x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[TechTinkerer]

Either one should work fine. But I do suspect that dnsmasq method may work best for streaming services that use Content Delivery Networks to cache content closer to the users geolocation.

Thanks again @Xentrk haven't actually setup vpn client yet i'm doing pre-research on how it all works using your scripts, got all the main things like mining script and whob etc - cool stuff though if it all works out

 

[Xentrk]

My router is connected to a VPN server all the time. I'd like to exclude certain IP addresses from being routed through the VPN. Example like Google, as Youtube content may have certain country restrictions and I'm unable to watch my usual content when connected to the VPN.

Is there a way x3mrouting can help me out?

Yes it can. The work is finding the domain names or IP addresses to use. Sometimes, you can find some hints using a web search. Here is one post for YT. A few posts back, I list how to mine domain names. Another trick is to view the website source code and search for .com and .net references. Sometimes it is easier than others.

 

[TechTinkerer]

@Xentrk is the json file parser needing to be installed and is dummyvpn1 needed if i install with option 3 of your install script for vpn + wan routing?

 

[ghostivv]

is there a fool proof idiot guide on how to do this thing ? Gone back to last 10 pages and now my head is hurting. I've installed option 2 and can't add any client using GUI. I can see the client list on Source IP dropdown but nothing happens on click. If i manually input Source IP then it does add to the client list.

Just a simple setup for traffic from nvidia Sheild at 192.168.1.12 to go through VPN incl Netflix except amazon prime and BBC through WAN.

Thanks.

Edit: Asus AC88U 384.15

 

[TechTinkerer]

@Xentrk is the dummyvpn table entry actually needed with installing option 3 from the install script as im really unsure?

 

[Kingp1n]

@Xentrk is the dummyvpn table entry actually needed with installing option 3 from the install script as im really unsure?

I'm using option 3 and currently don't use a dummyvpn, however, I am using the following rules for routing traffic:
All Traffic: 192.168.1.0/24 0.0.0.0 VPN
Router :192.168.1.1 0.0.0.0 WAN

 

[Diegoweb]

For troubleshooting, you can use the getdomainnames.sh utility to mine domain names from dnsmasq. You can nslookup the domain name to get the IPv4 address. Then, use whob package to lookup the IP address to see what ASN it belongs to. You will need to edit the script to reflect the proper location and name for the dnsmasq.log file.

#ipset -L NETFLIX
<snip>
45.57.47.0/24
45.57.78.0/24
45.57.80.0/24
23.246.50.0/24
23.246.31.0/24

#whob 23.246.50.0/24

IP: 23.246.50.0
Origin-AS: 2906
Prefix: 23.246.50.0/24
AS-Path: 18106 4657 6762 2906
AS-Org-Name: Netflix Streaming Services Inc.
Org-Name: Netflix Streaming Services Inc.
Net-Name: NETFLIX-SS-3
Cache-Date: 1584431995

Also, refer to the troubleshooting tips section on the GitHub page. How are you creating your routing rules?

I've an IPSet called netflix as you can see here:

Then I have this in my MWAN which will load balance:

But what I could see is:
When I start browsing netflix with this settings, I can easily browse everything in netflix.
But when I try to playback a video, it just sends me an error message (basically saying the title is unavailable or netflix server is not available).
When I just disable MWAN3 (load balance) and use 1 modem only and start to sniffer the packets with Wireshark, I could see that after pressing play in a video, Netflix call a Amazonws domain (ec2) to play the video. So it looks like I need to filter some of those servers (from Amazon) to netflix policy in MWAN (which involves WAN2 interface).

Unfortunately I can't just use all the Amazon AWS IP block range and send to this WAN2 interface because this simcard has only Netflix unmetered. If I send all Amazon traffic to this modem, all packages that are not related to netflix will get dropped.

So I'm kind trying to understand the best way to sniff as many AWS servers related to Netflix as possible. Perhaps like loading a video and reload as many time as possible to get a bunch of ips.
As I could see, when Netflix can't retrieve one of their IP's, they try another one. So I could use Windows Hosts file to block each of their IP's until I get a pretty good list where I wouldn't be able to play any videos, so I could use this IP's and send to WAN2 (and delete those ips from windows hosts file).

