Diversion Diversion - the Router Ad-Blocker v4.2.x (see new thread for 4.3.x)

[thelonelycoder]

Anywayz, Does Diversion work on firmware as old as 380.70?

Sure does, all functions work on it. One of my RT-AC66U test routers remains in perpetuity on that firmware. The other runs Johns fork.

 

[thelonelycoder]

Yea unfortunately the only way to dnsmasq the type 65 queries without the aid of the firewall is by query type per specific domain. Imagine a lot of domains using query type 65, this is why it was determined iptables are more sufficient.

If Dnsmasq would support wildcards it could have been a more elegant solution.

 

[dacotmeister]

Thanks so much

thelonelycoder​

 

[chongnt]

Type 65 blocking doesn’t appear to be working via IPv6.
Disabled IPv6 on router, type 65 is no more………

Usually I disabled ipv6. I just try enable ipv6 and use Google ipv6 DNS. From tcpdump, I can see both ipv6 source and destination ip. It appears type 65 DNS query has the same hex string. I have yet to configure ip6tables. I wonder why it doesn’t work.

 

[thelonelycoder]

Usually I disabled ipv6. I just try enable ipv6 and use Google ipv6 DNS. From tcpdump, I can see both ipv6 source and destination ip. It appears type 65 DNS query has the same hex string. I have yet to configure ip6tables. I wonder why it doesn’t work.

I only add IPv4 rules, currently. A fix comes as soon as time allows. Are v6 rules in iptables the same as v4?

 

[chongnt]

I only add IPv4 rules, currently. A fix comes as soon as time allows. Are v6 rules in iptables the same as v4?

I am not sure on this. It does not like ipv4 destionation ip $(nvram get lan_ipaddr). I skipped it and try with this ip6tables -I INPUT -p udp --dport 53 -m comment --comment "DNS_Type_65" -m string --hex-string "|0000410001|" --algo bm -j REJECT. It seems type 65 queries are hitting the rules. This may need more testing.

admin@RT-AC86U-DBA8:/jffs/scripts# ip6tables -nvL INPUT | grep 'pkts\|DNS_Type'
 pkts bytes target     prot opt in     out     source               destination         
   30  2693 REJECT     udp      *      *       ::/0                 ::/0                 udp dpt:53 /* DNS_Type_65 */ STRING match  "|0000410001|" ALGO name bm TO 65535 reject-with icmp6-port-unreachable

 

[Mutzli]

Just noticed that the block counter doubles after updating Diversion. It went from 371, 227 to 742,454 blocked domains.

742,454 blocked domains by 7 hosts file(s)

After running a block file update it goes back to normal:

371,227 blocked domains by 7 hosts file(s)

Not really a problem, just have to remember to run a block file update to sort it all out.

 

[thelonelycoder]

I am not sure on this. It does not like ipv4 destionation ip $(nvram get lan_ipaddr). I skipped it and try with this ip6tables -I INPUT -p udp --dport 53 -m comment --comment "DNS_Type_65" -m string --hex-string "|0000410001|" --algo bm -j REJECT. It seems type 65 queries are hitting the rules. This may need more testing.

admin@RT-AC86U-DBA8:/jffs/scripts# ip6tables -nvL INPUT | grep 'pkts\|DNS_Type'
pkts bytes target     prot opt in     out     source               destination        
   30  2693 REJECT     udp      *      *       ::/0                 ::/0                 udp dpt:53 /* DNS_Type_65 */ STRING match  "|0000410001|" ALGO name bm TO 65535 reject-with icmp6-port-unreachable

My best guess from an nvram dump is that the IPv6 LAN address is $(nvram get ipv6_ipaddr).
I cannot test it as I have no IPv6 service through my ISP.

 

[Makaveli]

Cats are so judgemental.

 

[chongnt]

My best guess from an nvram dump is that the IPv6 LAN address is $(nvram get ipv6_ipaddr).
I cannot test it as I have no IPv6 service through my ISP.

I have another brief test. For my environment with PPPoE, I use ipv6 connection type "native". There is no value from nvram get ipv6_ipaddr. From tcpdump, DNS queries destination ipv6 address matches the value from nvram get ipv6_rtr_addr. I add this in ip6tables rules and able to see the counter incrementing when hit. I am not able to test the behavior of other connection type.

