x3mRouting x3mRouting ~ Selective Routing for Asuswrt-Merlin Firmware

[Xentrk]

Anyone have HBOMax working? I have apply these rules with no luck:
x3mRouting 1 0 AMAZON asnum=AS16509
x3mRouting 1 0 AMAZON asnum=AS14618
x3mRouting 1 0 HBOMAX dnsmasq=hbomax.com,play.hbomax.com

I tried these rules below and nothing things to work. It was working fine with the 384.19 beta2 fw.

service restart_firewall
service restart_dnsmasq
service restart_vpnclient1

I don't have HBO Max. I see they have a 7 day free trial though. So may be I can help if you get stuck.

You can remove play.hbomax.com. The first domain listed will cover it. I did a search for ".com" and found numerous references.

warnermediacdn.com
amazonaws.com

A search for ".net" come up with a few hits.

go-mpulse.net
akamaihd.net

I've been thinking of creating a Wiki on GitHub for the various streaming services.

 

[router_master]

As you know, Instagram blocks VPN. In my case, NordVPN. How can you unlock it. I applied such a rule, but to no avail.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 INSTAGRAM dnsmasq=cdninstagram.com,instagram.com,graph.instagram.com

 

[Xentrk]

As you know, Instagram blocks VPN. In my case, NordVPN. How can you unlock it. I applied such a rule, but to no avail.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 INSTAGRAM dnsmasq=cdninstagram.com,instagram.com,graph.instagram.com

First I heard Instagram blocks known VPN servers. No problems here.

For VPN Bypass, the source is the VPN you want to bypass and 0 is the WAN destination.

sh /jffs/scripts/x3mRouting/x3mRouting.sh 1 0 INSTAGRAM dnsmasq=cdninstagram.com,instagram.com,graph.instagram.com

What you posted routes ALL Instagram traffic (the source) to VPN Client 1 (destination).

 

[router_master]

First I heard Instagram blocks known VPN servers. No problems here.

It's interesting, I've noticed for about a month or two that after turning off the VPN on my router, I can browse the Instagram of "celebrities" without logging in. After turning on the VPN, it immediately tells you to log in. The website itself works for both. I expressed myself wrong.

 

[Xentrk]

It's interesting, I've noticed for about a month or two that after turning off the VPN on my router, I can browse the Instagram of "celebrities" without logging in. After turning on the VPN, it immediately tells you to log in. The website itself works for both. I expressed myself wrong.

That makes sense. A lot of the social media apps log your last geo location. If they see you coming from a new location (e.g. vpn server), then they will challenge you. You may also receive an email stating they noticed a logon from a different location for your account.

 

[Kingp1n]

I don't have HBO Max. I see they have a 7 day free trial though. So may be I can help if you get stuck.

You can remove play.hbomax.com. The first domain listed will cover it. I did a search for ".com" and found numerous references.

warnermediacdn.com
amazonaws.com

A search for ".net" come up with a few hits.

go-mpulse.net
akamaihd.net

I've been thinking of creating a Wiki on GitHub for the various streaming services.

Thanks man but no luck with HBOMAX & CBS All Access. I'm only using option 3 of your script. Anything else you think I can try? Netflix, Prime, Hulu and Disney all working without issues. Greatly appreciated!

 

[Xentrk]

Thanks man but no luck with HBOMAX & CBS All Access. I'm only using option 3 of your script. Anything else you think I can try? Netflix, Prime, Hulu and Disney all working without issues. Greatly appreciated!

CBS All Access is a tough one. I have some ipv4 addresses I mined from all of the domain names. It seems to work when combined with dnsmasq method.

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPv4
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_Web dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

Some of the difficulty may be in identifing the background domains the streaming device firmware is looking up vs the domains used by the streaming service. For mining domains, make sure Accept DNS Configuration is not set to Exclusive.

