
Selective Routing with Asuswrt-Merlin


I was also able to configure pfSense to do the same thing this morning, although the technique is different. No scripting is required; it was all done through the web GUI.

I first created a firewall alias called SlingTV for all of the SlingTV domain names. A copy and paste from the Excel spreadsheet made it easy! The utility in pfSense converts the domain names to IP addresses when it is saved. I then created a firewall rule on the LAN interface to route any outbound traffic containing the firewall alias called SlingTV to use the LA VPN Server Gateway. If anyone wants to know how to do it on pfSense, let me know. I will post a how-to in the pfSense forums in the next day or two.
 
Oh yeah... I have been messing around with pfSense these last days and that's the real deal! :) It is clearly not as simple to configure certain things, however it's amazing what you can do with it! The only thing that is pulling me back for now is the Traffic Shaping aka QoS; it seems it is not possible to achieve the same flexibility as Adaptive QoS, or at least it is not an easy task with pfSense...
 
I have had mine for one year now and am learning new things all the time. I am hanging onto my ASUS routers as a result for the foreseeable future. I've mostly learned by watching YouTube videos, blogs and websites where people have posted how-to articles, and the pfSense forum. The reason I purchased it is because I am a VPN user and was looking for something with a more powerful CPU. It has been an interesting journey so far.
 
NOTE: I have stated in prior posts that the script is potentially flawed in multi-use environments and should be used with caution.

I did a rewrite of my routing scripts to address the potential flaws with the previous version. I wrote one version using domain names and the other using ipset. Both methods do the job. The advantage is I can maintain the list of domain names in a file and reduce the lines of code. Thank you for all of the help. It is greatly appreciated.

Main
Code:
#!/bin/sh
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992

ip route flush cache
--snip--

Domain Name Routing
Code:
--snip--
# Read contents of SlingTV Domain Names file and route to VPN Client 2
DOMAIN_FILE="/jffs/scripts/slingtvdns"
OUT=$(awk '{ print $1 }' $DOMAIN_FILE)
for DNS in $OUT
  do
    iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
    iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
  done

IPSET Routing
Code:
--snip--
ipset create SLINGTV hash:net family inet hashsize 1024 maxelem 65536

# Create SLINGTV ipset list
DOMAIN_FILE="/jffs/scripts/slingtvdns"
OUT=$(awk '{ print $1 }' "$DOMAIN_FILE")
for DNS in $OUT
do
  echo "domain name: $DNS"
  # BusyBox nslookup prints "Address N: x.x.x.x" lines after the "Name:" line
  for ip in $(nslookup $DNS | awk '/^Name:/,0{if (/^Addr/)print $3}')
  do
    ipset add SLINGTV $ip
  done
done

# Match on the destination address only: for a one-dimension set iptables uses
# only the first flag, so "src,dst" would test the LAN client's source address
# and never mark the SlingTV traffic.
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set SLINGTV dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set SLINGTV dst -j MARK --set-mark 0x2000/0x2000
 
Well I'm stumped :confused:

However, I suggest you retrieve the subnets the 'old-skool' way using curl direct from ipinfo.io (like I do) and ditch your preferred 'whob/radb.net combo' and try

Code:
ASNUM="AS40027"
netsv4=`curl http://ipinfo.io/$ASNUM  2>/dev/null | grep -E "a href.*$ASNUM\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset netsv4

Code:
admin@RT-AC68U:/jffs/scripts# netsv4=`curl http://ipinfo.io/AS40027  2>/dev/null | grep -E "a href.*AS40027\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do
 echo $net;done;unset netsv4
45.57.40.0/24
45.57.8.0/23
45.57.8.0/24
45.57.9.0/24
2a00:86c0:2008::/47
2a00:86c0:2008::/48
2a00:86c0:2009::/48
2a00:86c0:2040::/48
admin@RT-AC68U:/jffs/scripts#

NOTE: whob may be quicker, insofar as 'curl ipinfo.io' returns 2279 lines of HTML code vs. 429 report lines returned by 'whob whois.radb.net', but it seems to return only 42 subnets vs. 144 from ipinfo.io for AS2906?

P.S. I left out the '#!/bin/sh' line! :p
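The ipinfo.io output above mixes IPv4 and IPv6 prefixes, and an `ipset ... family inet` set rejects the IPv6 ones (and any stray HTML fragment the grep/sed chain lets through). The following is an added example, not code from this thread: it validates such a prefix list before it reaches `ipset add`, splitting it into IPv4 and IPv6 CIDRs and dropping malformed lines. The sample list is constructed from the AS40027 prefixes shown above plus two deliberately bad lines; the set name SPEEDTEST is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: validate a prefix list such as the
# 'curl http://ipinfo.io/AS...' output before feeding it to ipset. The list
# mixes IPv4 and IPv6 prefixes; an 'ipset ... family inet' set rejects the
# IPv6 ones, so split them and drop anything that is not a well-formed CIDR.

# Constructed sample: the AS40027 prefixes shown in the thread plus two
# deliberately malformed lines that must be rejected.
SAMPLE_PREFIXES='45.57.40.0/24
45.57.8.0/23
45.57.8.0/24
45.57.9.0/24
2a00:86c0:2008::/47
2a00:86c0:2008::/48
2a00:86c0:2009::/48
2a00:86c0:2040::/48
999.1.1.0/24
not-a-prefix'

# Keep only well-formed IPv4 CIDRs: four octets in 0-255 and a prefix of 0-32.
filter_ipv4_cidr() {
    awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print $0
        }'
}

# Keep only lines shaped like IPv6 CIDRs (hex groups with at least one colon
# and a prefix of 0-128); the kernel does the strict check on 'ipset add'.
filter_ipv6_cidr() {
    awk -F'/' '
        NF == 2 && $1 ~ /^[0-9a-fA-F:]+$/ && $1 ~ /:/ &&
        $2 ~ /^[0-9]+$/ && $2 <= 128 { print $0 }'
}

# Turn validated prefixes into ipset commands for the given set name.
# '-exist' (ipset v6) makes re-runs silent when a prefix is already present.
ipset_add_commands() {   # setname
    awk -v set="$1" 'NF { print "ipset -exist add " set " " $1 }'
}

# Helpers for the stand-alone demonstration and the checks.
count_ipv4() { printf '%s\n' "$SAMPLE_PREFIXES" | filter_ipv4_cidr | wc -l | tr -d ' '; }
count_ipv6() { printf '%s\n' "$SAMPLE_PREFIXES" | filter_ipv6_cidr | wc -l | tr -d ' '; }

# Demonstration: print the commands that would load the IPv4 set.
printf '%s\n' "$SAMPLE_PREFIXES" | filter_ipv4_cidr | ipset_add_commands SPEEDTEST
```

On the router you would pipe the curl/whob output through `filter_ipv4_cidr` before the `for net in $netsv4` loop, and send the `filter_ipv6_cidr` output to a separate `family inet6` set if you ever route IPv6.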

I wanted to experiment with this. So, I wrote a script that will bypass the VPN and route traffic to specific websites to the WAN. From my brief testing, I found that 'whob whois.radb.net' failed to return all of the IP addresses required for a certain website. I had to add the missing IP address by issuing the nslookup command.

I can confirm that whob is much quicker than the curl method. But perhaps not as accurate.

Code:
#!/bin/sh
# set -xo
#####################################################################################################
# This program is a demo on how to route certain traffic over the WAN.
# For demo purposes, I am using the websites whatismyipaddress.com, whatismyip.com and beta.speedtest.net
# STEP 1
#     copy the following line to /jffs/configs/dnsmasq.conf.add
#        ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
#        ipset=/whatismyip.com/WHATISMYIP
#        ipset=/beta.speedtest.net/SPEEDTEST
#
#     Then issue the command:  service restart_dnsmasq

# Note 1: ipset syntax differs between version 6 and 4.5
#             Syntax for ipset v6
#                ipset create WAN0 list:set
#                ipset add WAN0 setlist (e.g. SPEEDTEST)
#             for routers running ipset v4.5 (check with: ipset -V)
#                ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: Mining domain IP Addresses
#            For the best performance install the entware package whob (e.g. opkg install whob) and use the following code example
#               netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
#            Otherwise, use the curl command. My brief testing has shown this to yield better results:
#               netsv4=`curl http://ipinfo.io/AS16625  2>/dev/null | grep -E "a href.*AS16625\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset netsv4
#
# Note 3: In the event one needs to use IPv6 in the future, the syntax is: ipset -N WHATISMYIP-v6 hash:net family ipv6
#
ipset create WAN0 list:set
ipset create WHATISMYIPADDRESS hash:net family inet hashsize 1024 maxelem 65536
ipset create WHATISMYIP hash:net family inet hashsize 1024 maxelem 65536
ipset create SPEEDTEST hash:net family inet hashsize 1024 maxelem 65536

###################################################################
# Go to https://www.ultratools.com/ to lookup ASN
#######################################################################


#Pull all IPs listed for whatismyipaddress.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add WHATISMYIPADDRESS $net
done
unset netsv4
#Pull all IPs listed for whatismyip.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add WHATISMYIP $net
done
unset netsv4
#Pull all IPs listed for beta.speedtest.net
netsv4=`whob -h whois.radb.net -- '-i origin AS40027' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add SPEEDTEST $net
done
unset netsv4

#########################################################################
# Add domains that you want to use the WAN interface to the WAN0 ipset  #
#########################################################################
ipset add WAN0 WHATISMYIPADDRESS
ipset add WAN0 WHATISMYIP
ipset add WAN0 SPEEDTEST

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
ip rule del prio 9990
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -D PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x7000/0x7000
iptables -A PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x7000/0x7000
 
Hello. I have tried about twenty different ideas in this thread, but either they are out of date, or I am missing some preamble. I need (want) to setup my network so that only attempts to access BBC iPlayer go through my VPN Config 1 (from any client or just my appletv if that is easier). I have tried using policy rules from four ip ranges I found from way back, but the wheel just spins. I have tried to get the current ip ranges, but I am unsure of how to write the ipset command since the / seems to mean a new domain in this case, whereas I need it to mean bbc.co.uk/iplayer. Anyway, if someone could walk me through this like the old man that I am, or better yet, just spell out your own successful settings (and Ip ranges) if you have a similar setup, i'd greatly appreciate it. It's been driving me mad for about 6 months, off and on as I feel like I am getting close then I give up. Thank you.
 
One solution is to find a VPN provider that works with BBC iPlayer. I tested with my provider and did not have any issues.

Identifying the traffic generated by a media streaming channel is where the most work is. You need to watch e.g. tail -f dnsmasq.log file when you start up the iPlayer to see what domain names are being used. Try to minimize other traffic on the network when doing this. Focus on records that have the word "query" in the line and the IP address of the client that is generating traffic to iPlayer.

First, find out where the dnsmasq.log file is located. Issue the commands:

Code:
cat /jffs/configs/dnsmasq.conf.add | grep log-facility

cat /etc/dnsmasq.conf | grep log-facility

Output to a temp file. Extract domain names, delete duplicates and save in file for analysis.

Code:
tail -f dnsmasq.log > temp

ctrl-c (to stop logging to temp)

cat temp | grep query | grep xxx.xxx.xxx.xxx | awk '{ print $6 }' | sort -u > output_file

cat output_file
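The `awk '{ print $6 }'` one-liner above depends on the exact number of fields before the domain name, which shifts with the timestamp format of the dnsmasq build. Below is an added example (mine, not from this thread) that pulls the names one client queried by locating the `query[...]` and `from` tokens instead, drops reverse (PTR) lookups that are never routed, and turns the result into the `ipset=/domain/SET` lines for dnsmasq.conf.add used earlier in the thread, so dnsmasq fills the set itself on every lookup. The log lines, client addresses and the set name BBC are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: extract the domain names one LAN
# client queried from dnsmasq's query log without relying on fixed field
# positions. Assumes the log-queries format 'query[TYPE] name from CLIENT';
# whatever timestamp/syslog prefix the build writes is ignored.

# Constructed sample log lines; the client of interest is 192.168.1.100.
SAMPLE_LOG='Mar  3 20:15:01 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.100
Mar  3 20:15:01 dnsmasq[1234]: forwarded www.bbc.co.uk to 1.1.1.1
Mar  3 20:15:01 dnsmasq[1234]: reply www.bbc.co.uk is 212.58.246.90
Mar  3 20:15:02 dnsmasq[1234]: query[AAAA] www.bbc.co.uk from 192.168.1.100
Mar  3 20:15:02 dnsmasq[1234]: query[A] ibl.api.bbc.co.uk from 192.168.1.100
Mar  3 20:15:03 dnsmasq[1234]: query[A] fonts.googleapis.com from 192.168.1.55
Mar  3 20:15:04 dnsmasq[1234]: query[PTR] 90.246.58.212.in-addr.arpa from 192.168.1.100
Mar  3 20:15:05 dnsmasq[1234]: query[A] emp.bbci.co.uk from 192.168.1.100'

# client_queries CLIENT_IP  (reads log lines on stdin, prints unique names)
client_queries() {
    awk -v client="$1" '
        /query\[/ {
            name = ""; src = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /^query\[/) { name = $(i + 1) }
                else if ($i == "from") { src = $(i + 1) }
            }
            # skip reverse lookups: they are never something you route
            if (src == client && name != "" && name !~ /\.arpa$/) print name
        }' | sort -u
}

# to_dnsmasq_ipset SETNAME  (reads names on stdin, prints dnsmasq.conf.add
# lines; dnsmasq then adds every resolved address for the name and its
# subdomains to the set, so no nslookup loop at boot is needed and CDN
# address changes are picked up automatically)
to_dnsmasq_ipset() {
    awk -v set="$1" 'NF { print "ipset=/" $1 "/" set }'
}

# Wrapper used for the stand-alone demonstration and the checks.
demo_client_names() {
    printf '%s\n' "$SAMPLE_LOG" | client_queries "${1:-192.168.1.100}"
}

# Demonstration: the dnsmasq.conf.add lines for the sample client.
demo_client_names | to_dnsmasq_ipset BBC
```

On the router, replace the sample with the real log: `grep 'query\[' /path/from/log-facility | client_queries 192.168.1.100 | to_dnsmasq_ipset BBC >> /jffs/configs/dnsmasq.conf.add`, review the list for noise such as analytics domains, then `service restart_dnsmasq`.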
 

Thanks, but this also jumps in halfway. First of all, I do not have dnsmasq unless I enable dns filtering. This throws off everything. Is there a way to get it without using dns filtering? Secondly, I cannot look for domains since I cannot correctly set the ipset variable, since the iplayer domain uses a back slash.
 
Is it possible someone else with the iplayer domains can just post them? Sure would be a lot easier and more helpful. I have searched and searched on the internet. The only ones I have found were from 2016 and do not work now:

23.3.13.178
23.3.13.146
178.79.192.0/18
212.58.224.0/19

I appreciate your help, but isn't there a simplified wiki around here for all this that takes people by the hand?
 
Hi, I tried all your suggestions but the second code crashed my WinSCP and erased all my SCP settings.

Can someone please just lay down in writing the current IP ranges for iPlayer?
 
Try these two
Code:
 nslookup www.bbc.co.uk
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.bbc.co.uk
Address 1: 212.58.246.90
Address 2: 212.58.244.66
 
I generated traffic to iPlayer. Following is the list of domain names. The google and scorecardresearch domains may be extra noise. Try it without those first.

a1089.d.akamai.net
ad.crwdcntrl.net
advertising.bbcworldwide.com
api.onedrive.com
b.scorecardresearch.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
cdn.optimizely.com
component.iplayer.api.bbc.co.uk
dcky6u1m8u6el.cloudfront.net
detectportal.firefox.com
e3891.dscf.akamaiedge.net
emp.bbc.co.uk
emp.bbci.co.uk
fonts.googleapis.com
google-analytics.com
googleadapis.l.google.com
ibl.api.bbc.co.uk
ichef.bbci.co.uk
iplayer-web.files.bbci.co.uk
live-ibl-componen-3y285w56k7w5-887784694.eu-west-1.elb.amazonaws.com
live-tvip-componen-poadok30hype-1266449070.eu-west-1.elb.amazonaws.com
mvt.api.bbc.com
mybbc-analytics.files.bbci.co.uk
mybbc.files.bbci.co.uk
nav.files.bbci.co.uk
sa.bbc.co.uk
sb.scorecardresearch.com
search.files.bbci.co.uk
static.bbc.co.uk
static.bbci.co.uk
 
I was able to get it to work over a VPN connection a few times, but most of the time I was blocked due to geolocation, even though my DNS was not leaking. My provider has a solution for a small fee of $4/month or $27.50/year.
Hello,

Thank you for contacting us.

At the moment all of our shared servers have been blocked by BBC.

We are currently able to offer a UK streaming dedicated IP at $4 per month or $27.50 annually (which includes a 50% discount) to bypass this.

Let us know if you're interested in this offer.

Kind regards

PS. Please bear in mind that torrenting is forbidden on streaming IPs

TorGuard Advanced Support
E: support@torguard.net | W: torguard.net
Add us on Twitter: http://www.twitter.com/TorGuard
 
Thanks
 
Thanks for doing this. What were the IP ranges you used? How would you know it was working if you were geoblocked? I get as far as pressing play and the 5 second preamble ad loading but not playing. Then an error that something went wrong. With full VPN it plays fine and with no vpn it says you must be in the UK.
 
Does "full VPN" mean Redirect Internet Traffic = All and Accept DNS Configuration = Exclusive? This setting will not leak your DNS. If policy rules are enabled, DNS leaks :eek:

Here is a more updated list that is working for me. Source is from dnsmasq.log.

a1089.d.akamai.net
a1104.w10.akamai.net
a2.w10.akamai.net
account-origin-live.bbc.net.uk
account.bbc.com
b.scorecardresearch.com
b1rbsov.bidi.live.bbc.co.uk
bbcdotcom.2cnt.net
bootstrapcdn.jdorfman.netdna-cdn.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
cdn.optimizely.com
component.iplayer.api.bbc.co.uk
detectportal.firefox.com
dns.msftncsi.com
dynamic.simpleyoutubeconverter.com
e3891.dscf.akamaiedge.net
e3891.f.akamaiedge.net
emp.bbc.co.uk
emp.bbci.co.uk
fig.bbc.co.uk
fig.bbc.net.uk
fonts.googleapis.com
fonts.gstatic.com
googleadapis.l.google.com
gstaticadssl.l.google.com
ibl.api.bbc.co.uk
ichef.bbci.co.uk
iplayer-web.files.bbci.co.uk
live-ibl-componen-3y285w56k7w5-887784694.eu-west-1.elb.amazonaws.com
live-matc-componen-14ucw7bt4o3x5-61844696.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
live-tvip-componen-poadok30hype-1266449070.eu-west-1.elb.amazonaws.com
maxcdn.bootstrapcdn.com
mm.bidi.bbc.co.uk
music.files.bbci.co.uk
mvt.api.bbc.com
mybbc-analytics.files.bbci.co.uk
mybbc.files.bbci.co.uk
nav.files.bbci.co.uk
navpromo.90fe2324ce3eb149.xhst.bbci.co.uk
navpromo.api.bbci.co.uk
open-live.bbc.net.uk
open.live.bbc.co.uk
polling.bbc.co.uk
preferences.notifications.api.bbc.co.uk
r.bbci.co.uk
sa-live.com
sa.bbc.co.uk
sb.scorecardresearch.com
search.bbc.co.uk
search.bbc.net.uk
search.files.bbci.co.uk
session-origin-live.bbc.net.uk
session.bbc.co.uk
ssl.bbc.co.uk
ssl.bbc.net.uk
static.bbc.co.uk
static.bbci.co.uk
stats.bbc.co.uk
tile-service.weather.microsoft.com
uf2f.com
vod-dash-uk-live.akamaized.net
vod-dash-uk-live.bbcfmt.hs.llnwd.net
vod-thumb-uk-live.akamaized.net
win10.ipv6.microsoft.com
www-bbc-com.bbc.net.uk
www.bbc.co.uk
www.bbc.com
www.bbc.net.uk

Code:
#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -xo
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
do
ipset add OVPNC1 $ip
done

# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

ip route flush cache

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

# Route BBC Player to WAN
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000
done


logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
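The script above deletes and re-adds every rule on each run, which works but silently leaves duplicates if a `-D` ever fails to match and fails loudly when a set already exists. As an added example (mine, not the thread's script) here is the same marking and policy-rule logic written to be safe to re-run from nat-start: sets are created with `-exist`, mangle rules are added only when `iptables -C` says they are missing, and `DRY_RUN=1` prints the commands instead of executing them. It deliberately drops the `-p tcp` so UDP (QUIC, DNS) to the same destinations is marked too. The table numbers (254 = WAN, 111 = VPN Client 1), marks 0x7000/0x1000 and bridge br0 follow the thread; the set names OVPNC1_CLIENTS and BBC_NETS are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's script: idempotent version of the fwmark
# and ipset marking logic from IPSET_VPN_Routing.sh. Re-running it from
# nat-start after every WAN restart never leaves duplicate rules and never
# fails on an existing set. DRY_RUN=1 prints the commands instead of running
# them. Assumed, as in the thread: table 254 = WAN, table 111 = VPN Client 1,
# marks 0x7000 (WAN) and 0x1000 (VPN Client 1), LAN bridge br0.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a hash:net set; '-exist' (ipset v6) keeps it quiet if it is there.
ensure_set() {   # setname
    run ipset -exist create "$1" hash:net family inet hashsize 1024 maxelem 65536
}

# Add a mangle PREROUTING rule only when an identical one is absent:
# 'iptables -C' returns 0 if the rule exists. In dry-run the add is always printed.
ensure_mangle_rule() {
    if [ "$DRY_RUN" = "1" ] || ! iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
        run iptables -t mangle -A PREROUTING "$@"
    fi
}

# Replace a fwmark policy rule: delete every existing copy, then add one.
ensure_fwmark_rule() {   # mark table prio
    if [ "$DRY_RUN" != "1" ]; then
        while ip rule del fwmark "$1" 2>/dev/null; do :; done
    fi
    run ip rule add fwmark "$1" table "$2" prio "$3"
}

# Mark packets *to* the networks in a set. Note the single 'dst' flag: for a
# one-dimension set iptables honours only the first flag, so 'src,dst' would
# test the source address instead.
mark_destinations() {    # setname mark
    ensure_mangle_rule -i br0 -m set --match-set "$1" dst -j MARK --set-mark "$2/$2"
}

# Mark packets *from* the LAN clients listed in a set (client-based routing).
mark_sources() {         # setname mark
    ensure_mangle_rule -i br0 -m set --match-set "$1" src -j MARK --set-mark "$2/$2"
}

install_policy_routing() {
    ensure_set OVPNC1_CLIENTS
    ensure_set BBC_NETS
    ensure_fwmark_rule 0x7000 254 9990
    ensure_fwmark_rule 0x1000 111 9991
    mark_sources OVPNC1_CLIENTS 0x1000     # these clients go out via VPN Client 1
    mark_destinations BBC_NETS 0x7000      # traffic to these networks stays on WAN
    run ip route flush cache
}

# Stand-alone use on the router:
#   sh policyrouting.sh preview   (print the commands)
#   sh policyrouting.sh apply     (install the sets and rules)
case "${1:-}" in
    apply)   install_policy_routing ;;
    preview) DRY_RUN=1; install_policy_routing ;;
esac
```

Populate OVPNC1_CLIENTS and BBC_NETS before or after calling it (from a file as the thread does, or by letting dnsmasq fill BBC_NETS through `ipset=` lines); the rules reference the sets by name, so their contents can change without touching iptables again.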
 
Thanks again. I do not see any place to put in the domain names you suggested in the Policy Rules part of the GUI, so I am taking it that I need to put in the script instead. I see it refers to another script to supplant the domains (scripts/BBCdns) What is contained in that? Do I need to set "Start on WAN" in the VPN Client GUI for this script to load or will it autoload on reboot?
 
I think I missed the part in this thread where it seems to have become obvious that using Policy Rules leaks the DNS. I wasn't aware of that.
 
Anyone able to explain this to me like I'm five? How do you do this if you are starting from a completely formatted Merlin firmware update? Thanks
 
The easiest way to do this is to go to the VPN GUI page and, once you enable policy rules, list the device in the table that you want to bypass the VPN as follows:

Roku 192.168.1.100 0.0.0.0 WAN
others 192.168.2.111 0.0.0.0 VPN...

Then, the Roku player will bypass the VPN. However, if you have other streaming media requirements that require the VPN then this won't work, since all traffic from Roku will go through the WAN! Or, switch providers and pay the extra fee to get a private IP that will allow you to use iPlayer.

I can sometimes get iPlayer to work on my laptop using this hack. But I can't get it to work on Roku
1. Create a VPN Client for a UK VPN server
2. In the WAN GUI, enable Policy rules and set Accept DNS Configuration = Exclusive
3. Run script to route traffic to the various VPN clients
4. In the WAN GUI, disable Policy rules and set to No
The above stops the DNS leak and I can now watch iPlayer over VPN! Policy rules must still be enabled for the other VPN clients.

You have it right. You need to put the list of domain names in BBCdns file. The script will read from the file line by line and issue the iptables command for each domain. You may still need to experiment with the list. There may be other domains that are called if streaming from a media player vs a web page.

Do you have jffs partition formatted and enabled? Do you have SSH enabled? Do you have an SSH client such as WinSCP or MobaXterm?

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://www.htpcguides.com/enable-ssh-asus-routers-without-ssh-keys/ (don't enable access via WAN!)

For now, call the script something meaningful for you e.g. policyrouting.sh. Then, test it out. Once you are happy it is working, you can call the script from nat-start as follows so it runs on boot up.

#!/bin/sh
sh /jffs/scripts/policyrouting.sh
 