 

[thelonelycoder]

I have another brief test. For my environment with PPPoE, I use ipv6 connection type "native". There is no value from nvram get ipv6_ipaddr. From tcpdump, DNS queries destination ipv6 address matches the value from nvram get ipv6_rtr_addr. I add this in ip6tables rules and able to see the counter incrementing when hit. I am not able to test the behavior of other connection type.

I'm adding these two rules for IPv4:

iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

Since I cannot test it, it would be great if you could check that out for me for IPv6 ip6tables. I do not add the comment part in iptables -m comment --comment "DNS_Type_65" as some routers require an extra command to be able add that cosmetic info.

 

[dave14305]

I'm adding these two rules for IPv4:

iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

Since I cannot test it, it would be great if you could check that out for me for IPv6 ip6tables. I do not add the comment part in iptables -m comment --comment "DNS_Type_65" as some routers require an extra command to be able add that cosmetic info.

Is there value to include the router LAN IP in the INPUT chain? At that point we already know the traffic is destined for the router, not the Internet.

 

[thelonelycoder]

Is there value to include the router LAN IP in the INPUT chain? At that point we already know the traffic is destined for the router, not the Internet.

Copy/paste is the reason, as posted multiple times in other threads.

 

[chongnt]

I'm adding these two rules for IPv4:

iptables -I INPUT -p udp --dport 53 -d $(nvram get lan_ipaddr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
iptables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

Since I cannot test it, it would be great if you could check that out for me for IPv6 ip6tables. I do not add the comment part in iptables -m comment --comment "DNS_Type_65" as some routers require an extra command to be able add that cosmetic info.

I able to add these two rules for ipv6. In my environment, all hits happen at INPUT table for both ipv4 and ipv6.

ip6tables -I INPUT -p udp --dport 53 -d $(nvram get ipv6_rtr_addr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
ip6tables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

Perhaps @Treadler can help to test this in your ipv6 environment? Can use

ip6tables -nvL INPUT | grep 'pkts\|0041'
ip6tables -nvL FORWARD | grep 'pkts\|0041'

to check if packet count increases when it hits the rules.

​

 

[Makaveli]

Question folks i've notice as of late i'm getting a high slu count in Pixel serv where I have the ca.crt installed on my main browser on my desktop, also on my Cell phone and all other laptops in the network. However this still seems to be high any suggestions?

No iOS devices on my network except for when the woman is over with her Iphone and that device is not on the network currently.

 

[iTyPsIDg]

Question folks i've notice as of late i'm getting a high slu count in Pixel serv where I have the ca.crt installed on my main browser on my desktop, also on my Cell phone and all other laptops in the network. However this still seems to be high any suggestions?

No iOS devices on my network except for when the woman is over with her Iphone and that device is not on the network currently.

View attachment 42660

Did you see this post? https://www.snbforums.com/threads/diversion-the-router-ad-blocker-v4-2-x-and-4-3-x.74941/post-770509

 

[thelonelycoder]

Is there value to include the router LAN IP in the INPUT chain? At that point we already know the traffic is destined for the router, not the Internet.

As we want to block all type 65 queries to everywhere from within the LAN I see this could be set to anywhere instead of the routers IP address.

 

[thelonelycoder]

I able to add these two rules for ipv6. In my environment, all hits happen at INPUT table for both ipv4 and ipv6.

ip6tables -I INPUT -p udp --dport 53 -d $(nvram get ipv6_rtr_addr) -m string --hex-string "|0000410001|" --algo bm -j REJECT
ip6tables -I FORWARD -p udp --dport 53 -m string --hex-string "|0000410001|" --algo bm -j REJECT

Perhaps @Treadler can help to test this in your ipv6 environment? Can use

ip6tables -nvL INPUT | grep 'pkts\|0041'
ip6tables -nvL FORWARD | grep 'pkts\|0041'

to check if packet count increases when it hits the rules.

​

I'm seeing that the FORWARD rule is never hit, only the INPUT. If I let my iOS army loose I get for example 32000 packets to the INPUT chain while FORWARD has 0.
Just an observation.

 

[Makaveli]

Did you see this post? https://www.snbforums.com/threads/diversion-the-router-ad-blocker-v4-2-x-and-4-3-x.74941/post-770509

yes I have I have updated the Cert on all device recently. And as noted no IOS devices on the network.

 

[chongnt]

I'm seeing that the FORWARD rule is never hit, only the INPUT. If I let my iOS army loose I get for example 32000 packets to the INPUT chain while FORWARD has 0.
Just an observation.

I think I had the ipv4 rule for almost a year now, never see any hit in the Forward rule too.