Menu
What's new
By:
Filters Better Search

Diversion Diversion 5.1.3 - the Router Ad-Blocker, May 09, 2024

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

HorseCalledHorse said:
I did. And still failed.
Click to expand...
You mind posting some of the output you're typing in and errors it's returning? Perhaps we can help figure out why?

Edit: perhaps create a new topic, so we can get this one back on topic. ;)
 
Last edited:
Had an odd issue over the last couple of days where the macOS and iOS mail clients on my network stopped showing inline images in emails and presented me with this message:

Your network preferences prevent content from loading privately.

(Pressing a "Load images" button then does the trick).

I had never encountered this message before. I do not have Apple Private Relay enabled on any of my devices, but I do have Mail Privacy Protection enabled, which has never caused an issue before with my Merlin/Diversion/Skynet setup.

Searching for solutions, I found this article, which explains the problem: https://robpickering.com/macos-monterey-and-mail-privacy/

The solution offered was to whitelist these two domains: mask.icloud.com and mask-h2.icloud.com.

As far as I could tell, neither site was blocked by my Diversion block list (I'm using the default Large list), but I added them to the allowlist and everything now appears to work again.

But I'm interested in learning why the problem surfaced in the first place. Did a Diversion or Skynet blocklist update mean these two domains were inadvertently added to the list of blocked domains?

I'm also interested to know if allowing these domains means my macOS and iOS devices will now bypass Diversion for all DNS queries (even though I don't use, and never have used, Apple Private Relay). This seems to be a concern for Pi Hole, which blocks these domains by default: https://docs.pi-hole.net/ftldns/configfile/?h=mask#icloud_private_relay
 
HorseCalledHorse said:
But I'm interested in learning why the problem surfaced in the first place. Did a Diversion or Skynet blocklist update mean these two domains were inadvertently added to the list of blocked domains?
Click to expand...
Running an alpha version?

github.com

rc: disable the use of Apple's iCloud Private Relay when enabling "Pr… · RMerl/asuswrt-merlin.ng@b155542

…event client auto DoH" Reference: https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/
github.com github.com
 
dave14305 said:
Running an alpha version?

github.com

rc: disable the use of Apple's iCloud Private Relay when enabling "Pr… · RMerl/asuswrt-merlin.ng@b155542

…event client auto DoH" Reference: https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/
github.com github.com
Click to expand...
You may have hit the nail on the head, dave14305! It's not technically an alpha, but I did just update to the beta of 386.13 for my RT-AC86U. I'm assuming that change is also in that firmware. I'll post in the thread and ask.

So what has that commit changed? And is adding those two domains to the Diversion allowlist the right way to go about fixing my problem? As I said, I don't use Apple Private Relay, but the Mail Privacy Protection appears to use the same servers.

EDIT: Kicking myself now for not realising this was a firmware problem. It's even mentioned in the change notes! Setting Prevent Client Auto DoH to disabled in the WAN DNS setting should do the trick.
 
Last edited:
Hi

Slowly converting and adjusting my denylists. Report: the sort and verify function doesn't recognize duplicates if line differs at all, like having a suffix comment.

Code: 
au.download.windowsupdate.com
au.download.windowsupdate.com ## COMMENT
 
Aziron5 said:
Hi

Slowly converting and adjusting my denylists. Report: the sort and verify function doesn't recognize duplicates if line differs at all, like having a suffix comment.

Code: 
au.download.windowsupdate.com
au.download.windowsupdate.com ## COMMENT
Click to expand...
It’s not a duplicate line if it differs, that’s how sort works.
You edited the list manually, and Diversion 5.x no longer allows comments in any of the files for simplicity.
 
thelonelycoder said:
It’s not a duplicate line if it differs, that’s how sort works.
You edited the list manually, and Diversion 5.x no longer allows comments in any of the files for simplicity.
Click to expand...
Sure, but ...

This is the result of the first "verify and sort" step in the Edit Denylist menu, without processing.
Processing all lists then goes to remove the comments in the "denylist" as well, but if it's the "denylist.conf" that actually gets parsed by dnsmasq and diversion, where comments probably aren't even supported anyway and the ladder sign means something else, what's the point of removing the comments in the processed "denylist" as well?

Processing of the lists does this and more, what is the point of a separate pre-verification step then if it's not really needed necessairly? But ofcourse I do understand having extra use-case functionality, nothing wrong, just wondering what was the thinking behind it and perhaps how it could be useful in more use cases or improved.

The process I use right now is(and I'm not claiming I'm some linux expert with hotkeys and work environment all tuned up, I'm super busy with other chores atm and hurrying with this):

  1. 1. Local PC: denylist_description_comments_date_version-num.txt
  2. 2. Upload to Router
  3. 3. Delete "denylist"
  4. 4. Rename Uploaded "denylist_description_comments_date_version-num.txt" to "denylist"
  5. 5. SSH Login to Router, Diversion ...,... "Process All Lists"
  6. 6. SSH Diversion follow DNSMASQ to verify processing
  7. ... rinse repeat

Here's the idea, it would be a killer feature to have a multiple denylist stash saved on the router/jffs/usb-storage, aka profile banks, preloaded versions/editions of denylists, and then be able to switch via SSH which one to load/activate and do other actions. Whitelist stash as well!
Could possibly even be timed let's say "enable this whitelist stash for X minutes or Y hours, and switch back to stash 03", maybe I'm asking for too much, but I wouldn't be surprised if this idea was floated around in the community before, doesn't it make sense?

