What's new

Diversion Diversion 5.1.3 - the Router Ad-Blocker, May 09, 2024

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I did. And still failed.
You mind posting some of the output you're typing in and errors it's returning? Perhaps we can help figure out why?

Edit: perhaps create a new topic, so we can get this one back on topic. ;)
 
Last edited:
Had an odd issue over the last couple of days where the macOS and iOS mail clients on my network stopped showing inline images in emails and presented me with this message:

Your network preferences prevent content from loading privately.

(Pressing a "Load images" button then does the trick).

I had never encountered this message before. I do not have Apple Private Relay enabled on any of my devices, but I do have Mail Privacy Protection enabled, which has never caused an issue before with my Merlin/Diversion/Skynet setup.

Searching for solutions, I found this article, which explains the problem: https://robpickering.com/macos-monterey-and-mail-privacy/

The solution offered was to whitelist these two domains: mask.icloud.com and mask-h2.icloud.com.

As far as I could tell, neither site was blocked by my Diversion block list (I'm using the default Large list), but I added them to the allowlist and everything now appears to work again.

But I'm interested in learning why the problem surfaced in the first place. Did a Diversion or Skynet blocklist update mean these two domains were inadvertently added to the list of blocked domains?

I'm also interested to know if allowing these domains means my macOS and iOS devices will now bypass Diversion for all DNS queries (even though I don't use, and never have used, Apple Private Relay). This seems to be a concern for Pi Hole, which blocks these domains by default: https://docs.pi-hole.net/ftldns/configfile/?h=mask#icloud_private_relay
 
But I'm interested in learning why the problem surfaced in the first place. Did a Diversion or Skynet blocklist update mean these two domains were inadvertently added to the list of blocked domains?
Running an alpha version?

 
Running an alpha version?

You may have hit the nail on the head, dave14305! It's not technically an alpha, but I did just update to the beta of 386.13 for my RT-AC86U. I'm assuming that change is also in that firmware. I'll post in the thread and ask.

So what has that commit changed? And is adding those two domains to the Diversion allowlist the right way to go about fixing my problem? As I said, I don't use Apple Private Relay, but the Mail Privacy Protection appears to use the same servers.

EDIT: Kicking myself now for not realising this was a firmware problem. It's even mentioned in the change notes! Setting Prevent Client Auto DoH to disabled in the WAN DNS setting should do the trick.
 
Last edited:
Hi

Slowly converting and adjusting my denylists. Report: the sort and verify function doesn't recognize duplicates if line differs at all, like having a suffix comment.

Code:
au.download.windowsupdate.com
au.download.windowsupdate.com ## COMMENT
 
Hi

Slowly converting and adjusting my denylists. Report: the sort and verify function doesn't recognize duplicates if line differs at all, like having a suffix comment.

Code:
au.download.windowsupdate.com
au.download.windowsupdate.com ## COMMENT
It’s not a duplicate line if it differs, that’s how sort works.
You edited the list manually, and Diversion 5.x no longer allows comments in any of the files for simplicity.
 
It’s not a duplicate line if it differs, that’s how sort works.
You edited the list manually, and Diversion 5.x no longer allows comments in any of the files for simplicity.
Sure, but ...

This is the result of the first "verify and sort" step in the Edit Denylist menu, without processing.
Processing all lists then goes to remove the comments in the "denylist" as well, but if it's the "denylist.conf" that actually gets parsed by dnsmasq and diversion, where comments probably aren't even supported anyway and the ladder sign means something else, what's the point of removing the comments in the processed "denylist" as well?

Processing of the lists does this and more, what is the point of a separate pre-verification step then if it's not really needed necessairly? But ofcourse I do understand having extra use-case functionality, nothing wrong, just wondering what was the thinking behind it and perhaps how it could be useful in more use cases or improved.

