Menu
What's new
By:
Filters Better Search

Need help with firewall-start for policy based routing OpenVPN

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

H

hvluu

Occasional Visitor
Hi all,

I'm new to all of this and I've picked pieces from here and there trying to work out my script but it seems nothing works. So I have a RT-AC68U (T-mobile branded) loaded with the latest release from Merlin (380.65_2) I believe. I'm trying to route Netflix out of my VPN. VPN is setup to run on router level and it works just fine. Following the wiki for user script, I added firewall-start file in /jffs/scripts and chmod it so it can be executed. However, the script doesn't run when I reboot router. When I manually run it through CLI, the system log gave me this error
Code: 
iptables v1.4.14: unknown option "--set-mark"

I came from Tomato Shibby and the script worked just fine. Below is the content of my script
Code: 
# Put this in the Firewall portion of the script section in Administration

#!/bin/sh
set -x  #uncomment/comment to enable/disable debug mode

(
TID="200"
FW_MARK="0x88"
IPSET="ovpn_split"

# cleanup from prior execution
(
# stop split tunnel
ip rule del fwmark $FW_MARK table $TID

# delete firewall rules
iptables -t mangle -F

# delete alternate routing table
ip route flush table $TID

# force routing system to recognize our changes
ip route flush cache

# enable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 2 > $i; done

sleep 3
) > /dev/null 2>&1

# quit if neither OpenVPN client is active
! ip route show | egrep -qm1 'tun1[1-2]' && exit

# copy main routing table (exclude all default gateway routes)
ip route show | egrep -v '^default|^0.0.0.0/1|^128.0.0.0/1' \
| while read route; do
ip route add $route table $TID
done

