Closed kevin11334 closed 5 years ago
Not supported yet, but I'll see if I can implement it.
this can be managed by iptables setting a number of IP address to the 'source address' and REDIRECT to ss port inside iptables
The same idea with me, I'll add a configuration when I'm free.
I found my Google Home doesn't work; can the same solution solve this? For example, I add the DNS 8.8.8.8 into iptables and redirect to the ss port? How do I do this right now?
@KinseyWang Before Acris deploys the new configuration, you can add the iptables configuration below manually.
Please change `192.168.x.x` to your Google Home's IP and `1080` to your local ss port.

```
iptables -t nat -A PREROUTING -p tcp -s 192.168.x.x -j REDIRECT --to-ports 1080
```
@KinseyWang You can try redirecting DNS queries from Google Home to port 15253 with the command below, which is listened on by unbound; all DNS queries through unbound will be forwarded to rubyfish DNS.
Replace `192.168.x.x` with your Google Home's internal IP.

```
iptables -t nat -A PREROUTING -p udp -s 192.168.x.x --dport 53 -j REDIRECT --to-ports 15253
```
Does Google Home force the DNS server to something else, or does it use what DHCP feeds? If so, I suggest REDIRECTing to the router's 53 (dnsmasq listening), then the ipset gfwlist can be reflected as well in case the server was blocked.
@KinseyWang @soliujing Maybe DNS hijacking is enough, it's fancyss for koolshare merlin's chromecast mode implementation: https://github.com/hq450/fancyss/blob/master/fancyss_arm/shadowsocks/ss/ssconfig.sh#L1867
And I recommend using this rule to replace the previous one:

```
iptables -t nat -A PREROUTING -p udp -s 192.168.x.x --dport 53 -j DNAT --to-destination 127.0.0.1:15253
```
thanks all. look forward to the configuration.
@kevin11334 Now you can upgrade the software to the latest version by `ss-merlin upgrade` and configure `lan_ips` in your ss-merlin.conf to assign a LAN IP.
https://github.com/Acris/shadowsocks-asuswrt-merlin/blob/master/etc/ss-merlin.sample.conf#L16
Issue closed, feel free to re-open it if needed.
@Acris Hi, many thanks for setting this up. However, I tried today and it still doesn't work, even though I followed the instructions and set lan_ips in the ss-merlin.conf file. All of my LAN devices still go through the proxy as before. I have tried uninstalling ss-merlin and installing it again; the problem still exists.
ss-merlin config file (IP hidden):

```
# Route mode
## 0: GFW list.
## 1: Bypass mainland China.
## 2: Global mode.
mode=1
# UDP support
## 0: Disable UDP.
## 1: Enable UDP, require server side support.
udp=0
# LAN IPs
## Configure which LAN IP will pass transparent proxy.
## Default is 0.0.0.0/0, means all LAN devices will affected.
## You can assign a LAN IP like 192.169.1.125 means only this device can pass transparent proxy.
lan_ips=xxxxxxxxxxxx
# China DNS IP
## Default is 119.29.29.29
china_dns_ip=119.29.29.29
```
Can you run `iptables -t nat -L` on your router and paste the output here?
thanks! below run results:

```
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 192.168.1.3
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.50.0/24 anywhere policy match dir out pol ipsec
PUPNP all -- anywhere anywhere
MASQUERADE all -- !192.168.1.3 anywhere
MASQUERADE all -- 192.168.50.0/24 192.168.50.0/24
Chain DNSFILTER (0 references)
target prot opt source destination
Chain LOCALSRV (0 references)
target prot opt source destination
Chain PCREDIRECT (0 references)
target prot opt source destination
Chain PUPNP (1 references)
target prot opt source destination
Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- anywhere anywhere
Chain VUPNP (1 references)
target prot opt source destination
```
Thanks, but you need to start shadowsocks-asuswrt-merlin first, then execute `iptables -t nat -L` to copy the output.
sure. thanks! please see below run results:

```
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
VSERVER all -- anywhere 192.168.1.3
SS_PREROUTING all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
SS_OUTPUT all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.50.0/24 anywhere policy match dir out pol ipsec
PUPNP all -- anywhere anywhere
MASQUERADE all -- !192.168.1.3 anywhere
MASQUERADE all -- 192.168.50.0/24 192.168.50.0/24
Chain DNSFILTER (0 references)
target prot opt source destination
Chain LOCALSRV (0 references)
target prot opt source destination
Chain PCREDIRECT (0 references)
target prot opt source destination
Chain PUPNP (1 references)
target prot opt source destination
Chain SHADOWSOCKS_TCP (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere match-set localips dst
RETURN all -- anywhere anywhere match-set whitelist dst
RETURN all -- anywhere anywhere match-set userwhitelist dst
RETURN all -- anywhere anywhere match-set chinaips dst
REDIRECT tcp -- anywhere anywhere redir ports 1080
REDIRECT tcp -- anywhere anywhere match-set usergfwlist dst redir ports 1080
Chain SS_OUTPUT (1 references)
target prot opt source destination
SHADOWSOCKS_TCP tcp -- 192.168.50.231 anywhere
Chain SS_PREROUTING (1 references)
target prot opt source destination
SHADOWSOCKS_TCP tcp -- 192.168.0.0/16 anywhere
Chain VSERVER (1 references)
target prot opt source destination
VUPNP all -- anywhere anywhere
Chain VUPNP (1 references)
target prot opt source destination
```
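
A check for what the listing above shows, where the SS_PREROUTING rule matches source 192.168.0.0/16 rather than a single device. This is an added example, not part of the thread or of shadowsocks-asuswrt-merlin; the function names, the space-separated form of the expected list and the address 192.168.50.125 are assumptions.

```shell
#!/bin/sh
# Added example: audit which LAN sources the nat table hands to the proxy chain.

# Print the source column of every rule in chain $1 that jumps to target $2.
# Reads `iptables -t nat -L` (or `-L -n`) output on stdin.
ss_sources() {
    awk -v chain="$1" -v target="$2" '
        $1 == "Chain"  { in_chain = ($2 == chain); next }  # chain header line
        $1 == "target" { next }                            # column header line
        in_chain && $1 == target { print $4 }              # 4th column = source
    '
}

# Return 0 if every proxied source is in the expected list ($1, space-separated;
# that list format is an assumption), 1 if any other source is proxied,
# 2 if the jump rule is missing (for example, the service is not running).
audit_lan_ips() {
    expected=" $1 "
    sources=$(ss_sources SS_PREROUTING SHADOWSOCKS_TCP)
    if [ -z "$sources" ]; then
        echo "no SHADOWSOCKS_TCP jump in SS_PREROUTING"
        return 2
    fi
    result=0
    for src in $sources; do
        case "$expected" in
            *" $src "*) ;;
            *) echo "unexpected source: $src"; result=1 ;;
        esac
    done
    return $result
}

# Excerpt of the listing pasted in the thread, taken with the service running.
sample_listing() {
    cat <<'EOF'
Chain SS_OUTPUT (1 references)
target     prot opt source               destination
SHADOWSOCKS_TCP  tcp  --  192.168.50.231       anywhere
Chain SS_PREROUTING (1 references)
target     prot opt source               destination
SHADOWSOCKS_TCP  tcp  --  192.168.0.0/16       anywhere
EOF
}

# 192.168.50.125 is a constructed address standing in for the one device
# that should be proxied; on a router, pipe `iptables -t nat -L -n` instead.
sample_listing | audit_lan_ips "192.168.50.125" || true
```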
Try upgrading to the latest version with `ss-merlin upgrade` and try again.
Just tried and it's working perfectly! Thank you very much! I have now closed the issue.
Solved, thanks
Great software! Set up on my ac86u and it's working. However, I would like to specify some devices in my LAN to go through ss and others not; is there a way to do that? For example, my ps4 is at 192.168.0.1, Mac: xx:xx:xx:xx:13, and my pc is at 192.168.0.2, Mac: xx:xx:xx:xx:14, and I would like to let my ps4 go through ss only. Much appreciate your help!