 

[Xentrk]

Here are the domains I collected from visiting the HBO Max website.

sh autoscan.sh autoscan=hbo

amazonaws.com
cutestat.com
hbo.com
hbomax.com
omtrdc.net
pubmatic.com
warnermediacdn.com

grep "query" "/opt/var/log/dnsmasq.log" | grep "max" | awk '{print $6}' | sort -u

hbomax-assets.s3.amazonaws.com
hbomax-images.warnermediacdn.com
hbomax.tv.cutestat.com
maxcdn.bootstrapcdn.com
play.hbomax.com
www.hbomax.com

 

[Teymur]

Hi there @Xentrk

Been using your script for a while now, wonderful work! I have a question:

I have an ipset that I wanted always to go through the VPN. So I did:

teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips

Now I can see that ip rule has been added and a mangle table rule as well:

teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
teymur88@router:/tmp/home/root#

-A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000

However when I deleted it, ip rule doesn't get cleaned. And moreover it looks like it's adding all again by itself after a reboot or firewall restart. I haven't noticed at what point it gets all the config back and I get that ipset over VPN again without me doing it.

teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips del
(x3mRouting): 8006 Starting Script Execution ALL 1 edemtvips del
(x3mRouting): 8006 Script entry for edemtvips deleted from /jffs/scripts/nat-start
(x3mRouting): 8006 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-up


/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 8006 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-pre-down


/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 8006 IPSET edemtvips deleted!
(x3mRouting): 8006 Completed Script Execution
teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
teymur88@router:/tmp/home/root#

Your input is appreciated!

 

[Kingp1n]

Here are the domains I collected from visiting the HBO Max website.

sh autoscan.sh autoscan=hbo

amazonaws.com
cutestat.com
hbo.com
hbomax.com
omtrdc.net
pubmatic.com
warnermediacdn.com

grep "query" "/opt/var/log/dnsmasq.log" | grep "max" | awk '{print $6}' | sort -u

hbomax-assets.s3.amazonaws.com
hbomax-images.warnermediacdn.com
hbomax.tv.cutestat.com
maxcdn.bootstrapcdn.com
play.hbomax.com
www.hbomax.com

Ok...I appreciate it alot. These domains got HBOMax working again.

As far as CBS where do I add these lines below and what do I do with CBS IPV4 addresses:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPv4
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_Web dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

Also my "Accept DNS configuration" is set to disabled. Sorry for my ignorance!!!
UPDATE 1: I've manually created the CBS_IPV4 file under /opt/tmp and added all the addresses inside.

UPDATE 2: I kept trying to run your command above and I realized the "CBS_IPv4" should read CBS_IPV4" = 'v' should be capitalize. Finally figure why I kept seeing the error!!!

Did this the trick and all is good now. Thanks a lot for all your support! This is an awesome script.

 

[Xentrk]

Ok...I appreciate it alot. These domains got HBOMax working again.

As far as CBS where do I add these lines below and what do I do with CBS IPV4 addresses:

sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_IPv4
sh /jffs/scripts/x3mRouting/x3mRouting.sh ipset_name=CBS_Web dnsmasq=cbs.com,cbsaavideo.com,cbsi.com,cbsig.net,cbsnews.com,cbsstatic.com,irdeto.com,omtrdc.net,syncbak.com

Also my "Accept DNS configuration" is set to disabled. Sorry for my ignorance!!!
UPDATE 1: I've manually created the CBS_IPV4 file under /opt/tmp and added all the addresses inside.

UPDATE 2: I kept trying to run your command above and I realized the "CBS_IPv4" should read CBS_IPV4" = 'v' should be capitalize. Finally figure why I kept seeing the error!!!

Did this the trick and all is good now. Thanks a lot for all your support! This is an awesome script.

The manual method is being used for CBS_IPv4. The name you save the file to in /opt/tmp needs to be the same as the IPSET name.

The getdomainnames.sh script gives one a big picture view of all domains being quiered when accessing a site. But it can also include domains not used by the streaming service itself but by the device as all devices manufacturers are collecting data too. Using the autoscan.sh script would not show the Netflix domains that start with "nflx" if you only search for the word "netflix". Using getdomainnames.sh script would reveal the domains with the "nflx" reference. So sometimes both scripts are required to analyze the traffic.

