x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware (1-Nov-2020)


The AppleTV plays fine, but on the iPad I get "this content can only be played in the UK" error.

Code:
rhodess@RT-AC3200-4200:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
10502:  from 10.0.1.20 lookup ovpnc3
10503:  from 10.0.1.50 lookup ovpnc3
10504:  from 10.0.1.60 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

It looks like the iPad IP is not being passed through. How do I add the rule for that? I thought it would get passed when I re-ran script 3.


Code:
rhodess@RT-AC3200-4200:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
10502:  from 10.0.1.90 lookup ovpnc3
10503:  from 10.0.1.20 lookup ovpnc3
10504:  from 10.0.1.50 lookup ovpnc3
10505:  from 10.0.1.60 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default

When I go to the VPN Client GUI, add the IP address and restart the tunnel, it gets picked up and works. I thought that for x3mRouting options 1 and 3 I did not have to add an IP address and it took them from x3mRouting_client_rules? Can you tell me what I'm misunderstanding? Also, why is 10.1.0.60 showing twice in the rules?
Code:
rhodess@RT-AC3200-4200:/tmp/home/root# cat /jffs/scripts/x3mRouting/x3mRouting_client_rules
#########################################################
# Assign the interface for each LAN client by entering  #
# the appropriate interface number in the first column  #
# 0 = WAN                                               #
# 1 = OVPNC1                                            #
# 2 = OVPNC2                                            #
# 3 = OVPNC3                                            #
# 4 = OVPNC4                                            #
# 5 = OVPNC5                                            #
#########################################################
3 10.0.1.20 40TCLRokuTV
3 10.0.1.50 AppleTV-2
3 10.0.1.60 AppleTV
3 10.0.1.90 iPad_sean

I re-ran the x3mRouting_client_nvram.sh script, which made another duplicate entry, so I removed two of the rules:
Code:
ip rule del prio 10504
ip rule del prio 10505
It seems to be working fine:
Code:
rhodess@RT-AC3200-4200:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
10502:  from 10.0.1.90 lookup ovpnc3
10503:  from 10.0.1.50 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default
But I think these are from the GUI, not the client_rules file.

I read through some of the older posts and I think I have both 1 and 3 running, so I think I will uninstall and reinstall again:
Code:
rhodess@RT-AC3200-4200:/tmp/home/root# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/root                31872     31872         0 100% /
devtmpfs                127576         0    127576   0% /dev
tmpfs                   127716      1848    125868   1% /tmp
/dev/mtdblock4           65536      5548     59988   8% /jffs
/dev/mtdblock4           65536      5548     59988   8% /www/Main_LogStatus_Content.asp
/dev/sda1              7687396   2412368   4884524  33% /tmp/mnt/usb_sr
tmpfs                   127716      1848    125868   1% /www/index_style.css
tmpfs                   127716      1848    125868   1% /www/require/modules/menuTree.js
/dev/mtdblock4           65536      5548     59988   8% /usr/sbin/vpnrouting.sh
/dev/mtdblock4           65536      5548     59988   8% /usr/sbin/updown-client.sh

I apologize for the long-winded post; I thought more info than less would be better.
 
The iPlayer app may be querying other domains that I did not pick up when I surfed using Windows and Fire TV. Unfortunately, the iPlayer app is out of date on my iPad and it will take some effort to side load it again.

You'll need to perform additional analysis of the domains the iPlayer app uses. Set all of your traffic to use the VPN:

Force Internet traffic through tunnel=Yes

Then, access the iPlayer app and see if it works. If you still have issues, see if location services is turned on. If it is, turn it off and test again. If it's working, you can surf around the menu options to generate traffic. Then, run the autoscan.sh script and search for bbc. See if you pick up additional domains. Turn policy routing back on. Then, remove the prior BBC ipset list and create the new one, adding the new domains to the list. If you still have issues, turn off policy rules and set it back to route all traffic to the VPN connected to the UK. Then, run the getdomainnames.sh script and give it the IP address of your iPad. Surf around the app and select as many options as you can. When done, press ctrl-c to view the list of domains the iPad queried while you surfed the app.

If you are still having issues, you can try adding the ASN method:

x3mRouting ALL 3 BBC_ASN asn=AS2818,AS31459

Interesting... Looks like a Content Delivery Network is in play (Fastly).
Code:
asn bbc.co.uk

----------------------------
| ASN lookup for bbc.co.uk |
----------------------------

- Resolving "bbc.co.uk"... 8 IP addresses found:

     151.101.64.81 +PTR -
                   +ASN 54113 (FASTLY, US)
                   +ORG Fastly
                   +NET 151.101.64.0/22 (SKYCA-3)
                   +ABU abuse@fastly.com
                   +GEO San Francisco, California (US)

    151.101.128.81 +PTR -
                   +ASN 54113 (FASTLY, US)
                   +ORG Fastly
                   +NET 151.101.128.0/22 (SKYCA-3)
                   +ABU abuse@fastly.com
                   +GEO San Francisco, California (US)
<snip>
I have another list of IPv4 addresses I generated from all of the domains I mined a few years back. If you still have issues, I can upload the list for you to try.

If you use the LAN client routing feature, it first processes clients in the GUI, followed by clients listed in the nvram file located in /jffs/addons/x3mRouting/ovpnc3.nvram, which was created per the x3mRouting_client_rules file for VPN Client 3. It does not check for duplicate entries. Check the OpenVPN Client screen for the 10.0.1.60 entry.
 
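To make the duplicate check described above reproducible, here is an added example (not part of x3mRouting) that parses the `ip rule` listing and the x3mRouting_client_rules format shown in this thread, reports which clients from the rules file still lack a policy rule, and generates the `ip rule del prio` commands that drop only the duplicate copies. Both sample inputs are constructed from the listings posted above.

```python
"""Cross-check `ip rule` output against an x3mRouting_client_rules file.

Added example, not part of x3mRouting. The GUI client list and the nvram file
are both applied without a duplicate check, so the same `from <ip> lookup <table>`
rule can appear twice; this script finds those copies and the clients that have
no rule at all.
"""
import re
from collections import defaultdict

# Constructed sample: the `ip rule` listing from the thread (10.0.1.60 appears twice,
# 10.0.1.90 is absent).
IP_RULE_OUTPUT = """\
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
10501:  from 10.0.1.60 lookup ovpnc3
10502:  from 10.0.1.20 lookup ovpnc3
10503:  from 10.0.1.50 lookup ovpnc3
10504:  from 10.0.1.60 lookup ovpnc3
32766:  from all lookup main
32767:  from all lookup default
"""

# Constructed sample: x3mRouting_client_rules (interface number, IP, description).
CLIENT_RULES = """\
# 3 = OVPNC3
3 10.0.1.20 40TCLRokuTV
3 10.0.1.50 AppleTV-2
3 10.0.1.60 AppleTV
3 10.0.1.90 iPad_sean
"""

RULE_RE = re.compile(r"^(\d+):\s+from\s+(\S+)\s+(?:fwmark\s+(\S+)\s+)?lookup\s+(\S+)")


def parse_ip_rules(text):
    """Return a list of (prio, src, fwmark, table) tuples; fwmark is None when absent."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, src, fwmark, table = m.groups()
            rules.append((int(prio), src, fwmark, table))
    return rules


def parse_client_rules(text):
    """Return {ip: routing table} for non-comment lines; interface 0 is the WAN (main)."""
    clients = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iface, ip = line.split()[:2]
        clients[ip] = "main" if iface == "0" else f"ovpnc{iface}"
    return clients


def missing_client_rules(rules, clients):
    """Clients from the rules file with no matching `from <ip> lookup <table>` rule."""
    present = {(src, table) for _, src, _, table in rules}
    return sorted(ip for ip, table in clients.items() if (ip, table) not in present)


def duplicate_rule_prios(rules):
    """Priorities of every copy after the first of an identical (src, fwmark, table) rule."""
    seen = defaultdict(list)
    for prio, src, fwmark, table in rules:
        seen[(src, fwmark, table)].append(prio)
    return sorted(p for prios in seen.values() for p in sorted(prios)[1:])


def cleanup_commands(rules):
    """Commands that remove only the duplicate copies (what the thread did by hand)."""
    return [f"ip rule del prio {p}" for p in duplicate_rule_prios(rules)]


if __name__ == "__main__":
    rules = parse_ip_rules(IP_RULE_OUTPUT)
    clients = parse_client_rules(CLIENT_RULES)
    print("clients without a rule:", missing_client_rules(rules, clients))
    for cmd in cleanup_commands(rules):
        print(cmd)
```

On the router, feed it the live listing (`ip rule` output and the rules file) rather than the constructed samples; the `from all` rules at 9990 and 32766 both use table main but differ in fwmark, so they are correctly not reported as duplicates.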
@Sean Rhodes

I was able to remember the email I used for my UK app store account so I could update the iPlayer app. I picked up one additional domain and found I fat fingered llnwi.net in my original post.

This is working for me:

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB3 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,fastly.net,gscontxt.net,llnwi.net,net.uk
 
Just discovered an issue where somehow Binance.com is getting my real IP instead of the VPN IP. I think this must be related to my x3mRouting setup because, checking the login history, all logins I have done to Binance since using x3mRouting have revealed my real IP.

Below are the commands I used when setting it up (I am no Linux expert but I can type the commands in OK ;P). The only thing I can think of is that somehow it has picked up binance.com in one of these and so Binance is bypassing the VPN along with BBC etc.? Whenever I run leak tests the tests show only my VPN IP and my VPN DNS, so things do seem to be going over the VPN. If I had to guess, perhaps Binance is using an Amazon ASN and so has ended up bypassing it with the router thinking it's an Amazon site? This also has me slightly worried about what other sites could end up unintentionally bypassing the VPN with the current rules I have set.

x3mRouting 1 0 BBC asnum=AS2818,AS31459
x3mRouting 1 0 NETFLIX asnum=AS2906
x3mRouting 1 0 AMAZON_EU aws_region=EU
x3mRouting 1 0 LOTTERY asnum=AS2856
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net

My liststats output is:
AMAZON_EU - 518
AMAZON_GLOBAL - 108
AMAZON_US - 961
BBC - 5
BBC_WEB - 3
LOTTERY - 207
NETFLIX - 151
 
Just discovered an issue where somehow Binance.com is getting my real IP instead of the VPN IP. I think this must be related to my x3mRouting setup because, checking the login history, all logins I have done to Binance since using x3mRouting have revealed my real IP.

Below are the commands I used when setting it up (I am no Linux expert but I can type the commands in OK ;P). The only thing I can think of is that somehow it has picked up binance.com in one of these and so Binance is bypassing the VPN along with BBC etc.? Whenever I run leak tests the tests show only my VPN IP and my VPN DNS, so things do seem to be going over the VPN. If I had to guess, perhaps Binance is using an Amazon ASN and so has ended up bypassing it with the router thinking it's an Amazon site? This also has me slightly worried about what other sites could end up unintentionally bypassing the VPN with the current rules I have set.

x3mRouting 1 0 BBC asnum=AS2818,AS31459
x3mRouting 1 0 NETFLIX asnum=AS2906
x3mRouting 1 0 AMAZON_EU aws_region=EU
x3mRouting 1 0 LOTTERY asnum=AS2856
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net

binance.com is getting routed to WAN as it belongs to AS2906:

ASN Lookup Tool
Code:
 asn binance.com

------------------------------
| ASN lookup for binance.com |
------------------------------

- Resolving "binance.com"... 4 IP addresses found:

   54.65.90.24 +PTR ec2-54-65-90-24.ap-northeast-1.compute.amazonaws.com
               +ASN 16509 (AMAZON-02, US)
               +ORG Amazon.com, Inc.
               +NET 54.64.0.0/15 (AMAZON-2011L)
               +ABU abuse@amazonaws.com
               +GEO Tokyo, Tokyo (JP

You could edit nat-start and add an entry on the first line for binance.com using the dnsmasq method, e.g. dnsmasq=binance.com. Then, run nat-start, e.g. sh nat-start. The iptables rule for binance will be before the AS2906 rule. However...

Suggested solution
It may be best to not use AS2906 for Netflix. Use the dnsmasq instead as AS2906 is used by many streaming services like Amazon, Disney+ and Netflix.

Delete the current entry first.
Code:
x3mRouting ipset_name=NETFLIX del

Add new entry.
Code:
x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Updated BBC (21 Nov 2020)
Delete the current entry first.
Code:
x3mRouting ipset_name=BBC_WEB del

Add new entry.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,fastly.net,gscontxt.net,llnwi.net,net.uk
 
I tried removing netflix and adding it back using the dnsmasq method above but now I find that Netflix is no longer working and binance is still bypassing the vpn. I am probably doing something wrong somewhere.

Liststats now shows this (I have removed amazon_us now as I don't think I need it):
Code:
AMAZON_EU - 518
AMAZON_GLOBAL - 108
BBC - 5
BBC_WEB - 0
LOTTERY - 208
NETFLIX - 0


I get this now. BBC_WEB, I am guessing, is usually being caught by rule 2 so hasn't been used yet (I have only just rebooted), but I have a similar issue with national-lottery.co.uk where I added the ASN (2856) but the site still refuses to work and the rule isn't being used after going to the site and trying to log in. Netflix seems to be allowing some things but I can't play anything on it since removing the ASN and adding the dnsmasq method instead.
Code:
Chain PREROUTING (policy ACCEPT 312 packets, 50518 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      257 35811 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_EU dst MARK or 0x8000
2        6   315 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK or 0x8000
3       56  3095 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL dst MARK or 0x8000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LOTTERY dst MARK or 0x8000
5       69  3907 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000

Overall BBC and amazon seem to be working ok still. I am rebooting the router after making changes, not sure if I need to do that or not.

*edit* It seems to be inconsistent in loading things. I haven't touched the BBC or Amazon rules at all since the above; BBC and Amazon are now not working after rebooting the router (so right now none of them are working) and I am getting this (and over time the Netflix number seems to be going up; it now shows 181 instead of 157):
Code:
AMAZON_EU - 518
AMAZON_GLOBAL - 108
BBC - 0
BBC_WEB - 0
LOTTERY - 0
NETFLIX - 157

Code:
Chain PREROUTING (policy ACCEPT 36643 packets, 23M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       88 12562 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_EU dst MARK or 0x8000
2        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK or 0x8000
3       69  3283 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON_GLOBAL dst MARK or 0x8000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set LOTTERY dst MARK or 0x8000
5       11   798 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK or 0x8000
6        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000
 
@Sean Rhodes

I was able to remember the email I used for my UK app store account so I could update the iPlayer app. I picked up one additional domain and found I fat fingered llnwi.net in my original post.

This is working for me:

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB3 dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,fastly.net,gscontxt.net,llnwi.net,net.uk
Thanks Xentrk, so far it seems to be working well.
 
I have removed all the rules on mine, uninstalled options 3 and 4, reinstalled options 3 and 4 and just re-added the BBC one using the dnsmasq method, but it's refusing to work. I noticed your line had ",co.uk" and ",net.uk" in it; should they have bbc in front of them?

I used this (I am using VPN client 1) but it's not working. I am not sure what I have broken.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 BBC_WEB dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,fastly.net,gscontxt.net,llnwi.net,net.uk

Code:
liststats
BBC_WEB - 0

Code:
Chain PREROUTING (policy ACCEPT 12622 packets, 5576K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000

I have now tried adding bbc again via option 3, still can't get it to work again. Something seems to have completely broken it.
 
I used the autoscan.sh and getdomainnames.sh to analyse the domains. autoscan is searching for any domain with the "bbc" reference and outputting the top level domain name. Here is a snip from autoscan.sh:

Code:
 sh autoscan.sh autoscan=bbc

2cnt.net
bbc.com
bbcverticals.com
cloudfunctions.net
co.uk
fastly.net
llnwi.net
net.uk

getdomainnames.sh is a little more noisy as it will pick up all traffic from the device specified. I used my laptop and shut down most apps I could. I didn't specify the riddle.com and akamai.net domains and it seems to work.
Code:
a1488.w16.akamai.net
b2rbsov.bidi.live.bbc.co.uk
bbc.map.fastly.net
bitesize.files.bbci.co.uk
boomr.iplayer.api.bbc.co.uk
cdn.riddle.com
childrens-binary.files.bbci.co.uk
childrens-web.files.bbci.co.uk
cookie-oven.api.bbc.co.uk
d1joia3f2630yx.cloudfront.net
e1534.dscb.akamaiedge.net
e3891.dscf.akamaiedge.net
europe-west1-bbc-otg-traf-mgr-bq-prod-4591.cloudfunctions.net
gn-web-assets.api.bbc.com
graph.ibl.api.bbc.co.uk
ibl-live-alb-ibl-edibl-196200881.eu-west-1.elb.amazonaws.com
ibl.api.bbc.co.uk
ibl.api.bbci.co.uk
ichef.bbci.co.uk
idcta.api.bbc.co.uk
iplayer-web.files.bbci.co.uk
live-boom-componen-jfwbkqnbc592-729160446.eu-west-1.elb.amazonaws.com
live-compo-oyhzo7uy78p6-2104956810.eu-west-1.elb.amazonaws.com
live-noti-componen-9nj5c6fwh1nl-1633728249.eu-west-1.elb.amazonaws.com
m.files.bbci.co.uk
ocsp.pki.goog
pki-goog.l.google.com
preferences.notifications.api.bbc.com
static-web-assets.gnl-common.bbcverticals.com
static.files.bbci.co.uk
telemetry.dropbox.com
time.akamai.com
vs-cmaf-push-uk.live.cf.md.bbci.co.uk
vs-dash-uk-live.akamaized.net
weather-broker-cdn.api.bbci.co.uk
weather.files.bbci.co.uk
www.bbc.com
www.riddle.com

I first removed the old entry using the command:
Code:
x3mRouting ipset_name=BBC_WEB del

I chose not to remove the save/restore file though.

New entry below. There was some redundancy in the first one I gave you. Note the IPSET name change. I'll revert back to the prior name once everything checks out okay. So far so good.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 3 BBC_WEB3 dnsmasq=2cnt.net,bbcverticals.com,cloudfunctions.net,co.uk,bbc.com,fastly.net,gscontxt.net,lllnwi.net,net.uk
See GitHub for more information on the x3mRouting Utility Scripts
Hi, isn't all traffic from ALL websites containing "co.uk" gonna be routed via the VPN in this case?
If that's the case then it may cause unwanted issues.
An example is banks: my bank is very picky about the IP location I log in from; if it detects a sudden geo change it blocks my online account and then I have to call them to unlock it.
Thanks.

background:
I live in a British crown dependency; everything is the same as the UK except Google, Netflix, Apple etc. refuse to give us the same content/apps etc. as the UK, so VPNs are a must.
 
I have removed all the rules on mine, uninstalled options 3 and 4, reinstalled options 3 and 4 and just re-added the BBC one using the dnsmasq method, but it's refusing to work. I noticed your line had ",co.uk" and ",net.uk" in it; should they have bbc in front of them?

I used this (I am using VPN client 1) but it's not working. I am not sure what I have broken.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 BBC_WEB dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,fastly.net,gscontxt.net,llnwi.net,net.uk

Code:
liststats
BBC_WEB - 0

Code:
Chain PREROUTING (policy ACCEPT 12622 packets, 5576K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000

I have now tried adding bbc again via option 3, still can't get it to work again. Something seems to have completely broken it.
Since the list is not being populated, I suspect that dnsmasq logging is not enabled. dnsmasq logging needs to be enabled for dnsmasq method to work. Click on the link to view. Or, install Diversion and it will do the dnsmasq logging setup for you.

I think I will update x3mRouting to check that dnsmasq logging is enabled if the dnsmasq method is specified. And prompt the user to enable if it's not.
 
Hi, isn't all traffic from ALL websites containing "co.uk" gonna be routed via the VPN in this case?
If that's the case then it may cause unwanted issues.
An example is banks: my bank is very picky about the IP location I log in from; if it detects a sudden geo change it blocks my online account and then I have to call them to unlock it.
Thanks.

background:
I live in a British crown dependency; everything is the same as the UK except Google, Netflix, Apple etc. refuse to give us the same content/apps etc. as the UK, so VPNs are a must.
Yes, you are correct. Any domain that ends with "co.uk" will get added to the ipset list. Was not sure if it's binance.com or binance.co.uk. Looks like I used binance.com in the prior example though.

If you need to get more granular, you need to drill down and determine the IPv4 addresses used by binance.co.uk. Using nslookup, we can see that binance.co.uk is assigned to an Amazon AWS server.

Code:
 asn binance.co.uk

--------------------------------
| ASN lookup for binance.co.uk |
--------------------------------

- Resolving "binance.co.uk"... 4 IP addresses found:

65.9.169.43 +PTR -
             +ASN 16509 (AMAZON-02, US)
             +ORG Amazon.com, Inc.
             +NET 65.9.168.0/22 (AMAZO-CF)
             +ABU abuse@amazonaws.com
             +GEO Seattle, Washington (US)

Code:
nslookup binance.co.uk
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      binance.co.uk
Address 1: 65.9.169.43
Address 2: 65.9.169.87
Address 3: 65.9.169.71
Address 4: 65.9.169.77

Create the ipset list for binance.com using the manual ip address method:
Code:
x3mRouting 1 0 BINANCE ip=65.9.169.43,65.9.169.87,65.9.169.71,65.9.169.77

If there are still issues, you may have to view the source code of the website and search for ".net" and ".com" references to see if other domains are being used. Or, follow the dnsmasq.log file while surfing the site or use the getdomainnames.sh script when surfing the site to help determine what domains are being queried.
 
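To check a dnsmasq= list against real queries before deploying it, here is an added example (not part of x3mRouting or dnsmasq) that reproduces the ipset=/domain/set matching rule behind the "any domain that ends with co.uk" behaviour discussed above: a name is caught when it equals a listed domain or is a subdomain of it, and when several listed domains match, the most specific one wins. The queried names are a constructed sample taken from the getdomainnames.sh and nslookup output in this thread plus an invented bank domain; the narrower BBC list is my own assumption, not something posted in the thread.

```python
"""Which ipset would dnsmasq populate for each queried name?

Added example, not part of x3mRouting or dnsmasq. It applies the ipset=/<domain>/<set>
matching rule to a dnsmasq= list so over-broad entries (like a bare "co.uk") can be
spotted before they route unrelated sites through the VPN.
"""


def parse_dnsmasq_arg(arg):
    """'dnsmasq=a,b,c' -> ['a', 'b', 'c'] (the x3mRouting argument syntax)."""
    if not arg.startswith("dnsmasq="):
        raise ValueError("expected a dnsmasq=... argument")
    return [d.strip().lower().strip(".") for d in arg[len("dnsmasq="):].split(",") if d.strip()]


def domain_matches(name, domain):
    """dnsmasq ipset= semantics: the name equals the domain or is a subdomain of it."""
    name, domain = name.lower().strip("."), domain.lower().strip(".")
    return name == domain or name.endswith("." + domain)


def classify(names, ipsets):
    """Map each queried name to (set_name, matched_domain) or None.

    ipsets: {set_name: [domain, ...]}. When more than one listed domain matches,
    the most specific (longest) one is taken, mirroring dnsmasq's longest-match rule.
    """
    result = {}
    for name in names:
        best = None
        for set_name, domains in ipsets.items():
            for domain in domains:
                if domain_matches(name, domain) and (best is None or len(domain) > len(best[1])):
                    best = (set_name, domain)
        result[name] = best
    return result


def overbroad_domains(names, ipsets, expected_markers):
    """Listed domains that captured a name carrying none of the expected markers (e.g. 'bbc')."""
    bad = set()
    for name, hit in classify(names, ipsets).items():
        if hit and not any(marker in name for marker in expected_markers):
            bad.add(hit[1])
    return sorted(bad)


# Constructed sample queries: names from the thread's getdomainnames.sh/nslookup output
# plus names that should never be routed via the UK VPN.
QUERIED = [
    "ibl.api.bbc.co.uk", "ichef.bbci.co.uk", "bbc.map.fastly.net",
    "static-web-assets.gnl-common.bbcverticals.com", "www.bbc.com",
    "binance.co.uk",                      # from the thread's nslookup
    "onlinebanking.example-bank.co.uk",   # constructed: a bank on a .co.uk domain
    "telemetry.dropbox.com",              # unrelated traffic
]

# The broad list posted in the thread.
BROAD = {"BBC_WEB": parse_dnsmasq_arg(
    "dnsmasq=2cnt.net,at-o.net,bbc.com,bbcverticals.com,cloudfunctions.net,co.uk,"
    "fastly.net,gscontxt.net,llnwi.net,net.uk")}
# Assumption: a narrower list limited to BBC-owned zones seen in the thread's domain list.
NARROW = {"BBC_WEB": ["bbc.co.uk", "bbci.co.uk", "bbc.com", "bbcverticals.com", "2cnt.net"]}

if __name__ == "__main__":
    for label, sets in (("broad", BROAD), ("narrow", NARROW)):
        print(label, "over-broad entries:", overbroad_domains(QUERIED, sets, ["bbc"]))
        for name, hit in classify(QUERIED, sets).items():
            print(f"  {name:48} -> {hit}")
```

Names served from a shared CDN (fastly.net, cloudfunctions.net) cannot be isolated by domain suffix, which is the trade-off behind the broad list: the narrow list keeps .co.uk banks on the WAN but also leaves bbc.map.fastly.net unmatched.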
Great tools, although I'm hesitant to deploy it as it requires the latest FW and I'm still on .17; since I read about a lot of issues with it I'm kinda scared to upgrade. I also have a question regarding the latest Netflix apps. On my Q95T Samsung TV and my Nvidia Shield, Netflix is somehow checking my location and throwing the "using proxy" message. Does this script fix it?
 
Great tools, although I'm hesitant to deploy it as it requires the latest FW and I'm still on .17; since I read about a lot of issues with it I'm kinda scared to upgrade. I also have a question regarding the latest Netflix apps. On my Q95T Samsung TV and my Nvidia Shield, Netflix is somehow checking my location and throwing the "using proxy" message. Does this script fix it?
I saved the prior version that will work with .17 in a branch. See the repo here.

Installation
Code:
sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/Install_x3mRouting.sh)"

The proxy error is because you are using a known public VPN server. x3mRouting has a VPN bypass feature to route NF to the WAN interface.

Route all VPN Client 1 traffic matching IPSET list NETFLIX to the WAN
Code:
x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
 
I saved the prior version that will work with .17 in a branch. See the repo here.

Installation
Code:
sh -c "$(curl -sL https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/Install_x3mRouting.sh)"

The proxy error is because you are using a known public VPN server. x3mRouting has a VPN bypass feature to route NF to the WAN interface.

Route all VPN Client 1 traffic matching IPSET list NETFLIX to the WAN
Code:
x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

I don't think so; my other devices work just fine using the same VPN. Only these 2 devices are throwing that error.
 
Since the list is not being populated, I suspect that dnsmasq logging is not enabled. dnsmasq logging needs to be enabled for dnsmasq method to work. Click on the link to view. Or, install Diversion and it will do the dnsmasq logging setup for you.

I think I will update x3mRouting to check that dnsmasq logging is enabled if the dnsmasq method is specified. And prompt the user to enable if it's not.

I don't think it's that. I noticed that for hours it wasn't working after making any changes; I went to bed, woke up this morning, and without changing a single thing I now get this, and BBC is once again working, when last night it wouldn't work at all on any device and liststats showed zero for the ASN rule and the dnsmasq rule.

Code:
liststats
BBC - 5
BBC_WEB - 2
Code:
Chain PREROUTING (policy ACCEPT 3911K packets, 4460M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      312 24932 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000
2       36  2061 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK or 0x8000

So for some reason any changes I make do not seem to take effect until the next day. This is despite several router reboots while trying to get it to work, device reboots, router vpn reconnections, tests on multiple different devices. Nothing seems to get the rules to take effect until I leave it overnight and it magically starts working the next day. I noticed this when I first installed it as well when I thought nothing was working and the next day it was somehow working without having touched a thing. Any ideas why it would take so long to start working?
 
I don't think so; my other devices work just fine using the same VPN. Only these 2 devices are throwing that error.
What is your VPN provider? Express and Nord require that you use their DNS service. Android devices will default to 8.8.8.8. The fix is to use the DNSFilter option to force all LAN clients to use the DNS specified on the router.

Another issue could be the location setting is enabled. Please see the brief write-up here on the topic:
 
Probably, so many streaming services are using AWS these days. So, using Amazon AWS or ASN method may cast too wide of a net.

In /jffs/scripts/nat-start file, try moving Disney to the top of the file before the Netflix VPN Bypass. Use the dnsmasq method for Disney and Netflix to avoid conflicts.

Disney
dnsmasq=demdex.net,disney-plus.net,disneyplus.co,disneyplus.com,dssott.com,go.com


Netflix
dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

If you still have issues, you may have to get a Private VPN IP address and send all AWS traffic to it. That is what I do for the services that block known VPN servers.

Somehow this, with the Accept DNS Setting set as Strict, is not working after I restarted my router due to a power failure in my house. I need to set the Accept DNS Setting as Exclusive again for my Disney+ to work. Confusing.
 
I don't think it's that. I noticed that for hours it wasn't working after making any changes; I went to bed, woke up this morning, and without changing a single thing I now get this, and BBC is once again working, when last night it wouldn't work at all on any device and liststats showed zero for the ASN rule and the dnsmasq rule.

Code:
liststats
BBC - 5
BBC_WEB - 2
Code:
Chain PREROUTING (policy ACCEPT 3911K packets, 4460M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      312 24932 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000
2       36  2061 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC dst MARK or 0x8000

So for some reason any changes I make do not seem to take effect until the next day. This is despite several router reboots while trying to get it to work, device reboots, router vpn reconnections, tests on multiple different devices. Nothing seems to get the rules to take effect until I leave it overnight and it magically starts working the next day. I noticed this when I first installed it as well when I thought nothing was working and the next day it was somehow working without having touched a thing. Any ideas why it would take so long to start working?
The first line is routing BBC to VPN client 1 and the second line is routing BBC_WEB to the WAN. Delete the entry that is not correct and re-enter it using the correct interface.
 
Somehow this, with the Accept DNS Setting set as Strict, is not working after I restarted my router due to a power failure in my house. I need to set the Accept DNS Setting as Exclusive again for my Disney+ to work. Confusing.
Do you want to route Disney to the VPN or WAN? Maybe post the contents of nat-start.

If you are routing to a VPN, which provider? Express and Nord require that you use their DNS to get around VPN blocks, which explains why you have to set Accept DNS Configuration = Exclusive. With this setting, dnsmasq is bypassed. As a result, the ipset feature in dnsmasq cannot load the IPSET list. If this is the case, set Accept DNS Configuration to Strict. The next step is to add the DNS entries for the VPN provider in the custom configuration setting using the syntax below, where the x's are the IPv4 address of the DNS server.

dhcp-option DNS x.x.x.x

Then, apply the changes.

Also, use the DNS Filter option to force all LAN clients to use DNS specified on the router.
 
What is your VPN provider? Express and Nord require that you use their DNS service. Android devices will default to 8.8.8.8. The fix is to use the DNSFilter option to force all LAN clients to use the DNS specified on the router.

Another issue could be the location setting is enabled. Please see the brief write-up here on the topic:
Thanks for taking the time to reply. As a matter of fact, I have static routes enabled for all Google DNS requests going through my unbound server, and those 2 clients are using the DNS filter with the specified DNS provided by the router. Also, both TVs are Samsung so they're using Tizen OS, but one is newer, and on my Shield TV location settings are disabled. I think there's a check somewhere on those 2 devices so I might need to sniff out the traffic.
 
