Diversion Diversion - the Router Ad-Blocker

[GGavan]

No and no.

 

[thelonelycoder]

Yes I’m same as you, I also wouldn’t be worried to allow password authentication for ssh connections inside my trusted LAN especially since webui already allows it anyway. On my workstation I do use key authentication for ssh but I set that up only because I could, to learn how, and I turned off password authentication for ssh simply because I didn’t need it. If there was a compelling use for Siri shortcuts with the router I would allow it.

Honestly key based authentication isn’t any more convenient nor passwordless when you follow the best practice of creating an encrypted key that requires a password to use. That way if .ssh directory gets copied nobody could use it anyway. It was just a learning experience.

Accessing a remote server with key is standard, I would not leave password login enabled on my servers at the hosting center. But that's not what I meant with the Workstation. If it's a Windows or even Linux machine, one logs into it with a username and password, not a key on a USB stick to authenticate. There are exceptions of course. I'm sure RMS uses a similar way to unlock his Laptop.

 

[elradix]

The commands are very limited in Shortcuts. AFAIK there are no direct commands like rm -rf / or such devastating things.
I just use the Diversion commands available with 'diversion help', and maybe extend it for the iOS app use.

I'm using home-assistant to control my router remotely - should work with Alexa/Google Assistant integration as well.
It's just a switch to enable/disable firewall, adbock or vpn.

https://community.home-assistant.io/t/asuswrt-control-your-router-with-custom-switches/82351

 

[thelonelycoder]

Progress my friend.
Apart from that, Diversion uses the exact same hooks to enable ad-blocking as AB-Solution did. A few extra lines in dnsmasq.conf. That's all. I see no reason why Diversion would be different in any way than its predecessor was.

 

[thelonelycoder]

I'm using home-assistant to control my router remotely - should work with Alexa/Google Assistant integration as well.
It's just a switch to enable/disable firewall, adbock or vpn.



View attachment 16268
https://community.home-assistant.io/t/asuswrt-control-your-router-with-custom-switches/82351

That involves a Giant I would not trust in my home. Certainly not when listening for voice commands. Siri is deactivated on all devices I have.

 

[elradix]

That involves a Giant I would not trust in my home. Certainly not when listening for voice commands. Siri is deactivated on all devices I have.

As I said should work.... I'm not using it for voice

Just a simple local web interface to simply activate/de-activate switches together with other smarthome switches

 

[Zonkd]

@thelonelycoder thanks entirely to your Diversion script I noticed a Mac was frequently contacting strange domains never before seen on the internet. It turned out to be very very infected with malware. No wonder it had slowed down. As I always say Macs are not immune if you’re reckless. The kid had installed python wine mono, then adobe flash-player stupid auto-clickers pirated-rom-emulators and other random pointless things which resided in a ton of buried clearly maliciously named directories (getfukt) and processes running at boot-time which refuse to be killed. They had tried and failed to secretly remove the viruses by themself.

So thank you Diversion, along with Skynet for its logs and IP blocking.

 

[Zonkd]

Accessing a remote server with key is standard, I would not leave password login enabled on my servers at the hosting center. But that's not what I meant with the Workstation. If it's a Windows or even Linux machine, one logs into it with a username and password, not a key on a USB stick to authenticate. There are exceptions of course. I'm sure RMS uses a similar way to unlock his Laptop.

Oh sorry I misunderstood you, I thought you asked if I login to the router from my workstation with a key. No I don’t login to my workstation with a physical key such as Yubikey or similar. I use password and also have fingerprint reader.

 

[thelonelycoder]

@thelonelycoder, thought you may find this interesting:
Chrome API update will kill a bunch of other extensions, not just ad blockers
https://www.zdnet.com/article/chrom...nch-of-other-extensions-not-just-ad-blockers/

Looks like Google based that decision on assumptions instead of facts. They just dropped that API update:
https://www.zdnet.com/article/googl...cations-that-would-have-crippled-ad-blockers/

 

[martinr]

@thelonelycoder thanks entirely to your Diversion script I noticed a Mac was frequently contacting strange domains never before seen on the internet. It turned out to be very very infected with malware. No wonder it had slowed down. As I always say Macs are not immune if you’re reckless. The kid had installed python wine mono, then adobe flash-player stupid auto-clickers pirated-rom-emulators and other random pointless things which resided in a ton of buried clearly maliciously named directories (getfukt) and processes running at boot-time which refuse to be killed. They had tried and failed to secretly remove the viruses by themself.

So thank you Diversion, along with Skynet for its logs and IP blocking.

Wow. Proof that Macs do indeed need anti-virus. You’ve prompted me to properly explore the logging facilities.

You wrote, “I noticed a Mac was frequently contacting strange domains never before seen on the internet.” Was the malware actually making contact or was the request being intercepted thanks to the blocklist?

 

[cmkelley]

Accessing a remote server with key is standard, I would not leave password login enabled on my servers at the hosting center. But that's not what I meant with the Workstation. If it's a Windows or even Linux machine, one logs into it with a username and password, not a key on a USB stick to authenticate. There are exceptions of course. I'm sure RMS uses a similar way to unlock his Laptop.

