x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)

[Xentrk]

Use this thread to discuss x3mRouting issues

 

[Olivier L]

hello
I am using x3mrouting method 3 for all my VPN routing stuff. I just noticed something weird.
In my nat-start i have

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
ip rule del prio 999$VPN_ID 2>/dev/null
sleep 1
done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN 3 fwmark

but afterwards I have

ip rule
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9992: from all fwmark 0x3000/0x3000 lookup ovpnc5
9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
9994: from all fwmark 0x2000/0x2000 lookup ovpnc2
9995: from all fwmark 0x4000/0x4000 lookup ovpnc3
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.1.210 to 192.168.0.254 lookup main
10101: from 192.168.1.208/28 lookup ovpnc1
10102: from 10.8.0.0/24 lookup ovpnc1
10301: from 192.168.1.22 lookup ovpnc2
10701: from 192.168.1.192/28 lookup ovpnc4
32766: from all lookup main
32767: from all lookup default

whats' wrong with prio ?

???

 

[Xentrk]

hello
I am using x3mrouting method 3 for all my VPN routing stuff. I just noticed something weird.
In my nat-start i have


but afterwards I have



whats' wrong with prio ?

???

x3mRouting does not place those entries in nat-start. Remove them if using x3mRouting. Or, did you create those entries for Policy Routing for ports? nat-start is creating the RPDB rules. Then, x3mRouting runs which removes the rules and updates per the x3mRouting code.

x3mRouting FWMARKS and RPDB rules

## Define interface/bitmask to route traffic to below
Set_Fwmark_Parms() {

  FWMARK_WAN="0x8000/0x8000"
  FWMARK_OVPNC1="0x1000/0x1000"
  FWMARK_OVPNC2="0x2000/0x2000"
  FWMARK_OVPNC3="0x4000/0x4000"
  FWMARK_OVPNC4="0x7000/0x7000"
  FWMARK_OVPNC5="0x3000/0x3000"
}

Set_IP_Rule() {

  VPN_ID="$1"

  case "$VPN_ID" in
  0)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table 254 prio 9990 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  1)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc1 prio 9995 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  2)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc2 prio 9994 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  3)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc3 prio 9993 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  4)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc4 prio 9992 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  5)
    if [ "$(ip rule | grep -cm 1 "$TAG_MARK")" -eq 0 ]; then
      ip rule add from 0/0 fwmark "$TAG_MARK" table ovpnc5 prio 9991 && logger -st "($(basename "$0"))" $$ "Created fwmark $TAG_MARK"
      ip route flush cache
    fi
    ;;
  *)
    Error_Exit "ERROR $1 should be 0-WAN or 1-5=VPN"
    ;;
  esac
}

 

[Olivier L]

You are right. I created this before using using x3mrouting so that I can reach ssh and web server on a device protected behind a VPN.

# Ensure duplicate rules are not created
for VPN_ID in 0 1 2 3 4 5
do
ip rule del prio 999$VPN_ID 2>/dev/null
sleep 1
done

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x8000/0x8000" table main prio 9990 # WAN fwmark
ip rule add from 0/0 fwmark "0x7000/0x7000" table ovpnc4 prio 9991 # VPN 4 fwmark
ip rule add from 0/0 fwmark "0x3000/0x3000" table ovpnc5 prio 9992 # VPN 5 fwmark
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993 # VPN 1 fwmark
ip rule add from 0/0 fwmark "0x2000/0x2000" table ovpnc2 prio 9994 # VPN 2 fwmark
ip rule add from 0/0 fwmark "0x4000/0x4000" table ovpnc3 prio 9995 # VPN 3 fwmark

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.22 -p tcp -m multiport --sport 22,80,443 -j MARK --set-mark 0x8000/0x8000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.22 -p tcp -m multiport --sport 22,80,443 -j MARK --set-mark 0x8000/0x8000

I still need this.

Maybe there is a conflict there with x3mrouting ?

