x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[Olivier L]

looks like I need to create my own IPSET list.

 

[Xentrk]

looks like I need to create my own IPSET list.

For those websites you want to route to the WAN, do you need to specify one LAN client or all LAN Clients?

 

[Olivier L]

For those websites you want to route to the WAN, do you need to specify one LAN client or all LAN Clients?

A few LAN clients (subnet 192.168.1.192/28)

Envoyé de mon BLA-L29 en utilisant Tapatalk

 

[Xentrk]

A few LAN clients (subnet 192.168.1.192/28)

Envoyé de mon BLA-L29 en utilisant Tapatalk

I will look into what is required to modify an existing script to allow the user to specify exception rules for LAN clients. The revised script will need to give you the ability to specify a LAN IP address as the source. How do you want to create the destination IPSET list? You can do it using the dnsmasq method, ASN method or the manual method. You can read the methods on the GitHub page. Knowing what method you want to use will allow me to focus on the modifications that fit the method.

 

[Olivier L]

I will look into what is required to modify an existing script to allow the user to specify exception rules for LAN clients. The revised script will need to give you the ability to specify a LAN IP address as the source. How do you want to create the destination IPSET list? You can do it using the dnsmasq method, ASN method or the manual method. You can read the methods on the GitHub page. Knowing what method you want to use will allow me to focus on the modifications that fit the method.

I think it will be manual because will be various ASNs

Envoyé de mon BLA-L29 en utilisant Tapatalk

 

[Torson]

I think it will be manual because will be various ASNs

Envoyé de mon BLA-L29 en utilisant Tapatalk

Hi,
On an RT-AC86U -384.15 I have a notebook, a PC, smartphone and other streaming devices configured to use OVPN1 (everything else uses the WAN interface) and connect to the internet only if the tunnel is established. Also, I have a number of cloud servers that can be accessed only from my WAN IP.

I created a Cloud_Srv file in /opt/tmp/ in which I listed all the cloud IPs (one per line). Then I added this script to /jffs/scripts/nat-start:
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 0 Cloud_Srv.

Now regardless of the source IP I can access the cloud servers just fine - devices that are not connecting through a VPN client default to the WAN interface anyway, and the ones connecting through the VPN client will use the WAN interface only for the IPs listed in the /opt/tmp/Cloud_Srv file. All this is based on the GitHub documented method 3 (script method) with the MANUAL script.

How is this different than the @Oliver_L's scenario? As a side note, for some reason, after several weeks of usage some cloud servers access was blocked by Skynet. I whitelisted those IPs in the firewall and all works well for several months now.

Edit - also wanted to mention a shortcut worth using. If you do not already have a /jffs/configs/profile.add just download the script from Xentrk's Linux shell scripts GitHub at https://github.com/Xentrk/Asuswrt-Merlin-Linux-Shell-Scripts. Then add this line to it:
alias mng='iptables -nvL PREROUTING -t mangle --line'. Restart the SSH session and type 'mng' it will show the MANUAL entry I described before as:
12 11655 4920K MARK all -- br0 * 0.0.0.0/0 0.0.0.0/0 match-set Cloud_Srv dst MARK or 0x8000

 

[Olivier L]

Thanks Torson. It becomes clearer to me but my need is a bit different. I do not want all my VPN connected devices bypassing the VPN for a list of IPs but only a part of my VPN connected devices.
You do it for all VPN connected devices.

 

[Torson]

@Oliver_L, you're actually right... I work under the assumption (!) that all this being a home based scenario it's not an issue if the streaming devices could potentially get to the cloud. It would be nice indeed to be able to just filter access for specific LAN clients.

 

[Xentrk]

I think it will be manual because will be various ASNs

Envoyé de mon BLA-L29 en utilisant Tapatalk

You can use the existing functionality of x3mRouting to achieve your goal. This will get you up and running until I have more time to add some automation to perform some of the manual steps in the next release.

