I saw a other forum where you where talking about the same thing, i also experience freezes in the console when do a create commando.
I will follow that one for new information.
After doing manually the command "insmod ip_set_hash_ip" ipset works.
In your script i changed "ipset -N $IPSET iphash -q" to "ipset -N $IPSET hash:ip -q" and the script is up and running.
Ipchicken give isp ip and netflix stream
Only thing is that after a router reboot i have to log in manually to give the "insmod ip_set_hash_ip" command, is there a way to do this automatically, i have tried to but it in the firewall or INT script but no luck, the log still shows some errors (but it works) dont know if they are imported http://pastebin.com/xsi9T5hb
One other question, all streams from netflix.com are working perfectly, but when using the windows 8.1/10 app (only with the app you can get 5.1 sound) i still get a proxy error so the app is maybe connecting to a other domain/ip? is there a way to trace this? funny thing is that the ips are stored in the table when opening a serie in the app, but it won’t play.
After doing manually the command "insmod ip_set_hash_ip" ipset works.
In your script i changed "ipset -N $IPSET iphash -q" to "ipset -N $IPSET hash:ip -q" and the script is up and running.
Ipchicken give isp ip and netflix stream
Only thing is that after a router reboot i have to log in manually to give the "insmod ip_set_hash_ip" command, is there a way to do this automatically, i have tried to but it in the firewall or INT script but no luck, the log still shows some errors (but it works) dont know if they are imported http://pastebin.com/xsi9T5hb
One other question, all streams from netflix.com are working perfectly, but when using the windows 8.1/10 app (only with the app you can get 5.1 sound) i still get a proxy error so the app is maybe connecting to a other domain/ip? is there a way to trace this? funny thing is that the ips are stored in the table when opening a serie in the app, but it won’t play.
After opening the serie in the webbrowser and closing it, it will play in the app.
My use case is that I'm running DD-WRT v3 with OpenVPN for all traffic in my network and Netflix is blocking me even though I'm a US user and connecting to Netflix through US vpn gateways. So I needed a solution to selectively route Netflix traffic over my regular ISP cable modem network (non-vpn), while still sending all other traffic over the vpn tunnel.
Thanks so much @eibgrad for your instruction and script. This has worked out beautifully for me. I have modified your script so it can be used for...
---- Multiple Netflix (and other) server domains
---- Class C routes ... to catch a wider net of IPs
---- With a startup delay at boot time to allow network connections to complete
As noted by before, it is absolutely necessary to remove any 'Policy Based Routing' commands (including comments!) from the VPN setup page in DD-WRT.
I have put the below script in my DD-WRT Startup Commands. You can also download the attached .txt file for your use. I hope it helps!
# dd-wrt selective domain routing
WAN_GW="$(nvram get wan_gateway)"
# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
# extract ip addresses
for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
# add class c route for each ip address to wan gateway
ip route add `echo $ip | cut -d . -f 1,2`.0.0/16 via $WAN_GW
done
done
# flush cache
ip route flush cache
EOF
chmod +x $SCRIPT
sleep 60
$SCRIPT
I copy and pasted this script in the commands section and saved clicked "Saved Startup" then rebooted my R7000. For some reason this script is not working for me. Still getting netflix proxy errors. I'm not using any policy based routing. Any ideas?
Works! one last thing, any idea why the netflix metroapp doesnt add "all" the ips? and the webbrowser does?
it looks lik it cant be any "forgotten" Dnsmasq domain because the webbrowser works.
When opening the iphone app, is still gives a proxy error with some series/movies, some will play
Realize I did this on the fly and only did some brief testing. It may require some refinement depending on your results.
The script goes into the firewall script and shouldn't require any modifications. But you will have to modify DNSMasq to include the appropriate ipset command for the domains you want routed over the WAN. I threw in ipchicken.com in my example because it just made it easier to see if it was working.
Anytime you're interested in what IPs have been stored in the ipset hash table, you can dump it w/ the following command.
ipset -L lan2wan
Remember folks, this is a tomato script, not dd-wrt. AFAIK, dd-wrt doesn't support ipset.
I have VPN set up in the router so everything runs through the VPN but i want to use different servers for different uses.
What i want is to have 3 connections:
1. Create a Virtual Interfaces with a SSID for non VPN use
2. Create a VI SSID for netflix VPN USA use
3. Create a VI SSID for netflix VPN local use
I take it all you have to do is copy the script to the start up cmd, and it will work no other setting need to added in additional places, cause i can't get it to work, still get netflix proxy error. Im in the UK using openvpn:- IPVANISH on R3000 router with build 31520m.
If some one could explain this advancing routing thing put me in the right direction, with few example comes of adding netflix pls
I tried the script you posted above save as startup, but changing the domains to:
plex.tv
www.plex.tv
whatsmyip.org
amazonaws.com
Also before I tried it I removed the VPN blocking script from my firewall, and also removed "dev tun0" from the additional config in the openvpn client.
So the script worked for whatsmyip.org, showing my ISPs IP, but plex would not connect. As soon as I put "dev tun0" back in then plex connects through my ISP but browsers have no connection over vpn.
If I add to the firewall:
#Vpn incoming traffic blocker
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -i tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -m state --state NEW -j DROP
Same result.
Then when I add the additional:
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
plex no longer connects but now the browser works over the vpn.
Also, in every scenario listed above, whatsmyip.org showed my ISPs IP.
I've tried adding various port forwarding rules which seem to work but then not so much after a while.
Was wondering if there is anything you could change or add to the blocking script to make it work as I would prefer to have that in place.
