x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)

[Suresh]

You are right, I see only one entry in the ipset.

Suresh@AX86U:/jffs/scripts# ipset -L ZEE5
Name: ZEE5
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 416
References: 1
Number of entries: 1
Members:
23.41.169.15

I can live without amazon.com rule, should I delete both amazon and zee5 and re-add just zee5? hope it populates correctly in ipset list.

removed both amazon and Netflix since I really don't need them. re-added zee5, still same situation. somehow zee5 is still detecting my ip with both US and IN vpn on. I turned off, US vpn, it works but when I turn US back on, it doesn't. something isn't going well when both vpn's are on.

 

[Xentrk]

removed both amazon and Netflix since I really don't need them. re-added zee5, still same situation. somehow zee5 is still detecting my ip with both US and IN vpn on. I turned off, US vpn, it works but when I turn US back on, it doesn't. something isn't going well when both vpn's are on.

I'll do some analysis on the site and report back what I find. Please post what you current have for the dnsmasq method.

 

[Suresh]

I'll do some analysis on the site and report back what I find. Please post what you current have for the dnsmasq method.

I used your code dnsmasq=kaltura.com,minute.ly,qgr.ph,qgraph.io,quantumgraph.com,zee5.com

 

[Sean Rhodes]

BBC iPlayer Update

rhodess@RT-AX86U-DC18:/tmp/home/root# liststats
BBC_ASN - 8
BBC_WEB1 - 43
Skynet-Blacklist - 43528
Skynet-BlockedRanges - 1812
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 7990

Here are the latest routing rules I have set up to force BBC traffic to VPN client 4.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 AWS-EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_ASN asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_WEB1 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,co.uk,dotmetrics.net,net.uk

Hi Xentrk,

I installed option 3 and added the rules above and when I start the VPN, I can't even connect to the internet with the AppleTV, it looks like the VPN is blocking it. I get a blank screen and eventually it just times out. I tried uninstalling option 3 and going back to option 2 but no luck. I also completely removed x3mRouting and re-installed to see if that fixed the issue, and tried alternate servers but no luck. Below is my new router setup using NordVPN:
1. X3mRouting options 3 and 4 installed
2. OVPN3 setup for AppleTV 10.0.1.60 for BBC access
3. OVPN3 Gui settings: Accept DNS Strict, Policy rules strict, source IP 10.0.1.60
4. asnum & dnsmasq added:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_ASN asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB1 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,co.uk,dotmetrics.net,net.uk

5. Went to iPlayer in browser and went through all menus to populate dns log with BBC IP's
Here's my liststats:

rhodess@RT-AX86U-DC18:/tmp/home/root# liststats
BBC_ASN - 8
BBC_WEB1 - 43
Skynet-Blacklist - 43528
Skynet-BlockedRanges - 1812
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 7990

and my IP rule:

rhodess@RT-AX86U-DC18:/tmp/home/root# ip rule
0:      from all lookup local
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

and my routing tables:

rhodess@RT-AX86U-DC18:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 5012 packets, 1199K bytes)
num   pkts bytes target     prot opt in     out     source               destination       
1    15292 5112K BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0         
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_ASN dst MARK or 0x4000
3        3   192 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB1 dst MARK or 0x4000

From what I see it all looks good, ovpn3 is routed to the VPN and so are the BBC rules.
When I disable the VPN it all works.

I tried setting to exclusive both with and without the custom config setting dhcp-option DNS x.x.x.x for the NordVPN dns addresses, but still no luck.

Do you have any ideas?

Update: To rule out the VPN itself, I used the same configuration on OVPN1, but without the x3mRouting ipset routing rules and I have no issues connecting to the web, my geolocation is detected though

 

[Xentrk]

I used your code dnsmasq=kaltura.com,minute.ly,qgr.ph,qgraph.io,quantumgraph.com,zee5.com

Okay. I thought you commented that added a few more domains. Last night, I did start writing a query that will give me a report of the domains the website uses. I am unable to create an account on the site as it needs to send an OTP code to my phone and my country is not supported. That will restrict my ability to examine all of the domains the site uses. I report back later with my findings.

