Diversion Diversion 5.3 - the Router Ad-Blocker, August 11, 2024

[Aziron5]

Hi, I remember there was a word or what I read somewhere on the possibility of per-client or static lease (MAC?, IP? both?) specific blocklists.

Perhaps the idea was floated by other users before, but does it have chances happening anytime soon, it be really helpful in my case.

Thanks

 

[JimbobJay]

I'm hoping this is the right thread to post this issue I'm trying to get to the bottom of - apologies if it's not. I don't know where else to post it at the moment as I'm still troubleshooting.

I have Diversion 5.2 installed and running on my home router, using the OISD Large blocking list. This is working all well and good.

However, I started noticing that whenever I was remotely connected to the router via OpenVPN whilst out and about, Apple News was not working on any of my devices (both iPhone and MacBook).

As it was clearly linked to being connected to the router via VPN (the second I disconnect from the VPN, Apple News starts working again), I naturally assumed the OISD blocking list might be blocking something necessary for Apple News to work. So started troubleshooting.

However, I could not find any blocks appearing in the Diversion logs when trying to access Apple News.
Furthermore, devices on the LAN at home, connected directly to the same router, can access Apple News just fine. So I'm really struggling to figure out what might be the issue. Even disabling Diversion entirely doesn't work, as Apple News is still saying it isn't connected to the internet whilst I am using OpenVPN to remotely connect to my ASUS router. So yeah, this is a bit of a head scratcher for me. It seems like it's being connected to the router's VPN that causes Apple News to fail, but the router isn't overtly blocking Apple News that I can see?



As an aside, I noticed whilst troubleshooting this that Diversion does not allow you to use the IP addresses of remotely connected devices to follow its log, even though when you follow the unfiltered log you can see the DNS requests come in from the remote devices (the remote devices connected to the router's OpenVPN server are all in the 10.16.0.0/24 subnet). When I tried to follow the Diversion log for Blocked requests from the 10.16.0.4 IP address, it wouldn't allow it and said this "is not a router address".

Perhaps Diversion's logic could be updated in future to take into account that it is also blocking remote devices connected to the router's VPN servers, and perhaps lookup the relevant subnet's to allow IP's in those subnet's to be followed? Especially as they appear in the unfiltered DNS query log.

 

[thelonelycoder]

Diversion 5.3 is now available

What's new

• Moves Diversion (and uiDivStats) tab(s) to end on LAN WebUI page for routers supporting VLANs (BE9x routers) after a reboot.
• Corrects screen scrolling issue introduced in firmware 386.14 on AC-x models. Thanks to @dave14305 for finding the simple fix. This fix does not affect the abandoned Asuswrt-Merlin LTS fork by @john9527.
• Allows to follow Dnsmasq log file by VPN device IP when connected through OpenVPN server. Thanks to @JimbobJay for the suggestion.

 

[bibikalka]

@thelonelycoder

I was staying on version 5.1.1 - everything was rock solid. Last week did an update to entware packages, and got a hardcore dnsmasq issue a couple of days later. Could not fix it with the power off button. Had to fully unplug, and re-plug. That's the same issue we were chasing a while ago:

dnsmasq[88561]: failed to create listening socket for 192.168.1.1: Address already in use

Now, the question is which of these updated packages messed things up:

admin@RT-AC86U-9988:/tmp/mnt/ac86u/entware/lib/opkg/info# ls -lta |more
drwxr-xr-x    2 admin    root         12288 Aug 26 17:12 .
-rw-rw-rw-    1 admin    root            15 Aug 26 17:12 iftop.list
-rw-rw-rw-    1 admin    root            49 Aug 26 17:12 libedit.list
-rw-rw-rw-    1 admin    root            45 Aug 26 17:12 libopenssl.list
-rw-rw-rw-    1 admin    root            91 Aug 26 17:12 libattr.list
-rw-rw-rw-    1 admin    root            90 Aug 26 17:12 libtirpc.list
-rw-rw-rw-    1 admin    root            64 Aug 26 17:12 ntp-utils.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 unbound-anchor.list
-rw-rw-rw-    1 admin    root            50 Aug 26 17:12 libexpat.list
-rw-rw-rw-    1 admin    root            13 Aug 26 17:12 bind-dig.list
-rw-rw-rw-    1 admin    root            61 Aug 26 17:12 ca-bundle.list
-rw-rw-rw-    1 admin    root            14 Aug 26 17:12 htop.list
-rw-rw-rw-    1 admin    root            45 Aug 26 17:12 findutils.list
-rw-rw-rw-    1 admin    root           288 Aug 26 17:12 libncursesw.list
-rw-rw-rw-    1 admin    root            68 Aug 26 17:12 libevent2-core.list
-rw-rw-rw-    1 admin    root            70 Aug 26 17:12 libjpeg-turbo.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 libopenssl-conf.list
-rw-rw-rw-    1 admin    root            62 Aug 26 17:12 libuv.list
-rw-rw-rw-    1 admin    root           298 Aug 26 17:12 libncurses.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libintl-full.list
-rw-rw-rw-    1 admin    root            25 Aug 26 17:12 entware-release.list
-rw-rw-rw-    1 admin    root           334 Aug 26 17:12 bind-libs.list
-rw-rw-rw-    1 admin    root            58 Aug 26 17:12 libsmartcols.list
-rw-rw-rw-    1 admin    root            46 Aug 26 17:12 libffi.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libuuid.list
-rw-rw-rw-    1 admin    root           398 Aug 26 17:12 libwebp.list
-rw-rw-rw-    1 admin    root            55 Aug 26 17:12 libunbound.list
-rw-rw-rw-    1 admin    root            78 Aug 26 17:12 logrotate.list
-rw-rw-rw-    1 admin    root           247 Aug 26 17:12 nmap.list
-rw-rw-rw-    1 admin    root            93 Aug 26 17:12 libpng.list
-rw-rw-rw-    1 admin    root            76 Aug 26 17:12 libevent2-pthreads.list
-rw-rw-rw-    1 admin    root            58 Aug 26 17:12 libevent2.list
-rw-rw-rw-    1 admin    root            26 Aug 26 17:12 unbound-control.list
-rw-rw-rw-    1 admin    root           114 Aug 26 17:12 ntpd.list
-rw-rw-rw-    1 admin    root            35 Aug 26 17:12 screen.list
-rw-rw-rw-    1 admin    root            57 Aug 26 17:12 libnghttp2.list
-rw-rw-rw-    1 admin    root           169 Aug 26 17:12 unbound-daemon.list
-rw-rw-rw-    1 admin    root            28 Aug 26 17:12 unbound-checkconf.list
-rw-rw-rw-    1 admin    root            48 Aug 26 17:12 libcurl.list
-rw-rw-rw-    1 admin    root           546 Aug 26 17:12 glib2.list
-rw-rw-rw-    1 admin    root            73 Aug 26 17:11 diffutils.list
-rw-rw-rw-    1 admin    root            14 Aug 26 17:11 opkg.list
-rw-rw-rw-    1 admin    root           236 Aug 26 17:11 sysstat.list
-rw-rw-rw-    1 admin    root            16 Aug 26 17:11 column.list
-rw-rw-rw-    1 admin    root           494 Aug 26 17:11 terminfo.list
-rw-rw-rw-    1 admin    root          6188 Aug 26 17:11 syslog-ng.list
-rw-r--r--    1 admin    root           349 Jul 18 18:42 entware-release.control
...

 

[andyg]

Has anyone here successfully restricted access for kids' devices via this option:

7. Restricted access for devices (Kids mode)

Attempting to get a couple of devices on restricted access, and only want a few hand-picked sites accessible from the kid's device while keeping the awesome ad-blocking.

Alternative blocklist (Option 5) requires an IP address
Restricted access for devices (Option 7) requires an IP address

Any help is appreciated

 

[trixt]

Alternative blocklist (Option 5) requires an IP address
Restricted access for devices (Option 7) requires an IP address

Any help is appreciated

the ip addr you need is just another addr in your lan that's reserved and not available for other clients to take via dhcp, so it will be occupied by new dnsmasq instance. e.g.: you router ip is 192.168.0.1 and in your lan/dhcp settings you specified 192.168.0.10 as starting pool addr. Then you can enter any ip between 192.168.0.2 and 192.168.0.9 for the kids mode.

 

[andyg]

I must be doing something that's causing all devices to lose connection to internet when I enable this for only one kid's device.
@thelonelycoder I followed steps at https://diversion.ch/diversion/manual/exclude-devices-from-ad-blocking.html which appear to be similar to my situation but no luck yet.

 

[bibikalka]

Everything moved to this post here:

Entware - Where is Entware started upon reboot?

Alright, I was chasing the mysterious error I was getting from dnsmasq - link. And it took me down this rabbit hole below. I've taken this from Diversion thread, for better visibility. The story is below. But the key question is where are different Entware related things are launched, given...

www.snbforums.com

 

[mcd]

After getting Diversion set up using Large list, I was able to achieve 93% ad block in test: here.

