x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[TheChez]

I basically used to have Merlin running and some devices on VPN and some on WAN so that they can access services that aren't VPN friendly. I have some port forwards from my server that need to be available which seems to cause the biggest issue.
About a month ago, the port forwards weren't working anymore and TorGuard and I couldn't figure out what was wrong. I updated Merlin and set back up but either WAN works or VPN works but not both at the same time if I use policy rules. I downgraded to v 13 and it wouldn't work either.
So, I was hoping to use option 1 to overpower the router and specify what goes through VPN and what goes through WAN. The issue is this router is much faster than my other router that I keep as a backup (not a bridge).

 

[Xentrk]

This is such a cool idea to get around the blocking of VPNs.
I tried method 1 but it didn't create any of the files it was supposed to in the /jffs/configs folder so there was nothing I could edit.
I also tried method 3 but it's definitely above my pay grade. I'm not entirely understanding all of the steps on that one. I would really just like if option 1 worked for me but it's not creating the files.

I've not had much luck routing between VPN and WAN with my 3100 router. I'm starting to think I have a dud and just need to sell it. Any help?

This is the output I get when I run the script:

# ./x3mRouting_client_config.sh
(x3mRouting_client_config.sh): 25119 Starting Script Execution

_______________________________________________________________
|                                                             |
|  Welcome to the x3mRouting LAN Client Configuration Script  |
|  Version 1.0.0 by Xentrk                                    |
|                                                             |
|           Configuration instuctions available at            |
|            https://github.com/Xentrk/x3mRouting             |
|         ____        _         _                             |
|        |__  |      | |       | |                            |
|  __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _     |
|  \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \    |
|   /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |    |
|  /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|    |
|                                                             |
|_____________________________________________________________|

Existing /jffs/configs/x3mRouting_client_rules file found.
A backup of the existing file was made.

You must now edit /jffs/configs/x3mRouting_client_rules and
assign the interface for each LAN client.

(x3mRouting_client_config.sh): 25119 Ending Script Execution

Please note there was a change in 384.14 to allow the entry of a DNS entry for LAN clients in the DHCP Static Lease assignment screen. I am in the process of updating the code to account for the new DNS field.

If you still have issues, you can edit the code and remove the # from the set -x line to run in debug mode.

# Uncomment the line below for debugging
#set -x

 

[Torson]

With all due respect the last entries in this thread are out of sequence !?

 

[Xentrk]

[x3mRouting for LAN Clients Method - Code Update]

A change was made in the 384.14 and 384.14_2 firmware that allows users to specify DNS for LAN Clients in the Manual Assigned IP section of the DHCP Server screen. The x3mRouting_client_config.sh script has been updated to accommodate the change. You can download the update using Option 7 on the x3mRouting menu. You only need to rerun this script if you have made changes to DHCP static assignments or accidentally deleted the /jffs/configs/x3mRouting_client_rules file and don't have a backup.

/jffs/configs/x3mRouting_client_rules

#########################################################
# Assign the interface for each LAN client by entering  #
# the appropriate interface number in the first column  #
# 0 = WAN                                               #
# 1 = OVPNC1                                            #
# 2 = OVPNC2                                            #
# 3 = OVPNC3                                            #
# 4 = OVPNC4                                            #
# 5 = OVPNC5                                            #
#########################################################
0 192.168.1.150 SamsungTV
1 192.168.1.151 Samsung-Phone
2 192.168.1.152 Asus-Laptop
2 192.168.1.153 iPad
1 192.168.1.154 Lenovo-Laptop

 

[j911]

I'm using the IPSET shell scripts for a streaming service which is running an nginx proxy. The service requires a username and password to redirect to the actual ip for the .ts stream. The stream links are hosted by another CDN provider.

How can I automate the retrieval of .ts link after providing my login credentials so I can get the redirected ip automatically?

 

[mister]

Dear all,
since 14_2 I have a routing problem, and maybe you can support me a little bit.

Normally specific traffic (marked via IPs on the webui) should be routet via VPN1 , all the other should be routed via VPN4. It worked till the update from 14 to 14_2 without any problems.
But now, all traffic is routed via VPN1 even if I add manually an specific IP at the VPN4 Webui page to be routed to vpn4.

