What's new

x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

hello @Xentrk
i have always had log verbosity 4. thats how im getting the Sep 16 21:14:25 RT-AC3100-0548 ovpn-client1[19688]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx messages. no other messages show up as i believe that the vpn connection stays alive but the routing gets damaged some how.

my dnsmasq.conf.add is as simplest as it can be now
Code:
strict-order
dhcp-option=lan,42,10.0.0.1 # ntpMerlin

server=/use-application-dns.net/
server=/pool.ntp.org/8.8.8.8

my openvpn client custom conf is
Code:
mssfix 1430
resolv-retry infinite
tls-client
remote-cert-tls server
#ignore-unknown-option block-outside-dns
#block-outside-dns
setenv opt block-outside-dns
auth-nocache

theres something on the selective routing that messes up the vpn connection and drops all packages to the vpn server

Remove this line: setenv opt block-outside-dns and see if you still have an issue. Remove the two comment (#) lines too.

The option is only available on Windows platforms.
–block-outside-dns Block DNS servers on other network adapters to prevent DNS leaks. This option prevents any application from accessing TCP or UDP port 53 except one inside the tunnel. It uses Windows Filtering Platform (WFP) and works on Windows Vista or later.This option is considered unknown on non-Windows platforms and unsupported on Windows XP, resulting in fatal error. You may want to use –setenv opt or –ignore-unknown-option (not suitable for Windows XP) to ignore said error. Note that pushing unknown options from server does not trigger fatal errors.
 
Last edited:
Remove this line: setenv opt block-outside-dns and see if you still have an issue. Remove the two comment (#) lines too.

The option is only available on Windows platforms.

hi
still no luck :(
Code:
Sep 17 09:00:18 RT-AC3100-0548 ovpn-client1[8774]: Initialization Sequence Completed
Sep 17 09:49:18 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:23 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:28 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:33 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:38 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443

here is my custom config on the openvpn client
1600354437542.png

Code:
mssfix 1430
resolv-retry infinite
tls-client
remote-cert-tls server
auth-nocache
 
hi
still no luck :(
Code:
Sep 17 09:00:18 RT-AC3100-0548 ovpn-client1[8774]: Initialization Sequence Completed
Sep 17 09:49:18 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:23 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:28 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:33 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443
Sep 17 09:49:38 RT-AC3100-0548 ovpn-client1[8774]: Recursive routing detected, drop tun packet to [AF_INET]3.xx.xxx.xx:443

here is my custom config on the openvpn client
View attachment 26300
Code:
mssfix 1430
resolv-retry infinite
tls-client
remote-cert-tls server
auth-nocache
I think the issue is the LAN IP. It looks like the same subnet as the VPN. Try another private subnet for the LAN e.g. 172.16.1.1 or 192.168.1.1
 
I think the issue is the LAN IP. It looks like the same subnet as the VPN. Try another private subnet for the LAN e.g. 172.16.1.1 or 192.168.1.1
i will give this a try tonight and change the vpn network to 192.168.1.1 / 255.255.255.0 . just fyi, both networks are in different subnets:
LAN: 10.0.0.0 / 24
VPNCLIENT1: 10.0.2.0 / 24

will report back


EDIT:
issue persists :(
 
Last edited:
i will give this a try tonight and change the vpn network to 192.168.1.1 / 255.255.255.0 . just fyi, both networks are in different subnets:
LAN: 10.0.0.0 / 24
VPNCLIENT1: 10.0.2.0 / 24

will report back


EDIT:
issue persists :(
I just did a web search and there does not seem to be a common root cause. There is a suggested fix in the first link below.


 
thanks. no luck.
i tried to use the --local parameter but it cant work together with --nobind.
--nobind comes by default as the router embeds on the config and i cant seem to disable it

ill keep trying
 
@Xentrk i think i have narrowed it down.
i have my vpn client up and running.
i deleted this line from the vpn client config and ran your script. finally no more errors on the vpn log and vpn stays up. but, no selective routing works
1600443529446.png


this setup is giving me promising results with the fact the the vpn remains alive after runnning your script but the selective routes arent working

1600464958718.png1600464983624.png


Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ipset -L aws1
Name: aws1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 540
References: 1
Number of entries: 4
Members:
104.24.123.146
208.85.40.20
104.24.122.146
172.67.189.102
andresmorago@RT-AC3100-0548:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 4342 packets, 992K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   416 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set aws1 dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/home/root#
 