 

[Xentrk]

[

Hi there @Xentrk

Been using your script for a while now, wonderful work! I have a question:

I have an ipset that I wanted always to go through the VPN. So I did:

teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips

Now I can see that ip rule has been added and a mangle table rule as well:

teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
teymur88@router:/tmp/home/root#

-A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000

However when I deleted it, ip rule doesn't get cleaned. And moreover it looks like it's adding all again by itself after a reboot or firewall restart. I haven't noticed at what point it gets all the config back and I get that ipset over VPN again without me doing it.

teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips del
(x3mRouting): 8006 Starting Script Execution ALL 1 edemtvips del
(x3mRouting): 8006 Script entry for edemtvips deleted from /jffs/scripts/nat-start
(x3mRouting): 8006 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-up


/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 8006 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-pre-down


/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 8006 IPSET edemtvips deleted!
(x3mRouting): 8006 Completed Script Execution
teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default
teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
teymur88@router:/tmp/home/root#

Your input is appreciated!

I can't duplicate the issue. When the script is run, it creates the entry in /jffs/scripts/nat-start so it can run at system boot. The message above confirms it got deleted. Did you manually add the entry to firewall-start?

See if you have any files with references to edemtvips IPSET list in /jffs/scripts:

grep -Rw edemtvips /jffs/scripts/*

Otherwise, download an updated copy of x3mRouting.sh. I see you are on an earlier version of asuswrt-merlin that is not compatible with the x3mRouting version currently posted on GitHub. For now, download the 384.18 and below compatible version of x3mRouting.sh and try agian.

/usr/sbin/curl --retry 3 https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/x3mRouting.sh)" -o "/jffs/scripts/x3mRouting/x3mRouting.sh

 

[mister]

Let's focus on getting it working for one VPN Client for now.

More analysis will be required. Download the utility scripts in option 4. On the router, configure a client to use the VPN that works with the streaming service and route all traffic to it. Run the getdomainnames.sh script. A separate log file will get created to see what domain are being referenced. Then, go to the site and generate traffic by watching some videos and selecting different options. When done, go back to the SSH session and press ctrl-c to exit out of getdomainnames.sh script. You will be present with a full list of domains accessed during this time. See usage instructions on the readme.

Before doing all that, you may want to try AS43354 based on the nslookup and whob I did on one of the domain names.

# nslookup zdfmediathek.de
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      zdfmediathek.de
Address 1: 91.197.29.49 shapira-shapira.de

# whob 91.197.29.49
IP: 91.197.29.49
Origin-AS: 43354
Prefix: 91.197.29.0/24
AS-Path: 34224 6453 55002 43354
AS-Org-Name: ZDF-AS
Org-Name: ZDF-Net
Net-Name: ZDF-Net
Cache-Date: 1596958184
Latitude: 49.984190
Longitude: 8.279100
City: Mainz
Region: Rheinland-Pfalz
Country: Germany
Country-Code: DE

Dear Xentrk,
I have made a lot of tests for my problem and I did not found a good solution, only a workaround. But maybe you have an idea.

I found, that the stream is working if my vpn5 network is a german server.

the reason for this seems to be in my configuration:


Is there a possibility to check, which domains are routed via vpn5 instead of vpn1 or vpn3. Normally all traffic should be routed on vpn3 - only the traffic which fits to manual rules in the natstart file should be routed through vpn1.

And this is not working correctly. Any advise for me?

I attached the results of the getdomainnames.sh with german and no german server as well as entries of the nat-start.
As you can see all collected domainnames of the getdomainnames script should be included in the configuration. But is doesn´t work.... Mysterious...

Thanks a lot for your support.

Hugo

 

[Xentrk]

Version 2.2.0 (22 August, 2020)
The x3mRouting.sh script has been updated!

FIX for ASN Method!
Updated grep command option no longer supported. Error may result in empty save/restore files and IPSET lists.

dnsmasq Method with 'dnsmasq_file=' parameter

Rather than specifying the domain names in a list, you can specify a file location using the 'dnsmasq_file=' parameter. The format of the file is one top level domain name per line.

domain1.com
domain2.com
domain3.com

Only the top level domain name is used in the dnsmasq.conf.add entry. We can have some discussion on this. For example, if you enter www.domain.com, the www will get dropped when entered in dnsmasq.conf.add.

x3mRouting 2 0 MYDOMAINS dnsmasq_file=/jffs/scripts/mydomains

 

[Torson]

Great change - simplifies the domains' addition / removal process. What is the impact on the existing nat-start statements format?

 

[mister]

Version 2.2.0 (22 August, 2020)
The x3mRouting.sh script has been updated!