 

[Xentrk]

You are right. I created this before using using x3mrouting so that I can reach ssh and web server on a device protected behind a VPN.

I still need this.

Maybe there is a conflict there with x3mrouting ?

I just started working on adding on port routing to x3mRouting. You will have to change your nat-start code to match x3mRouting code. Alternatively, you can take advantage of x3mRouting features as follows if you have a rule to route the entire LAN to OpenVPN.

Create a dummy routing rule to bypass VPN Client 1 so the WAN fwmark gets created.

x3mRouting 1 0 DUMMY ip=172.16.0.1

Create the file /jffs/scripts/x3mRouting/vpnclient1-route-up

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.22 -p tcp -m multiport --sport 22,80,443 -j MARK --set-mark 0x8000/0x8000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.22 -p tcp -m multiport --sport 22,80,443 -j MARK --set-mark 0x8000/0x8000

/jffs/scripts/x3mRouting/vpnclient1-route-pre-down

iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.22 -p tcp -m multiport --sport 22,80,443 -j MARK --set-mark 0x8000/0x8000 2> /dev/null

Bounce the VPN client to implement. The rule gets applied when the vpn client starts and the rule gets removed when the VPN client goes down.

 

[Olivier L]

Thanks a lot for your help, I have cleaned up my nat-start so that I now use only x3mrouting scripts. no need to use a dummy rule as I have already real one in my setup. So far it looks perfect. Thanks.

 

[SpykeYs]

Hello everyone !

I did spend a few hours reading many posts on this forum and I think what I need is x3mRouting but I am looking for some guidance and/or assistance. I want my whole network to be protected behind a PIA vpn using an asus AC-3100 which I have been able to successfully configured. I have also been able to create PBR in order to exclude a laptop from the VPN and send him directly to my WAN... YAY

My new Chromecast with Google TV is therefor fully behind VPN but unfortunately I need Netflix and Disney+ to go out to my WAN as my VPN provider is being blocked by both. This is where x3mRouting comes into play right ? I have been reading the documentation but I am still very confused. Sorry, I am a newb.

Goal:

My router: ASUS AC-3100 with Merlin 384.19

1. Whole network behind VPN (Already completed via Asus AC-3100 & Private Internet Access)
2. Laptop excluded by VPN (Already completed via PBR)
3. Netflix + Disney+ excluded from VPN and sent to WAN - NEED HELP

Step #1 : Do I really need a USB key to install entware ? I'm reading that it can be installed via amtm who is already installed on firmware 384.19
Step #2: SSH + sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/master/Install_x3mRouting.sh)" ?
Step #3: ?

This is where I get lost a bit.

Anyone help would be greatly appreciated. My goal is very simple.. everything behind VPN, PBR in order to exclude 1 laptop and Netflix+Displey+ excluded from VPN and sent to WAN.

MANY THANKS in advance, sorry for being new to this.

 

[SpykeYs]

Anyone ?

i would also add Amazon Prime to the list to be sent to WAN.

Thanks

 

[Kingp1n]

Anyone ?

i would also add Amazon Prime to the list to be sent to WAN.

Thanks

Yes download the x3mRouting script option 3. It should create some files inside your router. SSH into router and look for the nat-start script. And you can copy and paste some files i have to this file or you input them manually. They should be in the original x3mRouting forum but let me know if you can't them. It looks like alot to taken on but its not too difficult once you read thru the forums.

 

[Xentrk]

Hello everyone !

I did spend a few hours reading many posts on this forum and I think what I need is x3mRouting but I am looking for some guidance and/or assistance. I want my whole network to be protected behind a PIA vpn using an asus AC-3100 which I have been able to successfully configured. I have also been able to create PBR in order to exclude a laptop from the VPN and send him directly to my WAN... YAY

My new Chromecast with Google TV is therefor fully behind VPN but unfortunately I need Netflix and Disney+ to go out to my WAN as my VPN provider is being blocked by both. This is where x3mRouting comes into play right ? I have been reading the documentation but I am still very confused. Sorry, I am a newb.