# add WAN as default gateway
ip route add default via $(nvram get wan_gateway) table $TID

# force routing system to recognize our changes
ip route flush cache

# disable reverse path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done

# load required netfilter modules
(modprobe xt_set || modprobe ip_set) 2> /dev/null

# Add Netflix IP blocks
ipt() {
  iptables -t mangle -A PREROUTING -i br0 -d "$1" -j MARK --set-mark $FW_MARK
}
ipt 208.75.79.0/24
ipt 208.75.76.0/24
ipt 208.75.73.0/24
ipt 208.75.72.0/24
ipt 108.175.32.0/20
ipt 108.175.32.0/24
ipt 108.175.33.0/24
ipt 108.175.34.0/24
ipt 108.175.35.0/24
ipt 108.175.38.0/24
ipt 108.175.39.0/24
ipt 108.175.40.0/24
ipt 108.175.41.0/24
ipt 108.175.42.0/24
ipt 108.175.43.0/24
ipt 108.175.44.0/24
ipt 108.175.46.0/24
ipt 108.175.47.0/24
ipt 185.2.220.0/22
ipt 185.2.222.0/24
ipt 185.2.223.0/24
ipt 185.9.188.0/22
ipt 185.9.188.0/24
ipt 192.173.112.0/20
ipt 192.173.64.0/18
ipt 192.173.64.0/20
ipt 192.173.64.0/24
ipt 192.173.65.0/24
ipt 192.173.66.0/24
ipt 192.173.67.0/24
ipt 192.173.68.0/24
ipt 192.173.80.0/20
ipt 192.173.96.0/20
ipt 198.38.100.0/24
ipt 198.38.101.0/24
ipt 198.38.102.0/23
ipt 198.38.102.0/24
ipt 198.38.108.0/24
ipt 198.38.109.0/24
ipt 198.38.110.0/24
ipt 198.38.111.0/24
ipt 198.38.112.0/24
ipt 198.38.113.0/24
ipt 198.38.114.0/24
ipt 198.38.115.0/24
ipt 198.38.116.0/24
ipt 198.38.117.0/24
ipt 198.38.118.0/24
ipt 198.38.119.0/24
ipt 198.38.120.0/24
ipt 198.38.121.0/24
ipt 198.38.124.0/24
ipt 198.38.125.0/24
ipt 198.38.126.0/24
ipt 198.38.127.0/24
ipt 198.38.96.0/19
ipt 198.38.96.0/24
ipt 198.38.97.0/24
ipt 198.38.98.0/24
ipt 198.38.99.0/24
ipt 198.45.48.0/20
ipt 198.45.48.0/24
ipt 198.45.49.0/24
ipt 198.45.50.0/23
ipt 198.45.50.0/24
ipt 198.45.52.0/24
ipt 198.45.53.0/24
ipt 198.45.54.0/24
ipt 198.45.55.0/24
ipt 198.45.56.0/24
ipt 198.45.57.0/24
ipt 198.45.61.0/24
ipt 198.45.62.0/24
ipt 198.45.63.0/24
ipt 23.246.0.0/18
ipt 23.246.12.0/24
ipt 23.246.13.0/24
ipt 23.246.14.0/24
ipt 23.246.15.0/24
ipt 23.246.16.0/24
ipt 23.246.17.0/24
ipt 23.246.18.0/24
ipt 23.246.2.0/24
ipt 23.246.20.0/24
ipt 23.246.21.0/24
ipt 23.246.22.0/24
ipt 23.246.23.0/24
ipt 23.246.24.0/24
ipt 23.246.25.0/24
ipt 23.246.26.0/24
ipt 23.246.27.0/24
ipt 23.246.28.0/22
ipt 23.246.28.0/24
ipt 23.246.29.0/24
ipt 23.246.3.0/24
ipt 23.246.30.0/24
ipt 23.246.31.0/24
ipt 23.246.32.0/20
ipt 23.246.36.0/24
ipt 23.246.37.0/24
ipt 23.246.38.0/24
ipt 23.246.39.0/24
ipt 23.246.4.0/24
ipt 23.246.42.0/24
ipt 23.246.43.0/24
ipt 23.246.44.0/24
ipt 23.246.45.0/24
ipt 23.246.46.0/24
ipt 23.246.47.0/24
ipt 23.246.48.0/24
ipt 23.246.49.0/24
ipt 23.246.5.0/24
ipt 23.246.50.0/24
