x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

Hi - I'm having issues with BBC iPlayer but not Netflix. Any ideas? Config is as follows (I'm using option 2 - GUI and IPSET):

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh NETFLIX AS2906 dir=/tmp/mnt/Transfer01/Backups

dnsmasq.conf.add
ipset=/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/NETFLIX

sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh BBC_WEBAS2818 AS2818 dir=/tmp/mnt/Transfer01/Backups
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh BBC_WEBAS31459 AS31459 dir=/tmp/mnt/Transfer01/Backups

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net,llnwd.net,bbciplayer.co.uk,bbciplayer.com,live.bbc.co.uk,api.bbc.co.uk

It is similar to what I use. I manually created BBC from ASNs AS28018 and AS31459 since the lists were small. I route to VPN Client 3. These scripts don't use the GUI though, as they apply the routing automatically. You may want to try that.

/opt/tmp/BBC
Code:
132.185.112.0/20
132.185.224.0/20
132.185.128.0/20
132.185.0.0/16
212.58.224.0/19

create BBC_WEB hash:net family inet hashsize 1024 maxelem 65536
/jffs/scripts/nat-start
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 3 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
sh /jffs/scripts/x3mRouting/load_MANUAL_ipset_iface.sh 3 BBC

/jffs/configs/dnsmasq.conf.add
Code:
ipset=/www.bbc.co.uk/bbc.co.uk/bbc.com/bbc.gscontxt.net/bbci.co.uk/bbctvapps.co.uk/ssl-bbcsmarttv.2cnt.net/llnwd.net/BBC_WEB

Any error message when you try to access bbc? Try streaming using a streaming device and laptop or tablet. The other troubleshooting tips are on the GitHub page. Can also check the /opt/var/log/dnsmasq.log file to see if ipset entries are being added for BBC_WEB.

Code:
grep "ipset" "/opt/var/log/dnsmasq.log"
 
Thanks,

So I managed to fix BBC iPlayer but I now notice on Netflix that only some of the content loads fine. It's more the Hollywood blockbusters that don't load. Any ideas? This is my current configuration:

nat-start
Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC_WEBAS2818 AS2818
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC_WEBAS31459 AS31459
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX amazonaws.com,netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-14618 AS14618
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-394406 AS394406
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-2906 AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 AMAZON-812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 AMAZON-16509 AS16509

sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-GLOBAL GLOBAL

dnsmasq.conf.add
Code:
ipset=/amazonaws.com/netflix.com/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/NETFLIX
ipset=/bbc.co.uk/bbc.com/bbc.gscontxt.net/bbci.co.uk/bbctvapps.co.uk/ssl-bbcsmarttv.2cnt.net/BBC_WEB
 
@vertigo888 - try adding 'netflix.net' to the NETFLIX ipset.
Also, you don't need two AS812 on the same interface (call it AMA_FLIX). That being said, the AS812 contains Rogers' user pools, hosting, business partners etc. What probably matters are the Akamai entries at the top on https://bgp.he.net/AS812#_prefixes.
Try removing AS394406 from the mix. Good luck!
 
Thanks but still having issues - anything but Hollywood movies are good. Any further ideas?

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC_WEBAS2818 AS2818
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 BBC_WEBAS31459 AS31459
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-55095 AS55095
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-40027 AS40027
#sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-394406 AS394406
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-2906 AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 AMAZON-16509 AS16509

#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-GLOBAL GLOBAL
#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-EU EU
#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-AP AP
#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-CN CN
#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-CA CA
#sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-SA SA

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 BBC_WEB bbc.co.uk,bbc.com,bbc.gscontxt.net,bbci.co.uk,bbctvapps.co.uk,ssl-bbcsmarttv.2cnt.net
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX_WEB amazonaws.com,netflix.com,netflix.net,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,dvd.netflix.com
 
There are many redundant NETFLIX lines. Just run:
Code:
iptables -nvL PREROUTING -t mangle --line
browse Netflix and then remove the ones that show 0 packets.
Also, try to add the ASN of your service provider. In all likelihood the CDNs that you need are there.
 
@Xentrk have you been successful in the testing of the new update and ready to rollout?
 
Still no luck, even after adding in my ISP ASNs via WAN (Starhub has multiple ASNs). Does the below look okay?

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-40027 AS40027
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-2906 AS2906
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-812 AS812
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 1 NETFLIX-16509 AS16509
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-US US
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-GLOBAL GLOBAL
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-EU EU
sh /jffs/scripts/x3mRouting/load_AMAZON_ipset_iface.sh 1 AMAZON-AP AP
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 STARHUB-55430 AS55430
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX_WEB amazonaws.com,netflix.com,netflix.net,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net,dvd.netflix.com
 
@Xentrk have you been successful in the testing of the new update and ready to rollout?
I implemented the new x3mRouting.sh script on my router on Saturday and resolved what I hope was the final snag on Sunday. I did a lot of testing over the weekend under different scenarios. All is working good.

I finished a prototype conversion script yesterday to help ppl who execute the current version of the scripts from nat-start. I think the best approach is to take another week to finish the changes required to the installation menu and documentation. I will then place the new version in a separate branch for preliminary testing by members and to get feedback before merging into the master branch.
 
I think you are casting too wide of a net. You shouldn't have to include all of the Amazon regions. See https://github.com/Xentrk/x3mRouting#iptables-chains for instructions on how to check the number of packets traversing the iptables chains.

Other items to check:
  1. Policy Routing enabled on the VPN Client.
  2. Check if you need to add the https://github.com/Xentrk/x3mRouting#dummyvpn entry
  3. Do a grep "ipset" "/opt/var/log/dnsmasq.log" while streaming to make sure you see IPv4 entries are added to the IPSET list for NETFLIX_WEB.
  4. The amazonaws.com should capture all of the amazon prime domains.
  5. Experiment with the setting Wan: Use local caching DNS server as system resolver (default: No) in Tools->Other Settings tab. I have mine set to Yes.
  6. What is Accept DNS Configuration set to on the VPN Client?
  7. Use the liststats command to see if the ipset list is populated for NETFLIX_WEB.
 
Ok so I still cannot get it working completely. Any ideas - totally no clue what the issue is here I'm clearly missing something?:

Just to note, I'm on a Dual-WAN setup and have VPN client1 going through wan0 and I just installed stubby.

To answer your question:
  • Policy Routing as Strict Enabled
  • Dummy VPN entry included
  • NETFLIX_WEB is populated
  • Local caching DNS server as system resolver is now set to Yes
  • DNS configuration was exclusive with the DummyVPN entry but is now set to disabled because of Stubby
Liststats output
Code:
AMAZON-16509 - 3969
AMAZON-GLOBAL - 52
AMAZON-US - 481
BBC_WEB - 116
BBC_WEBAS31459 - 1
NETFLIX-14618 - 281
NETFLIX-2906 - 149
NETFLIX-812 - 569
NETFLIX_WEB - 165
STARHUB-55430 - 315
Skynet-Blacklist - 190637
Skynet-BlockedRanges - 1718
Skynet-IOT - 0
Skynet-Master - 2
Skynet-Whitelist - 6057

dnsmasq output
Code:
ipset=/bbc.co.uk/bbc.com/bbc.gscontxt.net/bbci.co.uk/bbctvapps.co.uk/ssl-bbcsmarttv.2cnt.net/BBC_WEB
ipset=/amazonaws.com/netflix.com/netflix.net/nflxext.com/nflximg.net/nflxso.net/nflxvideo.net/dvd.netflix.com/NETFLIX_WEB

Routing table output
Code:
num   pkts bytes target     prot opt in     out     source               destination
1     8759 1956K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
2     2542  387K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.11-192.168.1.255 MARK set 0x1
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEBAS31459 dst MARK or 0x1000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-812 dst MARK or 0x1000
5     1842  138K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-2906 dst MARK or 0x1000
6       49  5574 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-14618 dst MARK or 0x1000
7     1054 1069K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x1000
8     2296 1158K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-16509 dst MARK or 0x1000
9     1144 65903 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x1000
10       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000
11    1127 1089K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX_WEB dst MARK or 0x1000
12       1   132 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set STARHUB-55430 dst MARK or 0x8000
 
You need to show the Selective Routing RPDB rules...
Code:
ip rule
 
As follows, public ip anonymised

Code:
0:      from all lookup local
15:     from 192.168.1.10 lookup ovpnc1
148:    from all fwmark 0x1 lookup wan1
149:    from all lookup wan0
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
150:    from all fwmark 0x90000000/0xf0000000 lookup wan1
200:    from someip lookup wan1
200:    from 192.168.1.1 lookup wan0
200:    from 8.8.8.8 lookup wan1
200:    from 8.8.4.4 lookup wan1
400:    from all to someip lookup wan0
400:    from all to someip lookup wan1
400:    from all to 192.168.1.1 lookup wan0
400:    from all to 8.8.8.8 lookup wan1
400:    from all to 8.8.4.4 lookup wan1
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 192.0.2.0 lookup ovpnc1
10102:  from 192.168.1.10 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
 
Interestingly enough, Google DNS was still showing in the GUI, which meant it was still showing in the RPDB table. Fixed this but it still doesn't make a difference to Netflix.
 
I don't see the fwmark/bitmask for the WAN interface. It should look like this:

Code:
9990:   from all fwmark 0x8000/0x8000 lookup main
Rerun the script for your ISP to see if that fixes things.

Also, I don't have the RPDB rules above the fwmark/bitmask for the WAN and OpenVPN interfaces. There is always a possibility that a rule in the 15 to 400 range may take a higher priority but I'm not spotting a conflict. Your dual WAN use case may be causing a conflict though. But let's see if you can get your ISP AS number routed to the WAN to see if that fixes things first. @Martineau has prior experience on dual WAN and was a big help to another dual WAN user. What router model and fw version are you using?
 
I don't see the fwmark/bitmask for the WAN interface. It should look like this:
Code:
9990:   from all fwmark 0x8000/0x8000 lookup main
Isn't the OP trying to route the IPSETs via VPN Client 1?
@Martineau has prior experience on dual WAN and was a big help to another dual WAN user.
You mean this OpenVPN Server and Dual-WAN help? ;) to show how RPDB rule 15 got inserted.

Surely the misplaced low priority VPN Client 1 rules (9995,10101) need to be moved to the higher priority 15? as was performed for rule 10102.
 
Martineau has been extremely helpful :). So I did some tweaks to the ip rules and still no better.

But these are what they are now:

Code:
0:      from all lookup local
15:     from 192.168.1.10 lookup ovpnc1
15:     from 192.0.2.0 lookup ovpnc1
15:     from all fwmark 0x1000/0x1000 lookup ovpnc1
18:     from all fwmark 0x1 lookup wan1
19:     from all lookup wan0
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
150:    from all fwmark 0x90000000/0xf0000000 lookup wan1
200:    from someip lookup wan1
200:    from 192.168.1.1 lookup wan0
200:    from 192.168.1.1 lookup wan1
400:    from all to someip lookup wan0
400:    from all to someip lookup wan1
400:    from all to 192.168.1.1 lookup wan0
400:    from all to 192.168.1.1 lookup wan1
32766:  from all lookup main
32767:  from all lookup default

Code:
Chain PREROUTING (policy ACCEPT 33221 packets, 33M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    19833 3445K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
2     2744  349K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.11-192.168.1.255 MARK set 0x1
3        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEBAS2818 dst MARK or 0x1000
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEBAS31459 dst MARK or 0x1000
5        1    93 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-812 dst MARK or 0x1000
6    13131  850K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-2906 dst MARK or 0x1000
7       70  5574 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-14618 dst MARK or 0x1000
8     1954 2019K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-16509 dst MARK or 0x1000
9     1790 1998K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-US dst MARK or 0x1000
10     128 13470 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-GLOBAL dst MARK or 0x1000
11       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set BBC_WEB dst MARK or 0x1000
12    1716 1991K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX_WEB dst MARK or 0x1000
13      50  4927 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-AP dst MARK or 0x1000
14       0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON-EU dst MARK or 0x1000
 
A couple of observations on the topic:
1. I know it's a bit time consuming, but, if possible, turn off the second WAN - that would eliminate some of the complexities of your scenario.
2. Is your VPN provider TOR or someone that clearly states Netflix access will work over the VPN?
3. I just came across this script by @Adamm00 (as in Skynet) - updated yesterday - https://github.com/Adamm00/misc/blob/master/vpnflix.sh. Post a question in separate thread, make sure that Netflix works to your expectations over the VPN and then start looking at selective routing again.
 
Packets are traversing the IPTABLES chain. But I still don't see the WAN routing rule for the ISP AS Number you listed in a prior post.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 STARHUB-55430 AS55430

You can use the "ip rule del prio xxxx" command to delete the RPDB rules above the RPDB rules for the fwmark/bitmask to see if those rules are causing a conflict. If so, we'll have to make an edit to the script to have the priority numbers listed higher so it works for your use case.

I agree with @Torson's tips about trying to find the root cause. Please try to turn off dual WAN and route all traffic thru the VPN. If it works, then we can eliminate the VPN as an issue. Then, turn Policy Routing rules back on and see if it works. After that, turn dual WAN back on and test again.
 
Isn't the OP trying to route the IPSETs via VPN Client 1?
Correct. But a few members had issues with getting NF routing to work. The suspected root cause is the way Netflix may be using CDN at the ISP. Some have found that routing the ISP ASN to the WAN was the solution to work around the issue.
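
The two checks recommended in this thread (dropping ipset rules that show 0 packets in the mangle PREROUTING chain, and confirming that every fwmark the chain sets has a matching RPDB rule) can be run in one pass over saved command output. This is an added example, not part of the original posts or of x3mRouting: `audit_marks`, `demo`, the status labels and the temporary file names are assumptions, the sample input is abridged from the outputs posted above, and marks are matched textually as `value/mask` with the mask equal to the value, as in the rules shown in this thread.

```shell
#!/bin/sh
# Added example (not x3mRouting code).
# audit_marks MANGLE_FILE RULES_FILE
#   MANGLE_FILE: saved output of `iptables -nvL PREROUTING -t mangle --line`
#   RULES_FILE:  saved output of `ip rule`
# Prints one line per ipset rule: SET PKTS MARK TABLE STATUS
#   NO_RULE = the mark is set but no RPDB rule selects a table for it
#   UNUSED  = rule exists but has matched 0 packets (candidate for removal)
audit_marks() {
    awk -v rules="$2" '
        BEGIN {
            # Index the RPDB: fwmark "value/mask" -> routing table name.
            while ((getline line < rules) > 0) {
                n = split(line, f, " ")
                fw = ""; tbl = ""
                for (i = 1; i < n; i++) {
                    if (f[i] == "fwmark") fw = f[i + 1]
                    if (f[i] == "lookup") tbl = f[i + 1]
                }
                # First (highest priority) rule for a mark wins.
                if (fw != "" && !(fw in table)) table[fw] = tbl
            }
            close(rules)
        }
        # Column 4 is the target; only MARK rules with a match-set matter.
        $4 == "MARK" {
            set = ""; mark = ""
            for (i = 5; i < NF; i++) {
                if ($i == "match-set") set = $(i + 1)
                if ($i == "or") mark = $(i + 1)
            }
            if (set == "" || mark == "") next
            key = mark "/" mark          # e.g. 0x1000/0x1000
            if (!(key in table))  status = "NO_RULE"
            else if ($2 == "0")   status = "UNUSED"
            else                  status = "OK"
            printf "%s %s %s %s %s\n", set, $2, mark,
                   ((key in table) ? table[key] : "-"), status
        }
    ' "$1"
}

# Sample input, abridged from the outputs posted in this thread.
sample_mangle() {
    cat <<'EOF'
num   pkts bytes target     prot opt in     out     source               destination
1     8759 1956K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
2     2542  387K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.1.11-192.168.1.255 MARK set 0x1
4        0     0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-812 dst MARK or 0x1000
5     1842  138K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-2906 dst MARK or 0x1000
11    1127 1089K MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX_WEB dst MARK or 0x1000
12       1   132 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set STARHUB-55430 dst MARK or 0x8000
EOF
}

sample_rules() {
    cat <<'EOF'
0:      from all lookup local
148:    from all fwmark 0x1 lookup wan1
150:    from all fwmark 0x80000000/0xf0000000 lookup wan0
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
EOF
}

# Run the audit over the sample data using temporary files.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_mangle > "$tmp/mangle.txt"
    sample_rules  > "$tmp/rules.txt"
    audit_marks "$tmp/mangle.txt" "$tmp/rules.txt"
    rm -rf "$tmp"
}

demo
```

On the router, save the two command outputs to files and pass them to `audit_marks`; a `NO_RULE` line for the `0x8000` mark corresponds to the missing `9990: from all fwmark 0x8000/0x8000 lookup main` rule pointed out above.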
 