FIX for ASN Method!
Updated grep command option no longer supported. Error may result in empty save/restore files and IPSET lists.

dnsmasq Method with 'dnsmasq_file=' parameter

Rather than specifying the domain names in a list, you can specify a file location using the 'dnsmasq_file=' parameter. The format of the file is one top level domain name per line.

domain1.com
domain2.com
domain3.com

Only the top level domain name is used in the dnsmasq.conf.add entry. We can have some discussion on this. For example, if you enter www.domain.com, the www will get dropped when entered in dnsmasq.conf.add.

x3mRouting 2 0 MYDOMAINS dnsmasq_file=/jffs/scripts/mydomains

Is it only an additional way for configuration or is there a difference between this new way and the old way with the "," sequence?

 

[Xentrk]

Is it only an additional way for configuration or is there a difference between this new way and the old way with the "," sequence?

Only one path and file can be specified. I can always update to allow more than one file if the community would like me to.

 

[Xentrk]

Great change - simplifies the domains' addition / removal process. What is the impact on the existing nat-start statements format?

Shouldn't impact any existing nat-start entries. But one item worth pointing out is how I handle the dnsmasq.conf.add entry.

An example VPN Bypass client 2 nat-start entry will be:

sh /jffs/scripts/x3mRouting/x3mRouting.sh 2 0 MYSET dnsmasq_file=/jffs/scripts/myfiles

If the 'dnsmasq_file=' parm is specified, I first remove the dnsmasq entry for the IPSET list in dnsmasq.conf.add before creating the new one. For example, let's say I have a list of files in the domain_file:

domain1.com
domain2.com
domain3.com

The dnsmasq.conf.add entry will be

ipset=/domain1.com/domain2.com/domain3.com/MYDOMS

If you remove domain3.com from the file, the dnsmasq.conf.add now becomes

ipset=/domain1.com/domain2.com/MYDOMS

In the other methods, the domain name is appended in dnsmasq.conf.add to allow people to append domains.

ipset=/domain1.com/domain2.com/domain3.com/IPSETLIST
ipset=/domain4/IPSETLIST

I am considering changing this so only one entry in dnsmasq.conf.add is allowed and a subsequent entry would override the existing one.

Two commands people may want to become familiar with when using the dnsmasq_file parm are the ipset del and ipset flush command.

ipset flush SETNAME command will empty the contents of an IPSET list. For example, If I remove a domain name from the file, the IPv4 address will still in the IPSET list and the save/backup file. Knowing what IPv4 address to delete is the difficult part. The command ipset flush [ipset list] will empty the IPSET list in memory. dnsmasq will now start loading the IPv4 addresses dynamically using the domains specified. The save/restore file will get updated from the 2 am cron job.

If one knows the IPv4 addrress of the domain that was removed, type ipset del SETNAME ENTRY, for example

ipset del MYLIST 123.24.7.89

 

[Xentrk]

Dear Xentrk,
I have made a lot of tests for my problem and I did not found a good solution, only a workaround. But maybe you have an idea.

I found, that the stream is working if my vpn5 network is a german server.

the reason for this seems to be in my configuration:


Is there a possibility to check, which domains are routed via vpn5 instead of vpn1 or vpn3. Normally all traffic should be routed on vpn3 - only the traffic which fits to manual rules in the natstart file should be routed through vpn1.

And this is not working correctly. Any advise for me?

I attached the results of the getdomainnames.sh with german and no german server as well as entries of the nat-start.
As you can see all collected domainnames of the getdomainnames script should be included in the configuration. But is doesn´t work.... Mysterious...

Thanks a lot for your support.

Hugo

The redundant RPDB rules may be an issue. Do you have duplicate rules set up for VPN failover purposes?
RPDB rules are top down with the higher the number getting the higher priority.

OpenVPN Client can be configured to use different servers if the primary can't be reached. See http://www.snbforums.com/threads/vpn-failover-script.55635/post-610460.

I posted this a few posts ago, but for some of my selective routing, the underlying device needs to be in the same country as the service. It depends on how deep you go in analyzing the domains used. CBS All Access is one example. I can route CBS all access to a city in US as long as the device itself is assigned to a server in US. I would have to get more granular in my analysis to fix it. But it really does not create a problem.