ipt 23.246.51.0/24
ipt 23.246.52.0/24
ipt 23.246.54.0/24
ipt 23.246.55.0/24
ipt 23.246.56.0/24
ipt 23.246.57.0/24
ipt 23.246.58.0/24
ipt 23.246.59.0/24
ipt 23.246.6.0/24
ipt 23.246.7.0/24
ipt 23.246.8.0/24
ipt 23.246.9.0/24
ipt 37.77.184.0/21
ipt 37.77.186.0/24
ipt 37.77.187.0/24
ipt 37.77.188.0/24
ipt 37.77.189.0/24
ipt 37.77.190.0/24
ipt 37.77.191.0/24
ipt 45.57.0.0/17
ipt 45.57.0.0/24
ipt 45.57.1.0/24
ipt 45.57.10.0/23
ipt 45.57.10.0/24
ipt 45.57.12.0/24
ipt 45.57.13.0/24
ipt 45.57.14.0/24
ipt 45.57.15.0/24
ipt 45.57.16.0/24
ipt 45.57.17.0/24
ipt 45.57.18.0/24
ipt 45.57.19.0/24
ipt 45.57.2.0/24
ipt 45.57.20.0/24
ipt 45.57.21.0/24
ipt 45.57.22.0/24
ipt 45.57.23.0/24
ipt 45.57.28.0/24
ipt 45.57.29.0/24
ipt 45.57.3.0/24
ipt 45.57.30.0/24
ipt 45.57.31.0/24
ipt 45.57.36.0/24
ipt 45.57.37.0/24
ipt 45.57.38.0/24
ipt 45.57.39.0/24
ipt 45.57.4.0/24
ipt 45.57.40.0/24
ipt 45.57.42.0/24
ipt 45.57.44.0/24
ipt 45.57.45.0/24
ipt 45.57.5.0/24
ipt 45.57.6.0/24
ipt 45.57.7.0/24
ipt 45.57.8.0/23
ipt 45.57.8.0/24
ipt 45.57.9.0/24
ipt 64.120.128.0/17
ipt 66.197.128.0/17
ipt 69.53.230.0/24
ipt 69.53.231.0/24
ipt 69.53.232.0/23
ipt 69.53.234.0/24
ipt 69.53.235.0/24
ipt 69.53.240.0/24
ipt 69.53.242.0/24
ipt 69.53.245.0/24
ipt 69.53.246.0/24
ipt 69.53.255.0/24
ipt 107.20.0.0/16
ipt 107.21.0.0/18
ipt 107.21.128.0/17
ipt 107.21.64.0/18
ipt 107.22.0.0/16
ipt 107.23.0.0/17
ipt 107.23.128.0/17
ipt 174.129.0.0/16
ipt 184.72.128.0/17
ipt 184.72.64.0/19
ipt 184.72.96.0/19
ipt 184.73.0.0/16
ipt 204.236.192.0/18
ipt 204.236.224.0/19
ipt 216.182.224.0/21
ipt 216.182.232.0/21
ipt 23.20.0.0/15
ipt 23.22.0.0/15
ipt 23.23.189.144/28
ipt 34.192.0.0/12
ipt 34.195.253.0/25
ipt 50.16.0.0/16
ipt 50.17.0.0/16
ipt 50.19.0.0/17
ipt 50.19.128.0/17
ipt 52.0.0.0/15
ipt 52.2.0.0/15
ipt 52.20.0.0/14
ipt 52.200.0.0/13
ipt 52.4.0.0/14
ipt 52.44.0.0/15
ipt 52.54.0.0/15
ipt 52.70.0.0/15
ipt 52.72.0.0/15
ipt 52.86.0.0/15
ipt 52.90.0.0/15
ipt 52.95.245.0/24
ipt 54.144.0.0/14
ipt 54.152.0.0/16
ipt 54.156.0.0/14
ipt 54.160.0.0/14
ipt 54.164.0.0/15
ipt 54.166.0.0/15
ipt 54.172.0.0/15
ipt 54.174.0.0/15
ipt 54.196.0.0/15
ipt 54.198.0.0/16
ipt 54.204.0.0/15
ipt 54.208.0.0/15
ipt 54.210.0.0/16
ipt 54.211.0.0/16
ipt 54.221.0.0/16
ipt 54.224.0.0/15
ipt 54.226.0.0/15
ipt 54.234.0.0/15
ipt 54.236.0.0/18
ipt 54.236.128.0/17
ipt 54.236.64.0/18
ipt 54.237.0.0/16
ipt 54.240.30.0/23
ipt 54.240.32.0/20
ipt 54.240.48.0/23
ipt 54.240.8.0/21
ipt 54.242.0.0/15
ipt 54.80.0.0/14
ipt 54.84.0.0/15
ipt 54.86.0.0/16
ipt 54.87.0.0/16
ipt 54.88.0.0/16
ipt 54.89.0.0/16
ipt 54.90.0.0/15
ipt 54.92.128.0/17
ipt 54.204.25.0/28
ipt 67.202.0.0/18
ipt 72.44.32.0/19
ipt 75.101.128.0/17
 
# create ipset hash table
modprobe ip_set_hash_ip
ipset create $IPSET iphash
ipset flush $IPSET

# add firewall rule
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2-192.168.1.51 -j MARK --set-mark $FW_MARK
iptables -t mangle -A PREROUTING -m set --match-set $IPSET dst -j MARK --set-mark $FW_MARK
iptables -I FORWARD -i tun11 -p udp -d 192.168.255.254 --dport 32400 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.255.254 --dport 32400 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --dport 32400 -j DNAT --to-destination 192.168.255.254
iptables -t nat -I PREROUTING -i tun11 -p udp --dport 32400 -j DNAT --to-destination 192.168.255.254

# start split tunnel
ip rule add fwmark $FW_MARK table $TID

) 2>&1 | logger -t "ovpn_split[$$]"

I'd be really appreciated if someone can help me out on this.
 
hvluu said:
No one?
Click to expand...

I trimmed the script to check the ipt() function.
Code: 
#!/bin/sh
TID="200"
FW_MARK="0x88"
IPSET="ovpn_split"

# Add Netflix IP blocks
ipt() {
  iptables -t mangle -A PREROUTING -i br0 -d "$1" -j MARK --set-mark $FW_MARK
}
ipt 208.75.79.0/24

then ran it from the command prompt then checked the firewall:
Code: 
iptables -nvL PREROUTING --line -t mangle

Chain PREROUTING (policy ACCEPT 33111 packets, 17M bytes)
num   pkts bytes target     prot opt in     out     source               destination
<snip>
9        0     0 MARK       all  --  br0    *       0.0.0.0/0            208.75.79.0/24       MARK set 0x88

seemed to work as the rule was correctly inserted.

So try testing this snippet in /jffs/scripts/firewall-start, assuming firewall-start is executable, and you have set 'Enable JFFS custom scripts and configs=Yes' in the GUI.

NOTE: I have posted many times that the use of a (flawed obsolete) external script is no longer necessary on the RMerlin firmware.....unless you can/want to debug it yourself!

Instead why not save yourself grief and simply enable Selective routing 'Policy Rules' in the VPN Client GUI.

Now create an appropriate IPSET called say Netflix (although as your original script lists 258 CIDR subnets I would personally choose NetflixCIDR), then rather than create the multitude of '-t mangle PREROUTING' fwmark rules, you can issue two commands:
Code: 
ip rule add from 0/0 fwmark 0x1000 table ovpnc1 prio 9991
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set Netflix src,dst -j MARK --set-mark $0x1000/0x1000

assuming the Netflix IPSET is to be routed via VPN Client 1 (i.e. use ovpnc3/prio 9993/0x3000 if you want to route Netflix via VPN Client 3)
 
Last edited:
Martineau said:
Now create an appropriate IPSET called say Netflix (although as your original script lists 258 CIDR subnets I would personally choose NetflixCIDR)
Click to expand...
Or create a standard iphash IPSET that covers the following domains...

netflix.com
netflix.net
nflximg.com
nflximg.net
nflxvideo.com
nflxvideo.net
nflxext.com
 
john9527 said:
Or create a standard iphash IPSET that covers the following domains...

netflix.com
netflix.net
nflximg.com
nflximg.net
nflxvideo.com
nflxvideo.net
nflxext.com
Click to expand...

And therein lies the problem....published static lists of Netflix domains/CIDR subnets...are they actually valid?

e.g. Is nflximg.net one that you have just listed actually verified - nslookup etc?

Clearly there is a requirement to initially seed the Netflix IPSET so where do you obtain a reliable initial list?

Many providers such as RADB, LEVEL3 etc. maintain a Internet Routing Registry (IRR) for Netflix, so are they the definitive reference resource to do a curl to grab the addresses to populate a current Netflix IPSET?

Indeed it is trivial to configure dnsmasq to dynamically collate real-time references to the Netflix domains over an extended period of time...
I rebooted about 4 days ago, so my dnsmasq has managed to collate 784 Netflix addresses (via my US Smart DNS providers DNS servers):

Code: 
./IPSET_List.sh

 1. VPN1Domains      
 2. VPN2Domains      
 3. VPN1IPs       
 4. VPN2IPs       
 5. Blacklist             (Current members  11395)
 6. Whitelist             (Current members      1)
 7. TorNodes              (Current members   7037)
 8. MicrosoftSpyServers   (Current members     45)
 9. privacy-filter_ipv4   (Current members     10)
 10. Gmail                (Current members     22)
 11. Malware-Filter       (Current members  50326)
 12. Malware-Range-Filter (Current members    851)
 13. Netflix              (Current members    258)
 14. NetflixUSA           (Current members    784)
 15. WAN0       
 16. VPN1       
 17. VPN2       
 18. VPN3       
 19. VPN4       
 20. VPN5      