 

[Xentrk]

Hi Xentrk,

I installed option 3 and added the rules above and when I start the VPN, I can't even connect to the internet with the AppleTV, it looks like the VPN is blocking it. I get a blank screen and eventually it just times out. I tried uninstalling option 3 and going back to option 2 but no luck. I also completely removed x3mRouting and re-installed to see if that fixed the issue, and tried alternate servers but no luck. Below is my new router setup using NordVPN:
1. X3mRouting options 3 and 4 installed
2. OVPN3 setup for AppleTV 10.0.1.60 for BBC access
3. OVPN3 Gui settings: Accept DNS Strict, Policy rules strict, source IP 10.0.1.60
4. asnum & dnsmasq added:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_ASN asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB1 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,co.uk,dotmetrics.net,net.uk

5. Went to iPlayer in browser and went through all menus to populate dns log with BBC IP's
Here's my liststats:

rhodess@RT-AX86U-DC18:/tmp/home/root# liststats
BBC_ASN - 8
BBC_WEB1 - 43
Skynet-Blacklist - 43528
Skynet-BlockedRanges - 1812
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 7990

and my IP rule:

rhodess@RT-AX86U-DC18:/tmp/home/root# ip rule
0:      from all lookup local
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

and my routing tables:

rhodess@RT-AX86U-DC18:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 5012 packets, 1199K bytes)
num   pkts bytes target     prot opt in     out     source               destination     
1    15292 5112K BWDPI_FILTER  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0       
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_ASN dst MARK or 0x4000
3        3   192 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB1 dst MARK or 0x4000

From what I see it all looks good, ovpn3 is routed to the VPN and so are the BBC rules.
When I disable the VPN it all works.

I tried setting to exclusive both with and without the custom config setting dhcp-option DNS x.x.x.x for the NordVPN dns addresses, but still no luck.

Do you have any ideas?

Update: To rule out the VPN itself, I used the same configuration on OVPN1, but without the x3mRouting ipset routing rules and I have no issues connecting to the web, my geolocation is detected though

ExpressVPN and NordVPN users seem to always have the most issues due to their DNS requirement.

As a test, configure the VPN client for BBC and route all traffic to the tunnel or just the Apple TV device and your laptop/computer. Try first with the Accept DNS Configuration=Strict combined with the "dhcp-option DNS xx.xx.xx.xx" in the custom config section using the NordVPN. Perform an ipleak.net or dnsleak.com test to make sure you are using NordDNS.

Try adding the AWS region EU to the mix. This is what I am currently using. Works in iOS iPlayer app, web browser and FireTV iPlayer app:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 AWS_EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_ASN asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_WEB1 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,co.uk,dotmetrics.net,net.uk

The other thing I did was to force my FireTV to use the UK tunnel. I then watched iPlayer via the course of several days, selecting all of the options, etc. This allowed the ipset list to populate with more IPv4 addresses. I have to check, but I think my list is over 100 entries for the dnsmasq method.

 

[Sean Rhodes]

ExpressVPN and NordVPN users seem to always have the most issues due to their DNS requirement.

As a test, configure the VPN client for BBC and route all traffic to the tunnel or just the Apple TV device and your laptop/computer. Try first with the Accept DNS Configuration=Strict combined with the "dhcp-option DNS xx.xx.xx.xx" in the custom config section using the NordVPN. Perform an ipleak.net or dnsleak.com test to make sure you are using NordDNS.

Try adding the AWS region EU to the mix. This is what I am currently using. Works in iOS iPlayer app, web browser and FireTV iPlayer app:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 AWS_EU aws_region=EU
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_ASN asnum=AS2818,AS31459
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 BBC_WEB1 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,co.uk,dotmetrics.net,net.uk

The other thing I did was to force my FireTV to use the UK tunnel. I then watched iPlayer via the course of several days, selecting all of the options, etc. This allowed the ipset list to populate with more IPv4 addresses. I have to check, but I think my list is over 100 entries for the dnsmasq method.

