Okay. I restarted OpenWrt without stubby.
Internet access works, DNS is Cloudflare.
What's next?
vpn-pbr is still not working.
root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 344
References: 4
Number of entries: 0
Members:
Hmmm. Now the ipset list lan has 3 entries at once...
root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 632
References: 4
Number of entries: 3
Members:
52.28.125.65
35.157.134.147
52.29.58.77
That's good, it means that when you try to connect to these IPs the lan interface will be used.
Verify with iptables-save -c -t mangle
The -A VPR_PREROUTING -m set --match-set lan line must not have zero hits.
One thing to mention is that after a few minutes of inactivity the ipset will be emptied. Upon the next query to resolve the hostname it will be added again.
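The check suggested above (look at the packet counter on the VPR_PREROUTING rule that matches the "lan" ipset) can be scripted so it does not rely on eyeballing iptables-save. The script below is an added example, not code from the thread or from vpn-policy-routing; the iptables-save output it parses is constructed to resemble what the package installs (chain name VPR_PREROUTING and set names lan/wan come from the thread, the mark values are assumptions), and on a router you would feed it the real `iptables-save -c -t mangle` output instead.

```shell
#!/bin/sh
# Added example: verify that the mangle rule matching an ipset has seen traffic.
# Not from the original thread; chain/set names taken from it, rest assumed.

# Constructed sample of `iptables-save -c -t mangle` output. With -c every rule
# is prefixed with [packets:bytes]; a policy-routing rule that never fires
# stays at [0:0]. The mark values are made up for the example.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [1234:567890]
:VPR_PREROUTING - [0:0]
[1234:567890] -A PREROUTING -j VPR_PREROUTING
[0:0] -A VPR_PREROUTING -m set --match-set wan dst -j MARK --set-xmark 0x010000/0xff0000
[42:3108] -A VPR_PREROUTING -m set --match-set lan dst -j MARK --set-xmark 0x020000/0xff0000
COMMIT'

# set_hits INPUT SETNAME
# Prints the packet counter of the first rule that matches SETNAME via
# "-m set --match-set SETNAME", or -1 if no such rule exists.
set_hits() {
    printf '%s\n' "$1" | awk -v set="$2" '
        /^\[/ && index($0, "--match-set " set " ") {
            gsub(/\[|\]/, "", $1)     # "[42:3108]" -> "42:3108"
            split($1, c, ":")         # c[1] = packets, c[2] = bytes
            print c[1]
            found = 1
            exit
        }
        END { if (!found) print -1 }'
}

# check_set_rule INPUT SETNAME
# Exit status: 0 = rule exists and has hits, 1 = rule exists but zero hits
# (traffic is not being matched, e.g. the ipset is empty), 2 = rule missing.
check_set_rule() {
    hits=$(set_hits "$1" "$2")
    case "$hits" in
        -1) echo "no VPR_PREROUTING rule for ipset $2"; return 2 ;;
        0)  echo "rule for ipset $2 exists but has zero hits"; return 1 ;;
        *)  echo "rule for ipset $2 matched $hits packets"; return 0 ;;
    esac
}

# Demo on the constructed sample; on the router use:
#   check_set_rule "$(iptables-save -c -t mangle)" lan
for s in lan wan missing; do
    check_set_rule "$SAMPLE_MANGLE" "$s" || :
done
```

A non-zero packet count only proves that some packets hit the rule, not that the right ones did; combine it with `ipset list lan` to confirm the expected addresses were present when the traffic flowed.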
Okay. I have added 91.123.0.0/16 to rules.
Now I am waiting for the magic...
For now it shows me the real IP.
Do I have to restart dnsmasq after restarting vpn-pbr or just to wait some time?
Hmm. okay, Zattoo works now! That is great!
But wimi is not set? Why?
root@OpenWrt:~# ipset list lan
Name: lan
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 478
References: 4
Number of entries: 1
Members:
91.123.0.0/16 comment "Zattoo: 91.123.0.0/16"
Adding IP ranges as rules starts right away. Great!
I was easily able to bypass Amazon Prime Video and Zattoo!
Thanks for your help trendy!!
What doesn’t work is entering domains.
I tried to add speedtest.net instead of wieistmeineip.de and it still doesn’t bypass...
It starts working if I do an nslookup. Shouldn't this simply work if I browse to the webpage? Do I have to do an nslookup for every webpage after I restart the service?
It really seems that stubby holds off vpn-pbr from working.
Do you have any idea why?
And is there an alternative to stubby to use DNS over TLS without holding up vpn-pbr from working?
Any query to the dnsmasq should do the job. The problem is that if the LAN hosts keep the address in cache and don't ask dnsmasq again, it will not be renewed. Maybe there is some way to prolong the lifetime of the ipset.
wimi.de works fine for me. speedtest won't work; do a source view of the page and you'll see how many more sites you need to bypass apart from the main one.
Because dnsmasq needed to be working to create the ipsets.
Not that I know of, you'll have better luck opening a new topic for that.
The traffic that is not matching any rule uses the default gateway configured.
It is marked with the tick