Policy Rules or Selective Routing Question

[yorgi]

I do have another question. Under LAN, DNS and WINS Server Settings, should I be using the VPNs DNS IP addresses or use Google, OpenDNS etc?

Thank you very much for your help!!

Do not put any DNS in that area leave it alone. The VPN client will get its DNS from the Server.
Google is only for local ISP if you use Google for your VPN you would be leaking DNS and telling google everything you are doing, which is not the purpose of your VPN
I was about to tell you the same thing since you finally said you had 2 routers in play.
Easiest way is to have one router set as 192.168.1.1 and the other router 192.168.2.1
Router A is plugged to the Modem and router B is from LAN out of A to WAN in on B
.1.1 will be local ISP with DHCP enabled and its own wi fi and 2.1 will have its own DHCP and wi fi
this way you have 2 separate routers sharing the same modem.
This is probably your best option as you can just change ssid and have VPN or local ISP
I am not sure how you set it up.

 

[RSJ]

Apologies, I left that part out since I had already set it up that way and just assumed I could use the selective routing on the Asus to automatically switch from VPN to ISP. It's a bummer that it won't work, but the setup (which is exactly how you described above) will work fine. Again, thanks for all your help. I first came across this forum just doing Google searches on how to set up the VPN to work with PIA. I just realized it was your guide that stepped me through the entire process and saved me many headaches. Thank you very much for that!! Your posting made it an absolute breeze!! This is an amazing forum.

 

[Xentrk]

There are still a few VPN providers that are able to circumvent Netflix and Hulu VPN blocks so you avoid the work arounds. The one I use provides me a private IP for a little extra fee.

http://best10vpn.com/which-vpns-work-with-netflix-mid-2016-update/

 

[yorgi]

Well, I have found a working solution and it was in front of me the entire time. I pretty much talked through it in my previous reply and then it hit me later. It's simple and is already in place! Even though I was hoping I could accomplish this on the router and have it done automatically, the work around is simply to change which SSID I'm connected to and that's all that's needed. When I connect to the FIOS router I can connect to Netflix and Hulu just fine and then when I connect to the VPN everything is encrypted for my Kodi. It's too bad it couldn't be done on the router, but with Netflix continuing their crack down on VPNs I guess this is my next best option.

I do have another question. Under LAN, DNS and WINS Server Settings, should I be using the VPNs DNS IP addresses or use Google, OpenDNS etc?

Thank you very much for your help!!

I am glad you figured it out. but you can still get VPN services that work with netflix.http://top5-vpn.com/?gclid=CMb_7vLq3M8CFc5Zhgod_8wJFg
many companies claim that their service works with netflix.
PIA is going bankrupt so they are completely out of the race.
some hired CEO apparently robbed them blind so just because PIA is going nowhere with this issues doesn't mean that its a dead issue.
try other companies and you will see that its easier then you think

 

[john9527]

PIA is going bankrupt so they are completely out of the race.
some hired CEO apparently robbed them blind

Do you have a reference? Couldn't find anything about this with a quick search.

 

[yorgi]

Do you have a reference? Couldn't find anything about this with a quick search.

http://best10vpn.com/is-private-internet-access-broke/

 

[RMerlin]

http://best10vpn.com/is-private-internet-access-broke/

This article uses the words "an interesting theory" and "this is our speculations", so I wouldn't take it as entirely factual. A lot of it also is "I heard from a guy who heard from a guy".

 

[yorgi]

This article uses the words "an interesting theory" and "this is our speculations", so I wouldn't take it as entirely factual. A lot of it also is "I heard from a guy who heard from a guy".

LOL i don't dispute but this is what I read. There are a lot of things mentioned in that article that are true, for example no more live tech support and the fact they don't support netflix is a bummer. Other companies are supporting it and I am sure PIA is loosing a lot of customers.
I am also not so sure about their Speeds. I only have a 15mb/s up and down so I cant get up there in the super high speeds but I can tell you that my buddy is on videotron and has a 30mb/s and has no problem reaching his ISP speeds on VPN.

