Selective Routing with Asuswrt-Merlin

[Rappy]

You first need to check that you enabled dnsmasq logging. Did you specify a dnsmasq.log file location in /jffs/configs/dnsmasq.conf.add? e.g. log-facility=/jffs/logs/dnsmasq.log

I put log-facility=/jffs/logs/dnsmasq.log in my dnsmasq.conf.add file and then restarted the service. However nothing gets created in that location. Am i missing something?

 

[Xentrk]

I put log-facility=/jffs/logs/dnsmasq.log in my dnsmasq.conf.add file and then restarted the service. However nothing gets created in that location. Am i missing something?

What are the contents of /tmp/etc/dnsmasq.conf? Is there a log-facility specified there?

 

[john9527]

I put log-facility=/jffs/logs/dnsmasq.log in my dnsmasq.conf.add file and then restarted the service. However nothing gets created in that location. Am i missing something?

Did you make a /jffs/logs directory? It won't make the directory if it doesn't exist.

 

[Rappy]

What are the contents of /tmp/etc/dnsmasq.conf? Is there a log-facility specified there?

Yes, /jffs/logs/dnsmasq.log

 

[Rappy]

Did you make a /jffs/logs directory? It won't make the directory if it doesn't exist.

Yes I made the directory. I didn't make the file though.

 

[Xentrk]

Please double check the settings with the instructions in the wiki just to be safe.

If not present in the dnsmasq.conf file, add these two lines after the log-facility line:

log-async
log-queries

Followed by

service restart_dnsmasq

 

[Rappy]

Please double check the settings with the instructions in the wiki just to be safe.

If not present in the dnsmasq.conf file, add these two lines after the log-facility line:

log-async
log-queries

Followed by

service restart_dnsmasq

That did it! Thanks. Now where were we?

 

[Rappy]

Im back at this:

Code:
#!/bin/sh
#set -xo
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/tmp/mnt/absolution/adblocking/logs/$1
output_file=$source_file"_output"
cat $source_file | grep query | grep 192.168.22.152 | awk '{ print $6 }' | sort -u > $output_file
#cat $source_file | grep cached | awk '{ print $6 }' | sort -u > $output_file

But when I run it, it says error on line 1 : no code. If I try to run

tail -f dnsmasq.log > logfile

it just crashes my WinSCP. However when I log back in, I see a logfile created next to dnsmasq.log. I do not know why the source file in your code is referring to adblocking? I have changed that to just this logfile at /jffs/logs/

Here is the exact code of my getdomainnames.sh script in case its wrong.

Code:
#!/bin/sh
#set -xo
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/jffs/logs/$1
output_file=$source_file"_output"
cat $source_file | grep query | grep 192.168.1.175 | awk '{ print $6 }' | sort -u > $output_file
#cat $source_file | grep cached | awk '{ print $6 }' | sort -u > $output_file

And when I run it
/jffs/scripts$ sh getdomainnames.sh logfile
getdomainnames.sh: line 1: Code:: not found

Still this error.

dnsmasq.log seems to be populated now, but not by much to be honest, just a few DHCP
requests and stuff like that.

 

[Xentrk]

Im back at this:

Code:
#!/bin/sh
#set -xo
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/tmp/mnt/absolution/adblocking/logs/$1
output_file=$source_file"_output"
cat $source_file | grep query | grep 192.168.22.152 | awk '{ print $6 }' | sort -u > $output_file
#cat $source_file | grep cached | awk '{ print $6 }' | sort -u > $output_file

But when I run it, it says error on line 1 : no code. If I try to run

tail -f dnsmasq.log > logfile

it just crashes my WinSCP. However when I log back in, I see a logfile created next to dnsmasq.log. I do not know why the source file in your code is referring to adblocking? I have changed that to just this logfile at /jffs/logs/

Here is the exact code of my getdomainnames.sh script in case its wrong.

Code:
#!/bin/sh
#set -xo
# This script will format the output of tail -f dnsmasq.log > logfile
# where logfile is the output of tail -f dnsmasq.log
#  1. extract records whose contents contain the word "query"
#  2. output only the domain name
#  3. sort file for unique contents to elimnate duplicates
#  4. save to $1_output
#
# Parameters Passed
# $1 = provide the name of the source file when running the script
#     e.g. ./getdomainnames.sh logfile
#
source_file=/jffs/logs/$1
output_file=$source_file"_output"
cat $source_file | grep query | grep 192.168.1.175 | awk '{ print $6 }' | sort -u > $output_file
#cat $source_file | grep cached | awk '{ print $6 }' | sort -u > $output_file

And when I run it
/jffs/scripts$ sh getdomainnames.sh logfile
getdomainnames.sh: line 1: Code:: not found

Still this error.

dnsmasq.log seems to be populated now, but not by much to be honest, just a few DHCP
requests and stuff like that.

The reason my dnsmasq.log file directory is different is because I am using AB-Solution to block ads. When combined with Asuswrt-Merlin, it makes a surfing the web a much better experience! The log is written to a USB drive, which is something I recommend. Writing log files to the /jffs directory is not recommended to avoid wearing it out. But let's focus on getting it working first.

