Selective Routing with Asuswrt-Merlin

The easiest way to do this is to go to the VPN GUI page and, once you enable policy rules, list the device in the table that you want to bypass the VPN as follows

Roku 192.168.1.100 0.0.0.0 WAN
others 192.168.2.111 0.0.0.0 VPN...

Then, the Roku player will bypass VPN. However, if you have other streaming media requirements that require VPN then this won't work since all traffic from Roku will go thru the WAN! Or, switch providers and pay the extra fee to get a private IP that will allow you to use iPlayer.

I can sometimes get iPlayer to work on my laptop using this hack. But I can't get it to work on Roku
1. Create a VPN Client for a UK VPN server
2. In the WAN GUI, enable Policy rules and set Accept DNS Configuration = Exclusive
3. Run script to route traffic to the various VPN clients
4. In the WAN GUI, disable Policy rules and set to No
The above stops the DNS leak and I can now watch iPlayer over VPN! Policy rules must still be enabled for the other VPN clients.

You have it right. You need to put the list of domain names in BBCdns file. The script will read from the file line by line and issue the iptables command for each domain. You may still need to experiment with the list. There may be other domains that are called if streaming from a media player vs a web page.

Do you have jffs partition formatted and enabled? Do you have SSH enabled? Do you have an SSH client such as WinSCP or MobaXterm?

https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://www.htpcguides.com/enable-ssh-asus-routers-without-ssh-keys/ (don't enable access via WAN!)

For now, call the script something meaningful for you. Then, test it out. Once you are happy it is working, you can call the script from nat-start as follows.

#!/bin/sh
sh /jffs/scripts/policyrouting.sh

What is this script then? /jffs/scripts/OVPNC1
Is this something created by your policyrouting.sh script? Or do I need to create it and fill it with something?
The BBCdns script also seems to be created by your policyrouting script. Do I definitely need to create that with the domains you have found?
 
That is a file containing the IP addresses of the clients I want to go thru OpenVPN Client 1. You have to create it yourself. You need to assign static IP address to each client. BBCdns is a text file containing the iPlayer domain names.

admin@RT-AC88U:/jffs/scripts# cat OVPNC1
192.168.1.150
192.168.1.151
192.168.1.153
192.168.1.154
192.168.1.155
192.168.1.156
192.168.1.157
192.168.1.158
192.168.1.170

admin@RT-AC88U:/jffs/scripts# cat BBCdns
a1089.d.akamai.net
a1104.w10.akamai.net
a2.w10.akamai.net
account-origin-live.bbc.net.uk
account.bbc.com
b.scorecardresearch.com
b1rbsov.bidi.live.bbc.co.uk
bbcdotcom.2cnt.net
bootstrapcdn.jdorfman.netdna-cdn.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
cdn.optimizely.com....
 
No. It is a text file.
I have the OVPN file with my appletv IP
I have the BBCdns with all the domains,
I have the policyrouting.sh and nat-start.sh scripts with shebangs and with proper permissions (0777) and I have made them executable.
However despite this, everything on my network still goes through the VPN and there is no filtering. What am I doing wrong?
This is the case if I set Redirect Internet Traffic to No, or Yes.
 
If I set Redirect to use Policy Rules, it just does the regular thing of sending ALL apple tv traffic through the VPN. Basically the script is not working at all.
 
1. On VPN Client gui page, set Accept DNS Configuration = Exclusive.
2. Redirect Internet Traffic = Policy Rules (Strict)
3. Delete all entries in the policy routing table! You will use the OVPNC1 file to list the ip address of the devices that will go thru the VPN. Apply Changes.
4. Add the domain name "whatismyipaddress.com" to the BBCdns file.
5. rerun the script
6. verify ipset lists are populated. Issue the commands
ipset -L OVPNC1
ipset -L WAN_GW
7. verify tables set up: ip rule
8. Go to whatismyipaddress.com in a web browser. Does it report your location per ISP or VPN?
 
"ipset -L WAN_GW" returns an error: ipset v6.32: The set with the given name does not exist

My browser gives my WAN IP when checking location and my AppleTV doesn't send anything through the VPN.
 
Looking at your script I'm sure you meant LAN_GW. The commands return this --

ipset -L OVPNC1:
Name: OVPNC1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 372
References: 0
Number of entries: 1
Members:
192.168.1.175

ipset -L LAN_GW:
Name: LAN_GW
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 372
References: 0
Number of entries: 1
Members:
192.168.1.1

ip rule returns this:
0: from all lookup local
9990: from all fwmark 0x7000 lookup main
9991: from all fwmark 0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default

But still not playing ball with the domains. iPlayer says you must be in the UK to use, which indicates no attempts to pass through the VPN

P.S. Do you have DNS filtering on or off? It doesn't change things either way for me, but thought I should be on the same page.
 
Put your laptop or desktop IP address in the OVPNC1 file.

Add www.whatismyipaddress.com to BBCdns file along with the updated list below.

Rerun script

What happens when you go to www.whatismyipaddress.com? Does it report WAN ip address of UK origin or the VPN IP address?

5ms9t.x.incapdns.net
a1089.d.akamai.net
a1104.w10.akamai.net
a2.w10.akamai.net
account-origin-live.bbc.net.uk
account.bbc.com
b.scorecardresearch.com
b1rbsov.bidi.live.bbc.co.uk
bbcdotcom.2cnt.net
bbciplayer.metafaq.com
bit.ly
bootstrapcdn.jdorfman.netdna-cdn.com
cd-megavolt.90fe2324ce3eb149.xhst.bbci.co.uk
cdn.globalsigncdn.com
cdn.optimizely.com
component.iplayer.api.bbc.co.uk
detectportal.firefox.com
dns.msftncsi.com
dynamic.simpleyoutubeconverter.com
e3891.dscf.akamaiedge.net
e3891.f.akamaiedge.net
edigitalsurvey.com
emp.bbc.co.uk
emp.bbci.co.uk
fig.bbc.co.uk
fig.bbc.net.uk
fonts.googleapis.com
fonts.gstatic.com
google-analytics.com
googleadapis.l.google.com
gstaticadssl.l.google.com
ibl.api.bbc.co.uk
ichef.bbc.co.uk
ichef.bbci.co.uk
iplayer-web.files.bbci.co.uk
iplayerhelp.external.bbc.co.uk
live-ibl-componen-3y285w56k7w5-887784694.eu-west-1.elb.amazonaws.com
live-matc-componen-14ucw7bt4o3x5-61844696.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
live-tvip-componen-poadok30hype-1266449070.eu-west-1.elb.amazonaws.com
maxcdn.bootstrapcdn.com
mm.bidi.bbc.co.uk
music.files.bbci.co.uk
mvt.api.bbc.com
mybbc-analytics.files.bbci.co.uk
mybbc.files.bbci.co.uk
nav.files.bbci.co.uk
navpromo.90fe2324ce3eb149.xhst.bbci.co.uk
navpromo.api.bbci.co.uk
ocsp.usertrust.com
ocsp2.globalsign.com
open-live.bbc.net.uk
open.live.bbc.co.uk
polling.bbc.co.uk
preferences.notifications.api.bbc.co.uk
r.bbci.co.uk
sa-live.com
sa.bbc.co.uk
sb.scorecardresearch.com
search.bbc.co.uk
search.bbc.net.uk
search.files.bbci.co.uk
session-origin-live.bbc.net.uk
session.bbc.co.uk
session.bbc.com
ssl.bbc.co.uk
ssl.bbc.net.uk
static.bbc.co.uk
static.bbci.co.uk
stats.bbc.co.uk
tile-service.weather.microsoft.com
uf2f.com
vod-dash-uk-live.akamaized.net
vod-dash-uk-live.bbcfmt.hs.llnwd.net
vod-thumb-uk-live.akamaized.net
win10.ipv6.microsoft.com
www-bbc-com.bbc.net.uk
www.bbc.co.uk
www.bbc.com
www.bbc.net.uk
www.tvlicensing.co.uk
 
Put your laptop or desktop IP address in the OVPNC1 file and rerun the script. Or from the command line:

ipset add OVPNC1 xxx.xxx.xxx.xxx where the x's are your laptop IP address.

What happens when you go to www.whatismyipaddress.com? Does it report WAN or VPN IP address?

IP shows address of ISP/WAN not VPN.
 
Good! That means the script is working as your request to www.whatismyipaddress bypassed the VPN and went to a WAN location - in the UK.

If you remove your laptop IP address from the OVPNC1 ipset list, then all of your laptop traffic will use the WAN. Test - go to the iPlayer website and play videos.

If this works, then the issue to focus on is identifying domain names and/or network addresses used by the iPlayer service.

I used dnsmasq.log to do this. You can also install a free logging server on your laptop e.g. kiwisyslogger. You could then enable remote logging on the router. Then watch the http(s) traffic scroll by as you go to the iPlayer website. Then, save output to a file to sort and format it. There may be other methods?

This method may be easier.
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-28#post-318141
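A small helper for the dnsmasq.log approach described above, added here as an example and not taken from the thread: it prints the unique names one LAN client has looked up, and optionally only the ones not already in the BBCdns file, so the list can be built by streaming from the device and diffing. It assumes dnsmasq is logging queries (log-queries with log-facility pointing at a file, /tmp/dnsmasq.log is only the default here), the function names are the example's own, and the sample log it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list the names one LAN client has
# resolved through dnsmasq, as raw material for the BBCdns file. Assumes
# dnsmasq runs with log-queries and log-facility=/tmp/dnsmasq.log (both
# assumptions; the path is only a default here).

# client_domains <client-ip> [logfile]
# A dnsmasq query line looks like (constructed sample, same shape as real ones):
#   Mar  3 12:00:01 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.175
# Keep the lines whose last field is this client, take the name that follows
# the query[TYPE] field, lowercase it, and print each name once, sorted.
client_domains() {
    awk -v ip="$1" '
        /query\[/ && $NF == ip {
            for (i = 1; i < NF; i++)
                if ($i ~ /^query\[/) { print tolower($(i + 1)); break }
        }' "${2:-/tmp/dnsmasq.log}" | sort -u
}

# new_domains <client-ip> <logfile> <BBCdns>
# Same list, minus names already present in the BBCdns file (exact matches).
new_domains() {
    client_domains "$1" "$2" | grep -v -x -F -f "$3" || true
}

# Constructed log lines for trying the functions offline; the PID, timestamps
# and the reply address (TEST-NET range) are made up for the example.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 12:00:01 dnsmasq[1234]: query[A] www.bbc.co.uk from 192.168.1.175
Mar  3 12:00:01 dnsmasq[1234]: forwarded www.bbc.co.uk to 192.168.1.1
Mar  3 12:00:01 dnsmasq[1234]: reply www.bbc.co.uk is 192.0.2.10
Mar  3 12:00:02 dnsmasq[1234]: query[AAAA] WWW.BBC.CO.UK from 192.168.1.175
Mar  3 12:00:03 dnsmasq[1234]: query[A] emp.bbci.co.uk from 192.168.1.175
Mar  3 12:00:04 dnsmasq[1234]: query[A] whatismyipaddress.com from 192.168.1.100
EOF
}

# Usage on the router, once dnsmasq is logging queries:
#   sh dnsdomains.sh 192.168.1.175 /tmp/dnsmasq.log                     all names
#   sh dnsdomains.sh 192.168.1.175 /tmp/dnsmasq.log /jffs/scripts/BBCdns  new names only
case $# in
    3) new_domains "$1" "$2" "$3" ;;
    2) client_domains "$1" "$2" ;;
esac
```

Run it after a few minutes of playing iPlayer on the device in question; the two-argument form gives the complete list to start from, the three-argument form shows only what your current BBCdns is missing, which is the part worth reviewing by hand before adding it.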
 
No it shows that the script is not working since you had previously asked me to put "whatismyipaddress.com" in the BBCdns file. So that domain should have gone through VPN.

Btw my WAN address is in California not the UK. I am trying to use a VPN to tunnel TO the UK for iPlayer purposes.

Needless to say iPlayer doesn't work.
 
That changes things. My understanding is you want to route only iPlayer traffic to the UK tunnel. All other traffic uses WAN.

Change the script so BBCdns goes to OVPNC1 and not the WAN. Update the BBCdns file with my last updates. Make sure whatismyipaddress.com is included in the list.

delete your laptop from the OVPNC1 ipset list/source. You want your laptop to use the WAN.

rerun the script.

When you go to whatismyipaddress.com, does it go to the VPN location? Try accessing the iPlayer website.

I can get this to work using my laptop but not with traffic from Roku iPlayer channel.

If you are getting the vpn block message from iPlayer, then you must change your VPN subscription to a service that can get around the block.
 
About the ipset method...

edit /jffs/configs/dnsmasq.conf.add and add this line:
ipset=/bbc.co.uk/www.bbc.co.uk/IPLAYER

bounce dnsmasq:
service restart_dnsmasq

start browsing www.bbc.co.uk/iplayer

Name: IPLAYER
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2612
References: 0
Number of entries: 42
Members:
212.58.246.94
212.58.244.114
212.58.244.81
212.58.244.215
34.249.5.74
52.19.105.245
151.101.196.81
212.58.244.115
91.207.38.132
54.72.107.191
176.34.132.170
52.30.121.35
34.252.184.215
212.58.244.68
212.58.244.27
212.58.244.78
212.58.246.123
212.58.246.212
212.58.246.109
212.58.246.203
52.31.59.194
52.51.252.38
52.18.183.74
52.213.81.77
52.214.135.167
212.58.246.92
104.81.9.36
212.58.246.112
212.58.244.92
212.58.244.157
212.58.244.79
104.125.241.140
212.58.246.160
212.58.246.55
212.58.246.110
23.214.138.244
91.207.38.4
212.58.246.213
212.58.244.70
34.251.12.243
34.248.10.36
34.248.16.230
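As an added example of wiring that ipset= line to the routing (this is not the poster's own config): the script below generates the ipset= line from the BBCdns file instead of typing the names by hand, installs it in /jffs/configs/dnsmasq.conf.add, creates the IPLAYER set, and marks traffic to its members with 0x1000 so the firmware's "fwmark 0x1000 lookup ovpnc1" rule (shown in the ip rule output earlier in the thread) sends it down the tunnel. The set name and mark come from the thread; the file paths, the function names and the DRY_RUN switch are assumptions of the example. dnsmasq matches a listed name and all of its subdomains, so bbc.co.uk in the file already covers www.bbc.co.uk.

```shell
#!/bin/sh
# Added example (not the poster's config): generate the dnsmasq ipset= line
# from the BBCdns file, install it, create the IPLAYER set and route its
# members via the tunnel. The set name and the 0x1000 mark (-> lookup ovpnc1 in
# the ip rule output earlier in the thread) come from the thread; the file
# paths, function names and the DRY_RUN switch are assumptions.

DOMAINS=${DOMAINS:-/jffs/scripts/BBCdns}
CONF=${CONF:-/jffs/configs/dnsmasq.conf.add}
SET=IPLAYER
VPN_MARK=0x1000

# DRY_RUN=1 prints each ipset/iptables/service command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Emit "ipset=/name1/name2/.../IPLAYER" from a file with one name per line:
# lowercase, skip blanks and comments, drop duplicates, keep first-seen order.
build_ipset_line() {
    names=$(awk 'NF && $1 !~ /^#/ { n = tolower($1); if (!seen[n]++) print n }' "$1" | tr '\n' '/')
    [ -n "$names" ] || return 1
    echo "ipset=/${names}${SET}"
}

# Replace any earlier line for this set in dnsmasq.conf.add (other lines, e.g.
# log-facility=, are kept), then restart dnsmasq so the new line takes effect.
install_conf() {
    line=$(build_ipset_line "$DOMAINS") || { echo "no names found in $DOMAINS" >&2; return 1; }
    if [ -f "$CONF" ]; then
        grep -v "/${SET}\$" "$CONF" > "$CONF.tmp" || true
    else
        : > "$CONF.tmp"
    fi
    echo "$line" >> "$CONF.tmp"
    mv "$CONF.tmp" "$CONF"
    run service restart_dnsmasq
}

# dnsmasq only adds addresses to a set that already exists, so create it first.
# One -m set rule then covers every address dnsmasq has seen for those names,
# including CDN addresses that change between lookups, with nothing to re-run.
apply_rules() {
    run ipset -exist create "$SET" hash:net
    run iptables -t mangle -D PREROUTING -i br0 -m set --match-set "$SET" dst -j MARK --set-mark "$VPN_MARK" 2>/dev/null
    run iptables -t mangle -A PREROUTING -i br0 -m set --match-set "$SET" dst -j MARK --set-mark "$VPN_MARK"
}

# Afterwards, verify as in the thread: "ipset -L IPLAYER" should list entries
# once some pages have loaded, and "ip rule" should show fwmark 0x1000 lookup ovpnc1.
case "${1:-}" in
    apply) install_conf && apply_rules ;;
esac
```

Run "sh iplayerset.sh apply" from SSH (or with DRY_RUN=1 first to see the commands it would issue). The set starts empty and fills only as clients resolve names, so the first check of ipset -L IPLAYER right after a restart will show zero entries; browse the site and check again.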
 
By "change the script" do you mean just change this part:

# Route BBC Player to WAN
for DNS in $(awk '{ print $1 }' /jffs/scripts/BBCdns)
do
iptables -t mangle -D PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000
iptables -t mangle -A PREROUTING -i br0 -d $DNS -j MARK --set-mark 0x7000
done

to be mark 0x1000? Is that all I do to the script or is there something else that must be changed?

I tried with just that change but it doesn't make any difference really. iPlayer still doesn't work. My VPN has never had a problem accessing iPlayer. If I turn it on for all domains the appletv plays iPlayer just fine. So it's not that. I think the script just isn't working.
 
Whether or not I have whatsmyipaddress.com in the BBCdns, that website still shows my IP as the VPN exit tunnel location (UK).

It doesn't even matter if I add or remove my laptop ip from OVPNC1. Whatsmyip still shows VPN address.

Edit:
I think the script is doing something as my laptop shows UK location on whatsmyip but HBOgo still plays (which indicates at least the whatsmyip traffic is going through the VPN tunnel). However whatsmyipaddress is no longer in my BBCdns file, and my laptop IP is no longer in the OVPNC1 file. Maybe it is not updating when I right-click in SCP and execute it again. Is there a better way to rerun a script? I am starting from zero understanding of Linux here, so bear with me and please be explicit. Looking through RMerlin's custom script wiki he just says things like "now run script" or "now retest script" without giving any idea of what that involves or how to do that. I cannot find any other tips elsewhere either. So I am just right-clicking in WinSCP each time and going to custom commands and Execute.

Either way though, iPlayer is definitely not working on either my laptop or Apple TV. If I just stop the dns filtering and go full VPN it works perfectly on both devices.
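Here is a complete, parameterised version of the loop quoted above, written as an added example rather than the thread's policyrouting.sh: it rebuilds the OVPNC1 ipset from the client file and then marks the BBCdns destinations with either 0x1000 (table ovpnc1, the tunnel) or 0x7000 (table main, the WAN), the two marks visible in the ip rule output earlier in the thread. The file paths, the function names and the DRY_RUN switch are assumptions of the example. Both MARK rules are non-terminating, so the last matching rule in the chain wins; the domain rules are appended after the client rule on purpose.

```shell
#!/bin/sh
# Added example, not the thread's policyrouting.sh: rebuild the OVPNC1 client
# set and the per-domain marks from the two files used in this thread. The
# marks are the ones in the ip rule output posted earlier:
#   0x1000 -> lookup ovpnc1 (tunnel), 0x7000 -> lookup main (WAN).
# File paths, function names and the DRY_RUN switch are assumptions.

CLIENTS=${CLIENTS:-/jffs/scripts/OVPNC1}   # one LAN IP per line: send via the tunnel
DOMAINS=${DOMAINS:-/jffs/scripts/BBCdns}   # one domain name per line
VPN_MARK=0x1000
WAN_MARK=0x7000

# DRY_RUN=1 prints every ipset/iptables command instead of executing it, so the
# rule set can be checked (or tested) on a box without iptables.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Read a file one entry per line, ignoring blank lines, comments and anything
# after the first field (the awk '{ print $1 }' idiom from the thread).
entries() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Create/refresh the client set and mark everything from those clients for the
# tunnel. One rule with -m set replaces one rule per client address.
apply_client_rules() {
    run ipset -exist create OVPNC1 hash:net
    run ipset flush OVPNC1
    for ip in $(entries "$CLIENTS"); do
        run ipset -exist add OVPNC1 "$ip"
    done
    run iptables -t mangle -D PREROUTING -i br0 -m set --match-set OVPNC1 src -j MARK --set-mark "$VPN_MARK" 2>/dev/null
    run iptables -t mangle -A PREROUTING -i br0 -m set --match-set OVPNC1 src -j MARK --set-mark "$VPN_MARK"
}

# Mark traffic to each listed domain with the given mark. MARK is not a
# terminating target, so the last matching rule in the chain decides; these are
# appended after the client rule so a listed destination overrides the
# per-client decision. -d resolves the name once, when the rule is inserted.
apply_domain_rules() {
    mark=$1
    for dns in $(entries "$DOMAINS"); do
        run iptables -t mangle -D PREROUTING -i br0 -d "$dns" -j MARK --set-mark "$mark" 2>/dev/null
        run iptables -t mangle -A PREROUTING -i br0 -d "$dns" -j MARK --set-mark "$mark"
    done
}

#   sh policyrouting.sh vpn   BBCdns destinations go down the tunnel (0x1000)
#   sh policyrouting.sh wan   BBCdns destinations bypass it (0x7000)
case "${1:-}" in
    vpn) apply_client_rules; apply_domain_rules "$VPN_MARK" ;;
    wan) apply_client_rules; apply_domain_rules "$WAN_MARK" ;;
esac
```

Running "DRY_RUN=1 sh policyrouting.sh vpn" from an SSH session prints the exact ipset and iptables commands, which is an easier way to see what a script is doing than re-executing it from WinSCP and guessing. Because -d is resolved once at insert time, names that resolve to changing CDN addresses (most of the BBCdns list) go stale until the script is re-run; the dnsmasq ipset= method posted above keeps the set current on its own.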
 
and trying to get dnsmasq to log my own IPs isn't working either.
This line :
tail -f dnsmasq.log > temp

produces a read-only error, but I cannot find this log anyway, as there was no output from your previous command searching for it. (cat /jffs/configs/dnsmasq.conf.add | grep log-facility)
 
At this point I'm just asking someone to just take me through this from the start, not from halfway through, not missing out vital important steps, but from the start... as if this were a freshly formatted jffs and newly updated router with wiped settings. This has now taken up two pages of this thread mainly because all the solutions have made assumptions that my box is already set up how yours is in some of the niche config pages. Or with assumptions that I know the workings of your script such that I can "make the BBCdns list go through the VPN" when I thought it already was supposed to be doing this. I had to dispose of the scripts you gave me cos they were creating havoc with my wife's computer, and she was not listed in any of the OVPNC1 IPs.

Please please please, and thank you. I understand this is frustrating for you people to explain this to someone like they are five, but if you do it once, then I'm pretty sure other people will be able to find that explanation in future and you will save yourself some future energy.
 
I added to the confusion as I thought you were in UK and iPlayer was blocking you when using a VPN tunnel. From your post above, you can access iPlayer when all traffic is routed to the VPN UK tunnel. Your desired end state, from what I understand, is to only have iPlayer traffic routed to the VPN UK tunnel and everything else thru the WAN.

We need to see if iPlayer works with policy rules. We know it works with All Traffic! Using Policy Rules leaks DNS so that may be the issue.

Let's start from the beginning and in small steps.

Let's first test that you can access the iPlayer website without using any scripts and make sure iPlayer is not blocking the VPN connection when using Policy Rules.

In the OpenVPN GUI page, turn on Policy Rules (strict), and enter your PC IP address to use the VPN tunnel to the UK, e.g.

laptop 192.168.1.100 0.0.0.0 VPN

Hit the + sign and then apply. Now, go to whatismyipaddress.com to verify you get a UK IP address.

Now, try to access www.bbc.com/iplayer and play some content.

If this works, go back and add your Apple TV device to the list. Try to access iPlayer.

Please report back the results.

Do you get anything returned with this command?

cat /etc/dnsmasq.conf | grep log-facility
 