x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Does option 2 only work with final firmwares? I.e., doesn't it work with Alpha/Beta?
I keep tabs on any changes to certain programs that I've modified from source that would impact x3mRouting. From what I can tell, there haven't been any changes in 384.14 Alpha that should cause a problem with any of the methods. If you experience any issues, please provide any error messages or screen prints and let me know what router model you have.
 
I am trying to route netflix traffic over vpn1 and have run into a snag with a chromecast. The routing works using the netflix app on my android phone but when I try to cast to the chromecast I get the dreaded proxy error.

I believe the problem lies within the hard coded DNS on the chromecasts, also I have read that the chromecasts now use DNS over TLS.

I am using the shell script method and this is my nat-start file.
Code:
#!/bin/sh

### IPSET Shell Script Method

# Route Netflix's ASN and the Netflix/Amazon CDN domains to VPN Client 1
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX1 amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,nflximg.com,netflix.net

# Redirect LAN clients' hard-coded Google DNS queries (UDP and TCP 53) to the router at 192.168.0.1
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 8.8.4.4 -p udp --dport 53 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 8.8.8.8 -p udp --dport 53 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 8.8.4.4 -p tcp --dport 53 -j DNAT --to 192.168.0.1
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -d 8.8.8.8 -p tcp --dport 53 -j DNAT --to 192.168.0.1

# Reject forwarded IPv6 traffic to Google DNS so clients cannot bypass the redirect over IPv6
ip6tables -I FORWARD --destination 2001:4860:4860::8844 -j REJECT
ip6tables -I FORWARD --destination 2001:4860:4860::8888 -j REJECT

# Drop DNS over TLS (TCP 853). Note: INPUT and OUTPUT only cover traffic to and from the router itself;
# traffic from LAN clients passes through the FORWARD chain instead.
iptables -A INPUT -p tcp --destination-port 853 -j DROP
iptables -A OUTPUT -p tcp --destination-port 853 -j DROP
What am I doing wrong here?
Should I be using something like this instead of the PREROUTING/FORWARD/IN/OUT rules to route requests from the chromecast to port 53 and port 853 (DoT) to vpn1?
Code:
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range <CHROMECAST_IP> -p tcp -m multiport --dport 53,853 -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range <CHROMECAST_IP> -p udp -m multiport --dport 53,853 -j MARK --set-mark 0x1000/0x1000
Also, thanks for the excellent work on this project Xentrk.
Hard coded DNS shouldn't have an impact unless you use a VPN service from NordVPN or Express VPN. They use dnsproxy to circumvent VPN blocks put in place by Netflix. You can use the DNSFILTER function on the router to force all LAN clients to use the DNS specified by the router. My service offers dedicated IP addresses to get around the blocks.

Since Netflix blocks known VPN servers, many users use the script to route NF traffic to the WAN interface. Android devices are able to share your true location even if connected to a VPN which makes location spoofing impossible for some services. That may be why it works on your Android.

The first step to try is to disable the VPN and test if NF works. Then, route ALL TRAFFIC to the VPN and test NF again. If you get the proxy error, then NF is blocking your VPN server.

For the Selective routing of Ports/MACs and IPSETs, you must enter a “dummy” VPN Client entry if you don't have any LAN clients entered in the table. The firmware only creates the appropriate DNSVPN iptables chain if the table isn't empty. Use a valid IPv4 address for the DummyVPN entry that differs from your LAN IPv4 address range. I recommend using a bogon IP address for this purpose.
 
I am using ExpressVPN as my provider.
If I disable the VPN, local NF works. If I direct all chromecast and phone traffic through the VPN, NF also works, but then I am unable to use other local streaming services, and other location aware sites and services are a bit of a pain. I can live with it, but the Mrs will be annoyed and we can't have that.
I have entered a dummyVPN in the VPN Client so that shouldn't be a problem.
I will try the DNSFILTER next and see how we go.

Thanks for the assistance.
 
I failed to mention this in my previous post. From the reports I've seen on the forum, I am fairly certain ExpressVPN is using the DNS pushed by the VPN Server as a DNS proxy service to circumvent VPN blocks put in place by Netflix and other streaming services. Since you are using Policy Rules, set Accept DNS Configuration = Exclusive so all services using the VPN Client will use the DNS pushed by ExpressVPN.
 
Wow, I think this is exactly what I was trying to find a solution for

I'm having a double geoblock situation, where the first one is solved by installing the Asus AC87U into that country and running VPN (both PPTP and OVPN servers). This works great.

Now, I also would like to see BBC iPlayer via UK VPN. As far as I understood, I can set up an OVPN client that tunnels traffic to the UK and I can use selective routing to only route the BBC iPlayer traffic, right? Basically a split tunneling setup, where all incoming VPN connections are routed either to WAN (default) or UK VPN TUN (BBC iPlayer traffic only).

My phone > VPN > Country 1 (AC87U) > WAN

My phone (BBC iPlayer) > VPN > Country 1 (AC87U) > UK VPN TUN

Is the above achievable without any excessive maintenance? IP ranges may change; does the script keep track of IPs which need to be selectively routed?

Thanks in advance

Edit. After doing further research, I can't find an example where VPN server clients get routed to an outgoing VPN tunnel. Any advice on this would be appreciated.
 
Question about routing using IPSET when accessing a domain through a client connected via the VPN server.

The following is the response if dnsmasq.conf.add has server specified:
Code:
server=/pandora.com/107.170.15.247

It is forwarded to the respective server:
Code:
13:52:23 dnsmasq[24407]: query[A] pandora.com from 10.8.0.2
13:52:23 dnsmasq[24407]: forwarded pandora.com to 107.170.15.247

However, using IPSET, it forwards to the local DNS and not the IPSET rule defined:
Code:
13:44:48 dnsmasq[11220]: query[A] www.pandora.com from 10.8.0.2
13:44:48 dnsmasq[11220]: forwarded www.pandora.com to 1.0.0.1
13:44:48 dnsmasq[11220]: ipset add PANDORA 208.85.40.20 www.pandora.com

How can a client connected through the router's VPN use the IP rules defined?
 
I used Amazon Prime, BBC, CBS All Access, Hulu, Netflix and Sling streaming media services in developing the project and include them in the examples on the project GitHub page.

Please beware that Amazon Prime, BBC, Hulu and Netflix block known VPN servers. If you want a VPN provider who can circumvent the VPN blocks, see my blog post Why I use Torguard as my VPN Provider to learn more.

Route BBC Traffic to VPN Client 3
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 3 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net

The routing rules are defined in such a way that they take priority over rules for individual LAN clients. So, I can have my Laptop defined to use VPN in Los Angeles, but BBC traffic will take priority and get routed to VPN Client 3.
 
@Martineau explains how to set it up in this post for all clients connected to the VPN tunnel

If you need to get more granular and specify rules by device, see https://openvpn.net/community-resources/how-to/ for instructions on how to create static IP addresses for devices connected to the VPN subnet. Then, change the iptables rule to specify the device IP address rather than the entire subnet.
 
Thank you I'll have a look.

Any idea how to specify YouTube to route through a VPN client? I tried the simple YouTube.com but that didn't get all the IPs and I was still geo blocked.
 
Hello @kman,

I did an nslookup on youtube.com - 216.58.196.46. I then entered the IP address in the search function on the Hurricane Electric site https://bgp.he.net. The IPv4 address belongs to AS15169. You can try the ASN method using AS15169. If that doesn't work, then mining the dnsmasq log file for domain names would be the next step. The issue with using the ASN for YouTube is that all Google traffic will get routed through the VPN client. So mining the dnsmasq log file for domains may be the best option for you. You can use the getdomainnames.sh script to help with the mining process. See https://github.com/Xentrk/netflix-vpn-bypass for a description and download instructions.
 
Thanks for the reply. I understand you can route LAN clients to different VPN clients depending on the rules. But I'm still unsure if we can route VPN server (running on AC87U) clients to another VPN tunnel based on the policy.

Do VPN clients respect the policy based routing as LAN clients would, or is this something that can't be achieved?
 
Are you referring to routing clients connected to the router via the VPN Server to one of the VPN Clients running on the router? If so, see post 168 above.
 
Yes, indeed. Managed to set the iptables as required and it worked for all traffic and all clients. That's great

You mentioned Policy Rules (Strict) with IPSET are high priority and will allow us to route only certain traffic via the VPN Client connection. Yet the iptables rules mentioned in the link route all VPN Server subnet traffic by default via VPN Client tun11/1+.

Code:
iptables -I POSTROUTING -t nat -s VPN_SUBNET/24 -o tun11 -j MASQUERADE

I guess the only missing piece of this puzzle is to fix routing the rest of the VPN Server traffic to WAN. Or is this done automatically?

Edit. I installed x3mRouting via amtm and selected option 2. The script you mentioned, sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh, is not included in the installation directory. Is this expected behavior? Option 2 says it includes the GUI and shell scripts.

Edit 2. So, it seems that the iface scripts are only available with installation option #3, and having both #2 and #3 installed broke the GUI (couldn't save any changes). Uninstalled x3mRouting via amtm, reinstalled the script with option #3. Ran the BBC command; the script executed successfully. Tested the connection, still connected via WAN. Modified iptables to allow routing from VPN Server clients to VPN Clients. Made a policy rule for my VPN client via the standard GUI, and all traffic was routed to VPN client 1. I'm puzzled how to achieve selective routing for VPN Server clients. Obviously I am missing the last piece of the puzzle. Any help is much appreciated.
 
@Xentrk I did look at the post and it is for routing entire traffic from VPN client connected to router through external VPN client.

I guess to be more specific, when running:
Code:
iptables -nvL PREROUTING -t mangle --line

Code:
Chain PREROUTING (policy ACCEPT 1331K packets, 391M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     2650  253K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     453K  322M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3      18M   24G BWDPI_FILTER  udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
4     122K 8622K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x1000

I'd like to have a PREROUTING rule marking IPSET traffic with 0x1000 for tun21, i.e.
Code:
4     122K 8622K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x1000

So that only traffic matching that IPSET from tun21 is routed to 0x1000 and everything else remains as is.

I hope this makes sense.

EDIT: I manually added:
Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-mark 0x1000/0x1000

However, when accessing pandora.com from a client connected to the router through the VPN, it was stuck, not resolving to anything.
 
I think I better understand your issue now. You want the clients connected to the router via the VPN Server to follow the routing rules you set up for routing LAN traffic to BBC rather than defaulting to one of the VPN Clients running on the router. I will have to do some analysis for your use case, as it is something I have not done myself, or grovel for help from the snbforums VPN routing expert @Martineau. Give me a few days to see what I can come up with. When I am on the road traveling, I use the TorGuard VPN client on my devices to circumvent geo restrictions rather than connecting to the router.

FYI, it is probably best to use the -D (delete) before issuing the -I (insert) or -A (append) on the iptables command so you don't create duplicate rules:

Code:
iptables -D POSTROUTING -t nat -s VPN_SUBNET/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s VPN_SUBNET/24 -o tun11 -j MASQUERADE

Also, option 2 (IPSET Shell Scripts + OpenVPN GUI) and 3 (IPSET Shell Scripts) can coexist if you install Option 3 first followed by option 2.
 
Hey @kman
Looks like you and @lazmo88 have similar use case. Please see my reply above.
 
What happens if you simply skip the DNS and specify the 'pandora.com' IP address 208.85.40.20?

FYI, based in the UK, I have VPN Client 3 routed via US, and the following
Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-xmark 0x4000/0x4000

allows any inbound OpenVPN Server 1 client to be routed outbound via VPN Client 3 if the target IP is defined in the PANDORA IPSET.

Just successfully tested it.
Code:
iptables -nvL PREROUTING -t mangle --line

Chain PREROUTING (policy ACCEPT 17752 packets, 8276K bytes)
num   pkts bytes target     prot opt in     out     source               destination
    
<snip>
8     2260  149K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x4000
Also, the appropriate OpenVPN Server subnet(s) (in my case both 10.8.0.0/24 and 10.16.0.0/24) are also included in the VPN Client 3 Selective routing table
Code:
ip route show table 113

10.10.0.61 dev tun13  proto kernel  scope link  src 10.10.0.62
10.16.0.0/24 dev tun22  scope link
10.8.0.0/24 dev tun21  scope link
10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.88.8.3
default via 10.10.0.61 dev tun13
 
Thank you for helping @andresmorago. I will go ahead and add the edge-case for vpn server routing feature and also for the edge-case requirement to route traffic to the WAN1 interface. I'll start with the vpn server routing requirement first as I can test that one with my current setup. I'll need a volunteer to test the WAN1 interface code once I get it done since I don't have dual WAN interfaces.
Hello @Xentrk,
I don't know if my requirement is related to the ones reported lately. I would appreciate your help whenever you can!
 
After adding
Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-mark 0x1000/0x1000

Code:
admin@RT-AC68U:/tmp/home/root# iptables -nvL PREROUTING -t mangle --line
Chain PREROUTING (policy ACCEPT 119K packets, 68M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5301  418K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
2     976K  731M MARK       all  --  tun11  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3      25M   35G BWDPI_FILTER  udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
4     125K 9108K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x1000
5       18  1152 MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x1000

Accessing it directly via IP still gives the same result. How did you add the VPN Server subnet to the VPN Client 3 Selective routing table?

Thanks

EDIT: adding the following code in conjunction with the above PREROUTING rule, it seems to be working.
Code:
iptables -D POSTROUTING -t nat -s 10.8.0.1/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s 10.8.0.1/24 -o tun11 -j MASQUERADE

Is this correct?
 
@Martineau thanks for the update. However, comparing your iptables rules with @kman's, there's a minor difference which I don't understand. The --set-mark vs --set-xmark flags seem to be different; why is this?

Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-xmark 0x4000/0x4000

Code:
iptables -t mangle -A PREROUTING -i tun21 -m set --match-set PANDORA dst -j MARK --set-mark 0x1000/0x1000

The rule above is the one that's missing, I guess, and making sure that selective routing is correctly enabled.

tun21 is the incoming/local VPN server tunnel; this is clear. IPSET PANDORA is also clear.

Also tun11 (outgoing VPN client) makes sense:
Code:
iptables -D POSTROUTING -t nat -s 10.8.0.1/24 -o tun11 -j MASQUERADE
iptables -I POSTROUTING -t nat -s 10.8.0.1/24 -o tun11 -j MASQUERADE

Is it possible to ELI5 all the necessary rules that need to be in place to make this work? Required iptables rules and selective routing options?
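An added check for the setup Martineau describes above (ipset MARK rule on the VPN Server's tun interface plus the server subnet in the VPN Client's routing table), for Xentrk's delete-before-insert advice on duplicate rules, and for the --set-mark vs --set-xmark question in this post. This is example code written for this page, not code from x3mRouting or any poster; the listings are constructed samples in the shape of the ones quoted in the thread, and the mark arithmetic follows the iptables MARK target documentation.

```python
MASK32 = 0xFFFFFFFF


def apply_mark(mark, value, mask=MASK32, xmark=False):
    """Packet-mark arithmetic as documented for the iptables MARK target:
    --set-xmark v/m -> (mark & ~m) ^ v      --set-mark v/m -> (mark & ~m) | v
    With v == m (the thread's 0x1000/0x1000 and 0x4000/0x4000) both just set the bit."""
    cleared = mark & ~mask & MASK32
    return (cleared ^ value) if xmark else (cleared | value)


def parse_mangle_listing(text):
    """Rows of `iptables -nvL <chain> -t mangle --line`; header and <snip> lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 10)  # num pkts bytes target prot opt in out src dst [extra]
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        rules.append({"num": int(parts[0]), "target": parts[3], "in": parts[6],
                      "out": parts[7], "dst": parts[9],
                      "extra": parts[10] if len(parts) > 10 else ""})
    return rules


def ipset_mark_rules(rules, iface, ipset):
    """MARK rules for packets entering on iface whose destination is in ipset."""
    needle = "match-set %s dst" % ipset
    return [r for r in rules
            if r["target"] == "MARK" and r["in"] == iface and needle in r["extra"]]


def parse_route_table(text):
    """Map prefix -> device from `ip route show table N` output."""
    routes = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 3 and p[1] == "dev":                          # "10.8.0.0/24 dev tun21 ..."
            routes[p[0]] = p[2]
        elif len(p) >= 5 and p[0] == "default" and p[3] == "dev":  # "default via X dev tun13"
            routes["default"] = p[4]
    return routes


def check_server_to_client_routing(mangle_text, table_text, server_if, server_subnet, ipset):
    """The two conditions from the thread: exactly one ipset MARK rule on the VPN Server's
    tun interface (no duplicates from repeated -A/-I without a -D first), and the server
    subnet present in the VPN Client's selective routing table."""
    hits = ipset_mark_rules(parse_mangle_listing(mangle_text), server_if, ipset)
    routes = parse_route_table(table_text)
    return {"mark_rule_present": len(hits) >= 1,
            "mark_rule_duplicated": len(hits) > 1,
            "mark_value": hits[0]["extra"].split()[-1] if hits else None,
            "server_subnet_in_table": routes.get(server_subnet) == server_if}


# Constructed samples in the shape of the listings posted in the thread.
MANGLE_OK = """\
Chain PREROUTING (policy ACCEPT 17752 packets, 8276K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5301  418K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x1/0x7
3      25M   35G BWDPI_FILTER  udp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0
8     2260  149K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x4000
"""
# The same rule appended a second time (-A without a preceding -D): the duplicate the thread warns about.
MANGLE_DUP = MANGLE_OK + "9     2260  149K MARK       all  --  tun21  *       0.0.0.0/0            0.0.0.0/0            match-set PANDORA dst MARK or 0x4000\n"
TABLE_113 = """\
10.10.0.61 dev tun13  proto kernel  scope link  src 10.10.0.62
10.16.0.0/24 dev tun22  scope link
10.8.0.0/24 dev tun21  scope link
10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1
default via 10.10.0.61 dev tun13
"""
# Constructed client table that never had the OpenVPN Server subnet added to it.
TABLE_NO_SERVER_ROUTE = "10.88.8.0/24 dev br0  proto kernel  scope link  src 10.88.8.1\ndefault via 10.10.0.61 dev tun13\n"

if __name__ == "__main__":
    print(check_server_to_client_routing(MANGLE_OK, TABLE_113, "tun21", "10.8.0.0/24", "PANDORA"))
    print(check_server_to_client_routing(MANGLE_DUP, TABLE_NO_SERVER_ROUTE, "tun21", "10.8.0.0/24", "PANDORA"))
    for m in (0x0, 0x1):  # mark before the rule, e.g. 0x1 after the "MARK xset 0x1/0x7" rule
        print(hex(apply_mark(m, 0x1000, 0x1000, xmark=True)), hex(apply_mark(m, 0x1000, 0x1000)))
```

Because every rule in this thread uses a value equal to its mask, --set-mark and --set-xmark produce the same mark, which is why both listings above show the rule as "MARK or 0x…".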
 