VPN Policy-Based Routing + Web UI -- Discussion

Hi, I have a problem with this package. My Apple TV uses the VPN interface and the other clients use WAN. When I watch a movie online with my iPhone the traffic goes through WAN correctly, but when I stream from the iPhone to the Apple TV it uses the VPN interface. In this situation the traffic is local and comes through WAN to the iPhone, but it goes through the VPN also. I would appreciate help.
Thanks

Hi all,

I am having an issue where the service does not recognise 'wan' as a valid interface.

/etc/config/vpn-policy-routing:

config policy
	option interface 'wan'
	option comment 'Local Traffic'
	option local_addresses '192.168.52.1/24'
	option remote_addresses '192.168.51.1/24'

config policy
	option interface 'wan'
	option comment 'Der XBOX'
	option local_addresses '192.168.52.95'
	option local_ports '0-65535'
	option remote_addresses '0.0.0.0/0'
	option remote_ports '0-65535'

config policy
	option comment 'Internet Traffic'
	option local_addresses '192.168.52.1/24'
	option remote_addresses '0.0.0.0/0'
	option interface 'nordvpntun'

config vpn-policy-routing 'config'
	option verbosity '2'
	option ipv6_enabled '0'
	option strict_enforcement '1'
	option enabled '1'
	option dnsmasq_enabled '1'

/etc/init.d/vpn-policy-routing support:

vpn-policy-routing 0.0.1-25 running on LEDE 17.01.4. WAN (IPv4): lan/dev/192.168.51.254. WAN (IPv6): lan/dev6/::/0.
============================================================
Dnsmasq version 2.78  Copyright (c) 2000-2017 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify
============================================================
Routes/IP Rules
default         10.8.8.1        128.0.0.0       UG    0      0        0 tun0
default         192.168.51.254  0.0.0.0         UG    0      0        0 br-wan
32748:  from all fwmark 0x20000 lookup 202
32749:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via 192.168.51.254 dev br-wan
IPv4 Table 202: default via 10.8.8.1 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.52.0/24 -m comment --comment Internet_Traffic -c 103998 50208846 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set nordvpntun dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set lan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create lan hash:net family inet hashsize 1024 maxelem 65536 comment
create nordvpntun hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

/etc/init.d/vpn-policy-routing reload

Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Local Traffic' via wan [✗]
Routing 'Der XBOX' via wan [✗]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: policy 'Local Traffic' has an unknown interface: wan!
ERROR: policy 'Der XBOX' has an unknown interface: wan!
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan nordvpntun [✓]

In ifconfig, I have a br-wan interface, and under the interfaces section in LEDE, WAN appears as a network along with LAN and NORDVPNTUN. I have tried manually editing the config file changing 'wan' to 'br-wan', but that does not solve the issue.

Any advice appreciated.

Thanks.

Last few posters -- I'm not ignoring you guys (and girls, as the case may be), but May turned out to be very eventful for me.

People with the br-wan and other not properly identified interfaces -- please post more about your devices/configurations and the output of ifconfig and ip -4 route.

I could be mistaken, but afaik, the phone doesn't stream to the Apple TV. The phone sends a URL to the Apple TV, so that the Apple TV would start its own stream. Hence, the VPN interface.

It's a Linksys WRT1900AC running LEDE Reboot 17.01.4 r3560-79f57e422d / LuCI lede-17.01 branch (git-17.290.79498-d3f0685). WAN is connected through the 'Internet' (ethernet) port.

ifconfig:

br-lan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.52.254  Bcast:192.168.52.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:671762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:582673 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:362855157 (346.0 MiB)  TX bytes:206603684 (197.0 MiB)

br-wan    Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          inet addr:192.168.51.246  Bcast:192.168.51.255  Mask:255.255.255.0
          inet6 addr: fe80::9610:3eff:fe18:650e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648502 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:230737905 (220.0 MiB)  TX bytes:407024539 (388.1 MiB)

eth0      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:581763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:373263482 (355.9 MiB)  TX bytes:205876159 (196.3 MiB)
          Interrupt:27

eth1      Link encap:Ethernet  HWaddr 94:10:3E:18:65:0E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:648503 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:239816987 (228.7 MiB)  TX bytes:407024539 (388.1 MiB)
          Interrupt:28

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:20 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1893 (1.8 KiB)  TX bytes:1893 (1.8 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.171  P-t-P:10.8.8.171  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:580172 errors:0 dropped:0 overruns:0 frame:0
          TX packets:685727 errors:0 dropped:4053 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:197674015 (188.5 MiB)  TX bytes:361362822 (344.6 MiB)

wlan0     Link encap:Ethernet  HWaddr 94:10:3E:18:65:0F
          inet6 addr: fe80::9610:3eff:fe18:650f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1604 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:307878 (300.6 KiB)

wlan1     Link encap:Ethernet  HWaddr 94:10:3E:18:65:10
          inet6 addr: fe80::9610:3eff:fe18:6510/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1053 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2598 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:306866 (299.6 KiB)  TX bytes:1068971 (1.0 MiB)

ip -4 route

0.0.0.0/1 via 10.8.8.1 dev tun0
default via 192.168.51.254 dev br-wan  proto static  src 192.168.51.246
10.8.8.0/24 dev tun0  proto kernel  scope link  src 10.8.8.171
45.248.79.132 via 192.168.51.254 dev br-wan
128.0.0.0/1 via 10.8.8.1 dev tun0
192.168.51.0/24 dev br-wan  proto kernel  scope link  src 192.168.51.246
192.168.51.254 dev br-wan  proto static  scope link  src 192.168.51.246
192.168.52.0/24 dev br-lan  proto kernel  scope link  src 192.168.52.254

I have been using this service for more than a year with great success. However my ISP has started throttling UDP traffic to fight VoIP and has affected OPENVPN. To bypass this throttling I have moved openvpn to tcp and the speed was dramatically reduced. To improve speed, I modified openvpn configuration:

  • Protocol: from udp to tcp
  • Cipher: from AES-256 to none

Then I have tunneled the openvpn link over a shadowsocks proxy to maintain encrypted, secured communications. This configuration has improved my speed noticeably and now it is even faster than the speed I had with UDP only. Now I want to have 3 routes:

  • Route #1: devices that use openvpn over shadowsocks (VoIP devices)
  • Route #2: shadowsocks only (only bypass geolocation services for some devices)
  • Route #3: direct WAN.

I managed to get this working by starting the services in order:
(1) shadowsocks - which implements its own access control and policy routing. It will route through shadowsocks or directly to the internet based on the configured policies.
(2) VPN policy routing, including on the policies ONLY those devices that will be routed via openvpn.

The problem comes when the shadowsocks server restarts and rewrites the iptables rules. The devices that were routed using vpn-policy-routing lose internet connection until I manually restart the service.

Is there a way to add dependencies on other services (like shadowsocks) so that when that service is restarted, vpn-policy-routing is also restarted?
Similar to openvpn restart, that will trigger a vpn-policy router restart right afterwards.

It is also not ideal to manage policies via two services/LuCI interfaces. So any idea that could help to define clearer routing policies would be welcome.

Khm, the br-wan part is intriguing. Can you please post your /etc/config/network?

I'm not familiar with shadowsocks, I'm guessing it doesn't create its own interface -- does it?
Maybe ucitrack could help, sadly I don't have time to look into it.

Surely.
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde6:4fb7:e5c8::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option dns '192.168.52.252'
	option ipaddr '192.168.52.254'
	option gateway '192.168.51.254'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option delegate '0'
	option type 'bridge'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'none'
	option reqprefix 'no'
	option auto '0'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

config interface 'nordvpntun'
	option proto 'none'
	option ifname 'tun0'
	option delegate '0'
	option auto '1'

If you think it would help, I can try deleting the extant configuration and try setting that interface up again.

Thanks.

Are you really bridging multiple ifnames for WAN? If not, try removing the quoted line from WAN interface and rebooting the router.

I wasn't - I suspect that's the default configuration to support IPv6 traffic. I added the 'wan' interface under advanced settings, so I have managed to change the errors I'm getting.

A reload command now gives:
Creating table 'lan/br-lan/192.168.51.254' [✓]
Creating table 'wan/eth1/0.0.0.0' [✗]
Creating table 'nordvpntun/tun0/10.8.8.1' [✓]
Routing 'Der XBOX' via wan [✓]
Routing 'Internet Traffic' via nordvpntun [✓]
vpn-policy-routing 0.0.1-25 started on lan/br-lan/192.168.51.254 nordvpntun/tun0/10.8.8.1 with errors [✗]
ERROR: Failed to set up 'wan/eth1/0.0.0.0'
vpn-policy-routing 0.0.1-25 monitoring interfaces: lan wan nordvpntun [✓]

That said, everything appears to be working.

Looks like VPR is detecting your LAN interface as WAN. Probably due to having gateway manually configured for that interface.

I have updated the gateway and WAN detection logic in 0.0.2-1, that build might work better for you.
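An added example, not code from the vpn-policy-routing package or from anyone in this thread: a small Python check that reproduces the two problems discussed above from the posted configs, a policy whose interface is not defined in /etc/config/network, and a LAN-side interface carrying a manual gateway. The UCI parser is minimal, the `name.startswith("wan")` test is a heuristic, and the 'Typo' policy is invented to trigger the error.

```python
# Added example (not the vpn-policy-routing package's own code): a minimal UCI
# parser that checks a vpn-policy-routing config against /etc/config/network for
# the two problems seen above: a policy naming an undefined interface, and a
# non-WAN interface carrying a manual 'gateway', which can mislead WAN detection.
# Samples are constructed from the posted configs; the 'Typo' policy is invented.

import re

NETWORK_CFG = """
config interface 'lan'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.52.254'
    option gateway '192.168.51.254'

config interface 'wan'
    option ifname 'eth1'
    option proto 'dhcp'

config interface 'nordvpntun'
    option ifname 'tun0'
"""

VPR_CFG = """
config policy
    option interface 'wan'
    option comment 'Der XBOX'

config policy
    option interface 'nordvpntun'
    option comment 'Internet Traffic'

config policy
    option interface 'nordvpntnu'
    option comment 'Typo'
"""

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'([^']*)')?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'([^']*)'\s*$")


def parse_uci(text):
    """Return [(section_type, section_name, {option: value}), ...]."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections


def check_policies(network_text, vpr_text):
    """Return a list of (severity, message) findings."""
    findings = []
    ifaces = {name: opts for typ, name, opts in parse_uci(network_text)
              if typ == "interface"}
    for name, opts in ifaces.items():
        # A static gateway on a LAN-side interface is what misled WAN detection above
        if "gateway" in opts and not name.startswith("wan"):
            findings.append(("WARN", f"interface '{name}' has gateway "
                             f"{opts['gateway']}; WAN detection may pick it"))
    for typ, _, opts in parse_uci(vpr_text):
        if typ == "policy" and opts.get("interface") not in ifaces:
            findings.append(("ERROR", f"policy '{opts.get('comment', '?')}' "
                             f"has an unknown interface: {opts.get('interface')}"))
    return findings
```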

I'm trying to get a simple setup working, and have used vpn-policy-routing instead of mwan3 since it seems to be the future.

My goal is to have a network with VPN for some devices for Amazon Prime US and Netflix US, whilst another network will go directly via the WAN port.

I've got the network going via VPN working ok, however the non-VPN network then cannot access Netflix? Is this a known problem? I want both networks to be able to access Netflix, one via the VPN (US) and one without (local Netflix library).

Is this a known issue? Are there workarounds for my situation?

/etc/config/vpn-policy-routing

config vpn-policy-routing 'config'
        option verbosity '2'
        option ipv6_enabled '0'
        option strict_enforcement '1'
        option dnsmasq_enabled '1'
        option udp_proto_enabled '1'
        option enabled '1'

config policy
        option interface 'wan'
        option local_addresses '192.168.50.0/24'
        option comment 'default'

config policy
        option local_addresses '192.168.55.0/24'
        option interface 'nordvpn_us'
        option comment 'vpn_us'

ip -4 route

default via 187.X.X.X dev pppoe-wan  proto static  metric 10
187.X.X.X dev pppoe-wan  proto kernel  scope link  src 191.X.X.X
192.168.50.0/24 dev br-lan  proto kernel  scope link  src 192.168.50.1
192.168.55.0/24 dev wlan0-1  proto kernel  scope link  src 192.168.55.1

I also have difficulty connecting to Amazon.com on the non-VPN network.

Could there be some issue with DNS leaking?

Awesome, I appreciate that - any idea of when you will have it in your repo?

For reference, a factory reset of the router and reconfiguration of everything has fixed all my issues.

Thanks all.

Hi, can someone produce a full guide for someone who has no understanding of networking on how to set up two wifi networks, one with an OpenVPN client and one without, on LEDE? I will gladly pay someone to help me with setup.

I just pushed the vpn-policy-routing 0.0.2-3 to my repo, where you can specify a "physical device" (like wlan1 or wlan0-1) as the "local address/device". I haven't tested it yet though.

Has anyone on 18.06 (either snapshot or rc1) tested this with flow_offloading (either sw or hw) enabled?

No sorry mate, essential app you've created though, really, amazing!!!

Thank you

Hi, I hope this is the right place to ask this. Please direct me the right discussion if I'm wrong.

First, thanks for this add-on. It was what I was looking for for a long time without having to set up my own routing rules.

I have, perhaps, a unique network setup for which I'm trying to expand its functionality. I have two VPN tunnels: an OpenVPN and a tinc. The OpenVPN interface is what allows me to tunnel to the remote office. Tinc, on the other hand, is what links a bunch of other local networks together such that we can all see each other as if we were all local.

I have one computer locally that needs to be connected to the office all the time. Using this "VPN Policy-Based Routing" add-on, all traffic from this computer is directed to the OpenVPN interface (which works great!). However, this severs the computer from accessing the tinc interface (understandably). I tried adding a policy to direct traffic to certain IP range to go through tinc interface (since this add-on seems to detect it) from this computer's IP, but it did not work.

One clue perhaps is that there is no "Table" created for the tinc interface?

If I didn't set policy to direct all traffic from this computer to OpenVPN, then this computer can see all other hosts from other networks. So, I know the tinc and the route I set for it is working. Is the trick perhaps getting this application to recognize tinc? I'm not sure what the problem is. Sorry for my basic network knowledge. I hope someone can enlighten me.

rebels is the name of the tinc interface.
tun0 is the name of the OpenVPN interface.
192.168.1.102 is the IP address of the computer in question.
192.168.0.1/24 is the IP range of the hosts through tinc.

ifconfig

br-lan    Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31556187 errors:0 dropped:0 overruns:0 frame:0
          TX packets:37448738 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6403573097 (5.9 GiB)  TX bytes:63278764418 (58.9 GiB)

eth0      Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27021179 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32906113 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:6833664273 (6.3 GiB)  TX bytes:47159364955 (43.9 GiB)
          Interrupt:37

eth0.1    Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:26789812 errors:0 dropped:94 overruns:0 frame:0
          TX packets:32905736 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6337828729 (5.9 GiB)  TX bytes:47027714051 (43.7 GiB)

eth1      Link encap:Ethernet  HWaddr 60:38:E0:D8:D0:11
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:137933046 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38260432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:532
          RX bytes:71628657396 (66.7 GiB)  TX bytes:8498547982 (7.9 GiB)
          Interrupt:36

eth1.2    Link encap:Ethernet  HWaddr 60:38:E0:D8:D0:11
          inet addr:xxx.xxx.xxx.150  Bcast:xxx.xxx.xxx.255  Mask:255.255.254.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:107701787 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38250207 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:67598057626 (62.9 GiB)  TX bytes:8344831148 (7.7 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:69025 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69025 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11565429 (11.0 MiB)  TX bytes:11565429 (11.0 MiB)

rebels    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:973 errors:0 dropped:0 overruns:0 frame:0
          TX packets:151716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:552697 (539.7 KiB)  TX bytes:4941500 (4.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.36.0.14  P-t-P:10.36.0.13  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:14351913 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8370470 errors:0 dropped:443 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:17307236251 (16.1 GiB)  TX bytes:549450947 (523.9 MiB)

wlan0     Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:22
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3081450 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7110371 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:415870005 (396.6 MiB)  TX bytes:9821893232 (9.1 GiB)

wlan1     Link encap:Ethernet  HWaddr 62:38:E0:D8:D0:33
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2212578 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5300067 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:178657630 (170.3 MiB)  TX bytes:7670412847 (7.1 GiB)

ip -4 route

default via xxx.xxx.xxx.1 dev eth1.2 proto static src xxx.xxx.xxx.150
10.36.0.13 dev tun0 proto kernel scope link src 10.36.0.14
xxx.xxx.xxx.0/23 dev eth1.2 proto kernel scope link src xxx.xxx.xxx.150
192.168.0.0/24 dev rebels scope link
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1

/etc/init.d/vpn-policy-routing support

vpn-policy-routing 0.0.2-3 running on Lede SNAPSHOT. WAN (IPv4): wan/dev/xxx.xxx.xxx.1.
============================================================
Dnsmasq version 2.80test2  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC no-ID loop-detect inotify dumpfile
============================================================
Routes/IP Rules
default         xxx.xxx.xxx.1    0.0.0.0         UG    0      0        0 eth1.2
32736:  from all fwmark 0x30000 lookup 203
32737:  from all fwmark 0x20000 lookup 202
32738:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via xxx.xxx.xxx.1 dev eth1.2
IPv4 Table 202: default via 192.168.1.1 dev br-lan
IPv4 Table 203: default via 10.36.0.13 dev tun0
============================================================
IP Tables PREROUTING
-N VPR_PREROUTING
-A VPR_PREROUTING -s 192.168.1.102/32 -m comment --comment Naboo-Office -c 50035 4339908 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.1.102/32 -d 192.168.0.0/24 -m comment --comment Naboo-Tinc -c 5 420 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set openvpn dst -c 0 0 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -m set --match-set rebels dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
============================================================
Current ipsets
create wan hash:net family inet hashsize 1024 maxelem 65536 comment
create rebels hash:net family inet hashsize 1024 maxelem 65536 comment
create openvpn hash:net family inet hashsize 1024 maxelem 65536 comment
============================================================
Your support details have been logged to '/var/vpn-policy-routing-support'. [✓]

Did you manually configure VPR to support the rebels/tinc interface or did it auto-detect it?

I'm far from being an expert on routing in general, but I find it confusing that the tinc interface has an IP/PTP of 192.168.1.1. I wonder what IP range you have configured in network.lan.ipaddr?

But I digress; judging by the counters some traffic is being marked for Naboo-Tinc (-c 5 420).
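An added example, not code from the vpn-policy-routing package or from anyone in this thread: a Python script that parses the "Routes/IP Rules" and "IP Tables PREROUTING" sections of a support dump like the one above, links each VPR_PREROUTING rule to its fwmark, ip rule, table and device, and walks the chain for one packet. The dump is constructed from the values posted above (xxx.xxx.xxx.1 is the poster's redacted gateway); the 'Orphan' rule is invented to show a mark with no table behind it, and the MARK target being non-terminating in iptables is a general fact, not something the thread states.

```python
# Added example (not the vpn-policy-routing package's own code): parse the
# 'Routes/IP Rules' and 'IP Tables PREROUTING' sections of a support dump, link
# each VPR_PREROUTING rule to its fwmark, ip rule, table and device, and walk the
# chain for one packet. MARK is a non-terminating target, so when several rules
# match, the last one's mark is what the ip rules see. The dump is constructed
# from the values posted above (xxx.xxx.xxx.1 is the poster's redacted gateway);
# the 'Orphan' rule is invented to show a mark with no table behind it.
import ipaddress
import re

SUPPORT_DUMP = """\
32736:  from all fwmark 0x30000 lookup 203
32737:  from all fwmark 0x20000 lookup 202
32738:  from all fwmark 0x10000 lookup 201
IPv4 Table 201: default via xxx.xxx.xxx.1 dev eth1.2
IPv4 Table 202: default via 192.168.1.1 dev br-lan
IPv4 Table 203: default via 10.36.0.13 dev tun0
-A VPR_PREROUTING -s 192.168.1.102/32 -m comment --comment Naboo-Office -c 50035 4339908 -j MARK --set-xmark 0x30000/0xff0000
-A VPR_PREROUTING -s 192.168.1.102/32 -d 192.168.0.0/24 -m comment --comment Naboo-Tinc -c 5 420 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set rebels dst -c 0 0 -j MARK --set-xmark 0x20000/0xff0000
-A VPR_PREROUTING -m set --match-set wan dst -c 0 0 -j MARK --set-xmark 0x10000/0xff0000
-A VPR_PREROUTING -s 10.0.0.9/32 -m comment --comment Orphan -c 3 180 -j MARK --set-xmark 0x40000/0xff0000
"""

RULE_RE = re.compile(r"^\d+:\s+from all fwmark (0x[0-9a-f]+) lookup (\d+)")
TABLE_RE = re.compile(r"^IPv4 Table (\d+): default via (\S+) dev (\S+)")
IPT_RE = re.compile(r"^-A VPR_PREROUTING(?: -s (\S+))?(?: -d (\S+))?"
                    r"(?: -m set --match-set (\S+) dst)?(?: -m comment --comment (\S+))?"
                    r" -c (\d+) (\d+) -j MARK --set-xmark (0x[0-9a-f]+)/")


def parse_dump(text):
    """Return (fwmark -> table id, table id -> (gateway, dev), [rules])."""
    marks, tables, rules = {}, {}, []
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            marks[int(m.group(1), 16)] = m.group(2)
        elif m := TABLE_RE.match(line):
            tables[m.group(1)] = (m.group(2), m.group(3))
        elif m := IPT_RE.match(line):
            src, dst, ipset, comment, pkts, _, mark = m.groups()
            rules.append({"src": src, "dst": dst, "ipset": ipset, "comment": comment or ipset,
                          "packets": int(pkts), "mark": int(mark, 16)})
    return marks, tables, rules


def device_for_mark(marks, tables, mark):
    """Device behind a fwmark, or None when no ip rule/table serves it."""
    table = marks.get(mark)
    return tables[table][1] if table in tables else None


def policy_report(text):
    """comment -> (device, packets); device None means the mark is orphaned."""
    marks, tables, rules = parse_dump(text)
    return {r["comment"]: (device_for_mark(marks, tables, r["mark"]), r["packets"]) for r in rules}


def effective_device(text, src, dst):
    """Walk the chain for src->dst; ipset rules are skipped (set membership is not in the dump)."""
    marks, tables, rules = parse_dump(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = None
    for r in rules:
        if r["ipset"]:
            continue
        if r["src"] and s not in ipaddress.ip_network(r["src"], strict=False):
            continue
        if r["dst"] and d not in ipaddress.ip_network(r["dst"], strict=False):
            continue
        mark = r["mark"]  # a later matching rule overwrites the earlier mark
    return device_for_mark(marks, tables, mark)
```

For the posted dump, a packet from 192.168.1.102 to 192.168.0.0/24 picks up 0x30000 from Naboo-Office and then 0x20000 from Naboo-Tinc, so it is looked up in table 202, whose default route points at br-lan rather than the rebels interface.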