Mwan3 and ipset

Hello,

I tried to set ipset alias in /etc/dnsmasq.conf file and my dhcp server stopped working. Are the instructions on the wiki out of date? Can somebody post on where to set the ipset aliases?

Thanks

Please give the log after restarting dnsmasq. Maybe you should remove dnsmasq and install dnsmasq-full.


Also, it would be interesting to see your config files.

I have installed the full dnsmasq package. My dnsmasq file looks like this:

$ cat /etc/dnsmasq.conf

ipset=/youtube.com/youtube

I have defined the youtube ipset rule in mwan3 to go out wan1,


# cat /etc/config/mwan3

config rule 'youtube'
        option proto 'all'
        option sticky '0'
        option ipset 'youtube'
        option use_policy 'wan1_wan'

config rule 'https'
        option sticky '1'
        option dest_port '443'
        option proto 'tcp'
        option use_policy 'wan_wan1'

config rule 'default_rule'
        option dest_ip '0.0.0.0/0'
        option proto 'all'
        option sticky '0'
        option use_policy 'wan_wan1'

config globals 'globals'
        option mmx_mask '0x3F00'
        option rtmon_interval '5'

config interface 'wan'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '2'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config interface 'wan1'
        option enabled '1'
        list track_ip '8.8.4.4'
        list track_ip '8.8.8.8'
        list track_ip '208.67.222.222'
        list track_ip '208.67.220.220'
        option family 'ipv4'
        option reliability '1'
        option count '1'
        option timeout '2'
        option failure_latency '1000'
        option recovery_latency '500'
        option failure_loss '20'
        option recovery_loss '5'
        option interval '5'
        option down '3'
        option up '8'

config member 'wan_m1_w3'
        option interface 'wan'
        option metric '1'
        option weight '3'

config member 'wan_m2_w3'
        option interface 'wan'
        option metric '2'
        option weight '3'

config member 'wan1_m1_w2'
        option interface 'wan1'
        option metric '1'
        option weight '2'

config member 'wan1_m2_w2'
        option interface 'wan1'
        option metric '2'
        option weight '2'

config policy 'wan_only'
        list use_member 'wan_m1_w3'
        list use_member 'wan6_m1_w3'

config policy 'wan1_only'
        list use_member 'wan1_m1_w2'
        list use_member 'wan16_m1_w2'

config policy 'balanced'
        list use_member 'wan_m1_w3'
        list use_member 'wan1_m1_w2'
        option last_resort 'unreachable'

config policy 'wan_wan1'
        option last_resort 'unreachable'
        list use_member 'wan_m1_w3'
        list use_member 'wan1_m2_w3'

config policy 'wan1_wan'
        list use_member 'wan_m2_w3'
        list use_member 'wan1_m1_w2'
        option last_resort 'unreachable'

config member 'wan1_m2_w3'
        option interface 'wan1'
        option metric '2'
        option weight '3'

However, 'mwan3 rules' does not show my rule:

# mwan3 rules
Active ipv4 user rules:
   32  2003 S https  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 0:65535 multiport dports 443 
  192 17107 - wan_wan1  all  --  *      *       0.0.0.0/0            0.0.0.0/0            

Active ipv6 user rules:
    0     0 S https  tcp      *      *       ::/0                 ::/0                 multiport sports 0:65535 multiport dports 443 
    9  1387 - wan_wan1  all      *      *       ::/0                 ::/0

Any idea why mwan3 does not use my rule?

ipset list

I have banip as well as e2guardian packages installed, so 'ipset list' shows a huge list. However, the following yields nothing:

root@OpenWrt:~# ipset list|grep youtube
root@OpenWrt:~# 
# ipset list|grep Name
Name: mwan3_connected_v4
Name: mwan3_connected_v6
Name: mwan3_dynamic_v4
Name: mwan3_dynamic_v6
Name: mwan3_custom_v4
Name: mwan3_custom_v6
Name: whitelist
Name: mwan3_sticky_v4_https
Name: threat
Name: mwan3_sticky_v6_https
Name: mwan3_connected
Name: mwan3_sticky_https

#  ipset --list youtube
ipset v7.3: The set with the given name does not exist

I don't understand why dnsmasq is trying to get a DHCP lease when starting it:

# /etc/init.d/dnsmasq restart
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.30.1
udhcpc: sending discover
udhcpc: no lease, failing

Anything particular I should look out for?

Sorry, was it you who asked me the same question a month ago?

No, but was there a resolution for that?

No, we're stuck at the same point: dnsmasq doesn't fill the ipset. Could you try going to web sites in the ipset and see whether dnsmasq fills it?

That thread: https://forum.openwrt.org/t/mwan3-rules-with-ipset

Tried it; no, dnsmasq doesn't do it.

There is a bug filed for dnsmasq: https://bugs.openwrt.org/index.php?do=details&task_id=1575

OK, thank you, we are not the first ones. Question to the developers.

Hello! Perhaps my answer is not entirely about your problem. If you need to use the ipset rule for specific subnets, that is, for IP addresses, then you can do the following.

Put the setting in /etc/config/firewall:

config ipset
	option name 'namev4'
	option family 'ipv4'
	option match 'dest_net'
	option storage 'hash'
	option enabled '1'
	option loadfile '/etc/namev4'

You will also need to create a subnet set file. It looks as follows:

xxx.xxx.xxx.xxx/18
xxx.xxx.xxx.xxx/18
xxx.xxx.xxx.xxx/21
xxx.xxx.xxx.xxx/32

In the file, each subnet begins with a new line.

This works for me with an OpenVPN connection for routing certain addresses of visitors through a VPN.

Configuration in /etc/config/mwan3:

config rule 'vpn_ipv4'
	option proto 'all'
	option src_ip '192.168.0.0/16'
	option ipset 'namev4'
	option use_policy 'balanced_vpnv4'
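
A check for the subnet file format described above, added here as an example and not taken from the thread or from OpenWrt's own code: it reads a loadfile such as /etc/namev4 from standard input and reports, with its line number, every line that is not an IPv4 network in a.b.c.d/len form, which is what the 'namev4' set (family ipv4, storage hash, match dest_net) expects. The sample file contents are constructed and deliberately include an IPv6 prefix and an out-of-range octet.

```shell
#!/bin/sh
# Added example, not from the thread: validate a firewall ipset loadfile
# (one IPv4 network per line, as used by the 'namev4' set above).
# Every line that ipset would not accept as an IPv4 network is reported
# with its line number so it can be fixed before fw3 loads the file.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots allowed
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                  # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is "a.b.c.d/len" with 0 <= len <= 32, or a bare address
# (which ipset treats as a /32 host entry).
is_ipv4_cidr() {
    case $1 in
        */*) addr=${1%%/*}; len=${1#*/} ;;
        *)   addr=$1;       len=32 ;;
    esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    is_ipv4 "$addr"
}

# Read loadfile text on stdin, print one "line N: ..." entry per bad line,
# and return 0 only if every line is acceptable.
check_loadfile() {
    n=0
    bad=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        is_ipv4_cidr "$line" && continue
        bad=$((bad + 1))
        case $line in
            '')      printf 'line %d: (blank line)\n' "$n" ;;
            *"$cr")  printf 'line %d: %s (CRLF line ending)\n' "$n" "${line%?}" ;;
            *)       printf 'line %d: %s\n' "$n" "$line" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample with one IPv6 prefix and one out-of-range octet.
SAMPLE_LOADFILE='10.0.0.0/18
2001:db8::/32
256.1.1.1/24
192.0.2.10/32'

printf '%s\n' "$SAMPLE_LOADFILE" | check_loadfile
# prints: line 2: 2001:db8::/32
#         line 3: 256.1.1.1/24
```

On the router the call is simply 'check_loadfile < /etc/namev4'. CRLF endings and blank lines are reported separately because they are the usual reason a file that looks correct in an editor still produces entries ipset rejects.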

OK, but the question is how to create an ipset by name, not just from a list of IPs.

DNSMASQ can add IP addresses to an IPSET when certain domain names are queried:
https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls


OK, thank you.

dnsmasq's ipsets work fine for me. The key is that the ipset must be manually added (/etc/rc.local for example). dnsmasq will not create the ipset itself.

--ipset=/<domain>[/<domain>...]/<ipset>[,<ipset>...]
Places the resolved IP addresses of queries for one or more domains in the specified Netfilter IP set. If multiple setnames are given, then the addresses are placed in each of them, subject to the limitations of an IP set (IPv4 addresses cannot be stored in an IPv6 IP set and vice versa). Domains and subdomains are matched in the same way as --address. These IP sets must already exist. See ipset(8) for more details.

ipset create <ipset-name> hash:net 

Also, ipsets can be created automatically from "/etc/config/network".

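
An added example, not code from the thread, from dnsmasq or from OpenWrt, that checks the point made in the post above: it collects the set names from the ipset= lines of a dnsmasq.conf and compares them with the names of the sets that exist, because dnsmasq only fills sets that already exist and never creates them. The sample dnsmasq.conf and the list of existing sets are constructed, loosely modelled on the 'youtube' and 'usvpn' sets mentioned in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): list the ipsets that ipset= lines in a
# dnsmasq.conf refer to, and report the ones that do not exist yet. dnsmasq
# only fills sets that already exist, so a missing one is never populated.

# Print the set names used in ipset= directives, one per line, sorted and unique.
# $1: the text of dnsmasq.conf
dnsmasq_ipset_names() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ipset=//p' |   # keep only the ipset= directives
        awk -F/ '{ print $NF }' |              # everything after the last '/' is the set list
        tr ',' '\n' |                          # several sets may be given, comma separated
        sed 's/[[:space:]]//g' |
        grep -v '^$' |
        sort -u
}

# Print the referenced sets that are absent from the list of existing sets.
# $1: dnsmasq.conf text, $2: newline-separated names of the sets that exist
missing_ipsets() {
    dnsmasq_ipset_names "$1" | while read -r name; do
        printf '%s\n' "$2" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample data modelled on the thread: two directives, one of
# them naming two sets, plus unrelated lines that must be ignored.
SAMPLE_CONF='domain-needed
ipset=/youtube.com/youtube
ipset=/pandora.com/usvpn,usvpn6
# comment line, ignored'

# Constructed stand-in for the output of "ipset list -n" on the router.
SAMPLE_EXISTING='mwan3_connected_v4
usvpn
whitelist'

missing_ipsets "$SAMPLE_CONF" "$SAMPLE_EXISTING"
# prints: usvpn6
#         youtube
```

On the router the two inputs would be "$(cat /etc/dnsmasq.conf)" and "$(ipset list -n)"; every name the script prints is one that still has to be created, for instance with the 'ipset create <ipset-name> hash:net' line from the post above placed in /etc/rc.local, before dnsmasq can add anything to it.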

Could you give a command for domain matching?
ex: ipset=/pandora.com/usvpn

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset
