Selective Routing with Asuswrt-Merlin

Hi Xentrk, I am also getting the same fault everywhere in that latest script.
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ awk { print $1 } /jffs/scripts/IPLAYER
+ iptables -t mangle -D PREROUTING -i br0 -d 212.58.246.90 -j MARK --set-mark 0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -d 212.58.246.90 -j MARK --set-mark 0x1000
... etc....etc
 
I restarted my VPN Client and reran the script. A lot fewer errors this time, but still some:

+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
 
Hi, I’m a complete noob here, but I started looking into policy-based routing to route Sling TV traffic through a VPN. I’m interested in how you did this using pfSense. Any help would be greatly appreciated.
You can start by reading this series of articles.
https://www.infotechwerx.com/blog/Creating-Policy-Route-to-Send-All-Traffic-Host-Through-OpenVPN

Update:
Here is the link to my post in the pfSense forum on how to set it up.

I have a smaller list being used on one router and I updated another with additional domain names I just mined.
 
It is normal to get that message for the row with the D the first time you run the script. There is no iptables to delete as it has not been created yet.

Make sure you do not have any non-unix characters in the script when you copied and pasted. Issue the command

dos2unix scriptname.sh where the latter is the name of the script.

Did the fwmarks get created? Type
ip rule

Is the OpenVPN Client on with Traffic set to Policy Rules (Strict)?
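
The reply above separates the expected failure of a `-D` line on a first run from the failures that matter. As an added example (not code from the thread), this script sorts an `sh -x` trace of the routing script into those groups and names the sets whose `-A` rules were rejected. The function names and the sample trace are constructed for illustration; `192.0.2.10` is a documentation address.

```shell
#!/bin/sh
# Added example: triage an "sh -x" trace of the selective-routing script.
# A failed -D is expected when the rule was never created; a failed -A means
# the rule is not installed, so traffic for that set is not being marked.

# triage_log [FILE]  (reads stdin when FILE is omitted)
triage_log() {
    awk '
    # Count one traced iptables command; failed=1 if the error line followed.
    function classify(cmd, failed,    n, f, i, op, set) {
        n = split(cmd, f, " ")
        for (i = 1; i <= n; i++) {
            if (f[i] == "-A" || f[i] == "-D") op = f[i]
            if (f[i] == "--match-set") set = f[i + 1]
        }
        if (!failed)    { ok++; return }
        if (op == "-D") { benign++; return }
        if (set != "") {
            if (!(set in seen)) {
                seen[set] = 1
                sets = sets (sets == "" ? "" : ",") set
            }
            setfail++
            return
        }
        otherfail++
    }
    # A new traced command: the previous one (if any) produced no error.
    /^\+ iptables / { if (cmd != "") classify(cmd, 0); cmd = $0; next }
    # The error line belongs to the command traced immediately before it.
    /^iptables: No chain\/target\/match by that name/ {
        if (cmd != "") classify(cmd, 1)
        cmd = ""
        next
    }
    # Any other line (for example the traced awk call) ends the pending command.
    { if (cmd != "") classify(cmd, 0); cmd = "" }
    END {
        if (cmd != "") classify(cmd, 0)
        printf "ok=%d benign_delete=%d append_failed_set=%d append_failed_other=%d sets=%s\n",
               ok, benign, setfail, otherfail, sets
    }' "${1:--}"
}

# Constructed sample in the shape of the traces posted in this thread.
sample_log() {
    cat <<'EOF'
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ awk { print $1 } /jffs/scripts/IPLAYER
+ iptables -t mangle -D PREROUTING -i br0 -d 192.0.2.10 -j MARK --set-mark 0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -d 192.0.2.10 -j MARK --set-mark 0x1000
EOF
}

sample_log | triage_log
```

A non-zero `append_failed_set` together with `ok` counts for the plain `-d` rules shows that only the set-based rules are being rejected.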
 

It is set to Strict. See results:
Code:
admin@RT-AC68U:/tmp/home/root# ip rule
0: from all lookup local
9990: from all fwmark 0x7000 lookup main
10101: from 192.168.1.121 lookup ovpnc1
10102: from 192.168.1.150 lookup ovpnc1
10103: from 192.168.1.106 lookup ovpnc1
10104: from 192.168.1.118 lookup ovpnc1
10105: from 192.168.1.104 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

admin@RT-AC68U:/tmp/home/root# iptables -nvL PREROUTING --line -t mangle
Chain PREROUTING (policy ACCEPT 2372K packets, 2282M bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1     761K 1013M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2        0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3    27836 2469K MARK       all  --  !ppp0  *       0.0.0.0/0            171.912.312.118         MARK or 0x8000
 
Please summarize your objective and post the latest version of the code you are using. Thanks.
 
Okay I'm following post #548 instructions. I've got everything working but this step is giving me an error.

Code:
iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

I've copy/pasted it as well as typed it out, but constantly getting:
Code:
admin@RT-AC68U:/tmp/home/root# iptables -A PREROUTING -t mangle -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.

I have AC68U with 380.68 FW and iptables v1.4.14.

Any help will be appreciated. Thanks.
try
Code:
iptables -t mangle -A PREROUTING -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
Note that -t mangle must come before the -A/-D command
 
Thanks Jack, good catch.

And note the differences in iptables commands. One is using an IP address to specify the fwmark to use and the other is using a list of domain names.

Code:
# VPN Client 3
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC3 src,dst -j MARK --set-mark 0x3000/0x3000

# Route SlingTV Domain Names to VPN Client 2
for DNS in $(awk '{ print $1 }' /jffs/scripts/slingtvdns)
   do
     iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
     iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x2000
   done
 
@Xentrk I'm trying the use case posted in 548. Not using a script, entering it directly to test functionality first.

@Jack Yaz thanks, but same result :

Code:
admin@RT-AC68U:/tmp/home/root# iptables -t mangle -A PREROUTING -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name
 
Try this one:
Code:
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000

Does the ipset list return any values?
Code:
ipset -L Hulu
 
Thanks - same result. Am I missing something very trivial?

Code:
admin@RT-AC68U:/tmp/home/root# iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
 
What does this return?
Code:
iptables -t mangle -nvL
 
Please check the contents of your ipset list.
 
@Jack Yaz see results:

Code:
admin@RT-AC68U:/tmp/home/root# iptables -t mangle -nvL
Chain PREROUTING (policy ACCEPT 748K packets, 793M bytes)
 pkts bytes target     prot opt in     out     source               destination       
 282K  374M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
    0     0 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
27836 2469K MARK       all  --  !ppp0  *       0.0.0.0/0            171.96.31.11         MARK or 0x8000
Chain INPUT (policy ACCEPT 330K packets, 403M bytes)
 pkts bytes target     prot opt in     out     source               destination       
Chain FORWARD (policy ACCEPT 418K packets, 389M bytes)
 pkts bytes target     prot opt in     out     source               destination       
45205   49M MARK       all  --  *      br0     192.168.1.0/24       192.168.1.0/24       MARK xset 0x1/0x7
Chain OUTPUT (policy ACCEPT 160K packets, 43M bytes)
 pkts bytes target     prot opt in     out     source               destination       
Chain POSTROUTING (policy ACCEPT 578K packets, 432M bytes)
 pkts bytes target     prot opt in     out     source               destination       
Chain BWDPI_FILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination

@Xentrk see Ipset -L

Code:
Name: Hulu
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 540
References: 0
Number of entries: 4
Members:
104.27.193.92
104.27.192.92
23.34.217.198
104.106.28.127
 
For comparison purposes, here are my ip rules.

Code:
0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup ovpnc1
9992:   from all fwmark 0x2000 lookup ovpnc2
9993:   from all fwmark 0x3000 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

Here are the commands used to create them.

Code:
# WAN
ip rule del fwmark 0x7000
ip rule add fwmark 0x7000 table 254 prio 9990

#VPN Client 1
ip rule del fwmark 0x1000
ip rule add fwmark 0x1000 table 111 prio 9991

#VPN Client 2
ip rule del fwmark 0x2000
ip rule add fwmark 0x2000 table 112 prio 9992

#VPN Client 3
ip rule del fwmark 0x3000
ip rule add fwmark 0x3000 table 113 prio 9993

ip route flush cache

iptables using Hulu ipset list

Code:
iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set Hulu dst -j MARK --set-mark 0x7000/0x7000
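
One way to make the `ip rule` and `iptables` commands above safe to rerun and to report which precondition failed, as an added example that is not part of the original post. The function names and the `IPT`/`IPSET`/`IP` override variables are assumptions made here, and the script assumes the router's iptables supports `-C` (rule check).

```shell
#!/bin/sh
# Added example: idempotent install of the fwmark policy rule and the
# set-based MARK rule used in this thread.
# IPT/IPSET/IP can be pointed at stubs to exercise the logic off-router.
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
IP=${IP:-ip}

# ensure_fwmark_rule MARK TABLE PRIO
# Adds the policy rule only when no rule for MARK is listed yet, so reruns
# do not pile up duplicate "fwmark" entries in the "ip rule" output.
ensure_fwmark_rule() {
    if "$IP" rule show | grep -q "fwmark $1 lookup"; then
        echo "rule-present"
        return 0
    fi
    "$IP" rule add fwmark "$1" table "$2" prio "$3" || { echo "rule-failed"; return 1; }
    "$IP" route flush cache
    echo "rule-added"
}

# mark_by_set SET MARK
# Prints one of: set-missing, already-present, added, rejected.
mark_by_set() {
    set_name=$1
    mark=$2
    # 1. The set must exist before a rule can reference it.
    if ! "$IPSET" -L "$set_name" >/dev/null 2>&1; then
        echo "set-missing"
        return 2
    fi
    rule="PREROUTING -i br0 -p tcp -m set --match-set $set_name dst -j MARK --set-mark $mark/$mark"
    # 2. -C tests for an identical rule, which avoids the delete-then-add
    #    pattern and its expected error on a first run.
    #    Word splitting of $rule is intended.
    if "$IPT" -t mangle -C $rule 2>/dev/null; then
        echo "already-present"
        return 0
    fi
    # 3. Append. A failure here with the set present means the rule itself
    #    was refused, so the set contents are not the problem.
    if "$IPT" -t mangle -A $rule 2>/dev/null; then
        echo "added"
        return 0
    fi
    echo "rejected"
    return 3
}

# Usage on the router (values taken from the post above):
#   ensure_fwmark_rule 0x7000 254 9990
#   mark_by_set Hulu 0x7000
```

A `rejected` result for a set that `ipset -L` lists successfully matches the situation reported in this thread, where the Hulu set has four members but shows `References: 0`.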
 
Hi, there were no non-Unix characters. Here is the output from ip rule:
/jffs/scripts$ ip rule
0: from all lookup local
9990: from all fwmark 0x7000 lookup main
9991: from all fwmark 0x1000 lookup ovpnc1
10101: from 192.168.1.175 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

Yes, policy rules are set to strict.
I reran the script a few times but still those errors show up:
Code:
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000
iptables: No chain/target/match by that name.
+ iptables -t mangle -D PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
+ iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000
iptables: No chain/target/match by that name.
and needless to say the script doesn't work.
 
What should I still have for the Policy Rules? Should I have 0.0.0.0 set for the Appltv ip? Or should the policy rules fields be blank?

Either way it isn't working properly. With 0.0.0.0 everything goes through VPN as you'd expect, as if the script doesn't exist, and if Policy rules are blank, nothing goes through the VPN, as if script doesn't exist.
 
Be aware that Linux is case sensitive.
 