Attachments

  • 1600444937543.png
    1600444937543.png
    97.6 KB · Views: 138
Last edited:
@Xentrk i think i have narrowed it down.
i have my vpn client up and running.
i deleted this line from the vpn client config and ran your script. finally no more errors on the vpn log and vpn stays up. but, no selective routing works
View attachment 26332

this setup is giving me promising results with the fact the the vpn remains alive after runnning your script but the selective routes arent working

View attachment 26344View attachment 26345


Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ipset -L aws1
Name: aws1
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 540
References: 1
Number of entries: 4
Members:
104.24.123.146
208.85.40.20
104.24.122.146
172.67.189.102
andresmorago@RT-AC3100-0548:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 4342 packets, 992K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        8   416 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set aws1 dst MARK or 0x1000
andresmorago@RT-AC3100-0548:/tmp/home/root#
The only issue I can spot is Accept DNS Configuration is set to Exclusive. As a result, dnsmasq is being bypassed. You need dnsmasq when using the dnsmasq or dnsmasq_file methods.

IPSET entries shouldn't be getting added as a result but it appears that there are some entries and packets are traversing the iptables chain. I set mine to Disabled and use DoT on the WAN page.

You should change your LAN IP so you can add the router IP to the Policy Routing section. It will be an issue if you selectively route using more than one VPN Client from my testing.
 
hello @Xentrk
The only issue I can spot is Accept DNS Configuration is set to Exclusive. As a result, dnsmasq is being bypassed. You need dnsmasq when using the dnsmasq or dnsmasq_file methods.
done. I just switched it to strict. is that correct?

IPSET entries shouldn't be getting added as a result but it appears that there are some entries and packets are traversing the iptables chain. I set mine to Disabled and use DoT on the WAN page.
where do you set the ipset entries as “disabled”?
Btw, i do have DoT enabled on my WAN:
  • DNS server 1 and dns sever 2 require a field. It won’t leave me leave them blank
  • Dns filter is set as Router in lan page
E341FCF6-0A23-47A0-972E-C35E463AEFD4.jpeg


You should change your LAN IP so you can add the router IP to the Policy Routing section. It will be an issue if you selectively route using more than one VPN Client from my testing.
Sorry. i understand the need of adding the Routers lan ip to the policy routing section but I don’t quite get your point on changing my lan ip since all the networks are in different subnets. What would be an appropriate Lan ip per your advise? I could accommodate if i have to.
Current networks are
LAN: 10.0.0.0/24
VPNserver1: 10.0.1.0/24
VPNclient1: 10.0.2.1/24

thanks!
 
hello @Xentrk

done. I just switched it to strict. is that correct?

where do you set the ipset entries as “disabled”?
Strict will work. The "disabled" reference was not about IPSET lists. I was referring to the
Accept DNS Configuration = Disabled setting.

Sorry. i understand the need of adding the Routers lan ip to the policy routing section but I don’t quite get your point on changing my lan ip since all the networks are in different subnets. What would be an appropriate Lan ip per your advise? I could accommodate if i have to.
Current networks are
LAN: 10.0.0.0/24
VPNserver1: 10.0.1.0/24
VPNclient1: 10.0.2.1/24

thanks!
Routing the Routers's IP to the WAN is recommend if one has a rule to route the entire LAN thru the VPN and block internet access if the tunnel goes down e.g. 192.168.1.0/24. This way, router services like NTP can still access the WAN if the VPN goes down.

For selective routing, I also got mixed results if I did not have the router entry and need to selectively route to two or more VPN Clients.

I've never seen the error you posted in the 4 plus years I've been participating on the forum. So, if you do have the two use cases mentioned above, you will probably need to change the LAN address so you can enter the router's LAN address without the error. Otherwise, you should be okay.
 
I would first like to express my thanks for this script which helped me greatly.
I have been using this for 2 years now. I do have a slight problem with the new version though.

I just updated my system to 384.19 and saw that x3mrouting had also changed. Previously I was using "load_MANUAL_ipset_iface.sh". It was creating an ipset rule based on a file filled with ip addresses and selectively routing traffic just for these ip addresses for the whole network.
With the new version, I saw that you can skip getting the ip addresses manually and use domain names and let the router do the job which is super convenient.
Now, I am using "x3mRouting ALL 1 GULIBU dnsmasq_file=/jffs/scripts/x3mRouting/Hosts"

with Hosts file filled with domain entries per line:
example.com
It is creating a GULIBU ipset list.
I am also using DoT for DNS in the router.