Zero ads in twitter, instagram, etc. for all users on the network, life was good.

Very next day, 24 hours later, got ads again. OK, I will manually see the few ads passing through and add them.

I tried to manually use el in Diversion, then this happened.

lock file found, basic-menu option sh-hl-process active

What do I do?

 

[thelonelycoder]

View attachment 61760
After getting Diversion set up using Large list, I was able to achieve 93% ad block in test: here.

Zero ads in twitter, instagram, etc. for all users on the network, life was good.

Very next day, 24 hours later, got ads again. OK, I will manually see the few ads passing through and add them.

I tried to manually use el in Diversion, then this happened.

lock file found, basic-menu option sh-hl-process active

What do I do?

Another process is active. That can either be an action you do in the WebUI or in another terminal window.
Close out of both and try again.

 

[mcd]

Another process is active. That can either be an action you do in the WebUI or in another terminal window.
Close out of both and try again.

Okay so: I wasn't logged into the WebUI and SSH simultaneously. Logged out of everything AFAIK. Retried and same error via SSH. Waited 3 hours, still same error. On a whim, I just fired it up and no more errors. I can add some denylist sites manually again. Yay!

That being said, any idea how my Diversion blocking ability nuked everything the first day, and then ads came back after 24 hours?

 

[Kingp1n]

Okay so: I wasn't logged into the WebUI and SSH simultaneously. Logged out of everything AFAIK. Retried and same error via SSH. Waited 3 hours, still same error. On a whim, I just fired it up and no more errors. I can add some denylist sites manually again. Yay!

That being said, any idea how my Diversion blocking ability nuked everything the first day, and then ads came back after 24 hours?

Are you using a USB or SSD? You might have to reset it and reinstall Diversion & restest.

 

[mcd]

Are you using a USB or SSD? You might have to reset it and reinstall Diversion & restest.

I'm using a spare tiny m.2 SSD in a USB enclosure. My old USB got too hot and died months ago.

So I need to uninstall all scripts, disable JFFS, and then wipe the SSD; redo everything again? Is Diversion usually this unstable??

 

[Kingp1n]

I'm using a spare tiny m.2 SSD in a USB enclosure. My old USB got too hot and died months ago.

So I need to uninstall all scripts, disable JFFS, and then wipe the SSD; redo everything again? Is Diversion usually this unstable??

I doubt it has to do with Diversion. I used the latest version of Diversion for months without issues. I do only use the default list. Something probably got corrupt along the way and it's best to start from scratch.... install one script at time i.e Diversion and test it & slowly start adding additional scripts if you use anything else. Best of luck.

 

[mcd]

I doubt it has to do with Diversion. I used the latest version of Diversion for months without issues. I do only use the default list. Something probably got corrupt along the way and it's best to start from scratch.... install one script at time i.e Diversion and test it & slowly start adding additional scripts if you use anything else. Best of luck.

Yeah, I've got a bunch of scripts installed, do you have a recommended order to try them in? Or what scripts are you running currently on your Asus router?

 

[Treadler]

Nothing “unstable” about Diversion……

 

[Kingp1n]

Yeah, I've got a bunch of scripts installed, do you have a recommended order to try them in? Or what scripts are you running currently on your Asus router?

What other scripts are you running? You can see my signature to see my current setup.

 

[Ripshod]

Yeah, I've got a bunch of scripts installed, do you have a recommended order to try them in? Or what scripts are you running currently on your Asus router?

I just install them in the order they appear in the list. Habit more than anything.

 

[mcd]

What other scripts are you running? You can see my signature to see my current setup.

Diversion
Skynet
Scribe
connmon
vnStat
RTMON
scMerlin
spMerlin
uiDivStats
uiScribe
Entware
LED Control

I have tried to reinstall Diversion without nuking the rest of these scripts. I will test again before redoing the entire process... I don't see how any of these would interfere with Diversion...

UPDATE:
Switched to LOCAL list for additional denylist sites:
ad.doubleclick.net
adservice.google.com
browser.sentry-cdn.com
google-analytics.com
pagead2.googlesyndication.com
ssl.google-analytics.com

the above still cannot be blocked, ads are back for network users in Twitter and other social media (they were gone for 24 hours upon first install of diversion).

I'm at a loss. Unsure how to proceed. Test sites like d3ward always show smaximum of 93%, whereas my in-browser yields 99%.

 

[Ripshod]

Factory reset, basic setup, add a swapfile, install Diversion and test.