Last time I worked with NASA folks, they had to insert their common access card into a card reader on their laptops, and supply a username/password combination in order to log in.

 

[Zonkd]

Wow. Proof that Macs do indeed need anti-virus. You’ve prompted me to properly explore the logging facilities.

You wrote, “I noticed a Mac was frequently contacting strange domains never before seen on the internet.” Was the malware actually making contact or was the request being intercepted thanks to the blocklist?

In my opinion you generally do not need antivirus software installed on MacOS, there are plenty of better ways and firewall softwares to lock down MacOS and enhance security.

It was making contact with the domains freely. I manually blacklisted them. I was just lucky they contacted frequently enough to appear in the stats and get my attention.

 

[martinr]

In my opinion you generally do not need antivirus software installed on MacOS, there are plenty of better ways and firewall softwares to lock down MacOS and enhance security.

It was making contact with the domains freely. I manually blacklisted them. I was just lucky they contacted frequently enough to appear in the stats and get my attention.

Many thanks. Yes, I see: you were indeed lucky to spot them, having, myself, seen how quickly such log entries can flash by. And all the more credit that you investigated and didn’t merely assume that, because they didn’t get blocked, they must be benign and non-malicious.

“there are plenty of better ways and firewall softwares to lock down macOS and enhance security.” eg not letting your kids within a mile of them?

 

[GGavan]

Progress my friend.
Apart from that, Diversion uses the exact same hooks to enable ad-blocking as AB-Solution did. A few extra lines in dnsmasq.conf. That's all. I see no reason why Diversion would be different in any way than its predecessor was.

Yes, dnsmasq seems to create problem on 4.0.7 probably from higher resources need. I created SWAP. I hope that now, it will work. Never needed SWAP before (from AB-Solution until Diversion 4.0.5)
If it is still creating problems I will migrate the version 4.0.5 from other router AC88U which is not updated yet to 4.0.7
Thank you anyway for your work!

 

[Zonkd]

Many thanks. Yes, I see: you were indeed lucky to spot them, having, myself, seen how quickly such log entries can flash by. And all the more credit that you investigated and didn’t merely assume that, because they didn’t get blocked, they must be benign and non-malicious.

“there are plenty of better ways and firewall softwares to lock down macOS and enhance security.” eg not letting your kids within a mile of them?

Haha but nooooo, far better that (young) people use computers as often as possible to get experience... only so long as they’re prepared to learn how to keep safe. Yes it might be frustrating. The time to remove network access is when they protest and refuse to listen and learn or change their behaviors. Some people genuinely do not care or comprehend consequences. I recall one person wishing to ignore numerous antivirus scan results and keep a half dozen detected malwares on their PC because they “have everything set up the way they like it”. Unacceptable considering it was used to work at home after-hours on spreadsheets for a large business.

 

[sentinelvdx]

Hi,

I'm getting today this error when trying to access diversion.
Strange because everything was working just perfect, and amtm as well as diversion are up to date

Update: I've pasted the install command for diversion and now I can access it but pixelserv-tls now is not starting up at all.

Sent from S.G. S9+ Duos

 

[Mutzli]

Hi,

I'm getting today this error when trying to access diversion.
Strange because everything was working just perfect, and amtm as well as diversion are up to date

Sent from S.G. S9+ Duos

Did you do a disk check on your USB drive? Looks like something is corrupted. If there is nothing wrong with the file system try to reinstall diversion again.

 

[L&LD]

Did you try rebooting the router via the GUI? How about a hard reboot (pull the power plug and wait a few minutes before plugging it back in).

 

[dvaz]

Hi, reading thru the FAQ, there seems to be conflicting info?

In question 4)

• Diversion is installed and I still see ads, it says at the end that "Ad-blocking WILL NOT work when your device uses an upstream DNS Server, like Google's 8.8.8.8 or 8.8.4.4"

But in question 0)

• How to use an upstream DNS Server like 8.8.8.8 from Google, it says that you CAN use google DNS and still get Adblock.

Kinda confused, not sure which one to set ( leave WAN / DNS Blank or use custom DNS. )

Thanks!

 

[martinr]

Hi, reading thru the FAQ, there seems to be conflicting info?

In question 4)

• Diversion is installed and I still see ads, it says at the end that "Ad-blocking WILL NOT work when your device uses an upstream DNS Server, like Google's 8.8.8.8 or 8.8.4.4"

But in question 0)

• How to use an upstream DNS Server like 8.8.8.8 from Google, it says that you CAN use google DNS and still get Adblock.

Kinda confused, not sure which one to set ( leave WAN / DNS Blank or use custom DNS. )

Thanks!

In the LAN section you should set DNS Filtering to On and the Router as the Global Filter. That way, it doesn’t matter what the devices’ DNS settings are: such settings will be overridden and the device will be forced to go to the router to find out which DNS server it is to use. That way the device is also forced to have all its DNS requests “vetted” by Diversion.