x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

The conflict may be due to Line 2 which makes all Netflix traffic on the LAN get routed to the WAN. That will get the first match. You should delete it as traffic will default to the WAN unless you have an exception rule as you do in line 3.

Code:
iptables -t mangle -D PREROUTING 2

Line 3 shows that 190 packets have traversed the iptables chain. What error msg do you get on Netflix? Do you get a proxy error? NF blocks many VPN services.

How do I delete it? I uninstalled x3mRouting but line 2 is still there.
 
This command will delete the routing rule.
Code:
iptables -t mangle -D PREROUTING 2

Turning the VPN Client instance off should remove the rule. But it will get reinstated if you have an entry in the GUI. But I didn't see one in your screen snip.
 
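A rule number such as 2 is only valid until another rule is inserted into or removed from the chain. The following is an added example, not part of the original posts or of x3mRouting: it works from "iptables -t mangle -S PREROUTING" output, lists ipsets that are targeted with more than one mark, and builds the delete command from the rule specification instead of its position. The sample rules, the br0 interface and the fwmark values are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of "iptables -t mangle -S PREROUTING" output. The set names
# come from the thread; br0 and the fwmark values are assumed for illustration.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-xmark 0x8000/0x8000
-A PREROUTING -i br0 -m set --match-set NETFLIX dst -j MARK --set-xmark 0x1000/0x1000
-A PREROUTING -i br0 -m set --match-set AMAZON-US dst -j MARK --set-xmark 0x1000/0x1000'

# On the router, use the live chain instead:
#   RULES=$(iptables -t mangle -S PREROUTING)
RULES=$SAMPLE_RULES

# conflicting_sets: print each ipset that is matched by rules setting different marks.
conflicting_sets() {
    printf '%s\n' "$RULES" | awk '
        $1 == "-A" {
            name = ""
            for (i = 1; i < NF; i++) if ($i == "--match-set") name = $(i + 1)
            if (name != "" && !((name, $NF) in seen)) { seen[name, $NF] = 1; marks[name]++ }
        }
        END { for (n in marks) if (marks[n] > 1) print n }'
}

# delete_cmds SET MARK: print a delete-by-specification command for every rule
# that matches SET and sets MARK. Unlike "-D PREROUTING 2", the command stays
# correct when other rules are added or removed first.
delete_cmds() {
    printf '%s\n' "$RULES" | awk -v name="$1" -v mark="$2" '
        $1 == "-A" && $NF == mark {
            for (i = 1; i < NF; i++)
                if ($i == "--match-set" && $(i + 1) == name) {
                    sub(/^-A /, "-D ")
                    print "iptables -t mangle " $0
                    break
                }
        }'
}

# Prints the command for review; it does not run iptables.
delete_cmds NETFLIX 0x8000/0x8000
```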
Thank you. I managed to delete it but still no go on the netapp front. My Netflix app gets stuck on a black screen without loading. The VPN provider should be working as I have another router connected by L2TP and Netflix works when I connect to this router. How can I troubleshoot this further?

Should I be using option 3 instead, as I am not sure if mine is a shared VPN? My VPN is set up on client 1 but the first few posts mention using interface 0. Should I change it to 1?

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906
 
The "0" represents the WAN interface. Many add a rule to route the entire LAN over the VPN Client to take advantage of the option to block traffic if the VPN goes down. The second line is so the router can talk to the WAN at all times.
Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN

The problem is Netflix blocks known VPN servers. So the script below will bypass the VPN for Netflix traffic and route it to the WAN interface.
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

In the new version of x3mRouting, one must specify the source interface, destination interface and method (asnum=, aws_region=, dnsmasq=). If no method is specified, it defaults to the manual method.

This will route all Netflix traffic to the WAN.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 0 NETFLIX asnum=AS2906

This will route all Netflix traffic to VPN Client 1.
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX asnum=AS2906
 
Sorry, I don't understand this at all. Why does the router need to talk to the WAN? So you can remote control the router from the internet or run the blocking script?

Does this mean your script will unblock Netflix regionally without a VPN?

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906
(load_ASN_ipset.sh): 26769 Starting Script Execution
ipset v6.32: Error in line 1: Syntax error: cannot parse create: resolving to IPv4 address failed
(load_ASN_ipset.sh): 26769 Ending Script Execution

By the way, I'm having another problem. :( Been getting this and I can't create an ipset anymore. I tried to uninstall and install x3mRouting and also tried to change the router DNS but still getting this error.
 
Configuring the router to use the WAN will allow the router to get NTP and other services if you have chosen to block traffic when the VPN connection goes down. I also had issues with policy routing when using more than one VPN client if I didn't have the entry.

The 0 entry routes NETFLIX traffic to the WAN interface, bypassing the VPN.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 NETFLIX AS2906

So, if you have your streaming device configured to use the VPN tunnel, all traffic except NETFLIX gets routed through the VPN. NF gets routed to the WAN, thereby bypassing the VPN.

Perhaps the script got corrupted? I can't reproduce the error. Do a force update - option 8 and try again.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh TESTIT AS2906
(load_ASN_ipset.sh): 12753 Starting Script Execution
(load_ASN_ipset.sh): 12753 IPSET created: TESTIT hash:net family inet hashsize 1024 maxelem 65536
(load_ASN_ipset.sh): 12753 Ending Script Execution

Code:
ipset -L TESTIT

Name: TESTIT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 7932
References: 0
Number of entries: 148
Members:
45.57.28.0/24
45.57.83.0/24
37.77.184.0/21
<snip>

 
Hi Xentrk!

Thanks a lot for the script! I use load_MANUAL_ipset.sh and it does the job for me. Let me tell you about my case. I have a NordVPN subscription and my VPN client 1 is always connected. I use the VPN to only route my IPTV traffic through the tunnel, because my ISP is blocking all the IPTV traffic except their own. Anyways, the IPTV provider that I use constantly changes IPs and I made a little script triggered by a cron job every day at 4 am to fetch the playlist and all the IPs from it, then turn these IPs (around 2000) to CIDRs and write that to a file. My script then calls your script to make the ipset from that file with CIDRs. Then I have that same ipset routed through the VPN. All works OK, but what I've been noticing is that to route that ipset through the VPN a mangle table rule is created, which is right, but that rule is gone at each firewall restart because the tables are cleaned. As a workaround I added that rule into the firewall-start script. Do you think there could be a better solution for this?
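The cron workflow described above feeds addresses taken from a remote playlist into a firewall set, so the list is worth validating before it is loaded. This added example is not the poster's script or part of x3mRouting; the function names, file arguments and sample addresses are assumptions. It drops malformed lines, private and reserved ranges and prefixes such as /0, and keeps the previous file when too few entries survive a fetch.

```shell
#!/bin/sh
# Constructed sample of addresses extracted from a playlist; every value is made up.
SAMPLE_IPS='203.0.113.10
203.0.113.10
198.51.100.7
192.168.1.1
10.0.0.5
999.1.1.1
iptv.example.com
1.2.3.4/0'

# clean_ip_list: read one candidate per line on stdin, print unique public
# IPv4 addresses as /32 entries, and report the number of rejected lines on stderr.
clean_ip_list() {
    tr -d '\r' | awk -F. '
        function reserved(a, b) {
            return a == 0 || a == 10 || a == 127 || a >= 224 ||
                   (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168) ||
                   (a == 169 && b == 254) || (a == 100 && b >= 64 && b <= 127)
        }
        {
            ok = (NF == 4)
            for (i = 1; ok && i <= 4; i++)
                ok = ($i ~ /^(0|[1-9][0-9]?[0-9]?)$/ && $i + 0 <= 255)
            if (!ok || reserved($1 + 0, $2 + 0)) { bad++; next }
            if (!seen[$0]++) print $0 "/32"
        }
        END { if (bad) print bad " line(s) rejected" > "/dev/stderr" }'
}

# update_cidr_file RAW OUT MIN: rewrite OUT from RAW only when at least MIN
# entries survive validation, so a failed or tampered fetch cannot empty the set.
update_cidr_file() {
    tmp="$2.tmp.$$"
    clean_ip_list < "$1" > "$tmp" 2>/dev/null
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$3" ]; then
        rm -f "$tmp"
        return 1    # previous OUT is left untouched
    fi
    mv "$tmp" "$2"
}

printf '%s\n' "$SAMPLE_IPS" | clean_ip_list
```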
 
The new version coming out soon will automatically perform the configuration. With the current version, you'll have to take some manual steps. Remove the entry from firewall-start.
  • Select Option 6 - Install x3mRouting OpenVPN Event from the x3mRouting installation menu.
  • In the project directory /jffs/scripts/x3mRouting, create a corresponding script called vpnclientX-route-up for each OpenVPN Client used for x3mRouting, where the "X" is the OpenVPN Client number 1, 2, 3, 4 or 5.
  • Then, add the required entry for each x3mRouting script that requires routing through the OpenVPN Client.
/jffs/scripts/x3mRouting/vpnclient1-route-up
Code:
#!/bin/sh
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset.sh 1 AMAZON-US US

Set the script to be executable (e.g. chmod 755 vpnclient1-route-up). If using the GUI method, the routing rule will be deleted when the VPN Client gets disabled. Otherwise, there is an iptables entry required in vpnclient1-route-pre-down.

If you have no policy rules for LAN clients in the GUI, create a Dummy VPN entry.
 
@Xentrk there's been a few reports of mislabelling on the ASP page for VPN clients - are you aware of this and do you have a patch in the works?

EDIT: e.g. https://www.snbforums.com/threads/a..._4-vpnclient-page-shows-incorrect-menu.62649/
I have not seen any reports. I looked at the post and couldn't tell if it was the x3mRouting screen version since it didn't go far enough down the page. I should add a banner at the top of the screen. I currently have 384.16 alpha and can't duplicate. Last update was on Nov 25, 2019 to update for 384.15.

I wish people would put their router model, firmware version and add-ons in their signature file, or put the info in the post, so we can be of better assistance.
 
Hi Xentrk,

I'll give it a try!

Thanks!
 
Xentrk,

That's my post and I do use x3mRouting. I'm routing an ipset through the VPN. I think this issue happened after I updated the x3mRouting repository last time. Not that it does any harm; all works as expected. It's just sometimes confusing that you have to remember that "Previous" means "Yes" and "Next" means "No". Any ideas how to fix this? Thanks!

Teymur
 
@Xentrk Thank you for all the work you've done :)

I wonder if a split-tunneling feature could be used for a list of apps linked to their APNs, to go over either VPN or WAN, so basically an app list that is set to go over VPN. I guess those apps' traffic/data will have to be marked to be routed; just no idea how that would be implemented.
 
@Xentrk, I've been using option 3 for the longest time without issues...will the new update change anything for me or this only affects those who used the other options? Thanks!
 
Hi all, new here. Can someone dumb the process down for me? I have Merlin installed and have my IP addresses for devices mapped to OpenVPN. I don’t understand where all these lines are to be entered. Thank you.
 
I have to update the customized screen at times to conform with firmware updates. The issue is the changes may not be backward compatible with older firmware versions. I suspect that may be the case here. The last changes were made on Nov 25, 2019.

I know the current version of the screen works with 384.15 and 384.16 alpha. The good news is GitHub keeps a history of all changes. So, if you are on an earlier version, I'll need to give you a link to download the screen for an earlier version of the repository where the screen matches the firmware version. Or, updating to 384.15 may resolve the issue. What is your firmware version and router model?
 
There is nothing to force you to use the newer version when it comes out. But it is recommended.

The difference is I am combining all of the different scripts into one script. The source interface now has to be specified to support the new automatic configuration feature. You only have to run the script at the command line one time and all of the setup gets created automatically to support VPN up/down events and system boot up. The only other change is that you must specify the method in the command line:

dnsmasq=whatismyip.com, ip=x.x.x.x, asnum=AS2906, aws_region=US

You can also specify a src IP or src-range of IP addresses for exceptions. For example, if I specify that all traffic use VPN Client 1 with the entry 192.168.1.0/24 but need to create an exception for one IP address for Netflix traffic:

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 NETFLIX asnum=AS2906 src=192.168.1.50

I have an idea for a script to help with the conversion.
 
You have to enable SSH access on the router. The guide is a little dated but should be of help. Then, you need to select a client to access the SSH session. I recommend you use diversion or amtm to install entware. diversion will also provide some tools if you need to troubleshoot dnsmasq.log file. I use the MobaXterm client. There are many to choose from. The SFTP gives a windows explorer type view of the file system and has a good editor built in. To use SFTP, you need to install openssh-sftp-client.
Code:
opkg install openssh-sftp-client

A Google search can list out the basic linux commands you may require.
 