The process I use right now is(and I'm not claiming I'm some linux expert with hotkeys and work environment all tuned up, I'm super busy with other chores atm and hurrying with this):

  1. 1. Local PC: denylist_description_comments_date_version-num.txt
  2. 2. Upload to Router
  3. 3. Delete "denylist"
  4. 4. Rename Uploaded "denylist_description_comments_date_version-num.txt" to "denylist"
  5. 5. SSH Login to Router, Diversion ...,... "Process All Lists"
  6. 6. SSH Diversion follow DNSMASQ to verify processing
  7. ... rinse repeat

Here's the idea, it would be a killer feature to have a multiple denylist stash saved on the router/jffs/usb-storage, aka profile banks, preloaded versions/editions of denylists, and then be able to switch via SSH which one to load/activate and do other actions. Whitelist stash as well!
Could possibly even be timed let's say "enable this whitelist stash for X minutes or Y hours, and switch back to stash 03", maybe I'm asking for too much, but I wouldn't be surprised if this idea was floated around in the community before, doesn't it make sense?

This was something I had on my mind before the latest NXDOMAIN transition, didn't spoke about it yet until now.

Sometimes I want to just quickly disable/enable a particular domain (to let a specific update through, to get something that requires it) without touching other rules, and doing this process of dealing with upload/download/edit/rename and keep everything organized can become confusing and time consuming.

By the way, wasn't there a "Process Blacklist" previously in older versions, and the equivalent "Process Denylist" isn't there now anymore, not that's it's that of a big deal, just something I noticed.

Thanks
 
Sure, but ...

This is the result of the first "verify and sort" step in the Edit Denylist menu, without processing.
Processing all lists then goes to remove the comments in the "denylist" as well, but if it's the "denylist.conf" that actually gets parsed by dnsmasq and diversion, where comments probably aren't even supported anyway and the ladder sign means something else, what's the point of removing the comments in the processed "denylist" as well?

Processing of the lists does this and more, what is the point of a separate pre-verification step then if it's not really needed necessairly? But ofcourse I do understand having extra use-case functionality, nothing wrong, just wondering what was the thinking behind it and perhaps how it could be useful in more use cases or improved.

The process I use right now is(and I'm not claiming I'm some linux expert with hotkeys and work environment all tuned up, I'm super busy with other chores atm and hurrying with this):

  1. 1. Local PC: denylist_description_comments_date_version-num.txt
  2. 2. Upload to Router
  3. 3. Delete "denylist"
  4. 4. Rename Uploaded "denylist_description_comments_date_version-num.txt" to "denylist"
  5. 5. SSH Login to Router, Diversion ...,... "Process All Lists"
  6. 6. SSH Diversion follow DNSMASQ to verify processing
  7. ... rinse repeat

Here's the idea, it would be a killer feature to have a multiple denylist stash saved on the router/jffs/usb-storage, aka profile banks, preloaded versions/editions of denylists, and then be able to switch via SSH which one to load/activate and do other actions. Whitelist stash as well!
Could possibly even be timed let's say "enable this whitelist stash for X minutes or Y hours, and switch back to stash 03", maybe I'm asking for too much, but I wouldn't be surprised if this idea was floated around in the community before, doesn't it make sense?

This was something I had on my mind before the latest NXDOMAIN transition, didn't spoke about it yet until now.

Sometimes I want to just quickly disable/enable a particular domain (to let a specific update through, to get something that requires it) without touching other rules, and doing this process of dealing with upload/download/edit/rename and keep everything organized can become confusing and time consuming.

By the way, wasn't there a "Process Blacklist" previously in older versions, and the equivalent "Process Denylist" isn't there now anymore, not that's it's that of a big deal, just something I noticed.

Thanks
That‘s a lot of words and ideas. And I have reasons to do as I did and how I handle these lists and what features I am willing to add.
One wants this, the next wants that feature. I cannot satisfy all.

It takes a lot of time and requires recoding a lot to make a simple change in the deny and allow lists. It is as it is and it works AFAIK.
 
the deny list. i want to block some sites for my kids during certain hours of the day. i imagined i could use crontab to modify the denylist and trigger a re process...
I cannot do something like this shell command:
> diversion "el 3"

would the following trigger a re process of the deny/allow lists?
> diversion bu
 
Last edited:
Installed 386.13_0 on AC86U. Every other reboot appear to be back to the prior troubles. Forced diversion 5.1.1 to force update itself, will see how it goes!