Enter {number} [delete | save] (or ENTER to exit) ->14

 Selected IPSET 'NetflixUSA' (#14)
 
IPSET NetflixUSA==>
 35.161.121.126  35.166.101.186   50.112.45.104     52.11.31.31    52.11.47.167     52.11.76.92   52.17.197.175   52.17.203.144    52.26.121.92   52.26.221.216    52.30.103.67    52.37.81.18   52.40.81.184   52.41.230.224   52.51.125.107   52.94.225.114   52.214.32.156      52.216.0.0      52.216.0.8     52.216.0.16     52.216.0.24     52.216.0.32     52.216.0.40     52.216.0.4    52.216.0.56     52.216.0.64     52.216.0.72     52.216.0.88     52.216.0.96    52.216.0.104    52.216.0.112    52.216.0.120    52.216.0.128    52.216.0.136    52.216.0.144    52.216.0.15   52.216.0.160    52.216.0.168    52.216.0.176    52.216.0.184    52.216.0.192    52.216.0.208    52.216.0.216    52.216.0.224    52.216.0.227    52.216.0.232    52.216.0.240    52.216.0.24     52.216.1.0      52.216.1.8     52.216.1.16     52.216.1.24     52.216.1.32     52.216.1.40     52.216.1.48     52.216.1.56     52.216.1.64     52.216.1.72     52.216.1.80     52.216.1.8    52.216.1.96     52.216.1.99    52.216.1.104    52.216.1.112    52.216.1.120    52.216.1.176    52.216.1.184    52.216.1.192    52.216.1.200    52.216.1.208    52.216.1.216    52.216.1.22   52.216.1.232    52.216.1.240    52.216.1.248      52.216.2.0      52.216.2.8     52.216.2.16     52.216.2.24     52.216.2.32     52.216.2.40     52.216.2.48     52.216.2.56     52.216.16.    52.216.16.8    52.216.16.16    52.216.16.24    52.216.16.32    52.216.16.40    52.216.16.48    52.216.16.56    52.216.16.64    52.216.16.72    52.216.16.80    52.216.16.88    52.216.16.9   52.216.16.96   52.216.16.104   52.216.16.120   52.216.16.128   52.216.16.136   52.216.16.144   52.216.16.152   52.216.16.160   52.216.16.168   52.216.16.176   52.216.16.184   52.216.16.19  52.216.16.200   52.216.16.208   52.216.16.216   52.216.16.224   52.216.16.232   52.216.16.240   52.216.16.248     52.216.17.0     52.216.17.8    52.216.17.16    52.216.17.24    52.216.17.3   52.216.17.40    52.216.17.48    52.216.17.56    52.216.17.64    52.216.17.72    52.216.17.80    52.216.17.88    52.216.17.96   52.216.17.104   52.216.17.112   52.216.17.120   52.216.17.12  52.216.17.136   52.216.17.144   52.216.17.152   52.216.17.160   52.216.17.168   52.216.17.176   52.216.17.184   52.216.17.192   52.216.17.200   52.216.17.208   52.216.17.216   52.216.17.22  52.216.17.232   52.216.17.240   52.216.17.248     52.216.18.0     52.216.18.3     52.216.18.8    52.216.18.16    52.216.18.24    