 

[Xentrk]

Torguard has been working good for me. I pay a little extra to have a private IP address. I worked with them to give me an IP on the west coast as that gives me the best ping time and download speed from Thailand compared to an IP in the Midwest. I don't use encryption as my primary requirements are streaming media from a Roku 4. The Torguard clients work well on my devices when I am traveling.

 

[p1r473]

I am using this script to bypass Netflix.

#!/bin/sh

# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
# Debug:
# sleep 2
# touch /tmp/000wanstarted
# logger "openvpn-event event called"

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
#All devices bypass VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#ShieldTV uses VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.190 -j MARK --set-mark 0

#Netflix bypass VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.177.0-107.20.177.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.154.0-107.20.154.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 174.129.2.0-174.129.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 75.101.139.0-75.101.139.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.243.253.0-54.243.253.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 50.19.210.0-50.19.210.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.23.191.0-23.23.191.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.2.0-54.204.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.43.0-54.204.43.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.225.192.0-54.225.192.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.21.190.0-23.21.190.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.151.0-107.20.151.255 -j MARK --set-mark 1

exit 1

 

[yorgi]

I am using this script to bypass Netflix.

#!/bin/sh

# This code goes in the WAN UP section of the Tomato GUI.
# This code based on the contributions from this thread:
# http://www.linksysinfo.org/index.php?threads/route-only-specific-ports-through-vpn-openvpn.37240/
#
# And from material in these articles:
# http://linux-ip.net/html/adv-multi-internet.html
# http://fedorasolved.org/Members/kanarip/iptables-howto
#
# This script configures "selective" VPN routing. Normally Tomato will route ALL traffic out
# the OpenVPN tunnel. These changes to iptables allow some outbound traffic to use the VPN, and some
# traffic to bypass the VPN and use the regular Internet instead.
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING
#
# Debug:
# sleep 2
# touch /tmp/000wanstarted
# logger "openvpn-event event called"

#
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:
#
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 0 > $i
done

#
# Delete and table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
#
ip route show table main | grep -Ev ^default | grep -Ev tun11\
| while read ROUTE ; do
ip route add table 100 $ROUTE
done
ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#
#All devices bypass VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

#ShieldTV uses VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.190 -j MARK --set-mark 0

#Netflix bypass VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.177.0-107.20.177.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.154.0-107.20.154.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 174.129.2.0-174.129.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 75.101.139.0-75.101.139.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.243.253.0-54.243.253.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 50.19.210.0-50.19.210.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.23.191.0-23.23.191.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.2.0-54.204.2.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.204.43.0-54.204.43.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 54.225.192.0-54.225.192.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 23.21.190.0-23.21.190.255 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 107.20.151.0-107.20.151.255 -j MARK --set-mark 1

exit 1

You should also disable the VPN and test this script to see if it leaks your IP. Otherwise you will need to place another script for the firewall that if VPN access drops then it will stop traffic until VPN resumes. if you leak IP when the VPN tunnel goes down let me know and i will give you a firewall script to fix that. When you use scripts they can override rules set in place by policy rules so make sure you check everything before you trust any scripts

 

[p1r473]

You should also disable the VPN and test this script to see if it leaks your IP. Otherwise you will need to place another script for the firewall that if VPN access drops then it will stop traffic until VPN resumes. if you leak IP when the VPN tunnel goes down let me know and i will give you a firewall script to fix that. When you use scripts they can override rules set in place by policy rules so make sure you check everything before you trust any scripts