However, sometimes when I open a website, my browser shows a DNS error. To fix it, I have to reload the page or it automatically reloads itself when I focus that particular tab in my browser. This does not always happen. It is totally irregular and for websites that is not listed in the "Hosts" file.
With previous version of x3mrouting, I did not have this issue. Is it possible that dnsmasq failing occasionally? If it helps, I can send you the relevant logs if you can point me where and how to get them.

If this behavior continues, I might switch to ip method again instead of dnsmasq.
There is nothing else installed on the router other than x3mrouting.
 
hel
Strict will work. The "disabled" reference was not about IPSET lists. I was referring to the
Accept DNS Configuration = Disabled setting.


Routing the Routers's IP to the WAN is recommend if one has a rule to route the entire LAN thru the VPN and block internet access if the tunnel goes down e.g. 192.168.1.0/24. This way, router services like NTP can still access the WAN if the VPN goes down.

For selective routing, I also got mixed results if I did not have the router entry and need to selectively route to two or more VPN Clients.

I've never seen the error you posted in the 4 plus years I've been participating on the forum. So, if you do have the two use cases mentioned above, you will probably need to change the LAN address so you can enter the router's LAN address without the error. Otherwise, you should be okay.

So i changed all the networks so they are in a different segment.
LAN - 10.0.0.0/24
VPNclient1 (tun11) - 172.16.1.24/24
VPNserver1 (tun21) - 192.168.1.0/24

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ifconfig
br0       Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3015305 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6524144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3033356144 (2.8 GiB)  TX bytes:5353048180 (4.9 GiB)

br0:pixelserv-t Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.6  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:181.xxx.xxx.xxx  Bcast:181.xxx.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16968457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10253233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1259394980 (1.1 GiB)  TX bytes:4254345056 (3.9 GiB)
          Interrupt:181 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:267068 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:210658988 (200.8 MiB)

eth2      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:4C
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4651021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3011935941 (2.8 GiB)

fwd0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:263080 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:14295316 (13.6 MiB)
          Interrupt:179 Base address:0x4000

fwd1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4646625 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2708107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:2738844461 (2.5 GiB)
          Interrupt:180 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:225958 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:50482888 (48.1 MiB)  TX bytes:50482888 (48.1 MiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.1.3  P-t-P:172.16.1.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31704 (30.9 KiB)  TX bytes:3569 (3.4 KiB)

tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:20132 (19.6 KiB)

vlan1     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3501650 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6551351 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3067542507 (2.8 GiB)  TX bytes:5381380575 (5.0 GiB)

vlan2     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.xxx/24 dev eth0  proto kernel  scope link  src 181.52.250.149
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
192.168.1.0/24 dev tun21  proto kernel  scope link  src 192.168.1.1
172.16.1.0/24 dev tun11  proto kernel  scope link  src 172.16.1.3
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0

still, when running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 with this,
1600540227671.png

i get dozens of these errors and none of the websites being routed through the vpn will work

Sep 19 13:24:23 RT-AC3100-0548 ovpn-client1[19396]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx:443
 
I would first like to express my thanks for this script which helped me greatly.
I have been using this for 2 years now. I do have a slight problem with the new version though.

I just updated my system to 384.19 and saw that x3mrouting had also changed. Previously I was using "load_MANUAL_ipset_iface.sh". It was creating an ipset rule based on a file filled with ip addresses and selectively routing traffic just for these ip addresses for the whole network.
With the new version, I saw that you can skip getting the ip addresses manually and use domain names and let the router do the job which is super convenient.
Now, I am using "x3mRouting ALL 1 GULIBU dnsmasq_file=/jffs/scripts/x3mRouting/Hosts"

with Hosts file filled with domain entries per line:
example.com
It is creating a GULIBU ipset list.
I am also using DoT for DNS in the router.

However, sometimes when I open a website, my browser shows a DNS error. To fix it, I have to reload the page or it automatically reloads itself when I focus that particular tab in my browser. This does not always happen. It is totally irregular and for websites that is not listed in the "Hosts" file.
With previous version of x3mrouting, I did not have this issue. Is it possible that dnsmasq failing occasionally? If it helps, I can send you the relevant logs if you can point me where and how to get them.

If this behavior continues, I might switch to ip method again instead of dnsmasq.
There is nothing else installed on the router other than x3mrouting.
Thank you for the gratitude. Many hours of labor went into the update and I appreciate the feedback.

The dnsmasq method is being used when specifying the dnsmasq_file= parm. On the OpenVPN Screen, the Accept DNS Configuration = Exclusive setting will bypass dnsmasq. Accept DNS Configuration needs to be set to Disabled, Relaxed or Strict when using the dnsmasq method. The other methods can be used without dnsmasq though.