I know, special case. Still here's what I've tried today. I tried a few different builds of dd-wrt. Not sure if that has had any effect on things or perhaps just the multiple resets to factory defaults. Anyway, using your pastebin script from a few posts back saved in my startup, and one of your other scripts saved in my firewall I seem to have plex connecting through my ISP. I say "seem" because it's only been for a couple of hours so far.
Now for the "but", and it's a rather big but, (almost as big as mine!). With the killswitch in place it cuts connection to plex whether the VPN is up or down. I have attached my firewall script if you can take a quick look and tell me if you can see an obvious reason why, or if just another one in the long list of gremlins plaguing my setup?
Okay, seems to be all set now, made a change to the killswitch and all is working well together. Plex has been connected for over 12 hours now with no drops. I guess time will tell if it will last. Thanks for all your help.
eibgrad, I have added your script to my jffs dir and even added a few extra domains. I've verified everything is working. There are close to 150 routes being pushed to my wan. The issue is that netflix is still saying I'm using a proxy/vpn and not allowing me to watch a video. The goal of course was to route all traffic on my network over the VPN except netflix which was blocking me and this is sadly become more difficult than I thought it would be. If anyone has any fixes or any ideas I can try I would greatly appreciate it.
Posted: Sun Mar 26, 2017 3:16 Post subject: Testing in March 2017
dahosepipe wrote:
My use case is that I'm running DD-WRT v3 with OpenVPN for all traffic in my network and Netflix is blocking me even though I'm a US user and connecting to Netflix through US vpn gateways. So I needed a solution to selectively route Netflix traffic over my regular ISP cable modem network (non-vpn), while still sending all other traffic over the vpn tunnel.
Thanks so much @eibgrad for your instruction and script. This has worked out beautifully for me. I have modified your script so it can be used for...
---- Multiple Netflix (and other) server domains
---- Class C routes ... to catch a wider net of IPs
---- With a startup delay at boot time to allow network connections to complete
As noted by before, it is absolutely necessary to remove any 'Policy Based Routing' commands (including comments!) from the VPN setup page in DD-WRT.
I have put the below script in my DD-WRT Startup Commands. You can also download the attached .txt file for your use. I hope it helps!
# dd-wrt selective domain routing
WAN_GW="$(nvram get wan_gateway)"
# list domains for selective routing
for domain in \
"netflix.com" \
"ichnaea.netflix.com" \
"movies.netflix.com" \
"www.netflix.com" \
"nflxext.com" \
"cdn1.nflxext.com" \
"nflximg.com" \
"nflxvideo.net" \
"ipv4_1.cxl0.c145.sjc002.ix.nflxvideo.net" \
"amazonaws.com" \
"whatsmyip.org"
do
# extract ip addresses
for ip in $(nslookup $domain | awk '/^Name:/,0{if (/^Addr/)print $3}'); do
# add class c route for each ip address to wan gateway
ip route add `echo $ip | cut -d . -f 1,2`.0.0/16 via $WAN_GW
done
done
# flush cache
ip route flush cache
EOF
chmod +x $SCRIPT
sleep 60
$SCRIPT
Ok so a year after the OP... here were my results.. null
No sorry I can't help with any logs. It has been many days of troubleshooting and I am exhausted. So technically a rather useless post sorry. Here is what I got...
I have dd-wrt on a tp-link Archer C7 AC1750 v2 router using OpenVPN and PIA is my VPN provider.
I used the script above and fired up my roku.. netflix. No go.
I checked whatsmyip.org and it did show my correct ip address. So I know that aspects of the script are in fact working. I did read this whole thread before posting. I think it is a case of chasing after load balancing and huge distributed data centers. They also purposefully obfuscate their DNS record etc. Alas this means I will have to write Netflix a letter at their corporate office asking them to please offer a proxy service to bypass ISP spying.
I know this is not technical and political but if you would like to write netflix a letter the corporate office is as follows
Netflix inc
100 Winchester Circle
Los Gatos, CA 95032
I also wrote a form letter you can cut and paste to save your fingers. Lets flood their mailbox with this. It really pisses me off. I have spent several days trying to get passed these restrictions. Trying several different VPNs. PIA is the best for work.. So I am sticking with it. However, for my home network? It just blows the ISP (who is in direct compete with the freaking Netflix) show see my data to and from their servers. Tisk tisk netflix.
To whom it may concern,
I have been a Netflix subscriber since your early DVD only days. For many years I have supported EFF.org and other organizations in the interest of keeping the Internet free and open. I have advocated for you company and countless others by volunteering and donating. Please think where Netflix would be today if Comcast and Time Warner were to ask for a large fee to offer a service that competes with them in the entertainment industry? I know Netflix could afford to pay the fee today, but I ask you to think back.. Would Netflix as a streaming content provider exist if such fees would have been in place during your early days?
In the interest of privacy and net neutrality I am writing to request that you add a proxy server to your rack. I know this is asking a lot. I am a network administrator. I would be willing, for an additional fee to connect to a proxy in order to maintain my privacy when using the Netflix streaming service.
I understand your reasons for blocking VPN and Proxies. Netflix inc. have to assure creators that upload their content that location restrictions are being met.
However, if a user connects to a proxy server under a Netflix domain then Netflix can handle authentication. My only interest is to maintain privacy from my ISP. I am located in the US and wish for only netflix to know what I do on Netflix.
I thank you for your consideration in this matter. Congratulations on your many years of growth. I am happy to have been one of millions helping you get there.
A long time subscriber,
If there be any solution someone has found to track all the changes in a nice little script? That would be beyond fabularrrrr.
Sorry for the rant and the long post. And to any dev's who might read this. dd-wrt is a true gift, thank you sooo much for working on the project.
