
Selective Routing with Asuswrt-Merlin


Just found out that Netflix is using IPv6, so from my PC with the Chrome plugin I get the USA Netflix via a Hurricane Electric IPv6 tunnel.

 
Yeap, it does return 1.
When I connect to the router with WinSCP, it shows a jffs folder in the root folder with the following rights: rwxr-xr-x, and under the properties the octal is 0755.


More attempts:
- I re-saved my OpenVPN keys, and then tried to format the jffs / reboot;
  the router hung during reboot (!)
- power cycle - back online
- disable jffs, reboot
- enable jffs, format jffs, reboot

Still the same result... blank jffs folder
 
Formatting takes time. What you thought was a hung router could simply be the router was busy reformatting.

Again, check System Log for any actual error message related to JFFS.

All I can say is it works fine here, and for other users having the same router model.
 
This is becoming very frustrating... feels like I am the only one with such a problem...

Tried the following:
- re-flashed the router back to RT-AC56U_3.0.0.4_374.32_0.trx
- erased the NVRAM (back to default settings)
- restored the configuration from a .CFG which I believe was created on 374.32
- enable/format JFFS
- reboot
- connect using WinSCP - and the same empty jffs folder...

Guys - what step am I missing?
 
In the log file (cleared before doing anything):

Dec 31 19:00:11 kernel: Creating 2 MTD partitions on "brcmnand":
Dec 31 19:00:11 kernel: 0x000002000000-0x000008000000 : "brcmnand"
Dec 31 19:00:11 kernel: 0x000004000000-0x000006000000 : "jffs2"

(note that there is no jffs2 when I connect to the router via WinSCP - only jffs is visible!)

I see no evidence in the log that the partition JFFS was formatted!

I am attaching the log for your feedback.

Is there any way to manually format the JFFS partition? Will it create the needed folder for scripts and set permissions to allow putting scripts there?
 

Attachment: AC56U_Log_JFFS_issue.txt (18 KB)

Try using another telnet/SSH client; it may be WinSCP that is the culprit:

http://forums.smallnetbuilder.com/showthread.php?t=9202&page=4
 
The jffs2 partition can be erased with:

Code:
mtd-erase2 jffs2

jffs2 is the name of the partition - it won't match the /jffs mount point simply because historically, Tomato supported JFFS1 before switching to JFFS2. This is normal.

I do see a bad block reported in your syslog. That could also be what's preventing the erase from succeeding, though I should have fixed bad block handling a year ago with the RT-AC66U (which uses a similar flash chip).

Once erased, you have to reboot for the partition to get mounted. You could manually mount it, but on the next reboot you'd be back to the same point if it doesn't automatically mount itself.
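The point of the reply above is that the name the erase tool wants ("jffs2") is the MTD partition label, not the /jffs mount point, and that nothing is usable until the firmware has mounted the partition after a reboot. The following is an added example, not RMerlin's code or anything shipped in the firmware: a POSIX shell script that reads the partition label out of /proc/mtd, reports the matching /dev/mtdN device, and checks /proc/mounts to see whether /jffs is actually mounted. The sample /proc/mtd and /proc/mounts contents at the bottom are constructed to match the kernel partition lines quoted in the thread; the mtdblock naming and the file formats are standard Linux and are the only assumptions.

```shell
#!/bin/sh
# Added example, not RMerlin's code or part of the firmware: map the "jffs2"
# MTD label to its /dev/mtdN device and check whether /jffs is actually
# mounted, by parsing /proc/mtd and /proc/mounts. Both checks take the file
# contents as a string, so they work on a pasted capture as well as live.

# Print the mtdN device whose label is $1, given /proc/mtd text in $2.
# /proc/mtd lines look like:   mtd1: 02000000 00020000 "jffs2"
mtd_dev_for_label() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^mtd[0-9]+:/ {
            name = $NF; gsub(/"/, "", name)
            if (name == want) { sub(/:$/, "", $1); print $1; exit }
        }'
}

# Print the filesystem type mounted at $1, given /proc/mounts text in $2;
# prints nothing and returns non-zero when nothing is mounted there.
fstype_at() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $3; found = 1; exit } END { exit !found }'
}

# Report the state; returns 0 only when /jffs is mounted.
jffs_status() {
    dev=$(mtd_dev_for_label jffs2 "$1")
    if [ -z "$dev" ]; then
        echo "no MTD partition labelled \"jffs2\": check the kernel partition lines in syslog"
        return 1
    fi
    echo "jffs2 partition is /dev/$dev (mtd-erase2 takes the label jffs2, not the /jffs mount point)"
    if fs=$(fstype_at /jffs "$2"); then
        echo "/jffs is mounted ($fs)"
        return 0
    fi
    echo "/jffs is NOT mounted: run 'mtd-erase2 jffs2', then reboot so the firmware mounts it"
    return 1
}

# Constructed sample data, shaped like the kernel lines quoted in the thread
# (a 32 MiB "jffs2" partition following the "brcmnand" one).
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 06000000 00020000 "brcmnand"
mtd1: 02000000 00020000 "jffs2"'

SAMPLE_MOUNTS_OK='rootfs / rootfs rw 0 0
/dev/mtdblock1 /jffs jffs2 rw,noatime 0 0'

SAMPLE_MOUNTS_MISSING='rootfs / rootfs rw 0 0'

if [ "${1:-}" = "--live" ]; then
    # On the router: feed the real files.
    jffs_status "$(cat /proc/mtd)" "$(cat /proc/mounts)"
else
    jffs_status "$SAMPLE_MTD" "$SAMPLE_MOUNTS_OK" || :
    jffs_status "$SAMPLE_MTD" "$SAMPLE_MOUNTS_MISSING" || :
fi
```

Run it with `--live` on the router over SSH (not through WinSCP, which only shows the mounted view) to get a definite answer on whether the partition exists and whether it was mounted after the reboot.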
 
Hi,

I also want to implement this feature on my router. I am using an RT-AC66U as a router and an RT-N66U as an access point in my home. On the AC66U, I did the configuration with OpenVPN and it is working perfectly fine.

I enabled and formatted my JFFS partition and it shows as mounted under Tools -> Sysinfo.

But when I connected to my router via WinSCP, in /jffs/scripts/ there are no files like:

services-start
services-stop
wan-start
firewall-start
nat-start
init-start
pre-mount
post-mount
unmount
dhcpc-event
openvpn-event

Do they have to be there by default?

Because I can't seem to make this script work.
 
You need to create the scripts you want to use. They are not automatically created (because it would not make sense to create empty files).
 
Thanks Nerre. So my JFFS partition is working. Now I have to figure out this selective routing.

I created a file called openvpn-event.sh in Notepad++, copied/pasted the script given here, placed it in /jffs/scripts/ via WinSCP and set its octal to 0777. I rebooted the router but again all connections go through the VPN.

Can I create an IP pool for just the VPN, like 192.168.1.50-100, and have the others go through my ISP at full speed?

I am very new to this stuff. At least, a direction to where I can find relevant info would be great.
 
I created a file called openvpn-event.sh in Notepad++

Double check the filename. As you see on the list you previously posted, there should not be a .sh extension.
 
@RMerlin, as per your advice I double-checked my filename and changed it to openvpn-event. I again used chmod 700 /jffs/scripts/openvpn-event to make it executable.

Here is the script I used:

#!/bin/sh

sleep 2

# Marker file, so you can confirm from a shell that this script actually ran
touch /tmp/000wanstarted

# Disable reverse-path filtering on every interface; otherwise replies that
# come back over a different interface than the route points at are dropped
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# All traffic from Apple TV will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.189 -j MARK --set-mark 0

# All traffic from Sony TV will use the US VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.179 -j MARK --set-mark 0

exit 0

Right now OpenVPN is connected but all of the traffic goes through the VPN. No change. Also I get this message a lot in syslog:

Sep 22 20:58:42 miniupnpd[3287]: SSDP packet sender 192.168.0.254:1025 not from a LAN, ignoring

Thanks for any help.
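When a script like the one above appears to do nothing, the useful question is which of its three effects is missing: the "fwmark 1 -> table 100" policy rule, the WAN default route inside table 100, or the MARK rules in the mangle PREROUTING chain. Here is an added example, not the poster's script and not part of the firmware, that takes the output of `ip rule show`, `ip route show table 100` and `iptables -t mangle -S PREROUTING` and reports which piece is absent. The captured outputs at the bottom are constructed, and the `--set-xmark` spelling in the `-S` output is an assumption about the iptables version (the pattern also accepts `--set-mark`).

```shell
#!/bin/sh
# Added example, not from the thread: read the three things the openvpn-event
# script is supposed to have set up and say which one is missing. Each check
# takes the command output as a string so it works on a pasted capture as
# well as live on the router.

has_fwmark_rule() {   # $1 = output of 'ip rule show'
    printf '%s\n' "$1" | grep -Eq 'fwmark (0x1|1)[[:space:]]+lookup 100'
}

table100_default() {  # $1 = output of 'ip route show table 100'; prints the default line
    printf '%s\n' "$1" | grep '^default via'
}

count_mark_rules() {  # $1 = output of 'iptables -t mangle -S PREROUTING'
    printf '%s\n' "$1" | grep -Ec -- '-j MARK --set-x?mark 0x[01]' || true
}

has_vpn_exception() { # any rule that re-marks traffic to 0, i.e. sends it through the tunnel
    printf '%s\n' "$1" | grep -Eq -- '-j MARK --set-x?mark 0x0'
}

# Prints one line per check and returns the number of problems found.
check_policy_routing() {
    rules=$1
    table100=$2
    mangle=$3
    problems=0
    if has_fwmark_rule "$rules"; then
        echo "ok: 'ip rule' sends fwmark 1 to table 100"
    else
        echo "PROBLEM: no 'fwmark 1 lookup 100' rule: marked packets fall through to the main table, whose default route is the tunnel"
        problems=$((problems + 1))
    fi
    if d=$(table100_default "$table100"); then
        echo "ok: table 100 default: $d"
    else
        echo "PROBLEM: table 100 has no default route; 'nvram get wan_gateway' was probably empty when the script ran"
        problems=$((problems + 1))
    fi
    n=$(count_mark_rules "$mangle")
    if [ "$n" -eq 0 ]; then
        echo "PROBLEM: mangle PREROUTING has no MARK rules, so the script never ran: check it is /jffs/scripts/openvpn-event (no .sh), is executable, and look for it in syslog"
        problems=$((problems + 1))
    else
        echo "ok: $n MARK rule(s) in mangle PREROUTING"
        has_vpn_exception "$mangle" || echo "note: every rule sets mark 1, so nothing on the LAN uses the tunnel"
    fi
    return $problems
}

# Constructed captures: a healthy router with one host routed via the tunnel,
# and a mangle chain with nothing in it (the symptom described in the thread).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE100='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1'

SAMPLE_MANGLE='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -i br0 -m iprange --src-range 192.168.1.189-192.168.1.189 -j MARK --set-xmark 0x0/0xffffffff'

SAMPLE_MANGLE_EMPTY='-P PREROUTING ACCEPT'

if [ "${1:-}" = "--live" ]; then
    check_policy_routing "$(ip rule show)" "$(ip route show table 100)" "$(iptables -t mangle -S PREROUTING)"
else
    echo "== healthy capture =="
    check_policy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE100" "$SAMPLE_MANGLE" || :
    echo "== script never ran =="
    check_policy_routing "$SAMPLE_RULES" "$SAMPLE_TABLE100" "$SAMPLE_MANGLE_EMPTY" || :
fi
```

On the router, `sh thisfile.sh --live` over SSH gives the answer directly; the exit status is the number of problems, so it can also be called from another script.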
 
I had the same problem on mine... I could not get the script to work and gave up...
 
Wizin was able to get it to work. I wonder if he has any ideas. My issues were different along the way. Openvpn-script fixed my timing issues.
 
If you go to the folder /tmp, do you see a 0-byte file called 000wanstarted?

Yep. I checked and the 000wanstarted file is there. I couldn't figure this out. I give up.

Just a basic question: let's say I set up the AC66U and the N66U both as routers, one on 192.168.1.1 and the other on 192.168.2.1. I will set up an OpenVPN client on the N66U for the US connection. But from 192.168.1.1 I want to see and share files with the computers on 192.168.2.1. I can see files from 192.168.1.1 when I join the network from the second router. How can I make this possible?
 
My local network is 10.88.*.* as this makes PPTP to my remote family networks easier, as they too have unique 10.xxx.*.* networks.

I have successfully used this script for selective routing, so the bedroom PS3 is hard-coded to ALWAYS use the HMA VPN, and device U200_115 can be dynamically switched from the ISP to the VPN using the tagging '--set-mark 1 or 0' as required on the command line (I SSH into the router to execute the tagging command).


#!/bin/sh

logger -t "($(basename $0))" "$$ HMA VPN Selective customisation starting.... $0${*:+ $*}."


## CUSTOMIZE YOUR SCRIPT VARIABLES
#
## Uncomment and assign/change value(s) as needed to customize your rules
#
# ip_range1="192.168.10.200-192.168.10.203"
# ip_range2="192.168.10.8-192.168.10.15"
# ip_range3=""
#
# Ranges must be written as first-last: the iprange match does not accept CIDR
# notation such as 192.168.10.8/29 (use -s with a plain address/prefix for that).
# If your IP addresses don't fall in a contiguous range, you'll need separate rules instead.

U200_115="10.88.8.115"
PS3_Bedroom="10.88.8.142"

# ip_address3=""
#
# Spotify
# website_dst_range1="78.31.8.1-78.31.15.254"
# website_dst_range2="193.182.8.1-193.182.15.254"
# Another website
#
# website_dst_range3=""
##

# SHELL COMMANDS FOR MAINTENANCE.
# DO NOT UNCOMMENT, THESE ARE INTENDED TO BE USED IN A SHELL COMMAND LINE
#
# List Contents by line number
#iptables -L PREROUTING -t mangle -n --line-numbers
#
# Delete rules from mangle by line number
#iptables -D PREROUTING type-line-number-here -t mangle
#
# To list the current rules on the router, issue the command:
# iptables -t mangle -L PREROUTING
#
# Flush/reset all the rules to default by issuing the command:
# iptables -t mangle -F PREROUTING

# */* #
# First it is necessary to disable Reverse Path Filtering on all
# current and future network interfaces:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#

#iface_lst=`route | awk ' {print $8}'`
#for tun_if in $iface_lst; do
# if [ "$tun_if" = "tun11" ]; then
# exit 0
# elif [ "$tun_if" = "tun12" ]; then
# exit 0
# fi
#done

tun_if="tun21"

ip route show table main | grep -Ev ^default | grep -Ev $tun_if \
| while read ROUTE ; do
    ip route add table 100 $ROUTE
    logger -t "($(basename $0))" "$$ HMA VPN Table 100 added entry: $ROUTE"
done

ip route add default table 100 via $(nvram get wan_gateway)
logger -t "($(basename $0))" $$ HMA VPN default added to Table 100 for $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache


# EXAMPLES:
#
# All LAN traffic will bypass the VPN (Useful to put this rule first,
# so all traffic bypasses the VPN and you can configure exceptions afterwards)
# iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1
#
# Ports 80 and 443 will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 1
#
# All traffic from a particular computer on the LAN will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.2 -j MARK --set-mark 0
#
# All traffic to a specific Internet IP address will use the VPN
# iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range 216.146.38.70 -j MARK --set-mark 0
#
# All UDP and ICMP traffic will bypass the VPN
# iptables -t mangle -A PREROUTING -i br0 -p udp -j MARK --set-mark 1
# iptables -t mangle -A PREROUTING -i br0 -p icmp -j MARK --set-mark 1


# By default all traffic bypasses the VPN
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# IP_RANGES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_range3 -j MARK --set-mark 0

# IP_ADDRESSES - Uncomment as necessary
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address2 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $ip_address3 -j MARK --set-mark 0

logger -t "($(basename $0))" "$$ HMA VPN Selective customisation for: PS3_Bedroom $PS3_Bedroom"
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $PS3_Bedroom -j MARK --set-mark 0
# Optionally FORCE the use of the VPN tunnel, so if the VPN tunnel drops, the device will not use the unencrypted default WAN
#iptables -I FORWARD -i br0 -s $PS3_Bedroom -o eth0 -j DROP

# Spotify explicitly uses the VPN
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range1 -j MARK --set-mark 0
#iptables -t mangle -A PREROUTING -i br0 -m iprange --dst-range $website_dst_range2 -j MARK --set-mark 0


# There is a timing issue for Merlin build 270.26b and earlier where the Client VPN starts
# before the wan-start execution of this script.
# As a 'temporary' workaround set the 'VPN enabled on WAN' option to NO on the GUI,
# then uncomment the following line

service start_vpnclient1

# Routing for the above devices can be validated by using web page http://www.ip2location.com/
# Although if Port 80 is excluded from the VPN then it will always show the local GEO ISP location!

logger -t "($(basename $0))" $$ HMA VPN Selective customisation completed.
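Both scripts in this thread (the openvpn-event script posted earlier and the wan-start script above) build the same thing by hand: a copy of the main table in table 100 with a WAN default, a policy rule for fwmark 1, a mangle PREROUTING chain that marks everything 1 and then re-marks chosen hosts 0, and optionally a FORWARD DROP so a host pinned to the tunnel cannot leak out of the plain WAN when the tunnel is down. The following is an added example, not either poster's script and not part of the firmware, that generalises those two scripts: it validates the WAN gateway and every host or range before touching anything (rejecting CIDR, which the iprange match does not accept), prints the resulting command list so it can be reviewed before being piped to `sh -e` on the router, and adds the kill-switch rule for every tunnelled host. It assumes the thread's interface names (br0 for the LAN, tun11 for the tunnel, eth0 for the WAN), table 100 and mark 1; the gateway, the main-table capture and the host addresses at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# selective-routing setup used by the scripts above, with input validation
# and a per-host kill switch. Interface names and table/mark numbers follow
# the thread (br0, tun11, eth0, table 100, mark 1); addresses are constructed.

# Accept a dotted-quad IPv4 address only.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept what '-m iprange --src-range' takes: one address or first-last. Not CIDR.
valid_iprange() {
    case $1 in
        */*) return 1 ;;
        *-*) valid_ipv4 "${1%%-*}" && valid_ipv4 "${1#*-}" ;;
        *)   valid_ipv4 "$1" ;;
    esac
}

# plan_selective_routing WAN_GW TUN_IF WAN_IF MAIN_TABLE_TEXT HOST...
# Prints the commands, one per line, and prints nothing if any input is bad.
plan_selective_routing() {
    wan_gw=$1
    tun_if=$2
    wan_if=$3
    main_routes=$4
    shift 4
    valid_ipv4 "$wan_gw" || { echo "refusing: WAN gateway '$wan_gw' is not an IPv4 address" >&2; return 1; }
    for h in "$@"; do
        valid_iprange "$h" || { echo "refusing: '$h' is not an address or first-last range (iprange takes no CIDR)" >&2; return 1; }
    done
    # 1. Reverse-path filtering would drop replies arriving on the "wrong" interface.
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -e "$f" ] && echo "echo 0 > $f"
    done
    # 2. Start table 100 and the mangle chain from empty, so a re-run is safe.
    echo "ip route flush table 100"
    echo "ip rule del fwmark 1 table 100 2>/dev/null"
    echo "iptables -t mangle -F PREROUTING"
    # 3. Table 100 = main table minus the default and tunnel routes, plus a WAN default.
    printf '%s\n' "$main_routes" | grep -Ev "^default|$tun_if" | while read -r route; do
        [ -n "$route" ] && echo "ip route add table 100 $route"
    done
    echo "ip route add default table 100 via $wan_gw"
    echo "ip rule add fwmark 1 table 100"
    echo "ip route flush cache"
    # 4. Policy: everything from the LAN bypasses the tunnel unless a later rule re-marks it 0.
    echo "iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1"
    for h in "$@"; do
        echo "iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range $h -j MARK --set-mark 0"
        # Kill switch (the commented-out line in the script above): if the tunnel drops,
        # this host must not silently fall back to the unencrypted WAN interface.
        echo "iptables -I FORWARD -i br0 -m iprange --src-range $h -o $wan_if -j DROP"
    done
}

# Constructed 'ip route show table main' as it looks with the tunnel up.
SAMPLE_MAIN_ROUTES='default via 10.8.0.5 dev tun11
10.8.0.1 via 10.8.0.5 dev tun11
10.8.0.5 dev tun11 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10'

if [ "${1:-}" = "--live" ]; then
    # On the router: gateway from nvram, main table from ip. Review, then pipe to 'sh -e'.
    plan_selective_routing "$(nvram get wan_gateway)" tun11 eth0 "$(ip route show table main)" 192.168.1.189
else
    plan_selective_routing 203.0.113.1 tun11 eth0 "$SAMPLE_MAIN_ROUTES" 192.168.1.189 192.168.1.50-192.168.1.100
fi
```

Printing the plan instead of executing it is deliberate: on a router the only feedback from a wrong rule is "everything still goes through the VPN", and a reviewable command list is far easier to compare against `ip rule show` and `iptables -t mangle -S PREROUTING` afterwards. To apply it, `sh thisfile.sh --live | sh -e` from an SSH session.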
 
