What's new

Diversion Diversion 5.1.3 - the Router Ad-Blocker, May 09, 2024

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Hey i keep getting this error when installing:

At the end of install it repeats

Waiting for blocking list entry...
Waiting for blocking list entry...

Then it times out

Also, i am not seeing the diversion tab in the UI anymore under the LAN tab like normal.

RT-AX86U
According to his code, it seems to have to do with the dnsmasq.conf file... specifically, if the entry "conf-dir=/opt/share/diversion/list,*" doesn't appear in your /etc/dnsmasq.conf file, it will wait and go through a loop to give you the "Waiting for blocking list entry" message.

I would focus on why dnsmasq.conf isn't accepting this modification... making sure you've met all the minimum requirements, uninstalled/reinstalled, etc.
 
Last edited:
Hey i keep getting this error when installing:

At the end of install it repeats

Waiting for blocking list entry...
Waiting for blocking list entry...

Then it times out

Also, i am not seeing the diversion tab in the UI anymore under the LAN tab like normal.

RT-AX86U
Check the routers SysLog, Dnsmasq will say what’s not compliant.
 
Which version of amtm are you running?
4.1. If no update is available your on the latest version. I released amtm 4.1 and Diversion 5.0 at the same time, hence the remark in the release threads for both amtm and Diversion.
 
Check the routers SysLog, Dnsmasq will say what’s not compliant.

This is the only logs I am seeing when i reinstall diverison:

Jan 5 13:49:18 dnsmasq[15986]: started, version 2.89 cache disabled
Jan 5 13:49:18 dnsmasq[15986]: asynchronous logging enabled, queue limit is 5 messages
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
Jan 5 13:49:18 dnsmasq-dhcp[15986]: DHCP, IP range 192.168.50.3 -- 192.168.50.254, lease time 1d
Jan 5 13:49:18 dnsmasq[15986]: using nameserver 127.0.0.1#5342
Jan 5 13:49:18 dnsmasq[15986]: read /etc/hosts - 22 names
Jan 5 13:49:18 custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
Jan 5 13:52:32 Diversion: logging is disabled, cannot count ads
Jan 5 13:52:46 rc_service: service 19272:notify_rc restart_dnsmasq

Also, in the console this is what it is telling me as the error:

✖ blocking list entry timed out
 
Hi @thelonelycoder,

I have a problem with the weekly stats collection, specific to the top 10 blocked domains.
  1. The filter on is NXDOMAIN is catching DNSSEC lines like these:
    Jan 5 16:54:06 dnsmasq[21995]: 107425 192.168.1.187/64162 reply metadata.google.internal is NXDOMAIN (DNSSEC signed)
    and this is putting NXDOMAIN (NF-2) in the temporary list of blocked domains. Maybe config .* is NXDOMAIN$ is a more specific search string.
  2. The top 10 blocked domains includes a lot of NXDOMAIN results for my local domain (home.arpa), due to the dnsmasq config for local=/home.arpa/
  3. Blocked domains that are a sub-domain of a blocked wildcard domain aren't reported as being from the blockinglist.conf. See securepubads example below.
These are the initial top 10 blocked domains (running your awk commands from stats.div directly):
Code:
 778    wpad.home.arpa
 633    lb._dns-sd._udp.home.arpa
 606    _dns.resolver.arpa
 494    metrics.icloud.com
 404    b._dns-sd._udp.home.arpa
 403    db._dns-sd._udp.home.arpa
 150    app-measurement.com              
 143    wpad.<redacted>.local
 114    <redacted>.local
 113    securepubads.g.doubleclick.net
The resulting stats report shows only 2 domains in the report:
Code:
 The top 10 blocked ad domains were:
 --------------------------------------------------------
 778    wpad.home.arpa                            blocked
 633    lb._dns-sd._udp.home.arpa                 blocked
I see a couple issues: it detects 2 domains of the 10 as being in the blockinglist.conf, but it displays the wrong 2. metrics.icloud.com and app-measurement.com are direct matches from OISD Small. securepubads.g.doubleclick.net isn't a direct match, but is covered by g.doubleclick.net in the OISD Small list.

Congratulations on the big 5.0! This definitely swayed me in my decision to purchase a new Asus router (RT-AX88U PRO)!

Hope this report is helpful.
 