This was something I had on my mind before the latest NXDOMAIN transition, didn't spoke about it yet until now.

Sometimes I want to just quickly disable/enable a particular domain (to let a specific update through, to get something that requires it) without touching other rules, and doing this process of dealing with upload/download/edit/rename and keep everything organized can become confusing and time consuming.

By the way, wasn't there a "Process Blacklist" previously in older versions, and the equivalent "Process Denylist" isn't there now anymore, not that's it's that of a big deal, just something I noticed.

Thanks
 
Aziron5 said:
Sure, but ...

This is the result of the first "verify and sort" step in the Edit Denylist menu, without processing.
Processing all lists then goes to remove the comments in the "denylist" as well, but if it's the "denylist.conf" that actually gets parsed by dnsmasq and diversion, where comments probably aren't even supported anyway and the ladder sign means something else, what's the point of removing the comments in the processed "denylist" as well?

Processing of the lists does this and more, what is the point of a separate pre-verification step then if it's not really needed necessairly? But ofcourse I do understand having extra use-case functionality, nothing wrong, just wondering what was the thinking behind it and perhaps how it could be useful in more use cases or improved.

The process I use right now is(and I'm not claiming I'm some linux expert with hotkeys and work environment all tuned up, I'm super busy with other chores atm and hurrying with this):

  1. 1. Local PC: denylist_description_comments_date_version-num.txt
  2. 2. Upload to Router
  3. 3. Delete "denylist"
  4. 4. Rename Uploaded "denylist_description_comments_date_version-num.txt" to "denylist"
  5. 5. SSH Login to Router, Diversion ...,... "Process All Lists"
  6. 6. SSH Diversion follow DNSMASQ to verify processing
  7. ... rinse repeat

Here's the idea, it would be a killer feature to have a multiple denylist stash saved on the router/jffs/usb-storage, aka profile banks, preloaded versions/editions of denylists, and then be able to switch via SSH which one to load/activate and do other actions. Whitelist stash as well!
Could possibly even be timed let's say "enable this whitelist stash for X minutes or Y hours, and switch back to stash 03", maybe I'm asking for too much, but I wouldn't be surprised if this idea was floated around in the community before, doesn't it make sense?

This was something I had on my mind before the latest NXDOMAIN transition, didn't spoke about it yet until now.

Sometimes I want to just quickly disable/enable a particular domain (to let a specific update through, to get something that requires it) without touching other rules, and doing this process of dealing with upload/download/edit/rename and keep everything organized can become confusing and time consuming.

By the way, wasn't there a "Process Blacklist" previously in older versions, and the equivalent "Process Denylist" isn't there now anymore, not that's it's that of a big deal, just something I noticed.

Thanks
Click to expand...
That‘s a lot of words and ideas. And I have reasons to do as I did and how I handle these lists and what features I am willing to add.
One wants this, the next wants that feature. I cannot satisfy all.

It takes a lot of time and requires recoding a lot to make a simple change in the deny and allow lists. It is as it is and it works AFAIK.
 
ugandy said:
the deny list. i want to block some sites for my kids during certain hours of the day. i imagined i could use crontab to modify the denylist and trigger a re process...
Click to expand...
I cannot do something like this shell command:
> diversion "el 3"

would the following trigger a re process of the deny/allow lists?
> diversion bu
 
Last edited:
Installed 386.13_0 on AC86U. Every other reboot appear to be back to the prior troubles. Forced diversion 5.1.1 to force update itself, will see how it goes!

Code: 
Apr 15 08:30:32 RT-AC86U-9988 dnsmasq[5555]: FAILED to start up
Apr 15 08:30:32 RT-AC86U-9988 dnsmasq[5584]: FAILED to start up
Apr 15 08:30:34 RT-AC86U-9988 dnsmasq[6658]: FAILED to start up
Apr 15 08:30:38 RT-AC86U-9988 dnsmasq[6852]: FAILED to start up
Apr 15 08:30:40 RT-AC86U-9988 dnsmasq[8805]: FAILED to start up
Apr 15 08:30:42 RT-AC86U-9988 dnsmasq[8918]: FAILED to start up
Apr 15 09:03:26 RT-AC86U-9988 dnsmasq[5122]: FAILED to start up
Apr 15 09:03:27 RT-AC86U-9988 dnsmasq[5704]: FAILED to start up
Apr 15 09:03:28 RT-AC86U-9988 dnsmasq[5780]: FAILED to start up
Apr 16 04:06:47 RT-AC86U-9988 dnsmasq[4257]: FAILED to start up
Apr 16 04:06:48 RT-AC86U-9988 dnsmasq[4292]: FAILED to start up
Apr 16 04:06:56 RT-AC86U-9988 dnsmasq[10874]: FAILED to start up
Apr 16 04:06:57 RT-AC86U-9988 dnsmasq[11150]: FAILED to start up
Apr 16 04:11:09 RT-AC86U-9988 dnsmasq[22860]: FAILED to start up
Apr 16 04:11:10 RT-AC86U-9988 dnsmasq[22898]: FAILED to start up
Apr 16 04:11:31 RT-AC86U-9988 dnsmasq[24256]: FAILED to start up
Apr 16 04:11:32 RT-AC86U-9988 dnsmasq[24286]: FAILED to start up
 
Just noticed this...