In the vpn4 section 192.168.111.0/24 to 0.0.0.0 is active and should force the internet traffic trough this vpn. In the vpn1 section only specific IPs are mentioned to be routed via VPN1.

If I deactivate VPN1 the traffic is routed via VPN4 as it should, but as soon as I activate VPN1 the old situation occurs.
I already forced an x3mrouting update without success. Any hints or ideas, what I can do ?

thanks

Hugo.


ip rule:
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.111.1 lookup main
10002: from 192.168.111.0/24 to 192.168.0.1 lookup main
10003: from 192.168.111.0/24 to 192.168.2.1 lookup main
10004: from 192.168.111.0/24 to 192.168.0.114 lookup main
10005: from 192.168.111.0/24 to 192.168.0.112 lookup main
10006: from 192.168.0.112 to 192.168.111.0/24 lookup main
10007: from 192.168.0.114 to 192.168.111.0/24 lookup main
10008: from 192.168.10.0/24 to 192.168.111.77 lookup main
10009: from 192.168.111.77 to 192.168.10.0/24 lookup main
10010: from 192.168.111.88 to 192.168.10.0/24 lookup main
10011: from 192.168.10.0/24 to 192.168.111.88 lookup main
10012: from 192.168.10.0/24 to 192.168.111.0/24 lookup main
10013: from 192.168.111.0/24 to 192.168.10.0/24 lookup main
10101: from 192.168.111.66 lookup ovpnc1
10102: from 192.168.111.185 lookup ovpnc1
10103: from 192.168.111.141 lookup ovpnc1
10104: from 192.168.111.88 lookup ovpnc1
10105: from 192.168.111.77 lookup ovpnc1
10106: from 192.168.111.116 lookup ovpnc1
10107: from 192.168.111.108 lookup ovpnc1
10601: from 192.168.111.1 lookup main
10602: from 192.168.111.0/24 to 192.168.0.1 lookup main
10603: from 192.168.111.0/24 to 192.168.2.1 lookup main
10701: from 192.168.111.0/24 lookup ovpnc4
10801: from 192.168.111.1 lookup main
10802: from 192.168.111.0/24 to 192.168.0.1 lookup main
10803: from 192.168.111.0/24 to 192.168.2.1 lookup main
10804: from 192.168.111.0/24 to 192.168.0.112 lookup main
10805: from 192.168.111.0/24 to 192.168.0.114 lookup main
10901: from 192.168.111.0/24 lookup ovpnc5
10902: from 192.168.5.0/24 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default

 

[Xentrk]

Dear all,
since 14_2 I have a routing problem, and maybe you can support me a little bit.

Normally specific traffic (marked via IPs on the webui) should be routet via VPN1 , all the other should be routed via VPN4. It worked till the update from 14 to 14_2 without any problems.
But now, all traffic is routed via VPN1 even if I add manually an specific IP at the VPN4 Webui page to be routed to vpn4.

In the vpn4 section 192.168.111.0/24 to 0.0.0.0 is active and should force the internet traffic trough this vpn. In the vpn1 section only specific IPs are mentioned to be routed via VPN1.

If I deactivate VPN1 the traffic is routed via VPN4 as it should, but as soon as I activate VPN1 the old situation occurs.
I already forced an x3mrouting update without success. Any hints or ideas, what I can do ?

thanks

Hugo.