Goal:

My router: ASUS AC-3100 with Merlin 384.19

1. Whole network behind VPN (Already completed via Asus AC-3100 & Private Internet Access)
2. Laptop excluded by VPN (Already completed via PBR)
3. Netflix + Disney+ excluded from VPN and sent to WAN - NEED HELP

Step #1 : Do I really need a USB key to install entware ? I'm reading that it can be installed via amtm who is already installed on firmware 384.19
Step #2: SSH + sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/master/Install_x3mRouting.sh)" ?
Step #3: ?

This is where I get lost a bit.

Anyone help would be greatly appreciated. My goal is very simple.. everything behind VPN, PBR in order to exclude 1 laptop and Netflix+Displey+ excluded from VPN and sent to WAN.

MANY THANKS in advance, sorry for being new to this.

Yes, a USB is required to install entware. There are packages required by the utility in entware. You can create a routing rule for the entire LAN to use the VPN using CIDR notation 192.168.1.0/24 on the OpenVPN Client Screen. Then, use x3mRouting to create the VPN bypass rule for Netflix, Prime and Disney.

 

[wolvenstein]

I'm using Torguard with dedicated streaming IP. And x3mrouting had been working superbly. Until today, Disney+ geo-blocking my IP. Upon troubleshooting, I have to change the "Accept DNS Configuration" from strict to exclusive to make it work again. But the problem now is x3mrouting is no longer working well, as I can't route some domain to WAN. Any tips to solve this?

 

[Sean Rhodes]

How do I install x3mrouting V1.0? I have the RT3200, so 384.13_10 is the max upgrade I can go to on this router. I just did a complete wipe and reset, only to find that x3mrouting V2.40 is not compatible with my router now

Invalid firmware version detected - 384.13. This option of x3mRouting requires version 384.19 and above.
You can force update x3mRouting by typing the word 'force' below.
You must perform a 384.19+ firwmare update immediately after updating x3mRouting.

 

[Xentrk]

I'm using Torguard with dedicated streaming IP. And x3mrouting had been working superbly. Until today, Disney+ geo-blocking my IP. Upon troubleshooting, I have to change the "Accept DNS Configuration" from strict to exclusive to make it work again. But the problem now is x3mrouting is no longer working well, as I can't route some domain to WAN. Any tips to solve this?

DNS shouldn't matter with TorGuard. Last time I checked, TG was using Cloudflare DNS.

You can try using the dnsmasq method for Disney using the code below to see if that helps.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 DISNEY dnsmasq=demdex.net,disney-plus.net,disneyplus.co,disneyplus.com,dssott.com,go.com

This is routing Disney traffic to VPN Client 1 which is my Private IP with TorGuard.

 

[Xentrk]

How do I install x3mrouting V1.0? I have the RT3200, so 384.13_10 is the max upgrade I can go to on this router. I just did a complete wipe and reset, only to find that x3mrouting V2.40 is not compatible with my router now

Invalid firmware version detected - 384.13. This option of x3mRouting requires version 384.19 and above.
You can force update x3mRouting by typing the word 'force' below.
You must perform a 384.19+ firwmare update immediately after updating x3mRouting.

I saved a compatible version in the branch on GitHub.

GitHub - Xentrk/x3mRouting at x3mRouting-384.18

Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - GitHub - Xentrk/x3mRouting at x3mRouting-384.18

github.com

Installation

sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/Install_x3mRouting.sh)"

 

[wolvenstein]

DNS shouldn't matter with TorGuard. Last time I checked, TG was using Cloudflare DNS.

You can try using the dnsmasq method for Disney using the code below to see if that helps.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 DISNEY dnsmasq=demdex.net,disney-plus.net,disneyplus.co,disneyplus.com,dssott.com,go.com

This is routing Disney traffic to VPN Client 1 which is my Private IP with TorGuard.

Works like a charm. Thanks!!

 

[Sean Rhodes]

I saved a compatible version in the branch on GitHub.

