split tunnel netflix


@LevesqueOnline

If you are using QoS, turn it off to see if that helps.
 
Everything looks okay to me. I see packets traversing the iptables chain for Amazon but not for Netflix.
Code:
17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 781 191K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000

Try to surf NF in a browser and again on your streaming device and see if the packet count goes up. Do you get the proxy error when you try to stream on NF?

Also try adding the router IP to the Policy Rules and route to the WAN per the post above.
Sorry for the delay. Yes, I get the error in the app saying they detected I'm using a proxy.

I added the WAN entry like your picture for mine, and will also reboot the device again and try again. I am in Canada, so I'm assuming the Netflix IPs in the script cover me; if not, then it may not be hitting that rule.
 

So, interestingly enough:

Downstairs Firestick 192.168.50.10 is working in Netflix, but Amazon Prime knows it's a proxy. We don't use downstairs much, so I'm guessing if we watch TV down there a lot too it will know and block, since it took a bit for them to block .11 too.
Upstairs Firestick 192.168.50.11 will not work in either Netflix or Amazon Prime.

So it is definitely still NATing both Netflix AND Amazon through the OpenVPN versus my WAN, sir :(

I really do appreciate all of the help.

I should note I couldn't do the last step, so I'm manually starting after reboot as I don't have the nat-start option in the scripts location, only IPSET_Netflix.sh, post-mount, services-start and services-stop.

"If the script runs successfully, you can have the script execute at system start-up by calling it from /jffs/scripts/nat-start by including the line sh /jffs/scripts/IPSET_Netflix.sh in the file. Make sure nat-start has a she-bang as the first line in the file #!/bin/sh and is executable e.g. chmod 755 /jffs/scripts/nat-start."


admin@RT-AC86U-6D00:/jffs/scripts# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 159K packets, 152M bytes)
num pkts bytes target prot opt in out source destination
1 6308 917K MARK all -- * * 192.168.50.0/24 192.168.50.1 MARK set 0x9
2 6308 917K RETURN all -- * * 192.168.50.0/24 192.168.50.1
3 0 0 MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC D4:E6:B7:C2:8A:0B MARK set 0x1e
4 0 0 RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC D4:E6:B7:C2:8A:0B
5 26940 7821K MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.150-192.168.50.225 MARK set 0x1f
6 26940 7821K RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.150-192.168.50.225
7 61055 7402K MARK all -- * * 192.168.50.10 !192.168.50.0/24 MARK set 0x20
8 61055 7402K RETURN all -- * * 192.168.50.10 !192.168.50.0/24
9 2851 1005K MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC F0:81:73:FC:36:F0 MARK set 0x21
10 2851 1005K RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC F0:81:73:FC:36:F0
11 691 87716 MARK all -- * * 192.168.50.12 !192.168.50.0/24 MARK set 0x22
12 691 87716 RETURN all -- * * 192.168.50.12 !192.168.50.0/24
13 1333 406K MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC 98:9C:57:AC:DB:12 MARK set 0x23
14 1333 406K RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 MAC 98:9C:57:AC:DB:12
15 0 0 MARK all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.60-192.168.50.65 MARK set 0x24
16 0 0 RETURN all -- * * 0.0.0.0/0 !192.168.50.0/24 source IP range 192.168.50.60-192.168.50.65
17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 419 111K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000
admin@RT-AC86U-6D00:/jffs/scripts#
 
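Two checks on a listing like the one above, written as an added example for this thread (not code from the x3mRouting scripts): the packet counter of the match-set rule, which the advice to surf NF and watch the count relies on, and whether an earlier RETURN rule for a given source IP (rules 7-8 for 192.168.50.10 here) ends traversal of the chain before the appended match-set rule is ever reached. The sample listing is a constructed subset of the paste above; check_live re-runs the same checks against the router's live chain.

```sh
#!/bin/sh
# Constructed sample: a subset of the PREROUTING mangle listing pasted above.
SAMPLE_CHAIN='Chain PREROUTING (policy ACCEPT 159K packets, 152M bytes)
num pkts bytes target prot opt in out source destination
7 61055 7402K MARK all -- * * 192.168.50.10 !192.168.50.0/24 MARK set 0x20
8 61055 7402K RETURN all -- * * 192.168.50.10 !192.168.50.0/24
17 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 419 111K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000'

# set_pkts SETNAME [LISTING]: packet counter of the rule that matches ipset SETNAME.
# A counter that stays at 0 while the client streams means that rule is never hit.
set_pkts() {
    printf '%s\n' "${2:-$SAMPLE_CHAIN}" | awk -v set="$1" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("match-set " set " ") { print $2; exit }'
}

# shadowing_return SRC SETNAME [LISTING]: number of the first RETURN rule whose
# source column is exactly SRC and which sits above the SETNAME rule, or "none".
# RETURN ends traversal of the chain, so packets from SRC never reach an ipset
# rule that was appended (-A) below it. Simplification: only exact-IP sources
# are checked; MAC and "source IP range" selectors are ignored.
shadowing_return() {
    printf '%s\n' "${3:-$SAMPLE_CHAIN}" | awk -v src="$1" -v set="$2" '
        $1 !~ /^[0-9]+$/ { next }               # skip header lines
        $0 ~ ("match-set " set " ") { exit }    # reached the ipset rule first
        $4 == "RETURN" && $9 == src { hit = $1; exit }
        END { print (hit == "" ? "none" : hit) }'
}

# check_live SRC: the same two checks against the router's live chain (needs root).
check_live() {
    listing=$(iptables -nvL PREROUTING -t mangle --line 2>/dev/null) || return 1
    echo "NETFLIX pkts: $(set_pkts x3mRouting_NETFLIX "$listing")"
    echo "RETURN above NETFLIX rule for $1: $(shadowing_return "$1" x3mRouting_NETFLIX "$listing")"
}
```

A result other than "none" for the streaming device is the case the later advice to insert with -I instead of -A addresses.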
Also interesting: for the Amazon rule in the script, or Netflix, I DO see things hitting it now in iptables. But only once I started streaming on my Amazon Echo (not in the VPN NAT rule) or on my laptop watching Netflix.

So it appears the rule set up in OpenVPN to send all traffic from .10 and .11 is still bypassing the rule to send that traffic over the WAN, for these 2 specific devices only, which are routing through the OpenVPN.

If that makes sense.


17 43 3885 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_NETFLIX dst MARK or 0x8000
18 1860 693K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set x3mRouting_AMAZONAWS dst MARK or 0x8000

I feel like it's got to be NATing around it. Adding in the ip rules per the troubleshooting doc:

admin@RT-AC86U-6D00:/jffs/scripts# ip rule
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
9993: from all fwmark 0x4000/0x4000 lookup ovpnc3
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.50.1 lookup main
10101: from 192.168.50.11 lookup ovpnc1
10102: from 192.168.50.10 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
 
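An added example (not from the thread or the scripts) of how the kernel walks the ip rule list above for a packet from one of the Firesticks; it assumes every table except local holds a usable default route. It shows that a mark such as 0x20 set by an unrelated rule does not satisfy the 0x8000/0x8000 selector at priority 9990, so the per-device rules at 10101/10102 decide and the traffic stays on ovpnc1; only a mark with the 0x8000 bit set is sent to main.

```sh
#!/bin/sh
# Constructed from the ip rule listing above. Table "local" is left out: it only
# holds the router's own addresses, so for an Internet destination the lookup
# falls through it. Assumption: every other table has a usable default route.
SAMPLE_RULES='9990 fwmark 0x8000/0x8000 main
9991 fwmark 0x3000/0x3000 ovpnc5
9992 fwmark 0x7000/0x7000 ovpnc4
9993 fwmark 0x4000/0x4000 ovpnc3
9994 fwmark 0x2000/0x2000 ovpnc2
9995 fwmark 0x1000/0x1000 ovpnc1
10001 from 192.168.50.1 main
10101 from 192.168.50.11 ovpnc1
10102 from 192.168.50.10 ovpnc1
32766 from all main'

# lookup_table SRC FWMARK: walk the rules in ascending priority and print the
# table of the first selector that matches, as the kernel does.
# A "fwmark VALUE/MASK" selector matches when (FWMARK & MASK) == VALUE.
lookup_table() {
    src=$1; mark=$2
    printf '%s\n' "$SAMPLE_RULES" | while read -r prio sel val table; do
        case $sel in
            from)
                [ "$val" = all ] || [ "$val" = "$src" ] || continue ;;
            fwmark)
                want=${val%/*}; mask=${val#*/}
                [ $(( mark & mask )) -eq $(( want )) ] || continue ;;
        esac
        echo "$table"
        break
    done
}
```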
Hi, small noob Q: is there a way you can make this work like in AMTM? I'm reading this and putting some lines from above into PuTTY, but I can't get Netflix to work :) If you can make this work I think you'd make a lot of noobs and experts (I think) very happy!!
 

Well, I think we're close :p Did you get through the full setup as well, or are you stuck before the finish line?
 
May be time for me to purchase an HND router to see if there are differences that may be causing the issues. :D I can just see the wife dinging me now: why do you need another router? I know of one HND router user who was having issues. But they were not using the current fwmark/bitmask assignments the script uses, and got it to work once they made the update. On my system, I have the streaming device configured to route to a shared VPN server that NF, Hulu and Prime block. I use the script to send this traffic to my private VPN server.

I propose we place the effort temporarily on hold. I have a more user friendly version I have been working on. I plan to perform another round of testing later this afternoon. I was hoping to finish it yesterday. But discovered some last minute changes I had to make. I want to do another round of QA testing. It will come with a menu to assist with the installation. Rather than requiring the user to edit the script to change routing destinations, you simply pass the script the required parameters. See my prior post for the example. Some command line knowledge is still required.

Regarding /jffs/nat-start, you have to create it if it does not exist. See https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts.

The new method still requires that one have a USB drive with Entware installed on the router, as the scripts require the use of Entware's /opt/tmp directory as the default ipset save/restore location. It is much better to make frequent writes to the USB drive rather than the /jffs directory, to avoid /jffs disk burn-out. Optionally, you can also select another location by passing a directory parameter, e.g. dir=/mnt/AC88U. I have a small 2 GB hard drive with four partitions: one for Diversion, Entware, swap file and another for backup files and miscellaneous items. There is an option in AMTM to format USB. I have not used it though. I have used both EaseUS Partition and MiniTool Partition on my Win 10 machine to format the USB.

Stay tuned and I will let you know when it is ready.
 
I don't recognize the iptables entries above the ones we created for routing NF. Do you have QoS enabled? They may be interfering. Rather than appending the iptables rules for NF, we can insert the rules so they are at the top. Change the iptables entry in the script from -A to -I.

The other thing is to try the other script, IPSET_Netflix_Domains.sh, to see if you have better results.
 
Let me know if you want a guinea pig to help install and QA documentation. It honestly wasn't that bad (not that it worked); the hardest part for me was getting the USB drive ready, but Google always prevails.

I do not have QoS enabled. The main reason I went with Asus was the bandwidth limiter; I live in a location where I'm capped at slower speeds, so I try to control the kids etc.

Another thought I had: as many firewalls read top down, I wonder if I should have the WAN rule in the VPN NAT first, then do the VPN rules as well.

I'll try changing that entry or moving on to method 2 as you suggested. Can't thank you enough; looking forward to trying the new model, but this was honestly a great setup. I can maybe, from a noob perspective, help make it a little friendlier for others if you want.
 
Thanks for volunteering to be a tester. I made good progress this weekend. Wednesday is a holiday here, so I may be able to wrap things up then.

This is a teaser of the GUI implementation courtesy of forum member @Martineau



However, you can't route IPSET lists thru the WAN using the OpenVPN Client screen like you can with LAN Clients. But no worries. The other option is the script approach:

Code:
Using the AS number for Netflix, route Netflix traffic to the WAN:
load_ASN_ipset_iface.sh 0 NETFLIX AS2906

Using the IPSET feature in DNSMASQ, route Netflix domains to the WAN:
load_DNSMASQ_ipset_iface.sh 0 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,dvd.netflix.com

Route Amazon Prime to VPN Client 1:
load_AMAZON_ipset_iface.sh 1

Use a list of IP addresses stored in a file located in /opt/tmp to populate the IPSET list CBS and route to VPN Client 5:
load_MANUAL_ipset_iface.sh 5 CBS
 