Setting DNS Configuration=Strict combined with the "dhcp-option DNS xx.xx.xx.xx" causes my DNS to leak. If I set my DNS based filtering in the GUI to custom, and add the NordVPN dns, or if I create filter rules for my AppleTV and laptop using the NordVPN dns, then I can't even connect to the web. It seems like the dns isn't even working. But then if I disable the VPN completely and set the dns based filtering from router to the NordVPN dns, I can connect to the web and I also don't have a dns leak. I'm totally confused, it seems like there's some interaction occurring when the VPN is active and it's messing up the dns

 

[Xentrk]

Setting DNS Configuration=Strict combined with the "dhcp-option DNS xx.xx.xx.xx" causes my DNS to leak. If I set my DNS based filtering in the GUI to custom, and add the NordVPN dns, or if I create filter rules for my AppleTV and laptop using the NordVPN dns, then I can't even connect to the web. It seems like the dns isn't even working. But then if I disable the VPN completely and set the dns based filtering from router to the NordVPN dns, I can connect to the web and I also don't have a dns leak. I'm totally confused, it seems like there's some interaction occurring when the VPN is active and it's messing up the dns

I just came back to recommed using the DNS Filter option and specify NordVPN as Custom 1 and 2 if applicable. But it looks like you tried it? Make sure Accpet DNS Configuration is not set to Exclusive. dnsmasq is bypassed with the Accept DNS Configuration = Exclusive when using Policy Rules.

 

[Xentrk]

@Suresh

I tested on Google Chrome. I first had my device set to use IN VPN tunnel and ran getdomainnames.sh. I also did some analysis of the domains used on the website. I also used the follow the log file function in Diversion.

This is working for all of the free content:

1. Use dnsmasq method

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 ZEE5 dnsmasq=go-mpulse.net,juspay.in,kaltura.com,licensekeyserver.com,minute.ly,zee5.com

2. Manually add zee5-public-sharing.s3.ap-south-1.amazonaws.com
Manually add the IPv4 addresses returned from the command below to the ipset list:

nslookup zee5-public-sharing.s3.ap-south-1.amazonaws.com

ipset add ZEE5 xx.xx.xx.xx

3. Did not included these as they are blocked by Diversion:

--------------------------------------------------------
users.quantumgraph.com
28bbf0a3decf6d1165032bfd835d6e1844c5d44d.cws.conviva.com

Analysis Results

Spoiler: zee5.com

28bbf0a3decf6d1165032bfd835d6e1844c5d44d.cws.conviva.com
adsmedia.zee5.com
akamaividz.zee5.com
akamaividz2.zee5.com
analytics.kaltura.com
api.quantumgraph.com
api.zee5.com
apv-launcher.minute.ly
b2bapi.zee5.com
catalogapi.zee5.com
cdn-in.pagesense.io
cdn.jsdelivr.net
cdn.qgraph.io
cdn.tercept.com
cdn.zeplin.io
cdnapisec.kaltura.com
counter.snackly.co
country-prd.zee5.com
css.zohocdn.com
css.zohostatic.in
d1vcf5sd85ybdz.cloudfront.net
desk.zoho.com
desk.zoho.in
download.zohopublic.in
gwapi.zee5.com
helpcenter.zee5.com
js.zohocdn.com
js.zohostatic.com
js.zohostatic.in
mediacloudfront.zee5.com
payments.juspay.in
playerscript.zee5.com
r.zee5.com
s.w.org
s3images.zee5.com
salesiq.zoho.in
salesiq.zohopublic.in
snippet.minute.ly
spapi.zee5.com
ss.makestories.io
subscriptionapi.zee5.com
useraction.zee5.com
userapi.zee5.com
users.quantumgraph.com
vid.zee5.com
vts.zohopublic.in
whapi-prod-node.zee5.com
whapi.zee5.com
wv-keyos-aps1.licensekeyserver.com
www.zee5.com
z5ams.akamaized.net
z5vodnews.akamaized.net
zee5-public-sharing.s3.ap-south-1.amazonaws.com
zee5.com
zee5livemedia.zee5.com
zee5vod.akamaized.net

You may have to perform additional analysis for the premium content since I could not access due to subscription requirement or try adding some of the top level domain names from the spoiler.

 

[Suresh]

@Suresh

I tested on Google Chrome. I first had my device set to use IN VPN tunnel and ran getdomainnames.sh. I also did some analysis of the domains used on the website. I also used the follow the log file function in Diversion.