Single LAN Client or LAN Client range set up instructions

1. Install x3mRouting options 2 and 6.

2. Create IPSET Lists using one of the the available methods: Amazon, Manual, ASN, DNSMASQ for the destination IP addresses. In this example, I created IPSET list for the website whatismyipaddress.com using the DNSMASQ method.

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh WIMIPCOM whatismyipaddress.com

3. Create Policy Rules and configure so the rules are run at boot & VPN Client start-up

jffs/scripts/x3mRouting/vpnclientX-route-up, where X = VPN Client Number

When I am connected to the VPN tunnel and go to whatismyipaddress.com, it reports my WAN ipaddress. If I go to whatismyip.com, it reports my VPN server address. How cool is that?

#!/bin/sh
logger -st "($(basename "$0"))" "Started Policy Routing Rules for VPN Client $VPN_ID"

VPN_ID=${dev:4:1}

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh WIMIPCOM whatismyipaddress.com

# Range Example
iptables -D PREROUTING -t mangle -i br0 -m iprange --src-range 192.168.2.152-192.168.2.155 -m set --match-set WIMIPCOM dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -A PREROUTING -t mangle -i br0 -m iprange --src-range 192.168.2.152-192.168.2.155 -m set --match-set WIMIPCOM dst -j MARK --set-mark 0x8000/0x8000

# Single LAN Client Example
iptables -D PREROUTING -t mangle -i br0 --src 192.168.2.152 -m set --match-set WIMIPCOM dst -j MARK --set-mark 0x8000/0x8000 2>/dev/null
iptables -A PREROUTING -t mangle -i br0 --src 192.168.2.152 -m set --match-set WIMIPCOM dst -j MARK --set-mark 0x8000/0x8000

logger -st "($(basename "$0"))" "Completed Policy Routing Rules for VPN Client $VPN_ID"

/jffs/scripts/x3mRouting/vpnclientX-route-pre-down

#!/bin/sh
# Purge the routing rule when the VPN Client goes down
logger -st "($(basename "$0"))" $$ Starting Script Execution

iptables -D PREROUTING -t mangle -i br0 --src 192.168.2.152 -m set --match-set WIMIPCOM dst -j MARK --set-mark 0x8000/0x8000

logger -st "($(basename "$0"))" $$ Ending Script Execution

4. Issue the command to make the scripts executable. Substitute the X with the VPN client number.

chmod 755 /jffs/scripts/x3mRouting/vpnclientX-route-up
chmod 755 /jffs/scripts/x3mRouting/vpnclientX-route-pre-down

5. Bounce the vpn client to create the routing rules

6. Run the following command to see the iptables rules created and the number of packets traversing the chain.

iptables -nvL PREROUTING -t mangle --line

7. Run the following command to see the IPSET lists and number of entries:

liststats

 

[Olivier L]

thanks a lot, it works perfectly

 

[Olivier L]

Hello
I need further clarifications on how it works. I already have vpnclientX-route-up (just to send an email when vpn connects) and vpnclient1-route-pre-down (used by VPNFailover script) in /jffs/scripts folder.

Can both scripts (ones from x3mrouting folder and ones from scripts folder) be used simultaneously ? Or one folder supeseeds the other ? Is there any conflict' risk ?

Thanks

 

[mbekahs]

First of all I'd like to thank you for making this script/tool, much appreciated. I am only using the third - IPSET Shell Scripts - method and have some general suggestions for future improvements, I am new to ASUS-merlin so my suggestions may not necessarily be optimal for all situations, suggestions are purely based on my needs:

• Allow manual IPSET based routing through WAN for specific LAN clients only, or a range of clients - I understand, as a workaround, you've provided a manual way of doing this a couple of posts earlier already, thanks again. My request is this being a feature, built into the script natively
• If no domain names are harvested from dnsmasq.log, don't create an empty list, or ask user to confirm if they'd like to create an empty list. Perhaps there may be situations where a domain is expected to appear in dnsmasq later and the cron job will harvest it later so let the user decide.
• Allow the option to do nslookup instead of harvesting the dnsmasq for domains (bit like how Skynet does when you want to add a domain to whitelist, it does a nslookup automatically). I'm not sure if this may be relevant for other, definitely was relevant for me.
• Allow this functionality through the SSH terminal session interactively (through the script) instead of relying on manually running scripts to create forwarding rules and manually adding items to nat-start, openvpn events etc.
• For creation/deletion of manual IPSET list, allow adding comments in the file that contains list of IP addresses. Is this already possible perhaps, I just don't know about it?
• Finally, if the script functionality can be done through GUI, that would be perfect!

Thank you again.

 

[Xentrk]

Hello
I need further clarifications on how it works. I already have vpnclientX-route-up (just to send an email when vpn connects) and vpnclient1-route-pre-down (used by VPNFailover script) in /jffs/scripts folder.

Can both scripts (ones from x3mrouting folder and ones from scripts folder) be used simultaneously ? Or one folder supeseeds the other ? Is there any conflict' risk ?

Thanks

They can be used together. When you install openvpn-event from x3mRouting, it creates the file /jffs/scripts/x3mRouting/openvpn-event and adds a one line entry in /jffs/scripts/openvpn-event to call the one in x3mRouting (sh /jffs/scripts/x3mRouting/openvpn-event).

 

[Xentrk]

First of all I'd like to thank you for making this script/tool, much appreciated. I am only using the third - IPSET Shell Scripts - method and have some general suggestions for future improvements, I am new to ASUS-merlin so my suggestions may not necessarily be optimal for all situations, suggestions are purely based on my needs:

• Allow manual IPSET based routing through WAN for specific LAN clients only, or a range of clients - I understand, as a workaround, you've provided a manual way of doing this a couple of posts earlier already, thanks again. My request is this being a feature, built into the script natively
• If no domain names are harvested from dnsmasq.log, don't create an empty list, or ask user to confirm if they'd like to create an empty list. Perhaps there may be situations where a domain is expected to appear in dnsmasq later and the cron job will harvest it later so let the user decide.
• Allow the option to do nslookup instead of harvesting the dnsmasq for domains (bit like how Skynet does when you want to add a domain to whitelist, it does a nslookup automatically). I'm not sure if this may be relevant for other, definitely was relevant for me.
• Allow this functionality through the SSH terminal session interactively (through the script) instead of relying on manually running scripts to create forwarding rules and manually adding items to nat-start, openvpn events etc.
• For creation/deletion of manual IPSET list, allow adding comments in the file that contains list of IP addresses. Is this already possible perhaps, I just don't know about it?
• Finally, if the script functionality can be done through GUI, that would be perfect!

Thank you again.

Thanks for the ideas. Full integration with the GUI in the future would be ideal. But a huge effort as well.

You may want to look at pfSense firmware. It has all of the features available through the GUI us script writers have written addons for the Asuswrt-Merlin firmware. Especially if your use case requires Selective Routing. I first experimented with pfSense to get higher OpenVPN throughput from AES-NI. I then found the pfBlockerNG package and Firewall GUI have all of the features to support selective routing in addition to advertising and malicious host blocking. The equivalent to skynet are the snort and suricata packages.

The firewall as an "Alias" feature to create lists. For example, I can create an alias for LAN clients or host names. In the firewall GUI, I can then create a rule to route the alias to the tunnel I prefer or exceptions for domain names. I use pfBlockerNG to create a list of host names or IP addresses manually, from existing sources and using ASN. You then kick off a job in the GUI to populate the lists. Graphical reports are available in pfBlockerNG, similar to what pi-hole provides, along with dashboard stats.

I converted an Windows 7 PC to a pfSense appliance and use an RT-AC68U as the access point.

 

[mbekahs]

Thanks for the ideas. Full integration with the GUI in the future would be ideal. But a huge effort as well.

