Posted: Sat Jul 15, 2017 9:00 Post subject: ipset the easy way for Netgear R7000
For VPN users out there, it's becoming a more commonly asked question: "how can I bypass specific websites going through a VPN tunnel?". The best way to achieve this, in my opinion, is the dnsmasq+ipset combo, but with DD-WRT not including ipset and the dnsmasq binary built into the firmware not being compiled with ipset support, it's a little challenging for some.
I've created a small GitHub repo that essentially provides all you need for ipset support on DD-WRT along with documentation and requirements, supporting both kernel 3.10 and 4.4 builds.
It requires you to have opkg set up in some form so you can install additional .ipk packages to /opt. You can also copy the contents of the /opt folder to get the binaries, but it's not the recommended method or very maintainable.
It is tailored to the Netgear R7000 as that's the main router I use, so I can 100% ensure compatibility with the packages and modules. It may also work for others that are also ARMv7 Broadcom based, but the main difference is likely to be the toolchain or kernel source used.
In addition, there is a wiki on how to compile the xt_set.ko module yourself if you do indeed need to use a specific toolchain and a different kernel version compared to the Netgear R7000.
Hopefully in the future DD-WRT will have this built into firmware builds without having to use this route. For now though, I hope it helps people who want ipset support on their routers, and also helps anyone who wishes to compile modules and such themselves with guidance.
_________________
James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
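How the dnsmasq+ipset combo named in the post above fits together, as an added example that is not part of the original thread or the linked repo. The set name, firewall mark, routing table number, WAN interface and gateway address are assumptions chosen for illustration, and the script only prints the configuration rather than applying it.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for a dnsmasq+ipset
# VPN bypass. It only prints; set name, mark and table number are assumed.
SET_NAME="vpn_bypass"   # assumed ipset name
FWMARK="0x1"            # assumed firewall mark
RT_TABLE="100"          # assumed routing table number

# Accept only plain hostnames so a crafted list entry cannot inject extra
# dnsmasq directives or shell syntax into the generated output.
valid_domain() {
    case "$1" in
        ""|.*|*.|*..*|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Print one dnsmasq "ipset=" line per valid domain. dnsmasq then adds every
# address it resolves for that domain (and its subdomains) to the set.
emit_dnsmasq_conf() {
    for d in "$@"; do
        if valid_domain "$d"; then
            echo "ipset=/${d}/${SET_NAME}"
        else
            echo "skipping invalid domain: ${d}" >&2
        fi
    done
}

# Print the commands that create the set, mark traffic whose destination is
# in it, and route marked packets via the WAN gateway instead of the tunnel.
emit_routing_cmds() {
    wan_gw="$1"; wan_if="$2"
    echo "ipset create ${SET_NAME} hash:ip -exist"
    echo "iptables -t mangle -A PREROUTING -m set --match-set ${SET_NAME} dst -j MARK --set-mark ${FWMARK}"
    echo "ip rule add fwmark ${FWMARK} table ${RT_TABLE}"
    echo "ip route add default via ${wan_gw} dev ${wan_if} table ${RT_TABLE}"
}

# Constructed sample input: a documentation domain and an RFC 5737 gateway.
emit_dnsmasq_conf example.com 'bad/entry'
emit_routing_cmds 192.0.2.1 vlan2
```

The `ipset=` lines only take effect with a dnsmasq binary compiled with ipset support, which is the gap the post describes.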
Would you show me more details as stated "ipset itself is compiled using the build system in Entware-ng (which uses the OpenWRT buildroot) but with DD-WRT kernel sources to be compatible."?
Ah, I think I remember I had to edit the .config and change the following line to y as it's not set by default:
Quote:
CONFIG_PACKAGE_ipset=y
Then compile as normal and an .ipk is generated to install via opkg.
Alternatively, you can download the source of ipset and cross-compile it with the appropriate DD-WRT toolchain for your router, but as I already have Entware set up, I just borrow the source from there instead as it's already set up for cross-compiling.
One more question: do I need to change the Makefile of ipset ("--with-kbuild=/path_to_dd-wrt_kernel") before compiling ipset? As you said, "compile ipset with DD-WRT kernel sources to be compatible"?
Yes, to ensure compatibility, I point it to the kernel source dir of DD-WRT i.e. src/linux/universal/linux-4.4 or whatever kernel target you need.
Here's a quick script that will replace it for you.
My paths are /root/ because I actually compile on Windows Linux Subsystem, so the setup is a bit different.
Code:
#!/bin/bash
ENTWARE_NG_SOURCE_DIR="/root/Entware-ng" # Change to your local path
ENTWARE_NG_IPSET_MAKEFILE="${ENTWARE_NG_SOURCE_DIR}/package/network/utils/ipset/Makefile"
DD_WRT_SOURCE_DIR="/root/dd-wrt" # Change to the root of where the DD-WRT source tree is
DD_WRT_KERNEL_TARGET="linux-4.4" # Change if you need to use kernel 3.10
DD_WRT_KERNEL_SOURCE_DIR="${DD_WRT_SOURCE_DIR}/src/linux/universal/${DD_WRT_KERNEL_TARGET}"
echo "Replacing Entware-ng kernel source dir with DD-WRT kernel source dir"
sed -i "s@\$(LINUX_DIR)@${DD_WRT_KERNEL_SOURCE_DIR}@" "${ENTWARE_NG_IPSET_MAKEFILE}"
Change paths accordingly.
_________________
James
What is it exactly that you want?
If you want simple policy-based routing, it is possible without ipset, and if you want/have to use ipset there are other solutions available too.
Right now I would just like to have ipset working properly.