52.216.18.32    52.216.18.40    52.216.18.48    52.216.18.5   52.216.18.64    52.216.18.72    52.216.18.80    52.216.18.88    52.216.18.96   52.216.18.104   52.216.18.112   52.216.18.120   52.216.18.128   52.216.18.136   52.216.18.144   52.216.18.15    52.216.32.0     52.216.32.8    52.216.32.16    52.216.32.24    52.216.32.32    52.216.32.40    52.216.32.48    52.216.32.56    52.216.32.64    52.216.32.72    52.216.32.80    52.216.32.8   52.216.32.96   52.216.32.104   52.216.32.112   52.216.32.120   52.216.32.128   52.216.32.136     52.216.64.0     52.216.64.8    52.216.64.16    52.216.64.24    52.216.64.32    52.216.64.4   52.216.64.48    52.216.64.56    52.216.64.80    52.216.64.88   52.216.64.104   52.216.64.120   52.216.64.128   52.216.64.136   52.216.64.144   52.216.64.152   52.216.64.160   52.216.64.16  52.216.64.176   52.216.64.184   52.216.64.192   52.216.64.200   52.216.64.208   52.216.64.216   52.216.64.224   52.216.64.232   52.216.64.240   52.216.64.248     52.216.65.0     52.216.65.   52.216.65.16    52.216.65.24    52.216.65.32    52.216.65.40    52.216.65.48    52.216.65.56    52.216.65.64    52.216.65.72    52.216.65.80    52.216.65.88    52.216.65.96   52.216.65.10  52.216.65.112   52.216.65.120   52.216.65.128   52.216.65.136   52.216.65.144   52.216.65.152   52.216.65.160   52.216.65.168   52.216.65.176   52.216.65.184   52.216.65.192   52.216.65.20  52.216.65.208   52.216.65.216   52.216.65.224   52.216.65.232   52.216.65.240   52.216.65.248     52.216.66.0     52.216.66.8    52.216.66.16    52.216.66.24    52.216.66.32    52.216.66.4   52.216.66.48    52.216.66.56     52.216.80.0     52.216.80.8    52.216.80.16    52.216.80.24    52.216.80.32    52.216.80.40    52.216.80.56    52.216.80.64    52.216.80.72    52.216.80.8   52.216.80.88    52.216.80.96   52.216.80.104   52.216.80.112   52.216.80.120   52.216.80.128   52.216.80.136   52.216.80.144   52.216.80.152   52.216.80.160   52.216.80.168   52.216.80.17  52.216.80.184   52.216.80.192   52.216.80.200   52.216.80.208   52.216.80.216   52.216.80.224   52.216.80.232   52.216.80.248     52.216.81.0     52.216.81.8    52.216.81.16    52.216.81.2   52.216.81.32    52.216.81.40    52.216.81.48    52.216.81.56    52.216.81.64    52.216.81.72    52.216.81.80    52.216.81.88    52.216.81.96   52.216.81.104   52.216.81.112   52.216.81.12  52.216.81.128   52.216.81.136   52.216.81.139   52.216.81.144   52.216.81.152   52.216.81.160   52.216.81.168   52.216.81.176   52.216.81.184   52.216.81.192   52.216.81.200   52.216.81.20  