Code:
Apr 15 08:30:32 RT-AC86U-9988 dnsmasq[5555]: FAILED to start up
Apr 15 08:30:32 RT-AC86U-9988 dnsmasq[5584]: FAILED to start up
Apr 15 08:30:34 RT-AC86U-9988 dnsmasq[6658]: FAILED to start up
Apr 15 08:30:38 RT-AC86U-9988 dnsmasq[6852]: FAILED to start up
Apr 15 08:30:40 RT-AC86U-9988 dnsmasq[8805]: FAILED to start up
Apr 15 08:30:42 RT-AC86U-9988 dnsmasq[8918]: FAILED to start up
Apr 15 09:03:26 RT-AC86U-9988 dnsmasq[5122]: FAILED to start up
Apr 15 09:03:27 RT-AC86U-9988 dnsmasq[5704]: FAILED to start up
Apr 15 09:03:28 RT-AC86U-9988 dnsmasq[5780]: FAILED to start up
Apr 16 04:06:47 RT-AC86U-9988 dnsmasq[4257]: FAILED to start up
Apr 16 04:06:48 RT-AC86U-9988 dnsmasq[4292]: FAILED to start up
Apr 16 04:06:56 RT-AC86U-9988 dnsmasq[10874]: FAILED to start up
Apr 16 04:06:57 RT-AC86U-9988 dnsmasq[11150]: FAILED to start up
Apr 16 04:11:09 RT-AC86U-9988 dnsmasq[22860]: FAILED to start up
Apr 16 04:11:10 RT-AC86U-9988 dnsmasq[22898]: FAILED to start up
Apr 16 04:11:31 RT-AC86U-9988 dnsmasq[24256]: FAILED to start up
Apr 16 04:11:32 RT-AC86U-9988 dnsmasq[24286]: FAILED to start up
 
Just noticed this...

1713568315865.png


In Options the Blocking list is set to update at 2am every Sunday. Does it update or not? I'm confused.
 
@Rhialto Which list are you using? Does a manual update work? Have you tried swapping to a different one, then swapping back?
 
In Options the Blocking list is set to update at 2am every Sunday. Does it update or not? I'm confused.
I have seen this message posted here multiple times now. Don't know where it comes from but I will investigate.

In any case, re-selecting the list will fix this:
- Using the SSH UI (b, 1): Re-select the Large list
- Using the WebUI (In the Lists tab): Select the Standard blocking list type and click "Save type". Let it do its thing and then come back and select the Large blocking list type. The two steps are necessary as directly selecting the Large type will not offer the Save type option.
 
@Rhialto Which list are you using? Does a manual update work? Have you tried swapping to a different one, then swapping back?
Large list like shown in 1st column in original picture.

There is no manual update button.

1713622844456.png


1713622875744.png
 
- Using the WebUI (In the Lists tab): Select the Standard blocking list type and click "Save type". Let it do its thing and then come back and select the Large blocking list type. The two steps are necessary as directly selecting the Large type will not offer the Save type option.
Great, this has fixed it...

1713623064353.png


Merci! I see Blocked domains count is also much higher now...
 
Diversion 5.1.2 is now available

What's new in this patch update

- Fixes disappearing entries in the hostslist. Please run a manual update in the WebUI or SSH UI to check if this is the case for your installation after updating. Thanks @Rhialto and others for reporting.
- Now shows encountered blocking list update errors in the WebUI.
- A couple of logical corrections.
 
Last edited:
Well, it finally happened - I met a forum member and user of my scripts in real life here in my hometown Lucerne, Switzerland. @visortgw is in town for two days with his charming wife and friends for a trip across part of Europe. Thank you for dinner, I enjoyed the in person exchange after so many years of collaboration and discussions on this board.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top