AB-Solution - The Ad Blocking Solution

[Alfred]

Can't tell for sure ATM, but pixelserv should only listen on port 443 on the ps IP.
Make sure OpenVPN does the same in its IP and see how it goes.
In my head it works...
There is also the harder way of doing it: The pixelserv switches, you can change the https port (443) in the AB UI, but you'll also have to add a firewall forwarding rule to make it work.
See kvic's pixelserv thread for how to do it.

Interesting. Thank you for coining that option.

 

[Supernova]

Hello-

I'm a newbie to Merlin and AB-Solution. I used the latest installer, but this morning when I rebooted the router it stopped blocking ads. I manually updated and it started blocking again. Obviously I'm missing something, but not sure what?

Also, is it recommend to use pixelserv-tls?

What I'm running is listed below.

 A B - S O L U T I O N        A D - B L O C K I N G

 AB-Solution 3.9                  by thelonelycoder
----------------------------------------------------
 RT-AC3200 (armv7l) fw-380.67 @ 192.168.1.1
----------------------------------------------------
 415,425  blocked domains  6  hosts files in use
 1,329 t  1,329 w  3 n ads since Aug 15 11:39
----------------------------------------------------

 i   AB-Solution     [/tmp/mnt/data]
 cu  check for updates
 un  updates notify  [off]
 bu  backup to email [off]

 a   ad-blocking     [on]
 l   logging         [on]
 rs  router stats    [off]

 cb  custom block IP [off] (0.0.0.0)
 ps  install pixelserv-tls

 b   blocking file   [AdsBeGone!] [Fri @ 2:00]
 u   update blocking file
 el  edit white or black list

 f   follow the logfile
 ac  update ads counter

 e   exit AB-Solution                   sm  sub menu
____________________________________________________

 Done  check for updates

 What do you want to do?

--NOTE: It seems if I turn on AI Protection it stops working and once I turn it off and restart it, it works. Is this normal?

 

[redhat27]

Don't ask as I don't know why I added it at the time.
This is completely removed now, users of your script look forward to your update to use the shared whitelist.

On closer look, I'm sad to say I'll pass on the shared whitelist for ya-malware-block. The reason being that the ya-malware-block solely uses IP regexes and discrete IPs for the whitelisting purposes. If I introduce a domain to IP lookup and then exclude from the block, it will add processing time which may not be needed (it anyway has to whitelist internal/non-routable IPs). I will, however implement that on the iblocklist-loader script in the next update.

 

[^Tripper^]

This is more to support the Streisand effect than the actual need to block a single domain, functionalclam.com in this case.
The company behind it, Admiral, owns the domains in the blacklist I posted.

We are all affected by brute force measures such as that silly DMCA takedown request Admiral threatened GitHub and possibly EasyList with.

So yes, unless Singapore is outside of the earthly internet DNS zone, this blacklist can be added to any ad-blocker using hosts file based blocking.
AB-Solution is one of them.

Noted. And domains gladly added.

 

[thelonelycoder]

Also, is it recommend to use pixelserv-tls?

Highly recommended: https://www.ab-solution.info/faq-reader/what-does-pixelserv-tls-do-and-do-i-need-it.html

--NOTE: It seems if I turn on AI Protection it stops working and once I turn it off and restart it, it works. Is this normal?

That depends what feature(s) is/are enabled in AI Protection.
For AI Protection to work, some or all local DNS requests are sent to an external resolver, bypassing the local resolving by Dnsmasq.

AB-Solution only works if the local Dnsmasq does the resolving.

 

[thelonelycoder]

On closer look, I'm sad to say I'll pass on the shared whitelist for ya-malware-block. The reason being that the ya-malware-block solely uses IP regexes and discrete IPs for the whitelisting purposes. If I introduce a domain to IP lookup and then exclude from the block, it will add processing time which may not be needed (it anyway has to whitelist internal/non-routable IPs). I will, however implement that on the iblocklist-loader script in the next update.

So I best re-add the /jffs/ipset_lists/ya-malware-block.urls if found to whitelist your required domains?