1713568315865.png


In Options the Blocking list is set to update at 2am every Sunday. Does it update or not? I'm confused.
 
@Rhialto Which list are you using? Does a manual update work? Have you tried swapping to a different one, then swapping back?
 
Rhialto said:
In Options the Blocking list is set to update at 2am every Sunday. Does it update or not? I'm confused.
Click to expand...
I have seen this message posted here multiple times now. Don't know where it comes from but I will investigate.

In any case, re-selecting the list will fix this:
- Using the SSH UI (b, 1): Re-select the Large list
- Using the WebUI (In the Lists tab): Select the Standard blocking list type and click "Save type". Let it do its thing and then come back and select the Large blocking list type. The two steps are necessary as directly selecting the Large type will not offer the Save type option.
 
Ripshod said:
@Rhialto Which list are you using? Does a manual update work? Have you tried swapping to a different one, then swapping back?
Click to expand...
Large list like shown in 1st column in original picture.

There is no manual update button.

1713622844456.png


1713622875744.png
 
thelonelycoder said:
- Using the WebUI (In the Lists tab): Select the Standard blocking list type and click "Save type". Let it do its thing and then come back and select the Large blocking list type. The two steps are necessary as directly selecting the Large type will not offer the Save type option.
Click to expand...
Great, this has fixed it...

1713623064353.png


Merci! I see Blocked domains count is also much higher now...
 
Diversion 5.1.2 is now available

What's new in this patch update
- Fixes disappearing entries in the hostslist. Please run a manual update in the WebUI or SSH UI to check if this is the case for your installation after updating. Thanks @Rhialto and others for reporting.
- Now shows encountered blocking list update errors in the WebUI.
- A couple of logical corrections.
 
Last edited:
Well, it finally happened - I met a forum member and user of my scripts in real life here in my hometown Lucerne, Switzerland. @visortgw is in town for two days with his charming wife and friends for a trip across part of Europe. Thank you for dinner, I enjoyed the in person exchange after so many years of collaboration and discussions on this board.
 
You must log in or register to reply here.

Similar threads

thelonelycoder
Diversion Diversion 4.3.3 - the Router Ad-Blocker, released April 02 2023
15 16 17
Replies
323
Views
60K
thelonelycoder
thelonelycoder
Viktor Jaep
RTRMON RTRMON v2.1.3 -Oct 19, 2024- Monitor your Router's Health (New: AMTM, Network Conn/Bandwidth/Diag + Port Scanner + Speedtest)
11 12 13
Replies
252
Views
25K
Martinski
M
thelonelycoder
Diversion Diversion - the Router Ad-Blocker v4.2.x (see new thread for 4.3.x)
23 24 25
Replies
499
Views
111K
Treadler
Treadler
Viktor Jaep
TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)
26 27 28
Replies
556
Views
62K
XIII
XIII
Viktor Jaep
BACKUPMON BACKUPMON v1.8.20 -Oct 12, 2024- Backup/Restore your Router: JFFS + NVRAM + External USB Drive! CIFS/SMB/NFS! (Now available in AMTM!)
23 24 25
Replies
487
Views
60K
ExtremeFiretop
ExtremeFiretop
Similar threads
Thread starter Title Forum Replies Date
thelonelycoder Diversion Diversion 5.3 - the Router Ad-Blocker, August 11, 2024 Asuswrt-Merlin AddOns 40
J Diversion [SOLVED] DNS Director with Diversion 5.0+? Asuswrt-Merlin AddOns 2
D Diversion AMTM / Diversion stopped working (USB Drive?) Asuswrt-Merlin AddOns 10
J Diversion Diversion won't start Asuswrt-Merlin AddOns 2
M Diversion Diversion 5.3 Dnsmasq log file location Asuswrt-Merlin AddOns 2
F Diversion slow down troubleshooting Asuswrt-Merlin AddOns 3
heysoundude Manifest v2 and diversion Asuswrt-Merlin AddOns 4
F Diversion Diversion and Breezeline Customer Portal Asuswrt-Merlin AddOns 5
D Entware Asus RT-AC86U (386.13_2) on AMTM 4.9 - Unable to update Entware Packages and Diversion (4.3.3 to 5.1 or 5.2) Asuswrt-Merlin AddOns 4
L Is Diversion better than NextDNS, PiHole or AdGuard Home? Asuswrt-Merlin AddOns 10

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 996 (members: 35, guests: 961)
Top