You may want to look at pfSense firmware. It has all of the features available through the GUI us script writers have written addons for the Asuswrt-Merlin firmware. Especially if your use case requires Selective Routing. I first experimented with pfSense to get higher OpenVPN throughput from AES-NI. I then found the pfBlockerNG package and Firewall GUI have all of the features to support selective routing in addition to advertising and malicious host blocking. The equivalent to skynet are the snort and suricata packages.

The firewall as an "Alias" feature to create lists. For example, I can create an alias for LAN clients or host names. In the firewall GUI, I can then create a rule to route the alias to the tunnel I prefer or exceptions for domain names. I use pfBlockerNG to create a list of host names or IP addresses manually, from existing sources and using ASN. You then kick off a job in the GUI to populate the lists. Graphical reports are available in pfBlockerNG, similar to what pi-hole provides, along with dashboard stats.

I converted an Windows 7 PC to a pfSense appliance and use an RT-AC68U as the access point.

Thanks for the pfsense suggestion, I'll take a look.

 

[Xentrk]

Thanks for the pfsense suggestion, I'll take a look.

This post has some references
Lawrence Systems has some nice video tutorials and demos of the features.

In pfBlockerNG, you can create IPv4 lists aka IPSET lists.

This list is generated from an ASN

You can also create lists by entering or pasting IPv4 or IPv6 addresses in a box.

Firewall allows you to define alias using IP addresses or domain names as well. You then create a rule in the GUI to route the traffic to the desired interface.

 

[Xentrk]

Here is an example of the next update planned for x3mRouting.

# route VPN Client 1 traffic from 192.168.22.152-192.168.22.157 matching IPSET list WIMIPCOM to the WAN        
x3mRouting.sh 1 0 WIMIPCOM src_range=192.168.22.152-192.168.22.157
                     
# route VPN Client 1 traffic from LAN client range 192.168.22.152-192.168.22.157 matching IPET list containing the US AWS region to the WAN
x3mRouting.sh 1 0 AMAZON_US aws_region=US src_range=192.168.22.152-192.168.22.157

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152 matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM src=192.168.22.152

# route all traffic matching IPSET list WIMIPCOM to VPN Client 1 (manually created list)
x3mRouting.sh ALL 1 WIMIPCOM

#  VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM
     
# route all traffic matching IPSET list NETFLIX created from AS2906 to VPN Client1    
x3mRouting.sh ALL 1 NETFLIX asnum=AS2906

# route all traffic matching IPSET list NETFLIX created from domain names to VPN Client1
x3mRouting.sh ALL 1 NETFLIX domain=amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
                             
# route all traffic matching IPSET list SKY created from scanning dnsmasq for domains containing sky.com to VPN Client1                                
x3mRouting.sh ALL 1 SKY domain=sky.com autoscan

An added feature includes automatic configuration to run the x3mRouting script @ route-up event and to remove the routing rule @ route-pre-down event.

 

[w7gt]

I have an Asus RT-AC86U router, which I have flashed with AsusWrt Merlin 384.15 firmware. I have set it up to run an OpenVPN client, connected to a NordVPN server. That part works fine. But there are certain websites that discriminate against VPNs by blocking connections -- sites like macys.com, for example. This makes my wife mad, and she tells me to turn off the VPN.

Using the Merlin firmware I can successfully enter an IP address and tell the router to bypass the VPN for that address and go straight to the website over the WAN. The frustrating thing is that some sites, like Macy's, use many servers and dynamic load balancing, so you don't know what IP address "macys.com" will resolve to. So sometimes the VPN bypass works, and sometimes not.

What I'd like to be able to do is to enter the destination of "www.macys.com" into the Merlin routing rules instead of "23.204.249.0/24" (plus who-knows how many other macy's addresses). But I don't believe that functionality exists in Merlin. Is it possible to accomplish what I want using scripts to deal with the problem of different website names having multiple (and perhaps changing) IP addresses from time to time?

