
x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware


Based on testing, this appears to be the best method to handle the routing rules for system restarts, firewall restarts and vpn client up/down events:

nat-start will be used to call the scripts at system boot and during a firewall restart. The iptables delete/append routing rules will get created and the appropriate entries stored in vpnclientX-route-up and vpnclientX-route-pre-down if they don't exist. This solves the issue of the routing rules being purged upon a firewall restart event.

The deletion of the iptables routing rules will be placed in vpnclientX-route-pre-down. This will purge the routing rules associated with the VPN Client if it is disabled.

The creation of the iptables routing rules will be placed in vpnclientX-route-up. This will create the routing rule for a VPN Client route-up event.
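
An added sketch of the "store the entries if they don't exist" step described in the post above; it is not x3mRouting's own code. `EVENT_DIR`, `add_once`, `register_rule`, the `br0` interface and the exact iptables rule text are assumptions made for illustration, and a scratch directory stands in for the router's script directory so it can be run anywhere.

```shell
#!/bin/sh
# Added illustration, not x3mRouting code. EVENT_DIR is a scratch directory
# (assumption) standing in for wherever the vpnclientX-* event scripts live.
EVENT_DIR=${EVENT_DIR:-$(mktemp -d)}

# Append LINE to FILE only if it is not already there; create FILE as an
# executable sh script on first use.
add_once() {
    _file=$1; _line=$2
    if [ ! -f "$_file" ]; then
        printf '#!/bin/sh\n' > "$_file"
        chmod 755 "$_file"
    fi
    grep -qxF -e "$_line" "$_file" || printf '%s\n' "$_line" >> "$_file"
}

# register_rule CLIENT IPSET FWMARK
# route-up gets delete-then-append so a re-run never stacks duplicate rules;
# route-pre-down gets only the delete, purging the rule when the client stops.
register_rule() {
    _rule="PREROUTING -i br0 -m set --match-set $2 dst -j MARK --set-mark $3"
    _del="iptables -t mangle -D $_rule 2>/dev/null"
    _add="iptables -t mangle -A $_rule"
    add_once "$EVENT_DIR/vpnclient$1-route-up" "$_del"
    add_once "$EVENT_DIR/vpnclient$1-route-up" "$_add"
    add_once "$EVENT_DIR/vpnclient$1-route-pre-down" "$_del"
}

# Number of iptables entries stored in an event script.
entry_count() { grep -c '^iptables ' "$1"; }

# Two calls simulate nat-start firing at boot and again on a firewall restart.
register_rule 1 NETFLIX 0x1000/0x1000
register_rule 1 NETFLIX 0x1000/0x1000
```
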

Thank you so much for your effort. Can't wait to test the new update!
 
Hmm.
When trying to install #3 Ipset Shell Scripts I am receiving:
Collected errors:
* opkg_install_pkg: Package size mismatch: jq is 121199 bytes, expecting 121183 bytes
* opkg_install_cmd: Cannot install package jq.
An error occurred installing jq


It seems like something is not working correctly or I am doing something wrong :(.
[Edit: Using RT-AC86U, Firmware 384:15]
 
@Salles any reason you're not running 384.17_0 release final? :)

Have you fully updated your Entware install/packages (hopefully via amtm)?
 
Just updated packages via amtm. That was the issue @L&LD.
It works now :). Thank you very much.
I have not gotten the time to update the firmware just yet. Will do shortly.
 
Is there a way, depending on the domain, to direct traffic to a specific VPN client? Let's say if it is Netflix everyone goes to the WAN, if it is Hulu to client 1, if it is Disney to client 2.
Could I do that? Or only to the specific LAN clients in each VPN client? I got tangled up in the concepts of how the settings work in Merlin. The scripts work correctly for me.
I would like not to tie LAN clients to a specific VPN client. I don't know if priority rules would work for me to divert traffic first before the VPN client. The scripts made are excellent. Thank you very much.
 
That is the purpose of the script. Here is an example where VPN Client 1 is specified as the destination.
Code:
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 1 NETFLIX netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

However, the newer version is nearly done. Best to wait a few days as it has more features and does the setup for you.
 
Placing the scripts in /jffs/scripts/nat-start using the example on the README page is the solution so the rules will get reinstated at boot or firewall restart. I will change the new version to do the same. I will still use the vpnclientX-route-pre-down to remove the routing rule if the client goes down.

I've performed the example and placed the rules in nat-start but couldn't solve the problem. I will wait for the next version of the script since I could be doing something wrong as well.
 
Does the IPSET list and routing rules get created? Look at the Trouble Shooting tips.
 
Code:
[1]  Install x3mRouting for LAN Clients
[2]  Install x3mRouting OpenVPN Client GUI & IPSET Shell Scripts
[3]  Install x3mRouting IPSET Shell Scripts
[4]  Install route_all_vpnserver.sh
[5]  Install route_ipset_vpnserver.sh
[6]  Install x3mRouting OpenVPN Event
      ** Install Option 6 if you have installed Method 1 + Method 3
[7]  Check for updates to existing x3mRouting installation
[8]  Force update existing x3mRouting installation
[9]  Remove x3mRouting Repository
[e] Exit Script
Option ==> e
   https://github.com/Xentrk/Stubby-Installer-Asuswrt-Merlin
                      Have a Grateful Day!
           ____        _         _                       
          |__  |      | |       | |                      
    __  __  _| |_ _ _ | |_  ___ | | __    ____ ____  _ _ _
    \ \/ / |_  | ` ` \  __|/ _ \| |/ /   /  _//    \| ` ` \
     /  /  __| | | | |  |_ | __/|   <   (  (_ | [] || | | |
    /_/\_\|___ |_|_|_|\___|\___||_|\_\[] \___\\____/|_|_|_|

/opt/bin/x3mRouting: line 691: syntax error: unexpected "esac"
Furthermore, you still haven't fixed the 'hard-coded' error in post #255
I started encountering this issue consistently when testing the next generation code of x3mRouting this past weekend. I think the issue is due to executing the script /opt/bin/x3mRouting from within the same script.

The fix appears to be the method you are using for unbound_manager. I created a link to the menu file in /opt/bin called x3mRouting and installed the menu in the /jffs/addons/repo directory under the name x3mRouting_Menu.sh. After the update, I run the menu directly from the /jffs/addons/repo directory rather than from /opt/bin. I have not encountered the erroneous messages since making the change.

You took on a lot with the unbound project. It is much appreciated and has been working very well for me.
 
@SomeWhereOverTheRainBow

Responding here as it may help others:


I am experiencing issues with Yazfi, I installed option 1 for x3mrouting and I set it up per client. Today I tried to connect to my guest network that I had pointed at OVPN 1 and i had no internet connection.

So far, have not had any reports of incompatibility issues to date.

Did you have no internet connection at all on the router? Or just the device connected to the Guest Network configured to use YazFi? Here are some troubleshooting tips.

I configured YazFi to use client 2.

ip route | grep wl
Code:
192.168.7.0/24 dev wl1.3  proto kernel  scope link  src 192.168.7.1

I see the entry in the GUI screen:
Code:
5GHz1 Guest 3    192.168.7.0/24    0.0.0.0    VPN

I see the RPDB rule for 192.168.7.0/24 when typing the ip rule command
Code:
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 10.8.0.0/24 lookup ovpnc1
10102:  from 192.168.22.100 lookup ovpnc1
10103:  from 192.168.22.101 lookup ovpnc1
10301:  from 192.168.7.0/24 lookup ovpnc2
10302:  from 192.168.22.149 lookup ovpnc2
<snip>

See if there are any messages in the system log for clues too.
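
An added troubleshooting aid, not part of the original post or of x3mRouting: it walks the `ip rule` output quoted above in priority order and reports which routing table a forwarded packet would use, given its source address and optional fwmark. The function names are hypothetical, every fwmark rule is assumed to carry a mask as in the sample, and the `local` table is skipped on the assumption that the traffic is not addressed to the router itself.

```shell
#!/bin/sh
# RPDB rules copied from the `ip rule` output quoted above (snipped tail omitted).
RULES='0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9991:   from all fwmark 0x3000/0x3000 lookup ovpnc5
9993:   from all fwmark 0x4000/0x4000 lookup ovpnc3
9994:   from all fwmark 0x2000/0x2000 lookup ovpnc2
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
10101:  from 10.8.0.0/24 lookup ovpnc1
10102:  from 192.168.22.100 lookup ovpnc1
10103:  from 192.168.22.101 lookup ovpnc1
10301:  from 192.168.7.0/24 lookup ovpnc2
10302:  from 192.168.22.149 lookup ovpnc2'

ip2int() {   # dotted quad -> 32-bit integer
    _o=$IFS; IFS=.; set -- $1; IFS=$_o
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP NET[/LEN]; a bare address is treated as /32
    case $2 in */*) _net=${2%/*}; _len=${2#*/} ;; *) _net=$2; _len=32 ;; esac
    _mask=$(( (0xFFFFFFFF << (32 - $_len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & $_mask )) -eq $(( $(ip2int "$_net") & $_mask )) ]
}

# rpdb_table SRC_IP [FWMARK]: print the table of the first matching rule,
# or nothing if no rule in the sample matches.
rpdb_table() {
    _src=$1; _fw=${2:-0}
    printf '%s\n' "$RULES" | while read -r _prio _kw _sel _a _b _c _d; do
        [ "$_kw" = from ] || continue
        if [ "$_a" = fwmark ]; then
            _val=${_b%/*}; _msk=${_b#*/}; _tbl=$_d
            [ $(( $_fw & $_msk )) -eq $(( $_val )) ] || continue
        else
            _tbl=$_b
        fi
        [ "$_tbl" = local ] && continue
        [ "$_sel" = all ] || in_cidr "$_src" "$_sel" || continue
        echo "$_tbl"; break
    done
}

rpdb_table 192.168.7.23   # a client on the YazFi guest subnet; prints ovpnc2
```

Because the fwmark rules sit at lower priority numbers than the per-source rules, a guest packet that has been marked 0x8000 resolves to `main` rather than `ovpnc2`, which is worth checking when guest traffic does not leave through the expected tunnel.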
 
just devices connecting to the guest network that was pointed at the VPN.
 
Since YazFi is using a different subnet than LAN clients, there shouldn't be any conflict in RPDB rules.

Please confirm the Guest WiFi is using a different subnet than the router IP. Check the POSTROUTING rules for the client you are routing the Guest WiFi to using YazFi. For example, for client 2, use tun12:

Code:
iptables -nvL POSTROUTING -t nat --line | grep tun12

Pinging @Jack Yaz in case he has ideas.
 
yes all subnets are different.
 
I am going to take another look at it later on this week, I will update you if the same issue occurs again.
 
Off the top of my head the only nat rules YazFi uses is for DNSFILTER and masquerade on the VPN client.
 
Anyone's Disney plus no longer working? I'm using option 3 and with following rule inside the nat-start file:

sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset_iface.sh 0 DISNEYPLUS disneyplus.com,thewaltdisneycompany.com,disney-plus.net
sh /jffs/scripts/x3mRouting/load_ASN_ipset_iface.sh 0 DISNEYPLUS AS16509

Does this look correct? Hulu & Netflix are still working so I'm not sure what might be the issue.

UPDATE: It seems changing this option to yes from default under Tools got it working again!

WAN: use local caching DNS server as system resolver = YES

Not sure how but I thought I read Xentrk applying this method previously!
 
Hi, these scripts work excellently for my Netflix on the WAN and DisneyPlus on vpnclient(1). I don't understand why they do not work with Hulu.
I have a dedicated IP with TorGuard, configured in Asus Merlin. Hulu always blocks me. But if I test from my computer using the TorGuard client, it works fine.

I have tried with dhcp-option in the custom configuration, and nothing:
dhcp-option DNS 9.9.9.9
dhcp-option DNS 9.9.9.10

Or with the TorGuard DNS IP, nothing :(
Using local caching DNS server as resolver: Yes

For DNS in the WAN configuration, I have tried Cloudflare, Google, IBM and DNS-over-TLS; none work.
The ipleak test is correct, but Hulu does not work with the VPN in Asus Merlin. My model is an AC86U with the latest firmware.

I don't know what has happened. I have Hulu with dnsmasq and ASN ipset.

Regards.
 
With the TG Private IP, you can use any DNS, your DNS can leak. It doesn't matter. On the router, the first thing to try is to route all traffic to the Private IP. Then check if streaming works okay. It should based on the fact the client works.

My streaming device is routed to LA, which Hulu blocks. But I route Hulu to my Private IP. The underlying traffic is still in US. I would need to test if the rules for Hulu still work if the streaming device is routed to the WAN.

On my pfSense appliance, I use both AS23286 and the IP addresses I collected using the dnsmasq method on the Asus router. There must have been a reason why. But on the Asus router, I only use the dnsmasq method.

Code:
sh /jffs/scripts/x3mRouting/load_ASN_ipset.sh 1 HULU AS23286
sh /jffs/scripts/x3mRouting/load_DNSMASQ_ipset.sh 1 HULU_WEB hulu.com,hulustream.com,akamaihd.net

If you don't have any entries in the Policy Routing section on the GUI, you need to create the DummyVPN entry in the screen.

If you still have issues, you may have to analyze the domains that are being looked up when you access Hulu in dnsmasq.log file to see if there are more domains that need to be specified.
 
Update #2: I spoke too early, still having issues only with Disney. We'll keep looking into it!
 
