers=
Code:
www.netflix.com.    1724    IN    CNAME    www.geo.netflix.com.
www.geo.netflix.com.    1570    IN    CNAME    www.us-west-2.prodaa.netflix.com.
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.42.246.49
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.42.235.31
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.43.10.174
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.42.68.185
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.42.250.151
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.42.228.237
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.43.110.107
www.us-west-2.prodaa.netflix.com. 46 IN    A    52.43.211.100
vortex.netflix.com
http://digwebinterface.com/?hostnam...&ns=resolver&useresolver=8.8.4.4&nameservers=
Code:
netflix.com.        899    IN    SOA    ns-81.awsdns-10.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 1800
 
I don't use Netflix, so this needs testing.

As per this thread,
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-291913
I again will point out that the script you have posted is flawed and will fail! :eek:

Assuming dnsmasq has been configured to automatically populate the NETFLIX Ipset, all you need are two rules:
Code:
TAG_MARK=0x7000

ip rule add fwmark $TAG_MARK table main prio 9990

iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK/$TAG_MARK

but if you add them to say nat-start then it is good practice to ensure that duplicate rules are not created.
Code:
TAG_MARK=0x7000

ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

iptables -D PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
iptables -A PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark $TAG_MARK/$TAG_MARK

P.S. This has been tested and works.
 
Weird. I tested your rule before with Youtube.

With my rules, other sites are connected via my US VPS and Youtube was connected via my Wan.
But with your rules, all sites accessed via my VPS.

To me, my rules work and your rules do not work.
 
Weird. I tested your rule before with Youtube.

With my rules, other sites are connected via my US VPS and Youtube was connected via my Wan.
But with your rules, all sites accessed via my VPS.

To me, my rules work and your rules do not work.

So either the priority for the RPDB rule in your environment is too low
Code:
ip rule
and/or the routing tables are inappropriate for selective routing
Code:
ip route
ip route show table 11x
 
ip rule
0: from all lookup local
32766: from all lookup main
32767: from all lookup default

ip route
111.111.111.254 dev eth0 proto kernel scope link
111.111.111.0/24 dev eth0 proto kernel scope link src 111.111.111.111
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 111.111.111.254 dev eth0

ip route show table 11x
Error: argument "11x" is wrong: table id value is invalid

There is nothing on table 100~120.

I hid my real IP.
 
There is nothing on table 100~120.

<sigh>

By all means you should use custom scripts that work for your environment, but please don't publish flawed script solutions to others.

@RMerlin has expended considerable time and effort to ensure that it is very easy to manage Selective Routing, and manually adding two simple rules (to implement Selective ipset/port Routing) surely has to be more reliable, so why take risks by 're-inventing the wheel' with flawed scripts?

TL;DR
It has been documented (read the source code) and also advised in forum posts:

https://www.snbforums.com/threads/rt-ac68u-and-manual-bypass-vpn-rules-help.35252/#post-285752

that Asus and @RMerlin use reserved fwmarks, so user-written custom scripts should stay well clear of these

i.e. using 'fwmark 1' is more than likely a definite no-no! :eek:

For Dual-WAN users, routing tables 100 and 200 are configured explicitly by ASUS, so 'randomly' trashing table 100 probably isn't a good idea.

So if you follow the guide:

https://github.com/RMerl/asuswrt-merlin/wiki/Policy-based-routing

Using 'Redirect Internet traffic=Policy Rules'

then by default everything is routed via the WAN unless explicitly specified via the GUI which will automatically create the necessary VPN specific routing tables (111-115).

However, whilst the firmware doesn't support fwmark selective routing via the GUI, clearly the kernel does, so now my two rules will work in harmony with the firmware's in-built selective routing.

e.g. see '/usr/sbin/vpnrouting.sh' which already disables Reverse Path Filtering
Code:
# Unsure if necessary, but most policy-based routing scripts disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 0 > $i
done


P.S. What happens to users that have two ACTIVE VPNs?....
Do you know what the potentially damaging consequences of your script's command does? :rolleyes:
Code:
iptables -t mangle -F PREROUTING
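A check for the failure modes named in this post (an RPDB rule that is not consulted before table main, a target table with no default route, and rp_filter left on), added here as an example that is not from the thread or the firmware; the sample `ip rule` text, the table 111 route and the 0x1000/111 values are constructed or assumed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for fwmark selective routing
# on Asuswrt-Merlin, covering the failure modes named above: an RPDB rule that is
# not consulted before table main, a target table with no default route, and
# rp_filter left on. Works for fwmark -> main (WAN) and fwmark -> 111 (VPN 1).
MAIN_PRIO=32766   # priority of "from all lookup main" in `ip rule`

# rule_prio RULES FWMARK: print the priority of the "from all fwmark FWMARK"
# rule (with or without /mask), or nothing. RULES is the text of `ip rule`.
rule_prio() {
    printf '%s\n' "$1" |
        sed -n "s|^\([0-9]*\):[[:space:]]*from all fwmark $2[/[:space:]].*|\1|p"
}
# check_rule RULES FWMARK -> ok | missing | after-main
check_rule() {
    prio=$(rule_prio "$1" "$2")
    if [ -z "$prio" ]; then echo missing
    elif [ "$prio" -ge "$MAIN_PRIO" ]; then echo after-main
    else echo ok; fi
}
# check_table ROUTES -> ok | empty. ROUTES is `ip route show table N`; without a
# default route the lookup falls through to the next rule, i.e. main/WAN.
check_table() {
    if printf '%s\n' "$1" | grep -q '^default '; then echo ok; else echo empty; fi
}
# On the router itself: live_check FWMARK TABLE, e.g. live_check 0x1000 111
live_check() {
    echo "rpdb rule for $1: $(check_rule "$(ip rule)" "$1")"
    echo "table $2: $(check_table "$(ip route show table "$2")")"
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ "$(cat "$f")" = 0 ] || echo "reverse path filtering still on: $f"
    done
}

# Constructed sample output, not captured from a real router.
SAMPLE_RULES='0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup 111
32766:  from all lookup main
32767:  from all lookup default'
BROKEN_RULES='32766:  from all lookup main
32767:  from all lookup default'
LATE_RULES='32766:  from all lookup main
32767:  from all fwmark 0x1000 lookup 111'
SAMPLE_TABLE_111='default via 10.8.0.1 dev tun11'   # assumed VPN gateway/interface

check_rule "$SAMPLE_RULES" 0x1000   # ok
check_rule "$BROKEN_RULES" 0x1000   # missing
check_rule "$LATE_RULES" 0x1000     # after-main
check_table "$SAMPLE_TABLE_111"     # ok
```

Run `live_check 0x7000 main` or `live_check 0x1000 111` on the router to check a real setup; the sample data only exercises the parsing.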
 
I can confirm Netflix works just fine through both Astrill and Private Internet Access. Works on phone, T.V. and computer for me through router VPN tunnel.
 
<sigh>

By all means you should use custom scripts that work for your environment, but please don't publish flawed script solutions to others.

@RMerlin has expended considerable time and effort to ensure that it very easy to manage Selective Routing and manually adding two simple rules (to implement Selective ipset/port Routing) surely has to be more reliable, so why take risks by 're-inventing the wheel' with flawed scripts?

Now I am testing re-write script as your advice.
 
Now I am testing re-write script as your advice.

Whatever, but my point is that you don't need a separate script!!!! :rolleyes::rolleyes:

I proposed the same solution referencing the normal WAN routing table main (aka 254) here:

https://www.snbforums.com/threads/selective-routing-netflix-amazon-etc.36608/#post-346660

The goal was to have one device on the LAN send ALL of its traffic via the VPN, but the device must also selectively use the WAN when accessing a couple of specific remote I/P addresses.

Thankfully, despite enforced VPN routing being enabled, routing table main reliably remained true to its intended original default configuration which is for dedicated WAN routing (as is the case for ALL systems that do not use VPNs)

So why would we need to alter this expected/standard usage when the firmware conveniently creates the necessary VPN routing tables 111-115?

NOTE: Use of the iptables and fwmarks rules wasn't necessary, as RPDB rules natively support I/P addresses/subnet references.

P.S. Of course, it is entirely possible the OP was mistaken in his next posted reply, or perhaps was just being polite?
 
Now it works as you said. Many thanks @Martineau

Set the Policy Rules on GUI and add client 192.168.1.0/24 0.0.0.0 VPN.

/jffs/scripts/vpnclient1-route-up

#!/bin/sh

sleep 3

TAG_MARK=0x7000

ip rule del prio 9990
ip rule add fwmark $TAG_MARK table main prio 9990

modprobe xt_set
ipset -N netflix hash:ip
iptables -t mangle -D PREROUTING -m set --match-set socks dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
iptables -t mangle -A PREROUTING -m set --match-set socks dst -j MARK --set-mark $TAG_MARK/$TAG_MARK

/jffs/scripts/vpnclient1-route-pre-down
#!/bin/sh

TAG_MARK=0x7000
iptables -t mangle -D PREROUTING -m set --match-set socks dst -j MARK --set-mark $TAG_MARK/$TAG_MARK
ip rule del prio 9990
ipset -F netflix
ipset -X netflix

I have one more question. How do I reverse these rules?
Main connection goes to WAN and some sites go to VPN.

This seems to work, right?

Set the Policy Rules in the GUI and leave the client tab blank.

ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 10001
iptables -t mangle -D PREROUTING -i br0 -m set --match-set netflix dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m set --match-set netflix dst -j MARK --set-mark 0x1000/0x1000
 
Now it works as you said. Many thanks @Martineau

I have one more question. How do I reverse these rules?
Main connection goes to WAN and some sites go to VPN.

As per the RMerlin Wiki or @Xentrk's/ @yorgi's useful documentation, if the GUI table is blank then everything is routed via the WAN

If you have set VPN Client 'Accept DNS Configuration=Exclusive' then I recommend adding a dummy VPN entry

e.g. for VPN Client X
Code:
DummyVPNX   172.16.0.X    0.0.0.0   VPN

To reverse the routing, I create these static '-t mangle' rules

Code:
Chain PREROUTING (policy ACCEPT 792K packets, 282M bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN5 src,dst MARK or 0x5000
2        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN4 src,dst MARK or 0x4000
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN4 src,dst MARK or 0x3000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN2 src,dst MARK or 0x2000
5        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN1 src,dst MARK or 0x1000
6        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN0 src,dst MARK or 0x7000
and static RPDB rules
Code:
9990: from all fwmark 0x7000 lookup main
9991: from all fwmark 0x1000 lookup NewYork
9992: from all fwmark 0x2000 lookup UK
9993: from all fwmark 0x3000 lookup ovpnc3
9994: from all fwmark 0x4000 lookup Glenmorangie
9995: from all fwmark 0x5000 lookup ovpnc5

So with these 12 simple rules, I don't have to create any additional rules except for Selective Port routing!

i.e. in the case of the VPNx ipsets, simply add individual ipsets to the appropriate master VPNx ipset as the master ipset is already tagged with the correct fwmark!
 
The problem with Netflix is that it uses too many subnets worldwide for one to put them all in a VPN policy rule.
So even though you searched for 5 results, you can do the same search over and over and will always get new IP addresses showing up.
I think they add new IPs often, so you may have it working for a while, but then it can stop.
They have a huge network.
 
I found the selective routing ipset examples @Martineau posted in the selective routing thread where ipset mines the ip addresses:

https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-289515

https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-25#post-289849

I may make the effort to consolidate the methods on the wiki so we have a central place to refer people to since this topic comes up a lot. I would then want input of others to review and edit as needed.
 