x3mRouting x3mRouting failed to configure based on VPN client routing

worf

Hi, guys.

First, I restored to factory defaults.

Configured the VPN in the web UI:

Accept DNS Configuration: Relaxed
Force Internet traffic through tunnel: Policy Rules (strict)

Steps:
1. Test the VPN without using x3mRouting.
The result is that all traffic goes out the broadband interface:
Code:
traceroute to www.baidu.com (14.215.177.38), 30 hops max, 38 byte packets
 1  10.0.0.1 (10.0.0.1)  0.301 ms  0.230 ms  0.207 ms
 2  100.64.0.1 (100.64.0.1)  2.409 ms  2.758 ms  2.779 ms
 3  182.150.190.221 (182.150.190.221)  3.606 ms  3.728 ms  3.522 ms
 4  171.208.199.65 (171.208.199.65)  3.760 ms  171.208.199.213 (171.208.199.213)  3.975 ms  61.139.121.41 (61.139.121.41)  3.541 ms
 5  202.97.29.21 (202.97.29.21)  30.634 ms  202.97.96.34 (202.97.96.34)  38.512 ms  202.97.29.17 (202.97.29.17)  30.351 ms
 6  113.96.5.82 (113.96.5.82)  40.200 ms  113.96.5.126 (113.96.5.126)  37.439 ms^C

2. Test using x3mRouting policy routing.

Run the command:
Code:
x3mRouting ALL 1 TEST aws_region=US

The IP test result from the applet still shows broadband output.

Code:
13.34.31.128/27
52.93.178.143
44.192.0.0/11
52.93.60.0/24
52.93.50.150/31
99.77.151.0/24
54.190.198.32/28
52.93.50.174/31
52.144.194.192/26
54.210.0.0/15
15.230.39.70/31
44.242.161.20/30
52.93.50.164/31


Code:
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set TEST dst MARK or 0x1000

Code:
wolf@RT-AC86U-E308:/tmp/home/root# ip rule
0: from all lookup local
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default


What should I do to use it correctly?
 
Amazon US traffic is not traversing thru the iptables rule.

Please try this...go into the policy routing section of the OpenVPN Screen and add an entry for your router IP address and route to the WAN interface. Then, create a DummyVPN1 entry and route to the WAN.



What website are you accessing to test?

Test 1
Test is to route a website thru the VPN tunnel:

x3mRouting ALL 1 WIP dnsmasq=whatismyipaddress.com

Then, go to the website. It should report the ip address of your VPN.

Test 2

Go to the OpenVPN screen and add an entry to route your laptop to the VPN. Then, go to whatismyip.com. It should report the IP address of the VPN. Next, create a vpn bypass rule for the website.

x3mRouting 1 0 WIMYP dnsmasq=whatismyip.com

You may have to clear browser cache for this to work or open a tab in a different browser. Then, go to whatismyip.com. It should report your WAN ip address.
 
Thanks Xentrk.

I want to test the first method, "Test 1".
I must add two policy routing rules: one to route an IP to the WAN interface, e.g. my LAN IP 192.168.50.0/24 to WAN, and one to route a dummy IP to the VPN, e.g. 172.16.0.1 to VPN.

Then run the command
"x3mRouting ALL 1 WIP dnsmasq=whatismyipaddress.com", correct?
 
Failure. I've never been able to configure it correctly.


Code:
x3mRouting 1 0 WIP dnsmasq=baidu.com,qq.com,sogou.com
Code:
x3mRouting 1 0 WICN dir=/tmp/mnt/vpn/RT-AC86U/vpn

 
Let's take a step back and clarify your requirement. Do you want to route all of your LAN traffic to the VPN and bypass certain sites like Baidu? In the first example, you were not routing any LAN clients to VPN Client 1. But then you were creating a rule to bypass VPN client 1 for Amazon. So that confused me. Then, in a later example, you were creating rules to route certain websites to the VPN.

I wanted you to route the Router IP address 192.168.50.1 to the WAN. Not the entire LAN (e.g. 192.168.50.0/24). Unless that is what you want to do. I just wanted to see an entry in RPDB for VPN Client 1 to help in the troubleshooting.

Examples:

 
Please do the test 1 and test 2 as I outlined in my post above rather than changing the websites. It will prove if the rules are working correctly.

Test 1
Test is to route a website thru the VPN tunnel:

x3mRouting ALL 1 WIP dnsmasq=whatismyipaddress.com

Then, go to the website. It should report the ip address of your VPN.

Test 2
Go to the OpenVPN screen and add an entry to route your laptop to the VPN. Then, go to whatismyip.com. It should report the IP address of the VPN. Next, create a vpn bypass rule for the website.

x3mRouting 1 0 WIMYP dnsmasq=whatismyip.com

You may have to clear browser cache for this to work or open a tab in a different browser. Then, go to whatismyip.com. It should report your WAN ip address.
 
Hi Xentrk,

A question regarding the routing. How can we configure to route all LAN traffic to WAN and only Netflix ASN to the VPN?

Thanks.
 
You need option 3. In the OpenVPN Client Screen, turn on Policy Rules.

In this example, VPN Client 1 is the destination. Source is 'ALL' traffic. This will force all Netflix traffic to the VPN, no matter the LAN device.

ASN Method

Route all traffic matching IPSET list NETFLIX created from AS2906 to VPN Client1.

Code:
x3mRouting ALL 1 NETFLIX asnum=AS2906

This may

dnsmasq Method

Code:
x3mRouting ALL 1 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net

This requires that Accept DNS Configuration not be set to Exclusive though. When using Exclusive + Policy Rules, dnsmasq is bypassed.
 
Thanks for sharing the commands and your prompt reply! I have added both commands using different IPSET name.

However, my LAN traffic is still routed to the WAN instead of VPN Client 1 for Netflix. Here is some of the information that I have captured.


/tmp/home/root# liststats
NETFLIXASN - 180

NETFLIXDNS - 0

/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 5303 packets, 1420K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIXASN dst MARK or 0x1000
2 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIXDNS dst MARK or 0x1000


DNS: Strict
Router Mode: RT-AX86U

 
Don't see any packets passing thru the rules. What does the "ip rule" command show?

You don't need to use both methods for Netflix. Just use the ASN method for now.

As a test, create a rule for a "what is my IP address" site to the VPN.

Code:
x3mRouting ALL 1 MYIP dnsmasq=whatismyip.com,whatismyip-address.com

Go to one of those websites and verify it displays your VPN IP address.

Next, go to ipchicken.com and see if it reports your WAN IP address.
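To make the check in the reply above repeatable, here is an added example (not x3mRouting's own code, and not from any post in this thread) that parses saved output of `iptables -nvL PREROUTING -t mangle --line`, `ip rule` and `liststats` and gives one verdict per IPSET: whether the fwmark the MARK rule sets has a matching RPDB entry, whether the set is empty, and whether any packets have matched the rule at all. The listings embedded in it are the ones hprogramming posted above; the parsing assumes that column layout.

```python
"""Offline check of an x3mRouting policy-routing chain.

Added example for this thread, not part of x3mRouting. It parses saved
output of `iptables -nvL PREROUTING -t mangle --line`, `ip rule` and
`liststats` and reports, per MARK rule, why packets may not be reaching
the VPN routing table. The sample listings are the ones posted above in
the thread; the regexes assume the column layout shown there.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Listings as posted in the thread (RT-AX86U, Netflix rules).
IPTABLES_MANGLE = """\
Chain PREROUTING (policy ACCEPT 5303 packets, 1420K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIXASN dst MARK or 0x1000
2 0 0 MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set NETFLIXDNS dst MARK or 0x1000
"""
IP_RULE = """\
0: from all lookup local
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default
"""
LISTSTATS = """\
NETFLIXASN - 180
NETFLIXDNS - 0
"""

# One MARK rule: "<num> <pkts> <bytes> MARK ... match-set <set> dst MARK or <mark>"
MARK_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+\S+\s+MARK\b.*?\bmatch-set\s+(\S+)\s+dst\s+MARK\s+or\s+(0x[0-9a-f]+)",
    re.IGNORECASE,
)
# RPDB entry: "<prio>: from all fwmark <value>/<mask> lookup <table>"
FWMARK_RE = re.compile(
    r"^\d+:\s+from all fwmark\s+(0x[0-9a-f]+)/(0x[0-9a-f]+)\s+lookup\s+(\S+)", re.IGNORECASE
)


@dataclass
class MarkRule:
    num: int
    pkts: int
    ipset: str
    mark: int


def parse_mark_rules(listing: str) -> list[MarkRule]:
    rules = []
    for line in listing.splitlines():
        m = MARK_RE.match(line.strip())
        if m:
            rules.append(MarkRule(int(m[1]), int(m[2]), m[3], int(m[4], 16)))
    return rules


def parse_fwmark_rules(listing: str) -> list[tuple[int, int, str]]:
    """(value, mask, table) for every 'from all fwmark' entry, in priority order."""
    out = []
    for line in listing.splitlines():
        m = FWMARK_RE.match(line.strip())
        if m:
            out.append((int(m[1], 16), int(m[2], 16), m[3]))
    return out


def table_for_mark(mark: int, fwmark_rules: list[tuple[int, int, str]]) -> str | None:
    """First RPDB entry whose value/mask matches the mark, as the kernel would pick it."""
    for value, mask, table in fwmark_rules:
        if mark & mask == value:
            return table
    return None


def parse_liststats(listing: str) -> dict[str, int]:
    stats = {}
    for line in listing.splitlines():
        name, sep, count = line.partition(" - ")
        if sep and count.strip().isdigit():
            stats[name.strip()] = int(count)
    return stats


def diagnose(mangle: str, iprule: str, liststats: str) -> dict[str, str]:
    """One verdict per IPSET name; the order of checks matters (empty set first)."""
    fwmarks = parse_fwmark_rules(iprule)
    sizes = parse_liststats(liststats)
    verdicts = {}
    for r in parse_mark_rules(mangle):
        table = table_for_mark(r.mark, fwmarks)
        if table is None:
            verdicts[r.ipset] = f"no ip rule for fwmark {r.mark:#x}: marked packets fall through to main"
        elif sizes.get(r.ipset, 0) == 0:
            verdicts[r.ipset] = "ipset is empty: rule can never match"
        elif r.pkts == 0:
            verdicts[r.ipset] = ("0 packets matched: LAN clients are not sending to any address "
                                 "in the set (check what the site actually resolves to)")
        else:
            verdicts[r.ipset] = f"{r.pkts} packets marked {r.mark:#x} -> table {table}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in diagnose(IPTABLES_MANGLE, IP_RULE, LISTSTATS).items():
        print(f"{name}: {verdict}")
```

On a router, paste the three commands' output into the constants and run it. A set that is populated and has an RPDB entry but zero matched packets is the interesting case: the MARK rule is fine, the clients simply never send to an address in the set, so the next thing to look at is what the site's names resolve to, which is where this thread ends up.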
 
Don't see any packets passing thru the rules. What does the "ip rule" command show?

/tmp/home/root# ip rule
0: from all lookup local
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
32766: from all lookup main
32767: from all lookup default


You don't need to use both methods for Netflix. Just use the ASN method for now.
Noted. I have removed the dnsmasq method.

Go to one of those websites and verify it displays your VPN IP address.

Next, go to ipchicken.com and see if it reports your WAN IP address.

Both websites show my VPN IP and ipchicken.com shows my WAN IP.
 
@hprogramming

Good. If it works, don't change it.

If you install option 4 scripts, there is a utility called ASN Lookup. You can type "asn netflix.com" at the SSH prompt and it will display the ASN the domain belongs to. What ASN displays on your end? I am curious if it is one of the other ASNs that belong to NF.

 
I'm getting the AWS ASN.

- Resolving "netflix.com"... 6 IP addresses found:

54.73.148.110 +PTR ec2-54-73-148-110.eu-west-1.compute.amazonaws.com
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 54.73.0.0/16 (AMAZO-ZDUB6)
+ABU abuse@amazonaws.com
+GEO Dublin, Dublin (IE)

18.200.8.190 +PTR ec2-18-200-8-190.eu-west-1.compute.amazonaws.com
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 18.200.0.0/16 (AMAZON-DUB)
+ABU abuse@amazonaws.com
+GEO Dublin, Dublin (IE)

54.155.246.232 +PTR ec2-54-155-246-232.eu-west-1.compute.amazonaws.com
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 54.155.0.0/16 (AMAZON)
+ABU abuse@amazonaws.com
+GEO Dublin, Dublin (IE)

2a05:d018:76c:b685:3b38:679d:2640:1ced +PTR -
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 2a05:d018:400::/38 ()
+ABU email-abuse@amazon.com
+GEO Dublin, Dublin (IE)

2a05:d018:76c:b683:f711:f0cf:5cc7:b815 +PTR -
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 2a05:d018:400::/38 ()
+ABU email-abuse@amazon.com
+GEO Dublin, Dublin (IE)

2a05:d018:76c:b684:8e48:47c9:84aa:b34d +PTR -
+ASN 16509 (AMAZON-02, US)
+ORG Amazon.com, Inc.
+NET 2a05:d018:400::/38 ()
+ABU email-abuse@amazon.com
+GEO Dublin, Dublin (IE)
 
Thanks for the feedback @hprogramming . I'll retest the ASN method on my end again and make any new recommendations if necessary for those that prefer the ASN method. I made a change a few months back and route all AWS traffic thru my VPN, which includes AS16509. So, I wouldn't have been able to detect an issue. Previously, AS2906 was all that was required.
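For the ASN method described earlier in the thread and the AS16509 observation just above, here is an added example (not x3mRouting's own code, and not from any post) that shows why a NETFLIX list built from AS2906 alone never marks packets to the netflix.com front-end addresses: it builds the equivalent of the IPSET from a prefix list and tests which destinations a `match-set ... dst` MARK rule would send to the VPN table. The AWS prefixes and the resolved addresses are taken from the asn output posted above; the AS2906 prefixes are constructed stand-ins, not a live fetch.

```python
"""Which destinations would an x3mRouting ASN-based IPSET actually mark?

Added example for this thread, not x3mRouting's own code. x3mRouting fills
the IPSET from the prefixes an AS announces; the MARK rule then matches only
packets whose destination falls inside one of those prefixes. The prefix
lists below are constructed for illustration (AWS ranges copied from the
`asn netflix.com` output in the thread, made-up stand-ins for AS2906); they
are not a live download, so refresh them from real ASN data before use.
"""
from __future__ import annotations

import ipaddress
from ipaddress import IPv4Network, IPv6Network

# Constructed stand-ins for what `x3mRouting ALL 1 NETFLIX asnum=AS2906` would load.
AS2906_PREFIXES = ["45.57.0.0/17", "198.38.96.0/19", "198.45.48.0/20"]

# Ranges the `asn netflix.com` output above attributed to AS16509 (AMAZON-02).
AS16509_PREFIXES = ["54.73.0.0/16", "18.200.0.0/16", "54.155.0.0/16", "2a05:d018:400::/38"]

# Addresses netflix.com resolved to in that output.
NETFLIX_COM_RECORDS = [
    "54.73.148.110",
    "18.200.8.190",
    "54.155.246.232",
    "2a05:d018:76c:b685:3b38:679d:2640:1ced",
]


def build_ipset(prefixes: list[str]) -> list[IPv4Network | IPv6Network]:
    """Normalise prefixes the way a hash:net ipset holds them; strict=False
    tolerates host bits set, which ASN dumps sometimes contain."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_marked(dst: str, ipset: list[IPv4Network | IPv6Network]) -> bool:
    """True if a packet to dst would hit a 'match-set <set> dst' MARK rule."""
    addr = ipaddress.ip_address(dst)
    return any(addr.version == net.version and addr in net for net in ipset)


def route_decisions(dests: list[str], ipset: list[IPv4Network | IPv6Network]) -> dict[str, str]:
    """'vpn' when the fwmark rule would send the packet to ovpnc1, else 'wan' (main table)."""
    return {d: ("vpn" if is_marked(d, ipset) else "wan") for d in dests}


if __name__ == "__main__":
    only_2906 = build_ipset(AS2906_PREFIXES)
    with_aws = build_ipset(AS2906_PREFIXES + AS16509_PREFIXES)
    for dst in NETFLIX_COM_RECORDS:
        print(f"{dst:40} AS2906 only: {route_decisions([dst], only_2906)[dst]:3}  "
              f"+AS16509: {route_decisions([dst], with_aws)[dst]}")
```

The trade-off Xentrk describes is visible in the output: adding AS16509 makes the netflix.com records match, but it also marks every other AWS-hosted destination for the VPN, which may be far more than you intended to route. Whatever list you end up with, regenerate it from the actual ASN data rather than the constructed prefixes here.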
 
Understood. Thank you!
 
