Diversion/Pixelserv: Just installed, but no adblocking at all

gnoe

Occasional Visitor
Hi all,

I recently replaced my old n66u (always used Merlin FW) with the ac86u, primarily to continue Merlin support/updates, have better VPN speeds AND to enjoy good router level adblocking!

A few months ago I installed Entware/Diversion/Pixelserv on the n66u without a hassle and was impressed by the effective adblocking. After running the new AC86u for 2 weeks very stable and permanently connected to the VPN provider, I'd like to install again Entware/Diversion/Pixelserv. And try Skynet as well :)

So, I installed AMTM and successfully used it to install entware, diversion and pixelserv, on an Ext2 formatted USB 3.0 thumbdrive partition. All seemed to install fine, without error messages. However, Ads are not blocked in my network and the servstats webpage of Pixelserv shows almost no statistics. Only the 2 upper sections have some counts and a f5 refresh of this page adds 1 to this line:
req 7 total # of requests (HTTP, HTTPS, success, failure etc)

I have no clue what the problem may be and where to look at. Some additional info:

* I have manual DNS's installed (Comodo DNS) in WAN settings
* The 'Accept DNS Configuration' parameter of the VPN client is set to 'Strict'
* AIProtection is enabled, so traffic is inspected by Trendmicro service. I don't know if this interferes with Diversion/Pixelserv?
* ipleak.net shows my VPN IP and only VPN DNS, so no leakage (except the devices excluded from the VPN tunnel obviously)

Any help is very appreciated!
 
* AIProtection is enabled, so traffic is inspected by Trendmicro service. I don't know if this interferes with Diversion/Pixelserv?
There's your problem. Trendmicro does the DNS resolving for you instead of the local Dnsmasq, effectively outmaneuvering Diversion.
 
There's your problem. Trendmicro does the DNS resolving for you instead of the local Dnsmasq, effectively outmaneuvering Diversion.

Wow, thanks for your quick and helpful reply! I did suspect (parts of) AIProtection, hence my question mark above, but meant to understand after reading some topics here that it could coexist. Merlin even recommended enabling it (though did not mention adblocking in this context).

Well, I played with the settings of AIProtection. It has 3 options that can be en-/disabled:

1) Network Protection (which has 3 subs: Malicious sites blocking, 2-way IPS and Infected Device protection/blocking)
2) Parental controls
3) DNS filter

I had option 1&3 enabled and after disabling both, the Ads were effectively blocked in my network now. As I have the impression that option 1 is not for the primary DNS resolving, I suspected option 3 to cause the troubles (I had Comodo Secure DNS active here).
So I enabled option 1 again (with all 3 subs) and ads still seem to be blocked.

Can anyone confirm that only the DNS filter option causes the troubles and option 1 can remain enabled?
 
Just for clarification, DNSFilter isn't part of the Trend Micro engine (it's my own implementation). To avoid any confusion, I've moved that page in 384.7.
 
Just for clarification, DNSFilter isn't part of the Trend Micro engine (it's my own implementation). To avoid any confusion, I've moved that page in 384.7.

Good move to move; indeed it looked like an AIProtection feature but now I understand it isn't :). Because it was placed a bit hidden in that last tab, I had forgotten it was enabled. I'd expect this somewhere in the WAN section.
And maybe good to add a note that this DNSFilter bites with Diversion/Pixelserv?
 
I have tried to exclude some clients from Diversion by following the faq in

https://www.ab-solution.info/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

It works such that the added clients are not subjected to internal dns for ad screening. However I noticed all clients are allowed to resolve by external dns (1.1.1.1 in my case) when I added and removed only some clients from DNS filter.

Any advice and help is welcome.
 
I have tried to exclude some clients from Diversion by following the faq in

https://www.ab-solution.info/faq-reader/how-to-exclude-a-client-from-ad-blocking.html

It works such that the added clients are not subjected to internal dns for ad screening. However I noticed all clients are allowed to resolve by external dns (1.1.1.1 in my case) when I added and removed only some clients from DNS filter.

Any advice and help is welcome.
Just to add: My router ac88u is installed with merlin firmware 384.6 and the lately updated Diversion.
 
That seems out of place in router firmware like Asuswrt-Merlin. Maybe @thelonelycoder can add a check in Diversion to warn a user when DNSFilter is active?
AB-Solution has this built in in the router check rc function. I did not port it over to Diversion for lack of time.
 
It should be ok to enable DNS Filter "Router" mode and use Skynet/Diversion? Since it wouldn't be bypassing router dnsmasq and it would be forcing clients to use it.

Yes, Diversion/pixelserv-tls/Skynet are all utilized for all connected clients when the DNSFilter is set to "Router." Just make sure to clear out the "Custom DNS" boxes and you should be good to go. You can whitelist individual MAC addresses for clients you wish to exclude.
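
An added example, not part of any post in this thread: one way to audit the point discussed above, that ad blocking only works for clients whose DNS queries reach the router's own resolver. The function reads `iptables-save`-style NAT rules and reports, per client MAC, whether port 53 traffic is sent to the router, sent to an external server, or left alone. The chain name `LAN_DNS`, the MAC addresses and the addresses in the sample are constructed for illustration and are not taken from the firmware.

```shell
#!/bin/sh
# Added example. Reads iptables-save style nat rules on stdin and reports,
# per client MAC, where LAN DNS queries (port 53) end up. IPv4 only.
# Assumes the built-in chain that matches --dport 53 is listed before the
# user chain it jumps to, which is the order iptables-save prints them in.
classify_dns_redirects() {   # $1 = router LAN IP
    awk -v router="$1" '
    $1 != "-A" { next }
    {
        chain = $2; target = ""; dest = ""; mac = "any"; dns = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport" && $(i + 1) == "53") dns = 1
            if ($i == "-j") target = $(i + 1)
            if ($i == "--to-destination") dest = $(i + 1)
            if ($i == "--mac-source") mac = $(i + 1)
        }
        # Only rules that match DNS, or sit in a chain reached from one.
        if (!dns && !(chain in dnschain)) next
        sub(/:[0-9]+$/, "", dest)            # drop an optional :port suffix
        if (target == "DNAT") verdict = (dest == router) ? "router" : "external"
        else if (target == "REDIRECT") { verdict = "router"; dest = router }
        else if (target == "RETURN" || target == "ACCEPT") { verdict = "unfiltered"; dest = "-" }
        else { dnschain[target] = 1; next }  # jump into a user chain
        print mac, verdict, dest
    }'
}

# Number of rules that let DNS skip the router's resolver.
count_dns_bypasses() {       # $1 = router LAN IP
    classify_dns_redirects "$1" | awk '$2 != "router" { n++ } END { print n + 0 }'
}

# Constructed sample rules (hypothetical chain name and addresses).
sample_rules() {
cat <<'EOF'
*nat
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j LAN_DNS
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j LAN_DNS
-A LAN_DNS -m mac --mac-source AA:BB:CC:00:00:01 -j DNAT --to-destination 1.1.1.1
-A LAN_DNS -m mac --mac-source AA:BB:CC:00:00:02 -j RETURN
-A LAN_DNS -j DNAT --to-destination 192.168.1.1
COMMIT
EOF
}

sample_rules | classify_dns_redirects 192.168.1.1
```

On a live router the input would come from `iptables-save -t nat` instead of `sample_rules`; any line not marked `router` is a client whose queries never pass through the local ad-blocking resolver.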
 
Yes, Diversion/pixelserv-tls/Skynet are all utilized for all connected clients when the DNSFilter is set to "Router." Just make sure to clear out the "Custom DNS" boxes and you should be good to go. You can whitelist individual MAC addresses for clients you wish to exclude.

Thanks, since you know this, would you know if it can also be said for the DNSCrypt package? I’m keen to use DNSFilter Router to prevent any local queries being sent upstream.
 
Thanks, since you know this, would you know if it can also be said for the DNSCrypt package? I’m keen to use DNSFilter Router to prevent any local queries being sent upstream.

Yes, dnscrypt is also utilized for all clients when the DNSFilter is set to "Router." I actually was going to include dnscrypt in my original reply but figured it was out of the scope of your question. If you need any clients to utilize their own dns, or any other separate dns for whatever reason, whitelist their MAC's and fill in the custom dns boxes.
 
Thanks for the reply, great to hear dnsfilter “router” isn’t overridden by any of the packages incl dnscrypt, I’ll keep dnsfilter enabled!
Yes, dnscrypt is also utilized for all clients when the DNSFilter is set to "Router." I actually was going to include dnscrypt in my original reply but figured it was out of the scope of your question. If you need any clients to utilize their own dns, or any other separate dns for whatever reason, whitelist their MAC's and fill in the custom dns boxes.
 
Thanks for the reply, great to hear dnsfilter “router” isn’t overridden by any of the packages incl dnscrypt, I’ll keep dnsfilter enabled!
Technically, if the client has dnscrypt installed (my Android phone has), it is very difficult to stop it from working, since you would have to block by iptables every known dnscrypt server.
 
Dnscrypt is running directly on the router not the host devices
Technically, if the client has dnscrypt installed (my Android phone has), it is very difficult to stop it from working, since you would have to block by iptables every known dnscrypt server.
 
