Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2


Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.

You can download/test it from

Clearly your previous statement [the script] 'did not provide a reliable solution' needs to be made clearer... i.e. are you absolutely sure that the DNS Leak test is always 100% accurate?

IMHO, x3mrouting shouldn't be necessary just for your DNS routing requirement? - see below

If not using x3mrouting then you need to implement the RPDB fwmark rules manually...
see '/jffs/scripts/nat-start'
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
to ensure that the RPDB fwmark rules are always available should the firewall be rebuilt whilst the VPN Client is UP.
(x3mrouting dynamically adds/deletes the RPDB fwmark rules only when the VPN Client is actually started/stopped!)

EDIT:
If you decide to test my generic '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh' script then you should ensure ALL of the 'vpnclientX-route-*' event scripts contain the appropriate call

e.g. VPN Client 5

'/jffs/scripts/vpnclient5-route-up'
Code:
#!/bin/sh
# $dev is exported by OpenVPN (e.g. tun15); its 5th character is the client number
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename "$0"); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline
# Say is assumed to be a logging helper; if it is not defined, fall back to logger (syslog + stderr)
if ! type Say >/dev/null 2>&1; then Say() { logger -st "$(basename "$0")" "$@"; }; fi

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID requested....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" start &
fi
and

'/jffs/scripts/vpnclient5-route-pre-down'
Code:
#!/bin/sh
# $dev is exported by OpenVPN (e.g. tun15); its 5th character is the client number
VPN_ID=${dev:4:1}
[ -z "$VPN_ID" ] && { SCR=$(basename "$0"); VPN_ID=${SCR:9:1}; }    # Allow manual debugging from commandline
# Say is assumed to be a logging helper; if it is not defined, fall back to logger (syslog + stderr)
if ! type Say >/dev/null 2>&1; then Say() { logger -st "$(basename "$0")" "$@"; }; fi

if [ -n "$(which unbound-control)" ] && [ -n "$(unbound-control status | grep -E "unbound.*running")" ];then
    Say "Unbound DNS requests via VPN Client $VPN_ID terminating....."
    /jffs/addons/unbound/unbound_DNS_via_OVPN.sh "$VPN_ID" stop
fi

Can you help with some very basic questions on this.

I have updated vpnclient5-route-up and vpnclient5-route-pre-down as noted above and created /jffs/addons/unbound/unbound_DNS_via_OVPN.sh and x3mrouting was already installed (previously used with setting VPN 5 from unbound_manager advanced).

How do I get this to run?

If I run
Code:
 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 start
via ssh then I get
Code:
(unbound_DNS_via_OVPN.sh): 11079 Starting Script Execution 5 start
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=17.950 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 17.950/17.950/17.950 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
64 bytes from 9.9.9.9: seq=0 ttl=60 time=653.335 ms

--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 653.335/653.335/653.335 ms
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
PING 9.9.9.9 (9.9.9.9): 56 data bytes
until I Ctrl-C and run
Code:
 /jffs/addons/unbound/unbound_DNS_via_OVPN.sh 5 stop
which sets everything back

1. Does it matter if vpnclient5-route-up and vpnclient5-route-pre-down are in /jffs/scripts or in /jffs/scripts/x3mrouting?
2. If I want the script to run automatically (at start-up) do I leave it in /jffs/addons/unbound/ or move it to /jffs/scripts or do something else?
3. How can I check to see if the requests are being sent to the VPN provider?
 
I think you need to add this in /jffs/scripts/init-start
Code:
modprobe xt_comment
Vpnclient event scripts under the x3mrouting directory should work just fine. Once you have it configured it will run automatically when the VPN client comes up during startup. If your VPN client 5 is already up before you add this, you can run it manually or reset the VPN client to trigger it.
 
Whilst I do not wish to offend @Swinson, in light of his current ongoing forum absence since June 2021, I have created a generic version of his original script that should allow you to designate any VPN client without the need to edit/hack the script.

You can download/test it from

I appreciate this mod. I'm trying it out now without any issues. Thanks!
 
Thanks @Martineau, this is very nice and complete. I am using @Swinson script to bind unbound to wireguard. Will definitely use your enhanced version for it.
For line 39, I noticed it will take anything that contains a number 1-5. Say 16 is valid. I edited it a bit and it seems now it will only take 1-5.
Code:
[ -z $(echo "$VPN_ID" | grep -E "[1-5]") ] --> ! [ "$VPN_ID" -ge 1 ] || ! [ "$VPN_ID" -le 5 ]
Regex "[1-5]" matches a single digit between 1 and 5.
However, for grep I missed explicitly forcing single-digit acceptance.

i.e.
Code:
[ -z "$(echo "$VPN_ID" | grep -E "[1-5]")" ]
changed to
Code:
[ -z "$(echo "$VPN_ID" | grep -E "^[1-5]$")" ]
 
I noticed the following note on the github page for this mod script while testing the script:

"For testing allow user to specify the MAX wait rather than the hard-coded 150 (300 secs/5 mins)"

What would be the recommended wait time or we can leave it as is once testing is completed? Thanks again!
 
It depends.....

The 300 second timeout is widely used but in truth it is probably far too high for all cases.

i.e. if you intend to prevent DNS leaks, are you prepared to let the default 5 minutes elapse before you get the failure notification in order to rectify the exposure?

Increasing the MAX wait time beyond 5 mins may be justified in rare cases, but that is probably highly unlikely; reducing it is far more likely.

e.g. if normally it takes say 15 secs for the VPN tunnel to be capable of passing the desired DNS requests, surely 30 secs may be more appropriate?
 

I tried adding the above and rebooting

If I use a site like ipleak.net, then before it would show IP address: WAN ipv4 address and desktop ipv6 address and DNS addresses: WAN for ipv4 and ipv6, both are as I would have expected if unbound is acting as the resolver

After rebooting then the IP addresses are unchanged, but the DNS address now include the WAN addresses as before plus a whole set of OpenDNS (Cisco) DNS servers (ipv4 and ipv6) - I have OpenDNS servers set in WAN and IPv6. What I do not see is the VPN DNS server.

In regard to my three questions,

1. Does it matter if vpnclient5-route-up and vpnclient5-route-pre-down are in /jffs/scripts or in /jffs/scripts/x3mrouting?
I tried deleting the vpnroute... scripts from /jffs/scripts and putting them in /jffs/scripts/x3mrouting and the result was the same as before installing unbound_DNS_via_OVPN.sh, so it would seem they need to be in /jffs/scripts. Ooops, waited a few minutes and all the OpenDNS DNS servers reappeared.

2. If I want the script to run automatically (at start-up) do I leave it in /jffs/addons/unbound/ or move it to /jffs/scripts or do something else?
With your addition to /jffs/scripts/init-start it would seem that the script does auto-start

3. How can I check to see if the requests are being sent to the VPN provider?
I still do not know how to check this.
 
Regarding your questions.
1. I use x3mRouting option 3. So I have vpnclient5-route-up and vpnclient5-route-pre-down script in /jffs/scripts/x3mrouting directory. As long as vpnclient up or down event trigger the script to run it is fine. I added the following in vpnclient5-route-up and vpnclient5-route-pre-down script so that I can see it in syslog when this happen.
Code:
#!/bin/sh
logger -t "$(basename "$0")" "OpenVPN Client 5 coming up ..."
Code:
#!/bin/sh
logger -t "$(basename "$0")" "OpenVPN Client 5 going down ..."
2. The unbound_DNS_via_OVPN.sh script is called in the vpnclient5-route-up script, so it does not matter where we put unbound_DNS_via_OVPN.sh as long as we have the correct path configured in the vpnclient5 event script.
3. I am not using vpnclient5 as of now. But we can verify if rule for vpnclient 5 is created, it should be something like "9991: from all fwmark 0x3000/0x3000 lookup ovpnc5". iptables output should have something like this "udp dpt:53 /* unbound_rule */ MARK or 0x3000"
Code:
ip rule show
iptables -nvL OUTPUT -t mangle --line
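An added checker, written for this thread and not part of unbound_manager or unbound_DNS_via_OVPN.sh, that parses the saved output of those two commands and reports whether the RPDB fwmark rule and the port-53 MARK rules for a given VPN client are present. The fwmark values other than 0x1000 and 0x3000 are assumed from the Merlin policy-routing convention the thread links to, and the sample outputs are constructed from the ones posted in this thread.

```shell
#!/bin/sh
# Verifies, from saved 'ip rule show' and 'iptables -nvL OUTPUT -t mangle' text,
# that both halves of the unbound-via-VPN routing are present for one client:
#   1. the RPDB rule  "from all fwmark M/M lookup ovpncN"  (nat-start / x3mRouting)
#   2. the mangle MARK rules on dpt:53 that tag unbound's queries with M
# ASSUMPTION: marks follow the asuswrt-merlin policy-routing convention
# (ovpnc1 0x1000, ovpnc2 0x2000, ovpnc3 0x4000, ovpnc4 0x7000, ovpnc5 0x3000);
# only the ovpnc1 and ovpnc5 values are actually shown in this thread.

# vpn_fwmark N -> prints the fwmark for VPN client N, fails for anything else.
# "16" fails here, unlike the unanchored "[1-5]" grep discussed earlier.
vpn_fwmark() {
    case "$1" in
        1) echo 0x1000 ;;
        2) echo 0x2000 ;;
        3) echo 0x4000 ;;
        4) echo 0x7000 ;;
        5) echo 0x3000 ;;
        *) return 1 ;;
    esac
}

# has_fwmark_rule N "<ip rule show output>" -> 0 only if the RPDB rule exists
has_fwmark_rule() {
    mark=$(vpn_fwmark "$1") || return 2
    printf '%s\n' "$2" | grep -qE "fwmark ${mark}/${mark} lookup ovpnc$1\$"
}

# count_dns_mark_rules N "<mangle OUTPUT listing>" -> number of dpt:53 rules
# setting VPN N's mark (2 expected: one udp, one tcp); WAN 0x8000 rules ignored
count_dns_mark_rules() {
    mark=$(vpn_fwmark "$1") || return 2
    printf '%s\n' "$2" | grep -cE "dpt:53 .*MARK or ${mark}\$" || true
}

# check_dns_via_vpn N "<ip rule>" "<mangle>" -> 0 if everything is in place,
# otherwise 1 with one line per missing piece
check_dns_via_vpn() {
    ok=0
    if ! has_fwmark_rule "$1" "$2"; then
        echo "missing: RPDB rule 'from all fwmark $(vpn_fwmark "$1") lookup ovpnc$1'"
        ok=1
    fi
    n=$(count_dns_mark_rules "$1" "$3")
    if [ "$n" -lt 2 ]; then
        echo "missing: expected 2 dpt:53 MARK rules for ovpnc$1, found $n"
        ok=1
    fi
    return $ok
}

# Constructed sample input, copied from the outputs posted earlier in the thread
RULES_BEFORE='0:      from all lookup local
11010:  from 10.00.00.150 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default'

RULES_AFTER='0:      from all lookup local
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
11010:  from 10.00.00.150 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default'

MANGLE_OUTPUT='Chain OUTPUT (policy ACCEPT 4830K packets, 5759M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9   549 MARK       udp  --  *      *       0.0.0.0/0            208.67.220.222       udp dpt:53 /* unbound_rule */ MARK or 0x8000
5       68  4020 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x3000
6    17869 1448K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x3000'

# Stand-alone run: first the state reported as broken, then the working one.
# On the router itself: check_dns_via_vpn 5 "$(ip rule show)" "$(iptables -nvL OUTPUT -t mangle)"
check_dns_via_vpn 5 "$RULES_BEFORE" "$MANGLE_OUTPUT" || echo "-> VPN client 5: DNS NOT routed via the tunnel"
check_dns_via_vpn 5 "$RULES_AFTER" "$MANGLE_OUTPUT" && echo "-> VPN client 5: DNS routing rules in place"
```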
 
I have disabled IPV6 on my router since this causes dns leaks. Have you tested ipleak while IPv6 is disabled?
 

Making some progress, but not certain I am there yet. For testing I have disabled IPv6 and have got the vpnclient5-route-up running (at least, using your suggestions, I can see it in syslog).

However I am not certain if the results of
Code:
ip rule show
iptables -nvL OUTPUT -t mangle --line
are what they are meant to be, particularly as the result of ip rule show is unchanged whether unbound_DNS_via_OVPN.sh is running or not

Script not installed
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip rule show
0:      from all lookup local
11010:  from 10.00.00.150 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AX88U-5050:/tmp/home/root# iptables -nvL OUTPUT -t mangle --line
Chain OUTPUT (policy ACCEPT 1874 packets, 358K bytes)
num   pkts bytes target     prot opt in     out     source               destination
Script installed
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip rule show
0:      from all lookup local
11010:  from 10.00.00.150 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default

admin@RT-AX88U-5050:/tmp/home/root# iptables -nvL OUTPUT -t mangle --line
Chain OUTPUT (policy ACCEPT 4830K packets, 5759M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        9   549 MARK       udp  --  *      *       0.0.0.0/0            208.67.220.222       udp dpt:53 /* unbound_rule */ MARK or 0x8000
2      135  9116 MARK       udp  --  *      *       0.0.0.0/0            208.67.220.220       udp dpt:53 /* unbound_rule */ MARK or 0x8000
3        4   256 MARK       tcp  --  *      *       0.0.0.0/0            208.67.220.222       tcp dpt:53 /* unbound_rule */ MARK or 0x8000
4        0     0 MARK       tcp  --  *      *       0.0.0.0/0            208.67.220.220       tcp dpt:53 /* unbound_rule */ MARK or 0x8000
5       68  4020 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* unbound_rule */ MARK or 0x3000
6    17869 1448K MARK       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* unbound_rule */ MARK or 0x3000

I cannot see anything like "9991: from all fwmark 0x3000/0x3000 lookup ovpnc5" and do not know whether the rules pointing to the OpenDNS DNS servers should also be in there.
 
I'm not sure if you're running x3mRouting but if you're not try installing option 3.

Once you have that installed, try running this and then run ip rule again:

x3mRouting ALL 1 dummy dnsmasq=dummy.me (might need to change 1 to 5)

I was having a similar issue with the previous script and this pushed the missing "from all fwmark 0x1000/0x1000 lookup ovpnc1".
 
The RPDB rules should be static and created by nat-start see the Wiki
Policy based Port routing (manual method) · RMerl/asuswrt-merlin.ng Wiki · GitHub
 

Perfect - I am running x3mRouting, but it needed x3mRouting ALL 5 dummy dnsmasq=dummy.me as you suggested and now (when the VPN is up) I see
Code:
admin@RT-AX88U-5050:/tmp/home/root# ip rule show
0:      from all lookup local
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
11010:  from 10.00.00.150 lookup ovpnc5
32766:  from all lookup main
32767:  from all lookup default

and if I check on ipleak.net then I just see my VPN provider's DNS server.

Next steps are to see what happens when I re-enable IPv6 (the VPN'd device has IPv6 disabled) both on the device going though the VPN and generally.
 
Thank you. I had assumed that if I had x3mrouting installed then I did not need to directly edit nat-start. Not sure why the push from x3mRouting ALL 5 dummy dnsmasq=dummy.me was needed, but it is now behaving.
Great.

From my previous testing...IPV6 enabled in the router always leaks when using it with my current VPN service.

There are a few VPN services that supposedly work when IPv6 is enabled but I haven't tried them.

It's a lot easier for me to disable IPv6 and strictly use IPv4... it's not for everyone though.
 
Can someone please test this link and advise if they see an ad on the right side of the page just under updates? Please try on a laptop or desktop as I don't see the ad on a mobile device, only on a laptop, tried all browsers. I have been a Diversion user for a long time but just moved to unbound with adblock so just wondering why I see this ad. Posted on the Diversion thread and someone replied saying they don't see the ad. I'm using this list.
 
I don't see the ads either. A quick glance at the dnsmasq logs shows these four domains being blocked. All of these are in your lists.

/opt/share/diversion/list/blockinglist js-agent.newrelic.com is 192.168.1.254
/opt/share/diversion/list/blockinglist www.clarity.ms is 192.168.1.254
/opt/share/diversion/list/blockinglist snap.licdn.com is 192.168.1.254
/opt/share/diversion/list/blockinglist static.cloudflareinsights.com is 192.168.1.254
 
Thank you. I had assumed that if I had x3mrouting installed then I did not need to directly edit nat-start.
Correct
Not sure why the push from x3mRouting ALL 5 dummy dnsmasq=dummy.me was needed, but it is now behaving.
For whatever reason the firmware does not create the Selective Routing table
e.g. VPN Client 5
Code:
ip route show table 115
if there are no IPs/Subnets Selectively routed through the target VPN.

If you are not already using x3mRouting to Selectively Route domains/IPSETs/Ports, basically you are unnecessarily installing x3mRouting to achieve what you could do simply thru' the GUI to create the dummy routing entry to force the creation of the routing table

i.e. assuming your LAN is not 172.16.1.* - force creation of the routing table for VPN Client 1

[screenshot: GUI policy-routing entry that forces creation of the VPN Client 1 routing table]
 
unbound (pid 26046) is running... uptime: 5 days 04:52:57 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Thu Oct 14 15:05:53 DST 2021)
***ERROR Unable to verify Github version...check DNS/Internet access!
What does this mean?
 
This is the unbound_manager health check and usually means that DNS resolution is failing on the router - specifically the unbound_manager Github repository, or internet access is physically DOWN.

There are commands available in the unbound_manager Advanced menu to help try and diagnose what the issue is...be it a router issue or a client issue.

e.g.

Code:
e  = Exit Script [?]

A:Option ==> dig github.com


; <<>> DiG 9.17.13 <<>> txt github.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16413
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;github.com.            IN    TXT

;; ANSWER SECTION:
github.com.        3600    IN    TXT    "docusign=087098e3-3d46-47b7-9b4e-8a23028154cd"
github.com.        3600    IN    TXT    "stripe-verification=f88ef17321660a01bab1660454192e014defa29ba7b8de9633c69d6b4912217f"
github.com.        3600    IN    TXT    "v=spf1 ip4:192.30.252.0/22 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com include:spf.protection.outlook.com include:mail.zendesk.com include:_spf.salesforce.com include:servers.mcsv.net ip4:166.78.69.169 ip4:1" "66.78.69.170 ip4:166.78.71.131 ip4:167.89.101.2 ip4:167.89.101.192/28 ip4:192.254.112.60 ip4:192.254.112.98/31 ip4:192.254.113.10 ip4:192.254.113.101 ip4:192.254.114.176 ~all"
github.com.        3600    IN    TXT    "MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805"
github.com.        3600    IN    TXT    "MS=ms44452932"
github.com.        3600    IN    TXT    "MS=ms58704441"
github.com.        3600    IN    TXT    "adobe-idp-site-verification=b92c9e999aef825edc36e0a3d847d2dbad5b2fc0e05c79ddd7a16139b48ecf4b"
github.com.        3600    IN    TXT    "atlassian-domain-verification=jjgw98AKv2aeoYFxiL/VFaoyPkn3undEssTRuMg6C/3Fp/iqhkV4HVV7WjYlVeF8"

;; Query time: 20 msec
;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
;; WHEN: Tue Oct 19 08:47:18 IST 2021
;; MSG SIZE  rcvd: 957


; <<>> DiG 9.17.13 <<>> github.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12372
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;github.com.            IN    A

;; ANSWER SECTION:
github.com.        1200    IN    A    140.82.121.4

;; Query time: 30 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Tue Oct 19 08:47:18 IST 2021
;; MSG SIZE  rcvd: 55
or
Code:
e  = Exit Script [?]

A:Option ==> lookup www.ibm.com

The following name servers are used for lookup of www.ibm.com.
;rrset 155370 13 0 10 0
com.    155370    IN    NS    a.gtld-servers.net.
com.    155370    IN    NS    b.gtld-servers.net.
com.    155370    IN    NS    c.gtld-servers.net.
com.    155370    IN    NS    d.gtld-servers.net.
com.    155370    IN    NS    e.gtld-servers.net.
com.    155370    IN    NS    f.gtld-servers.net.
com.    155370    IN    NS    g.gtld-servers.net.
com.    155370    IN    NS    h.gtld-servers.net.
com.    155370    IN    NS    i.gtld-servers.net.
com.    155370    IN    NS    j.gtld-servers.net.
com.    155370    IN    NS    k.gtld-servers.net.
com.    155370    IN    NS    l.gtld-servers.net.
com.    155370    IN    NS    m.gtld-servers.net.
;rrset 68970 1 1 11 5
com.    68970    IN    DS    30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    68970    IN    RRSIG    DS 8 1 86400 20211031210000 20211018200000 14748 . FueYErlG8RuCBAIFepJjDAK8er5n/UG7KWfckuAqxPE7ML6JbipdRaCA5izZ6j54pIBetORYwZ3ccJoV4kwMqwJict2rK9LD3Y0C/jcMdhuaH502CQpac1IHbllTcYvLRoKXZgr9PzvK4TTzvnESXzVJZCPIjc0Nvfz3oYtr/YY2ebhE9bPZ4nf0jYnEmWOHdR07tQRC9RFFKfkQ+UMTD5el6RX8XrfqGdirmDijH8c9dYtwMz+TfzX47PeKF2a2fHmd7dyoyeGNteaQqLpEffnF/OgGtTY7ZQ9aMNrfhUSjkBmS6AbkHwtGyvMiqZCtuINFRngbBFBc6aIcKx/Cfg== ;{id = 14748}
;rrset 155370 1 0 10 0
m.gtld-servers.net.    155370    IN    A    192.55.83.30
;rrset 155370 1 0 10 0
m.gtld-servers.net.    155370    IN    AAAA    2001:501:b1f9::30
;rrset 155370 1 0 10 0
l.gtld-servers.net.    155370    IN    A    192.41.162.30
;rrset 155370 1 0 10 0
l.gtld-servers.net.    155370    IN    AAAA    2001:500:d937::30
;rrset 155370 1 0 10 0
k.gtld-servers.net.    155370    IN    A    192.52.178.30
;rrset 155370 1 0 10 0
k.gtld-servers.net.    155370    IN    AAAA    2001:503:d2d::30
;rrset 155370 1 0 10 0
j.gtld-servers.net.    155370    IN    A    192.48.79.30
;rrset 155370 1 0 10 0
j.gtld-servers.net.    155370    IN    AAAA    2001:502:7094::30
;rrset 155370 1 0 10 0
i.gtld-servers.net.    155370    IN    A    192.43.172.30
;rrset 155370 1 0 10 0
i.gtld-servers.net.    155370    IN    AAAA    2001:503:39c1::30
;rrset 155370 1 0 10 0
h.gtld-servers.net.    155370    IN    A    192.54.112.30
;rrset 155370 1 0 10 0
h.gtld-servers.net.    155370    IN    AAAA    2001:502:8cc::30
;rrset 155370 1 0 10 0
g.gtld-servers.net.    155370    IN    A    192.42.93.30
;rrset 155370 1 0 10 0
g.gtld-servers.net.    155370    IN    AAAA    2001:503:eea3::30
;rrset 155370 1 0 10 0
f.gtld-servers.net.    155370    IN    A    192.35.51.30
;rrset 155370 1 0 10 0
f.gtld-servers.net.    155370    IN    AAAA    2001:503:d414::30
;rrset 155370 1 0 10 0
e.gtld-servers.net.    155370    IN    A    192.12.94.30
;rrset 155370 1 0 10 0
e.gtld-servers.net.    155370    IN    AAAA    2001:502:1ca1::30
;rrset 155370 1 0 10 0
d.gtld-servers.net.    155370    IN    A    192.31.80.30
;rrset 155370 1 0 10 0
d.gtld-servers.net.    155370    IN    AAAA    2001:500:856e::30
;rrset 155370 1 0 10 0
c.gtld-servers.net.    155370    IN    A    192.26.92.30
;rrset 155370 1 0 10 0
c.gtld-servers.net.    155370    IN    AAAA    2001:503:83eb::30
;rrset 155370 1 0 10 0
b.gtld-servers.net.    155370    IN    A    192.33.14.30
;rrset 155370 1 0 10 0
b.gtld-servers.net.    155370    IN    AAAA    2001:503:231d::2:30
;rrset 155370 1 0 10 0
a.gtld-servers.net.    155370    IN    A    192.5.6.30
;rrset 155370 1 0 10 0
a.gtld-servers.net.    155370    IN    AAAA    2001:503:a83e::2:30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:a83e::2:30    not in infra cache.
192.5.6.30          not in infra cache.
2001:503:231d::2:30    not in infra cache.
192.33.14.30        not in infra cache.
2001:503:83eb::30    not in infra cache.
192.26.92.30        not in infra cache.
2001:500:856e::30    not in infra cache.
192.31.80.30        not in infra cache.
2001:502:1ca1::30    not in infra cache.
192.12.94.30        not in infra cache.
2001:503:d414::30    not in infra cache.
192.35.51.30        not in infra cache.
2001:503:eea3::30    not in infra cache.
192.42.93.30        not in infra cache.
2001:502:8cc::30    not in infra cache.
192.54.112.30       rto 302 msec, ttl 136, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:39c1::30    not in infra cache.
192.43.172.30       rto 252 msec, ttl 87, ping 4 var 62 rtt 252, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:7094::30    not in infra cache.
192.48.79.30        not in infra cache.
2001:503:d2d::30    not in infra cache.
192.52.178.30       not in infra cache.
2001:500:d937::30    not in infra cache.
192.41.162.30       not in infra cache.
2001:501:b1f9::30    not in infra cache.
192.55.83.30        rto 297 msec, ttl 585, ping 1 var 74 rtt 297, tA 0, tAAAA 0, tother 0, EDNS 0 probed.

If the router is able to resolve the domain and successfully retrieve the data, then Github itself may be down (it has in the past been DOWN, but on very rare occasions) but I suspect that you are more likely to be observing that your LAN clients are unable to successfully access the internet.

i.e. on a Windows LAN client try
Code:
nslookup www.ibm.com

nslookup www.ibm.com
Server:  RT-AC86U-6160
Address:  192.168.1.1

Non-authoritative answer:
Name:    e7817.dscx.akamaiedge.net
Address:  23.63.87.115
Aliases:  www.ibm.com
          www.ibm.com.cs186.net
          outer-global-dual.ibmcom-tls12.edgekey.net
So 'http://www.ibm.com' would fail, or using the IP retrieved above 'http://23.63.87.115' may also fail which would give you a clue as to what to try next.

If unbound itself is failing (loads of SERVFAIL messages in the unbound log?)

e.g.
Code:
unbound[3123:0] query: 127.0.0.1 www.dailymail.co.uk. A IN
unbound[3123:0] error: SERVFAIL <www.dailymail.co.uk. A IN>: exceeded the maximum nameserver nxdomains
unbound[3123:0] reply: 127.0.0.1 www.dailymail.co.uk. A IN SERVFAIL 0.000000 0 37
unbound[3123:0] query: 127.0.0.1 s.go-mpulse.net. A IN
unbound[3123:0] reply: 127.0.0.1 s.go-mpulse.net. A IN NXDOMAIN 0.000000 1 33
unbound[3123:0] query: 127.0.0.1 www.dailymail.co.uk. A IN
unbound[3123:0] error: SERVFAIL <www.dailymail.co.uk. A IN>: exceeded the maximum nameserver nxdomains
Code:
e  = Exit Script [?]

A:Option ==> sa

<snip>
total.requestlist.avg=0             histogram.000001.000000.to.000002.000000=0  num.answer.rcode.SERVFAIL=4625

then this is apparently by design if you have encountered an invalid DNS chain - something that should be fixed by restarting unbound without restoring the cache, but perhaps I was lucky, as I didn't investigate which DNS chain caused the initial SERVFAIL EXCEEDED event; 'www.dailymail.co.uk', surely not blocked?
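An added example (not from the thread or from unbound_manager) that turns the two diagnostics quoted in this post into a quick check: it tallies SERVFAIL errors per domain from unbound log lines like those above and reads the num.answer.rcode.SERVFAIL counter from the 'sa' stats line. The sample input is constructed from the excerpts in this post.

```shell
#!/bin/sh
# Summarises unbound SERVFAIL activity from the two sources shown above:
# the per-query log lines and the num.answer.rcode.SERVFAIL counter in the
# unbound_manager 'sa' (stats) output. Added example; not part of unbound_manager.

# servfail_summary "<unbound log text>"
# Prints "<count> <domain> <reason>" per distinct SERVFAIL error, most frequent
# first, so the DNS chain behind a burst of failures can be identified quickly.
servfail_summary() {
    printf '%s\n' "$1" \
        | sed -n 's/^.*error: SERVFAIL <\([^ ]*\) [^>]*>: *\(.*\)$/\1 \2/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ c = $1; $1 = ""; sub(/^ /, ""); print c, $0 }'
}

# servfail_counter "<unbound_manager sa output>"
# Prints the value of num.answer.rcode.SERVFAIL, or 0 when the key is absent.
servfail_counter() {
    v=$(printf '%s\n' "$1" | tr '\t' ' ' | tr ' ' '\n' \
        | sed -n 's/^num\.answer\.rcode\.SERVFAIL=//p' | head -n 1)
    echo "${v:-0}"
}

# Constructed sample input, copied from the log excerpt and stats line above
UNBOUND_LOG='unbound[3123:0] query: 127.0.0.1 www.dailymail.co.uk. A IN
unbound[3123:0] error: SERVFAIL <www.dailymail.co.uk. A IN>: exceeded the maximum nameserver nxdomains
unbound[3123:0] reply: 127.0.0.1 www.dailymail.co.uk. A IN SERVFAIL 0.000000 0 37
unbound[3123:0] query: 127.0.0.1 s.go-mpulse.net. A IN
unbound[3123:0] reply: 127.0.0.1 s.go-mpulse.net. A IN NXDOMAIN 0.000000 1 33
unbound[3123:0] query: 127.0.0.1 www.dailymail.co.uk. A IN
unbound[3123:0] error: SERVFAIL <www.dailymail.co.uk. A IN>: exceeded the maximum nameserver nxdomains'

SA_STATS='total.requestlist.avg=0             histogram.000001.000000.to.000002.000000=0  num.answer.rcode.SERVFAIL=4625'

# Stand-alone run; on the router feed it the real log, e.g. servfail_summary "$(cat /opt/var/lib/unbound/unbound.log)"
# (log path is an assumption; use whatever unbound_manager configured)
servfail_summary "$UNBOUND_LOG"
echo "SERVFAIL answers since unbound started: $(servfail_counter "$SA_STATS")"
```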
 