You can always remove the comment from the set -xo line to get more verbose output to determine the error.

Changing the code to match your location is the change that is required. e.g. /jffs/logs/dnsmasq.log.

Are you in a SSH session when you enter the tail -f command? It shouldn't crash the SSH client.

Here is how I run it. Directory locations will differ since your log file is in /jffs/logs/dnsmasq.log.

1. Navigate to the dnsmasq.log file location

cd /tmp/mnt/absolution/adblocking/logs

2. tail the dnsmasq.log file while watching streaming media:

 tail -f dnsmasq.log > temp

Hit ctrl-C to stop logging to temp

3. Navigate to /jffs/scripts directory or have another session open and run the getdomainnames.sh script. Provide the file name as a parameter:

./getdomainnames.sh temp

Here are the Raw contents of temp

 cat temp

Oct  7 07:00:30 dnsmasq[21978]: reply e13290.e4.akamaiedge.net is 23.48.240.187
Oct  7 07:00:31 dnsmasq[21978]: query[A] cbd46b77.cdn.cms.movetv.com from 192.168.22.157
Oct  7 07:00:31 dnsmasq[21978]: cached cbd46b77.cdn.cms.movetv.com is <CNAME>
Oct  7 07:00:31 dnsmasq[21978]: cached 2-01-4d34-0008.cdx.cedexis.net is <CNAME>
Oct  7 07:00:31 dnsmasq[21978]: cached cbd46b77.cdn.cms.movetv.com.c.footprint.net is 8.253.129.218
Oct  7 07:00:31 dnsmasq[21978]: cached cbd46b77.cdn.cms.movetv.com.c.footprint.net is 8.254.243.232
Oct  7 07:00:34 dnsmasq[21978]: query[A] dns.msftncsi.com from 127.0.0.1
Oct  7 07:00:34 dnsmasq[21978]: cached dns.msftncsi.com is 131.107.255.255
Oct  7 07:00:39 dnsmasq[21978]: query[A] dns.msftncsi.com from 127.0.0.1
Oct  7 07:00:39 dnsmasq[21978]: cached dns.msftncsi.com is 131.107.255.255
Oct  7 07:00:40 dnsmasq[21978]: query[A] aptime.movetv.com from 192.168.22.157
Oct  7 07:00:40 dnsmasq[21978]: forwarded aptime.movetv.com to 104.223.91.194
Oct  7 07:00:41 dnsmasq[21978]: reply aptime.movetv.com is 67.21.50.65
Oct  7 07:00:41 dnsmasq[21978]: query[A] dishpurchasingcorporation.d1.sc.omtrdc.net from 192.168.22.157
Oct  7 07:00:41 dnsmasq[21978]: forwarded dishpurchasingcorporation.d1.sc.omtrdc.net to 104.223.91.194
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.139.1
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.139.211
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.138.197
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.139.209
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.138.199
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.138.198
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.139.210
Oct  7 07:00:41 dnsmasq[21978]: reply dishpurchasingcorporation.d1.sc.omtrdc.net is 66.235.139.2

Here are the contents of temp_output after running the getdomainnames.sh script:

#cat temp_output

aptime.movetv.com
cbd46b77.cdn.cms.movetv.com
dishpurchasingcorporation.d1.sc.omtrdc.net

 

[Raspy]

The reason my dnsmasq.log file directory is different is because I am using AB-Solution to block ads. When combined with Asuswrt-Merlin, it makes a surfing the web a much better experience! The log is written to a USB drive, which is something I recommend. Writing log files to the /jffs directory is not recommended to avoid wearing it out. But let's focus on getting it working first.

Hi Xentrk. This is Rappy, with a new, slightly more aggrieved username. It appears I have been banned from this site by cloudflare. It happened when I was entering in the code for what is in my temp file, as I tried writing a PM to you and at the exact same moment of pasting the code that page was also blocked.

Anyway, the temp file output doesn't contain much. It only contains a few references to time warner cable in a different state to me. This is after I browsed the iPlayer on the AppleTV for a while with the VPN off and with no policy rules.

Temp_output was created, but it is completely empty.

 

[Xentrk]

Hi Xentrk. This is Rappy, with a new, slightly more aggrieved username. It appears I have been banned from this site by cloudflare. It happened when I was entering in the code for what is in my temp file, as I tried writing a PM to you and at the exact same moment of pasting the code that page was also blocked.

Anyway, the temp file output doesn't contain much. It only contains a few references to time warner cable in a different state to me. This is after I browsed the iPlayer on the AppleTV for a while with the VPN off and with no policy rules.

Temp_output was created, but it is completely empty.

You can put the code in pastebin.com and send a link. Doesn’t the vpn to UK need to be turned on though with your device set to use the UK tunnel? Do a tail or cat on the dnsmasq.log file for clues. Look for the IP address of the Apple TV for example.

 

[Rappy]

You can put the code in pastebin.com and send a link. Doesn’t the vpn to UK need to be turned on though with your device set to use the UK tunnel? Do a tail or cat on the dnsmasq.log file for clues. Look for the IP address of the Apple TV for example.

