
Selective Routing with Asuswrt-Merlin


@Martineau

In the code listed in post#500 of Selective Routing with Asuswrt-Merlin, there are 3 scripts mentioned that I can't seem to find anywhere else in the thread...
VPN_Client_Switch.sh
VPN_IPSETSelect.sh
VPN_PortSelect.sh
Could you help me locate them?
I've been following the advice you have given in this forum. I'm kind of a noob, but what you suggest makes sense to me. I would like to try these scripts on my Asus RT-AC68R running Asuswrt-Merlin firmware 380.68_4.
Like others in the thread I'm trying to allow certain services to bypass the VPN, i.e. Netflix, Amazon, Plex. I've tried various methods with no success as yet.

Thanks,
@Madelina
 
The scripts I use in nat-start are simply 'wrapper' scripts that essentially ensure that my Selective routing environment is reinstated should it be altered due to any event that could inadvertently flush the firewall rules.

VPN_Client_Switch.sh script was first posted here:
Clear/delete vpn profile from router?
and was originally written to provide a more robust/comprehensive method of managing the active VPN Client connections via say cron, and although the original version has since been tweaked/improved, the basic functionality remains the same.
i.e. to bounce/start VPN Client 1 you would simply issue
Code:
service restart_vpnclient1
but my VPN ISP (HMA) prefers that there is a delay between stopping and restarting a connection to their servers otherwise I can appear to have more than my purchased number of concurrent connections - hence the need for a script to actually validate that the bounce of the VPN Client connection is actually working by making a curl data request through the VPN tunnel etc.

Similarly, the VPN_IPSETSelect.sh script basically ensures the 12 (six iptables and six RPDB) static rules are active (without duplicates) as per
Asuswrt-Merlin Netflix through VPN settings
so effectively only the contents of the appropriate Selective routing IPSETs need to be changed without having to insert/delete individual iptables rules.
i.e. see
Policy routing with 2 VPN connections

The scripts themselves do not provide a one stop solution, but using the techniques I have described they will assist in providing Selective routing of domains, MACs and Ports if they are correctly defined in the IPSETs.

Collating a valid list of IPs for say Netflix has been discussed here
Need help with firewall-start for policy based routing OpenVPN
although it is a constant headache to ensure that the list remains comprehensive yet current which is the truly difficult bit.

@Xentrk (amongst others) has followed my techniques and successfully implemented Selective routing of
'services', and has generously posted a script to assist in the 'harvesting' of the necessary domains/IPs for services such as BBC iPlayer etc.



 
Yikes. As always with this, I spoke too soon. The ranges have changed AGAIN. I think this is going to be prohibitively difficult since it seems that iPlayer accesses Akamai CDN servers across such a broad range of IP's for different videos and at different times of the day that the only way to make this work is to send the entire Akamai network through the VPN tunnel. This would likely break other streaming apps however.

I have thought about another technique but am not sure it would be possible. It would involve some kind of script that watched out for the opening of the iPlayer app (checking for access of iPlayer domains) and then switches on the VPN. However, it would be complicated to then figure out when to turn off the VPN again.
I may have found a solution to your issue with Akamai network.

Using the technique here, https://www.snbforums.com/threads/selective-routing-for-netflix.42661/, we can mine Akamai IPv4 addresses using Akamai AS numbers.

https://bgp.he.net/search?search[search]=akamai&commit=Search yields AS numbers for Akamai. Perhaps start with the UK ASNs plus the BBC ASNs below.

BBC. Go to these sites and click on the Prefixes V4 tab.
AS2818
AS31459 (https://bgp.he.net/AS31459)
 
I call my IPSET_VPN_Routing.sh script from nat-start so my selective routing rules run at boot time.

I recently noticed duplicate entries when I run the ip rule command:

Code:
0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup ovpnc1
9991:   from all fwmark 0x1000 lookup ovpnc1
9992:   from all fwmark 0x2000 lookup ovpnc2
9992:   from all fwmark 0x2000 lookup ovpnc2
9993:   from all fwmark 0x3000 lookup ovpnc3
9993:   from all fwmark 0x3000 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default
:eek:


From the log file, the significant lines that stand out for me are:
Code:
Aug 1 07:00:28 custom_script: Running /jffs/scripts/nat-start
Aug 1 07:00:29 (IPSET_VPN_Routing.sh): 907 Starting IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug 1 07:00:31 (IPSET_VPN_Routing.sh): 1001 Starting IPSET_VPN_Routing.sh...
<snip>
Aug 1 07:00:31 custom_script: Running /jffs/scripts/nat-start
Aug 1 07:00:39 (IPSET_VPN_Routing.sh): 907 Ending IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug 1 07:00:39 (IPSET_VPN_Routing.sh): 1001 Ending IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.

Code:
Aug  1 07:00:27 kernel: reset usb phy..
Aug  1 07:00:28 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Aug  1 07:00:28 WAN_Connection: WAN was restored.
Aug  1 07:00:28 custom_script: Running /jffs/scripts/nat-start
Aug  1 07:00:28 kernel: scsi 0:0:0:0: Direct-Access     SMI      USB DISK         1100 PQ: 0 ANSI: 4
Aug  1 07:00:28 kernel: sd 0:0:0:0: Attached scsi generic sg0 type 0
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] 15441920 512-byte logical blocks: (7.90 GB/7.36 GiB)
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] Write Protect is off
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] Assuming drive cache: write through
Aug  1 07:00:28 kernel: sd 0:0:0:0: [sda] Attached SCSI removable disk
Aug  1 07:00:29 (IPSET_VPN_Routing.sh): 907 Starting IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug  1 07:00:30 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Aug  1 07:00:30 rc_service: zcip 971:notify_rc start_firewall
Aug  1 07:00:30 zcip_client: configured 169.254.81.53
Aug  1 07:00:31 start_nat_rules: apply the nat_rules(/tmp/nat_rules_ppp0_eth0)!
Aug  1 07:00:31 custom_script: Running /jffs/scripts/nat-start
Aug  1 07:00:31 (IPSET_VPN_Routing.sh): 1001 Starting IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug  1 07:00:31 kernel: EXT2-fs (sda7): warning: mounting unchecked fs, running e2fsck is recommended
Aug  1 07:00:31 usb: USB ext2 fs at /dev/sda7 mounted on /tmp/mnt/AC88U.
Aug  1 07:00:32 custom_script: Running /jffs/scripts/post-mount (args: /tmp/mnt/AC88U)
Aug  1 07:00:32 rc_service: hotplug 987:notify_rc restart_nasapps
Aug  1 07:00:32 rc_service: waitting "start_firewall" via  ...
Aug  1 07:00:32 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Aug  1 07:00:33 rc_service: ip-up 634:notify_rc start_upnp
Aug  1 07:00:33 rc_service: waitting "stop_upnp" via ip-up ...
Aug  1 07:00:33 iTunes: daemon is stopped
Aug  1 07:00:33 FTP_Server: daemon is stopped
Aug  1 07:00:33 Samba_Server: smb daemon is stopped
Aug  1 07:00:34 kernel: gro disabled
Aug  1 07:00:34 Timemachine: daemon is stopped
Aug  1 07:00:34 kernel: gro enabled with interval 2
Aug  1 07:00:36 Samba_Server: daemon is started
Aug  1 07:00:37 kernel: EXT2-fs (sda5): warning: mounting unchecked fs, running e2fsck is recommended
Aug  1 07:00:37 usb: USB ext2 fs at /dev/sda5 mounted on /tmp/mnt/entware.
Aug  1 07:00:37 custom_script: Running /jffs/scripts/post-mount (args: /tmp/mnt/entware)
Aug  1 07:00:37 rc_service: hotplug 993:notify_rc restart_nasapps
Aug  1 07:00:37 iTunes: daemon is stopped
Aug  1 07:00:37 FTP_Server: daemon is stopped
Aug  1 07:00:38 ntp: start NTP update
Aug  1 07:00:39 Samba_Server: smb daemon is stopped
Aug  1 07:00:39 kernel: gro disabled
Aug  1 07:00:39 (IPSET_VPN_Routing.sh): 907 Ending IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug  1 07:00:39 (IPSET_VPN_Routing.sh): 1001 Ending IPSET_VPN_Routing.sh... /jffs/scripts/IPSET_VPN_Routing.sh.
Aug  1 07:00:39 Timemachine: daemon is stopped

When I manually run my routing script back to back, it does not create the duplicate ip rule entries.

Where are others placing their selective routing scripts to run at boot time?
 

I'm assuming that you do actually delete any existing (duplicate) RPDB rule before inserting?

However, there are several threads discussing prevention of nat-start custom code being executed twice during the boot process.

A very crude method is to have a sleep 5 at the start of your script!;)

A better method is to use either 'flock', an NVRAM variable or the old-skool semaphore file (/tmp/xxx) creation inline in your IPSET_VPN_Routing.sh script.

or during the boot process, explicitly ensure the only possible executing call to IPSET_VPN_Routing.sh is ONLY from init_start, but still allow nat-start to call IPSET_VPN_Routing.sh for all other non-boot invocations such as unexpected WAN restarts etc.
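A wrapper along the lines described above, as an added example that is not code from this thread or from anyone's router: it serialises nat-start invocations with flock -n when flock is available and an atomic mkdir semaphore otherwise, removes every existing copy of each RPDB and iptables rule before re-adding it once, and carries a small checker for the duplicated priorities seen in the ip rule listing a few posts up. The lock path, the --apply flag, the rule set in main() and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not code from this thread): an idempotent routing wrapper
# meant to be called from nat-start as  /jffs/scripts/<name>.sh --apply
# LOCK path, the rule set in main() and the sample listings are assumptions.

LOCK="${LOCK:-/tmp/ipset_vpn_routing.lck}"

# Take a lock so the second nat-start invocation at boot cannot run concurrently.
# flock -n gives up immediately instead of waiting (flock -x would queue behind
# the first copy and then re-run the whole script); mkdir is the POSIX fallback.
take_lock() {
    if command -v flock >/dev/null 2>&1; then
        exec 200>"$LOCK"
        flock -n 200 || return 1
    else
        mkdir "$LOCK.d" 2>/dev/null || return 1
        trap 'rmdir "$LOCK.d"' EXIT
    fi
    return 0
}

# Delete every existing copy of an RPDB rule (the loop stops when ip reports no
# match), then add exactly one.   usage: ensure_rule <prio> <selector/table args...>
ensure_rule() {
    _prio=$1; shift
    while ip rule del prio "$_prio" "$@" 2>/dev/null; do :; done
    ip rule add prio "$_prio" "$@"
}

# Same idea for an iptables rule: -D until nothing matches, then -A once.
# usage: ensure_ipt_rule <table> <chain> <rule spec...>
ensure_ipt_rule() {
    _table=$1; _chain=$2; shift 2
    while iptables -t "$_table" -D "$_chain" "$@" 2>/dev/null; do :; done
    iptables -t "$_table" -A "$_chain" "$@"
}

# Print, ascending and space separated, every priority that occurs more than
# once in an `ip rule` listing read from stdin; prints nothing when clean.
dup_prios() {
    awk -F: '/^[0-9]+:/ { seen[$1]++ }
             END { for (p in seen) if (seen[p] > 1) print p }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

main() {
    take_lock || { logger -t nat-start "routing script already running, skipping"; exit 0; }
    ensure_rule 9990 fwmark 0x7000/0x7000 table main
    ensure_rule 9991 fwmark 0x1000 table ovpnc1
    ensure_rule 9992 fwmark 0x2000 table ovpnc2
    ensure_rule 9993 fwmark 0x3000 table ovpnc3
    ip route flush cache
    left=$(ip rule | dup_prios)
    [ -z "$left" ] || logger -t nat-start "duplicate RPDB priorities remain: $left"
}

# Constructed sample listings (shaped like the output posted above) so that
# dup_prios can be exercised off the router.
DUP_RULES='0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup ovpnc1
9991:   from all fwmark 0x1000 lookup ovpnc1
9992:   from all fwmark 0x2000 lookup ovpnc2
9992:   from all fwmark 0x2000 lookup ovpnc2
9993:   from all fwmark 0x3000 lookup ovpnc3
9993:   from all fwmark 0x3000 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default'
CLEAN_RULES='0:      from all lookup local
9990:   from all fwmark 0x7000 lookup main
9991:   from all fwmark 0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default'

# Only touch the live routing tables when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Because the delete loop runs until ip reports no match, a rule that was already inserted twice by an earlier double boot is cleaned up on the next run rather than accumulating; the lock only stops the two boot-time calls from interleaving.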
 
Thank you once again for your help and support @Martineau!

This snip seems to have fixed the issue. I have done three reboots so far and no duplicate entries have appeared.

Code:
# Prevent script from running twice at boot up
exec 200>/tmp/vpnroutingcheck.lck
flock -x 200 || exit 0
sleep 10
 

Glad that some of my tried and trusted techniques/suggestions can be implemented by others to actually solve their issues! :D
 
Hi all. I've gone through almost all the posts here and am now more confused than ever (Also not helping much after watching Mother! :eek:). I've an Asus running 380.68_4 FW. I've my Cable streaming box (192.168.1.11) on policy rules to run via VPN. I've got ports 80 & 8001 on port forwarding for the box. I want to remotely access the box via these ports. A few pages back there was mention that the scripts linked on the first few pages here are outdated. Any help or link would be helpful. Also, being a total noob, you'll probably need to walk me through :) each process.

Thanks.
 

Modify '/jffs/scripts/nat-start' with the following
Code:
#!/bin/sh

sleep 5

ip rule del fwmark 0x7000/0x7000 2> /dev/null
ip rule add fwmark 0x7000/0x7000 table main prio 9990

ip route flush cache

LAN_Server='192.168.1.11'

# Remember ports 80,8001 must be port forwarded
# NOTE: Assumes ports use TCP. 
iptables -t mangle -D PREROUTING -i br0 --src $LAN_Server -p tcp -m multiport --sport 80,8001 -j MARK --set-mark 0x7000/0x7000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 --src $LAN_Server -p tcp -m multiport --sport 80,8001 -j MARK --set-mark 0x7000/0x7000

The Wiki (Wiki/documentation for Asuswrt-merlin) has info on how to create scripts etc. using either the router's 'nano' editor, or there are forum articles on how to use 'WinSCP' if using a Windows device to access the router.
 
Excellent bud. Will test it and report back soon. I found one script from here on post #51 posted in Nov 2013 which looks to be working. But yours looks much cleaner and shorter.

regards,
 
Code:
0:      from all lookup local
9990:   from all fwmark 0x7000/0x7000 lookup main
10101:  from all to 185.37.100.122 lookup ovpnc1
10102:  from all to 104.31.66.0/24 lookup ovpnc1
10103:  from all to 104.31.67.0/24 lookup ovpnc1
10104:  from 192.168.1.11 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

Thanks very much again. Yes working perfectly. I tested first with removing port 80 and couldn't access box. Then removed 8001, can access but won't stream as expected.

iptables -nvL PREROUTING --line -t mangle output:
Code:
Chain PREROUTING (policy ACCEPT 1415 packets, 160K bytes)
num   pkts bytes target  prot opt in    out  source        destination
1        0     0 MARK    all  --  tun11 *    0.0.0.0/0     0.0.0.0/0     MARK xset 0x1/0x7
2        0     0 MARK    tcp  --  br0   *    192.168.1.11  0.0.0.0/0     multiport sports 80,8001 MARK or 0x7000
3        0     0 MARK    tcp  --  br0   *    192.168.1.11  0.0.0.0/0     multiport sports 80,8001 MARK or 0x7000
 
Not sure if device is going through VPN but ip rule cmd shows:
If it's using the VPN as expected, then accessing and streaming both work remotely.

I don't believe there is any way to view RPDB rule statistics, i.e. has rule prio 9990 fired?

You will need to check the iptables rule to see if there are any hits on the tagging rule:
Code:
iptables -nvL PREROUTING --line -t mangle
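To read those counters (and to spot duplicated rules like rules 2 and 3 in the PREROUTING listing a few posts up) without eyeballing the columns, here is an added helper that is not code from this thread: it parses the output of the iptables command above when that output is piped into it. The sample listing inside it is constructed to match the shape of the one posted above.

```shell
#!/bin/sh
# Added example (not code from this thread): parse `iptables -nvL <chain> --line -t mangle`
# output to (a) show the packet counters of the tagging rule and (b) flag duplicated rules.
# The sample listing below is constructed from the one posted in this thread.

# Print "rule N: P packets" for every numbered rule whose text contains $1.
# usage: iptables -nvL PREROUTING --line -t mangle | mark_hits 'or 0x7000'
mark_hits() {
    awk -v pat="$1" '$1 ~ /^[0-9]+$/ && index($0, pat) { printf "rule %s: %s packets\n", $1, $2 }'
}

# Group rules by their spec (everything after num/pkts/bytes) and report any spec
# that appears more than once, together with the rule numbers that share it.
dup_specs() {
    awk '$1 ~ /^[0-9]+$/ {
             spec = ""
             for (i = 4; i <= NF; i++) spec = spec " " $i
             count[spec]++
             nums[spec] = nums[spec] " " $1
         }
         END { for (s in count) if (count[s] > 1) print "rules" nums[s] ":" s }'
}

# Constructed sample, identical in shape to the output posted above.
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 1415 packets, 160K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- tun11 * 0.0.0.0/0 0.0.0.0/0 MARK xset 0x1/0x7
2 0 0 MARK tcp -- br0 * 192.168.1.11 0.0.0.0/0 multiport sports 80,8001 MARK or 0x7000
3 0 0 MARK tcp -- br0 * 192.168.1.11 0.0.0.0/0 multiport sports 80,8001 MARK or 0x7000'

# Wrappers that run the two checks over the sample so they can be tried off the router.
sample_hits() { printf '%s\n' "$SAMPLE_MANGLE" | mark_hits 'or 0x7000'; }
sample_dups() { printf '%s\n' "$SAMPLE_MANGLE" | dup_specs; }

# On the router:
#   iptables -nvL PREROUTING --line -t mangle | mark_hits 'or 0x7000'
#   iptables -nvL PREROUTING --line -t mangle | dup_specs
```

A packet count that stays at zero after a remote access attempt means no packet from 192.168.1.11 with source port 80 or 8001 entered PREROUTING on br0, so the port forward itself is the first thing to confirm; a non-empty duplicate report is the situation the -D before -A lines in the posted nat-start exist to prevent.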
 
It might seem like a trivial question when you're dealing with such complex setups, but I cannot get it automated...

So, I tried to set up selective routing - all traffic going from one host should go through the VPN. When the tunnel comes up (client IP 10.8.0.2, server IP 10.8.0.1), it doesn't work...

Code:
#> ip rule list
0:      from all lookup local
10101:  from 192.168.64.229 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

#> ip route list table ovpnc1
10.8.0.1 dev tun11  proto kernel  scope link  src 10.8.0.2
192.168.64.0/24 dev br0  proto kernel  scope link  src 192.168.64.2

It seems to me that the rule list is fine, but the ovpnc1 table is missing a default route through the tunnel! When I manually add it
Code:
#> ip route add default via 10.8.0.1 table ovpnc1
it works perfectly.

Am I missing a config parameter somewhere to have it set up automatically?
 

When event OpenVPN Client 'route-up' is triggered, the associated RPDB rules and Selective Routing tables are created.

Perhaps you could try

1. Stop VPN Client

2. Set 'Log verbosity=4' in the VPN Client GUI

3. Start VPN Client

4. Scan Syslog for clues......
Code:
grep openvpn-routing /tmp/syslog.log

If no WARNING message(s) are shown, then you could try debugging by creating your own openvpn-event script, or attempt to debug the firmware script '/usr/sbin/vpnrouting.sh'
 

It seems the $route_vpn_gateway variable is not set. I was under the impression that would always be the far tunnel endpoint IP.

Should that be explicitly pushed from the server?
 
It seems the $route_vpn_gateway variable is not set.

I suspect that the 'WARNING' message was already present in Syslog without the need to increase the log-level! ;)
Should that be explicitly pushed from the server?
It depends!
Code:
redirect-gateway def1
or there may be a conflict/mismatch directive being pushed by your VPN ISP etc. in your Custom Configuration directives.
 
I suspect that the 'WARNING' message was already present in Syslog without the need to increase the log-level! ;)

It was... ;)

My VPN ISP is me, but I won't have physical access to the VPN server for a couple of weeks, so I don't want to mess with the configuration there.

I've explicitly added
Code:
redirect-gateway def1
to the client config and the routing table looks much better now. Thank you.
 
I too am experiencing this issue, I have multiple vpns in use but have certain websites that need to bypass the vpn, but they're not doing so. I've read through several forum threads looking for an answer to no avail. this was working at one time but obviously something has changed in the last two firmware revisions. Any help with this would be greatly appreciated.

Cheers
 
What router and firmware are you using? Do you have dnsmasq and jffs enabled? There are some issues with how the VPN client handles DNS with Selective Routing that require two configuration changes in the web gui for it to work right for me. How many VPN clients are you running? I updated my selective routing script Sunday night that allows me to route traffic to the different interfaces: WAN and multiple VPN clients. Let me know if you want to test it. If so, I can send it to you in a PM.
 
I'm using the AC68U with Firmware 384.3; dnsmasq and jffs are both enabled. I have 3 active vpn clients running usually. Sure, send me the script and I'll give it a go. Detailed installation instructions are always good too. Thanks for your help!
 
