route traffic by domain with dnsmasq and ipset

DD-WRT Forum Index -> Advanced Networking
nahdude
DD-WRT Novice


Joined: 01 Jul 2012
Posts: 21

Posted: Thu Jun 16, 2016 3:05    Post subject: route traffic by domain with dnsmasq and ipset
Hello,

Some dd-wrt users are looking for a solution to route traffic by domain name.
Most of these users want to route traffic for streaming services like netflix or youtube.
Since it's near impossible to keep track of all the IPs used by these types of services, creating static routes won't work.

A solution is to use the built-in ipset feature of dnsmasq.
This feature adds all the IPs resolved for the given domains to an ipset (list) that can be used by iptables.
Then, with a simple policy-based route, all traffic destined for those domains can be routed through an alternate gateway or VPN.

Here's an example based on the post 'DD-wrt, everything thru VPN accept Netflix' found here
http://dd-wrt.com/phpBB2/viewtopic.php?t=291005

You will need to have jffs enabled on your router.

To test, grab the following two files and extract them in /jffs/usr
These files have been tested to work on the arm based r7000 router running kernel 3.10

ipset_ipt_libmnl.K3.Arm.tar
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279586

dnsmasq_ipset.tar
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=302273

To directly download the files to your router, in a terminal window enter

Code:
mkdir /jffs/usr
cd /jffs/usr
wget -O ipset_ipt_libmnl.K3.Arm.tar http://www.dd-wrt.com/phpBB2/download.php?id=31626
wget -O dnsmasq_ipset.tar http://www.dd-wrt.com/phpBB2/download.php?id=35637
tar xf ipset_ipt_libmnl.K3.Arm.tar
tar xf dnsmasq_ipset.tar
rm ipset_ipt_libmnl.K3.Arm.tar
rm dnsmasq_ipset.tar


Next, load the module, create the ipset, and mount the needed version of dnsmasq

Code:
insmod /jffs/usr/lib/modules/xt_set.ko
ipset -N NETFLIX hash:ip
mount -o bind /jffs/usr/sbin/dnsmasq /usr/sbin/dnsmasq


Next, configure the domains for which all resolved IPs should be added to the NETFLIX set.
This can be done in the GUI in the 'Additional DNSMasq Options' box on the 'Services' tab.
The domains listed here are from the post mentioned above. Since I don't use netflix this might not cover all the domains needed.

Code:
ipset=/netflix.com/nflxext.com/nflximg.com/nflxvideo.net/amazonaws.com/whatsmyip.org/NETFLIX



Alternatively, nvram can be manually edited with

Code:
nvram set dnsmasq_options="ipset=/netflix.com/nflxext.com/nflximg.com/nflxvideo.net/amazonaws.com/whatsmyip.org/NETFLIX"
nvram commit


Next, restart dnsmasq

Code:
stopservice dnsmasq
startservice dnsmasq


Next, use iptables to mark the packets destined for the given domains

Code:
/jffs/usr/sbin/iptables -I PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 1


Now, set up the policy based route to send netflix traffic out the wan instead of the vpn

Code:
ip rule add prio 100 fwmark 1 lookup 100
ip route add table 100 default dev $(nvram get wan_ifname)


The device(s) connected to the router might need to have the dns cache flushed.
The IPs won't be added to the ipset unless dnsmasq resolves them first.

To see if it's working you can browse to

http://ipchicken.com

the vpn ip should display.

If you browse to

http://whatsmyip.org

your isp ip should display.


Last edited by nahdude on Fri Jul 01, 2016 9:25; edited 2 times in total
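The commands above are lost at reboot and, run twice, stack duplicate rules (`ip rule add` and `iptables -I` are not idempotent). The script below is an added example for this thread, not code from nahdude's post: it re-applies the same setup idempotently from a DD-WRT startup script, checks for the files whose absence produced the errors reported later in this thread, and includes a `matching_domain` helper that reproduces dnsmasq's suffix matching so you can see which hosts a domain list actually catches (for instance, `amazonaws.com` sends every AWS-hosted name resolved through the router out the WAN, not only Netflix). Assumptions not taken from the post: the archives were extracted under /jffs/usr, the bundled iptables supports `-C`, and the NVRAM variables `wan_ifname` and `wan_gateway` are set.

```shell
#!/bin/sh
# Added example for this thread, not part of nahdude's post. Idempotent
# DD-WRT startup script: mark traffic to hosts dnsmasq has resolved for the
# listed domains and send it out the WAN instead of the VPN.
# Assumptions (not from the post): archives extracted under /jffs/usr, the
# bundled iptables supports -C, NVRAM has wan_ifname and wan_gateway.

SET_NAME="NETFLIX"
FWMARK=1
RT_TABLE=100
JFFS_USR="/jffs/usr"
DOMAINS="netflix.com nflxext.com nflximg.com nflxvideo.net amazonaws.com whatsmyip.org"

# Build the dnsmasq option line "ipset=/dom1/dom2/.../SETNAME".
# A domain containing '/' or whitespace would silently change the option's
# meaning, so such input is rejected instead of passed through.
build_ipset_option() {
    set_name="$1"; shift
    opt="ipset="
    for d in "$@"; do
        case "$d" in
            ""|*/*|*" "*) echo "build_ipset_option: bad domain '$d'" >&2; return 1 ;;
        esac
        opt="$opt/$d"
    done
    echo "$opt/$set_name"
}

# dnsmasq applies ipset= to the listed domain and all of its subdomains,
# matched on label boundaries: cdn.nflxvideo.net matches nflxvideo.net,
# notnetflix.com does not match netflix.com. Prints the first listed domain
# that matches and returns 0, or prints nothing and returns 1.
matching_domain() {
    host="$1"; shift
    for d in "$@"; do
        case "$host" in
            "$d"|*".$d") echo "$d"; return 0 ;;
        esac
    done
    return 1
}

# Files whose absence produced the errors reported later in this thread:
# "/jffs/usr/sbin/iptables: not found" and, when xt_set is missing or built
# for a different kernel, "No chain/target/match by that name".
check_prereqs() {
    rc=0
    for f in "$JFFS_USR/sbin/iptables" "$JFFS_USR/sbin/dnsmasq" \
             "$JFFS_USR/lib/modules/xt_set.ko"; do
        [ -e "$f" ] || { echo "missing $f: extract the archives under $JFFS_USR" >&2; rc=1; }
    done
    command -v ipset >/dev/null 2>&1 || { echo "ipset binary not in PATH" >&2; rc=1; }
    # The module is built against one kernel; a mismatch (3.10 vs 4.4 in this
    # thread) shows up here as a failed insmod rather than a missing file.
    if ! grep -q '^xt_set ' /proc/modules; then
        insmod "$JFFS_USR/lib/modules/xt_set.ko" \
            || { echo "xt_set.ko failed to load on $(uname -r)" >&2; rc=1; }
    fi
    return $rc
}

apply() {
    check_prereqs || return 1
    ipset -L "$SET_NAME" >/dev/null 2>&1 || ipset -N "$SET_NAME" hash:ip
    # Bind-mount the ipset-capable dnsmasq once; /proc/mounts records it.
    grep -q ' /usr/sbin/dnsmasq ' /proc/mounts \
        || mount -o bind "$JFFS_USR/sbin/dnsmasq" /usr/sbin/dnsmasq
    opt=$(build_ipset_option "$SET_NAME" $DOMAINS) || return 1
    if [ "$(nvram get dnsmasq_options)" != "$opt" ]; then
        nvram set dnsmasq_options="$opt" && nvram commit
        stopservice dnsmasq; startservice dnsmasq
    fi
    IPT="$JFFS_USR/sbin/iptables"
    # -C tests for the rule first, so repeated runs do not stack copies of it.
    $IPT -t mangle -C PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK" 2>/dev/null \
    || $IPT -t mangle -I PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK"
    # ip rule add is not idempotent either; ip prints marks in hex.
    ip rule show | grep -q "fwmark $(printf '0x%x' "$FWMARK") " \
        || ip rule add prio 100 fwmark "$FWMARK" lookup "$RT_TABLE"
    # "via" the WAN gateway so the table also works on an Ethernet WAN, where
    # a bare "default dev" would try to ARP for every destination.
    ip route replace table "$RT_TABLE" default \
        via "$(nvram get wan_gateway)" dev "$(nvram get wan_ifname)"
}

case "${1:-}" in
    apply) apply ;;
    check) check_prereqs && echo "prerequisites present" ;;
esac
```

Save it under /jffs and call it with `apply` from the Administration -> Commands startup script (`check` only reports). Two caveats the post does not mention: the set is populated only by names the router's own dnsmasq resolves, so a client that uses another resolver (or a browser doing DNS over HTTPS) is still routed through the VPN; and the archives are fetched over plain HTTP from forum attachments with no published checksum, so record a hash of what you extracted and compare it before reusing the files on another router.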
SmallvilleLA
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 20

Posted: Tue Jun 21, 2016 2:44    Post subject: Interesting read and question
Thanks for your work on this. I ran across this link and thought it might be helpful. https://github.com/Netflix/eureka/wiki/Deploying-Eureka-Servers-in-EC2

Also, since Netflix communication is/or should be initiated by me or whoever, is there a way to only allow Netflix access to the designated port when/if the app or website is opened?
nahdude
DD-WRT Novice


Joined: 01 Jul 2012
Posts: 21

Posted: Tue Jun 21, 2016 22:18    Post subject: Re: Interesting read and question
SmallvilleLA wrote:
Thanks for your work on this. I ran across this link and thought it might be helpful. https://github.com/Netflix/eureka/wiki/Deploying-Eureka-Servers-in-EC2

Also, since Netflix communication is/or should be initiated by me or whoever, is there a way to only allow Netflix access to the designated port when/if the app or website is opened?


SmallvilleLA,

The netflix domains mentioned in the github link are already covered in the OP. Since I don't use netflix and can't test it, there still might be other domains netflix uses depending on the device and/or app used.

The solution in this thread should do what you are asking. Any traffic destined for these domains

netflix.com
nflxext.com
nflximg.com
nflxvideo.net
amazonaws.com

will route through the internet connection, not your vpn connection. It's my understanding that netflix blocks connections from certain vpn and proxy providers.

Have you had a chance to test it?
SmallvilleLA
DD-WRT Novice


Joined: 03 Jun 2016
Posts: 20

Posted: Wed Jun 22, 2016 20:28
Thanks. No I haven't yet. I have to choose and set up my VPN first. I thought I'd seen some sort of standard routing table, so once I find that again and get set up, I can test. From my experiences with Netflix, I got the proxy error even when the proxy was off. The DNS was the only part of the proxy left. They're monitoring the DNS traffic and/or resolved IPs for higher than normal volume, then flagging the IP as proxy.
I asked about filtering the access for Netflix only when I initiate communication because I don't trust them trying to fish around for whatever reason otherwise.
The proxy I have allows my MLB.com subscription to work, so I also need to get that working with/through or around the VPN. One step at a time.
plawlor
DD-WRT Novice


Joined: 26 Dec 2015
Posts: 19

Posted: Wed Jun 29, 2016 12:59    Post subject: Re: route traffic by domain with dnsmasq and ipset
nahdude wrote:
To test, grab the following two files and extract them in /jffs/usr
These files have been tested to work on the arm based r7000 router running kernel 3.10

ipset_ipt_libmnl.K3.Arm.tar
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=279586

dnsmasq_ipset.tar
http://www.dd-wrt.com/phpBB2/viewtopic.php?t=302273

nahdude,

This is exactly what I am looking for. However, I'm having trouble uploading the files. First of all, on my system, there is no usr subdirectory under jffs. jffs is just an empty directory. The usr directory is off of the root dir. If I try to upload them there instead, I get a warning that I am overwriting existing files. If I say yes, I get a read-only error.

Can you please provide me with some additional guidance? Sorry, but new to router commands.

Thanks,
Peter
plawlor
DD-WRT Novice


Joined: 26 Dec 2015
Posts: 19

Posted: Wed Jun 29, 2016 13:07
Also, if I try to create a new usr subdirectory under jffs, I also get a read-only error. I am logged in as root, but do not seem to have any write permissions to the file system.

Peter
plawlor
DD-WRT Novice


Joined: 26 Dec 2015
Posts: 19

Posted: Wed Jun 29, 2016 13:16
Sorry. I did a little web research and figured out how to enable JFFS2 support on my router. I can now upload the files to jffs/usr. I'll try the rest now. Assuming these are commands I just execute through a Telnet session?

Peter
nahdude
DD-WRT Novice


Joined: 01 Jul 2012
Posts: 21

Posted: Thu Jun 30, 2016 2:21
plawlor wrote:
Sorry. I did a little web research and figured out how to enable JFFS2 support on my router. I can now upload the files to jffs/usr. I'll try the rest now. Assuming these are commands I just execute through a Telnet session?

Peter


plawlor,

Good call, I will edit the op to mention having jffs enabled and also include instructions on how to download the files directly to the router.

Yes, you will need to enter the commands in a terminal window.

In the other thread you mentioned that you are running an Asus AC3100 router loaded with build v3.0-r29974M. This router has an arm processor so the files should work, but the xt_set module was compiled from the 3.10 kernel. I didn't check, is r29974 compiled from kernel 4.4? If so, the module might not load.
plawlor
DD-WRT Novice


Joined: 26 Dec 2015
Posts: 19

Posted: Thu Jun 30, 2016 19:56
nahdude wrote:
In the other thread you mentioned that you are running an Asus AC3100 router loaded with build v3.0-r29974M. This router has an arm processor so the files should work, but the xt_set module was compiled from the 3.10 kernel. I didn't check, is r29974 compiled from kernel 4.4? If so, the module might not load.

You're correct, the module does not load. In fact, the first command just hangs forever - prompt never comes back and terminal session eventually times out.

My VPN service actually resolved the Netflix issue finally after four months, so I am good for now. However, I'm going to keep this post bookmarked as I'm pretty sure the Netflix woes will return.

I'm not sure how to tell which build my version is from, but here is the full version info:

DD-WRT v3.0-r29974M std (06/20/16)

Thanks for your work on this.

Peter
plawlor
DD-WRT Novice


Joined: 26 Dec 2015
Posts: 19

Posted: Thu Jun 30, 2016 19:59
I think I found it. Yes, looks like 4.4.

Linux 4.4.13 #964 SMP Mon Jun 20 05:56:36 CEST 2016 armv7l

Any chance you could produce a 4.4. version?

Thanks,
Peter
NightHawkR7000
DD-WRT Novice


Joined: 24 Sep 2016
Posts: 1

Posted: Sat Sep 24, 2016 17:04    Post subject: Re: route traffic by domain with dnsmasq and ipset
nahdude wrote:


Next, use iptables to mark the packets destined for the given domains

Code:
/jffs/usr/sbin/iptables -I PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 1




@nahdude

After this command I get this message:

sh: eval: line 1: /jffs/usr/sbin/iptables: not found

Do you have any idea what I did wrong?

I've followed all the previous commands on my R7000

Thx already
xilraazz
DD-WRT Novice


Joined: 27 Sep 2016
Posts: 2

Posted: Tue Sep 27, 2016 2:57
I followed the steps in the OP and didn't receive any error messages, however, everything still routes out the VPN gateway.
DD-WRT v24-sp2 (06/23/14) std
nahdude
DD-WRT Novice


Joined: 01 Jul 2012
Posts: 21

Posted: Wed Sep 28, 2016 2:53
NightHawkR7000 wrote:
After this command I get this message:
sh: eval: line 1: /jffs/usr/sbin/iptables: not found
Do you have any idea what I did wrong?


NightHawkR7000,

Which firmware/revision are you using?
What's the output of
Code:
ls -l /jffs/usr/sbin


xilraazz wrote:
I followed the steps in the OP and didn't receive any error messages, however, everything still routes out the VPN gateway.
DD-WRT v24-sp2 (06/23/14) std


xilraazz,

What router are you testing this on?
Do you know if it has an arm processor?
xilraazz
DD-WRT Novice


Joined: 27 Sep 2016
Posts: 2

Posted: Wed Sep 28, 2016 4:23
nahdude wrote:


xilraazz,

What router are you testing this on?
Do you know if it has an arm processor?

Buffalo WZR-1750DHP
ARMv7 Processor rev 0 (v7l)
JonnyBoy333
DD-WRT Novice


Joined: 02 Oct 2016
Posts: 2

Posted: Mon Oct 17, 2016 4:31
Anyone know why when I get to this step:

Code:
/jffs/usr/sbin/iptables -I PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 1


I'm getting an error of
Code:
iptables: No chain/target/match by that name.


?