I found this script for use for the firewall on the wiki I can use!
#!/bin/sh

sleep 4

iptables -I FORWARD -i br0 -o tun11 -j ACCEPT
iptables -I FORWARD -i tun11 -o br0 -j ACCEPT
iptables -I FORWARD ! -o tun11 -s 192.168.xx.xxx -j DROP
iptables -I FORWARD ! -o tun11 -s 192.168.xx.xxx -j DROP
iptables -I INPUT -i tun11 -j REJECT
iptables -t nat -A POSTROUTING -o tun11 -j MASQUERADE

chmod a+rx /jffs/scripts/firewall-start

 

[kman]

Apologies in advance for resurrecting an old thread. I am trying to route Amazon Prime video through WAN, but can't figure the IP range. Can anyone please help. What I guessed through nslookup

Prime 1 0.0.0.0 72.21.0.0/24 WAN
Prime 2 0.0.0.0 52.94.0.0/24 WAN

Thanks.

 

[Xentrk]

Apologies in advance for resurrecting an old thread. I am trying to route Amazon Prime video through WAN, but can't figure the IP range. Can anyone please help. What I guessed through nslookup

Prime 1 0.0.0.0 72.21.0.0/24 WAN
Prime 2 0.0.0.0 52.94.0.0/24 WAN

Thanks.

I got a few more than you did when doing nslookup from USA location:

nslookup www.amazon.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.amazon.com
Address 1: 52.85.95.59 server-52-85-95-59.jfk5.r.cloudfront.net


nslookup amazon.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      amazon.com
Address 1: 54.239.17.6
Address 2: 54.239.26.128
Address 3: 54.239.25.208
Address 4: 54.239.25.192
Address 5: 54.239.17.7
Address 6: 54.239.25.200

I recommend this method to find the IP addresses.
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-318141

 

[kman]

I got a few more than you did when doing nslookup from USA location:

nslookup www.amazon.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.amazon.com
Address 1: 52.85.95.59 server-52-85-95-59.jfk5.r.cloudfront.net


nslookup amazon.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      amazon.com
Address 1: 54.239.17.6
Address 2: 54.239.26.128
Address 3: 54.239.25.208
Address 4: 54.239.25.192
Address 5: 54.239.17.7
Address 6: 54.239.25.200

I recommend this method to find the IP addresses.
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-318141

Thank you! A really basic question for you, how do I issue the "create" command. Seems like I don't have that package installed. I am getting

-sh: create: not found

Also, to remove the ipset in the future, is this valid?

ipset destroy <Set name>

 

[Xentrk]

Thank you! A really basic question for you, how do I issue the "create" command. Seems like I don't have that package installed. I am getting

-sh: create: not found

Also, to remove the ipset in the future, is this valid?

ipset destroy <Set name>

ipset create SETNAME hash:net family inet hashsize 1024 maxelem 65536

The destroy has not worked for me. I always get an error message that the set is in use! I have to reboot to clear the scripts and comment out the start of any start up scripts that create the ipset lists if I want a clean slate

 

[kman]

ipset create SETNAME hash:net family inet hashsize 1024 maxelem 65536

The destroy has not worked for me. I always get an error message that the set is in use! I have to reboot to clear the scripts and comment out the start of any start up scripts that create the ipset lists if I want a clean slate

Thanks. I'm facing the following error now. Any idea?

admin@RT-AC68U:/tmp/home/root# nano -w /jffs/configs/dnsmasq.conf.add

### Amazon Prime
ipset=/primevideo.com/www.primevideo.com/amazon.com/www.amazon.com/AmazonPrime

admin@RT-AC68U:/tmp/home/root# service restart_dnsmasq

Done.
admin@RT-AC68U:/tmp/home/root# ipset create AmazonPrime hash:net family inet hashsize 1024 maxelem 65536
admin@RT-AC68U:/tmp/home/root# ipset list AmazonPrime
admin@RT-AC68U:/tmp/home/root# nslookup www.primevideo.com
admin@RT-AC68U:/tmp/home/root# ip rule add from 0/0 fwmark 0x7000 table main prio 9990
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set AmazonPrime dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.