x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

The script is working great for me, but is there a way to temporarily disable it in order to perform some tests without deleting the iptables rules or the script repository itself?
There are several methods you can use. First one is to turn off the VPN Client. The routing rules will be removed.

If you are not using the custom GUI, you could run the openvpnX-route-pre-down script in the /jffs/scripts/x3mRouting folder. The VPN client will still be up and running but the iptables routing rules are no longer in effect.

To reinstate the rules, you can either restart the VPN Client (service restart_vpnclientX) or select the apply button on the GUI.

To remove an individual rule, you can use the command below to display the rules and the chain number for each one:
Code:
iptables -nvL PREROUTING -t mangle --line

Then, use the chain number in the delete command. In this example, using Chain #1:
Code:
iptables -t mangle -D PREROUTING 1
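As an added example (not code from the original post or from the x3mRouting project), the helper below works with the listing command above. It parses the output of `iptables -nvL PREROUTING -t mangle --line-numbers` and builds the delete commands for every rule that references one IPSET list, highest rule number first, because iptables renumbers the remaining rules after each `-D`: deleting rule 1 turns rule 4 into rule 3, so deleting in ascending order removes the wrong rules. The listing it runs on is constructed to mimic the iptables output format; the set names, marks and counters are illustrative and not captured from a real router.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code. Parses the output of
#   iptables -nvL PREROUTING -t mangle --line-numbers
# and builds the delete commands for one IPSET list, highest rule number
# first, so earlier deletions do not renumber the rules still to be removed.

# Constructed listing in the format iptables prints; set names, marks and
# counters are illustrative, not captured from a real router.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120 9000 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK set 0x8000/0x8000
2       33 2100 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX-AS2906 dst MARK set 0x8000/0x8000
3        5  400 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set DISNEY dst MARK set 0x1000/0x1000
4        0    0 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set NETFLIX dst MARK set 0x8000/0x8000'

# Print the rule numbers (highest first) of every PREROUTING rule on stdin
# that matches the IPSET named in $1. The set name is compared as a whole
# field, so NETFLIX does not also match NETFLIX-AS2906.
rule_numbers_for_ipset() {
  awk -v set="$1" '
    $1 ~ /^[0-9]+$/ {
      for (i = 1; i < NF; i++)
        if ($i == "match-set" && $(i + 1) == set) { print $1; break }
    }' | sort -rn
}

# Emit one delete command per matching rule, in the order they must run.
delete_commands_for_ipset() {
  for n in $(rule_numbers_for_ipset "$1"); do
    printf 'iptables -t mangle -D PREROUTING %s\n' "$n"
  done
}

# Offline demonstration on the constructed listing (prints the commands only):
printf '%s\n' "$SAMPLE_LISTING" | delete_commands_for_ipset NETFLIX
# On the router, feed the live listing instead and execute what is printed:
#   iptables -nvL PREROUTING -t mangle --line-numbers | delete_commands_for_ipset NETFLIX | sh
```

Deleting by number only drops the iptables entries; the IPSET list, its dnsmasq entry and any cru job stay in place, so use the script's own delete options when a full clean-up is wanted.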
 

That was exactly what I was looking for, thank you. You're the best script maker when talking about support and it is not even close. Not saying this to backlash any other script maker but just to show how appreciative I am of your work and support. Thanks a lot
 
Thank you. Happy to help.

I failed to mention another way to reinstate the routing rules - running the openvpnX-route-up script will reinstate the routing rules as well if you didn't take the client down. Otherwise, restart the client and the openvpn event route up script will run automatically.
 
Great tool, been using it for some time! Really appreciate the time and effort you and all others have put into this.
Seems that the clean-up script is not removing everything.

Also have a strange issue I was hoping this script could help with.
I use VPN for all my traffic; I also have some issues with my IPTV provider and they get solved by the VPN connection.
But a few of the IPs from the VPN have issues: when I log in to Netflix it only shows Netflix content.
Was thinking to push all data via VPN with this script, but don't know how to set it up.
 
Please provide the syntax you are using to first create the script and what you are using to remove the script. This will allow me to test and check if something is not getting cleaned up properly. The VPN server to IPSET and VPN Server to VPN Client were the most challenging as they can share some of the same routing rules. Note the different usage examples based on the routing that is used. If you have a VPN server rule to remove, the usage is slightly different than removing a rule for IPSET routing.

Delete an IPSET List, Routing Rules, Script Entries and cru jobs
Delete a VPN Server to VPN Client Routing Rule
Delete a VPN Server to IPSET list Routing Rule


If you want to have all LAN traffic use the VPN, you just need an entry like the first one listed below in the Policy Routing table in the OpenVPN Client Screen. The second entry allows the router to use the WAN for NTP and other services. I also recommend using it when routing to more than one OpenVPN Client.
Code:
LAN_IPs    192.168.1.0/24    0.0.0.0    VPN
Router     192.168.1.1       0.0.0.0    WAN

If you need to bypass the VPN for a service that blocks known VPN servers like Netflix, you need to specify the VPN client you want to bypass followed by the destination source, the WAN. Example below:

Code:
x3mRouting 1 0 NETFLIX asnum=AS2906

Other VPN Bypass examples are on the README, including how to specify the rule just for one device or a range of devices.

Did I answer your question?
 

I think I am having the same issue.
One thing Uniken said was "But a few of the IPs from the VPN have issues, when I login to Netflix it only shows Netflix content." This is happening for me as well.

I am using the following:
Code:
x3mRouting 1 0 NETFLIX-AS2906 asnum=AS2906

Which does allow me to access Netflix, BUT, I cannot see any other content except for Netflix original content.
Meaning, when I apply the above code and launch Netflix, I cannot for example search for "Friends" in Netflix. It does not come up. If I disable routing, I can then see "Friends" in Netflix.

So far I have tried:
Code:
x3mRouting ipset_name=NETFLIX-AS2906 asnum=AS2906
x3mRouting 1 0 NETFLIX-AS2906 asnum=AS2906

x3mRouting ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
x3mRouting 1 0 NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net

As for how I have the OpenVPN Client set up, please see the following:

(screenshot of the OpenVPN Client settings)

And here is the custom config for my OpenVPN client:
Code:
resolv-retry infinite
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
fast-io
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
pull-filter ignore "ifconfig-ipv6"
pull-filter ignore "route-ipv6"
comp-lzo no


Any ideas why this may be happening?
 
Thanks for clarifying the concern. That was a big help.

It looks like some changes may have occurred. In addition to AS2906, I see several new ASNs for Netflix.

(screenshot of the Netflix ASN lookup, uploaded 2020-07-16)


What is interesting is I don't see any traffic traversing AS2906 any longer. I created a separate IPSET list for each ASN. Only the AS40027 saw traffic traversing the chain when I watched Netflix on my laptop. But not when using a Firestick.

I then ran the autoscan.sh script and searched for netflix and nflx to see if there are any other domains.
Code:
sh autoscan.sh autoscan=netflix,nflx

netflix.com
nflxext.com
nflximg.com
nflximg.net
nflxso.net
nflxvideo.net
nflximg.com appears to be a new top level domain. I'll have to add it to the README.

When I looked at the IP addresses returned by some of the Netflix DNS lookup queries, many of them belong to AS16509, which is Amazon AWS in the US, rather than being owned by a Netflix ASN. Netflix hosts on Amazon servers.

From the testing I did this morning, it appears we may need to cast a wider net and also include one's local Amazon region or the GLOBAL region. I only used to use Amazon US region for my needs. But recently found a situation where I also needed to include the GLOBAL region as well. So far, it appears that if specifying GLOBAL region, there is no need to also specify the other regions like US.

Alternatively, I found that adding nflximg.com and amazonaws.com domain works.
Code:
x3mRouting 1 0 NETFLIX_DOMAINS dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com
I will do some more research on the ASN method for Netflix.

As a reminder, using the 'ipset_name=' parameter only creates the IPSET list but not the routing rules. This method is used for people who want to use the modified OpenVPN Client screen to specify the routing rules.
 

Fantastic, thank you for the response!

I tried the dnsmasq method and it seems to be working correctly now.

As for your comment about adding the GLOBAL Amazon region, would this be used in conjunction with the dnsmasq method as well or is this to be used with the asnum method?
 
Hope someone can assist me...I have my old nat-start file saved from my previous set-up when I was using option 3 on the older script...is there a way for the new release x3mRouting (v2.0) to force convert the nat-start file into the new version?

I go into WinSCP and copy and paste the old 'nat-start' file into the /jffs/scripts folder. I open amtm and install the x3mRouting script. I then choose to install option 3 (Install OPENVPN event & x3mRouting.sh script). At this time, should the script automatically convert it into the new version?


I was previously using the older script option 3, but I can't seem to set it up with the new script.

I'm setting up from scratch, but I did keep a copy of my old nat-start file. Is there a simple way for me to set up with the new script, or is there a way I can go back to the older script? Any info is greatly appreciated!
 

Spoke too soon. Seems to no longer be working :/
I'll see if I can investigate this further.
 
With the ASN method is where I needed to add it. I was using the Amazon US region for my routing rules trying to get an Amazon Echo working over the VPN and was having issues. When I added the Global region, I saw traffic. I have a VPN that works with services that block VPNs, including Prime. But for some reason, the Echo just can't connect to WiFi over a VPN tunnel. It may need access to some location services on the router that it can't get when connected to the VPN.
 
The update process will convert the nat-start x3mRouting entries. Did you remove the old version before installing the new version? Do you have a backup of the jffs partition you can restore the old x3mRouting folder from? If so, then you can redo the installation and conversion to have x3mRouting clean up old entries and create the conversion file as noted in the Version 2.2.0 Update Process.

If not, I would have to clone the conversion code so you can run it standalone to convert your nat-start entries. But, I have to go on a road trip in a two hours and won't have time to work on it until Monday.
 
I had the same issue this morning. It worked yesterday. I added AS2906 and it is working now. For me, I am routing to my private VPN. Just change the "ALL 1" to "1 0" for your use case.

Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX-DNS dnsmasq=netflix.com,nflxext.com,nflximg.com,nflximg.net,nflxso.net,nflxvideo.net,amazonaws.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 NETFLIX_AS2906 asnum=AS2906

I'll do some more analysis when I return on Monday to better understand what is going on. If you still have issues, create a routing rule for Amazon GLOBAL region.
 
I did remove the old version due to router replacement and formatting my USB drive. No backups of anything except the nat-start file. I would appreciate it if I could run it as a standalone. I'll go through the Readme info to get smarter as well. Thanks again and no rush!
 

Thanks again. It seems to be working now. I didn't have to add the rule for Amazon (yet) but I'll keep an eye out. Enjoy the trip!
 
The conversion code is in the menu code as a function. I will be able to use that code to create a stand alone script for you.
 
Hi,

I'm trying to change to using TorGuard as my VPN provider because, so far, it seems to work so much better than either of the other two providers I've been using.

But to do that I need to use x3mrouting to route Prime Video to the WAN, and when doing that everything else I have works fine as does Prime.

On my AX88U (running the latest Merlin 384.19 alpha, since I'm having some other wireless problems) I have created 3 ipsets with:
Code:
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=DISNEY dnsmasq=demdex.net,disney-plus.net,disney.com,disney.io,disneyplus.com,footprint.net,go.com
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=NETFLIX dnsmasq=netflix.com,nflxext.com,nflximg.net,nflxso.net,nflxvideo.net
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=AMAZON aws_region=AP,GLOBAL
for use with the modified VPN client screen but found I only need to use the AMAZON set.

The problem I'm seeing is that in less than 24 hours Prime Video gets blocked.

Sometimes restarting the VPN client fixes it for a while but often only a reboot helps.
It's possible the wireless problems are at play here too but, due to the nature of those, I'm not convinced it's related.
 
This code will only convert old VPN client routing entries in nat-start. It does not convert VPN Server to VPN Client entries as I was not sure if you have those. I didn't want to put in the effort unless I knew you had the requirement. It also does not perform the clean-up of the openvpn-event route-up and route-pre-down files if you have entries in those files. If you have any, then a manual removal is suggested.

Download:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/Asuswrt-Merlin-Linux-Shell-Scripts/master/nat-start-conv.sh" -o "/jffs/scripts/nat-start-conv.sh" && chmod 755 /jffs/scripts/nat-start-conv.sh

Please edit the file references for your old nat-start file as appropriate. Also note the location of the conversion file.
Code:
# This is the old nat-start file that contains references to the prior version of x3mRouting scripts
NAT_START=/jffs/scripts/nat-start

# This is the conversion file. After running this script, review the file, make any necessary edits, save, and run to create the new nat-start file
# and routing rules
CONV_FILE=/jffs/scripts/x3mRouting/x3mRouting_Conversion.sh
 
Are you using one of TG's shared VPN servers or a Dedicated IP? The latter is required for Amazon Prime.

There is one issue with the GUI method you should be aware of. A firewall restart (service restart_firewall) will clear the routing rules.

Run the command below to see the routing rules for the IPSET lists:
Code:
iptables -nvL PREROUTING -t mangle --line

If you are using a dedicated IP and you get blocked, run the command above to see if the routing rules are still in effect. You can also check the system log file to see if a firewall restart event occurred. This problem does not exist when you specify the source and destination interface to the x3mRouting script. The current work around is to add the command below to /jffs/scripts/nat-start file on the last line. The "1" is the VPN client number. 1,2,3,4 and 5 are valid values.

Code:
service restart_vpnclient1

/jffs/scripts/nat-start will run at boot or after a firewall event. Restarting the VPN Client will recreate the missing routing rules.
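As an added example (not the post's or x3mRouting's own code), a guard that refines the nat-start workaround above: instead of restarting the VPN client on every firewall event, it checks whether the PREROUTING rule for a given IPSET list is still present in the listing and only issues `service restart_vpnclientX` when the rule is gone. The IPSET name AMAZON, the client number and the two listings are assumptions constructed for the demonstration, not captured from a router.

```shell
#!/bin/sh
# Added example, not x3mRouting's own code: a guard for /jffs/scripts/nat-start
# that restarts the OpenVPN client only when the IPSET routing rule it should
# have created is missing from the mangle PREROUTING chain, instead of
# bouncing the tunnel on every firewall event.

# Constructed listings, not captured from a real router: one with the rule
# for an IPSET named AMAZON in place, one after a firewall restart wiped it.
LISTING_WITH_RULE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120 9000 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0            match-set AMAZON dst MARK set 0x8000/0x8000'
LISTING_AFTER_FIREWALL_RESTART='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Exit 0 if the listing on stdin has a rule matching IPSET $1, 1 otherwise.
# The set name is compared as a whole field, so AMAZON does not match AMAZON-US.
ipset_rule_present() {
  awk -v set="$1" '
    $1 ~ /^[0-9]+$/ {
      for (i = 1; i < NF; i++)
        if ($i == "match-set" && $(i + 1) == set) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Print the restart command for VPN client $2 (valid values are 1 to 5) when
# the rule for IPSET $1 is missing from the listing on stdin; print nothing
# otherwise, so a healthy tunnel is left alone.
restart_cmd_if_rule_missing() {
  if ipset_rule_present "$1"; then
    return 0
  fi
  printf 'service restart_vpnclient%s\n' "$2"
}

# In nat-start, feed the live listing and execute the result, e.g. as the last line:
#   eval "$(iptables -nvL PREROUTING -t mangle --line-numbers | restart_cmd_if_rule_missing AMAZON 1)"
# Offline demonstration with the constructed listings (prints the command only):
printf '%s\n' "$LISTING_AFTER_FIREWALL_RESTART" | restart_cmd_if_rule_missing AMAZON 1
```

At boot the client may not be up yet, so the rule is absent and the client is restarted exactly as with the unconditional `service restart_vpnclient1` line; after a firewall restart that cleared the mangle rules the same happens, while any nat-start run that finds the rule intact no longer drops the tunnel. Check one IPSET per client you route through.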
 
@Xentrk tried your detailed instruction in your blog to set DNS with VPN to work with Diversion. It works great. I have only one minor thing that I couldn't figure out. Main DNS is 1.1.1.1, connecting under WAN to the closest servers to my location. When activating VPN at a different geo-location, the client uses the same location as the main DNS, not the closest to the VPN server. Is it possible to allow the VPN client to use the nearest Cloudflare server to the VPN location instead of the same location as the WAN DNS? I'm thinking this could affect browsing performance, and I could be wrong. Thank you.
 