52.216.81.216   52.216.81.232   52.216.81.240   52.216.81.248     52.216.82.0     52.216.82.8    52.216.82.16    52.216.82.24    52.216.82.32    52.216.82.40    52.216.82.48    52.216.82.5   52.216.82.64    52.216.82.72    52.216.82.80    52.216.82.88    52.216.82.96   52.216.82.104   52.216.82.120   52.216.82.128   52.216.82.136   52.216.82.144   52.216.82.152   52.216.192.1  52.216.192.24   52.216.192.32   52.216.192.40    52.216.224.0    52.216.224.8   52.216.224.16   52.216.224.19   52.216.224.24   52.216.224.32   52.216.224.40   52.216.224.43   52.216.224.4  52.216.224.56   52.216.224.64   52.216.224.72   52.216.224.80   52.216.224.88   52.216.224.96  52.216.224.104  52.216.224.112  52.216.224.120  52.216.224.128  52.216.224.136  52.216.224.14 52.216.224.152  52.216.224.160  52.216.224.168  52.216.224.176  52.216.224.184  52.216.224.200  52.216.224.208  52.216.224.216  52.216.224.224  52.216.224.232  52.216.224.240    52.216.225.  52.216.225.16   52.216.225.24   52.216.225.80   52.216.225.88   52.216.225.96  52.216.225.104  52.216.225.112  52.216.225.120  52.216.225.128  52.216.225.136  52.216.225.144  52.216.225.15 52.216.225.160  52.216.225.168  52.216.225.176  52.216.225.184  52.216.225.192  52.216.225.200  52.216.225.208  52.216.225.216  52.216.225.224  52.216.225.232  52.216.225.240  52.216.225.24   52.216.226.0    52.216.226.8   52.216.226.16   52.216.226.24   52.216.226.32   52.216.226.40   52.216.226.48   52.216.226.56   52.216.226.64   52.216.226.80   52.216.226.88   52.216.226.9 52.216.226.104  52.216.226.112  52.216.226.120  52.216.226.128  52.216.226.136  52.216.226.152  52.216.226.160  52.216.226.168  52.216.226.176  52.216.226.184  52.216.226.192  52.216.226.20 52.216.226.208  52.216.226.216  52.216.226.224  52.216.226.232  52.216.226.240  52.216.226.248    52.216.227.0    52.216.227.8   52.216.227.16   52.216.227.24   52.216.227.32   52.216.227.4  52.216.227.48   52.216.227.56   52.216.227.64   52.216.227.72   52.216.227.80   52.216.227.88   52.216.227.96  52.216.227.104  52.216.227.120  52.216.227.128  52.216.227.136   52.218.20.11  52.218.48.249     54.77.36.39   54.148.59.150   54.171.39.149   54.171.53.100   54.187.98.195   54.201.188.11    54.213.76.99   54.231.11.112   54.231.11.120   54.231.11.128   54.231.11.13  54.231.11.144   54.231.11.152    54.231.32.83    54.231.32.91    54.231.32.99   54.231.32.107   54.231.32.115   54.231.32.123   54.231.33.131   54.231.33.139   54.231.33.147   54.231.33.15
<snip>
 due to exceeding posting characters  limit
 
