Lan client Route from ip address and port #40

Open
Salvora opened this issue Oct 23, 2020 · 5 comments

Comments

Salvora commented Oct 23, 2020

Love your script so far.
I know this can be done using iptables and manually arranging things, but it is difficult this way, so I am just curious:
Is there a way to specify the LAN IP and port for routing using x3m?

I mean:
Route to VPN X if a connection comes from LAN client X with port XXXX?

I have a server that runs some specific applications using predefined ports. I don't want my whole server to be on VPN connections. Just those specific applications.

Xentrk (Owner) commented Oct 24, 2020

I don't have the feature for port routing at the moment. I will look into it. Since you are using x3mRouting, you can use the instructions https://github.com/RMerl/asuswrt-merlin.ng/wiki/Policy-based-Port-routing-(manual-method) for port routing and place the iptables command in /jffs/scripts/x3mRouting/vpnclient1-route-up and /jffs/scripts/x3mRouting/vpnclient1-route-pre-down

vpnclient1-route-up (have a -D entry to prevent duplicates before creating the rule)
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.99 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x2000/0x2000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.99 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x2000/0x2000

vpnclient1-route-pre-down
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.99 -p tcp -m multiport --dport 80,443 -j MARK --set-mark 0x2000/0x2000 2> /dev/null
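
As an added example (not Xentrk's code and not part of x3mRouting), the delete-then-append pattern above written as reusable shell functions for vpnclient1-route-up and vpnclient1-route-pre-down, with checks that the fwmark is hex and the port list fits the multiport limit. It assumes the LAN bridge is br0 and that MARK is the fwmark x3mRouting already uses for the target VPN client; RUN=echo prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from x3mRouting: the "-D then -A" pattern from the
# thread as functions. Assumes LAN bridge br0 and that MARK is the fwmark
# x3mRouting uses for the VPN client (0x1000 in the poster's vpnclient1
# scripts). Set RUN=echo to print commands instead of executing them.

LAN_IF="${LAN_IF:-br0}"

# check_mark MARK: the fwmark must be a hex value such as 0x1000
check_mark() {
    case "$1" in
        0x[0-9a-fA-F]*) return 0 ;;
        *) echo "bad fwmark: $1" >&2; return 1 ;;
    esac
}

# check_ports LIST: comma-separated TCP ports, 1..65535, at most 15 (multiport limit)
check_ports() {
    n=0
    for p in $(echo "$1" | tr ',' ' '); do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "bad port: $p" >&2; return 1
        fi
        n=$((n + 1))
    done
    [ "$n" -ge 1 ] && [ "$n" -le 15 ]
}

# port_mark_rule ACTION SRC_IP PORTS MARK: ACTION is -A (append) or -D (delete)
port_mark_rule() {
    check_mark "$4" && check_ports "$3" || return 2
    $RUN iptables -t mangle "$1" PREROUTING -i "$LAN_IF" \
        -m iprange --src-range "$2" -p tcp -m multiport --dport "$3" \
        -j MARK --set-mark "$4/$4"
}

# route_up SRC_IP PORTS MARK: delete first so a rerun never duplicates the rule
route_up() {
    port_mark_rule -D "$1" "$2" "$3" 2>/dev/null
    port_mark_rule -A "$1" "$2" "$3"
}

# route_pre_down SRC_IP PORTS MARK: drop the rule when the tunnel goes down
route_pre_down() {
    port_mark_rule -D "$1" "$2" "$3" 2>/dev/null
}
```

Call route_up from vpnclient1-route-up and route_pre_down from vpnclient1-route-pre-down with the same three arguments, e.g. `route_up 192.168.1.99 80,443 0x2000`.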

Xentrk (Owner) commented Oct 24, 2020

The above assumes you have a rule already created using x3mRouting that uses the VPN iface so the fwmark gets created.

Salvora (Author) commented Oct 24, 2020

Hmm,
I understand. I will test this. It is great that you can integrate this feature by using /jffs/scripts/x3mRouting/vpnclient1-route-up and /jffs/scripts/x3mRouting/vpnclient1-route-pre-down instead of creating a second vpn client.
Thanks for the assistance.
It would be even better if a future update of x3m integrates this natively instead of manually entering commands.
Anyway, thanks for the help again.
One question though:
I use dnsmasq method for x3m
x3mRouting ALL 1 ILIST dnsmasq_file=/jffs/scripts/x3mRouting/Hosts
"Hosts" is the file that contains top level domain names. This works globally for every client. The whole network uses VPN for the domains in the "Hosts" file.
If I add this port routing method on top of my current settings, will it break anything?
I mean:
dnsmasq method globally + port routing for a specific client with port that will ignore the domain names and use VPN everywhere

Salvora (Author) commented Oct 31, 2020

A little bit of clarification for my previous question:
If I add these rules to
vpnclient1-route-up
and
vpnclient1-route-pre-down

will it work together with my preexisting rules?

Currently my vpnclient1-route-up is:
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000

and vpnclient1-route-pre-down is:
#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null

so if I add these newly created 2 lines,
vpnclient1-route-up is:

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.41 -p tcp -m multiport --dport 54333,6881 -j MARK --set-mark 0x1000/0x1000 2> /dev/null
iptables -t mangle -A PREROUTING -i br0 -m iprange --src-range 192.168.1.41 -p tcp -m multiport --dport 54333,6881 -j MARK --set-mark 0x1000/0x1000

vpnclient1-route-pre-down is:

#!/bin/sh
iptables -t mangle -D PREROUTING -i br0 -m set --match-set GULIBU dst -j MARK --set-mark 0x1000/0x1000 2>/dev/null
iptables -t mangle -D PREROUTING -i br0 -m iprange --src-range 192.168.1.41 -p tcp -m multiport --dport 54333,6881 -j MARK --set-mark 0x1000/0x1000 2> /dev/null

Will it break anything?

Xentrk (Owner) commented Nov 18, 2020 via email