This is working for all of the free content:

1. Use dnsmasq method

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 4 ZEE5 dnsmasq=go-mpulse.net,juspay.in,kaltura.com,licensekeyserver.com,minute.ly,zee5.com

2. Manually add zee5-public-sharing.s3.ap-south-1.amazonaws.com
Manually add the IPv4 addresses returned from the command below to the ipset list:

nslookup zee5-public-sharing.s3.ap-south-1.amazonaws.com

ipset add ZEE5 xx.xx.xx.xx

3. Did not included these as they are blocked by Diversion:

--------------------------------------------------------
users.quantumgraph.com
28bbf0a3decf6d1165032bfd835d6e1844c5d44d.cws.conviva.com

Analysis Results

Spoiler: zee5.com

28bbf0a3decf6d1165032bfd835d6e1844c5d44d.cws.conviva.com
adsmedia.zee5.com
akamaividz.zee5.com
akamaividz2.zee5.com
analytics.kaltura.com
api.quantumgraph.com
api.zee5.com
apv-launcher.minute.ly
b2bapi.zee5.com
catalogapi.zee5.com
cdn-in.pagesense.io
cdn.jsdelivr.net
cdn.qgraph.io
cdn.tercept.com
cdn.zeplin.io
cdnapisec.kaltura.com
counter.snackly.co
country-prd.zee5.com
css.zohocdn.com
css.zohostatic.in
d1vcf5sd85ybdz.cloudfront.net
desk.zoho.com
desk.zoho.in
download.zohopublic.in
gwapi.zee5.com
helpcenter.zee5.com
js.zohocdn.com
js.zohostatic.com
js.zohostatic.in
mediacloudfront.zee5.com
payments.juspay.in
playerscript.zee5.com
r.zee5.com
s.w.org
s3images.zee5.com
salesiq.zoho.in
salesiq.zohopublic.in
snippet.minute.ly
spapi.zee5.com
ss.makestories.io
subscriptionapi.zee5.com
useraction.zee5.com
userapi.zee5.com
users.quantumgraph.com
vid.zee5.com
vts.zohopublic.in
whapi-prod-node.zee5.com
whapi.zee5.com
wv-keyos-aps1.licensekeyserver.com
www.zee5.com
z5ams.akamaized.net
z5vodnews.akamaized.net
zee5-public-sharing.s3.ap-south-1.amazonaws.com
zee5.com
zee5livemedia.zee5.com
zee5vod.akamaized.net

You may have to perform additional analysis for the premium content since I could not access due to subscription requirement or try adding some of the top level domain names from the spoiler.

I can't even get to home page, gets blocked because is geo ip. It works when I don't have my VPN Client 1(US) running but when I have VPN Client1(US) on VPN Client 5(IN) doesn't seem to route traffic through its tunnel.

Accept DNS Configuration is "Disabled" for both VPN clients.

For VPN Client1 (US), these are my settings:

For VPN Client5(IN), I do not have any specific settings at client level.

nat-start

ip rule, liststats & other

 

[Xentrk]

I can't even get to home page, gets blocked because is geo ip. It works when I don't have my VPN Client 1(US) running but when I have VPN Client1(US) on VPN Client 5(IN) doesn't seem to route traffic through its tunnel.

Accept DNS Configuration is "Disabled" for both VPN clients.

For VPN Client1 (US), these are my settings:

View attachment 33434
For VPN Client5(IN), I do not have any specific settings at client level.
View attachment 33435
nat-start
View attachment 33436
ip rule, liststats & other
View attachment 33439

You also need to have Policy Rules (Strict) enabled on the IN tunnel.

 

[Sean Rhodes]

I just came back to recommed using the DNS Filter option and specify NordVPN as Custom 1 and 2 if applicable. But it looks like you tried it? Make sure Accpet DNS Configuration is not set to Exclusive. dnsmasq is bypassed with the Accept DNS Configuration = Exclusive when using Policy Rules.

Thanks Xentrk, I think I need to start from scratch and go step by step since it looks like even with forcing the NordVPN dns servers I still have a dns leak

 

[Suresh]

You also need to have Policy Rules (Strict) enabled on the IN tunnel.

That was it, I knew I was missing something. Thank you so much for your help, great contribution to this forum.

 

[Xentrk]

That was it, I knew I was missing something. Thank you so much for your help, great contribution to this forum.

Great News @Suresh! You're welcome. Very sad news coming out of IN right now. I had to access some of the news channels during testing. Even though I could not understand the words, the pictures said it all. Stay safe.

 

[Suresh]

Great News @Suresh! You're welcome. Very sad news coming out of IN right now. I had to access some of the news channels during testing. Even though I could not understand the words, the pictures said it all. Stay safe.

