ipset for dynamic routing with openvpn client


xulian

Regular Contributor
Hello,

I have been reading a lot but I'm unable to set this working due to some kind of problem when trying to populate the ipset with the corresponding addresses. These are the commands I have run:

1) added the entry ipset=/plex.tv/my.plexapp.com/myipset to /jffs/configs/dnsmasq.conf.add
2) restarted dnsmasq service with service restart_dnsmasq and verified the line is added to the main dnsmasq.conf file
3) create the ipset with the command ipset create wan0 iphash
4) fill the ipset with ipset add wan0 myipset

and get the error:

ipset v6.29: Syntax error: cannot parse myipset: resolving to IPv4 address failed

If I try to add the url directly without the dnsmasq record with ipset add wan0 plex.tv then I get

Warning: plex.tv resolves to multiple addresses: using only the first one returned by the resolver.

So looks like the dnsmasq info is not being resolved? Any idea please? My intention is to route any packet to those addresses adding some fwmark in there.

thanks very much in advance

I assume IPSET WAN0 is to contain a list of smaller individual IPSETS

e.g.

Code:
ipset create WAN0 list:set

ipset create MyIPSET1 hash:ip
ipset create MyIPSET2 hash:ip

ipset add WAN0 MyIPSET1
ipset add WAN0 MyIPSET2

ipset list WAN0

Manually list the IPs known for say plex.tv

Code:
nslookup plex.tv

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      plex.tv
Address 1: 54.76.211.208 ec2-54-76-211-208.eu-west-1.compute.amazonaws.com
Address 2: 52.213.208.228 ec2-52-213-208-228.eu-west-1.compute.amazonaws.com
Address 3: 52.214.149.31 ec2-52-214-149-31.eu-west-1.compute.amazonaws.com
Address 4: 52.210.223.97 ec2-52-210-223-97.eu-west-1.compute.amazonaws.com
Address 5: 52.30.162.251 ec2-52-30-162-251.eu-west-1.compute.amazonaws.com
Address 6: 52.209.254.156 ec2-52-209-254-156.eu-west-1.compute.amazonaws.com
Address 7: 54.194.110.119 ec2-54-194-110-119.eu-west-1.compute.amazonaws.com
Address 8: 52.210.244.61 ec2-52-210-244-61.eu-west-1.compute.amazonaws.com

Now manually (rather than wait for dnsmasq to do it for us!) populate one of the IPSETS with the first listed plex.tv IP address

Code:
ipset add MyIPSET1  54.76.211.208

ipset list MyIPSET1

Name: MyIPSET1
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8264
References: 1
Members:
54.76.211.208

At this point IPSET WAN0 contains two sub-IPSETS, one of which contains 1 entry and the other is completely empty!

So we could have one sub-IPSET containing all plex.tv addresses and one sub-IPSET say for all Netflix addresses, that are referenced as a group to be routed via WAN0.


(P.S. Might be better to choose more descriptive names rather than say MyIPSETx etc.)

Hope this explains it?

Hello Martineau,

Thanks, your post helps also to understand the way both ipsets can improve my initial version. In fact you are right, I want all of them to be routed thru WAN rather than VPN. Thing is that it works filling them manually (as you loaded first plex.tv IP into MyIPSET1) and it makes sense of course.

But point here is that I was expecting dnsmasq to fill them for us... isn't that the way it works?

Indeed, but there is nothing wrong with initially manually populating the IPSET ('seeding') then let dnsmasq dynamically update the IPSET with future resolved IP addresses as they are discovered.
 
there is nothing wrong with initially manually populating the IPSET ('seeding') then let dnsmasq dynamically update the IPSET with future resolved IP addresses as they are discovered.

Hi Martineau, yes I understand it... but if dnsmasq does it for us, then I write in my openvpn-event script using only the name of the ipset defined in dnsmasq. I forget the rest of it ... otherwise, I need to decode the lines in the dnsmasq and load every element into the ipset... of course it makes sense, but it's easier in the first attempt :)

Does dnsmasq need something to make this or do we need to code it inside one script?

thanks again for your help

If the appropriate 'ipset=' directive is defined in dnsmasq (and dnsmasq is restarted), then dnsmasq will automatically add IP entries to the appropriate IPSET each time the associated domain(s) are referenced.

NOTE: Obsolete IP entries will not be removed from the IPSET by this automated dnsmasq process, so you may have to create your own 'house-keeping' script.
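The 'house-keeping' step mentioned above, as an added example that is not from this thread or from any of the posters' own scripts: it parses the Members: section of `ipset list` output (the format shown earlier in the thread) and busybox-style nslookup output, and emits an `ipset del` for every member the resolver no longer returns. The set name, the listing and the lookup are constructed sample data; 203.0.113.7 is a documentation address standing in for a stale entry. With DRY_RUN=1 (the default) the commands are printed rather than executed, so it can be checked before being run on the router.

```shell
#!/bin/sh
# Added example, not from the thread: dnsmasq's 'ipset=' directive adds
# resolved addresses to a hash:ip set but never removes them. This finds
# members that no longer match the resolver's current answers and emits
# 'ipset del' commands. DRY_RUN=1 (default) prints instead of executing.

DRY_RUN="${DRY_RUN:-1}"

# Print or run a command, depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Addresses from the Members: section of 'ipset list <name>', one per line.
members_from_listing() {
    awk '/^Members:/ {inm=1; next} inm && NF {print $1}'
}

# IPv4 answers from busybox nslookup output; the resolver's own
# 'Address 1: 127.0.0.1' line comes before 'Name:' and is skipped.
addresses_from_lookup() {
    awk '/^Name:/ {seen=1} seen && /^Address/ {print $3}'
}

# Lines of file $1 (members) that are not in file $2 (current answers).
stale_members() {
    grep -vxF -f "$2" "$1" || true
}

# Emit deletions for stale members of set $1, given an 'ipset list'
# capture in file $2 and an nslookup capture in file $3.
prune_commands() {
    setname="$1"; listing="$2"; lookup="$3"
    work=$(mktemp -d) || return 1
    members_from_listing < "$listing" > "$work/members"
    addresses_from_lookup < "$lookup"  > "$work/current"
    stale_members "$work/members" "$work/current" | while read -r ip; do
        run ipset del "$setname" "$ip"
    done
    rm -rf "$work"
}

# Constructed sample data: a set with one entry the resolver no longer returns.
SAMPLE_LISTING='Name: myipset
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8264
References: 1
Members:
54.76.211.208
203.0.113.7
52.209.254.156'

SAMPLE_LOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      plex.tv
Address 1: 54.76.211.208 ec2-54-76-211-208.eu-west-1.compute.amazonaws.com
Address 2: 52.209.254.156 ec2-52-209-254-156.eu-west-1.compute.amazonaws.com'

# Write the samples to files and run the pruning over them.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_LISTING" > "$tmp/listing"
    printf '%s\n' "$SAMPLE_LOOKUP"  > "$tmp/lookup"
    prune_commands myipset "$tmp/listing" "$tmp/lookup"
    rm -rf "$tmp"
}

demo
```

On the router the two captures would come from `ipset list myipset` and `nslookup plex.tv` (one lookup per domain in the directive, appended to the same file); run it from cron with DRY_RUN=0 once the printed deletions look right. Because dnsmasq re-adds an address the next time a client resolves the domain, deleting an address that is still live costs only one re-learn, which is the safe direction for a routing set.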
 
Hi... that was my understanding also, but this is what happens in my step 4:

4) fill the ipset with ipset add wan0 myipset
and get the error:
ipset v6.29: Syntax error: cannot parse myipset: resolving to IPv4 address failed

So that's the reason I think something is not working as expected, or I have forgotten/misunderstood something at that point

thanks again

You didn't create IPSET wan0 correctly

You will need to delete it and re-create it as a 'list:set' as in my WAN0 IPSET example.
 
yes... same result

/tmp/home/root# ipset create wan0 list:set
/tmp/home/root# ipset create wan_ipset hash:ip
/tmp/home/root# ipset add wan0 wan_ipset
/tmp/home/root# ipset add wan_ipset myipset
ipset v6.29: Syntax error: cannot parse myipset: resolving to IPv4 address failed
/tmp/home/root# ipset add wan_ipset plex.tv
Warning: plex.tv resolves to multiple addresses: using only the first one returned by the resolver.
/tmp/home/root# ipset list wan_ipset
Name: wan_ipset
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8264
References: 1
Members:
52.209.254.156

I think we are missing something here. I need at some point to link "myipset" with wan_ipset so, as you say, when I reference any of the sites there listed, they are solved and saved into the list. Also tried defining the list as hash:net but same result.

Following your guide I can make a script to load the ipsets at firewall-start or any other point and have it ready to be used where I define the iptables rules. But this doesn't seem to be the best solution, isn't it?

thanks again

I think we are missing something here

I'm pretty certain I'm not missing anything :rolleyes:

So one last time....:confused:

So you managed to add the IPSET wan_ipset to the IPSET wan0 successfully - correct? Why did this work? Because you created IPSET wan0 as a list:set which allows adding of IPSET names, hence the 'list' type.

So how many IP addresses do you currently have in IPSET wan0?
HINT: You will need to use the 'ipset list' command on two IPSETs!!!

You created IPSET wan_ipset as hash:ip meaning it may only contain IP addresses!! so you can't add text such as 'plex.tv', 'numpty' etc. but only entries of the form xxx.xxx.xxx.xxx i.e. correctly formatted IP addresses.

So you can add both IPSETs wan_ipset and myipset to IPSET wan0 then populate wan_ipset and myipset with say the IP addresses associated with say plex.tv or Netflix

So IPSET wan0 will contain two entries, whereas myipset could contain 30 IP entries and wan_ipset could contain 70 IP entries.

i.e. wan0 will then have a total of 100 IP addresses it can selectively route.

if you added all 100 IP addresses into a single IPSET, how would you quickly identify at a later date say which belonged to plex.tv and those that didn't?

I have WAN0,VPN1,VPN2,VPN3 defined as 'list:set' IPSETs that physically don't contain any IP addresses until I add hash:ip IPSETs to them, so if say VPN2 is down, I can quickly move the (large) VPN2 hash:ip IPSETs to another VPN.

Good luck.
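The structure described above (a list:set that holds hash:ip sets, each seeded by hand and then kept current by dnsmasq), as an added example that is not from this thread or from Martineau's own scripts. It takes the exact `ipset=` line from the first post, derives the set name and the domain list from it, and emits the commands that make the directive work: the hash:ip set must carry the name given at the end of the directive and must exist before dnsmasq can add anything to it, since dnsmasq does not create sets itself. The set is then added to the list:set and seeded from a busybox-style nslookup capture, which is constructed sample data here. `wan0` as the list:set name and DRY_RUN are this example's choices; with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: turn a dnsmasq 'ipset=' directive into
# the ipset commands it depends on, and seed the set from a resolver listing.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Print or run a command, depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 'ipset=/dom1/dom2/setname' -> setname (last path component).
set_name_from_directive() {
    printf '%s\n' "${1##*/}"
}

# 'ipset=/dom1/dom2/setname' -> 'dom1 dom2'.
domains_from_directive() {
    d="${1#ipset=/}"   # drop the 'ipset=/' prefix
    d="${d%/*}"        # drop the trailing '/setname'
    printf '%s\n' "$d" | tr '/' ' '
}

# IPv4 answers from busybox nslookup output; the resolver's own
# 'Address 1: 127.0.0.1' line comes before 'Name:' and is skipped.
addresses_from_lookup() {
    awk '/^Name:/ {seen=1} seen && /^Address/ {print $3}'
}

# Emit the commands for directive $1 grouped under list:set $2, seeding the
# hash:ip set with the addresses read from stdin. '-exist' makes the script
# safe to re-run (no error if the set or entry is already there).
seed_commands() {
    directive="$1"; listset="$2"
    setname=$(set_name_from_directive "$directive")
    printf '# dnsmasq will add answers for: %s\n' "$(domains_from_directive "$directive")"
    run ipset -exist create "$listset" list:set
    run ipset -exist create "$setname" hash:ip    # must exist before dnsmasq can fill it
    run ipset -exist add "$listset" "$setname"    # list:set holds set names, hash:ip holds IPs
    addresses_from_lookup | while read -r ip; do
        run ipset -exist add "$setname" "$ip"
    done
}

# Constructed sample resolver output in the format the router's nslookup prints.
SAMPLE_LOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      plex.tv
Address 1: 54.76.211.208 ec2-54-76-211-208.eu-west-1.compute.amazonaws.com
Address 2: 52.213.208.228 ec2-52-213-208-228.eu-west-1.compute.amazonaws.com'

# The directive from the first post, with wan0 as the list:set.
demo() {
    printf '%s\n' "$SAMPLE_LOOKUP" | seed_commands 'ipset=/plex.tv/my.plexapp.com/myipset' wan0
}

demo
```

Run on the router as `nslookup plex.tv | DRY_RUN=0 sh seed.sh` (after replacing the `demo` call with `seed_commands "$DIRECTIVE" wan0`), from a script that runs before dnsmasq is restarted; from then on each client lookup of plex.tv or my.plexapp.com through dnsmasq lands in myipset, and an iptables rule that matches `-m set --match-set wan0 dst` covers every hash:ip set added to wan0.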
Hello,

So you managed to add the IPSET wan_ipset to the IPSET wan0 successfully - correct? Why did this work? Because you created IPSET wan0 as a list:set which allows adding of IPSET names, hence the 'list' type.

I only care about ip list type

You created IPSET wan_ipset as hash:ip meaning it may only contain IP addresses!! so you can't add text such as 'plex.tv', 'numpty' etc. but only entries of the form xxx.xxx.xxx.xxx i.e. actual IP addresses.

I understand it, that's the reason I was expecting dnsmasq.conf entry to resolve names into numbers.

if you added all 100 IP addresses into a single IPSET, how would you quickly identify at a later date say which belonged to plex.tv and those that didn't?

I don't care about it, only needed to know if they are in my list to route them properly

I have WAN0,VPN1,VPN2,VPN3 defined as 'list:set' IPSETs that physically don't contain any IP addresses until I add hash:ip IPSETs to them, so if say VPN2 is down, I can quickly move the (large) VPN2 hash:ip IPSETs to another VPN.

looks nice and maybe I move to something similar in the future, atm only need 1 ipset for my only VPN tunnel and this chain was intended to route all these IPs thru WAN0.

Thanks for your patience until this point, your notes have been very helpful no matter I'm forgetting something ;)
 
What does your dnsmasq.conf.add look like now?