 

[Teymur]

[

I can't duplicate the issue. When the script is run, it creates the entry in /jffs/scripts/nat-start so it can run at system boot. The message above confirms it got deleted. Did you manually add the entry to firewall-start?

See if you have any files with references to edemtvips IPSET list in /jffs/scripts:

grep -Rw edemtvips /jffs/scripts/*

Otherwise, download an updated copy of x3mRouting.sh. I see you are on an earlier version of asuswrt-merlin that is not compatible with the x3mRouting version currently posted on GitHub. For now, download the 384.18 and below compatible version of x3mRouting.sh and try agian.

/usr/sbin/curl --retry 3 https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/x3mRouting.sh)" -o "/jffs/scripts/x3mRouting/x3mRouting.sh

Hi @Xentrk

I've updated the router to 384.13_10. I installed the script following the link you gave me. I added that ipset to go over vpn and then deleted it

teymur88@router:/tmp/home/root# /usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/Xentrk/x3mRouting/x3mRouting-384.18/x3mRoutin
g.sh" -o "/jffs/scripts/x3mRouting/x3mRouting.sh"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 60643  100 60643    0     0  46612      0  0:00:01  0:00:01 --:--:-- 55130


teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips
(x3mRouting): 27072 Starting Script Execution ALL 1 edemtvips
(x3mRouting): 27072 IPSET created: edemtvips
(x3mRouting): 27072 Selective Routing Rule via VPN Client 1 created for edemtvips fwmark 0x1000/0x1000
(x3mRouting): 27072 iptables -t mangle -D PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27072 iptables -t mangle -A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 added to /jffs/scripts/x3mRouting/vpnclient1-route-up
(x3mRouting): 27072 iptables -t mangle -D PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null added to /jffs/scripts/x3mRouting/vpnclient1-route-pre-down
(x3mRouting): 27072 sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 edemtvips added to /jffs/scripts/nat-start
(x3mRouting): 27072 Completed Script Execution


teymur88@router:/tmp/home/root# more /jffs/scripts/nat-start
#!/bin/sh
xxxxxxxxxxxxxx
xxxxxxxxxxxxxx
sh /jffs/scripts/x3mRouting/x3mRouting.sh ALL 1 edemtvips
teymur88@router:/tmp/home/root#


teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -o br0 -j MARK --set-xmark 0x1/0x7



teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1
32766:  from all lookup main
32767:  from all lookup default

Now deleting:

teymur88@router:/tmp/home/root# x3mRouting ALL 1 edemtvips del
(x3mRouting): 27928 Starting Script Execution ALL 1 edemtvips del
(x3mRouting): 27928 Script entry for edemtvips deleted from /jffs/scripts/nat-start
(x3mRouting): 27928 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-up


/jffs/scripts/x3mRouting/vpnclient1-route-up has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 27928 ipset edemtvips entry deleted from /jffs/scripts/x3mRouting/vpnclient1-route-pre-down


/jffs/scripts/x3mRouting/vpnclient1-route-pre-down has 1 shebang entry and 0 empty lines.
Would you like to remove ?
[1]  --> Yes
[2]  --> No

[1-2]: 1
file deleted
(x3mRouting): 27928 IPSET edemtvips deleted!
(x3mRouting): 27928 Completed Script Execution
teymur88@router:/tmp/home/root#


teymur88@router:/tmp/home/root# ip rule
0:      from all lookup local
9990:   from all fwmark 0x8000/0x8000 lookup main
9995:   from all fwmark 0x1000/0x1000 lookup ovpnc1 >>>>> NOT DELETED STILL HERE
32766:  from all lookup main
32767:  from all lookup default

teymur88@router:/tmp/home/root# m
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N BWDPI_FILTER
-A PREROUTING -i tun11 -j MARK --set-xmark 0x1/0x7
-A PREROUTING -i tun21 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p udp -m udp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -p tcp -m tcp --dport 5060 -j MARK --set-xmark 0x1/0x7
-A FORWARD -s 10.10.10.0/24 -d 10.10.10.0/24 -o br0 -j MARK --set-xmark 0x1/0x7


teymur88@router:/tmp/home/root# more /jffs/scripts/nat-start
#!/bin/sh
xxxxxxxxxxxxxx
xxxxxxxxxxxxxx
NO edemtvips here.
teymur88@router:/tmp/home/root#