Good. That means iPlayer works via the UK tunnels when using IP address selective routing.

Yes it all plays fine like that.
No, I get nothing from that command.
I factory reset my router before beginning afresh just to eliminate any issues from old configs.
ipset create IPLAYER hash:net family inet hashsize 1024 maxelem 65536
nano /jffs/configs/dnsmasq.conf.add
ipset=/bbc.co.uk/www.bbc.co.uk/IPLAYER
service restart_dnsmasq
nslookup bbc.co.uk
nslookup www.bbc.co.uk
ipset -L IPLAYER
The challenge is identifying the IP addresses or domain names.

I just tried putting these 3 ranges into the policy rules GUI, which cover all those IPs:
52.85.83.0/24
77.72.112.0/19
212.58.224.0/19
But iPlayer fails to play. I guess I am jumping ahead of myself.
Edit: Got some more IPs but still no luck.
Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2556
References: 0
Number of entries: 41
Members:
212.58.244.79
212.58.244.71
212.58.246.79
77.72.112.213
52.85.83.80
212.58.244.80
52.85.83.163
54.230.199.205
54.230.199.245
52.85.83.150
212.58.246.110
54.230.199.195
52.85.83.108
54.230.199.28
52.85.83.239
212.58.246.109
52.85.83.134
212.58.246.95
212.58.246.111
77.72.116.213
54.230.199.249
212.58.244.23
52.85.83.194
52.85.83.187
54.230.199.12
52.85.83.116
212.58.246.78
52.85.83.197
52.85.83.188
54.230.199.136
77.72.118.173
77.72.116.173
52.85.83.208
77.72.118.213
52.85.83.210
54.230.199.248
52.85.83.105
212.58.244.78
52.85.83.228
212.58.244.22
52.85.83.183
#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
ipset create IPLAYER hash:net family inet hashsize 1024 maxelem 65536
# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)
# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
do
ipset add OVPNC1 $ip
done
# extract IPLAYER ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/IPLAYER)
do
ipset add IPLAYER $ip
done
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache
###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
# Route iPlayer traffic to VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
I meant delete the policy routing for your laptop in the OpenVPN web gui and delete it from /jffs/scripts/OVPNC1. Also, type: ipset del OVPNC1 xxx.xxx.xxx.xxx where the x's are your IP address for the laptop. Bounce VPN Client. We want to test if you default to the WAN but the lookup to whatismyipaddress.com goes to UK.

Sorry, I get lost when you say remove the laptop from the GUI and from OVPNC1 but then say whatismyipaddress should show UK (presumably from the laptop browser). It shows US and I can't see how it would show UK if I removed that laptop from the policy rules?
In any case, I have run that script, if by run you mean choose Execute from the right-click menu in WinSCP. The Apple TV is still able to browse iPlayer, but that is because the policy rule is still there for the Apple TV to send all its traffic through the tunnel. (Removing that rule in the GUI for the Apple TV stops iPlayer again.)
Change
Code:
# Route iPlayer traffic to VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
to
Code:
# Route iPlayer traffic to VPN Client 1
iptables -D PREROUTING -t mangle -m set --match-set IPLAYER dst -j MARK --set-mark 0x1000/0x1000
iptables -A PREROUTING -t mangle -m set --match-set IPLAYER dst -j MARK --set-mark 0x1000/0x1000
Rerun the script. What does whatismyipaddress.com report?

Whatismyipaddress reports the WAN IP. As I said before, there is no reason for it to report anything differently since your previous request was for me to remove all mention of my laptop IP from the script and from the policy rules.
Code:
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set AmazonPrime dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
Since we listed the IP addresses of whatismyipaddress.com in the IPLAYER ipset, I was hoping the system would have routed the request via the VPN tunnel and reported the UK location and not the WAN, even though your laptop is on the WAN. So, there is an issue with the script or another setting. Let me review my scripts and do some testing on my end.

OK, thanks.
#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC2 hash:net family inet hashsize 1024 maxelem 65536
# OVPNC3 is referenced by the VPN Client 3 rules below, so it must exist too
ipset create OVPNC3 hash:net family inet hashsize 1024 maxelem 65536
# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)
# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
do
ipset add OVPNC1 $ip
done
# extract OVPNC2 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC2)
do
ipset add OVPNC2 $ip
done
# extract OVPNC3 ip addresses (assumes a /jffs/scripts/OVPNC3 list in the same format as OVPNC1/OVPNC2)
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC3)
do
ipset add OVPNC3 $ip
done
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992
#VPN Client 3
ip rule del fwmark 0x3000
ip rule add fwmark 0x3000 table 113 prio 9993
ip route flush cache
###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
# VPN Client 2
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000
# VPN Client 3
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000
# Route SlingTV Domain Names to VPN Client 2
for DNS in $(awk '{ print $1 }' /jffs/scripts/slingtvdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
done
logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
#!/bin/sh
# Uncomment the line below for debugging
# set -x
#####################################################################################################
# This program is a demo on how to route certain traffic over the WAN.
# For demo purposes, I am using the websites whatismyipaddress.com, whatismyip.com and beta.speedtest.net
# STEP 1
# copy the following line to /jffs/configs/dnsmasq.conf.add
# ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
# ipset=/whatismyip.com/WHATISMYIP
# ipset=/beta.speedtest.net/SPEEDTEST
#
# Then issue the command: service restart_dnsmasq
# Note1: ipset syntax differs between version 6 and 4.5
# Syntax for ipset v6
# ipset create WAN0 list:set
# ipset add WAN0 setlist (e.g. SPEEDTEST)
# for routers running ipset v4.5 (ipset -V)
# ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: Mining domain IP Addresses
# For the best performance install entware package whob (e.g. opkg install whob) and use the following code example
# netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
# Otherwise, use the curl command. My brief testing has shown this to yield better results:
# netsv4=`curl http://ipinfo.io/AS16625 2>/dev/null | grep -E "a href.*AS16625\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset netsv4
#
# Note 3: In the event one needs to use IPv6 in the future, the syntax is: ipset create WHATISMYIP-v6 hash:net family inet6
#
ipset create WAN0 list:set
ipset create WHATISMYIPADDRESS hash:net family inet hashsize 1024 maxelem 65536
ipset create WHATISMYIP hash:net family inet hashsize 1024 maxelem 65536
ipset create SPEEDTEST hash:net family inet hashsize 1024 maxelem 65536
###################################################################
# use nslookup www.website.com to find ip address. Then, go to
# https://www.ultratools.com/ to lookup ASN
#######################################################################
#Pull all IPs listed for whatismyipaddress.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add WHATISMYIPADDRESS $net
done
unset netsv4
#Pull all IPs listed for whatismyip.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add WHATISMYIP $net
done
unset netsv4
#Pull all IPs listed for beta.speedtest.net
netsv4=`whob -h whois.radb.net -- '-i origin AS40027' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
ipset add SPEEDTEST $net
done
unset netsv4
#########################################################################
# Add domains that you want to use WAN inteface to the WAN0 ipset list #
#########################################################################
ipset add WAN0 WHATISMYIPADDRESS
ipset add WAN0 WHATISMYIP
ipset add WAN0 SPEEDTEST
###########################################################
#Create table to contain items added automatically by wan #
###########################################################
#ip rule del prio 9990
#ip rule add from 0/0 fwmark 0x7000 table main prio 9990
# NOTE: in the routing script above, 0x3000 is the VPN Client 3 mark (table 113). To send the WAN0
# sets over the WAN as the header describes, mark with 0x7000 and use the two ip rule lines above
# (or rely on the 0x7000 -> table 254 rule the routing script already installs).
iptables -D PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x3000/0x3000
iptables -A PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x3000/0x3000
logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
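The ASN prefix mining in Note 2 above is the fragile part of this demo: the grep pulls any CIDR-looking token out of the whois reply, and the bare ipset create fails on the second run. What follows is an added example (my code, not the script author's) that takes only route: attributes from the RADB reply, skips route6: objects, and uses -exist so the loader can be re-run. It assumes the RPSL layout returned by whois -h whois.radb.net -- '-i origin ASnnnn', which is the same data the whob call above fetches; the function names, the IPSET variable and the sample objects are mine. One caveat the thread does not spell out: routing by origin ASN steers every prefix that ASN announces, so AS13335 (used above for whatismyip.com) is all of Cloudflare's address space, not one site.

```shell
#!/bin/sh
# Added example, not code from the thread: load the IPv4 prefixes that RADB
# lists for an origin ASN into an ipset. It assumes the RPSL layout that
# "whois -h whois.radb.net -- '-i origin ASnnnn'" returns (one attribute per
# line, "route:" / "route6:" objects). Set IPSET to a logging shim for a dry run.
IPSET=${IPSET:-ipset}

# Print each distinct IPv4 prefix from RPSL objects on stdin, once.
# Only the "route:" attribute is used, so a CIDR-looking string inside a
# descr:/remarks: line is not picked up, and route6: objects are skipped
# because the target set is created with "family inet".
radb_routes_v4() {
    awk '$1 == "route:" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ && !seen[$2]++ { print $2 }'
}

# Create SET if missing and add every prefix RADB has for ASN.
# "-exist" keeps both calls repeatable, so the loader can run from
# firewall-start as often as needed without "already exists" errors.
# The third argument lets the caller swap the whois client (whob, a file, ...).
load_asn_into_set() {      # load_asn_into_set SET ASN [WHOIS-COMMAND]
    set_name=$1; asn=$2; whois_cmd=${3:-whois -h whois.radb.net --}
    $IPSET -exist create "$set_name" hash:net family inet hashsize 1024 maxelem 65536
    $whois_cmd "-i origin $asn" | radb_routes_v4 | while read -r net; do
        $IPSET -exist add "$set_name" "$net"
    done
}

# Live run only when explicitly requested (needs root, ipset and whois):
#   LOAD_ASN=1 sh this_script.sh
if [ "${LOAD_ASN:-0}" = 1 ]; then
    load_asn_into_set WHATISMYIPADDRESS AS16625
fi
```

Pipe the output of whob or a saved whois reply through radb_routes_v4 first and eyeball the prefix count before letting it into a routing set; a single mis-typed ASN silently redirects a large block of the Internet through the chosen tunnel.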
#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -x
# Route BBC Player to VPN Client 3
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
done
logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
ipset=/whatismyip.com/WHATISMYIP
ipset=/beta.speedtest.net/SPEEDTEST
ipset=/bbc.co.uk/IPLAYER
# Resolve each domain in /jffs/scripts/BBCdns and add its IPv4 addresses to the IPLAYER set.
# The inner loop must use $domain_name; the original passed $DNS, which is not this loop's variable.
for domain_name in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
echo "domain name:" $domain_name
for ip in $(nslookup $domain_name | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
echo "ip address is:" $ip
ipset add IPLAYER $ip
done
done
# Route BBC Player to VPN Client 3
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
done
#!/bin/sh
logger -t "($(basename $0))" $$ Starting IPSET_VPN_Routing.sh..." $0${*:+ $*}."
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)
# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
do
ipset add OVPNC1 $ip
done
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
ip route flush cache
###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
# LAN to VPN Client 1 devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
# Route BBC iPlayer Domain Names to VPN Client 1 (mark 0x1000 -> table 111 above)
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
done
logger -t "($(basename $0))" $$ Ending IPSET_VPN_Routing.sh..." $0${*:+ $*}."
The copy and paste phantom does it every time! Check the contents of your ipset lists, e.g. ipset -L setname

@Xentrk I'm trying the same scripts but receiving the "No chain/target/match by that name" error. What am I doing wrong?
Thanks
Hi, I'm a complete noob here, but I started looking into policy based routing to route Sling TV traffic through a VPN. I'm interested in how you did this using pfSense. Any help would be greatly appreciated.

I was also able to configure pfSense to do the same thing this morning, although the technique is different. No scripting is required; it was all done through the web gui.
I first created a firewall alias called SlingTV for all of the SlingTV domain names. A copy and paste from the Excel spreadsheet made it easy! The utility in pfSense converts the domain names to IP addresses when it is saved. I then created a firewall rule on the LAN interface to route any outbound traffic matching the firewall alias called SlingTV to use the LA VPN Server Gateway. If anyone wants to know how to do it on pfSense, let me know. I will post a how-to in the pfSense forums in the next day or two.
The copy and paste phantom does it every time! Check the contents of your ipset lists, e.g. ipset -L setname
And issue command to check fwmarks were created: ip rule
I always get that message the first time I run the script, as the -D option deletes the chain. If I have not run the script yet, there is nothing for the command to remove, thus the error message. But the -A option will add it. If I run the script a second time, it finds the matching chain and the iptables -D deletes it. Thus, no error message.
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
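The DNS-resolution fragment earlier and the first-run -D error discussed just above both come down to scripts that are not safe to re-run. The following is an added example (my code, not any poster's) that resolves a domain list into an ipset and installs the MARK rule idempotently. It assumes a busybox or glibc nslookup on the router, the LAN bridge br0, and the thread's convention that fwmark 0x1000 selects table 111 (VPN Client 1); the IPSET/IPTABLES variables and the function names are mine. It goes beyond the thread in two ways: it handles both nslookup output layouts, and it tests for the rule with iptables -C instead of blindly deleting it first.

```shell
#!/bin/sh
# Added example, not a poster's script: resolve domain names into an ipset and
# install the PREROUTING MARK rule so the whole thing can be re-run safely.
# Assumptions: busybox or glibc nslookup, LAN bridge br0, and the thread's
# fwmark 0x1000 -> table 111 (VPN Client 1) convention. IPSET/IPTABLES can be
# pointed at shims for a dry run.
IPSET=${IPSET:-ipset}
IPTABLES=${IPTABLES:-iptables}

# Print the IPv4 answers from nslookup output on stdin. Handles both the
# busybox layout ("Address 1: 212.58.244.71") and the glibc one
# ("Address: 212.58.244.71"), skips the resolver's own address that precedes
# the "Name:" line, and drops AAAA answers because the set is "family inet".
ipv4_from_nslookup() {
    awk '
        /^Name:/ { seen = 1; next }
        seen && /^Address/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $i
        }'
}

# Add every IPv4 answer for DOMAIN to SET, creating the set if needed.
# "-exist" makes create/add repeatable, unlike the bare "ipset create" in
# the thread's scripts, which errors on the second run.
load_domain_into_set() {   # load_domain_into_set SET DOMAIN
    set_name=$1; domain=$2
    $IPSET -exist create "$set_name" hash:net family inet hashsize 1024 maxelem 65536
    nslookup "$domain" 2>/dev/null | ipv4_from_nslookup | while read -r ip; do
        $IPSET -exist add "$set_name" "$ip"
    done
}

# Append the MARK rule only if an identical one is not already present.
# Checking with -C instead of running -D first avoids the
# "No chain/target/match by that name" message on a fresh boot and can
# never leave two copies of the rule behind.
ensure_mark_rule() {       # ensure_mark_rule SET FLAGS FWMARK
    set_name=$1; flags=$2; mark=$3
    if ! $IPTABLES -t mangle -C PREROUTING -i br0 -m set --match-set "$set_name" "$flags" \
            -j MARK --set-mark "$mark/$mark" 2>/dev/null; then
        $IPTABLES -t mangle -A PREROUTING -i br0 -m set --match-set "$set_name" "$flags" \
            -j MARK --set-mark "$mark/$mark"
    fi
}

# Route traffic *to* the named domains via the table that FWMARK selects.
# The set holds server addresses, so the rule must test "dst": a hash:net
# set has one dimension and only the first --match-set flag is used, so a
# "src,dst" rule compares the LAN client's source address against the
# server set and never matches.
route_domains_by_mark() {  # route_domains_by_mark SET FWMARK DOMAIN...
    set_name=$1; mark=$2; shift 2
    for domain in "$@"; do
        load_domain_into_set "$set_name" "$domain"
    done
    ensure_mark_rule "$set_name" dst "$mark"
}

# Live run only when asked for explicitly (needs root, ipset and iptables):
#   ROUTE_DOMAINS=1 sh this_script.sh
if [ "${ROUTE_DOMAINS:-0}" = 1 ]; then
    route_domains_by_mark IPLAYER 0x1000 bbc.co.uk www.bbc.co.uk
fi
```

Two things to keep in mind. The addresses are a snapshot taken when the script runs; CDN-backed sites such as iPlayer hand out different answers over time, so the dnsmasq ipset= line earlier in the thread, which feeds the set from live lookups, is the durable approach and this loader is only a bootstrap. And the rule matches dst for the reason given in the comment: a one-dimensional set ignores everything after the first flag, which is why the IPLAYER rule in the thread only started working once it was changed from src,dst to dst.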