 

[Xentrk]

@Xentrk is the json file parser needing to be installed and is dummyvpn1 needed if i install with option 3 of your install script for vpn + wan routing?

The jq package is from entware and is required if using the script specifically created for downloading the Amazon AWS ip addresses.

Having the DummyVPN entry is needed if you require the ability to exploit the Accept DNS Configuration=Exclusive option that only creates the appropriate DNSVPN iptable chain if the Policy Routing table above isn't empty. Even if you don't require the DummyVPN entry, it won't cause any issues if you add it.

 

[Xentrk]

I've an IPSet called netflix as you can see here:

Then I have this in my MWAN which will load balance:

But what I could see is:
When I start browsing netflix with this settings, I can easily browse everything in netflix.
But when I try to playback a video, it just sends me an error message (basically saying the title is unavailable or netflix server is not available).
When I just disable MWAN3 (load balance) and use 1 modem only and start to sniffer the packets with Wireshark, I could see that after pressing play in a video, Netflix call a Amazonws domain (ec2) to play the video. So it looks like I need to filter some of those servers (from Amazon) to netflix policy in MWAN (which involves WAN2 interface).

Unfortunately I can't just use all the Amazon AWS IP block range and send to this WAN2 interface because this simcard has only Netflix unmetered. If I send all Amazon traffic to this modem, all packages that are not related to netflix will get dropped.

So I'm kind trying to understand the best way to sniff as many AWS servers related to Netflix as possible. Perhaps like loading a video and reload as many time as possible to get a bunch of ips.
As I could see, when Netflix can't retrieve one of their IP's, they try another one. So I could use Windows Hosts file to block each of their IP's until I get a pretty good list where I wouldn't be able to play any videos, so I could use this IP's and send to WAN2 (and delete those ips from windows hosts file).

Your list of domains looks complete. You shouldn't have to add amazonaws.com to the list of domains. When dnsmasq does a lookup on netflix.com, it will return IP addresses associated with the domain.

nslookup netflix.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      netflix.com
Address 1: 2a01:578:3::34d4:ac6a
Address 2: 52.48.35.66 ec2-52-48-35-66.eu-west-1.compute.amazonaws.com
Address 3: 52.210.202.149 ec2-52-210-202-149.eu-west-1.compute.amazonaws.com
Address 4: 52.214.178.75 ec2-52-214-178-75.eu-west-1.compute.amazonaws.com
Address 5: 52.30.238.17 ec2-52-30-238-17.eu-west-1.compute.amazonaws.com
Address 6: 52.214.223.236 ec2-52-214-223-236.eu-west-1.compute.amazonaws.com
Address 7: 52.19.113.209 ec2-52-19-113-209.eu-west-1.compute.amazonaws.com
Address 8: 52.51.252.111 ec2-52-51-252-111.eu-west-1.compute.amazonaws.com
Address 9: 52.18.96.227 ec2-52-18-96-227.eu-west-1.compute.amazonaws.com

Those IP addresses are added to the IPSET list. However, if you still have issues, try adding amazonaws.com to the ipset list and see if it works.

I can't help much more since you are on a OS and firmware I don't support. I suspect it is the policy rules that route the traffic that may be the issue. There are some threads on the openwrt forum site that may be of help.

https://forum.openwrt.org/t/mwan3-and-openvpn/35408
https://forum.openwrt.org/t/vpn-policy-based-routing-web-ui-discussion/10389

GitHub: https://github.com/stangri/openwrt_packages/blob/master/vpn-policy-routing/files/README.md

 

[TechTinkerer]

I'm using option 3 and currently don't use a dummyvpn, however, I am using the following rules for routing traffic:
All Traffic: 192.168.1.0/24 0.0.0.0 VPN
Router :192.168.1.1 0.0.0.0 WAN

@Kingp1n Thanks for the advice, appreciate it

 

[TechTinkerer]

@Xentrk if i dont define my lan to either route through wan or vpn will my traffic default going through wan?

 

[Xentrk]

@Xentrk if i dont define my lan to either route through wan or vpn will my traffic default going through wan?

Correct. The default interface is the WAN. Here is a summary of how the Policy Rules work.

