Selective Routing for Netflix


That worked a treat, thanks! BBC iPlayer now works (after I found out the hard way that copying code into Sublime screws with the format).

I copied again to add SkyGo but failed.

The SkyGo IPs here aren't working and I still can't get them to show in dnsmasq.log. Tried two devices, both the same. I must be missing a setting somewhere... I'll look into it later. Thanks again
 
I ran the getdomainnames.sh script to strip out the dnsmasq noise and sort the domain names to come up with the list below. You may need to perform more web surfing and streaming to capture domain names if you still have issues. Some sites require more effort than others.

skygo domains
Code:
analytics.faw.sky.com
awk.epgsky.com
config.ott.sky.com
config.skyq-b.interactive.sky.com
desktop.client.ott.sky.com
entity.search.sky.com
images.metadata.sky.com
init.sky.com
metrics.sky.com
p.sky.com
qgo-desktop-sgw.skyanywhere.com
static.skyq-b.interactive.sky.com
uk.imageservice.sky.com

This script will read the file above and issue the iptables command to route the domain names to the VPN tunnel. This is modified from another script I used. You will have to test.

Code:
#!/bin/sh
####################################################################################################
# Written By: Xentrk
# Version 1.0
#
# Description:
#   Selective Routing Script for SKYGO
#
####################################################################################################
# The tag and the message are quoted separately so busybox sh does not see unbalanced quotes
logger -t "($(basename "$0"))" $$ "Starting SKYGO.sh... $0${*:+ $*}."
# Uncomment the line below for debugging
#set -x

# Pull SKYGO domain names and route them to OVPNC2 (fwmark 0x2000).
# Note: iptables resolves a host name given to -d only once, at the moment the rule
# is inserted, so only the address(es) returned then are matched; addresses a CDN
# hands out later are not. The dnsmasq ipset method below covers that case.
for DNS in $(awk '{ print $1 }' /jffs/scripts/SKYGO_Domains)
    do
      # delete any existing copy first so re-running the script does not stack duplicate rules
      iptables -t mangle -D PREROUTING -i br0 -d "$DNS" -j MARK --set-mark 0x2000/0x2000 2>/dev/null
      iptables -t mangle -A PREROUTING -i br0 -d "$DNS" -j MARK --set-mark 0x2000/0x2000
    done

logger -t "($(basename "$0"))" $$ "Ending SKYGO.sh... $0${*:+ $*}."
 
Similarly, you can try to capture the SKYGO IPv4 addresses using the IPSET feature of dnsmasq. You still need to use dnsmasq to capture the domain names. This method may be required when CDNs are involved.

Code:
ipset create SKYGO hash:net family inet hashsize 1024 maxelem 65536

Place the following in /jffs/configs/dnsmasq.conf.add

Code:
ipset=/sky.com/epgsky.com/skyanywhere.com/SKYGO

Then restart dnsmasq after adding the entry above:

Code:
service restart_dnsmasq

Then, browse SKYGO to capture IPv4 addresses.

Alternatively, you can download the IPv4 addresses for SKYGO using this method.
Code:
FILE_DIR="${FILE_DIR:-/opt/tmp}"   # where the prefix list is written; adjust to your setup

download_AS5607 () {
    # Scrape the IPv4 prefixes ipinfo.io lists for AS5607 (Sky UK); IPv6 prefixes (containing ":") are dropped
    curl -s https://ipinfo.io/AS5607 | grep -E "a href.*5607\/" | grep -v ":" | sed 's/^.*<a href="\/AS5607\///; s/" >//' > "$FILE_DIR/SKYGO"
    # "$?" only reports the last command of the pipeline (sed), so check the result file instead
    if [ ! -s "$FILE_DIR/SKYGO" ]; then  # download failed or the page layout changed
        logger -t "($(basename "$0"))" $$ "Script execution failed because AS5607 file could not be downloaded"
        exit 1
    fi
}
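The domain-harvesting step (getdomainnames.sh, which is not reproduced in the thread) and the hand-written ipset= line for dnsmasq.conf.add can be tied together in a few lines of busybox-compatible shell. The following is an added example, not Xentrk's script: it pulls the names one LAN client queried out of dnsmasq query logging, collapses them to base domains, and emits the dnsmasq directive. The log lines are constructed; the client IPs, the set name SKYGO and the "last two labels" rule are assumptions.

```shell
#!/bin/sh
# Added example, not Xentrk's getdomainnames.sh: extract the domains one LAN
# client queried from dnsmasq query logging, then build the dnsmasq "ipset="
# line for /jffs/configs/dnsmasq.conf.add. Needs dnsmasq started with
# log-queries (Diversion enables this). Uses only awk/sort, so it runs in busybox.

# Constructed sample of dnsmasq log-queries output; the real file on the
# router is the dnsmasq.log the thread refers to. Lines from a second client
# (192.168.1.77) and non-query lines are included to show they are ignored.
SAMPLE_LOG='Mar  7 14:41:01 dnsmasq[1234]: query[A] config.ott.sky.com from 192.168.1.50
Mar  7 14:41:01 dnsmasq[1234]: forwarded config.ott.sky.com to 9.9.9.9
Mar  7 14:41:01 dnsmasq[1234]: reply config.ott.sky.com is 203.0.113.10
Mar  7 14:41:02 dnsmasq[1234]: query[A] images.metadata.sky.com from 192.168.1.50
Mar  7 14:41:03 dnsmasq[1234]: query[AAAA] images.metadata.sky.com from 192.168.1.50
Mar  7 14:41:04 dnsmasq[1234]: query[A] awk.epgsky.com from 192.168.1.50
Mar  7 14:41:05 dnsmasq[1234]: query[A] dns.msftncsi.com from 192.168.1.77
Mar  7 14:41:06 dnsmasq[1234]: query[A] qgo-desktop-sgw.skyanywhere.com from 192.168.1.50'

# domains_for_client <client-ip>  (log on stdin)
# Keeps only "query[...] NAME from IP" records for that client, so the
# router's own lookups and other devices do not pollute the list, and
# prints the names sorted and de-duplicated (A and AAAA collapse to one).
domains_for_client() {
    awk -v ip="$1" '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^query\[/ && $(i+2) == "from" && $(i+3) == ip) print $(i+1)
    }' | LC_ALL=C sort -u
}

# base_domains  (names on stdin)
# Collapse host names to their last two labels, the granularity the thread's
# "ipset=/sky.com/epgsky.com/skyanywhere.com/SKYGO" line uses. Assumption:
# this naive rule is wrong for suffixes like co.uk, so check the output by eye.
base_domains() {
    awk -F. 'NF >= 2 { print $(NF-1) "." $NF }' | LC_ALL=C sort -u
}

# ipset_line <setname>  (base domains on stdin)
# Emit the dnsmasq.conf.add directive: every A record dnsmasq resolves under
# these domains (and their subdomains) is added to the named ipset, which the
# iptables MARK rule then matches with -m set --match-set.
ipset_line() {
    awk -v set="$1" 'BEGIN { printf "ipset=" } { printf "/%s", $0 } END { printf "/%s\n", set }'
}

# Demo run on the constructed log
printf '%s\n' "$SAMPLE_LOG" | domains_for_client 192.168.1.50
printf '%s\n' "$SAMPLE_LOG" | domains_for_client 192.168.1.50 | base_domains | ipset_line SKYGO
```

On a router you would replace the constructed SAMPLE_LOG with `cat /opt/var/log/dnsmasq.log` (or wherever your dnsmasq log lives) and review the base-domain list before appending the ipset= line, since an over-broad domain sends unrelated traffic through the tunnel.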
 
Nope! Still confused o_O My coding knowledge isn't stretching that far.

Also, my dnslog still isn't logging addresses for some reason.

It's annoying because I'm finding more and more VOD services locking out VPNs such as UK's Channel 4 and 5.
 
Getting dnsmasq to log queries is key to obtaining the Domains. If you have not done so, I recommend installing Diversion. It will setup and configure dnsmasq logging properly.

As far as VPN blocks, the solution I use is in the blog post
https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/

They have an app I use on my Fire TV stick when traveling that works great. That way, you don’t have to do selective routing at the router level. You can try it and cancel after seven days if not satisfied.
 
Thanks.

I just so happened to install Diversion last night anyway. After realising it bugged my router by duplicating several entries in dnsmasq.conf, I managed to get that sorted by removing some entries in dnsmasq.conf.add

I've tried Diversion's logging UI, and even when filtering by my device IP, still no entries appear. Only dns.msftncsi.com to 9.9.9.9 (as mentioned earlier). Other sites seem to skip the log.

I've already read your post on Torguard and it is probably something I'll look into when my current VPN sub ends, although I'm happy with who I'm currently with.

Thanks again.
 
If you are using VPN with Policy Rules and have Accept DNS Configuration set to Exclusive, dnsmasq is being bypassed which may explain the lack of logging to dnsmasq.log file. Also, Diversion ad blocking will not work either.
 
I'm an idiot. Found the issue. My default LAN DNS was not set to the router's IP. I was getting confused with the WAN's. I'm now able to see my addresses in DNSMASQ. My VPN DNS config is set to Strict. Both work happily now.

Now for some logging....

Thanks for your help meanwhile though!
 
Thank you for providing this script as it's currently working great for me! However I do have a couple of questions. How often would the Netflix IP addresses change and do I need to add a cron job to rerun the IPSET_Netflix.sh every night? I did create the nat-start file for reboot starts.

thanks
 
Glad the script helped you. Should have an updated version coming in the next few weeks.

The script will download an updated source file if the current source file is older than 24 hours. However, I have been running many months without refreshing the list and it is still working. So, that tells me the list is very static and the 24 hours is overkill. But I did not know that at the time I developed the script. May change it to a weekly or monthly update in a future version.
 
@Xentrk @RMerlin has something changed lately in relation to selective routing (or did it ever work on the AX88U)?

After a clean install I tried to get my generic Netflix > VPNClient1 script to work, but it doesn't seem to be forwarding the traffic to the VPN client. Rule wise everything seems to look correct (dnsmasq is also passing on IPs correctly), but again nothing is actually being routed via the VPN.

Code:
skynet@RT-AX88U-DC28:/jffs/configs# ip rule
0:    from all lookup local
9990:    from all fwmark 0x7000/0x7000 lookup main
9991:    from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:    from all lookup main
32767:    from all lookup default

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK xset 0x1/0x7
MARK       all  --  anywhere             anywhere             match-set VPNFlix-Master dst MARK or 0x1000

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Spent a lot longer than I'd like to admit trying to get this working before coming to the conclusion it's probably caused by another underlying issue and not the script itself (which hasn't been edited in 6+ months and worked flawlessly on my 86U). Let me know if anyone else is able to get any sort of selective routing working.

Code:
#!/bin/sh
# VPNFlix By Adamm - 26/9/18
# Route Netflix Traffic Through VPN Client1

Check_Lock () {
        if [ -f "/tmp/vpnflix.lock" ] && [ -d "/proc/$(sed -n '2p' /tmp/vpnflix.lock)" ] && [ "$(sed -n '2p' /tmp/vpnflix.lock)" != "$$" ] ; then
            logger -st VPNFlix "[INFO] Lock File Detected ($(sed -n '1p' /tmp/vpnflix.lock)) (pid=$(sed -n '2p' /tmp/vpnflix.lock)) - Exiting (cpid=$$)"
            echo
            exit 1
        else
            echo "$@" > /tmp/vpnflix.lock
            echo "$$" >> /tmp/vpnflix.lock
        fi
}

case "$1" in

    start)
        Check_Lock "$@"
        if [ -d "/opt/bin" ] && [ ! -f "/opt/bin/vpnflix" ]; then
            ln -s /jffs/scripts/vpnflix.sh /opt/bin/vpnflix
        fi
        if [ "$(nvram get vpn_client1_state)" != "2" ]; then nvram set vpn_client1_state="2"; fi
        if [ -f "/jffs/scripts/vpnflix.ipset" ]; then ipset restore -! -f "/jffs/scripts/vpnflix.ipset"; fi
        if ! ipset -L -n VPNFlix-Netflix >/dev/null 2>&1; then ipset -q create VPNFlix-Netflix hash:net timeout 604800; fi
        if ! ipset -L -n VPNFlix-Other >/dev/null 2>&1; then ipset -q create VPNFlix-Other hash:net timeout 604800; fi
        if ! ipset -L -n VPNFlix-Master >/dev/null 2>&1; then ipset -q create VPNFlix-Master list:set; ipset -q -A VPNFlix-Master VPNFlix-Netflix; ipset -q -A VPNFlix-Master VPNFlix-Other; fi
        ip rule del fwmark 0x7000/0x7000 2>/dev/null
        ip rule add fwmark 0x7000/0x7000 table 254 prio 9990 2>/dev/null
        ip rule del fwmark 0x1000/0x1000 2>/dev/null
        ip rule add fwmark 0x1000/0x1000 table 111 prio 9991 2>/dev/null
        iptables -D PREROUTING -t mangle -m set --match-set VPNFlix-Master dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
        iptables -A PREROUTING -t mangle -m set --match-set VPNFlix-Master dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
        sed -i '\~#VPNFlix~d' /jffs/configs/dnsmasq.conf.add
        echo "ipset=/netflix.com/nflxvideo.net/nflxso.net/nflxext.com/nflximg.net/VPNFlix-Netflix #VPNFlix" >> /jffs/configs/dnsmasq.conf.add
        chmod +x /jffs/configs/dnsmasq.conf.add
        cru d VPNFlix_save
        cru a VPNFlix_save "30 * * * * sh /jffs/scripts/vpnflix.sh save"
    ;;
    save)
        Check_Lock "$@"
        echo "Saving VPNFlix Server List..."
        if ipset -L -n VPNFlix-Master >/dev/null 2>&1; then { ipset save VPNFlix-Netflix; ipset save VPNFlix-Other; ipset save VPNFlix-Master; } > "/jffs/scripts/vpnflix.ipset" 2>/dev/null; fi
        echo "Complete! - $(wc -l < /jffs/scripts/vpnflix.ipset) Entries Total"
    ;;
    disable)
        Check_Lock "$@"
        echo "Disabling VPNFlix Policy Routing..."
        ip rule del fwmark 0x7000/0x7000
        # mask must match the rule added in start), otherwise the 0x1000/0x1000 rule is left behind
        ip rule del fwmark 0x1000/0x1000
        iptables -D PREROUTING -t mangle -m set --match-set VPNFlix-Master dst -j MARK --set-mark 0x1000/0x1000
        if ipset -L -n VPNFlix-Master >/dev/null 2>&1; then { ipset save VPNFlix-Netflix; ipset save VPNFlix-Other; ipset save VPNFlix-Master; } > "/jffs/scripts/vpnflix.ipset" 2>/dev/null; fi
        ipset destroy VPNFlix-Master
        ipset destroy VPNFlix-Netflix
        ipset destroy VPNFlix-Other
        echo "Complete!"
    ;;
    install)
        Check_Lock "$@"
        echo "Installing VPNFlix..."
        if [ ! -f "/jffs/scripts/firewall-start" ]; then
            echo "#!/bin/sh" > /jffs/scripts/firewall-start
        elif [ -f "/jffs/scripts/firewall-start" ] && ! head -1 /jffs/scripts/firewall-start | grep -qE "^#!/bin/sh"; then
            sed -i '1s~^~#!/bin/sh\n~' /jffs/scripts/firewall-start
        fi
        cmdline="sh /jffs/scripts/vpnflix.sh start # VPNFlix"
        if grep -E "sh /jffs/scripts/vpnflix.sh .* # VPNFlix" /jffs/scripts/firewall-start 2>/dev/null | grep -qvE "^#"; then
            sed -i "s~sh /jffs/scripts/vpnflix.sh .* # VPNFlix .*~$cmdline~" /jffs/scripts/firewall-start
        else
            echo "$cmdline" >> /jffs/scripts/firewall-start
        fi
        echo "Complete!"
    ;;
    *)
        echo "Command Not Recognized, Please Try Again"
        echo "Accepted Commands Are; (sh $0 [start|save|disable|install])"
        echo; exit 2
    ;;

esac

if [ -f "/tmp/vpnflix.lock" ] && [ "$$" = "$(sed -n '2p' /tmp/vpnflix.lock)" ]; then rm -rf "/tmp/vpnflix.lock"; fi
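To reason about why a packet should (or should not) end up in table ovpnc1 given the PREROUTING listing and the ip rule output above, it helps to work the mark arithmetic by hand. The block below is an added example, not part of Adamm's vpnflix.sh or the firmware: it models `MARK xset 0x1/0x7`, `MARK or 0x1000` and the two fwmark selectors with shell integer math, using the values visible in the thread. The table names and the "forced WAN" reading of 0x7000 follow the listing; nothing here touches a real router.

```shell
#!/bin/sh
# Added example, not part of Adamm's vpnflix.sh or the firmware: reproduces the
# fwmark arithmetic behind the PREROUTING and "ip rule" listings above with
# plain shell integer math, so the expected path of a marked packet can be
# checked on any machine. Marks and masks are the ones shown in the thread.

# --set-xmark VALUE/MASK (listed by iptables as "MARK xset"): clear MASK bits, XOR in VALUE
mark_xset() {  # mark_xset <current> <value> <mask>
    printf '0x%x\n' $(( ($1 & ~$3) ^ $2 ))
}

# --set-mark VALUE/MASK (listed as "MARK or" when VALUE == MASK): clear MASK bits, OR in VALUE
mark_set() {  # mark_set <current> <value> <mask>
    printf '0x%x\n' $(( ($1 & ~$3) | $2 ))
}

# An "ip rule ... fwmark VALUE/MASK" selector matches when (mark & MASK) == VALUE
rule_matches() {  # rule_matches <mark> <value> <mask>
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# Walk the rule list from the thread in priority order and name the table used.
route_for_mark() {  # route_for_mark <mark>
    if rule_matches "$1" 0x7000 0x7000; then echo main      # prio 9990: table 254 (main/WAN)
    elif rule_matches "$1" 0x1000 0x1000; then echo ovpnc1  # prio 9991: table 111 (VPN client 1)
    else echo main; fi                                      # prio 32766: default lookup
}

# "ip rule del fwmark V/M" only removes a rule whose value AND mask both match
selector_equal() {  # selector_equal <v1> <m1> <v2> <m2>
    [ $(( $1 )) -eq $(( $3 )) ] && [ $(( $2 )) -eq $(( $4 )) ]
}

# Demo: a packet arriving with mark 0 hits the firmware rule first, then the ipset rule
m1=$(mark_xset 0x0 0x1 0x7)          # firmware "MARK xset 0x1/0x7"   -> 0x1
m2=$(mark_set "$m1" 0x1000 0x1000)   # VPNFlix "MARK or 0x1000"       -> 0x1001
echo "after firmware rule: $m1, after VPNFlix rule: $m2, table: $(route_for_mark "$m2")"
echo "packet marked 0x7001 (all 0x7000 bits set): $(route_for_mark 0x7001)"
selector_equal 0x1000 0x1000 0x1000 0x7000 || echo "del fwmark 0x1000/0x7000 would not match the 0x1000/0x1000 rule"
```

The last line is the reason the mask in the script's disable) branch matters: the kernel compares both value and mask when deleting a rule, so a mismatched mask silently leaves the VPN selector in place. If the arithmetic says ovpnc1 but a real packet still leaves via WAN (as reported for the AX88U), the mark is being set correctly and the problem lies after the routing decision, which is where to look next.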
 
After more testing and dusting off my old AC86U, I can confirm this issue is unique to the AX88U. @RMerlin

Steps to reproduce;

Code:
Get current IP for comparison (http://whatismyip.host/my-ip-address-details )

ip rule add fwmark 0x7000/0x7000 table 254 prio 9990

ip rule add fwmark 0x1000/0x1000 table 111 prio 9991

iptables -A PREROUTING -t mangle -d 34.233.244.94 -j MARK --set-mark 0x1000/0x1000

Get new IP for comparison (http://whatismyip.host/my-ip-address-details )
 
Policy routing through the webui works for me. To the left is a VM with a policy rule through the VPN, the right is my main machine without rule.

[screenshot attachment omitted]
 

Policy routing via the webui also works for me (which is why I was so confused at first).

The issue is when marking packets as shown in the example above. You can substitute "34.233.244.94" with any destination IP: on the AC86U and AC68U traffic is re-routed through VPNClient1 as expected, on the AX88U it's being ignored and going through WAN.
 
Xentrk,
I ran the getdomainnames.sh script to strip out the dnsmasq noise and sort the domain names to up with the list below. You may need to perform more web surfing and streaming to capture domain names if you still have issues. Some sites require more effort than others.

We are in the US and are watching German Online-Channel. A couple of items are geo-blocked, instead of locking devices into the VPN, I'd like to only have a few domains/IPs go through the VPN.

I tried your script with the German station ard.de, ard-mediathek in the sky_domains file, then ran your getdomains.sh script. The script runs, but after waiting a bit, Ard.de still didn't recognize me as local.

Did I miss any steps?
 
Another thing is to access their website in a browser, then right click and choose the view source code option from the menu. Then, search the website for .net, .com, https, etc. to see if there are any domains you may have missed. Sometimes, I find other domains when trying to watch in an app or browser that I don't capture from a streaming media player alone.

I did an nslookup on ard.de and ard-mediathek to determine their IP address. I then did a search on the bgp.he.net website and got a match on AS200093 and AS13237:

https://bgp.he.net/ip/83.125.35.3
https://bgp.he.net/AS200093#_prefixes
https://bgp.he.net/AS13237#_prefixes

Rather than trying to mine domain names, you can edit or copy/paste lines 70 - 96 for the two ASNs listed above and modify the code as appropriate. You will also have to add the code to create the ipset lists and matching iptables rules.

Before doing that, you may want to try adding the two IPv4 addresses above to the VPN Client GUI and see if that is all that is required. Sometimes though, the service's main website has no relation to the domains or ASN of the streaming service. Sling TV is one example. The domains for the streaming service are listed under "Move Networks". If this is the case, take one or two of the domains you harvested. Then, do a search on bgp.he.net to find the AS number, which will then give you the entire list of IPv4 addresses used by the service.
 
Xentrk, good information as always. Re post #307: I was wondering what app you referred to on your Fire TV while traveling, is it a portable client for TG? I left the portable stick alone, with Amazon's system intact, since we don't travel much. If the app would work for either the stick or the Fire HD10 tablet, this would help to make the next trip more enjoyable :) Many thanks.
 
@busch09,
Working on a new script that will provide more flexibility to users to specify other sites or streaming services. It will also have a method to get the domain names from dnsmasq and place them in the ipset definition in dnsmasq.conf.add. Stay tuned.
 