ip rule:
0: from all lookup local
9990: from all fwmark 0x8000/0x8000 lookup main
9991: from all fwmark 0x3000/0x3000 lookup ovpnc5
9992: from all fwmark 0x7000/0x7000 lookup ovpnc4
9995: from all fwmark 0x1000/0x1000 lookup ovpnc1
10001: from 192.168.111.1 lookup main
10002: from 192.168.111.0/24 to 192.168.0.1 lookup main
10003: from 192.168.111.0/24 to 192.168.2.1 lookup main
10004: from 192.168.111.0/24 to 192.168.0.114 lookup main
10005: from 192.168.111.0/24 to 192.168.0.112 lookup main
10006: from 192.168.0.112 to 192.168.111.0/24 lookup main
10007: from 192.168.0.114 to 192.168.111.0/24 lookup main
10008: from 192.168.10.0/24 to 192.168.111.77 lookup main
10009: from 192.168.111.77 to 192.168.10.0/24 lookup main
10010: from 192.168.111.88 to 192.168.10.0/24 lookup main
10011: from 192.168.10.0/24 to 192.168.111.88 lookup main
10012: from 192.168.10.0/24 to 192.168.111.0/24 lookup main
10013: from 192.168.111.0/24 to 192.168.10.0/24 lookup main
10101: from 192.168.111.66 lookup ovpnc1
10102: from 192.168.111.185 lookup ovpnc1
10103: from 192.168.111.141 lookup ovpnc1
10104: from 192.168.111.88 lookup ovpnc1
10105: from 192.168.111.77 lookup ovpnc1
10106: from 192.168.111.116 lookup ovpnc1
10107: from 192.168.111.108 lookup ovpnc1
10601: from 192.168.111.1 lookup main
10602: from 192.168.111.0/24 to 192.168.0.1 lookup main
10603: from 192.168.111.0/24 to 192.168.2.1 lookup main
10701: from 192.168.111.0/24 lookup ovpnc4
10801: from 192.168.111.1 lookup main
10802: from 192.168.111.0/24 to 192.168.0.1 lookup main
10803: from 192.168.111.0/24 to 192.168.2.1 lookup main
10804: from 192.168.111.0/24 to 192.168.0.112 lookup main
10805: from 192.168.111.0/24 to 192.168.0.114 lookup main
10901: from 192.168.111.0/24 lookup ovpnc5
10902: from 192.168.5.0/24 lookup ovpnc5
32766: from all lookup main
32767: from all lookup default

I noticed these two rules have a reference to an IP address on a subnet that is different from the router's IP address.

10003: from 192.168.111.0/24 to 192.168.2.1 lookup main
10803: from 192.168.111.0/24 to 192.168.2.1 lookup main

 

[mister]

Hi Xentrk,
that is correct. The asus is behind a dslrouter. This DSL router is connected to my parents DSL router (192.168.2.1) via VPN. And it should routed via wan, but not over VPN1.
I created these rules, that the DSL - router is accessable from my net.

I made a downgrade back to 14_1 but , it doesn´t work either. ....
Could it be related to the recent changes on the x3mrouting script ?


Any ideas what I could test ?

 

[Xentrk]

I just noticed that jq package is not working for me:

# jq -r '.prefixes | .[].ip_prefix' < ip-ranges.json
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# jq
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or directory
# echo $PATH
/opt/bin:/opt/sbin:/bin:/usr/bin:/sbin:/usr/sbin:/home/wizard:/mmc/sbin:/mmc/bin:/mmc/usr/sbin:/mmc/usr/bin:/opt/sbin:/opt/bin:/opt/usr/sbin:/opt/usr/bin
# find / -name libonig.so

#

The jq package is required by the Amazon Selective routing scripts.

I reported the issue: https://github.com/Entware/Entware/issues/391

You can test by typing jq on the command line. Let me know if you have the same issue. The router in question is a RT-AC88U on 384.14_2 test release. I will update to 3894.14_2 final ASAP.

You should save off a copy of any Amazon IPSET lists using a different file name so you can use it as a restore file until jq is fixed. The default location is /opt/tmp. Alternatively, you can use the ASN method e.g. AS16509, AS14618, etc for Amazon.

To see if your Amazon IPSET list is empty, type liststats at the command line.

# liststats
AMAZON-EU - 0
AMAZON_US - 0
BBC_WEB - 260
CBS_WEB - 434
HULU_WEB - 171
MOVETV - 561
NETFLIX - 152
PANDORA - 14
Skynet-Blacklist - 146896
Skynet-BlockedRanges - 1597
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 5948

Edit: I will enhance the code to check the outcome of jq command prevent the program from updating the IPSET save/restore file if there is an issue.

It appears that jq may be out of order for awhile.

Looks like opkg fails to detect new jq dependency. This error can't be reproduced on fresh install, so I'm closing this issue.

opkg install oniguruma
Package oniguruma (6.9.3-1) installed in root is up to date.
# jq
jq: error while loading shared libraries: libonig.so: cannot open shared object file: No such file or director

People will have to revert to the ASN method for Amazon AWS traffic.

 

[Xentrk]

Hi Xentrk,
that is correct. The asus is behind a dslrouter. This DSL router is connected to my parents DSL router (192.168.2.1) via VPN. And it should routed via wan, but not over VPN1.
I created these rules, that the DSL - router is accessable from my net.

