AB-Solution - The Ad Blocking Solution

[thelonelycoder]

ALCON,

Can anyone provide an assist in regards to emailing logs or saving logs locally of router stats? Any option I pick results with me receiving an error. Also, I can't seem to install pixelserv-tls. Attached are screenshots of my problems.

Any help is appreciated.


Cheers!

Look at this post, you might have a similar problem with your USB device.
As a first step, delete all files in /tmp/mnt/data/adblocking/addon/
You can do this in your SSH terminal with this command:

rm -f /tmp/mnt/data/adblocking/addon/*.add

Then start the AB UI and try to set the stats function and install ps.

 

[th0r]

Check your blacklist, is clients6.google.com blocked?
Also, the f option 2 shows what domains are blocked.
If you want to be sure, use f option 4, do exactly as the on screen description says, the url is drive.google.com

OK, just added docs.google.com on whitelist and situation is solved. Don't know why it appeared there? icloud.com was also on blacklist. Weird.

 

[thelonelycoder]

OK, just added docs.google.com on whitelist and situation is solved. Don't know why it appeared there? icloud.com was also on blacklist. Weird.

The blacklist is your personal file. Nothing is in it unless you add it yourself.
The blocking file is composed of several hosts file providers, one of them may contain the docs.google domain.

 

[skilledone]

Look at this post, you might have a similar problem with your USB device.
As a first step, delete all files in /tmp/mnt/data/adblocking/addon/
You can do this in your SSH terminal with this command:

rm -f /tmp/mnt/data/adblocking/addon/*.add

Then start the AB UI and try to set the stats function and install ps.

This worked perfectly!!! Amazing, thanks for your quick response !

 

[thelonelycoder]

This worked perfectly!!! Amazing, thanks for your quick response !

Glad it works now. And thanks for the feedback.

 

[Laonifaron]

Got a couple of questions:

- What's pixelserv kj? What's the difference to the "normal" pixelserv?

- How important is it to actually import the ca.crt certificates on each of my devices? Is there a guide for how to do it on linux? Or do I just double click and then import the certificate? I've also done it the same way on my mac, even though the github guide of pixelserv-tls was talking about an other way of doing it? How can I make sure it's actually working as intended?

- I have issues with websites using HSTS. This is an example of what happens when I try to access google docs:

Your connection is not private
Attackers might be trying to steal your information from docs.google.com (for example, passwords, messages, or credit cards).


NET::ERR_CERT_AUTHORITY_INVALID

 

[thelonelycoder]

- What's pixelserv kj? What's the difference to the "normal" pixelserv?

pixelserv version v35.HZ12.Kj is the incremental update version released by @kvic a little while ago, current being v.Ki. It is then entered into the Entware package repository by the Entware maintainers as soon as their time permits.
It is then available with the Entware update functions in AB or manually in the terminal with:

opkg update
or
opkg upgrade

- How important is it to actually import the ca.crt certificates on each of my devices? Is there a guide for how to do it on linux? Or do I just double click and then import the certificate? I've also done it the same way on my mac, even though the github guide of pixelserv-tls was talking about an other way of doing it? How can I make sure it's actually working as intended?

I seldom have problems with the certs, in most cases force reloading the page makes the error go away for me.
The browser import described ought to do the trick for most users.
Sites using HSTS, and all SSL ad-blocking domains for that matter, are presently a problem with pixelserv installed.
Browsers more and more rightly enforce strict standards. This problem is not new and I'm sure @kvic would immediately implement a solution to it. But that is, for the foreseeable future, nearly impossible.

Your connection is not private
Attackers might be trying to steal your information from docs.google.com (for example, passwords, messages, or credit cards).

The problem is likely NOT the docs.google domain but another domain blocked by AB that goes through pixelserv, as described above. Try reloading the page or import the certificate.

 

[Jack Yaz]

Can I use AB-Solution in combination with OpenDNS (which I've specified in WAN on the ASUS router)? Clients still use the ASUS as their DNS server, which is in turn using OpenDNS for connecting to WAN.

Or can I add the domains I block with OpenDNS in AB-Solution? e.g. blocking Facebook domains

 

[thelonelycoder]

Can I use AB-Solution in combination with OpenDNS (which I've specified in WAN on the ASUS router)? Clients still use the ASUS as their DNS server, which is in turn using OpenDNS for connecting to WAN.