I am based out of US but have immediate family in IN. very bad situation.

 

[Sean Rhodes]

I just came back to recommed using the DNS Filter option and specify NordVPN as Custom 1 and 2 if applicable. But it looks like you tried it? Make sure Accpet DNS Configuration is not set to Exclusive. dnsmasq is bypassed with the Accept DNS Configuration = Exclusive when using Policy Rules.

I'm wondering if something is broken. It seems like I'm stuck between a rock and a hard place at the moment. I have my WAN DNS setting set to the NordVPN DNS servers and with my VPN set to strict, I get a DNS leak, but if I set my VPN to exclusive, then there is no DNS leak, but then my DNS masq is bypassed which defeats the whole purpose. The reason I'm wondering if it's something in the router is because as I understand it, strict routes all devices through the tunnel provided force internet through tunnel is set to yes, but even with that setup and no DNS leak, BBC still detects I'm outside the UK.

Update: got it working more or less. It looks like the BBC are detecting UDP 1194, when I switched to TCP 443, links that were detected previously started working, still not 100%, but definately better

 

[Sean Rhodes]

I'm wondering if something is broken. It seems like I'm stuck between a rock and a hard place at the moment. I have my WAN DNS setting set to the NordVPN DNS servers and with my VPN set to strict, I get a DNS leak, but if I set my VPN to exclusive, then there is no DNS leak, but then my DNS masq is bypassed which defeats the whole purpose. The reason I'm wondering if it's something in the router is because as I understand it, strict routes all devices through the tunnel provided force internet through tunnel is set to yes, but even with that setup and no DNS leak, BBC still detects I'm outside the UK.

Update: got it working more or less. It looks like the BBC are detecting UDP 1194, when I switched to TCP 443, links that were detected previously started working, still not 100%, but definately better

Not sure why the DNS leak would matter for zee5.com. They don't appear to block known VPN servers like other streaming services. Unless they do for the premium content, which I was unable to test with. My DNS was located in another country but my VPN end point for zee5.com was Bangladesh. My laptop was assigned to the Los Angeles tunnel. I was able to get it working on RT-AC86U and RT-AC88U.

You may have to do some more analysis on any features or VDOs that are not working. You can watch the dnsmasq.log file while trying to access the VDO and see what sites it is try to access. You may need to add additional domains.

Lol, I think you got the threads mixed up here Xentrk, your reply was for the thread from Suresh

 

[Xentrk]

Lol, I think you got the threads mixed up here Xentrk, your reply was for the thread from Suresh

Yes, sorry about that. I'll edit.

 

[Suresh]

@Xentrk it seems prime video no longer works with Amazon global dnsmasq method. Is there a new code we can try within US?

x3mRouting.sh 1 0 AMAZON aws_region=GLOBAL

 

[mister]

Dear guys,
I have a problem and maybe you are able to solve that:

I have an RT AC 86U and an Devolo 1750i as Wifi Access Point. I have just updated the AP to the newest OPENWRT Version, because the manufacturer Firmware was not supported anymore by the manufacturer. Beside the fact, that I was not able to configure the AP with VLANs (I didn´t got an internet connection), I try to install a guest network separated from my local LAN.
I am using Yazfi at my RT86U as Guest network and forced the traffic via OVPNC5 which is working.
Now it should expand to the AP - maybe not the "same" guestwork, with the same IP configuration. So it can be differently to the routers guest wifi

I found that how to in the web

[OpenWrt Wiki] Guest Wi-Fi on a dumb wireless AP using LuCI

openwrt.org

I had a lot of problems of establishing - normally the new wifi has to IP or internet access .
At one evening I got the wifi running, but I was not able to force the traffic via OVPNC. It was routed according the same policies as my normal LAN traffic, although I made manually a route in the VPN5 client section 192.168.21.0/24 --> VPN5

After rebooting the AP I was not able to access to the AP anymore - (I think I have made some mistake by selecting masquerading for the LAN section, or something else, because I don´´t know exactly what I had done to get the guest WIFI running), so I had to reset the AP .

Before I try to reinstall the guest network again, I want to ask if there is a possibility to force the traffic, generated from the AP via a guest network according to the link, via VPN5 ?

Do you have any ideas, how to configure the AP in the right way ?

Thanks a lot for your support

Hugo