What may be occurring is the sites may be referencing other domains. Netflix is a good example. netflix.com by itself won't work because the site uses other domains.

The autoscan.sh or getdomainnames.sh scripts can help identify the other domain names the site uses. See the usage intructions here: https://github.com/Xentrk/x3mRouting#4-getdomainnamessh--autoscansh-scripts

Or, just revert back to the Manual method using the new version since you already have the IPv4 addresses.

If you can give tell me one of the websites that is giving you an issue, I can test on my end to confirm this is the issue.
 
hel


So i changed all the networks so they are in a different segment.
LAN - 10.0.0.0/24
VPNclient1 (tun11) - 172.16.1.24/24
VPNserver1 (tun21) - 192.168.1.0/24

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ifconfig
br0       Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3015305 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6524144 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3033356144 (2.8 GiB)  TX bytes:5353048180 (4.9 GiB)

br0:pixelserv-t Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.6  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:181.xxx.xxx.xxx  Bcast:181.xxx.xxx.xxx  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16968457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10253233 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1259394980 (1.1 GiB)  TX bytes:4254345056 (3.9 GiB)
          Interrupt:181 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:267068 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:210658988 (200.8 MiB)

eth2      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:4C
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4651021 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3011935941 (2.8 GiB)

fwd0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:263080 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89731 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:14295316 (13.6 MiB)
          Interrupt:179 Base address:0x4000

fwd1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:4646625 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2708107 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:2738844461 (2.5 GiB)
          Interrupt:180 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:225958 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225958 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:50482888 (48.1 MiB)  TX bytes:50482888 (48.1 MiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.1.3  P-t-P:172.16.1.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:43 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31704 (30.9 KiB)  TX bytes:3569 (3.4 KiB)

tun21     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.1  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:20132 (19.6 KiB)

vlan1     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3501650 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6551351 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3067542507 (2.8 GiB)  TX bytes:5381380575 (5.0 GiB)

vlan2     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.xxx/24 dev eth0  proto kernel  scope link  src 181.52.250.149
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
192.168.1.0/24 dev tun21  proto kernel  scope link  src 192.168.1.1
172.16.1.0/24 dev tun11  proto kernel  scope link  src 172.16.1.3
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0

still, when running x3mRouting ALL 1 aws1 dnsmasq_file=/jffs/scripts/x3mRouting/aws_domains_01 with this,
View attachment 26356
i get dozens of these errors and none of the websites being routed through the vpn will work

Sep 19 13:24:23 RT-AC3100-0548 ovpn-client1[19396]: Recursive routing detected, drop tun packet to [AF_INET]3.xxx.xxx.xxx:443
Sorry I can't be of much help on this one. I can't find a common thread in the web searches.

The asuswrt-merlin firmware creates the routing table as shown using the "ip route" command. x3mRouting creates the RPDB rules for the fwmarks used for selective routing and the iptables rule to route the traffic thru the VPN tunnel or WAN.

In the routing table, I see two references for "br0". I only have one. "bro" interface is used by the iptables rules x3mRouting creates. Conflict with 10.0.0.0/8 and 10.0.0.0/24 on the br0 iface?

1600563469062.png

1600563481888.png

I did another search for "recursive routing" in the firmware code. No additional clues other than what is provided by the option below about incoming tun packets having the same destination as the host..

–allow-recursive-routing When this option is set, OpenVPN will not drop incoming tun packets with same destination as host.
@RMerlin any insights on the issue?
 
Sorry I can't be of much help on this one. I can't find a common thread in the web searches.

The asuswrt-merlin firmware creates the routing table as shown using the "ip route" command. x3mRouting creates the RPDB rules for the fwmarks used for selective routing and the iptables rule to route the traffic thru the VPN tunnel or WAN.

In the routing table, I see two references for "br0". I only have one. "bro" interface is used by the iptables rules x3mRouting creates. Conflict with 10.0.0.0/8 and 10.0.0.0/24 on the br0 iface?

View attachment 26360
View attachment 26361
I did another search for "recursive routing" in the firmware code. No additional clues other than what is provided by the option below about incoming tun packets having the same destination as the host..


@RMerlin any insights on the issue?
thanks for pointing that out. i believe that IP (10.0.0.6) listed on the last 10.0.0.0 rule one is the pixelserv ip from diversion. could that be related?

in addition, adding –allow-recursive-routing to my vpnclient config just hides the recursive routing message but the access to vpn is dead after running the selective routing script
 
thanks for pointing that out. i believe that IP (10.0.0.6) listed on the last 10.0.0.0 rule one is the pixelserv ip from diversion. could that be related?
I also have pixelserve-tls installed. I do have two "br0" references when running the ifcong command. But not for the ip route command.