I made a downgrade back to 14_1 but , it doesn´t work either. ....
Could it be related to the recent changes on the x3mrouting script ?


Any ideas what I could test ?

The update wouldn't have had any impact. But using the LAN Clients Routing functionality may help simplify your setup.

It would be easier to debug the issue if you can post a screen snip of how the routing rules are setup in the web gui.

 

[mister]

The update wouldn't have had any impact. But using the LAN Clients Routing functionality may help simplify your setup.

It would be easier to debug the issue if you can post a screen snip of how the routing rules are setup in the web gui.

The file "/jffs/configs/x3mRouting_client_rules" does not exists at my router. I created the routing rules via webui.(see below)

The strange thing is, that it worked for months ago without any problem.
Since yesterday where I updated the amtm scripts (diversion, skynet and x3mrouting script) and the firmware from 14_1 to 14_2 the problem appeared.

Another strange thing is that after updating skynet and then forcing the x3m script update the routing is correct (over VPN4) till I reboot the router. After rebooting the same strange behavior was seen.....

Could it be an unwanted interaction with Skynet ?

I attach the vpnclient1-route-up script as well. Maybe there could be the problem, but I didn´t change it as well for months.....

 

[mister]

It is getting a little bit clearer.
Everytime I force skynet to update, the routing works as it should.

I went to amtm; opened skynet; update skynet; force update skynet even if not update is there ---> Routing is working as it should.

But I do not know, what is happening....

I removed Skynet, but that doesn´t solve the problem......
It seems to me, that the procedure of updating or installing skynet deblocks something (e.g. it restarts the system firewall). Could that an approach ?


OK: For those people, who have a similar problem, here comes my workaround (but I don´t know why it is working, because nothing changed in general).

1. Updating to the 14_2 Firmware
2. Restoring an old jffs Partion backup (My backup was from 20-01-01)
3. Rebooting the Router
4. Upgrading Skynet


Acutally it is working normally. As I said: Nothing is changed in the router settings (VPN) , but even after rebooting it is working. Maybe one upgrade of Skynet broke the configuration.....

If anybody knows, what happened or why, please write.....

 

[mister]

Dear all,
sorry for asking for further support, but maybe you have an solution for my problem.

I want, that every traffic for german public streaming Services are routed through ovpnc1


for example this adress, which has an geo block, is not accessable with my configuration :

https://pdvideosdaserste-a.akamaihd...0ff8-495c-892a-b7104b4e4356/1280-1_582274.mp4


strange is, that it is accessable, if i use the vpn1 connection directly on my mobile with the same server as in the router. the difference to the router in my opinion is, that all traffic of my phone is routed to through the vpn without a selection.

in my route up Script (see Posting from the 6th of January) has the following entries:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ZDF AS43354 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ARD1 AS200093 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ARD2 AS13237 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 WDR AS8303 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 SWR AS8881 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 KIKA AS680 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BR AS35739 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Arte AS8839 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai1 AS35994 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai2 AS20940 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai3 AS16625 sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken zdf.de,zdfmediathek.de,ard.de,wdr.de,kika.de,phoenix.de,swr.de,swrmediathek.de,br.de,ardmediathek.de,wdrmediathek.de,phoenix.de,akamaihd.net,hr.de,akamaistream.net,dw.de,sr-online.de,ndr.de,rbb-online.de,apa.at,tagesschau.de,heute.de,akamai.com,rodlzdf-a.akamaihd.net sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken2 rodlzdf-a.akamaihd.net,rodl.zdf.de,nrodl.zdf.de,wdrmedien-a.akamaihd.net,tvdownloaddw-a.akamaihd.net,srstorage01-a.akamaihd.net,srfvodhd-vh.akamaihd.net,rodlzdf-a.akamaihd.net,rbbmediapmdp-a.akamaihd.net,cdn-storage.br.de,hr.gl-systemhaus.de,wdrmedien-a.akamaihd.net,wdradaptiv-vh.akamaihd.net,tv-download.dw.de,rbprogressivedl-a.akamaihd.net,nrodl.zdf.de,mediastorage01.sr-online.de,mediandr-a.akamaihd.net,media.ndr.de,http-stream.rbb-online.de,hrardmediathek-a.akamaihd.net,cdn-storage.br.de,arte.gl-systemhaus.de,apasfdp.apa.at,arteconcert-a.akamaihd.net,arteptweb-a.akamaihd.net,hdvodsrforigin-f.akamaihd.net,odmdr-a.akamaihd.net,pdodswr-a.akamaihd.net,pmdonlinekika-a.akamaihd.net,akamaistream.net



do you have an idea, why this file is not routed correctly in my router? what is the difference between normal public streaming contentoon akamaihd.net and the above link? is there an option to modify the route up configuration file to get these streams working on my router (without establishing an additional vpn on the device for some blocked contents?

