Diversion Diversion - the Router Ad-Blocker

[cmkelley]

Diversion is great for tailing and generating top 10 stats but I want greater retention and to use my lan remote log server gui to more easily search, specifically for checking outbound IP blocks logged by Skynet against the logged dns queries.

I hope someone can answer, is there a way to use the ASUS Remote Log Server feature to send dnsmasq.log in addition to syslog?

I don't think so. I don't think syslogd has that ability. syslog-ng (available thru Entware) does, but the learning curve is steep, and setting it up so it takes over on reboot and the router doesn't clobber it is not automatic. A few of us are mucking around with syslog-ng over in this thread.

 

[Dancing Lemur]

Okay, using .2.1 for the router seemed to work. I was able to access the internet via devices connecting to the repeater. (This did not work when I used .1.100 for the router -- not sure why) The repeater was getting assigned a random .2.x address that was hard to find so I tried statically assigning an address to .2.3 (pixelserv-tls uses .2.2) and that worked (again this wasn't working previously when the router was at .1.1 or .1.100). So now things look like they're working although I want to let it go for a week -- I was seeing reboots with the old repeater. Thanks for your help!

Lemur

When your repeater resets itself, it defaults to 192.168.1.1 or 192.168.0.1. Try setting your Router to a non default IP so that when the repeater defaults, It will not break your main router. 192.168.2.1 should work. I do the same with my main router for this reason. Whenever I reset one of my test routers it defaults to 192.168.1.1 and will therefore not cause havoc in my LAN.

Diversion is not the cause of the odd behavior of your repeater, AFAIK.
Just remember if pixelserv-tls is installed (Diversion Standard uses it) then the reserved IP may change when changing the routers IP. Adjust the IP Pool address range and change the pixelserv-tls IP in Diversion so that it can listen on the new IP.

 

[shark]

Trying to install diversion on a RT-AC68U but i am getting this:

The usb stick is using ext4.

 

[thelonelycoder]

Trying to install diversion on a RT-AC68U but i am getting this:

The usb stick is using ext4.

Re-format the device, an unknown error happened just before the Entware installer started.

 

[shark]

Re-format the device, an unknown error happened just before the Entware installer started.

Made it ext2 but now:

and when trying to install again:

nvm, fixed! It was a faulty usb stick!

 

[GGavan]

Hi @thelonelycoder,

I’m still using HGG 380.65.9 on AC87U and I would like to go back on last version of AB-solution which worked perfectly for me for a long time and many months (or more than a year) without restarts or any intervention need.
Diversion is creating to many memory problems in my case, especially after the upgrade to the last version 4.0.7
Example, now I have many “Failed to create conn_handler thread” and last night durring the weekly hosts refresh I received some errors like ‘Trying to vfree() nonexistent vm area“ then it restarted and now the ads ar back.
Problably there are some incompatibilities between the FW used by me and 4.0.7 (didn’t tried 4.0.6). I think that 4.0.5 worked for me but I used it for a short period.
I have 4.0.5 on AC88U with the same FW version and it seems to work without problems.
So, it is posible for me to go back to AB-solution? If not, at least to go back on diversion 4.0.5 which worked for AC87U if I remember well...

Thank you in advance!
Gabi

 

[Zonkd]

I don't think so. I don't think syslogd has that ability. syslog-ng (available thru Entware) does, but the learning curve is steep, and setting it up so it takes over on reboot and the router doesn't clobber it is not automatic. A few of us are mucking around with syslog-ng over in this thread.

Sounds like the best that can be done is to setup cron to periodically copy the dnsmasq log file to somewhere else for checking when necessary...

 

[Zonkd]

After reading the dnsmasq-man page I still have questions about the proper uses of ds options in Diversion.

Dnsmasq settings:

Option 2. log-async
Is this option useless to us? dnsmasq writes to the dnsmasq.log file. Reading the man it sounds like this option is could only be useful if dnsmasq was writing to the syslog.log file.

Spoiler: log-async man page description

Enable asynchronous logging and optionally set the limit on the number of lines which will be queued by dnsmasq when writing to the syslog is slow. Dnsmasq can log asynchronously: this allows it to continue functioning without being blocked by syslog, and allows syslog to use dnsmasq for DNS queries without risking deadlock. If the queue of log-lines becomes full, dnsmasq will log the overflow, and the number of messages lost. The default queue length is 5, a sane value would be 5-25, and a maximum limit of 100 is imposed. -- Source

Option 3. cache-size
No questions here, I see no reason to adjust cache-size since default 150 should be adequate.