 

[TechTinkerer]

Correct. The default interface is the WAN. Here is a summary of how the Policy Rules work.

What im looking to do probably is have my media streamer (shield tv) on wan, but have certain traffic e.g. netfix, amazon, disney+ traverse a vpn with use of your script hopefully doable

 

[Xentrk]

What im looking to do probably is have my media streamer (shield tv) on wan, but have certain traffic e.g. netfix, amazon, disney+ traverse a vpn with use of your script hopefully doable

Shouldn't be a problem. Here is the example for routing Netflix traffic using the ASN method to VPN Client 1:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

 

[TechTinkerer]

Shouldn't be a problem. Here is the example for routing Netflix traffic using the ASN method to VPN Client 1:

sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX AS2906

Main thing is capturing the ip's\hostnames so netfix,amazon,bbc,disney etc im guessing i will have to run all traffic of router through vpn?

its also the auto populate ips scan in scripts like how i set it up to make sure everything is current - setup routing clients table etc

 

[Wisiwyg]

Hi @Xentrk and all,

Firstly -I apologize if this is spamming your thread. I've asked this similar question over in the YazFi thread related to Guest Network usage.

I'm trying to create a routing redirection between a VPN Server instance on my Asus and route incoming VPN connections to a Guest network instance on the same router. Can this script support that?
Long story short - trying to set up a way for teenage kids to VPN into our home network running a minecraft server on the guest network, but don't want to give them access to the internal network. So my question is whether an incoming VPN connection can be redirected to the Guest network. TIA

 

[Xentrk]

Main thing is capturing the ip's\hostnames so netfix,amazon,bbc,disney etc im guessing i will have to run all traffic of router through vpn?

its also the auto populate ips scan in scripts like how i set it up to make sure everything is current - setup routing clients table etc

You don't need to use the autoscan feature. The beauty of the dnsmasq feature is it will resolve the IPv4 address based on any domains that match the high level domain name. For harvesting domains, you can use the getdomainnames.sh script. I think the scripts provides better results as the streaming services don't always use a domain name you would expect.

I had gathered the disney+ domains when I tried it for one month but didn't keep a copy. I think I went to the disney plus webpage and viewed the source code. Then, did a search for .com and .net.

I have BBC, Netflix and Amazon listed on the GitHub page.

 

[Xentrk]

Hi @Xentrk and all,

Firstly -I apologize if this is spamming your thread. I've asked this similar question over in the YazFi thread related to Guest Network usage.

I'm trying to create a routing redirection between a VPN Server instance on my Asus and route incoming VPN connections to a Guest network instance on the same router. Can this script support that?
Long story short - trying to set up a way for teenage kids to VPN into our home network running a minecraft server on the guest network, but don't want to give them access to the internal network. So my question is whether an incoming VPN connection can be redirected to the Guest network. TIA

I'll have to research when the weekend rolls around. It is similar to the solution here where the person used YazFi Guest Network with a VPN Client. They wanted Netflix traffic on the Guest Network to egress to the WAN interface.

 

[TechTinkerer]

You don't need to use the autoscan feature. The beauty of the dnsmasq feature is it will resolve the IPv4 address based on any domains that match the high level domain name. For harvesting domains, you can use the getdomainnames.sh script. I think the scripts provides better results as the streaming services don't always use a domain name you would expect.

I had gathered the disney+ domains when I tried it for one month but didn't keep a copy. I think I went to the disney plus webpage and viewed the source code. Then, did a search for .com and .net.

I have BBC, Netflix and Amazon listed on the GitHub page.

Thanks, for sonething like slingtv will i need vpn active to use dnsmasq script as was just thinking to do it i would need all media streamer traffic going through vpn?

 

[Wisiwyg]

I'll have to research when the weekend rolls around. It is similar to the solution here where the person used YazFi Guest Network with a VPN Client. They wanted Netflix traffic on the Guest Network to egress to the WAN interface.

Thank you, @Xentrk - I'll widen my search to vpn specific forums to see if there are existing solutions. I'd be surprised if I was the first to make this request. Going forward, I suspect more people will want to do something like this with more people working and schooling from home over the next few months.