Thanks a lot for your support

Hugo

 

[Xentrk]

Dear all,
sorry for asking for further support, but maybe you have an solution for my problem.

I want, that every traffic for german public streaming Services are routed through ovpnc1


for example this adress, which has an geo block, is not accessable with my configuration :

https://pdvideosdaserste-a.akamaihd...0ff8-495c-892a-b7104b4e4356/1280-1_582274.mp4


strange is, that it is accessable, if i use the vpn1 connection directly on my mobile with the same server as in the router. the difference to the router in my opinion is, that all traffic of my phone is routed to through the vpn without a selection.

in my route up Script (see Posting from the 6th of January) has the following entries:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ZDF AS43354 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ARD1 AS200093 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 ARD2 AS13237 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 WDR AS8303 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 SWR AS8881 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 KIKA AS680 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BR AS35739 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Arte AS8839 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai1 AS35994 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai2 AS20940 sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 Akamai3 AS16625 sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken zdf.de,zdfmediathek.de,ard.de,wdr.de,kika.de,phoenix.de,swr.de,swrmediathek.de,br.de,ardmediathek.de,wdrmediathek.de,phoenix.de,akamaihd.net,hr.de,akamaistream.net,dw.de,sr-online.de,ndr.de,rbb-online.de,apa.at,tagesschau.de,heute.de,akamai.com,rodlzdf-a.akamaihd.net sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken2 rodlzdf-a.akamaihd.net,rodl.zdf.de,nrodl.zdf.de,wdrmedien-a.akamaihd.net,tvdownloaddw-a.akamaihd.net,srstorage01-a.akamaihd.net,srfvodhd-vh.akamaihd.net,rodlzdf-a.akamaihd.net,rbbmediapmdp-a.akamaihd.net,cdn-storage.br.de,hr.gl-systemhaus.de,wdrmedien-a.akamaihd.net,wdradaptiv-vh.akamaihd.net,tv-download.dw.de,rbprogressivedl-a.akamaihd.net,nrodl.zdf.de,mediastorage01.sr-online.de,mediandr-a.akamaihd.net,media.ndr.de,http-stream.rbb-online.de,hrardmediathek-a.akamaihd.net,cdn-storage.br.de,arte.gl-systemhaus.de,apasfdp.apa.at,arteconcert-a.akamaihd.net,arteptweb-a.akamaihd.net,hdvodsrforigin-f.akamaihd.net,odmdr-a.akamaihd.net,pdodswr-a.akamaihd.net,pmdonlinekika-a.akamaihd.net,akamaistream.net



do you have an idea, why this file is not routed correctly in my router? what is the difference between normal public streaming contentoon akamaihd.net and the above link? is there an option to modify the route up configuration file to get these streams working on my router (without establishing an additional vpn on the device for some blocked contents?

Thanks a lot for your support

Hugo

Since the website has two IP addresses, you can try and enter them in the Web GUI for the German VPN Client and specify that all clients get routed thru the tunnel

# nslookup pdvideosdaserste-a.akamaihd.net
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      pdvideosdaserste-a.akamaihd.net
Address 1: 195.10.18.11
Address 2: 195.10.18.19

Or, use the DNSMASQ method and specify the entire domain name pdvideosdaserste-a.akamaihd.net.

 

[mister]

Hi Xentrk,
thank you for your reply.
Because I already had added the full domain akamaihd.net in my script with the DSNMASQ method, I thought that all subdomains would be routed over VPN1 as well

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken zdf.de,zdfmediathek.de,ard.de,wdr.de,kika.de,phoenix.de,swr.de,swrmediathek.de,br.de,ardmediathek.de,wdrmediathek.de,phoenix.de,akamaihd.net,hr.de,akamaistream.net,dw.de,sr-online.de,ndr.de,rbb-online.de,apa.at,tagesschau.de,heute.de,akamai.com,rodlzdf-a.akamaihd.net

But as described - it is not working.

