x3mRouting UPDATE: x3mRouting 2.4.3 (2 February, 2021)

Xentrk

x3mRouting Updates (2 February, 2021)

x3mMenu
Perform 386.x firmware version compatibility check for the modified x3mRouting Advanced_OpenVPNClient_Content.asp Screen.

Advanced_OpenVPNClient_Content.asp
Applied 386.1 updates.

LAN Client Routing (Option 1)
x3mRouting_client_config.sh Script - Check if DHCP Static Lease reservations exist for LAN clients. Update README with the requirement.

Stay Safe and Be Excellent To Each Other

Update x3mMenu (screenshot)

Update x3mRouting Repository (screenshot)
 
I had to apply a hot fix to patch an issue with firewall-start. Please run option 7 even if it is not displayed followed by option 5 just to be safe if you have already applied the update above.
 
I had to apply a hot fix to the prior hot fix related to a firewall-start issue. Update x3mMenu to 2.4.4 and select option 5 for any necessary corrections to be applied.
 
I noticed some items play perfectly fine while using CBS All Access and other newer shows don't play at all? I believe they updated their domains. Anyone else having issues with CBS All Access?

Below are the rules I'm currently using (let me know if I need to update them):

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS asnum=AS15169

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 CBS_WEB dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_DNS dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPV4

Update: Disregard, I was missing the following domain (pubads.g.doubleclick.net) in my whitelist. All is good!
 
I just mined dnsmasq. braze dot com does not have a cbs in its name. But I see it being queried between two CBS domains. This is the updated list.
Code:
dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsi.video,cbsig.net,cbsistatic.com,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com,braze.com

Code:
sh autoscan.sh scan=cbs

IPSET Format
-------------------------------------
cbs.com
cbsaavideo.com
cbsi.com
cbsi.video
cbsig.net
cbsistatic.com
cbsstatic.com
irdeto.com
omtrdc.net
syncbak.com


FQDN Format
-------------------------------------
ads.play.cbsi.video
can.cbs.com
cbsi.live.ott.irdeto.com
cbsinteractive.hb.omtrdc.net
cbsnews2.cbsistatic.com
cbsplaylistserver.aws.syncbak.com
cbsservice.aws.syncbak.com
entclips.cbsaavideo.com
kcbsgeniii.syncbak-mediastore-cedexis.cbsaavideo.com
saa.cbsi.com
sparrow.cbs.com
thumbnails.cbsig.net
vod-gcs-cedexis.cbsaavideo.com
www.cbs.com
wwwimage-secure.cbsstatic.com
wwwimage.cbsstatic.com

Code:
 sh autoscan.sh scan=braze

IPSET Format
-------------------------------------
braze.com

FQDN Format
-------------------------------------
ceres.iad-03.braze.com

Code:
asn ceres.iad-03.braze.com

-----------------------------------------
| ASN lookup for ceres.iad-03.braze.com |
-----------------------------------------

- Resolving "ceres.iad-03.braze.com"... 1 IP address found:

151.101.9.208 +PTR -
               +ASN 54113 (FASTLY, US)
               +ORG Fastly
               +NET 151.101.8.0/22 (SKYCA-3)
               +ABU abuse@fastly.com
               +GEO San Francisco, California (US)


Tracing path to 151.101.9.208 (press CTRL-C to cancel)...^C
Interrupted
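The log-mining step described above (finding a domain such as braze.com that sits between two CBS queries, then turning the hits into the list x3mRouting.sh takes as dnsmasq=) as an added example; this is not x3mRouting's autoscan.sh or any code from the thread. The dnsmasq log lines are constructed, the functions assume dnsmasq's standard `query[TYPE] <name> from <client>` log format (log-queries enabled), and the IPSET format is approximated as the last two labels of each name, which is wrong for multi-label public suffixes such as co.uk. The dnsmasq log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: mine a dnsmasq query log the way the thread describes.
# Not x3mRouting's autoscan.sh; the log lines below are constructed, in the
# "query[TYPE] <name> from <client>" format dnsmasq writes with log-queries on.
SAMPLE_LOG='Feb  2 10:00:01 dnsmasq[1234]: query[A] www.cbs.com from 192.168.1.50
Feb  2 10:00:01 dnsmasq[1234]: query[AAAA] www.cbs.com from 192.168.1.50
Feb  2 10:00:01 dnsmasq[1234]: forwarded www.cbs.com to 1.1.1.1
Feb  2 10:00:02 dnsmasq[1234]: query[A] entclips.cbsaavideo.com from 192.168.1.50
Feb  2 10:00:02 dnsmasq[1234]: query[A] ceres.iad-03.braze.com from 192.168.1.50
Feb  2 10:00:03 dnsmasq[1234]: query[A] ads.play.cbsi.video from 192.168.1.50
Feb  2 10:00:03 dnsmasq[1234]: query[A] thumbnails.cbsig.net from 192.168.1.50
Feb  2 10:00:04 dnsmasq[1234]: query[A] example.org from 192.168.1.51'

# Field layout of a query line: $5 = query[TYPE], $6 = name, $8 = client.

# fqdn_format KEYWORD : every distinct queried name containing KEYWORD (log on stdin)
fqdn_format() {
  awk -v kw="$1" '$5 ~ /^query/ && index($6, kw) { print $6 }' | LC_ALL=C sort -u
}

# ipset_format KEYWORD : the same hits reduced to their last two labels.
# Approximation: wrong for multi-label public suffixes such as co.uk.
ipset_format() {
  awk -v kw="$1" '$5 ~ /^query/ && index($6, kw) {
      n = split($6, l, "."); print l[n-1] "." l[n] }' | LC_ALL=C sort -u
}

# dnsmasq_param KEYWORD : the list in the form x3mRouting.sh takes as dnsmasq=
dnsmasq_param() {
  printf 'dnsmasq=%s\n' "$(ipset_format "$1" | tr '\n' ',' | sed 's/,$//')"
}

# dnsmasq_ipset_line SETNAME KEYWORD : the dnsmasq directive that fills SETNAME
# with the addresses those domains resolve to (ipset=/dom1/dom2/SETNAME).
dnsmasq_ipset_line() {
  printf 'ipset=/%s/%s\n' "$(ipset_format "$2" | tr '\n' '/' | sed 's,/$,,')" "$1"
}

# adjacent_queries KEYWORD : names that do NOT contain KEYWORD but were queried
# by the same client immediately before or after a name that does. This is the
# "braze.com sits between two CBS queries" observation, automated.
adjacent_queries() {
  awk -v kw="$1" '
    $5 !~ /^query/ { next }
    { fq = $6; cl = $8; hit = (index(fq, kw) > 0) }
    hit && !phit && pcl == cl && pfq != "" { print pfq }
    !hit && phit && pcl == cl { print fq }
    { pfq = fq; pcl = cl; phit = hit }' | LC_ALL=C sort -u
}

# Usage on the router: replace the sample with `cat /opt/var/log/dnsmasq.log`
# (path assumed; use wherever your firmware writes the dnsmasq log).
printf '%s\n' "$SAMPLE_LOG" | fqdn_format cbs
printf '%s\n' "$SAMPLE_LOG" | dnsmasq_param cbs
printf '%s\n' "$SAMPLE_LOG" | adjacent_queries cbs
```

The adjacency check is the part a keyword search cannot do: on the sample it reports ceres.iad-03.braze.com, which contains no "cbs" but was queried by the same client between two CBS names, so it is a candidate to add to the list (and, as the thread notes, a candidate to whitelist in Diversion).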
 
Thanks for the updated list. I've made the changes to my list.

I copied and pasted the response below from the older x3mRouting forum. I wanted to ask you what you would recommend if I'm currently using Diversion with Unbound and PIA VPN (for Accept DNS configuration)?

I currently have it as "Disabled", but I left it like this after switching from the built-in DoT to Unbound. Should I set "Accept DNS configuration" to "Strict" and use the dhcp-option DNS x.x.x.x, or leave it as Disabled with PIA in conjunction with Unbound?

Also, I do have DNSFilter set to "Router" as well. I'm just trying to set it up as best as possible. Thanks again for your assistance.

Code:
I am not sure why Strict is no longer working for you. Check that you have the right IP address specified in the custom config section.  You can check the system log for "dhcp-option DNS" to find the DNS pushed by the provider. x3mRouting doesn't alter the way firmware handles DNS.  Also, some streaming devices have google DNS hard coded in their firmware. Use the DNS Filter feature of Merlin to force all clients to use the DNS specified by the router.
[QUOTE="Xentrk, post: 518687, member: 49161"]

Not having Diversion work when setting Accept DNS Configuration = Exclusive when using Policy Rules is a known concern that comes up frequently.  Note: if you don't use Policy Rules and route All Traffic thru the tunnel, Diversion will work when you have Accept DNS Configuration = Exclusive!  What?!?!

I have long promoted the use of the Strict setting as a workaround solution.  But with the launch of DoT, I also recommend setting Accept DNS Configuration = Disabled as an option. The VPN tunnel will use the DNS specified on the WAN page. The DNS traffic will be encrypted with DoT.  I cover the issue in detail in my blog post policy-rule-routing-on-asuswrt-merlin-firmware

On my test router, I have DoT enabled to Cloudflare and have accept DNS Configuration = Disabled with no issues. Streaming services that block known VPN providers don't care what DNS I use.  I use a TorGuard dedicated VPN IP address. On another tunnel, I have Accept DNS Configuration = Exclusive.  So you can spin up a second VPN client and route your streaming devices over one tunnel and the other devices to the other tunnel and have the DNS configured differently. But for NordVPN or Express, you must use their DNS over the VPN tunnel to stream from paid subscription services that block VPNs as they are using a DNS proxy service similar to https://www.smartdnsproxy.com/.

There are no other options available that I am aware of other than what I listed above. I've played with some iptables rules. But I bailed after digging into how the firmware is coded and saw all of the hooks in other places in the code.  FYI, you can specify the DNS server in dnsmasq.conf.add by adding the server entry e.g. server=1.1.1.1.
[/QUOTE]
 
The few times I used Unbound, I always made sure dnsmasq was still enabled so the dnsmasq method would work. After one has collected all of the IPv4 addresses, you should be able to disable dnsmasq if you want. x3mRouting will have the backup of the IPv4 addresses collected and will load it at boot time. The iptables rules will match the traffic. You just won't be able to collect new IPv4 addresses.

You'll just have to experiment with the setting and see what works best for your use case. The other solution I really like is to set a custom DNS in DNS Filter. For example, my provider uses Cloudflare DNS. I set custom DNS to 1.1.1.1. Then, enter the MAC address of the device and tell it to use 1.1.1.1. When I perform a DNS leak test, the DNS end point is the same geo location as the VPN server. When CDNs come into play, this may have an impact, based on my recent experience on pfSense using Unbound when trying to get HBO Max to work from the IPv4 addresses I mined on Asuswrt-Merlin.

Another hack is to enter the DNS in the policy routing section in the OpenVPN GUI.

Regarding the change to Paramount+, I think it will have minimal impact. It appears the website is using Amazon AWS servers. I already have a rule for the AWS Global region which includes AS16509.

Code:
 asn paramountplus.com

------------------------------------
| ASN lookup for paramountplus.com |
------------------------------------

- Resolving "paramountplus.com"... 2 IP addresses found:

  54.68.182.72 +PTR ec2-54-68-182-72.us-west-2.compute.amazonaws.com
               +ASN 16509 (AMAZON-02, US)
               +ORG Amazon.com, Inc.
               +NET 54.68.0.0/15 (AMAZON-2011L)
               +ABU abuse@amazonaws.com
               +GEO Portland, Oregon (US)

34.213.106.51 +PTR ec2-34-213-106-51.us-west-2.compute.amazonaws.com
               +ASN 16509 (AMAZON-02, US)
               +ORG Amazon.com, Inc.
               +NET 34.208.0.0/12 (AT-88-Z)
               +ABU abuse@amazonaws.com
               +GEO Portland, Oregon (US)
 
@Xentrk

Hope all is well. I see that CBS is now Paramount+....I still have all the CBS rules and I noticed some videos don't play in Paramount. The Live TV works fine but certain videos are not. I believe I need to add the Paramount domains to my rules. If you already have a rule set up, would you mind sharing? I'd appreciate it.

Update: Hold that thought...I restarted my router for another issue and now it seems all is working. I'll keep testing different videos.
 
I have not finished the analysis yet. But AS16509 covers many of the domains. Using the autoscan script and searching for paramount, cbs, and plus yielded some domains. Not sure about tv.rlcdn.com yet. Found it using the follow the log file feature. Adding it seemed to solve an issue with a VDO playing. I also had to whitelist it. But I want to experiment with removing it when I have more time.

I currently route AWS region GLOBAL. But I added AS16509 when I was trying to figure it all out. Some refinement may be required.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 AS16509 asnum=AS16509
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 PARAMOUNT dnsmasq=cbs.com,cbsaavideo.com,cbsallaccess.com,cbsi.com,cbsi.video,cbsig.net,cbsnews.com,irdeto.com,omtrdc.net,syncbak.com,paramountplus.com,pplusstatic.com,rlcdn.com

On my pfSense box, I have a rule for AS16509 before the rule for the file containing all of the IPv4 address I posted previously. So far, those two rules are catching all of the Paramount+ traffic.

Just did a lookup on some of the IPv4 addresses collected so far and see that some belong to AS14618.
 
@Kingp1n

I have it working with this set up so far. You can probably substitute AWS Global region with US region.

Code:
Chain PREROUTING (policy ACCEPT 13792 packets, 11M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3020  255K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL dst MARK or 0x1000
2    56312 5240K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PARAMOUNT dst MARK or 0x1000
3    48028 3915K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_IPv4 dst MARK or 0x1000


Looks like you also need to route scorecardresearch.com. VDO were not loading when the domain was queried. Adding it fixed it.

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 PARAMOUNT dnsmasq=braze.com,cbs.com,cbsaavideo.com,cbsallaccess.com,cbsi.com,cbsi.video,cbsig.net,cbsnews.com,conviva.com,doubleclick.net,googlevideo.com,irdeto.com,kochava.com,omtrdc.net,paramountplus.com,pplusstatic.com,rlcdn.com,scorecardresearch.com,syncbak.com,theplatform.com
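A quick check of the mangle PREROUTING listing posted above, as an added example that is not part of the thread or of x3mRouting: it confirms that each ipset you expect to be routed has its MARK rule and that the rule has actually matched packets, which is the first thing to verify when a video will not load. The listing embedded below is constructed and modelled on the one posted in this thread, with an extra zero-hit rule (NETFLIX, a made-up set name) to exercise the warning path; the field positions assume `iptables -t mangle -L PREROUTING -n -v --line-numbers` output.

```shell
#!/bin/sh
# Added example (not x3mRouting's own code): audit the mangle PREROUTING
# MARK rules, one per ipset, of the form "match-set NAME dst MARK or 0x1000".
# Constructed sample modelled on the listing posted in the thread, plus a
# zero-hit NETFLIX rule (made-up set name) to show the warning path.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 13792 packets, 11M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3020  255K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL dst MARK or 0x1000
2    56312 5240K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PARAMOUNT dst MARK or 0x1000
3    48028 3915K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set CBS_IPv4 dst MARK or 0x1000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x1000'

# On the router the live listing comes from:
#   iptables -t mangle -L PREROUTING -n -v --line-numbers
# Field layout with --line-numbers: $2 = pkts, $4 = target, $11 = "match-set",
# $12 = ipset name, $NF = mark value.

# rule_line SETNAME : first MARK rule matching ipset SETNAME (listing on stdin)
rule_line() {
  awk -v s="$1" '$4 == "MARK" && $11 == "match-set" && $12 == s { print; exit }'
}

# rule_packets SETNAME : packet counter of that rule, empty if there is no rule
rule_packets() {
  rule_line "$1" | awk '{ print $2 }'
}

# audit_mark_rules SET... : one status line per expected set; returns 1 if any
# set has no rule or its rule has never matched a packet.
audit_mark_rules() {
  listing=$(cat)
  bad=0
  for set in "$@"; do
    line=$(printf '%s\n' "$listing" | rule_line "$set")
    if [ -z "$line" ]; then
      echo "MISSING: no MARK rule for ipset $set (its traffic is not marked for the tunnel)"
      bad=1
      continue
    fi
    pkts=$(printf '%s\n' "$line" | awk '{ print $2 }')
    mark=$(printf '%s\n' "$line" | awk '{ print $NF }')
    if [ "$pkts" = "0" ]; then
      echo "WARN: rule for $set has matched no packets (is the ipset populated?) mark=$mark"
      bad=1
    else
      echo "OK: $set -> mark $mark, $pkts packets"
    fi
  done
  return "$bad"
}

# Demo on the constructed listing; on the router pipe the live listing instead.
printf '%s\n' "$SAMPLE_LISTING" | audit_mark_rules AMAZON_GLOBAL PARAMOUNT CBS_IPv4
```

A rule that exists but shows zero packets usually means the ipset is empty (the dnsmasq entries have not fired yet, or the backup was not restored at boot), while a missing rule means the x3mRouting command was never run for that set or firewall-start did not reinstall it; that is exactly the situation the hot fixes earlier in the thread addressed.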