Spoiler: cache-size man page description

Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching. Note: huge cache size impacts performance. -- Source

Option 4. bogus-priv
Is this the ASUS DNS Rebind Protection feature? Or is it unrelated? It sounds like it serves the same function. At the very least, I wonder does enabling bogus-priv conflict with ASUS DNS Rebind Protection? Thinking further maybe this could impact clients not using DHCP which manually configured their DNS to something external eg. 8.8.8.8 ?

Spoiler: bogus-priv man page description

Bogus private reverse lookups. All reverse lookups for private IP ranges which are not found in hosts or the DHCP leases file are answered with no such domain rather than being forwarded upstream. The set of prefixes affected is the list given in RFC6303, for IPv4 and IPv6. -- Source

Option 5. domain-needed
Is there a reason not to enable this? In what situation would you need to send a dns request for a plain name upstream?

Spoiler: domain-needed man page description

Tells dnsmasq to never forward A or AAAA queries for plain names, without dots or domain parts, to upstream nameservers. If the name is not known from hosts or DHCP then a not found answer is returned. -- Source

Option 6. log-queries=extra
Is there a reason that when this is enabled Diversion can't do 2. Unfiltered log extra highlighted when following? It highlights blocked as red, but nothing else.

Spoiler: log-queries man page description

Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument extra is supplied then the log has extra information at the start of each line. This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor. -- Source

 

[elorimer]

Sounds like the best that can be done is to setup cron to periodically copy the dnsmasq log file to somewhere else for checking when necessary

If you are going to throw in the towel, do it over in the syslog-ng thread. There is something over there about setting up the dnsmasq log file as a source included in what syslog-ng does, and also about how you can send it around. Never tried.

 

[Zonkd]

If you are going to throw in the towel, do it over in the syslog-ng thread. There is something over there about setting up the dnsmasq log file as a source included in what syslog-ng does, and also about how you can send it around. Never tried.

Done As mentioned over there I realized the file size would become too large if I did include dnsmasq in syslog.

 

[Dancing Lemur]

I spoke too soon.

The repeater restarts some daemons and gets into a state where it may connect to the router but cannot access the Internet. I can (sometimes) see the repeater on my internal network (using the device discovery tool -- the webpage is not accessible that way) and it remains stuck on 192.168.1.1. Connecting directly to the repeater's SSID lets me see its webpage and system log. I see the following things:

** System log is on "reset time -- i.e. no NTP connection"
** System log has lots of messages like:
*** "dnsmasq-dhcp[529]: DHCP packet received on wl1-vxd which has no address"
*** "kernel: br0: received packet on wl0-vxd with own address as source address"

Previously, the repeater remaining on .1.1 would cause havoc; now at least the router is on 2.1 so things don't go to hell. But the repeater is still not functional. No error messages in the router logs still.

ASUS technical support has never given me an explanation for those messages.

Lemur

Okay, using .2.1 for the router seemed to work. I was able to access the internet via devices connecting to the repeater. (This did not work when I used .1.100 for the router -- not sure why) The repeater was getting assigned a random .2.x address that was hard to find so I tried statically assigning an address to .2.3 (pixelserv-tls uses .2.2) and that worked (again this wasn't working previously when the router was at .1.1 or .1.100). So now things look like they're working although I want to let it go for a week -- I was seeing reboots with the old repeater. Thanks for your help!

Lemur

 

[thelonelycoder]

So, it is posible for me to go back to AB-solution? If not, at least to go back on diversion 4.0.5 which worked for AC87U if I remember well...

No and no.

 

[thelonelycoder]

Option 2. log-async
Is this option useless to us? dnsmasq writes to the dnsmasq.log file. Reading the man it sounds like this option is could only be useful if dnsmasq was writing to the syslog.log file.

Diversion logs the Dnsmasq.logs to the attached USB device. Which can be busy reading/writing other stuff at the same time as Dnsmasq. To give the latter some room to breathe, the log-async is added for this reason.

Option 4. bogus-priv
Is this the ASUS DNS Rebind Protection feature? Or is it unrelated? It sounds like it serves the same function. At the very least, I wonder does enabling bogus-priv conflict with ASUS DNS Rebind Protection? Thinking further maybe this could impact clients not using DHCP which manually configured their DNS to something external eg. 8.8.8.8 ?