Hi @thelonelycoder,

I have a problem with the weekly stats collection, specific to the top 10 blocked domains.
  1. The filter on is NXDOMAIN is catching DNSSEC lines like these:
    Jan 5 16:54:06 dnsmasq[21995]: 107425 192.168.1.187/64162 reply metadata.google.internal is NXDOMAIN (DNSSEC signed)
    and this is putting NXDOMAIN (NF-2) in the temporary list of blocked domains. Maybe config .* is NXDOMAIN$ is a more specific search string.
  2. The top 10 blocked domains includes a lot of NXDOMAIN results for my local domain (home.arpa), due to the dnsmasq config for local=/home.arpa/
  3. Blocked domains that are a sub-domain of a blocked wildcard domain aren't reported as being from the blockinglist.conf. See securepubads example below.
These are the initial top 10 blocked domains (running your awk commands from stats.div directly):
Code:
 778    wpad.home.arpa
 633    lb._dns-sd._udp.home.arpa
 606    _dns.resolver.arpa
 494    metrics.icloud.com
 404    b._dns-sd._udp.home.arpa
 403    db._dns-sd._udp.home.arpa
 150    app-measurement.com             
 143    wpad.<redacted>.local
 114    <redacted>.local
 113    securepubads.g.doubleclick.net
The resulting stats report shows only 2 domains in the report:
Code:
 The top 10 blocked ad domains were:
 --------------------------------------------------------
 778    wpad.home.arpa                            blocked
 633    lb._dns-sd._udp.home.arpa                 blocked
I see a couple issues: it detects 2 domains of the 10 as being in the blockinglist.conf, but it displays the wrong 2. metrics.icloud.com and app-measurement.com are direct matches from OISD Small. securepubads.g.doubleclick.net isn't a direct match, but is covered by g.doubleclick.net in the OISD Small list.

Congratulations on the big 5.0! This definitely swayed me in my decision to purchase a new Asus router (RT-AX88U PRO)!

Hope this report is helpful.
Thanks Dave, it‘s observation like yours that help me most when fine-tuning.

I hope you are aware that 5.0 is also your brainchild. Your post back then triggered this massive rewrite. And I expected a few flaws and inconsistencies upon release. They all will be sorted out given some time and patience.
It’s software and nobody is perfect - though I strive to be very close to perfection.
 
I hope you are aware that 5.0 is also your brainchild. Your post back then triggered this massive rewrite. And I expected a few flaws and inconsistencies upon release. They all will be sorted out given some time and patience.
I tried a lot of other adblockers on other platforms in my "Prodigal Son" phase and was always wishing they worked more like Diversion, especially around logging and stats. I'm very happy to help improve things here in any way I can.
 
I tried a lot of other adblockers on other platforms in my "Prodigal Son" phase and was always wishing they worked more like Diversion, especially around logging and stats. I'm very happy to help improve things here in any way I can.
What can I say but “your a good man / lad” or some other variation therof.
I heard this a lot while troubleshooting one of our systems here on Gran Canaria. This one is again up and running since mid afternoon yesterday. A very happy customer and I will be flying home in a few hours. I fixed one bug and the next revealed itself and that game repeated itself about five times over the last three days.

Frustrating but not uncommon in the business we are in. There are local companies that do the first responding and I only get sent out to try and figure out the mess when they are at their wits end.
Persistence prevailed once again.
 
Hi! I did a hard reset and installed Diversion 5.0. I don't understand now how Entware works, because during the installation of Diversion you no longer have to enter the IP to assign to Entware.

Yesterday I had problems generating the certificate, because at the command:

Code:
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca.crt -subj "/CN=Pixelserv CA"

It generated an error about v3_ca:

Code:
Error Loading extension section v3_ca
4144742400:error:22097069:lib(34):func(151):reason(105):NA:0:name=subjectAltName,section=@alt_names
4144742400:error:22098080:lib(34):func(152):reason(128):NA:0:name=subjectAltName, value=@alt_names

Once the certificate is generated, it says to go to http://pixelserv ip/ca.crt, which in my case was 192.168.2.2/ca.crt.

Now, of course, there isn't. How do I get the certificate? Via WinSCP?

Thank you and forgive these questions.

* By instead putting this command, found HERE, I can generate the certificate
Code:
openssl req -key ca.key -new -x509 -days 3650 -sha256 -extensions usr_cert -out ca.crt -subj "/CN=Pixelserv CA"
 
Last edited:
Now, of course, there isn't. How do I get the certificate? Via WinSCP?
Look at the very first post, there is a section called Diversion post-update notes. Look at the second line if it can help.
 
Look at the very first post, there is a section called Diversion post-update notes. Look at the second line if it can help.

Yes, following that guide (which always worked), I encountered this problem.
 
Yes, following that guide (which always worked), I encountered this problem.
pixelserv has been deprecated from Diversion 5.0.
 
Okay! You just need to remove the devices certificate. A thousand thanks! I thought that, after the update, it needed to be recreated.
Forgive me!
 
Reset your blocking files. then try one of the pre-selected blocking lists to see if that works. If it works, make sure that your lists are compatible with the new Diversion. Everything should work the same in the latest version, there is no reason to downgrade.
Yes do it like this and now seems working fine. Thanks.
 
Hello.
First of all thanks @thelonelycoder for such a great update. I believe this change in diversion helps both router capacity and browsing experience.

I’m having some issues with the whitelist. Especifically with this website tvx.adgrx.com. I’m unsure if other sites are being affected by this.

No matter if it’s included in the whitelist, diversion will block it in all devices. I have proceeded lists multiple times as well as rebooting router with no luck. I will appreciate your feedback on what could I be doing wrong.
 

Attachments

  • IMG_4557.png
    IMG_4557.png
    32.3 KB · Views: 41
  • IMG_4558.png
    IMG_4558.png
    77.3 KB · Views: 42
  • IMG_4559.png
    IMG_4559.png
    97.4 KB · Views: 42

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top