Diversion Diversion - the Router Ad-Blocker v4.2.x (see new thread for 4.3.x)

[thelonelycoder]

@thelonelycoder
Is it possible to enable pixelservr filter only devices that have the certificate installed and the rest with 0.0.0.0? Would nice to have the function and GUI that select the device to filter with. At least could target the device that we could get the benefit of faster web browsing and 1 pixel feature.

Diversion is extremely configurable, I would venture so far as to stating that there's no other Router based DNS Ad-Blocker as versatile as mine.
And you are correct in assuming that such a two tier blocking approach could be possible in Diversion.
The ground work certainly has been done and it's all there to make this work - with some brainstorming, keyboard time and actual free time availability (meaning I would have to have a good reason to invest time into it) I could tie it all together.

You or anyone else interested in this feature give me good reason(s) to sit down and do it.
The feature request is for Diversion standard to divert certain clients to use the NULL IPv4 blocking addresses - and IPv6 equivalent if so configured - instead of the regular pixelserv-tls IP.

 

[SomeWhereOverTheRainBow]

What useful thing would this accomplish? It would just slow the other devices down.

Use dns filter or Yazfi guest networks to send these Chatty clients to a different dns service than the one pixelservtls is on. Or simply define a secondary block file that uses a much smaller blocklist than the main. Diversion has the functionality to setup two separate blocking instances, you just simply point these Chatty clients that do not use pixelserv tls certificates to use the secondary block list using the webui dnsfilter. I wonder if @thelonelycoder could bake in a method to modify the type of blocking the secondary list uses, for example such as 0.0.0.0 while the other uses pixelserv tls.

 

[elorimer]

Use dns filter or Yazfi guest networks to send these Chatty clients to a different dns service than the one pixelservtls is on.

You mean an ip address, don't you? The blocked clients aren't going to a dns.

But I still don't see the advantage. It's not like pixelserv is groaning under a load. My average processing time is still 54 ms, and that is with one request taking 5 seconds.

 

[thelonelycoder]

The iOS Shortcuts app for Diversion v1.4 is now available. See this post for what's new.

Edit: Unfortunately, this needs an unreleased Diversion update to work, ignore this post.

 

[iTyPsIDg]

Thanks for asking this question. It prompted me to look into my own environment. I discovered that I could import the certificate to my FireTV (which I finally did), I forgot to enable trust explicitly on my iOS devices, and I had the wrong (old) certificate on a few devices.

I'll have to wait a while to see if things are better. This is my output immediately after those changes:

slh    5650    # of accepted HTTPS requests
slm    993     # of rejected HTTPS requests (missing certificate)
sle    0       # of rejected HTTPS requests (certificate available but not usable)
slc    2005    # of dropped HTTPS requests (client disconnect without sending any request)
slu    2966283 # of dropped HTTPS requests (other TLS handshake errors)

Update post after making the above changes and upgrading to 386.7:

slh	16688	# of accepted HTTPS requests
slm	92	# of rejected HTTPS requests (missing certificate)
sle	0	# of rejected HTTPS requests (certificate available but not usable)
slc	311	# of dropped HTTPS requests (client disconnect without sending any request)
slu	6508	# of dropped HTTPS requests (other TLS handshake errors)

This looks like a significant improvement.

 

[SomeWhereOverTheRainBow]

Update post after making the above changes and upgrading to 386.7:

slh	16688	# of accepted HTTPS requests
slm	92	# of rejected HTTPS requests (missing certificate)
sle	0	# of rejected HTTPS requests (certificate available but not usable)
slc	311	# of dropped HTTPS requests (client disconnect without sending any request)
slu	6508	# of dropped HTTPS requests (other TLS handshake errors)

This looks like a significant improvement.

You should see some of the improvements when you use your pixelserv-tls on like an RPI, using diversions lan based blocking method. @thelonelycoder can fill you in, but from my experience with it, it eliminates the possibility of the middle box instigating problems..

 

[thelonelycoder]

Diversion 4.3.0 is now available

What's new
- All WebUI external links now use the https protocol, thanks to @kernol.
- Asuswrt-Merlin 386.7 Dropbear $PATH change compatibility fixes.
- Now uses https for new Entware installation downloads, thanks to GitHub user ar3thien.
- Fixes openssl issue with pixelserv-tls certificate creation.
- Diversion iOS Shurtcuts app compatibility fixes.
- Fixes coding error that set wrong ptr-record values for Dnsmasq when IPv6 service is disabled.

The iOS Diversion Shortcuts app v1.4 is now also available for this Diversion release.

How to update Diversion
Use u or the WebUI function to update to this latest version.

 

[Smokey613]

Will this new version remain compatible with 386.5_2 ?

 

[dave14305]

The Boss is back!

- Fixes coding error that set wrong ptr-record values for Dnsmasq when IPv6 service is disabled.

Nerds want to know what this was about. I didn’t detect any related change in post-conf.div.

 

[SomeWhereOverTheRainBow]

The Boss is back!


Nerds want to know what this was about. I didn’t detect any related change in post-conf.div.

yep, I definitely was curious about this as well because I don't ever recall this being the case when using Diversion. Maybe it was in regards to using the fabled secondary block list.

 

[thelonelycoder]

Will this new version remain compatible with 386.5_2 ?

It runs great on one of my test routers running firmware 380.70.

 

[thelonelycoder]

The Boss is back!


Nerds want to know what this was about. I didn’t detect any related change in post-conf.div.

Nerd hour:

[[ "$brackets" -gt "1" ]] && badcode=1 || badcode=0

 

[underdose]

Release date in the installer needs an update too @thelonelycoder

Diversion 4.3.0 is now available!
Released on: February 12 2022

Thanks for your hard work.

 

[thelonelycoder]

Release date in the installer needs an update too @thelonelycoder

Thanks, updated the update info file.

 

[wbennett77]

Good day! Just wondering if there is any performance difference between using a USB2 and USB3 drive?
Thanks!

 

[L&LD]

You can search for a lot more responses to this question, but the answer is no. A USB 2.0 drive or a USB 3.0 drive used in USB 2.0 mode or USB 3.0 mode offers the same performance. Once all scripts and the swap file have been created and installed.

What is recommended though is using a small/cheap/cheerful M.2 SSD in an inexpensive (UGreen) enclosure.

Not so much for the speed, but rather the reliability of the better flash used in the SSD.

 

[Ellenswamy]

How do you configure diversion with unbound? I am using AdGuard and haven’t used diversion in awhile, and want to tinker.

also before i was having an issue with diversion not blocking https quires, is this still an issue?

 

[thelonelycoder]

How do you configure diversion with unbound? I am using AdGuard and haven’t used diversion in awhile, and want to tinker.

They don't work well together, Diversion uses Dnsmasq to block which Unbound replaces for queries.
Edit: I wanted to say that using both Diversion and Unbound blocker don‘t work well together

also before i was having an issue with diversion not blocking https quires, is this still an issue?

Diversion always blocks http and https queries for Domains that are in the blocking and blacklist. As long as clients use the routers Dnsmasq and not somehow circumvent it - deliberately or not.

 

[elorimer]

They don't work well together, Diversion uses Dnsmasq to block which Unbound replaces for queries.

Really? I'll guess I'll have to look at this. I'm using both and they seem to be doing fine.

 

[thelonelycoder]

Really? I'll guess I'll have to look at this. I'm using both and they seem to be doing fine.

Yeah, I wanted to say that using both Diversion and Unbound blocker don‘t work well together.
Thanks.