What does "autoscan" in your github description do exactly and should I add it to my script ?

I didn´t understood the difference between the

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh

and

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh

commands as well - or is there no difference?

Thanks a lot again for your support.

Hugo

 

[Xentrk]

Hi Xentrk,
thank you for your reply.
Because I already had added the full domain akamaihd.net in my script with the DSNMASQ method, I thought that all subdomains would be routed over VPN1 as well

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 Mediatheken zdf.de,zdfmediathek.de,ard.de,wdr.de,kika.de,phoenix.de,swr.de,swrmediathek.de,br.de,ardmediathek.de,wdrmediathek.de,phoenix.de,akamaihd.net,hr.de,akamaistream.net,dw.de,sr-online.de,ndr.de,rbb-online.de,apa.at,tagesschau.de,heute.de,akamai.com,rodlzdf-a.akamaihd.net

But as described - it is not working.

What does "autoscan" in your github description do exactly and should I add it to my script ?

I didn´t understood the difference between the

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh

and

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh

commands as well - or is there no difference?

Thanks a lot again for your support.

Hugo

akamai is Content Delivery Networks (CDN) and you may encounter issue with your other routing rules by specifying that all akamai domains get routed thru the VPN client. Many streaming services use akamai.

There are two methods, one is the shell script method and the other is the shell script method + GUI. If you use the GUI method, you don't specify the interface. You run the load_DNSMASQ_ipset.sh script and specify the interface in the GUI. If you don't use the GUI, you have to run the script load_DNSMASQ_ipset_iface.sh and specify the interface. You can't specify the WAN interface when using the shell script + GUI method.

Here is the example I described earlier. Create two lines for each IP address by replacing the 74.125.0.0/16 with the IP addresseses for the domain name in the GUI.

Route All LAN Clients to a destination IP Block
Direct all LAN Clients to use the VPN tunnel when accessing an IP block that belongs to Google.

RouteGoogle 0.0.0.0 74.125.0.0/16 VPN

 

[szimat]

A little too complicated to my knowledge: I have severacl docker containers running on my server. Isnit possible to route one container over VPN (with killswitch).

 

[Xentrk]

A little too complicated to my knowledge: I have severacl docker containers running on my server. Isnit possible to route one container over VPN (with killswitch).

x3mRouting requires a source (LAN Client) and destination IP address on the WWW. You need a source IP address for each container and assign a static dhcp lease on the router.

 

[Chris_J]

Hello, you pointed me in the direction of your project from my thread regarding circumventing Android DNS.
I decided to give up with Netflix in the end, as I can only get BBC to work properly on my Nvidia Shield, so I'd like to route all Netflix traffic to the WAN interface instead. I was wondering whether you could kindly help me with something that is hopefully trivial enough to solve:

I've installed your script and ran option 3.

I then opted to use the ASN method

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

However, is it possible to apply this to a guest Wifi network? I have the 5GHz Guest 3 setup to route all traffic through VPN Client 2 (static private IP), but I'd like to have Netflix route through the WAN on this guest network only. I'm not sure how to apply this ipset to a different subnet.

Thanks in advance!

 

[Xentrk]

Hello, you pointed me in the direction of your project from my thread regarding circumventing Android DNS.
I decided to give up with Netflix in the end, as I can only get BBC to work properly on my Nvidia Shield, so I'd like to route all Netflix traffic to the WAN interface instead. I was wondering whether you could kindly help me with something that is hopefully trivial enough to solve:

I've installed your script and ran option 3.

I then opted to use the ASN method

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

However, is it possible to apply this to a guest Wifi network? I have the 5GHz Guest 3 setup to route all traffic through VPN Client 2 (static private IP), but I'd like to have Netflix route through the WAN on this guest network only. I'm not sure how to apply this ipset to a different subnet.

Thanks in advance!

Are you using Yaz-Fi for routing the guest network over the VPN?

Before I left for work this morning, I did set up a guest network. But when I run the "ip route" command in an SSH session, I don't see an interface get created for it. The current iptables rules need an interface to reference. I will have to investigate this as it's something I have never looked into. I may have to look at the Yaz-Fi code to see how @Jack Yaz is doing the routing.