UPDATE -- I see the following example from the post prior to mine, posted by Xentrk. Is this routing example related to what I am wanting to do?

# route all traffic matching IPSET list NETFLIX created from domain names to VPN Client1
x3mRouting.sh ALL 1 NETFLIX domain=amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Thanks for any help or suggestions,
Tom

 

[Xentrk]

I have an Asus RT-AC86U router, which I have flashed with AsusWrt Merlin 384.15 firmware. I have set it up to run an OpenVPN client, connected to a NordVPN server. That part works fine. But there are certain websites that discriminate against VPNs by blocking connections -- sites like macys.com, for example. This makes my wife mad, and she tells me to turn off the VPN.

Using the Merlin firmware I can successfully enter an IP address and tell the router to bypass the VPN for that address and go straight to the website over the WAN. The frustrating thing is that some sites, like Macy's, use many servers and dynamic load balancing, so you don't know what IP address "macys.com" will resolve to. So sometimes the VPN bypass works, and sometimes not.

What I'd like to be able to do is to enter the destination of "www.macys.com" into the Merlin routing rules instead of "23.204.249.0/24" (plus who-knows how many other macy's addresses). But I don't believe that functionality exists in Merlin. Is it possible to accomplish what I want using scripts to deal with the problem of different website names having multiple (and perhaps changing) IP addresses from time to time?

UPDATE -- I see the following example from the post prior to mine, posted by Xentrk. Is this routing example related to what I am wanting to do?

# route all traffic matching IPSET list NETFLIX created from domain names to VPN Client1
x3mRouting.sh ALL 1 NETFLIX domain=amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

Thanks for any help or suggestions,
Tom

That example I posted is not available yet. It is in development for the next release.

This is the usage example for the current version of x3mRouting:

Create IPSET NETFLIX via WAN and auto populate IPs for multiple Netflix domains

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

You can also look in dnsmasq.log to see what domains Macy's queries. The getdomainnames.sh script helps with the effort.

Or, view the website source code and search for ".com" and ".net" to see what domains are being referenced. Then, do an nslookup on the domain to get the IP addresses associated with the domain name. Then, do a search on the IP address on the Hurricane Electric BGP Toolkit to see what ASN the IP is associated with and use the ASN method.

Rerfer to the GitHub page for usage examples.

 

[Olivier L]

Here is an example of the next update planned for x3mRouting.

# route VPN Client 1 traffic from 192.168.22.152-192.168.22.157 matching IPSET list WIMIPCOM to the WAN       
x3mRouting.sh 1 0 WIMIPCOM src_range=192.168.22.152-192.168.22.157
                    
# route VPN Client 1 traffic from LAN client range 192.168.22.152-192.168.22.157 matching IPET list containing the US AWS region to the WAN
x3mRouting.sh 1 0 AMAZON_US aws_region=US src_range=192.168.22.152-192.168.22.157

# VPN Client Bypass: route VPN Client 1 traffic from 192.168.22.152 matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM src=192.168.22.152

# route all traffic matching IPSET list WIMIPCOM to VPN Client 1 (manually created list)
x3mRouting.sh ALL 1 WIMIPCOM

#  VPN Client Bypass: route all VPN Client 1 traffic matching IPSET list WIMIPCOM to the WAN
x3mRouting.sh 1 0 WIMIPCOM
    
# route all traffic matching IPSET list NETFLIX created from AS2906 to VPN Client1   
x3mRouting.sh ALL 1 NETFLIX asnum=AS2906

# route all traffic matching IPSET list NETFLIX created from domain names to VPN Client1
x3mRouting.sh ALL 1 NETFLIX domain=amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
                            
# route all traffic matching IPSET list SKY created from scanning dnsmasq for domains containing sky.com to VPN Client1                               
x3mRouting.sh ALL 1 SKY domain=sky.com autoscan

An added feature includes automatic configuration to run the x3mRouting script @ route-up event and to remove the routing rule @ route-pre-down event.

Looks GREAT !!!!