Posted: Thu Jun 16, 2016 3:05 Post subject: route traffic by domain with dnsmasq and ipset
Hello,
Some dd-wrt users are looking for a solution to route traffic by domain name.
Most of these users want to route traffic for streaming services like netflix or youtube.
Since it's near impossible to keep track of all the IPs used by these types of services, creating static routes won't work.
A solution is to use the built-in ipset feature of dnsmasq.
This feature will add all the IPs resolved for the given domains to an ipset (list) that can be used by iptables.
Then with a simple policy based route, all traffic destined for those domains can be routed through an alternate gateway or vpn.
You will need to have jffs enabled on your router.
To test, grab the following two files and extract them in /jffs/usr
These files have been tested to work on the arm based r7000 router running kernel 3.10
Next, configure the domains for which all resolved IPs should be added to the NETFLIX set.
This can be done in the GUI in the 'Additional DNSMasq Options' box on the 'Services' tab.
The domains listed here are from the post mentioned above. Since I don't use netflix this might not cover all the domains needed.
nvram set dnsmasq_options="ipset=/netflix.com/nflxext.com/nflximg.com/nflxvideo.net/amazonaws.com/whatsmyip.org/NETFLIX"
nvram commit
Next, restart dnsmasq
Code:
stopservice dnsmasq
startservice dnsmasq
Next, use iptables to mark the packets destined for the given domains
Code:
/jffs/usr/sbin/iptables -I PREROUTING -t mangle -m set --match-set NETFLIX dst -j MARK --set-mark 1
Now, set up the policy based route to send netflix traffic out the wan instead of the vpn
Code:
ip rule add prio 100 fwmark 1 lookup 100
ip route add table 100 default dev $(nvram get wan_ifname)
The device(s) connected to the router might need to have the dns cache flushed.
The IPs won't be added to the ipset unless dnsmasq resolves them first.
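As an added example (not code from the original post), the steps above gathered into shell functions, plus a preflight check for the two failures reported later in the thread (iptables not found under /jffs/usr/sbin, xt_set/ipset not loading). The set name, mark and table number are assumed to match the OP, and DRY_RUN=1 makes the functions print each command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the original post: the thread's steps
# (dnsmasq ipset option, fwmark rule, policy route) as checkable functions.
# Assumed: set name, mark and table are the OP's values but arbitrary.
SET_NAME="${SET_NAME:-NETFLIX}"
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"
IPTABLES="${IPTABLES:-/jffs/usr/sbin/iptables}"

# DRY_RUN=1 prints the command instead of executing it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Build the dnsmasq option "ipset=/dom1/dom2/SET". Only plain hostnames are
# accepted so a stray character cannot corrupt the whole option string.
build_ipset_option() {
    set_name="$1"; shift
    [ $# -gt 0 ] || { echo "no domains given" >&2; return 1; }
    opt="ipset="
    for d in "$@"; do
        case "$d" in
            ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) echo "bad domain: $d" >&2; return 1 ;;
        esac
        opt="$opt/$d"
    done
    printf '%s\n' "$opt/$set_name"
}

# Preflight for the failures seen in the thread: iptables missing from
# /jffs/usr/sbin, or the set not usable because xt_set/ipset did not load.
# dnsmasq only fills the set, so it has to exist before dnsmasq starts.
check_prereqs() {
    [ -x "$IPTABLES" ] || { echo "$IPTABLES not found" >&2; return 1; }
    ipset list "$SET_NAME" >/dev/null 2>&1 || { echo "ipset $SET_NAME missing" >&2; return 1; }
}

# Mark packets whose destination is in the set, then send marked packets
# out the given WAN interface via a dedicated routing table.
apply_policy_route() {
    wan_if="$1"
    run "$IPTABLES" -t mangle -I PREROUTING -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$MARK"
    run ip rule add prio "$TABLE" fwmark "$MARK" lookup "$TABLE"
    run ip route add table "$TABLE" default dev "$wan_if"
}

# Undo in reverse order so an aborted test leaves no stray rule behind.
remove_policy_route() {
    wan_if="$1"
    run ip route del table "$TABLE" default dev "$wan_if"
    run ip rule del prio "$TABLE" fwmark "$MARK" lookup "$TABLE"
    run "$IPTABLES" -t mangle -D PREROUTING -m set --match-set "$SET_NAME" dst -j MARK --set-mark "$MARK"
}
```

Create the set before restarting dnsmasq (standard ipset syntax: ipset create NETFLIX hash:ip), since dnsmasq adds addresses to an existing set but does not create one.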
Also, since Netflix communication is/or should be initiated by me or whoever, is there a way to only allow Netflix access to the designated port when/if the app or website is opened?
SmallvilleLA,
The netflix domains mentioned in the github link are already covered in the op. Since I don't use netflix and can't test it, there still might be other domains netflix uses depending on the device and/or app used.
The solution in this thread should do what you are asking. Any traffic destined for these domains will route through the internet connection, not your vpn connection. It's my understanding that netflix blocks connections from certain vpn and proxy providers.
Thanks. No I haven't yet. I have to choose and set up my VPN first. I thought I'd seen some sort of standard routing table, so once I find that again and get set up, I can test. From my experiences with Netflix, I got the proxy error even when the proxy was off. The DNS was the only part of the proxy left. They're monitoring the DNS traffic and/or resolved IPs for higher than normal volume, then flagging the IP as proxy.
I asked about filtering the access for Netflix only when I initiate communication because I don't trust them trying to fish around for whatever reason otherwise.
The proxy I have allows my MLB.com subscription to work, so I also need to get that working with/through or around the VPN. One step at a time.
Posted: Wed Jun 29, 2016 12:59 Post subject: Re: route traffic by domain with dnsmasq and ipset
nahdude wrote:
To test, grab the following two files and extract them in /jffs/usr
These files have been tested to work on the arm based r7000 router running kernel 3.10
This is exactly what I am looking for. However, I'm having trouble uploading the files. First of all, on my system, there is no usr subdirectory under jffs. jffs is just an empty directory. The usr directory is off of the root dir. If I try to upload them there instead, I get a warning that I am overwriting existing files. If I say yes, I get a read-only error.
Can you please provide me with some additional guidance? Sorry, but new to router commands.
Also, if I try to create a new usr subdirectory under jffs, I also get a read-only error. I am logged in as root, but do not seem to have any write permissions to the file system.
Sorry. I did a little web research and figured out how to enable JFFS2 support on my router. I can now upload the files to jffs/usr. I'll try the rest now. Assuming these are commands I just execute through a Telnet session?
Peter
plawlor,
Good call, I will edit the op to mention having jffs enabled and also include instructions on how to download the files directly to the router.
Yes, you will need to enter the commands in a terminal window.
In the other thread you mentioned that you are running an Asus AC3100 router loaded with build v3.0-r29974M. This router has an arm processor so the files should work, but the xt_set module was compiled from the 3.10 kernel. I didn't check, is r29974 compiled from kernel 4.4? If so, the module might not load.
You're correct, the module does not load. In fact, the first command just hangs forever - prompt never comes back and terminal session eventually times out.
My VPN service actually resolved the Netflix issue finally after four months, so I am good for now. However, I'm going to keep this post bookmarked as I'm pretty sure the Netflix woes will return.
I'm not sure how to tell which build my version is from, but here is the full version info:
After this command I get this message:
sh: eval: line 1: /jffs/usr/sbin/iptables: not found
Do you have any idea what I did wrong?
I followed the steps in the OP and didn't receive any error messages, however, everything still routes out the VPN gateway.
DD-WRT v24-sp2 (06/23/14) std
NightHawkR7000,
Which firmware/revision are you using?
What's the output of
Code:
ls -l /jffs/usr/sbin
xilraazz wrote:
I followed the steps in the OP and didn't receive any error messages, however, everything still routes out the VPN gateway.
DD-WRT v24-sp2 (06/23/14) std
xilraazz,
What router are you testing this on?
Do you know if it has an arm processor?