GitHub - Xentrk/x3mRouting at x3mRouting-384.18

Selectively route LAN clients, website or streaming media traffic over the WAN or OpenVPN client interfaces on Asuswrt-Merlin firmware - GitHub - Xentrk/x3mRouting at x3mRouting-384.18

github.com

Installation

sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/Install_x3mRouting.sh)"

Perfect thanks for the help

 

[Xentrk]

Works like a charm. Thanks!!

The AWS region method using US or GLOBAL worked last time I tested it. Or, the ASN method using AS16509, which also happens to be the same ASN used by Netflix.

ASN Lookup Tool Output

# asn disneyplus.com

---------------------------------
| ASN lookup for disneyplus.com |
---------------------------------

- Resolving "disneyplus.com"... 1 IP address found:

54.71.61.241 +PTR ec2-54-71-61-241.us-west-2.compute.amazonaws.com
              +ASN 16509 (AMAZON-02, US)
              +ORG Amazon.com, Inc.
              +NET 54.70.0.0/15 (AMAZON-2011L)
              +ABU abuse@amazonaws.com
              +GEO Portland, Oregon (US)
<snip>

# asn netflix.com

------------------------------
| ASN lookup for netflix.com |
------------------------------

- Resolving "netflix.com"... 8 IP addresses found:

   52.18.96.227 +PTR ec2-52-18-96-227.eu-west-1.compute.amazonaws.com
                +ASN 16509 (AMAZON-02, US)
                +ORG Amazon.com, Inc.
                +NET 52.18.0.0/15 (AMAZON-DUB)
                +ABU abuse@amazonaws.com
                +GEO Dublin, Dublin (IE)

 

[Sean Rhodes]

Xentrk, I followed the numerous posts between you and Rappy back in 2017 and found those invaluable. I have the BBC iPlayer working fine on my AppleTV now, I have to re-run the script again each day before using, otherwise the ATV comes up with a blank screen, but once run it works fine. I have 3 main questions.
1. Is it better to use domain names to lessen the chance of IP changes vs using say an IPSET of all the BBC IP's?
2. Is the VPN Gui update available in FW 384.13 to try out option 2?
3. The VPN stays up the whole time, so why would I have to re-run the script again?

 

[Xentrk]

Xentrk, I followed the numerous posts between you and Rappy back in 2017 and found those invaluable. I have the BBC iPlayer working fine on my AppleTV now, I have to re-run the script again each day before using, otherwise the ATV comes up with a blank screen, but once run it works fine. I have 3 main questions.
1. Is it better to use domain names to lessen the chance of IP changes vs using say an IPSET of all the BBC IP's?
2. Is the VPN Gui update available in FW 384.13 to try out option 2?
3. The VPN stays up the whole time, so why would I have to re-run the script again?

I learned a lot since that conversation.

This is the latest iteration that works for BBC using the dnsmasq method.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net

If copy/paste the above in an SSH session, x3mRouting will create all of the necessary entries. Note that my rule is to route all BBC traffic to VPN Client 3. Adjust the VPN client as necessary.

See if this solves your issues first before trying other solutions. I tested on iPlayer app on iPad, Firefox on Win10 and FireTV. You shouldn't have to rerun the script.

The issue with the GUI is I have to keep it current with the firmware versions are they are released. Best to stay away from using the GUI if you don't intend to stay current with the firmware releases.

 

[Sean Rhodes]

I learned a lot since that conversation.

This is the latest iteration that works for BBC using the dnsmasq method.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net

If copy/paste the above in an SSH session, x3mRouting will create all of the necessary entries. Note that my rule is to route all BBC traffic to VPN Client 3. Adjust the VPN client as necessary.

See if this solves your issues first before trying other solutions. I tested on iPlayer app on iPad, Firefox on Win10 and FireTV. You shouldn't have to rerun the script.

The issue with the GUI is I have to keep it current with the firmware versions are they are released. Best to stay away from using the GUI if you don't intend to stay current with the firmware releases.

Thanks for all the help, I will try tonight and see how it goes