I switched the VPN on again but still no more stuff in the temp file nor the dnsmasq.log

https://pastebin.com/raw/jCN4qbnw

Thats from the latest attempt. It doesn't have anything related to the ip of my Apple TV.

I guess, I'm about ready to give up on this. I just can't believe no one with an Apple TV has tried to do this and can't help out with the domain list.

 

[Xentrk]

I switched the VPN on again but still no more stuff in the temp file nor the dnsmasq.log

https://pastebin.com/raw/jCN4qbnw

Thats from the latest attempt. It doesn't have anything related to the ip of my Apple TV.

I guess, I'm about ready to give up on this. I just can't believe no one with an Apple TV has tried to do this and can't help out with the domain list.

I am not sure why dnsmasq is not logging your traffic. The ASUS I was testing all of this on since we started is now bricked and I have to return it for RMA tomorrow. So I will be very limited in helping for the short term. I have a back up of the scripts I wrote and will need to transfer them to the other AC88U later today. I wanted to look at my dnsmasq.conf file to see if there is anything else we may have missed.

Before giving up, I recommend that you install AB-Solution https://www.ab-solution.info/. That is what I use and the dnsmasq functionality for logging is already built it. It also includes some utilities to follow the dnsmasq.log file as it is being used. @thelonelycoder provides excellent support. Once installed, you will have the ability to log and mine the domain names.

 

[Rappy]

I am not sure why dnsmasq is not logging your traffic. The ASUS I was testing all of this on since we started is now bricked and I have to return it for RMA tomorrow. So I will be very limited in helping for the short term. I have a back up of the scripts I wrote and will need to transfer them to the other AC88U later today. I wanted to look at my dnsmasq.conf file to see if there is anything else we may have missed.

Before giving up, I recommend that you install AB-Solution https://www.ab-solution.info/. That is what I use and the dnsmasq functionality for logging is already built it. It also includes some utilities to follow the dnsmasq.log file as it is being used. @thelonelycoder provides excellent support. Once installed, you will have the ability to log and mine the domain names.

Oh dear. Sorry to hear that. Hopefully I didn't contribute to that. I thought Asus routers were mainly unbrickable nowadays.

I think I'm going to try a new avenue. Setup an ad-hoc network from Apple TV to laptop then scan domains with little snitch.

 

[Xentrk]

Oh dear. Sorry to hear that. Hopefully I didn't contribute to that. I thought Asus routers were mainly unbrickable nowadays.

I think I'm going to try a new avenue. Setup an ad-hoc network from Apple TV to laptop then scan domains with little snitch.

I am stumped as to why the log-queries line is not logging your DNS queries. Is the "Log DHCP queries" -option under LAN/DHCP Server on the web GUI turned on?

These options should have got it working:

log-queries
    Log the results of DNS queries handled by dnsmasq. 

log-facility=<facility>
    Set the facility to which dnsmasq will send syslog entries.

 

[Rappy]

I am stumped as to why the log-queries line is not logging your DNS queries. Is the "Log DHCP queries" -option under LAN/DHCP Server on the web GUI turned on?

These options should have got it working:

log-queries
    Log the results of DNS queries handled by dnsmasq.

log-facility=<facility>
    Set the facility to which dnsmasq will send syslog entries.

There is no such option under my UI. There is instead a Hide DHCP/RA queries option, which is set to No.

 

[Rappy]

Is the "Log DHCP queries" -option under LAN/DHCP Server on the web GUI turned on?

Here is a screenshot of my options, maybe another is wrong.

https://imgur.com/a/pRhyq

 

[Xentrk]

Here is a screenshot of my options, maybe another is wrong.

https://imgur.com/a/pRhyq

Turn on Advertise router's IP in addition to user-specified DNS and see if that works.

 

[kman]

This was the first script I ran. It assigns clients to OVPNC1 or OVPNC2...

Hi @Xentrk from the above post, I tried executing the script but for both of these lines:

iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set LAN_GW src,dst -j MARK --set-mark 0x7000/0x7000

iptables -t mangle -A PREROUTING -i br0 -p tcp -m set --match-set OVPNC1 src,dst -j MARK --set-mark 0x1000/0x1000

I received:
iptables: No chain/target/match by that name.

To recap, this is my configuration:

1. On VPN Client GUI page, set Accept DNS Configuration = Exclusive
2. Redirect Internet Traffic = Policy Rules (Strict)
3. All entries from the policy routing table have been removed and Create NAT on tunnel is set to Yes.
4. I have specified the VPN clients in the OVPNC1 file to list the ip address of the devices that will go thru the VPN.

I have verified the IPSET lists are populate for OVPNC1 and WAN_GW. The IP RULE confirms the rules are created. But issuing the above -t mangle command just throws iptables: No chain/target/match by that name.

Can something be blocking this script from running or creating the PREROUTING for LAN_GW/OVPNC1?

 

[Rappy]

Turn on Advertise router's IP in addition to user-specified DNS and see if that works.

I'm afraid that does nothing.