x3mRouting x3mRouting ~ Modified OpenVPN Client Screen for 386.1 Asuswrt-Merlin release (31 Jan 2020 update)

[Xentrk]

Thank you, I created the static DHCP reservations, but using the YAzDHCP script, in order to increase the number of manual assignments above of 64. I think the script clears the nvram and stores the static DCHCP static reservations in another location.

So using both commands ...

nvram get dhcp_hostnames
nvram get dhcp_staticlist

there is no results. nvram is clear of DCHP reservations.

Thanks. I will have to update the LAN Client Routing feature to use those files if they exist. Stay tuned...

 

[Xentrk]

@chongnt

I applied a hot fix to repair the firewall-start issue. Update x3mMenu first. Then, check for updates or reinstall the option.

 

[chongnt]

@chongnt

I applied a hot fix to repair the firewall-start issue. Update x3mMenu first. Then, check for updates or reinstall the option.

Thanks @Xentrk , it works. You have done some magic.

From syslog, there are two instances it is being run. The first one return with error but the second time it gets completed. What do you think?

Feb 2 20:41:09 RT-AC86U-DBA8 (x3mRouting.sh): 8959 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 20:41:09 RT-AC86U-DBA8 (x3mRouting.sh): 8959 Error! Mandatory PREROUTING rule for IPSET name AstroGo does not exist.
...snipped...
Feb 2 20:41:11 RT-AC86U-DBA8 (x3mvpnrouting.sh): 9489 Routing rules created for IPSET list AstroGo
snipped...
Feb 2 20:41:15 RT-AC86U-DBA8 (x3mRouting.sh): 11706 Starting Script Execution server=2 ipset_name=AstroGo
Feb 2 20:41:15 RT-AC86U-DBA8 (x3mRouting.sh): 11706 Completed Script

 

[abir1909]

The permission issue should be unrelated. To fix, type the command

chmod 755 /jffs/scripts/firewall-start

Keep searching down for "x3mRouting.sh): 3585" to see if it completed.

Problem solved! The script wasn’t executable. I ran: chmod a+rx /jffs/scripts/*
Now it’s up and running at boot. Thanks

 

[Xentrk]

Problem solved! The script wasn’t executable. I ran: chmod a+rx /jffs/scripts/*
Now it’s up and running at boot. Thanks

I had another report about a firewall-start issue about the permission this past week. I did apply a patch the other day but realized yesterday that it only applies to new installs. The last hot patch I applied to x3mMenu will perform a repair on firewall-start when selectng option 5 - Update x3mRouting Repo.

 

[abir1909]

I guess we won't see that problem going forward... thanks again.

 

[abir1909]

I had another report about a firewall-start issue about the permission this past week. I did apply a patch the other day but realized yesterday that it only applies to new installs. The last hot patch I applied to x3mMenu will perform a repair on firewall-start when selectng option 5 - Update x3mRouting Repo.

question, i am routing Akamai ASN# through the VPN and it works great with the streaming service i am using. however, by blocking the entire Akamai ASN i noticed couple sites that won't work. for example CVS.com (it says it can only open in the US) my question, is there a way to whitelist the CVS IP range while still blocking all Akamai ASN number? i tried to put the CVS ip range through the WAN but it seems like the ASN routing is taking over. does it make sense?

 

[Xentrk]

question, i am routing Akamai ASN# through the VPN and it works great with the streaming service i am using. however, by blocking the entire Akamai ASN i noticed couple sites that won't work. for example CVS.com (it says it can only open in the US) my question, is there a way to whitelist the CVS IP range while still blocking all Akamai ASN number? i tried to put the CVS ip range through the WAN but it seems like the ASN routing is taking over. does it make sense?

Try changing the order of the events so the rule for CVS matches before the rule for Akamai. Can you do some more analysis on the streaming service to see if you can obtain the domain names rather than having to route an entire CDN? Option 4 contains some tools you can use. The ASN Lookup Tool is a good start followed by the autoscan.sh script. You should first use the follow the log file option in diversion to see if you spot a common name in the query A records. You don't need to be concerned with the reply records. The ipset feature built into dnsmasq will automatically add the ipv4 addresses returned by the reply records. Then, use the autoscan.sh script to search for the keyword and it will report back the top level domain name and the FQDN records being queried.

 

[abir1909]

Try changing the order of the events so the rule for CVS matches before the rule for Akamai. Can you do some more analysis on the streaming service to see if you can obtain the domain names rather than having to route an entire CDN? Option 4 contains some tools you can use. The ASN Lookup Tool is a good start followed by the autoscan.sh script. You should first use the follow the log file option in diversion to see if you spot a common name in the query A records. You don't need to be concerned with the reply records. The ipset feature built into dnsmasq will automatically add the ipv4 addresses returned by the reply records. Then, use the autoscan.sh script to search for the keyword and it will report back the top level domain name and the FQDN records being queried.

