Thanks for the guide; it helped me implement some ipset policies via Dnsmasq that need to bypass a VPN connection.
I've noticed with Netflix, however, that the initial domain list provided appears to be enough to prevent the dreaded "VPN/Proxy error", but streaming errors can still occur with error codes Q8226 and Q8227.
I observed streams getting past the 7% stage (usually where any proxy or VPN detection occurs), hanging at 20% and then erroring out with the above codes (mostly Q8226), labelled "Unknown error has occurred". I contacted Netflix and they informed me that the error is specific to routing, which makes sense. They aren't in a position to troubleshoot knowing a VPN is in use (though I did explain I am ensuring traffic DOES NOT use the VPN), but they did confirm that my WAN IP was visible in my account/connection logs, so the traffic was being routed through the WAN. A traceroute will confirm this too.
What appears to be the problem is that some Netflix domains may not initially be part of the policy but get added after the error occurs, since in some cases IP addresses are added as requests are made. It seems that Netflix might be seeing that some connections are from my WAN IP while others (initially) are not, and that's probably why the app detects something strange is going on.
Streaming another item immediately after the error works with no problem, likely because the ipset policy now contains the IPv4 address that was previously not going through the WAN. I guess the initial domain policy might need to be expanded to prevent this error completely.
- All MIPS references will need to be replaced by ARM equivalents, as this was written for a MIPSEL ASUS RT-N66U.
You'll ideally need a Linux machine to check out the SVN source for the Linux kernel and go from there to compile the module. You then need to move the compiled module onto your router (usually JFFS is a good place) and insmod it. Unfortunately, DD-WRT doesn't have modprobe, so it gets tricky to debug if the module fails or crashes.
_________________
James
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
Router Model: Dlink-DIR880L
Firmware Version: DD-WRT v3.0-r29837 std (06/06/16)
Kernel Version: Linux 4.4.12 #883 SMP Fri Jun 3 13:48:18 CEST 2016 armv7l
I also support some ASUS RT-AC88U routers running Merlin's Firmware 380.64_2 release. Swetoast on snbforums.com has written some malware-filter and privacy-filter scripts using ipset that I want to run on the DD-WRT router listed above. But I need ipset to run the scripts. On an attempt to run the malware-filter script, I did see this error:
insmod: ip_set.ko: module not found
insmod: ip_set_hash_net.ko: module not found
insmod: ip_set_hash_ip.ko: module not found
insmod: xt_set.ko: module not found
I did follow the instructions in the OP and had mixed results. The first and subsequent attempts stopped DHCP Service from running. I have some ad blocking files in the Additional DNSMasq Options as follows:
command, it would hang at the command prompt. Sometimes I would then lose access to the web GUI too, as others have described. I found the DHCP service had stopped. I then had to set a static IP on my client to reconnect. If I lost the web GUI, I would issue the command in an SSH session:
httpd -p 80 or httpd -h /www and sometimes the command reboot at the command prompt.
What I found is that many strange (hex?) characters were inserted into one or both of the .conf files when trying to insmod xt_set.ko. When I removed the reference to the files in Additional DNSMasq Options, I could get the DHCP service back up. Sometimes I would have to do a restore of the configuration and restore the .conf files from backup.
I wonder if the xt_set module contained in ipset_ipt_libmnl.K3.Arm.tar is not compatible with my kernel?
lsmod | grep "xt_set"
returns nothing on DD-WRT. On my ASUS RT-AC88U running Merlin Firmware 380.64_2, it returns
When I issue the command on DD-WRT
ipset -v, it returns: ipset v6.21.1, protocol version: 6
On Merlin FW:
ipset v6.29, protocol version: 6
So ipset appears to work on DD-WRT.
I am hesitant to try any further attempts, as I have brought down the internet for many users on my several attempts.
Any suggestions are greatly appreciated. Thank you!
Sadly this doesn't work for me. The traffic that should be bypassing the VPN is going nowhere (I get a lot of "connection timed out" messages). I follow all the steps without getting any error messages. I can see that IP addresses are being added using ipset -L.
Beyond that, I don't really know enough to find where the packets are going astray.
My PREROUTING mangle table looks like this:
Chain PREROUTING (policy ACCEPT 10536 packets, 4960K bytes)
pkts bytes target prot opt in out source destination
578 98066 MARK all -- any any anywhere anywhere match-set NETFLIX dst MARK set 0x1
40 15060 MARK all -- !vlan2 any anywhere XXXXXXXXXXXXXXX MARK or 0x80000000
19905 8231K CONNMARK all -- any any anywhere anywhere CONNMARK and 0x0
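The two problems in this thread are really the two halves of the same setup: the first post finds that the ipset only fills with addresses as dnsmasq resolves names (so the first stream can hit addresses that were never marked), and the last post has a MARK rule that counts packets but traffic that "goes nowhere". A MARK rule only tags packets; an `ip rule` for that fwmark and a routing table with a default route behind it are what actually steer them past the tunnel. The script below is an added example, not code from this thread or from the guide it replies to: it collects the pieces of such a policy (dnsmasq `ipset=` line, set, mark rule, policy rule and table) and an offline check that reads the outputs of `iptables -t mangle -L PREROUTING -v`, `ip rule show` and `ip route show table N` and reports which link is missing. Set name, mark value, table number, WAN interface, gateway address and the domain list are all assumptions, and the sample outputs are constructed (the mangle listing is modelled on the one posted above).

```shell
#!/bin/sh
# Added example, not from the thread: dnsmasq + ipset VPN-bypass pieces and an
# offline consistency check over "iptables -t mangle -L PREROUTING -v",
# "ip rule show" and "ip route show table N". Names/values below are assumptions.

SET_NAME=NETFLIX
FWMARK=0x1
TABLE=100               # assumed: spare routing table for WAN-only traffic
WAN_IF=vlan2            # assumed: WAN interface (vlan2 in the listing above)
WAN_GW=203.0.113.1      # assumed: WAN gateway, documentation address

# dnsmasq side (goes in "Additional DNSMasq Options"). dnsmasq adds every A record
# it answers for these names to the set; a name never resolved through dnsmasq is
# never added, so the set starts empty and only fills as clients look names up.
DNSMASQ_LINE="ipset=/netflix.com/nflxvideo.net/nflximg.net/$SET_NAME"

# Router side (needs root; defined for reference, never run by this script).
apply_bypass() {
    ipset create "$SET_NAME" hash:ip -exist
    iptables -t mangle -A PREROUTING -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$FWMARK"
    # The MARK rule only tags packets. These two lines do the actual steering:
    # packets carrying the mark are looked up in TABLE, whose only route is the WAN.
    ip rule del fwmark "$FWMARK" table "$TABLE" 2>/dev/null
    ip rule add fwmark "$FWMARK" table "$TABLE"
    ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    ip route flush cache
}

# Mark value set by the MARK rule for set $1; stdin = "iptables -t mangle -L PREROUTING -v".
mark_for_set() {
    awk -v s="$1" '$0 ~ ("match-set " s " ") && /MARK set/ { print $NF; exit }'
}

# Routing table that "ip rule show" (stdin) sends packets carrying fwmark $1 to.
table_for_mark() {
    awk -v m="$1" '$0 ~ ("fwmark " m "( |/|$)") {
        for (i = 1; i <= NF; i++) if ($i == "lookup" || $i == "table") { print $(i + 1); exit }
    }'
}

# True if "ip route show table N" (stdin) contains a default route.
has_default_route() {
    grep -q '^default '
}

# $1: mangle PREROUTING listing, $2: ip rule listing, $3: route listing of the
# table the rule points at. Returns 0 only when all three links are present.
check_bypass_routing() {
    mark=$(printf '%s\n' "$1" | mark_for_set "$SET_NAME")
    [ -n "$mark" ] || { echo "FAIL: no MARK rule for set $SET_NAME in mangle PREROUTING"; return 1; }
    table=$(printf '%s\n' "$2" | table_for_mark "$mark")
    [ -n "$table" ] || { echo "FAIL: packets get mark $mark but no ip rule looks up that fwmark"; return 1; }
    printf '%s\n' "$3" | has_default_route || { echo "FAIL: table $table has no default route"; return 1; }
    echo "OK: mark $mark -> table $table -> $(printf '%s\n' "$3" | grep '^default ')"
}

# Constructed sample outputs (the mangle listing mirrors the one posted above).
SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 10536 packets, 4960K bytes)
 pkts bytes target prot opt in out source destination
  578 98066 MARK all -- any any anywhere anywhere match-set NETFLIX dst MARK set 0x1'
SAMPLE_RULES_OK='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main
32767: from all lookup default'
SAMPLE_RULES_NO_FWMARK='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE_100='default via 203.0.113.1 dev vlan2'

echo "dnsmasq option: $DNSMASQ_LINE"
check_bypass_routing "$SAMPLE_MANGLE" "$SAMPLE_RULES_OK" "$SAMPLE_TABLE_100"
check_bypass_routing "$SAMPLE_MANGLE" "$SAMPLE_RULES_NO_FWMARK" "$SAMPLE_TABLE_100" || true

# On the router itself (as root) the same check runs against live output:
#   check_bypass_routing "$(iptables -t mangle -L PREROUTING -v)" "$(ip rule show)" "$(ip route show table $TABLE)"
```

Run on the router, the check tells you which of the three links is absent rather than leaving you to guess from packet counters: a MARK rule with a rising counter but no matching `ip rule` means marked packets fall through to the main table, which is exactly where a `redirect-gateway` VPN has put its default route. The domain list is deliberately the part you should expect to tune; watching `ipset list NETFLIX` grow during a failed play, as the first post describes, is the simplest way to see which names were missing.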