Are you using a commercial VPN server or self hosted on a cloud service? Do they offer support or have a forum?
 
hi. its just an openvpn server i have running on one of my asw instances. i have full control of it
Make sure the VPN server and client are using different port numbers. Port 443 is being referenced in the message. So that may be a clue.

Shut down the VPN client and server on the router and run the ip route command to see if you can determine what is creating this route:

10.0.0.0/8 dev br0 proto kernel scope link src 10.0.0.6

Check the system log for clues. Is TOR enabled?
 
Last edited:
Thank you for the gratitude. Many hours of labor went into the update and I appreciate the feedback.

The dnsmasq method is being used when specifying the dnsmasq_file= parm. On the OpenVPN Screen, the Accept DNS Configuration = Exclusive setting will bypass dnsmasq. Accept DNS Configuration needs to be set to Disabled, Relaxed or Strict when using the dnsmasq method. The other methods can be used without dnsmasq though.

What may be occurring is the sites may be referencing other domains. Netflix is a good example. netflix.com by itself won't work because the site uses other domains.

The autoscan.sh or getdomainnames.sh scripts can help identify the other domain names the site uses. See the usage intructions here: https://github.com/Xentrk/x3mRouting#4-getdomainnamessh--autoscansh-scripts

Or, just revert back to the Manual method using the new version since you already have the IPv4 addresses.

If you can give tell me one of the websites that is giving you an issue, I can test on my end to confirm this is the issue.

I will test further and inform you.
The issue is not about a particular website. Sometimes it is google or some other website. Totally random. The website is not in the list so it should use regular internet connection. With chrome I get "DNS_PROBE_FINISHED_NXDOMAIN" error.

This points me that there is a problem with DNS resolution.
It is also possible that this is a problem with DoT and not related to x3m at all. It is hard to pinpoint.
 
Check the system log for clues. Is TOR enabled?
always OFF

Make sure the VPN server and client are using different port numbers. Port 443 is being referenced in the message. So that may be a clue.
i turned off the vpn server i had running on my router off for testing purposes

Shut down the VPN client and server on the router and run the ip route command to see if you can determine what is creating this route:

10.0.0.0/8 dev br0 proto kernel scope link src 10.0.0.6
with aws server off, and either vpn client on or off that ip rule you mention is still showing. and 10.0.0.6 is definitely the pixel serve server.


Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ifconfig

br0       Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:8625282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22670501 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7018765046 (6.5 GiB)  TX bytes:25052338515 (23.3 GiB)

br0:pixelserv-t Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:10.0.0.6  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          inet addr:181.xxx.xxx.xxxBcast:181.xxx.xxx.xxxMask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:50276364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32906211 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:858913774 (819.1 MiB)  TX bytes:2405561012 (2.2 GiB)
          Interrupt:181 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:588796 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:425039621 (405.3 MiB)

eth2      Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:4C
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19121703 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3969762686 (3.6 GiB)

fwd0      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:578675 errors:0 dropped:0 overruns:0 frame:0
          TX packets:148295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:23386422 (22.3 MiB)
          Interrupt:179 Base address:0x4000

fwd1      Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:19110580 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7476183 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1833769805 (1.7 GiB)
          Interrupt:180 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:576067 errors:0 dropped:0 overruns:0 frame:0
          TX packets:576067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:128965806 (122.9 MiB)  TX bytes:128965806 (122.9 MiB)

lo:0      Link encap:Local Loopback
          inet addr:127.0.1.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1

vlan1     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:10155732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22742641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7123461208 (6.6 GiB)  TX bytes:25148947888 (23.4 GiB)

vlan2     Link encap:Ethernet  HWaddr 4C:ED:FB:AC:05:48
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Code:
andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.xxx/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0


i have a completely separate network on a different place with a similar router and that ip route shows as well, so i dont think that should be related with my issue

Code:
ASUSWRT-Merlin RT-AC68U 384.18_0 Sun Jun 28 17:57:07 UTC 2020

admin@RT-AC68U-F680:/tmp/home/root# ip route
73.xxx.xxx.xxx dev eth0  proto kernel  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
10.10.10.0/24 dev br0  proto kernel  scope link  src 10.10.10.1
73.xxx.xxx.xxx/23 dev eth0  proto kernel  scope link  src 73.xxx.xxx.xxx
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.10.10.2
127.0.0.0/8 dev lo  scope link
default via 73.xxx.xxx.xxx dev eth0
 
Last edited:

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top