 

[Supernova]

Highly recommended: https://www.ab-solution.info/faq-reader/what-does-pixelserv-tls-do-and-do-i-need-it.html

That depends what feature(s) is/are enabled in AI Protection.
For AI Protection to work, some or all local DNS requests are sent to an external resolver, bypassing the local resolving by Dnsmasq.

AB-Solution only works if the local Dnsmasq does the resolving.

Thank you, I appreciate the response. Installed it tonight and have AI protection off.

 

[Rimmel]

My test routers have only one purpose: I develop and test the scripts I code on them.
Them having their own IP range helps to simulate real world conditions.

My test routers have only one purpose: I develop and test the scripts I code on them.
Them having their own IP range helps to simulate real world conditions.

But do they work? e.g. behind the main router and still accessing the outside world (the tinterweb)? Or does it just work for the subnet they are on?


thanks

 

[thelonelycoder]

But do they work? e.g. behind the main router and still accessing the outside world (the tinterweb)? Or does it just work for the subnet they are on?


thanks

Why would it not work?
They receive a LAN IP from my main router which is the WAN IP on the test routers.
Just as you main router receives an IP from your ISP.

 

[Rimmel]

Why would it not work?
They receive a LAN IP from my main router which is the WAN IP on the test routers.
Just as you main router receives an IP from your ISP.

Couldn't get it to work here - that why I ask.

 

[thelonelycoder]

Couldn't get it to work here - that why I ask.

Set WAN Connection Type to Automatic IP. For the main router this is just another device that connects to its LAN side.

 

[Rimmel]

Set WAN Connection Type to Automatic IP. For the main router this is just another device that connects to its LAN side.

Yeah did that.

Main Lan 192.168.1.x (router connected to tintierweb)

second lan 192.168.2.x (ab-solution on it)

Static route set up so 192.168.1.x can access 192.168.2.x

192.168.1.x can not resolve dns when pointed to the ab-solution router.

thanks

 

[thelonelycoder]

Yeah did that.

Main Lan 192.168.1.x (router connected to tintierweb)

second lan 192.168.2.x (ab-solution on it)

Static route set up so 192.168.1.x can access 192.168.2.x

192.168.1.x can not resolve dns when pointed to the ab-solution router.

thanks

You have to allow access to the service from the WAN side on that downstream router, generally not a good idea but the only way to make it work.

 

[Rimmel]

You have to allow access to the service from the WAN side on that downstream router, generally not a good idea but the only way to make it work.

I have disable the firewall on the downstream router, do you mean create a port forward? If so which ports specifically?


thanks

 

[thelonelycoder]

I have disable the firewall on the downstream router, do you mean create a port forward? If so which ports specifically?


thanks

Port 80 and 443 for pixelserv, 53 I believe for dnsmasq

 

[Rimmel]

Port 80 and 443 for pixelserv, 53 I believe for dnsmasq

Great thanks - I will give it a try.

 

[Rimmel]

If the downstream router IP is 192.168.2.1 and the pixelserv-tls is running on 192.168.2.2 ...

Which IP do I make the rule for?

80 and 443 to pixelserv x.x.x.2 and 53 to router x.x.x.1 ????

What about the router interface on 80?


thanks

 

[redhat27]

So I best re-add the /jffs/ipset_lists/ya-malware-block.urls if found to whitelist your required domains?

Only raw.githubusercontent.com is used there. I do not suppose it will be blocked. If it is blocked by AB-Solution, there'll probably be bigger issues. Almost all script code (even from other scripters) are hosted there.

 

[Rimmel]

If the downstream router IP is 192.168.2.1 and the pixelserv-tls is running on 192.168.2.2 ...

Which IP do I make the rule for?

80 and 443 to pixelserv x.x.x.2 and 53 to router x.x.x.1 ????

What about the router interface on 80?


thanks

Could you let me know what you have set in your router please?

thanks

 

[mstombs]

pixelserv listens on ip address and port, but all other serrvices must do this as well to re-use port nos.
We used to have an issue with the router web gui listening on all ip addresses and port 80, but I believe this was fixed many revs ago. There is still an issue with AiCloud on port 443? The adblock install script optionally moves this to 9443 to free up 443 for use by pixelserv.

pixelserv can be configured to listen on different ports, but browsers will use 80 for http and 443 for https by default, so you would need iptables rules to dnat the requests to different ports.