Selective Routing with Asuswrt-Merlin

Yes it all plays fine like that.

No, I get nothing from that command.

I factory reset my router before beginning afresh just to eliminate any issues from old configs.
 
Good. That means iPlayer works via the UK tunnels when using IP address selective routing.

For the scripting method to work, you will need to enable custom domain names with dnsmasq. One method is to install AB-Solution. ABS will enable all of the dnsmasq features and necessary files for you.

Or, you can follow the wiki instructions here:
https://github.com/RMerl/asuswrt-merlin/wiki/Custom-domains-with-dnsmasq

Once dnsmasq is installed, we can collect the list of ip addresses used by iPlayer using the ipset method. Please perform the following:

Code:
ipset create IPLAYER hash:net family inet hashsize 1024 maxelem 65536

nano /jffs/configs/dnsmasq.conf.add

and add this line:

Code:
ipset=/bbc.co.uk/www.bbc.co.uk/IPLAYER

bounce dnsmasq:
Code:
service restart_dnsmasq

Start watching iPlayer on your Apple TV and browse their website. Select as many options as you can to generate traffic. Also, issue these commands to generate more IP addresses:
Code:
nslookup bbc.co.uk 
nslookup www.bbc.co.uk

When done generating traffic and lookups, review the list of IP addresses created for iPlayer traffic.
Code:
ipset -L IPLAYER
 
Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2108
References: 0
Number of entries: 33
Members:
212.58.244.79
212.58.244.71
212.58.246.79
77.72.112.213
52.85.83.80
212.58.244.80
52.85.83.163
52.85.83.150
212.58.246.110
52.85.83.108
52.85.83.239
212.58.246.109
52.85.83.134
212.58.246.95
212.58.246.111
77.72.116.213
212.58.244.23
52.85.83.194
52.85.83.187
52.85.83.116
212.58.246.78
52.85.83.197
52.85.83.188
77.72.118.173
77.72.116.173
52.85.83.208
77.72.118.213
52.85.83.210
52.85.83.105
212.58.244.78
52.85.83.228
212.58.244.22
52.85.83.183


and nslookup has:
Name: bbc.co.uk
Address 1: 2001:41c1:4008::bbc:1 vip-zoneapex-001.live.telhc.bbc.co.uk
Address 2: 212.58.244.23
Address 3: 212.58.246.78
Address 4: 212.58.246.79
Address 5: 212.58.244.22
admin@RT-AC68U-8230:/tmp/home/root# nslookup www.bbc.co.uk
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name: www.bbc.co.uk
Address 1: 212.58.244.71 bbc-vip116.telhc.bbc.co.uk
Address 2: 212.58.246.95 bbc-vip016.cwwtf.bbc.co.uk
 
I just tried putting in these 3 ranges into the policy rules GUI, which covers all those IPs:

52.85.83.0/24
77.72.112.0/19
212.58.224.0/19

But iPlayer fails to play. I guess I am jumping ahead of myself.

Edit: Got some more IPs but still no luck.
Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2556
References: 0
Number of entries: 41
Members:
212.58.244.79
212.58.244.71
212.58.246.79
77.72.112.213
52.85.83.80
212.58.244.80
52.85.83.163
54.230.199.205
54.230.199.245
52.85.83.150
212.58.246.110
54.230.199.195
52.85.83.108
54.230.199.28
52.85.83.239
212.58.246.109
52.85.83.134
212.58.246.95
212.58.246.111
77.72.116.213
54.230.199.249
212.58.244.23
52.85.83.194
52.85.83.187
54.230.199.12
52.85.83.116
212.58.246.78
52.85.83.197
52.85.83.188
54.230.199.136
77.72.118.173
77.72.116.173
52.85.83.208
77.72.118.213
52.85.83.210
54.230.199.248
52.85.83.105
212.58.244.78
52.85.83.228
212.58.244.22
52.85.83.183
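Before typing summary ranges into the policy rules GUI it is worth checking two things: whether every mined address really falls inside them, and how many addresses the summaries admit in total, because a /19 steers far more than the BBC's own hosts into the tunnel. The script below is an added example, not from this thread or from Asuswrt-Merlin. It uses the three ranges from the post above and a constructed subset of the second IPLAYER listing; it is POSIX sh arithmetic only, so it also runs on the router's ash.

```shell
#!/bin/sh
# Added example (not from this thread or from Asuswrt-Merlin): audit a set of
# summary prefixes against the addresses actually mined via dnsmasq/ipset.
# Prints every mined address that none of the prefixes covers, and the total
# number of addresses the prefixes admit.  POSIX sh arithmetic only.

# The three summaries tried in the policy rules GUI above.
SUMMARY_PREFIXES='52.85.83.0/24 77.72.112.0/19 212.58.224.0/19'

# Constructed sample: a subset of the second IPLAYER listing above.
MINED_ADDRS='212.58.244.79 212.58.246.79 77.72.112.213 52.85.83.80
54.230.199.205 54.230.199.245 212.58.246.110 54.230.199.195 77.72.118.173 52.85.83.183'

# ip2int: dotted quad to a 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains PREFIX ADDR: succeeds when ADDR lies inside PREFIX (a.b.c.d/n)
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# prefix_size PREFIX: number of addresses the prefix admits
prefix_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# uncovered "PREFIXES" "ADDRS": print each address that no prefix covers
uncovered() {
    for addr in $2; do
        hit=0
        for pfx in $1; do
            if cidr_contains "$pfx" "$addr"; then
                hit=1
                break
            fi
        done
        [ "$hit" -eq 0 ] && echo "$addr"
    done
    return 0
}

# total_admitted "PREFIXES": how many addresses the summaries would route
total_admitted() {
    total=0
    for pfx in $1; do
        total=$(( total + $(prefix_size "$pfx") ))
    done
    echo "$total"
}

echo "Mined addresses outside all summaries:"
uncovered "$SUMMARY_PREFIXES" "$MINED_ADDRS"
echo "Addresses the summaries admit in total: $(total_admitted "$SUMMARY_PREFIXES")"
```

Run over the second listing above it reports the 54.230.199.x entries as outside all three ranges, while the three ranges together admit 16640 addresses to route a few dozen hosts. On the router, replace the two sample variables with the contents of your policy rules and of `ipset -L IPLAYER`.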
 
The challenge is identifying the IP addresses or domain names.

Thanks for trying thru the web gui though.

I was able to tunnel to UK and mined a larger list of ip addresses.
Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2836
References: 0
Number of entries: 47
Members:
212.58.246.90
52.18.183.74
212.58.246.109
212.58.244.215
52.18.216.98
54.229.34.151
34.250.133.37
52.210.71.57
34.252.65.162
212.58.244.67
52.17.209.18
52.209.115.140
54.229.213.180
54.72.107.191
54.154.177.105
52.31.59.194
212.58.246.91
212.58.244.81
212.58.232.65
104.81.9.36
176.34.132.170
212.58.244.115
52.49.97.51
52.16.221.145
212.58.244.22
34.248.16.230
212.58.246.203
212.58.246.213
52.19.105.245
52.213.158.82
212.58.244.23
52.214.135.167
34.251.12.243
52.50.247.145
52.31.207.163
212.58.244.66
212.58.246.78
34.252.184.215
212.58.227.225
212.58.246.79
52.50.136.22
212.58.244.114
212.58.246.212
212.58.246.112
34.249.5.74
52.51.252.38
212.58.244.78

I will start a new post for the next steps.
 
Copy the list of IP addresses that were mined and copy them to /jffs/scripts/IPLAYER.
Add whatismyipaddress.com to the IPLAYER ipset in dnsmasq, e.g. ipset=/whatismyipaddress.com/bbc.co.uk/www.bbc.co.uk/IPLAYER
Then issue service restart_dnsmasq. Do an nslookup on whatismyipaddress.com. Remove your laptop from the VPN GUI and apply changes. Remove your laptop IP address from the /jffs/scripts/OVPNC1 file. We want it to default to WAN. You can go to another geo IP tracking site to determine your WAN location. whatismyipaddress.com should report a location in the UK.

Run this script:

Code:
#!/bin/sh
logger -t "($(basename "$0"))" "$$ Starting IPSET_VPN_Routing.sh $0${*:+ $*}"
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
ipset create IPLAYER hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
    do
        ipset add OVPNC1 $ip
    done

# extract IPLAYER ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/IPLAYER)
    do
        ipset add IPLAYER $ip
    done

# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

ip route flush cache

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

# Route iPlayer traffic to VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000

logger -t "($(basename "$0"))" "$$ Ending IPSET_VPN_Routing.sh $0${*:+ $*}"
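The script reads /jffs/scripts/IPLAYER with `awk '{ print $1 }'`, one address per line, but `ipset -L` prints a header block before the members and, as the nslookup output earlier shows, lookups can also return IPv6 answers that a `family inet` set will reject. The function below turns the `ipset -L` listing into that file format, keeping only well-formed IPv4 addresses or prefixes, dropping duplicates and sorting numerically so two captures can be diffed. It is an added example, not from this thread or from Asuswrt-Merlin; the sample listing is a constructed, shortened copy of the IPLAYER output above with a malformed line, a duplicate and an IPv6 address added to show what gets filtered.

```shell
#!/bin/sh
# Added example (not from this thread or from Asuswrt-Merlin): convert
# `ipset -L SETNAME` output into the one-address-per-line file that the
# routing script reads with awk '{ print $1 }' /jffs/scripts/IPLAYER.

# Constructed sample: shortened `ipset -L IPLAYER` output plus three lines
# (a duplicate, a malformed address and an IPv6 address) that must be dropped.
SAMPLE_IPSET_OUTPUT='Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2108
References: 0
Number of entries: 6
Members:
212.58.244.79
52.85.83.80
212.58.244.79
999.1.1.1
2001:41c1:4008::bbc:1
77.72.112.0/19'

# ipset_members: read `ipset -L` text on stdin, print the valid IPv4 members
# (addresses or a.b.c.d/n prefixes), de-duplicated and sorted numerically.
ipset_members() {
    awk '
        # everything after the "Members:" header is an entry
        /^Members:/ { in_members = 1; next }
        !in_members { next }
        {
            entry = $1
            n = split(entry, parts, "/")
            if (n > 2) next
            if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) next
            if (split(parts[1], o, "\\.") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print entry
        }
    ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n | uniq
}

# ipset_member_count: number of valid entries in the sample listing
ipset_member_count() {
    printf '%s\n' "$SAMPLE_IPSET_OUTPUT" | ipset_members | wc -l | tr -d ' '
}

# On the router (assumption: the set already exists):
#   ipset -L IPLAYER | ipset_members > /jffs/scripts/IPLAYER
printf '%s\n' "$SAMPLE_IPSET_OUTPUT" | ipset_members
```

Keeping the file sorted also makes it easy to see, with `diff`, which addresses a later mining session added, which is the step the thread goes through by hand above.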
 
Sorry, I get lost when you say remove laptop from GUI and from OVPNC1 but then say whatismyipaddress should show UK (presumably from the laptop browser). It shows US and I can't see how it would show UK if I removed that laptop from the policy rules?

In any case, I have run that script, if by run you mean choose Execute from the right click menu in WinSCP. The Apple TV is still able to browse iPlayer, but that is because the policy rule is still there for the Apple TV to send all its traffic through the tunnel. (Removing that rule in the GUI for the Apple TV stops iPlayer again).
 
I meant delete the policy routing for your laptop in the OpenVPN web gui and delete it from /jffs/scripts/OVPNC1. Also, type: ipset del OVPNC1 xxx.xxx.xxx.xxx where x's are your IP address for the laptop. Bounce VPN Client. We want to test if you default to the WAN but the lookup to whatismyipaddress.com goes to UK.

Change
Code:
# Route iPlayer traffic to VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000
to
Code:
# Route iPlayer traffic to VPN Client 1
iptables -D PREROUTING -t mangle -m set --match-set IPLAYER dst -j MARK --set-mark 0x1000/0x1000
iptables -A PREROUTING -t mangle -m set --match-set IPLAYER dst -j MARK --set-mark 0x1000/0x1000
Rerun the script.

What does whatismyipaddress.com report?
 
Whatismyipaddress reports WAN IP. As I said before there is no reason for it to report anything differently since your previous request was for me to remove all mention of my laptop IP from the script and from policy rules.
 
Code:
ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

I asked a similar question on a different thread - posting it to a more relevant thread. Why am I receiving No chain/target/match by that name?

Code:
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set AmazonPrime dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
 
Since we listed the IP addresses of whatismyipaddress.com in the IPLAYER ipset, I was hoping the system would have routed the request via the VPN tunnel and reported the UK location and not the WAN, even though your laptop is on the WAN. So, there is an issue with the script or another setting. Let me review my scripts and do some testing on my end.
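One check worth running before bouncing clients and refreshing geo-location pages: every mark that an `iptables ... -A ... --set-mark 0xNNNN` line applies needs a matching `ip rule add fwmark 0xNNNN table ...`, otherwise the marked packets simply fall through to the default table. The first iPlayer script in this thread applies 0x2000 to IPLAYER traffic but only creates rules for 0x7000 and 0x1000, which is exactly what the "Change ... to" correction above fixes. The script below is an added example, not from this thread or from Asuswrt-Merlin: a static lint over a routing script's text, using only grep, awk and sort. The sample is a constructed copy of the mark-related lines of that first script; the file name /jffs/scripts/IPSET_VPN_Routing.sh in the usage comment is taken from the logger lines and is an assumption about where you keep it.

```shell
#!/bin/sh
# Added example (not from this thread or from Asuswrt-Merlin): check that every
# fwmark applied by iptables has an "ip rule" routing it, and that every rule
# corresponds to a mark something actually applies.  grep/awk/sort only.

# Constructed sample: the mark-related lines of the first iPlayer script above.
SAMPLE_SCRIPT='ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set IPLAYER src,dst -j MARK --set-mark 0x2000/0x2000'

# marks_set SCRIPT_TEXT: marks applied by iptables -A lines (-D lines only
# remove rules), without the /mask part, lower-cased, one per line, unique
marks_set() {
    printf '%s\n' "$1" | grep -E '^iptables .* -A .*--set-mark' |
        grep -oE 'set-mark 0x[0-9a-fA-F]+' | awk '{ print tolower($2) }' | sort -u
}

# marks_ruled SCRIPT_TEXT: marks that an "ip rule add ... fwmark" line routes
marks_ruled() {
    printf '%s\n' "$1" | grep -E '^ip rule add .*fwmark' |
        grep -oE 'fwmark 0x[0-9a-fA-F]+' | awk '{ print tolower($2) }' | sort -u
}

# marks_without_rule SCRIPT_TEXT: marks applied by iptables that no ip rule routes
marks_without_rule() {
    ruled=" $(marks_ruled "$1" | tr '\n' ' ')"
    for m in $(marks_set "$1"); do
        case "$ruled" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
    return 0
}

# rules_without_mark SCRIPT_TEXT: ip rules for marks that nothing applies
rules_without_mark() {
    applied=" $(marks_set "$1" | tr '\n' ' ')"
    for m in $(marks_ruled "$1"); do
        case "$applied" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
    return 0
}

# On the router (assumed path):
#   marks_without_rule "$(cat /jffs/scripts/IPSET_VPN_Routing.sh)"
echo "marks applied but never routed: $(marks_without_rule "$SAMPLE_SCRIPT")"
echo "rules for marks never applied:  $(rules_without_mark "$SAMPLE_SCRIPT")"
```

The check only reads the script; to confirm what the running kernel actually has, compare its output against `ip rule` and `iptables -t mangle -L PREROUTING -n` on the router.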
 
OK, thanks.
It could also be that I am not rerunning the script properly as I do not know the proper commands to do that. I have just been executing from the right click menu in WinSCP.
 
This was the first script I ran. It assigns clients to OVPNC1 or OVPNC2:
Code:
#!/bin/sh
logger -t "($(basename "$0"))" "$$ Starting IPSET_VPN_Routing.sh $0${*:+ $*}"
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC2 hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
   do
       ipset add OVPNC1 $ip
   done

# extract OVPNC2 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC2)
   do
       ipset add OVPNC2 $ip
   done

# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992

#VPN Client 3
ip rule del fwmark 0x3000
ip rule add fwmark 0x3000 table 113 prio 9993

ip route flush cache

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
# WAN
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# VPN Client 1
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

# VPN Client 2
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC2 src,dst -j MARK --set-mark 0x2000/0x2000

# VPN Client 3
# Note: this script never creates the OVPNC3 ipset, so iptables will reject
# these two rules unless that set already exists on the router
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000

# Route SlingTV Domain Names to VPN Client 2
# iptables resolves each host name once, when the rule is inserted, so these
# rules only cover the addresses returned at that moment
for DNS in $(awk '{ print $1 }' /jffs/scripts/slingtvdns)
   do
     iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
     iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
   done

logger -t "($(basename "$0"))" "$$ Ending IPSET_VPN_Routing.sh $0${*:+ $*}"

Using the script below, I was able to route my whatismyipaddress.com and beta.speedtest.net traffic to Client 3 in UK while my IP defaults everything else to Client 1.

Code:
#!/bin/sh
# Uncomment the line below for debugging
# set -x
#####################################################################################################
# This program is a demo on how to route certain traffic over the WAN.
# For demo purposes, I am using the websites whatismyipaddress.com, whatismyip.com and beta.speedtest.net
# STEP 1
#     copy the following line to /jffs/configs/dnsmasq.conf.add
#        ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
#        ipset=/whatismyip.com/WHATISMYIP
#        ipset=/beta.speedtest.net/SPEEDTEST
#
#     Then issue the command:  service restart_dnsmasq

# Note1: ipset syntax differs between version 6 and 4.5
#             Syntax for ipset v6
#                ipset create WAN0 list:set
#                ipset add WAN0 setlist (e.g. SPEEDTEST)
#             for routers running ipset v4.5 (ipset -V)
#                ipset -N WAN0 setlist (e.g. SPEEDTEST)
#
# Note 2: Mining domain IP Addresses
#            For the best performance install entware package whob (e.g. opkg install whob) and use the following code example
#               netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
#            Otherwise, use the curl command. My brief testing has shown this to yield better results:
#               netsv4=`curl http://ipinfo.io/AS16625  2>/dev/null | grep -E "a href.*AS16625\/" | sed 's/^.*\">//; s/<.*//; /^\s*$/d'`;for net in $netsv4;do echo $net;done;unset netsv4
#
# Note 3: In the event one needs to use IPv6 in the future, the syntax is: ipset -N WHATISMYIP-v6 hash:net family ipv6
#
ipset create WAN0 list:set
ipset create WHATISMYIPADDRESS hash:net family inet hashsize 1024 maxelem 65536
ipset create WHATISMYIP hash:net family inet hashsize 1024 maxelem 65536
ipset create SPEEDTEST hash:net family inet hashsize 1024 maxelem 65536

###################################################################
# use nslookup www.website.com to find ip address. Then, go to
# https://www.ultratools.com/ to lookup ASN
#######################################################################


#Pull all IPs listed for whatismyipaddress.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS16625' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add WHATISMYIPADDRESS $net
done
unset netsv4
#Pull all IPs listed for whatismyip.com on radb.net
netsv4=`whob -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add WHATISMYIP $net
done
unset netsv4
#Pull all IPs listed for beta.speedtest.net
netsv4=`whob -h whois.radb.net -- '-i origin AS40027' | grep -Eo "([0-9.]+){4}/[0-9]+"`
for net in $netsv4
do
  ipset add SPEEDTEST $net
done
unset netsv4

#########################################################################
# Add domains that you want to use the WAN interface to the WAN0 ipset list #
#########################################################################
ipset add WAN0 WHATISMYIPADDRESS
ipset add WAN0 WHATISMYIP
ipset add WAN0 SPEEDTEST

###########################################################
#Create table to contain items added automatically by wan #
###########################################################
#ip rule del prio 9990
#ip rule add from 0/0 fwmark 0x7000 table main prio 9990
iptables -D PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x3000/0x3000
iptables -A PREROUTING -t mangle -m set --match-set WAN0 dst -j MARK --set-mark 0x3000/0x3000

logger -t "($(basename "$0"))" "$$ Ending IPSET_VPN_Routing.sh $0${*:+ $*}"

At first, it did not work. I had to bounce all of the VPN clients by selecting the Apply button and giving it a few seconds after the bounce was completed. whatismyipaddress.com resolved right away. It took three screen refreshes on beta.speedtest.net before it routed to UK tunnel.

Route iPlayer traffic to UK VPN
Code:
#!/bin/sh
logger -t "($(basename "$0"))" "$$ Starting IPSET_VPN_Routing.sh $0${*:+ $*}"
# Uncomment the line below for debugging
# set -x

# Route BBC Player to VPN Client 3
# iptables resolves each host name once, at insertion time; rerun the script
# if the names start resolving to other addresses
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
    do
      iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
      iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
    done

logger -t "($(basename "$0"))" "$$ Ending IPSET_VPN_Routing.sh $0${*:+ $*}"

I am able to watch iPlayer on my laptop while my geo location remains US! :D

dnsmasq.conf.add
Code:
ipset=/whatismyipaddress.com/WHATISMYIPADDRESS
ipset=/whatismyip.com/WHATISMYIP
ipset=/beta.speedtest.net/SPEEDTEST
ipset=/www.bbc.co.uk/www.bbc.co.uk/IPLAYER

I took some backups of the settings and files. I will leave my config as is for the time being. Breaking the scripts apart was helpful so I could focus on getting one piece of functionality working and tested before adding more layers.
 
So I should replace the IPLAYER script with the one you have here? What about changing the Client 3 to Client 1? Do I change anything else in the script?

Maybe it's easier for me to just fix what was wrong in the old script, but I do not know what you discovered.
 
You will have a WAN and OVPNC1 (UK) with fwmarks 0x7000 and 0x1000 respectively.

For your purposes, I would revise the first script to reference WAN (0x7000) and OVPNC1 (0x1000). Change the second script to route whatismyipaddress.com to OVPNC1 (0x1000). In the third script, you need to change it to route traffic to OVPNC1, the 0x1000 fwmark. You can leave the domain name lookup sections as they are for now. I had populated my ipset using the domain names earlier, so the contents of IPLAYER I posted earlier should already contain them. Or, remove these sections and see if it works for you:

Code:
for domain_name in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
    do
      echo "domain name:" $domain_name
      # busybox nslookup prints "Address N: <ip> <host>" lines after "Name:";
      # keep only IPv4 answers, since the IPLAYER set is family inet
      for ip in $(nslookup $domain_name | awk '/^Name:/,0{if (/^Addr/ && $3 ~ /^[0-9.]+$/) print $3}'); do
        echo "ip address is:" $ip
        ipset add IPLAYER $ip
      done
    done

# Route BBC Player to VPN Client 3
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
    do
      iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
      iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x3000
    done

There is still fine tuning required. Running the routing for iPlayer broke my routing for SlingTV. I would need to do some more testing and refinement of the domain names and/or ipset list to resolve it. I may work on it as this has been interesting. I probably captured some roku domain names when I was trying to get it to work on Roku that need to be removed. The iPlayer channel on Roku is not supported for North American units so that is why it probably does not work for me. I had to load it as a private channel.

Like I said earlier, this is where the brunt of the work is and a lot of trial and error.

I would keep the scripts separate for now using my examples until you have it working for you. Then modify one script at a time and test before you update the next script. Once you have all the pieces working, you can combine or keep separate.

For example, in the first script, you want to put your laptop in the WAN and perhaps your tablet or phone in OVPNC1. Then test: if you go to whatismyipaddress.com with your laptop and it reports a WAN location and the tablet a UK location, then everything is working.

Then, on the second script, test to see if whatismyipaddress.com reports your geo location as UK. Go to another geo IP tracking site and see if your IP address reports as USA. Then that part is working. This is where I had to bounce the VPN clients.

And on the third one, see if you can watch videos on iPlayer without getting a geo location error message.

BTW, to run a script from the command line when you are in its directory:

./scriptname.sh

or

sh scriptname.sh
 
Once the list of domain names can be refined and tested, you can probably accomplish everything using this script. It will default all of your traffic to the WAN and send iPlayer traffic to the UK VPN tunnel.

Code:
#!/bin/sh
logger -t "($(basename "$0"))" "$$ Starting IPSET_VPN_Routing.sh $0${*:+ $*}"
# Uncomment the line below for debugging
# set -x
ipset create LAN_GW hash:net family inet hashsize 1024 maxelem 65536
ipset create OVPNC1 hash:net family inet hashsize 1024 maxelem 65536

# extract LAN ip addresses
ipset add LAN_GW $(nvram get lan_ipaddr)

# extract OVPNC1 ip addresses
for ip in $(awk '{ print $1 }' /jffs/scripts/OVPNC1)
    do
        ipset add OVPNC1 $ip
    done


# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

ip route flush cache

###########################################################
# LAN to WAN devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

# LAN to VPN Client 1 devices
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

# Route BBC iPlayer Domain Names to VPN Client 1 (fwmark 0x1000)
# iptables resolves each host name once, at insertion time
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
    do
      iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
      iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x1000
    done

logger -t "($(basename "$0"))" "$$ Ending IPSET_VPN_Routing.sh $0${*:+ $*}"
 
@Xentrk I'm trying the same scripts but receiving the No chain/target match by that name. What am I doing wrong?

Thanks
 
The copy and paste phantom does it every time! Check the contents of your ipset lists, e.g. ipset -L setname
And issue the command to check the fwmarks were created: ip rule

I always get that message the first time I run the script as the -D option deletes the chain. If I have not run the script yet, there is nothing for the command to remove, thus the error message. But, the -A option will add it. If I run the script a second time, it finds the matching chain and the iptables -D deletes the chain. Thus, no error message.
 
I was also able to configure pfSense to do the same thing this morning. Although the technique is different. No scripting is required. It was all done thru the web gui.

I first created a firewall alias called SlingTV for all of the SlingTV domain names. A copy and paste from the excel spreadsheet made it easy! The utility in pfSense converts the domain names to ip addresses when it is saved. I then created a firewall rule on the LAN interface to route any outbound traffic containing the firewall alias called SlingTV to use the LA VPN Server Gateway. If anyone wants to know how to do it on pfSense, let me know. I will post a how to in the pfsense forums in the next day or two.
Hi, I'm a complete noob here, but I started looking into policy-based routing to route Sling TV traffic through a VPN. I'm interested in how you did this using pfSense. Any help would be greatly appreciated.
 

Okay I'm following post #548 instructions. I've got everything working but this step is giving me an error.

Code:
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

I've copy/pasted it as well as typed it out, but constantly getting:
Code:
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.

I have AC68U with 380.68 FW and iptables v1.4.14.

Any help will be appreciated. Thanks.
 
