Selective Routing with Asuswrt-Merlin

One potential alternative that might be worth investigating, based on Asus's own VPN Fusion: using iptables for port-based routing.

ASUS VPN Fusion GT-AC5300 feature ?

Well as usual, the help works (but it wouldn't be the first time that a 'useful' feature isn't actually enabled in the current iptables v1.4.14 version!) :rolleyes:

EDIT: Looks like this function is deprecated in ALL versions of iptables later than v1.4.14!!! (which is the current version in the firmware?)

Code:
iptables -j ROUTE --help

ROUTE target v1.11 options:
    --oif   ifname   Route packet through `ifname' network interface
    --iif   ifname   Change packet's incoming interface to `ifname'
    --gw     ip      Route packet via this gateway `ip'
    --continue        Route packet and continue traversing the
                      rules. Not valid with --iif or --tee.
    --tee    Duplicate packet, route the duplicate,
                      continue traversing with original packet.
                      Not valid with --iif or --continue.

So it seems to allow the '-j ROUTE' rules to be created...
Code:
iptables -A PREROUTING -t mangle -i br0 -p tcp --dport 80  -j ROUTE --oif  tun11
iptables -A PREROUTING -t mangle -i br0 -p tcp --dport 443 -j ROUTE --oif  tun11

iptables -nvL PREROUTING --line -t mangle

Chain PREROUTING (policy ACCEPT 1746 packets, 293K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1506 89800 MARK       all  --  !eth0  *       0.0.0.0/0            xxx.xxx.xxx.xxx      MARK or 0x8000
2        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN0 src,dst MARK or 0x7000
3        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN1 src,dst MARK or 0x1000
4        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN2 src,dst MARK or 0x2000
5        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN3 src,dst MARK or 0x3000
6        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN4 src,dst MARK or 0x4000
7        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN5 src,dst MARK or 0x5000
8        0     0 MARK       tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            multiport sports 5000:5001 MARK or 0x7000
9      429 26320 ROUTE      tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80ROUTE oif:tun11
10    1353  103K ROUTE      tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443ROUTE oif:tun11
11       0     0 ROUTE      all  --  tun11  *       0.0.0.0/0            0.0.0.0/0           ROUTE iif:br0

So it is definitely doing something...and ports 80 and 443 appear to be redirected, but I'm not getting the Web pages:confused:

Look like I may have got the return translation wrong:oops:...guess I'll have a play later.
 
ASUS VPN Fusion GT-AC5300 feature ?

Yes, though I suspect they will make it available to other models as well once they get moved to the 382 codebase.

If you want to look into how they implement it, grab the GT-AC5300 GPL. Amazingly enough, rc/vpn_fusion.c isn't closed source (yet...)

They seem to also be developing an RPDB-based implementation in parallel, but by default they enable the iptables-based one.

Either way, I doubt I will migrate my own implementation to theirs if I ever merge 382 in. Mine seems more flexible at this point (and keeping things in a script rather than in rc will provide more flexibility for users who want to further customize it).
 
If you want to look into how they implement it, grab the GT-AC5300 GPL.

I suspect they will make it available to other models as well once they get moved to the 382 codebase.

GPL_GT_AC5300_300438210397

Well 'VPN Fusion' seemingly doesn't/won't work on the GT-AC5300 for Selective Port forwarding until they get the syntax right!:eek:
Code:
  else if(target_port >= 0) //has target port
   eval("iptables", "-A", "PREROUTING", "-t", "mangle", "-i", (char*)lan_ifname, "-m", "mac", "--mac-source",
    (char*)client_mac, "--dport", port, "-j", "ROUTE", "--oif", (char*)vpnc_ifname);

Also not 100% sure why they qualify the '-j ROUTE' rule by source MAC address rather than IP address, as clearly RPDB entries cannot use MAC addresses, so they have to correlate/translate the MAC address into the associated IP address later on in the process anyway.

Maybe another 'work-in-progress' ASUS feature?, but sadly ASUS have previously (regularly) shown that they have no qualms about shamefully dumping shonky firmware out to be 'tested' by gullible end-users that ultimately will never meet the slick 'marketing' techo-babble e.g. F.A.S.T and now the latest must-have 'killer' VPN Fusion expectations on the box.

For those who have not heard of the gaming-related unique VPN Fusion feature:
https://www.asus.com/ROG-Republic-Of-Gamers/ROG-Rapture-GT-AC5300/
(scroll down about 40%) on the marketing URL

e.g. any glowing recommendations for using Dual-WAN anyone? :eek:

P.S. Is it just me but has the F.A.S.T acronym been subtly changed for the newer models?:rolleyes:
 
This is a little off topic. I bought a couple of TMobile TM-AC1900 since it is supposed to be the same as the AC68U. How can I flash it to this firmware?
 
Hi,

I want to bypass HULU to use my local WAN while all other LAN traffic uses my VPN. I am looking for some help in placing the correct code into my openvpn-event file for this to happen. Can anyone on this thread help me out? I appreciate it.

My RT-AC68U is all set and ready to copy this file into my partitioned JFFS/Scripts location. I just need the right code.
 
You don't need an openvpn-event.

First you need to start identifying the IP addresses/subnets used by Hulu.

Add to

/jffs/configs/dnsmasq.conf.add
Code:
ipset=/hulu.com/www.hulu.com/releasegeo.hulu.com/Hulu

and restart dnsmasq so issue:
Code:
service restart_dnsmasq

Now create the Hulu IPSET, issue
Code:
ipset create Hulu hash:net family inet hashsize 1024 maxelem 65536
ipset list Hulu

Now let's see if the router can automatically populate the Hulu IPSET with IP addresses; issue:
Code:
nslookup www.hulu.com
nslookup hulu.com
nslookup releasegeo.hulu.com
ipset list Hulu

Hopefully there should be 3 member addresses listed?

If you have already done your own research and snaffled a list of Hulu addresses off the internet, then you can manually add them to the Hulu IPSET now...

Code:
ipset add Hulu xxx.xxx.xxx.xxx
etc.

ipset list Hulu

OK, now that the router is capturing valid Hulu addresses (give it a few mins to see if the count goes up or repeat the three nslookup commands at regular intervals!) you need the following two RPDB rules, so enter
Code:
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

Now test if your Hulu traffic is via the WAN....then issue the following to confirm the setup is correct:
Code:
iptables -t mangle -nvL PREROUTING --line
ip rule
ipset list Hulu

Once you have proved it works, you need to permanently add the rules to

/jffs/scripts/nat-start

Code:
#!/bin/sh
# nat-start is re-run every time the firewall restarts, so remove any earlier
# copy of each rule before adding it back (the del/-D lines fail harmlessly on first run)
ip rule del prio 9990 2>/dev/null
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -D PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000 2>/dev/null
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
 
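As an added example that is not part of Martineau's post (nor Merlin's firmware), here is the same WAN bypass written as an idempotent nat-start fragment. It covers the Hulu ipset case above and the source-port case Martineau gives later in the thread (TCP sport 8080), adds each rule only when it is missing, and has a dry-run mode so the generated commands can be reviewed before they touch the router. The LAN bridge br0, the set name Hulu, fwmark 0x7000 and priority 9990 are taken from the post; the port, the DRYRUN switch and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Martineau's or Merlin's code: idempotent WAN bypass for
# (a) destinations in the ipset "Hulu" and (b) LAN traffic from TCP source port
# 8080. Marked packets hit the prio-9990 rule and are routed from the main
# table, i.e. out the WAN, ahead of the VPN client's own policy rules.
# Assumptions: LAN bridge is br0, fwmark 0x7000 is otherwise unused, and
# dnsmasq.conf.add already carries ipset=/hulu.com/www.hulu.com/releasegeo.hulu.com/Hulu.
# DRYRUN=1 prints the commands instead of executing them.

SETNAME="${SETNAME:-Hulu}"
BYPASS_SPORT="${BYPASS_SPORT:-8080}"
MARK="0x7000"
PRIO="9990"

# Run a command, or print it when DRYRUN is set (review before touching the router).
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Succeeds when an `ip rule` listing on stdin already contains the mark->main rule.
# The kernel shows "from 0/0" as "from all".
has_mark_rule() {
    grep -q "^${PRIO}:.*fwmark ${MARK}.*lookup main"
}

# `ipset create` fails if the set exists, so only create it when it is missing.
ensure_ipset() {
    if [ -n "${DRYRUN:-}" ] || ! ipset list "$SETNAME" >/dev/null 2>&1; then
        run ipset create "$SETNAME" hash:net family inet hashsize 1024 maxelem 65536
    fi
}

ensure_ip_rule() {
    if [ -n "${DRYRUN:-}" ] || ! ip rule | has_mark_rule; then
        run ip rule add from 0/0 fwmark "$MARK" table main prio "$PRIO"
    fi
}

# Append a mangle PREROUTING rule unless an identical one is present
# (iptables -C returns 0 when the rule exists; available since 1.4.11).
ensure_mangle() {
    if [ -n "${DRYRUN:-}" ] || ! iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
        run iptables -t mangle -A PREROUTING "$@"
    fi
}

apply_bypass() {
    ensure_ipset
    ensure_ip_rule
    # LAN -> any Hulu address: set only the 0x7000 bits, leave other mark bits alone.
    ensure_mangle -i br0 -m set --match-set "$SETNAME" dst -j MARK --set-mark "$MARK/$MARK"
    # LAN traffic with TCP source port 8080 (Martineau's port example later in the thread).
    ensure_mangle -i br0 -p tcp --sport "$BYPASS_SPORT" -j MARK --set-mark "$MARK/$MARK"
}

# On the router: packet counters on the two MARK rules should climb while the
# service is in use, the prio-9990 rule must be listed, and the set must have members.
verify_bypass() {
    iptables -t mangle -nvL PREROUTING --line | grep -E "match-set ${SETNAME}|spt:${BYPASS_SPORT}"
    ip rule | grep "^${PRIO}:"
    ipset list "$SETNAME"
}

case "${1:-}" in
    apply)  apply_bypass ;;
    verify) verify_bypass ;;
esac
```

Save it under /jffs/scripts, call it from nat-start with the argument apply, and run it with verify after loading a Hulu page. Because the MARK rules set only the 0x7000 bits (value/mask 0x7000/0x7000) they do not disturb any other mark bits the firmware's own rules may already use on the same packet.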
Martineau,

Thank you you for taking the time to write up a process for me. However I am new to this. I am using WinSCP to do the editing in my ASUS RT-AC68U.

I logged into my router and added the
dnsmasq.conf.add file in the directory of /jffs/configs/

I am not sure what you mean by issue: does that mean to execute the command to write it into the dnsmasq.conf.add file?

I am assuming my dnsmasq.conf.add file should have all the code written in side correct?

I added two screenshots of me using WinSCP am I on the right track?

Thanks,
Gary

 
Will wait for Janoesk to make a proper wiki but for extreme novice users like me - got it working with the help of Janosek and here are the steps

THE CODE

Code:
#!/bin/sh

sleep 2

touch /tmp/000wanstarted

# Policy routing makes return paths asymmetric, so switch off reverse-path filtering
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > $i
done

# US VPN

#
# Delete table 100 and flush any existing rules if they exist.
#
ip route flush table 100
ip route del default table 100
ip rule del fwmark 1 table 100
ip route flush cache
iptables -t mangle -F PREROUTING

#
# Copy all non-default and non-VPN related routes from the main table into table 100.
# Then configure table 100 to route all traffic out the WAN gateway and assign it mark "1"
#
# NOTE: Here I assume the OpenVPN tunnel is named "tun11".
#
ip route show table main | grep -Ev ^default | grep -Ev tun11 \
  | while read ROUTE ; do
      ip route add table 100 $ROUTE
  done

ip route add default table 100 via $(nvram get wan_gateway)
ip rule add fwmark 1 table 100
ip route flush cache

#
# Define the routing policies for the traffic. The rules will be applied in the order that they
# are listed. In the end, packets with MARK set to "0" will pass through the VPN. If MARK is set
# to "1" it will bypass the VPN.
#

# All LAN traffic will bypass the VPN (useful to put this rule first, so all traffic bypasses
# the VPN and you can configure exceptions afterwards)
iptables -t mangle -A PREROUTING -i br0 -j MARK --set-mark 1

# All traffic from Roku Wireless will use the UK VPN
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.103 -j MARK --set-mark 0

exit 0

If you notice the code, I only have 1 device configured to use VPN ( Roku Wireless )
Rest is all via regular LAN Speed

Save the above as "openvpn-event" ( without the quotes and NO FILE EXTENSION at all )

1) Assuming you have VPN Account and have it already working with OpenVPN in your Asus-Merlin Router ( test manually if VPN works first )
2) So make sure its ON and Start with WAN option
3) Go to Administration > System
  • Enable JFFS partition = YES
  • Format JFFS partition at next boot = YES
REBOOT ROUTER
4) Download a Software like WinSCP
File Protocol - SCP
Hostname: 192.168.1.1
Username/Password: Whatever you use to login to the router
Port 22
5) Need to go up to the root folder where you see the jffs folder
6) Go Inside Folder then Go Inside Scripts Folder
7) Place the code openvpn-event you made above in this folder, right click > Properties > Change Octal to 0777

Thats it

Close WinSCP
Reboot Router

GOOD TO GO

Want to revisit my own post from 4 years ago - this doesn't work. Everything goes via VPN only; any update, or what changes?
 
To be honest, I don't believe there is any valid reason to use the manual scripting method anymore even when Selective Port Routing (which isn't supported via the GUI) is required using the necessary custom fwmarks.

i.e. using the (far more reliable) GUI Selective Routing Policy Rules environment you should be able to configure the Selective routing for a single device via the VPN (using the Policy Rules GUI) whilst everything else (by default) remains routed via the WAN;
Code:
UseVPN 192.168.77.2 0.0.0.0 VPN

and rather than use a (flawed obsolete) script, simply issue just two commands?
Code:
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -t mangle -A PREROUTING -i br0 -p tcp --sport 8080 -j MARK --set-mark 0x7000/0x7000

NOTE: The subtle difference in the '--set-mark' directive.

I tested this right now and it does exactly what I need, nothing more to add. Thank you very much for this answer!
 
Hi @Martineau, I have spent many hours reading through this forum today. I found this post interesting and perhaps applicable to my situation. Here is my use case:

I use Roku 4 to stream media. I have a private IP openvpn server subscription with TorGuard. This allows me to get around the N.Flix and H-lu vpn blocks. Until just recently, my private IP geo location was in a major market in USA. By being geo located in a major market location, I had access to live NBC and Fox Network on SlingTV. Recently, TorGuard moved my private to a smaller city. As a result, I no longer have access to live NBC or Fox, only the on-demand service of these two networks, when connected through my Private IP. If I really wanted to watch something live on these networks, my work around is to change my OpenVPN server location from my Private IP to a server located in a major market area like L.A on the web gui. But I need to change it back to my Private IP if I want to watch N.Flix or H-lu.

It would be kewl if I could use selective routing to do this for me.

Using your technique, I was able to get an IP on *.slingtv.com. I tried to get a hit on releasegeo.slingtv.com but no luck:
Code:
nslookup: can't resolve 'releasegeo.slingtv.com'

That little voice inside me says the IP of the website is not going to work. But I could be wrong. A web search has not yet turned up any list of sling tv server ip addresses. Is there a way I can trace the traffic when I have SlingTV running to see what server the Roku is connecting to? Thanks for the help.
 
If the Roku is using dnsmasq, then you may get clues from its log....

Code:
dnsmasq[3186]: query[A] slingtv.com.Martineau.lan from 10.88.8.114
dnsmasq[3186]: config slingtv.com.Martineau.lan is NXDOMAIN
dnsmasq[3186]: query[AAAA] slingtv.com.Martineau.lan from 10.88.8.114
dnsmasq[3186]: config slingtv.com.Martineau.lan is NXDOMAIN
dnsmasq[3186]: query[A] slingtv.com from 10.88.8.114
dnsmasq[3186]: forwarded slingtv.com to 79.79.79.77

dnsmasq[3186]: reply slingtv.com is 66.170.250.200

dnsmasq[3186]: query[A] mdconfig.sling.com from 10.88.8.90

dnsmasq[3186]: query[A] download.slingmedia.com from 10.88.8.90
dnsmasq[3186]: forwarded download.slingmedia.com to 79.79.79.77
dnsmasq[3186]: reply download.slingmedia.com is <CNAME>
dnsmasq[3186]: reply download.slingmedia.com.edgesuite.net is <CNAME>

etc.

Usually, Google does eventually pop up with an appropriate forum post or Wiki/Blog entry, otherwise you will need to install tcpdump to generate the Roku.pcap data for later analysis - Wireshark etc.
 
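The manual step described further down the thread (watching dnsmasq.log, pasting into a spreadsheet, sorting and de-duplicating) can be scripted. The following is an added example and not Martineau's code: it reads a dnsmasq query log, lists the distinct names one client asked for (dropping the search-domain NXDOMAIN noise visible in the log above), pulls the IPv4 answers, and prints the dnsmasq ipset= line plus the ipset add commands. The search domain Martineau.lan and the client 10.88.8.114 come from the log excerpt; SAMPLE_LOG is constructed here (192.0.2.10 is a documentation address), and the set name SlingTV and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn a dnsmasq query log into the two things
# the posts build by hand, the dnsmasq "ipset=/.../SET" line and the list of
# addresses to seed the set with. Assumes dnsmasq runs with log-queries and writes
# lines shaped like the excerpt above; SAMPLE_LOG below is constructed.

SEARCH_DOMAIN="${SEARCH_DOMAIN:-Martineau.lan}"
LOGFILE="${LOGFILE:-/opt/var/log/dnsmasq.log}"

# Constructed sample in the same shape as the post's excerpt (192.0.2.10 is TEST-NET-1).
SAMPLE_LOG='dnsmasq[3186]: query[A] slingtv.com.Martineau.lan from 10.88.8.114
dnsmasq[3186]: config slingtv.com.Martineau.lan is NXDOMAIN
dnsmasq[3186]: query[A] slingtv.com from 10.88.8.114
dnsmasq[3186]: forwarded slingtv.com to 79.79.79.77
dnsmasq[3186]: reply slingtv.com is 66.170.250.200
dnsmasq[3186]: query[AAAA] slingtv.com from 10.88.8.114
dnsmasq[3186]: query[A] mdconfig.sling.com from 10.88.8.90
dnsmasq[3186]: query[A] p-geo.movetv.com from 10.88.8.114
dnsmasq[3186]: forwarded p-geo.movetv.com to 79.79.79.77
dnsmasq[3186]: reply p-geo.movetv.com is <CNAME>
dnsmasq[3186]: reply p-geo.movetv.com.cdn.cloudflare.net is 192.0.2.10'

# client_domains CLIENT_IP   (dnsmasq log on stdin)
# Distinct names the client looked up, sorted, minus the "<name>.<search-domain>"
# lookups that only ever produce the NXDOMAIN noise seen in the excerpt.
client_domains() {
    awk -v ip="$1" -v sd=".$SEARCH_DOMAIN" '
        /query\[(A|AAAA)\]/ && $NF == ip {
            for (i = 2; i <= NF; i++) if ($i == "from") name = $(i - 1)
            if (length(name) <= length(sd) || substr(name, length(name) - length(sd) + 1) != sd)
                print name
        }' | sort -u
}

# reply_ips   (dnsmasq log on stdin)
# IPv4 answers dnsmasq handed back. CNAME hops carry no address, which is why the
# CNAME targets (CDN names) must also appear in the ipset= line or dnsmasq never
# adds the final A record to the set.
reply_ips() {
    awk '/ reply / && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $NF }' | sort -u
}

# ipset_conf_line SETNAME   (domain list on stdin)  ->  ipset=/a/b/SETNAME
ipset_conf_line() {
    awk -v set="$1" 'NF { s = s "/" $1 } END { if (s != "") print "ipset=" s "/" set }'
}

# ipset_add_cmds SETNAME   (address list on stdin)  ->  one "ipset add" per address
ipset_add_cmds() {
    awk -v set="$1" 'NF { print "ipset add " set " " $1 }'
}

# On the router, after letting the Roku run for a minute:
#   client_domains 10.88.8.114 < "$LOGFILE" | ipset_conf_line SlingTV >> /jffs/configs/dnsmasq.conf.add
#   reply_ips < "$LOGFILE" | ipset_add_cmds SlingTV | sh
```

Review the generated ipset= line before appending it: dnsmasq matches every subdomain of each name, so a bare CDN name such as cloudflare.net would pull far more than the streaming service into the bypass.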
Thank you. This helps with guidance on next steps. I appreciate the help.
 
I'm an old retired guy, even though it says I'm around here. Years ago, I worked my way with Unix and Dos. I can still do basic router set up, flashing, etc, but I'm sadly getting nowhere. I've searched for a long time on this site and found a massive amount of info that's gotten me close, but not quite, even though I suspect the solution is simple. Our RT-AC3200 works great, and will be upgrading to Merlin's new 380.66 tomorrow. Netflix blocks anything that isn't handled properly by VPN or by those with much better skill than I have. I only want to route our so-called smart tv through the openvpn client on the router; everything else worked great, until I locked the router up with my fiddling at it. I know this is doable from weeks and months of reading on the site (it's a massive trove). The owner of our vpn suggested inserting the following in the router using the run command (it's a small vpn, and the closest guide they have is for DDWRT) :

Code:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 10.10.10.10
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 10.10.10.10
iptables -t nat -L -v -n # shows nat table

He also suggested flashing DDWRT or using PFsense, but I'd rather pull my old PS3 out of storage and use that for netflix before giving up on this project; I'm sure Sony wouldn't be much help these days. I've done many configurations on the router based on what I've seen here and had the router/openvpn client working fairly well, except for the tv/netflix, and even that worked before I installed the openvpn client, but not afterward. The VPN connected without errors, the PC and tablets were running fast and stable, just no netflix. The TV is on ethernet, no wifi and the IP/DNS is set manually on the set, no updates should be able to get through to the 'smart' part of it. I could 'see' netflix, but it refused to allow any of our programming to route through the client. Somehow after several days, I finally managed to firmly lock the router up, but restored it the next day. Previously, netflix worked with no DNS issues (except it never worked with opendns). I've got the PC back on its own vpn client, but decided to call a halt, to ask for guidance here. I've read the wiki many times and more posts than I can count. I would appreciate all the patience and pointers you senior members can offer. My apologies for my noobishness; I'm unable to sit up or read for more than a couple of hours per day due to health issues, so please be gentle. My thanks in advance for your patience.
 
Question... can I use this to fwd specific netflix etc traffic directly to my ISP (outside of my VPN tunnel) ?

my bank, amazon, netflix all block my connections when using my VPN

Thanks,
 
smetlydc2, sorry for the delay answering. Don't know if your situation is similar to mine, but this 'preroute ... dport 53' trick supposedly works with various VPNs, including mine. If you want to direct a specific item to face the LAN, you can do this at the bottom of the VPN client page. I have everything on my LAN except for the supposedly 'smart' TV routed through the vpn client, and the TV rule added last to face WAN (i.e., your ISP). Hope that helps.
 
Hello guys!

I'm trying to access my router from my work office but I'm having problems. Can anyone help me?

My current scenario is:

Modem from KPN Netherlands (not allow me to put in bridge mode) with DHCP server (192.168.2.1) and DMZ configured to router.

LAN from modem to my router WAN (Asus RT-AC66U_B1 with Asus Merlin 380.67_beta2) with DHCP Server (192.168.50.1 double NAT, because I don't want the modem as my dhcp server)

The thing is, I have openVPN configured successfully and everything passes through VPN, as expected. When VPN is activated I can't access my router remotely, but when deactivated, the remote access works. I'm avoiding DDNS for now to make sure that access will work first.

I want to keep all my devices passing through VPN. I already tried almost all suggestions on this topic without success. I'm trying to access my router remotely through port 8443.

Strange thing is, even with "Redirect Internet traffic" set to no, all traffic is passing through VPN. It's not a problem for me because this is exactly what I want, but seems wrong.

Mainly I want my router to access everything through VPN (further Transmission torrents). I'm thinking to only set the port 8443 forwarded to my ISP instead of VPN. Is that an acceptable solution?

Seems that I have a specific case, different from any post here.

Attached my openvpn configuration.

Any suggestion?

Thanks.
 

Hi @Martineau,

I finally had time to work on this the past few days. In summary, my use case is for SlingTV to use Los Angeles VPN server and all other network traffic to use my Private VPN Server. By having SlingTV use LA server, I get access to a few more live network rather than the on demand versions of those networks when using my Private VPN Server. But with my PrivateIP, I can stream media services that block VPN services. :)

The first thing I did was use your technique of using the dnsmasq.log file to identify what domains SlingTV is calling when it is invoked from the Roku player. I closed out my browser sessions to get the network as quiet as possible. I then did an SSH session and did a tail -f dnsmasq.log and watched the domains being output to the dnsmasq.log for one minute. I then did a screen scrape into excel and deleted the text before and after the domain names. I then sorted the list and removed duplicates.

I first started out trying to use the ipset example in post #548 above. But what I struggled with is what to use for the mark 0x7000 for the second VPN connection. In this example, traffic is being sent to WAN whereas I needed it to go to tun12. Example I refer to is below:

Code:
iptables -D PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

So, I decided to start reviewing the thread from the beginning. In post #152, @bilboSNB posts an example of routing only google play store traffic thru the VPN. So I used that as a starting point.

I had to change the OpenVPN Client setting for my PrivateIP, Redirect Internet Traffic from All Traffic to Policy Rules and entered all of the devices in the list. This is tun11. For the second OpenVPN Client in Los Angeles, I set Redirect Internet Traffic to No. This is tun12

Following is the script:
Code:
#!/bin/sh
#set -xo
logger -t "($(basename $0))" $$ Starting TorGuard VPN Selective Routing Starting for SlingTV..." $0${*:+ $*}."

ip route flush table 10
ip route del default table 10
ip rule del fwmark 10 table 10
ip route flush cache
iptables -t mangle -F PREROUTING

tun_if="tun12"
tun_ip=$(ifconfig $tun_if | grep 'inet addr:'| cut -d: -f2 | awk '{ print $1}')

ip route add default via $tun_ip dev $tun_if table 10
ip rule add fwmark 10 table 10

echo 0 > /proc/sys/net/ipv4/conf/$tun_if/rp_filter

iptables -t mangle -A PREROUTING -i br0 -d 2-01-4d34-0008.cdx.cedexis.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d 2-01-4d34-0015.cdx.cedexis.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d 2-01-4d34-0018.cdx.cedexis.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d 2-01-4d34-001b.cdx.cedexis.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d aptime.movenetworks.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d cbd46b77.cdn.cms.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d cbd46b77.cdn.cms.movetv.com.c.footprint.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d cws.conviva.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d dmsprod.shrbt.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d dmsprod.shrbt.com.cdn.cloudflare.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d oem.twimg.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p.slingtv.map.fastly.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-cdn4-1-cg7-rubens.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-cg7-cmw.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-cmw.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-geo.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1101.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1102.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1103.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1105.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1106.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1107.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-gp2-dvrmfs-1108.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-img.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-rubens.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-ums.movetv.com    -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d p-ums.movetv.com.cdn.cloudflare.net -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d smdrm.qcg7.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d webapp.movetv.com -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -i br0 -d webapp.movetv.com.c.footprint.net -j MARK --set-mark 10

logger -t "($(basename $0))" $$ Completed TorGuard VPN Selective Routing Starting for SlingTV..." $0${*:+ $*}."
exit

I do get one error message here... But it does not appear to cause any issues.
Code:
+ ip route del default table 10
RTNETLINK answers: No such process

Thanks for inspiring me to try this and helping others in this forum. I still have a lot to learn and came across some docs I want to follow up on to increase my knowledge in this area. I still want to try and get the ipset technique to work though.

THANK YOU!!
 
The message simply means that you are trying to delete an entity that doesn't exist, so usually it is safe to fully suppress such messages by appending a redirect of stderr:

Code:
ip route del default table 10 2>/dev/null

NOTE: I have stated in prior posts that the script is potentially flawed in multi-use environments and should be used with caution.
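For the same "second tunnel" setup as the SlingTV script above, here is an added example (not the poster's script, not Martineau's, not Merlin's code) written so it can be re-run without the RTNETLINK noise, matches by ipset instead of a fixed list of -d hostnames, and keeps reverse-path filtering in loose mode rather than off. It assumes the second OpenVPN client is tun12 with "Redirect Internet traffic" set to No, that table 10, fwmark 0x2000 and priority 9992 are otherwise unused, that br0 is the LAN bridge, and that dnsmasq fills an ipset named SlingTV from an ipset=/.../SlingTV line; DRYRUN and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script and not Merlin's code: send traffic for
# the ipset "SlingTV" through a second OpenVPN client (tun12) while everything
# else keeps its existing routing. Compared with the script above: routes are
# installed with "replace" (re-runnable, no "RTNETLINK answers: No such process"),
# matching is by ipset rather than "-d hostname" (iptables resolves a hostname
# once, at insert time, so CDN changes silently drop out of the rules), and
# rp_filter is set to loose (2) instead of off (0).
# Assumptions: tun12 is up with "Redirect Internet traffic" = No; table 10,
# fwmark 0x2000 and prio 9992 are unused; br0 is the LAN bridge; dnsmasq feeds
# the set from an ipset=/.../SlingTV line. DRYRUN=1 prints instead of executing.

TUN_IF="${TUN_IF:-tun12}"
TABLE="${TABLE:-10}"
MARK="${MARK:-0x2000}"
PRIO="${PRIO:-9992}"
SETNAME="${SETNAME:-SlingTV}"

run() {
    if [ -n "${DRYRUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Table for the tunnel: a tun is point-to-point, so "dev" alone is a valid nexthop.
# Copy the LAN prefix as well, or marked hosts lose the LAN once table 10 is consulted first.
tunnel_table() {
    run ip route replace default dev "$TUN_IF" table "$TABLE"
    ip route show dev br0 2>/dev/null | awk '{ print $1 }' | while read -r prefix; do
        run ip route replace "$prefix" dev br0 table "$TABLE"
    done
}

# Marked packets consult the tunnel's table before the main table.
mark_rule() {
    if [ -n "${DRYRUN:-}" ] || ! ip rule | grep -q "^${PRIO}:.*fwmark ${MARK}.*lookup ${TABLE}"; then
        run ip rule add fwmark "$MARK/$MARK" table "$TABLE" prio "$PRIO"
    fi
}

# Mark LAN traffic whose destination is in the set (iptables -C = "rule already present").
mark_set() {
    if [ -n "${DRYRUN:-}" ] || ! iptables -t mangle -C PREROUTING -i br0 -m set --match-set "$SETNAME" dst -j MARK --set-mark "$MARK/$MARK" 2>/dev/null; then
        run iptables -t mangle -A PREROUTING -i br0 -m set --match-set "$SETNAME" dst -j MARK --set-mark "$MARK/$MARK"
    fi
}

# Loose reverse-path filtering accepts the asymmetric paths policy routing
# creates while still dropping packets whose source is not routable at all.
rp_filter_loose() {
    for f in /proc/sys/net/ipv4/conf/all/rp_filter "/proc/sys/net/ipv4/conf/${TUN_IF}/rp_filter"; do
        if [ -n "${DRYRUN:-}" ]; then printf 'echo 2 > %s\n' "$f"; else echo 2 > "$f"; fi
    done
}

apply_second_tunnel() {
    tunnel_table
    mark_rule
    mark_set
    rp_filter_loose
    run ip route flush cache
}

case "${1:-}" in apply) apply_second_tunnel ;; esac
```

Run it from the tun12 client's up event (or nat-start, after the tunnel is up) with the argument apply. To confirm a given address would take the tunnel, use `ip route get <address> mark 0x2000` on routers whose ip supports the mark keyword, and watch the counter on the MARK rule in `iptables -t mangle -nvL PREROUTING` while the Roku plays.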
 
