
Diversion 5.3 - the Router Ad-Blocker, August 11, 2024


Hi, I remember there was word, or I read somewhere, about the possibility of per-client or static lease (MAC?, IP? both?) specific blocklists.

Perhaps the idea was floated by other users before, but does it have a chance of happening anytime soon? It would be really helpful in my case.

Thanks
 
I'm hoping this is the right thread to post this issue I'm trying to get to the bottom of - apologies if it's not. I don't know where else to post it at the moment as I'm still troubleshooting.

I have Diversion 5.2 installed and running on my home router, using the OISD Large blocking list. This is working all well and good.

However, I started noticing that whenever I was remotely connected to the router via OpenVPN whilst out and about, Apple News was not working on any of my devices (both iPhone and MacBook).

As it was clearly linked to being connected to the router via VPN (the second I disconnect from the VPN, Apple News starts working again), I naturally assumed the OISD blocking list might be blocking something necessary for Apple News to work. So I started troubleshooting.

However, I could not find any blocks appearing in the Diversion logs when trying to access Apple News.
Furthermore, devices on the LAN at home, connected directly to the same router, can access Apple News just fine. So I'm really struggling to figure out what might be the issue. Even disabling Diversion entirely doesn't work, as Apple News is still saying it isn't connected to the internet whilst I am using OpenVPN to remotely connect to my ASUS router. So yeah, this is a bit of a head scratcher for me. It seems like it's being connected to the router's VPN that causes Apple News to fail, but the router isn't overtly blocking Apple News that I can see?



As an aside, I noticed whilst troubleshooting this that Diversion does not allow you to use the IP addresses of remotely connected devices to follow its log, even though when you follow the unfiltered log you can see the DNS requests come in from the remote devices (the remote devices connected to the router's OpenVPN server are all in the 10.16.0.0/24 subnet). When I tried to follow the Diversion log for Blocked requests from the 10.16.0.4 IP address, it wouldn't allow it and said this "is not a router address".

Perhaps Diversion's logic could be updated in future to take into account that it is also blocking remote devices connected to the router's VPN servers, and perhaps look up the relevant subnets to allow IPs in those subnets to be followed? Especially as they appear in the unfiltered DNS query log.
 
Diversion 5.3 is now available

What's new

  • Moves Diversion (and uiDivStats) tab(s) to end on LAN WebUI page for routers supporting VLANs (BE9x routers) after a reboot.
  • Corrects screen scrolling issue introduced in firmware 386.14 on AC-x models. Thanks to @dave14305 for finding the simple fix. This fix does not affect the abandoned Asuswrt-Merlin LTS fork by @john9527.
  • Allows following the Dnsmasq log file by VPN device IP when connected through OpenVPN server. Thanks to @JimbobJay for the suggestion.
 
@thelonelycoder

I was staying on version 5.1.1 - everything was rock solid. Last week did an update to entware packages, and got a hardcore dnsmasq issue a couple of days later. Could not fix it with the power off button. Had to fully unplug, and re-plug. That's the same issue we were chasing a while ago:

Code:
dnsmasq[88561]: failed to create listening socket for 192.168.1.1: Address already in use

Now, the question is which of these updated packages messed things up:
Code:
admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/lib/opkg/info# ls -lta |more
drwxr-xr-x    2 admin    root         12288 Aug 26 17:12 .
-rw-rw-rw-    1 admin    root            15 Aug 26 17:12 iftop.list
-rw-rw-rw-    1 admin    root            49 Aug 26 17:12 libedit.list
-rw-rw-rw-    1 admin    root            45 Aug 26 17:12 libopenssl.list
-rw-rw-rw-    1 admin    root            91 Aug 26 17:12 libattr.list
-rw-rw-rw-    1 admin    root            90 Aug 26 17:12 libtirpc.list
-rw-rw-rw-    1 admin    root            64 Aug 26 17:12 ntp-utils.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 unbound-anchor.list
-rw-rw-rw-    1 admin    root            50 Aug 26 17:12 libexpat.list
-rw-rw-rw-    1 admin    root            13 Aug 26 17:12 bind-dig.list
-rw-rw-rw-    1 admin    root            61 Aug 26 17:12 ca-bundle.list
-rw-rw-rw-    1 admin    root            14 Aug 26 17:12 htop.list
-rw-rw-rw-    1 admin    root            45 Aug 26 17:12 findutils.list
-rw-rw-rw-    1 admin    root           288 Aug 26 17:12 libncursesw.list
-rw-rw-rw-    1 admin    root            68 Aug 26 17:12 libevent2-core.list
-rw-rw-rw-    1 admin    root            70 Aug 26 17:12 libjpeg-turbo.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 libopenssl-conf.list
-rw-rw-rw-    1 admin    root            62 Aug 26 17:12 libuv.list
-rw-rw-rw-    1 admin    root           298 Aug 26 17:12 libncurses.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libintl-full.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 entware-release.list
-rw-rw-rw-    1 admin    root           334 Aug 26 17:12 bind-libs.list
-rw-rw-rw-    1 admin    root            58 Aug 26 17:12 libsmartcols.list
-rw-rw-rw-    1 admin    root            46 Aug 26 17:12 libffi.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libuuid.list
-rw-rw-rw-    1 admin    root           398 Aug 26 17:12 libwebp.list
-rw-rw-rw-    1 admin    root            55 Aug 26 17:12 libunbound.list
-rw-rw-rw-    1 admin    root            78 Aug 26 17:12 logrotate.list
-rw-rw-rw-    1 admin    root           247 Aug 26 17:12 nmap.list
-rw-rw-rw-    1 admin    root            93 Aug 26 17:12 libpng.list
-rw-rw-rw-    1 admin    root            76 Aug 26 17:12 libevent2-pthreads.list
-rw-rw-rw-    1 admin    root            58 Aug 26 17:12 libevent2.list
-rw-rw-rw-    1 admin    root            26 Aug 26 17:12 unbound-control.list
-rw-rw-rw-    1 admin    root           114 Aug 26 17:12 ntpd.list
-rw-rw-rw-    1 admin    root            35 Aug 26 17:12 screen.list
-rw-rw-rw-    1 admin    root            57 Aug 26 17:12 libnghttp2.list
-rw-rw-rw-    1 admin    root           169 Aug 26 17:12 unbound-daemon.list
-rw-rw-rw-    1 admin    root            28 Aug 26 17:12 unbound-checkconf.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libcurl.list
-rw-rw-rw-    1 admin    root           546 Aug 26 17:12 glib2.list
-rw-rw-rw-    1 admin    root            73 Aug 26 17:11 diffutils.list
-rw-rw-rw-    1 admin    root            14 Aug 26 17:11 opkg.list
-rw-rw-rw-    1 admin    root           236 Aug 26 17:11 sysstat.list
-rw-rw-rw-    1 admin    root            16 Aug 26 17:11 column.list
-rw-rw-rw-    1 admin    root           494 Aug 26 17:11 terminfo.list
-rw-rw-rw-    1 admin    root          6188 Aug 26 17:11 syslog-ng.list
-rw-r--r--    1 admin    root           349 Jul 18 18:42 entware-release.control
...
 
Has anyone here successfully restricted access for kids' devices via this option:

7. Restricted access for devices (Kids mode)

Attempting to get a couple of devices on restricted access, and only want a few hand-picked sites accessible from the kid's device while keeping the awesome ad-blocking.

Alternative blocklist (Option 5) requires an IP address
Restricted access for devices (Option 7) requires an IP address

Any help is appreciated
 
Alternative blocklist (Option 5) requires an IP address
Restricted access for devices (Option 7) requires an IP address

Any help is appreciated
The IP addr you need is just another addr in your LAN that's reserved and not available for other clients to take via DHCP, so it will be occupied by the new dnsmasq instance. E.g.: your router IP is 192.168.0.1 and in your LAN/DHCP settings you specified 192.168.0.10 as the starting pool addr. Then you can enter any IP between 192.168.0.2 and 192.168.0.9 for the kids mode.
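
The address choice described in the reply above can be checked before it is entered in Option 5 or Option 7. The following is an added example, not part of the original posts and not Diversion's own code; the function names `ip2int` and `check_alt_ip` are hypothetical, and the netmask and pool end address are assumed sample values.

```shell
#!/bin/sh
# Added example; addresses below are constructed sample values.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip2int() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots (input holds only digits and dots)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_alt_ip CANDIDATE ROUTER_IP NETMASK POOL_START POOL_END
# Prints a verdict and returns 0 only if CANDIDATE is a LAN host address
# outside the DHCP pool, i.e. one the extra dnsmasq instance can occupy.
check_alt_ip() {
    cand=$(ip2int "$1") && router=$(ip2int "$2") && mask=$(ip2int "$3") &&
        start=$(ip2int "$4") && end=$(ip2int "$5") ||
        { echo "invalid-address"; return 2; }
    net=$(( router & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ $(( cand & mask )) -ne "$net" ]; then
        echo "outside-lan"; return 1
    fi
    if [ "$cand" -eq "$net" ] || [ "$cand" -eq "$bcast" ]; then
        echo "network-or-broadcast"; return 1
    fi
    if [ "$cand" -eq "$router" ]; then
        echo "router-address"; return 1
    fi
    if [ "$cand" -ge "$start" ] && [ "$cand" -le "$end" ]; then
        echo "inside-dhcp-pool"; return 1
    fi
    echo "ok"
}

# Router and pool start from the reply above; netmask and pool end are assumed.
check_alt_ip 192.168.0.5 192.168.0.1 255.255.255.0 192.168.0.10 192.168.0.254
```

The check only knows the pool boundaries it is given; an address that is manually configured on some other device in the 192.168.0.2 to 192.168.0.9 range still has to be ruled out separately.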
 