 

[abir1909]

Try changing the order of the events so the rule for CVS matches before the rule for Akamai. Can you do some more analysis on the streaming service to see if you can obtain the domain names rather than having to route an entire CDN? Option 4 contains some tools you can use. The ASN Lookup Tool is a good start followed by the autoscan.sh script. You should first use the follow the log file option in diversion to see if you spot a common name in the query A records. You don't need to be concerned with the reply records. The ipset feature built into dnsmasq will automatically add the ipv4 addresses returned by the reply records. Then, use the autoscan.sh script to search for the keyword and it will report back the top level domain name and the FQDN records being queried.

Changing the order of the entry didn’t help. Tried few times before, didn’t work!
I will try to dig deeper, all my searches before led me to Akamai. Will try again. Thx

 

[chongnt]

Changing the order of the entry didn’t help. Tried few times before, didn’t work!
I will try to dig deeper, all my searches before led me to Akamai. Will try again. Thx

Perhaps can check in /jffs/configs/dnsmasq.conf.add if there is any old sequence still there? Not sure if this is necessary but I find that some time delete the ipset name and then start with a clean one worth a try.

 

[MatteoPV]

I think I'm on the right page to ask for this info.

I am using my paid VPN with openvpn protocol. I have already created some tunnel rules regarding the devices I use every day. Now I would like to activate the guest line on my router, so that if I have people at home, they connect to this. I would like to make sure that everyone who connects to the guest line is directed to the VPN. Is it possible with x3mrouting?
Can I also manage the use of the vpn client servers or do I need another app?

 

[Xentrk]

I think I'm on the right page to ask for this info.

I am using my paid VPN with openvpn protocol. I have already created some tunnel rules regarding the devices I use every day. Now I would like to activate the guest line on my router, so that if I have people at home, they connect to this. I would like to make sure that everyone who connects to the guest line is directed to the VPN. Is it possible with x3mrouting?
Can I also manage the use of the vpn client servers or do I need another app?

YazFi sounds like the best fit for your requirement. It can be installed via AMTM.

 

[MatteoPV]

I installed x3mrouting via AMTM and installed
OpenVPN Client GUI, OpenVPN Event & x3mRouting.sh Script. Now I have an extra entry at the bottom of the vpn client server. Is there a guide on how to use it?
What is IPSET Name? How should Dim 1 and Dim 2 be adjusted?

 

[chongnt]

I installed x3mrouting via AMTM and installed
OpenVPN Client GUI, OpenVPN Event & x3mRouting.sh Script. Now I have an extra entry at the bottom of the vpn client server. Is there a guide on how to use it?
What is IPSET Name? How should Dim 1 and Dim 2 be adjusted?

Detail information is in this link:

GitHub - Xentrk/x3mRouting: Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware

Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - Xentrk/x3mRouting

github.com

I don't know about Dim1 and Dim2. I leave it as default Dim1 DST and Dim2 empty. It works for what I wanted so I didn't explore on this settings.

 

[MatteoPV]

Detail information is in this link:

GitHub - Xentrk/x3mRouting: Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware

Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - Xentrk/x3mRouting

github.com

I don't know about Dim1 and Dim2. I leave it as default Dim1 DST and Dim2 empty. It works for what I wanted so I didn't explore on this settings.

OK thank you very much

 

[Martineau]

Now I have an extra entry at the bottom of the vpn client server. Is there a guide on how to use it?
What is IPSET Name? How should Dim 1 and Dim 2 be adjusted?

IPSET brief definition

Basically an IPSET can contain thousands of entries and needs only a single firewall rule to very efficiently match the contents.

The IPSETs created by X3mRouting are considered 1-DIMensional because each entry contains only one column value i.e. an IP address

e.g. 1st column is an IP address used by the domain

xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx

The firewall rule needs to know if the column represents a source or destination IP, so as X3mRouting is Selectively routing to a domain such as 'bbc.co.uk'

we need to set DIM1=DST

If we added another column to the IPSET

e.g. 2nd column is a port so we now have a 2-DIMension IPSET

xxx.xxx.xxx.xxx     nnnn
bad.xxx.xxx.xxx     nnnn

Now for the firewall rule, how should it evaluate the port match? - inbound or outbound?

so we need to set DIM2=SRC or DIM2=DST as appropriate.

 

[MatteoPV]

Ok, I think I understand

 

[chongnt]

Hi @Xentrk,

Previously I use
x3mRouting 1 0 ipset_name=AstroGo autoscan=astro

and it auto generated ipset_name=AstroGo dnsmasq=amazonaws.com,cloudflare.net,com.my,vsscloud-astroprod.tv

Everything works fine. But then I find the ipset AstroGo keeps growing until I realized I am adding way more that what I needed to the ipset.

After redo again with more specific query, I trim it down to only 3 IP.
Update: I have change to manual ip mode like this now in nat-start.