Or can I add the domains I block with OpenDNS in AB-Solution? e.g. blocking Facebook domains

OpenDNS in WAN settings works just fine with AB, as long as the clients use the built in dnsmasq to resolve domains locally.
Make sure all clients are set to manually or automatically obtain IP and DNS from your router.
The LAN/DHCP Server must be set to enabled and 'Forward local domain queries to upstream DNS' set to no.
During the AB installation it will warn you if any of the relevant settings are not compatible and suggest a resolution.

Give it a go, you'll find AB will work just fine for you. I'm sure of it.

 

[Jack Yaz]

Cool, thanks. Now if I could figure out how to just bind AB-Solution to the SSID for Wifi rather than the desktops, which use uBlock (which is easy enough to disable, I'm a sucker for cashback sites like TopCashBack, which most adblockers play havoc with!)

 

[thelonelycoder]

Cool, thanks. Now if I could figure out how to just bind AB-Solution to the SSID for Wifi rather than the desktops, which use uBlock (which is easy enough to disable, I'm a sucker for cashback sites like TopCashBack, which most adblockers play havoc with!)

There's a FAQ:
https://www.ab-solution.info/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

 

[Jack Yaz]

I might try something with dnsmasq postconf to add ranges and such, rather than per client in ui

 

[thelonelycoder]

I might try something with dnsmasq postconf to add ranges and such, rather than per client in ui

Whatever you do and it works, post it here so we all can profit from your findings.

 

[Jack Yaz]

Hm, it seems DNS filtering does it by MAC via iptables. My concern is, if using AB, and then adding exceptions, by forcing a client to use upstream DNS, will that then mean that they are unable to perform local lookups, since they're not talking to the router anymore?

Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
    1    57 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:8.8.8.8

 

[thelonelycoder]

Hm, it seems DNS filtering does it by MAC via iptables. My concern is, if using AB, and then adding exceptions, by forcing a client to use upstream DNS, will that then mean that they are unable to perform local lookups, since they're not talking to the router anymore?

Chain DNSFILTER (2 references)
pkts bytes target     prot opt in     out     source               destination
    1    57 DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0           to:8.8.8.8

As I said earlier, clients must resolve domains directly through dnsmasq. This is how AB works. No way around this.

 

[Jack Yaz]

Yeah, which is why I was wondering if I could use dnsmasq postconf to give certain clients a different DNS, rather than the router. It'd probably have to be on a different subnet/vlan though. I'll dabble and report back.

 

[redhat27]

My concern is, if using AB, and then adding exceptions, by forcing a client to use upstream DNS, will that then mean that they are unable to perform local lookups, since they're not talking to the router anymore?

I use AB solution and it works great (I use it with pixelserv-tls) I also use Cisco OpenDNS with dnscrypt for dnsmasq's upstream

I do not use any dns on the UI:

and I also make sure the clients on theLAN use router for dns:
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination $(nvram get lan_ipaddr)

My dnscrypt service runs on 127.0.0.1:65053 and the ones that are not ads (not blocked by AB) are sent upstream SSL encrypted:

admin@RT-AC66R-D700:/jffs/scripts# cat /etc/dnsmasq.conf | grep server
server=127.0.0.1#65053

 

[thelonelycoder]

Yeah, which is why I was wondering if I could use dnsmasq postconf to give certain clients a different DNS, rather than the router. It'd probably have to be on a different subnet/vlan though. I'll dabble and report back.

Thats certainly doable with dnsmasq.
I have played with a second instance of dnsmasq, for more or less the same reason.
Wish I had more time to test and code, this would be another killer feature for AB.

 

[Jack Yaz]

I'm rather new to Merlin, and not that much more experienced with Bash, so I doubt I'll get very far.

Is it the hosts file or the resolve file AB uses to block things? Happy to move this convo to PM or something if we're getting offtopic for this thread

 

[Jack Yaz]

I would guess you'd need a second dnsmasq listening on another subnet, which would require a VLAN, I think. One would use AB, the other not. Would then need a way of assigning clients to a VLAN as to whether or not they get AB? I'm truly out of my depth here!