IPSET NetflixUSA Total:  784

Hmm I wonder if any of my collated NetFlixUSA IPSET addresses appear in the OP CIDR list?;)
 
@Martineau, by any chance that you can share that IPSET_list.sh file that collates the Netflix CIDR? I created an ipset in the dnsmasq but turned out that wasn't enough, I had to put and update the CIDR that I found of Netflix into my script and it worked. The above mentioned script was working great with Tomato Shibby firmware. With Merlin, I had all of the things you mentioned turn on (made the file executable, turn on the custom script), but it just never automatically run when the router's booted up. Manually called the script then checked the log and it gave that message repeatedly, and others too but too bad I flashed back to Shibby just yesterday before checking this thread cause I needed netflix to work so bad.
 
hvluu said:
,,,any chance that you can share that IPSET_list.sh file that collates the Netflix CIDR?
Click to expand...

My IPSET_List.sh script does not collate anything, it simply helps manage my IPSETs.
It was originally used to simply list 'large' IPSETs in a more efficient manner rather than listing each member on its own line! I subsequently expanded the 'interactive' capabilty so that I could quickly backup/delete either just those IPSETs that were populated, or also backup/delete empty IPSETs so they could be instantly recreated/restored during the boot.
Code: 
./IPSET_List.sh -h

#================================================================================================================
#
#       IPSET_List      [help| [ipset_name | ?] [ sublist [ only ] [ range ] ]
#
#       IPSET_List      ?
#                       Present list of all IPSETs (default if no args), and allow user to select which one to list/save/delete
#                       @prompt: [number [save | delete [force] | list [sublist [ only ] [ range ] ]]]
#                                 where number is #IPSET ('0' means 'ALL populated' '-1' ALL IPSETs i.e. even empty ones!)
#
#       IPSET_List      Gmail
#                       List horizontally the Gmail ipset sorted by ascending IP
#
#                       IPSET Gmail==>
#                            74.125.206.108   74.125.206.109   172.217.23.37   216.58.201.37   216.58.204.5   216.58.208.165
#                            IPSET Gmail Total:  6 (Sublist count=1)
#
#       IPSET_List      Gmail sublist only
#                       List only the Gmail ipset sublists, each as a CSV list
#
#                       IPSET Gmail==>
#                            [74.125.206.108,74.125.206.109]   Index=3
#                            IPSET Gmail Total:  6 (Sublist count=1) only
#
#       IPSET_List      Gmail sublist only range
#                       List only the Gmail ipset sublists but reduce the CSV list to a two-element range
#
#                       IPSET Gmail==>
#                            [74.125.206.108-74.125.206.109]  Index=3
#                            IPSET Gmail Total:  6 (Sublist count=1) only
#
# as opposed to standard listing

hvluu said:
I had to put and update the CIDR that I found of Netflix into my script and it worked.
Click to expand...

Collating/adding 'published' Netflix CIDRs from websites can be as simple as this one line 'psuedo' script,

i.e. simply cut'n'paste the following into the command line:
Code: 
netsv4=`curl http://ipinfo.io/AS2906  2>/dev/null | grep -E "a href.*AS2906\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset
netsv4
and it should list both Netflix IPv4 and IPv6 CIDR ranges...which can then be simply piped into appropriate 'ipset add' commands. (Simply repeat for all other Netflix URLs).

If your script still fails to execute correctly then usually there are 5 common reasons (well 6 if you count shoddy coding/subtle changes in command syntax or module pre-reqs between firmwares etc.)

1. Is the file location/name correct? - Asuswrt-Merlin system scripts that are called by Rmerlin's firmware e.g. firewall-start do not have the .sh suffix.
2. Did you chmod +x the script?
3. Is the script in Unix format? if unsure run 'dos2unix /jffs/scripts/script_file_name'
4 Is the file encoded correctly? i.e. usually occurs when cut'n'paste into the script on the router is incorrect.
5. Does the first line only contain #!/bin/sh etc.? - sometimes just deleting and retyping fixes stuff.

Good Luck.
 
Last edited:
You must log in or register to reply here.

Similar threads

G
VPN Client with Public IP, split tunnel web server over VPN and other traffic not on the VPN
Replies
4
Views
800
Grefyne
G
GShlomi
Sharing my DualWan with port forwarding and DDNS experience
Replies
0
Views
429
GShlomi
GShlomi
A
Policy-based port routing to bypass NordVPN client
Replies
10
Views
2K
Don->
D
Jack-Sparr0w
Paste Debug, Does this look alright?
Replies
0
Views
215
Jack-Sparr0w
Jack-Sparr0w
Jack-Sparr0w
Paste this code, does it look ok
Replies
0
Views
367
Jack-Sparr0w
Jack-Sparr0w
Similar threads
Thread starter Title Forum Replies Date
staralfur12 Need help with Namecheap -> Router -> Caddy Asuswrt-Merlin 10
P Asus aimesh node disconnects frequently, corresponding log entries recorded. Need help understanding the log. Asuswrt-Merlin 5
StrikerXXX Need help configuring NextDNS Asuswrt-Merlin 14
W Need help to resolve VPN Director issue Asuswrt-Merlin 27
D Need help Asuswrt-Merlin 1
M Need help troubleshooting on FTP Asuswrt-Merlin 0
R Need help setting up DLNA server Asuswrt-Merlin 8
C Solved Need help with nat-start scripts Asuswrt-Merlin 3
G Need help with VPN Asuswrt-Merlin 2
C Need some help with a DHCP problem Asuswrt-Merlin 9

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 907 (members: 47, guests: 860)
Top