#!/bin/sh
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 client=1
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 ipset_name=AstroGo ip=13.228.31.33,13.250.167.128,18.140.144.126
sh /jffs/scripts/x3mRouting/x3mRouting.sh server=2 ipset_name=AstroGo
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 WAN_IP dnsmasq=whatsmyip.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 VPN_IP dnsmasq=whatismyipaddress.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 2 DummyVPN2 dnsmasq=dummyvpn2.me

Everything is working fine.

        RPDB Rules
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 192.168.1.1 lookup main
10101:  from 10.16.0.0/24 lookup ovpnc1
10102:  from 192.168.1.2 lookup ovpnc1
10103:  from 192.168.1.11 lookup ovpnc1
10104:  from 192.168.1.21 lookup ovpnc1
10105:  from 192.168.1.91 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

        Client ovpnc1 port 1194 udp
default via 10.8.2.1 dev tun11
10.8.2.0/24 dev tun11  proto kernel  scope link  src 10.8.2.2
        Client ovpnc2 port 443 tcp-client
default via 10.7.1.1 dev tun12
10.7.1.0/24 dev tun12  proto kernel  scope link  src 10.7.1.3
        Client ovpnc3 port 1194 udp
        Client ovpnc4 port 1194 udp
        Client ovpnc5 NOT configured

        Table main
default via 60.51.46.254 dev ppp0


        FWMARK Tagging
Chain PREROUTING (policy ACCEPT 356 packets, 648K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set DummyVPN2 dst MARK or 0x2000
2        0     0 MARK       all  --  tun22  *       0.0.0.0/0            0.0.0.0/0            match-set AstroGo dst MARK or 0x8000
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AstroGo dst MARK or 0x8000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN_IP dst MARK or 0x8000
5        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN_IP dst MARK or 0x1000

Here is a weird problem. I have nothing but a dummy in VPN Client 2. If I go to VPN page GUI Client 2 turn off and turn on the button everything is fine. In scMerlin, if I reset VPN Client 1, everything is working fine. Somehow whenever I use scMerlin to reset VPN Client 2, both AstroGo route will get deleted.

        RPDB Rules
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10001:  from 192.168.1.1 lookup main
10101:  from 10.16.0.0/24 lookup ovpnc1
10102:  from 192.168.1.2 lookup ovpnc1
10103:  from 192.168.1.11 lookup ovpnc1
10104:  from 192.168.1.21 lookup ovpnc1
10105:  from 192.168.1.91 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

        Client ovpnc1 port 1194 udp
default via 10.8.2.1 dev tun11
10.8.2.0/24 dev tun11  proto kernel  scope link  src 10.8.2.2
        Client ovpnc2 port 443 tcp-client
default via 10.7.2.1 dev tun12
10.7.2.0/24 dev tun12  proto kernel  scope link  src 10.7.2.2
        Client ovpnc3 port 1194 udp
        Client ovpnc4 port 1194 udp
        Client ovpnc5 NOT configured

        Table main
default via 60.51.46.254 dev ppp0


        FWMARK Tagging
Chain PREROUTING (policy ACCEPT 862 packets, 167K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set WAN_IP dst MARK or 0x8000
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set VPN_IP dst MARK or 0x1000
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set DummyVPN2 dst MARK or 0x2000

I am not sure why reset of VPN Client 2 in scMerlin will have such effect. I added iptables for AstroGo in vpnclient2-route-up which seems to solve the issue. I don't need this in vpnclient1-route-up script though.

admin@RT-AC86U-DBA8:/tmp/mnt/amtm/entware/tmp# more /jffs/scripts/x3mRouting/vpnclient2-route-up
#!/bin/sh

logger "VPN Client 2 coming up ..."
iptables -t mangle -D PREROUTING -i br0 -m set --match-set DummyVPN2 dst -j MARK --set-mark 0x2000/0x2000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set DummyVPN2 dst -j MARK --set-mark 0x2000/0x2000
iptables -t mangle -D PREROUTING -i tun22 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i tun22 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000
iptables -t mangle -D PREROUTING -i br0 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set AstroGo dst -j MARK --set-mark 0x8000/0x8000

 

[abir1909]

Try changing the order of the events so the rule for CVS matches before the rule for Akamai. Can you do some more analysis on the streaming service to see if you can obtain the domain names rather than having to route an entire CDN? Option 4 contains some tools you can use. The ASN Lookup Tool is a good start followed by the autoscan.sh script. You should first use the follow the log file option in diversion to see if you spot a common name in the query A records. You don't need to be concerned with the reply records. The ipset feature built into dnsmasq will automatically add the ipv4 addresses returned by the reply records. Then, use the autoscan.sh script to search for the keyword and it will report back the top level domain name and the FQDN records being queried.

Hi Xentrk, is there a way to view the ipsets I created? What’s the command to show the ip sets and what they contain? (ASN/ Domains)
Thanks