Selective Routing for Netflix

I cleaned up the script on the check for the shared whitelist file and incorporated @Martineau's code on the entware check. I liked the way it worked in my testing scenarios. Excellent code @Martineau. Very thorough.

Thinking about skipping the download of the Amazon AWS json file if it already exists. A cron job entry would be required to execute a separate script that downloads the file once per day to keep the file updated. I download the json file once per day on my pfSense router and I have not had any issues.

Perhaps the reason the script did not work for some early adopters is the ASN I used for Amazon may have only included USA regions whereas the json file includes all global locations. So, this should work for Netflix users around the globe. I'll do a comparison when time allows to verify my hypothesis.

@robahearts , let me know how it works for you.

Code:
#!/bin/sh
####################################################################################################
# Script: IPSET_Netflix.sh
# Author: Xentrk
# 4-Mar-2018 Version 3.2
# Collaborators: @Martineau, @thelonelycoder, @Adamm
#
# Thank you to @Martineau on snbforums.com for educating myself and others on Selective
# Routing using Asuswrt-Merlin firmware.
#
#####################################################################################################
# Script Description:
#
# The purpose of this script is for selective routing of Netflix traffic using
# Autonomous System Numbers (ASNs). ASNs are assigned to entities such as Internet
# Service Providers and other large organizations that control blocks of IP addresses.
#
# Netflix and other services that use Amazon AWS servers are blocking VPN's.
#
# This script will
#   1. Create shared whitelist entry for ipinfo.io in /jffs/shared-SelectiveRouting-whitelist for use by AB-Solution and Skynet.
#      Otherwise, ipinfo.io may be blocked and the script will not work.
#   2. Obtain the IPv4 addresses used by Netflix (AS2906) from ipinfo.io and by Amazon AWS from ip-ranges.json.
#      IPv6 addresses are excluded in this version.
#   3. Create the IPSET lists NETFLIX and AMAZONAWS
#   4. Add the IPv4 addresses to the IPSET lists
#   5. Route IPv4 addresses in the IPSET lists to the WAN interface.
#
# Note 1: IPSET syntax differs between version 6 and 4.5
#             Syntax for ipset v6
#                ipset create WAN0 list:set
#                ipset add WAN0 setlist (e.g. SPEEDTEST)
#             for routers running ipset v4.5 (ipset -V)
#                ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: In the event one needs to use IPv6 in the future, the syntax is: ipset -N NETFLIX-v6 hash:net family ipv6
#
# Note 3: Troubleshooting
#
#            You can use these sites for AS validation and troubleshooting to lookup ASNs:
#
#               https://bgp.he.net/AS16509 (Click on the prefixes tab to view IP addresses)
#               http://ipinfo.io/AS2906
#
# Note 4: Required OpenVPN Client Settings
#
#         - Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
#         - Others?
#
#######################################################################
logger -t "($(basename "$0"))" $$ "Starting IPSET_Netflix.sh... $0${*:+ $*}."

# Uncomment for debugging
# set -x

# Prevent script from running concurrently when called from nat-start

PROGNAME=$(basename "$0")
LOCKFILE_DIR=/tmp
LOCK_FD=200

lock() {
    local prefix=$1
    local fd=${2:-$LOCK_FD}
    local lock_file=$LOCKFILE_DIR/$prefix.lock

    # create lock file
    eval "exec $fd>$lock_file"

    # acquire the lock (non-blocking; fail if another instance holds it)
    flock -n $fd \
        && return 0 \
        || return 1
}

eexit() {
    local error_str="$@"
    echo $error_str
    exit 1
}

main() {
    lock $PROGNAME \
        || eexit "Only one instance of $PROGNAME can run at one time."

# Create shared-SelectiveRouting-whitelist file if one does not exist
# to prevent ipinfo.io from being blocked by AB-Solution and Skynet

if [ ! -s "/jffs/shared-SelectiveRouting-whitelist" ];then
# create shared white list for ABS and Skynet
  echo "ipinfo.io" > /jffs/shared-SelectiveRouting-whitelist
fi

ipset create NETFLIX hash:net family inet hashsize 1024 maxelem 65536

#Pull all IPv4s listed for Netflix USA - AS2906
netsv4=`curl http://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
  ipset add NETFLIX $net
done
unset netsv4

# Prevent the Entware utility jq from executing until Entware has mounted
# Chk_Entware function provided by @Martineau

Chk_Entware () {

    # ARGS [wait attempts] [specific_entware_utility]

    local READY=1                   # Assume Entware Utilities are NOT available
    local ENTWARE="opkg"
    ENTWARE_UTILITY=                # Specific Entware utility to search for
    local MAX_TRIES=30

    if [ ! -z "$2" ] && [ ! -z "$(echo $2 | grep -E '^[0-9]+$')" ];then
        local MAX_TRIES=$2
    fi
 
    if [ ! -z "$1" ] && [ -z "$(echo $1 | grep -E '^[0-9]+$')" ];then
        ENTWARE_UTILITY=$1
    else
        if [ -z "$2" ] && [ ! -z "$(echo $1 | grep -E '^[0-9]+$')" ];then
            MAX_TRIES=$1
        fi
    fi

   # Wait up to (default) 30 seconds to see if Entware utilities available.....
   local TRIES=0

   while [ $TRIES -lt $MAX_TRIES ];do
      if [ ! -z "$(which $ENTWARE)" ] && [ "$($ENTWARE -v | grep -o "version")" = "version" ];then
         if [ ! -z "$ENTWARE_UTILITY" ];then            # Specific Entware utility installed?
            if [ ! -z "$($ENTWARE list-installed $ENTWARE_UTILITY)" ];then
                READY=0                                 # Specific Entware utility found
            else
                # Not all Entware utilities exist as a stand-alone package e.g. 'find' is in package 'findutils'
                if [ -d /opt ] && [ ! -z "$(find /opt/ -name $ENTWARE_UTILITY)" ];then
                  READY=0                               # Specific Entware utility found
                fi
            fi
         else
            READY=0                                     # Entware utilities ready
         fi
         break
      fi
      sleep 1
      logger -st "($(basename "$0"))" $$ "Entware" $ENTWARE_UTILITY "not available - wait time" $((MAX_TRIES - TRIES - 1)) "secs left"
      local TRIES=$((TRIES + 1))
   done
 
   return $READY
}

Chk_Entware 'jq' || { echo -e "\a***ERROR*** Entware" $ENTWARE_UTILITY  "not available";exit 99; }

# Download Amazon AWS json file
wget https://ip-ranges.amazonaws.com/ip-ranges.json -O /jffs/scripts/ip-ranges.json

# Create IPSET lists
ipset create AMAZONAWS hash:net family inet hashsize 1024 maxelem 65536

#Pull all IPv4s listed for Amazon AWS

for IPv4 in `jq -r '.prefixes | .[].ip_prefix' < /jffs/scripts/ip-ranges.json`
do
  ipset add AMAZONAWS $IPv4
done
unset IPv4

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
ip rule del prio 9990 > /dev/null 2>&1
ip rule add from 0/0 fwmark 0x7000/0x7000 table main prio 9990

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000

logger -t "($(basename "$0"))" $$ "Ending IPSET_Netflix.sh... $0${*:+ $*}."
}
main
 
Thank you for the praise of my coding skills, :) but unlike some :rolleyes: , I never assume anything when it comes to programming.;)

NOTE: Perhaps you could modify your script to check if the IPSETs already exist (or need to be physically flushed) for the case where nat-start executes outside of the boot sequence?
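As an added example (not IPSET_Netflix.sh's own code), the helpers below cover two points raised in this thread: the once-a-day download of ip-ranges.json mentioned earlier, and the check above for sets and rules that already exist when nat-start runs outside the boot sequence. They assume ipset v6 syntax, an iptables that supports -C (check), and a find that supports -mtime; the /opt/var path in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example (not part of IPSET_Netflix.sh): helpers that make a nat-start
# re-run safe when the sets and rules already exist, plus a freshness check so
# ip-ranges.json is fetched once a day instead of on every WAN bounce.
# Assumes ipset v6 syntax, iptables with -C, and a find that supports -mtime;
# set names, the fwmark and the LAN interface mirror the script above.

MARK='0x7000/0x7000'
LAN_IF='br0'

# Create NAME as an empty hash:net set, or flush it if it already exists.
# Flushing (rather than skipping) drops prefixes that are no longer published,
# so the set does not accumulate stale ranges across re-runs.
create_or_flush_set() {
    name=$1
    if ipset -n list "$name" >/dev/null 2>&1; then
        ipset flush "$name"
    else
        ipset create "$name" hash:net family inet hashsize 1024 maxelem 65536
    fi
}

# Append the mangle MARK rule for SETNAME only if an identical rule is not
# already present (iptables -C returns 0 when it is). This avoids the
# duplicate rules a plain -A produces on every re-run, without the short
# window in which -D followed by -A leaves no rule in place at all.
ensure_mark_rule() {
    setname=$1
    iptables -t mangle -C PREROUTING -i "$LAN_IF" -p tcp -m set \
        --match-set "$setname" dst,dst -j MARK --set-mark "$MARK" 2>/dev/null \
    || iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m set \
        --match-set "$setname" dst,dst -j MARK --set-mark "$MARK"
}

# Return 0 if FILE exists, is non-empty and was modified less than MAX_DAYS
# (default 1) days ago; find prints the path only when the age test matches.
json_is_fresh() {
    file=$1
    max_days=${2:-1}
    [ -s "$file" ] || return 1
    [ -n "$(find "$file" -mtime -"$max_days" 2>/dev/null)" ]
}

# Fetch URL into FILE only when the cached copy is missing or stale, writing
# to a temporary name first so a failed download never truncates a good copy.
refresh_json() {
    url=$1
    file=$2
    if json_is_fresh "$file"; then
        return 0
    fi
    wget -q "$url" -O "$file.tmp" && mv "$file.tmp" "$file"
}

# Typical use from the script's main() (path is illustrative):
#   refresh_json https://ip-ranges.amazonaws.com/ip-ranges.json /opt/var/ip-ranges.json
#   create_or_flush_set NETFLIX
#   create_or_flush_set AMAZONAWS
#   ... the existing "ipset add" loops ...
#   ensure_mark_rule NETFLIX
#   ensure_mark_rule AMAZONAWS
```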
 
Thank you for the praise of my coding skills, :) but unlike some :rolleyes: , I never assume anything when it comes to programming.;)

NOTE: Perhaps you could modify your script to check if the IPSETs already exist (or need to be physically flushed) for the case where nat-start executes outside of the boot sequence?
Great idea.

Thinking about the location of the json file. It is probably best practice to store a file that is downloaded daily on a USB partition, if the user has one, rather than in /jffs/scripts. Journalling flash file systems were designed to minimize frequent overwrites, and there was a concern that frequently changing files, such as log files that are updated often, were known to cause flash wear-out over time. But the json file is being overwritten once per day rather than being written to multiple times throughout the day. Not sure if the frequent-write concern still applies to routers built in the past five years.
 
Great idea.

Thinking about the location of the json file. Probably best practice to store a file that is downloaded daily to a USB partition if the user has one rather than /jffs/scripts. journalling flash file system were designed to minimize frequent overwrites and a concern that frequent changing files, such as often being updated log files, were known to cause flash wear-out over time. But the json file is being overwritten once per day rather than being written to multiple times throughout the day. Not sure if the frequent write concern still applies to routers built in the past five years.

Use /tmp/ rather than /jffs/ but as your script requires Entware then use /opt/ ;)
 
Hi.
Sorry for my question, but I'm a newbie.
I created the script under jffs/scripts, copied and pasted from your example. All OK, without problems. But before I execute it I would like to know: if, for any reason, something goes wrong after I execute the script, how do I get back to the situation without this script? If I save my cfg before applying the script and then restore the saved cfg file, does everything come back as it was before the script installation, or is there another way? Thanks in advance.
 
Hi.
sorry for my question but i'm a newbie.
I created the script under my jjfs/script pasted and copied your example. All ok, without problem. But before to execute it i would like to know, after i execute the script, if for any reason something go wrong, how i come back in the situation without this script? if i save my cfg before to apply the script, if i install the cfg file saved, all come back like before the script istallation or there is another way? Thanks in advance.
As long as you don't call the script from nat-start, you can go to the WAN tab and select the Apply button. That should clear everything. If you call the script from nat-start, rename or delete nat-start before bouncing the WAN interface. A reboot will do the same thing.
 
Are there any other sites like ipinfo.io? It seems to have been acquired by MyIP Expert completely ruining the functionality.
 
Are there any other sites like ipinfo.io? It seems to have been acquired by MyIP Expert completely ruining the functionality.
Was the script working before? And now you are getting an error from ipinfo.io? Can you provide the error msg? I am traveling and not in a position to test it on my router right now.

ipinfo.io may have changed the code on their website and the script may just require an update for the values it looks for to pull the ip addresses.

ultratools.com and mxtoolbox.com may be viable alternatives. I will need to research this to verify. Changes to the script may be required.
 
I didn't have the script setup before. I was going to use it for a few other purposes. The problem is every ipinfo.io page redirects to www.myipexpert.com, which doesn't have the same functionality.

curl http://ipinfo.io/AS2906
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
 
I didn't have the script setup before. I was going to use it for a few other purposes. The problem is every ipinfo.io page redirects to www.myipexpert.com, which doesn't have the same functionality.

curl http://ipinfo.io/AS2906
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
Thank you. I should have time to perform some analysis tonight.
 
I didn't have the script setup before. I was going to use it for a few other purposes. The problem is every ipinfo.io page redirects to www.myipexpert.com, which doesn't have the same functionality.

curl http://ipinfo.io/AS2906
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>
Thank you for your patience. I was not able to work on this during my recent travels. I ran the 3.2 version of the script. I did not get any errors, but the NETFLIX ipset list did not get populated. I then went to ipinfo.io/AS2906 to view the source code to see if changes were required to the sed or grep syntax. I then noticed the URL for ipinfo.io had https rather than http. I was able to get the NETFLIX ipset list to populate once I changed the code to reference https://ipinfo.io/AS2906 rather than http://ipinfo.io/AS2906. Here is the updated code.

Code:
#!/bin/sh
####################################################################################################
# Script: IPSET_Netflix.sh
# Author: Xentrk
# 12-Apr-2018 Version 3.3
# Collaborators: @Martineau, @thelonelycoder, @Adamm
#
# Thank you to @Martineau on snbforums.com for educating myself and others on Selective
# Routing using Asuswrt-Merlin firmware.
#
#####################################################################################################
# Script Description:
#
# The purpose of this script is for selective routing of Netflix traffic using
# Autonomous System Numbers (ASNs). ASNs are assigned to entities such as Internet
# Service Providers and other large organizations that control blocks of IP addresses.
#
# Netflix and other services that use Amazon AWS servers are blocking VPN's.
#
# This script will
#   1. Create shared whitelist entry for ipinfo.io in /jffs/shared-SelectiveRouting-whitelist for use by AB-Solution and Skynet.
#      Otherwise, ipinfo.io may be blocked and the script will not work.
#   2. Obtain the IPv4 addresses used by Netflix (AS2906) from ipinfo.io and by Amazon AWS from ip-ranges.json.
#      IPv6 addresses are excluded in this version.
#   3. Create the IPSET lists NETFLIX and AMAZONAWS
#   4. Add the IPv4 addresses to the IPSET lists
#   5. Route IPv4 addresses in the IPSET lists to the WAN interface.
#
# Note 1: IPSET syntax differs between version 6 and 4.5
#             Syntax for ipset v6
#                ipset create WAN0 list:set
#                ipset add WAN0 setlist (e.g. SPEEDTEST)
#             for routers running ipset v4.5 (ipset -V)
#                ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: In the event one needs to use IPv6 in the future, the syntax is: ipset -N NETFLIX-v6 hash:net family ipv6
#
# Note 3: Troubleshooting
#
#            You can use these sites for AS validation and troubleshooting to lookup ASNs:
#
#               https://bgp.he.net/AS16509 (Click on the prefixes tab to view IP addresses)
#               https://ipinfo.io/AS2906
#
# Note 4: Required OpenVPN Client Settings
#
#         - Redirect Internet Traffic = Policy Rules or Policy Rules (Strict)
#         - Others?
#
#######################################################################
logger -t "($(basename "$0"))" $$ "Starting IPSET_Netflix.sh... $0${*:+ $*}."

# Uncomment for debugging
# set -x

# Prevent script from running concurrently when called from nat-start

PROGNAME=$(basename "$0")
LOCKFILE_DIR=/tmp
LOCK_FD=200

lock() {
    local prefix=$1
    local fd=${2:-$LOCK_FD}
    local lock_file=$LOCKFILE_DIR/$prefix.lock

    # create lock file
    eval "exec $fd>$lock_file"

    # acquire the lock (non-blocking; fail if another instance holds it)
    flock -n $fd \
        && return 0 \
        || return 1
}

eexit() {
    local error_str="$@"
    echo $error_str
    exit 1
}

main() {
    lock $PROGNAME \
        || eexit "Only one instance of $PROGNAME can run at one time."

# Create shared-SelectiveRouting-whitelist file if one does not exist
# to prevent ipinfo.io from being blocked by AB-Solution and Skynet

if [ ! -s "/jffs/shared-SelectiveRouting-whitelist" ];then
# create shared white list for ABS and Skynet
  echo "ipinfo.io" > /jffs/shared-SelectiveRouting-whitelist
fi

ipset create NETFLIX hash:net family inet hashsize 1024 maxelem 65536

#Pull all IPv4s listed for Netflix USA - AS2906
netsv4=`curl https://ipinfo.io/AS2906 2>/dev/null | grep -E "a href.*2906\/" | grep -v ":" |sed 's/^.*\">//; s/<.*//; /^\s*$/d'`
for net in $netsv4
do
  ipset add NETFLIX $net
done
unset netsv4

# Prevent the Entware utility jq from executing until Entware has mounted
# Chk_Entware function provided by @Martineau

Chk_Entware () {

    # ARGS [wait attempts] [specific_entware_utility]

    local READY=1                   # Assume Entware Utilities are NOT available
    local ENTWARE="opkg"
    ENTWARE_UTILITY=                # Specific Entware utility to search for
    local MAX_TRIES=30

    if [ ! -z "$2" ] && [ ! -z "$(echo $2 | grep -E '^[0-9]+$')" ];then
        local MAX_TRIES=$2
    fi
 
    if [ ! -z "$1" ] && [ -z "$(echo $1 | grep -E '^[0-9]+$')" ];then
        ENTWARE_UTILITY=$1
    else
        if [ -z "$2" ] && [ ! -z "$(echo $1 | grep -E '^[0-9]+$')" ];then
            MAX_TRIES=$1
        fi
    fi

   # Wait up to (default) 30 seconds to see if Entware utilities available.....
   local TRIES=0

   while [ $TRIES -lt $MAX_TRIES ];do
      if [ ! -z "$(which $ENTWARE)" ] && [ "$($ENTWARE -v | grep -o "version")" = "version" ];then
         if [ ! -z "$ENTWARE_UTILITY" ];then            # Specific Entware utility installed?
            if [ ! -z "$($ENTWARE list-installed $ENTWARE_UTILITY)" ];then
                READY=0                                 # Specific Entware utility found
            else
                # Not all Entware utilities exist as a stand-alone package e.g. 'find' is in package 'findutils'
                if [ -d /opt ] && [ ! -z "$(find /opt/ -name $ENTWARE_UTILITY)" ];then
                  READY=0                               # Specific Entware utility found
                fi
            fi
         else
            READY=0                                     # Entware utilities ready
         fi
         break
      fi
      sleep 1
      logger -st "($(basename "$0"))" $$ "Entware" $ENTWARE_UTILITY "not available - wait time" $((MAX_TRIES - TRIES - 1)) "secs left"
      local TRIES=$((TRIES + 1))
   done
 
   return $READY
}

Chk_Entware 'jq' || { echo -e "\a***ERROR*** Entware" $ENTWARE_UTILITY  "not available";exit 99; }

# Download Amazon AWS json file
wget https://ip-ranges.amazonaws.com/ip-ranges.json -O /jffs/scripts/ip-ranges.json

# Create IPSET lists
ipset create AMAZONAWS hash:net family inet hashsize 1024 maxelem 65536

#Pull all IPv4s listed for Amazon AWS

for IPv4 in `jq -r '.prefixes | .[].ip_prefix' < /jffs/scripts/ip-ranges.json`
do
  ipset add AMAZONAWS $IPv4
done
unset IPv4

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
ip rule del prio 9990 > /dev/null 2>&1
ip rule add from 0/0 fwmark 0x7000/0x7000 table main prio 9990

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set NETFLIX dst,dst -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000 > /dev/null 2>&1
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set AMAZONAWS dst,dst -j MARK --set-mark 0x7000/0x7000

logger -t "($(basename "$0"))" $$ "Ending IPSET_Netflix.sh... $0${*:+ $*}."
}
main
I have some updates planned for the script and want to post the next revisions on GitHub. Let me know if the change fixes your issue.
 
Xentrk, thanks for the script and your good work.

However, Netflix still blocks my traffic. Diagnostics results are as follows:

admin@RT-AC5300:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 146K packets, 74M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    43581   33M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        8   633 TTL        all  --  vlan34 *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst,dst MARK or 0x7000
4     3956 1901K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZONAWS dst,dst MARK or 0x7000
admin@RT-AC5300:/tmp/home/root# ip rule
0: from all lookup local
9990: from all fwmark 0x7000/0x7000 lookup main
10001: from 192.168.1.1 lookup main
10002: from 192.168.1.60 lookup main
10003: from 192.168.1.100 lookup main
10101: from 192.168.1.0/24 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
admin@RT-AC5300:/tmp/home/root# ip route show | grep tun
172.21.32.0/23 dev tun11 proto kernel scope link src 172.21.33.145
admin@RT-AC5300:/tmp/home/root# cat /rom/etc/iproute2/rt_tables
100 wan0
111 ovpnc1
112 ovpnc2
113 ovpnc3
114 ovpnc4
115 ovpnc5
200 wan1


Any idea what's going wrong? I'm accessing Netflix from the Netherlands on a Dutch IPvanish VPN server.
 
Netflix still blocks my traffic. Diagnostics results are as follows:
Code:
admin@RT-AC5300:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line

Chain PREROUTING (policy ACCEPT 146K packets, 74M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    43581   33M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        8   633 TTL        all  --  vlan34 *       0.0.0.0/0            0.0.0.0/0            TTL match TTL == 1 TTL set to 64
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst,dst MARK or 0x7000
4     3956 1901K MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZONAWS dst,dst MARK or 0x7000

Any idea what's going wrong? I'm accessing Netflix from the Netherlands on a Dutch IPvanish VPN server.

You don't appear to have any hits on Rule #3

Is the NETFLIX IPSET populated or empty?

Code:
ipset list NETFLIX -t
 
The netflix ip set has 107 entries:

Name: NETFLIX
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 5692
References: 1
Number of entries: 107
 
The netflix ip set has 107 entries:

Name: NETFLIX
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 5692
References: 1
Number of entries: 107

OK, you could simply be using the entries in the AMAZONAWS IPSET (which is getting hits) so I would check the routing
Code:
ip route show table main |  grep -E "^0\.|^128\.|^default|tun1"
 
OK, you could simply be using the entries in the AMAZONAWS IPSET (which is getting hits) so I would check the routing
Code:
ip route show table main |  grep -E "^0\.|^128\.|^default|tun1"
Thanks for helping. It has taken me one week to recover from jet lag.

I have not tested with this entry:
10101: from 192.168.1.0/24 lookup ovpnc1

I have always created static IPs for LAN devices and listed each device separately. The rules above have higher priority so should not be an issue. If AMAZONAWS is not being populated, then we can look to see if the jq package is working properly. I think @EduardS may be the first one to test the script on stock FW.
 
OK, you could simply be using the entries in the AMAZONAWS IPSET (which is getting hits) so I would check the routing
Code:
ip route show table main |  grep -E "^0\.|^128\.|^default|tun1"
result is: default via 84.81.218.1 dev vlan34
 
Thanks for helping. It has taken me one week to recover from jet lag.

I have not tested with this entry:
10101: from 192.168.1.0/24 lookup ovpnc1

I have always created static ip for lan devices and listed each device separately. The rules above have higher priority so should not be an issue. If AMAZOZAWS is not being populated, then we can look to see if jq package is working properly. I think @EduardS may be the first one to test the script on stock FW.
AMAZONAWS is being populated too, 723 entries :eek:

I am not on stock, I'm on Merlin (latest version). Only added skynet and entware. All lan devices have static ip's. In openvpn client I have enabled policy rules and created policies for my router and two NAS's to bypass the VPN tunnel (ip to WAN), all other ip's go through the tunnel (192.168.1.0/24 to VPN).
 
AMAZONAWS is being populated too, 723 entries :eek:

I am not on stock, I'm on Merlin (latest version). Only added skynet and entware. All lan devices have static ip's. In openvpn client I have enabled policy rules and created policies for my router and two NAS's to bypass the VPN tunnel (ip to WAN), all other ip's go through the tunnel (192.168.1.0/24 to VPN).
Thanks for clarifying firmware.. 192.168.1.0/24 is routing all traffic to OpenVPN tunnel. I think this is where the issue may be.

For a test, remove the 192.168.1.0/24 entry. Then, define your laptop or streaming device to use the VPN tunnel using its static IP address. Bounce the WAN interface by doing a save in the Web GUI to refresh everything. If you have the script in nat-start, it will rerun automatically. Or, rerun the script. Then, test to see if Netflix is bypassed.

I'll try the 192.168.1.0/24 entry on my router later today to see if I can duplicate your issue.
 
Removed policy rule 192.168.1.0/24, added my laptop, saved in webgui, rerun script, netflix still blocks the traffic on using a proxy/unblocker. Attached some logs.
 

Attachments

  • router_logs.txt
    111 KB · Views: 500
Similar threads
Thread starter Title Forum Replies Date
H Routing wireguard VPN 0
dougm [solved] PFSense+OpenVPN: Problems Routing Specific VLAN traffic out VPN VPN 1

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top