I have no idea what Asus uses.

Is there a reason not to enable this? In what situation would you need to send a dns request for a plain name upstream?

That's why the option is there. I also see no reason for an external resolver to look up the IP for a local device.
It's not in the default dnsmasq.conf so this option was added in AB-Solution and now Diversion.

Is there a reason that when this is enabled Diversion can't do 2. Unfiltered log extra highlighted when following? It highlights blocked as red, but nothing else.

That would be a small bug, I'll look into it.

 

[Ken Firch]

Here's an idea...How about an option to pause the blocking for a set about of time. Currently I use Terminus on my iPhone to login and disable blocking, do something on the web that is normally blocked (for some reason the standard file blocks Citi services to pay my Home Depot card), then re-enable blocking afterwards. Yeah, I know, I could whitelist it. But an option to turn blocking off for 60 minutes and automatically turn it back on would be awesome. I searched this thread but didn't find any other request for such, maybe I missed it. Just a thought.

 

[Zonkd]

Here's an idea...How about an option to pause the blocking for a set about of time. Currently I use Terminus on my iPhone to login and disable blocking, do something on the web that is normally blocked (for some reason the standard file blocks Citi services to pay my Home Depot card), then re-enable blocking afterwards. Yeah, I know, I could whitelist it. But an option to turn blocking off for 60 minutes and automatically turn it back on would be awesome. I searched this thread but didn't find any other request for such, maybe I missed it. Just a thought.

Another idea for you, Why not just create a Siri shortcut on your iPhone? Then you can enable/disable Diversion with a voice command rather than relying on a timer.

 

[thelonelycoder]

Another idea for you, Why not just create a Siri shortcut on your iPhone? Then you can enable/disable Diversion with a voice command rather than relying on a timer.

Isn't that possible with the iOS Shortcut app? Run an SSH command like 'diversion disable'?

 

[thelonelycoder]

Here's an idea...How about an option to pause the blocking for a set about of time. Currently I use Terminus on my iPhone to login and disable blocking, do something on the web that is normally blocked (for some reason the standard file blocks Citi services to pay my Home Depot card), then re-enable blocking afterwards. Yeah, I know, I could whitelist it. But an option to turn blocking off for 60 minutes and automatically turn it back on would be awesome. I searched this thread but didn't find any other request for such, maybe I missed it. Just a thought.

Instead of disabling Diversion you could use the fast switch fs option to use a smaller blocking list while doing your thing.
fs can be enabled in b.
Switching between the blocking lists is then as simple as entering this into the SSH terminal:

diversion fs

 

[thelonelycoder]

Another idea for you, Why not just create a Siri shortcut on your iPhone? Then you can enable/disable Diversion with a voice command rather than relying on a timer.

Here's an idea...How about an option to pause the blocking for a set about of time. Currently I use Terminus on my iPhone to login and disable blocking, do something on the web that is normally blocked (for some reason the standard file blocks Citi services to pay my Home Depot card), then re-enable blocking afterwards. Yeah, I know, I could whitelist it. But an option to turn blocking off for 60 minutes and automatically turn it back on would be awesome. I searched this thread but didn't find any other request for such, maybe I missed it. Just a thought.

I just tested it, the iOS Shortcuts app works as expected with Diversion. I should probably throw a set of commands together and make that available for download/install on iOS. Will get to it as soon as I find the time.

 

[martinr]

I just tested it, the iOS Shortcuts app works as expected with Diversion. I should probably throw a set of commands together and make that available for download/install on iOS. Will get to it as soon as I find the time.

I’d be bothered that I’d be driving along the motorway and suddenly find it closed with a 10 mile detour. Saying “damned diversion” little do I realise Siri has just fiddled with the router and turned off Diversion.

 

[thelonelycoder]

I’d be bothered that I’d be driving along the motorway and suddenly find it closed with a 10 mile detour. Saying “damned diversion” little do I realise Siri has just fiddled with the router and turned off Diversion.

You're saying I should rename Diversion to something else, like maybe AB-Solution?
I should have dips on Diversion with a capital D, really.
Or should I regret that moment I had just before falling asleep back then when the word diversion popped into my mind while thinking of a better pronounceable name for AB-Solution. I decided on it right then and there after doing some frantic google searches for that name and found it was not tainted by other apps or software products. Of course I was unable to sleep after that and had to do the renaming on the current development version right then and there. The rest is history.