Diversion Diversion - the Router Ad-Blocker

[cmkelley]

By default we get a large Entware filesystem that will not have a full check until the twentieth boot (check tune2fs). When that full check happens, users do not know what has happened to the router after the reboot. What is the absolute worst thing you can do to a filesystem? Yes, power cycle during an fsck. But that is what the default leads to.

So my suggestion is to make a 3 GB Entware filesystem which always gets full checked and does so within a few seconds. Disable automatic e2fsck on the filesystem(s) which use the rest of the USB drive space.

Meh, I just use the disk check script provided by amtm, so it gets checked every boot. I've never had it be an issue with ext4 w/journaling - yes, sometimes it has to recover from the journal, but I've never experienced any delays in the router rebooting.

Different strokes I guess.

 

[EmeraldDeer]

The amtm disk check runs every boot, but by default will do 19 superficial checks on reboot but a full check the twentieth boot.

 

[L&LD]

The amtm disk check runs every boot, but by default will do 19 superficial checks on reboot but a full check the twentieth boot.

Isn't that still better than 19 non-checks and a full check on the twentieth boot?

 

[sentinelvdx]

You gotta love fd amtm The only remaining issue is sometimes amtm can’t format due to resource busy error and tells user to fix it It happened to me recently. Instead of trying to manually find and kill the processes utilising the disk, the easiest brute-force solution I found is to unmount from the web GUI, follow wiki guide to zero the disk, reboot router, then amtm fd will work!

That's what I did. Unmounted the USB drive from WebGUI and then applied fd. I was unable to find and kill the process haha

 

[Zonkd]

That's what I did. Unmounted the USB drive from WebGUI and then applied fd. I was unable to find and kill the process haha

Niiiiice! I recently edited the wiki guide to include this workaround. Maybe lonelycoder will edit his script to include the option.

 

[thelonelycoder]

Niiiiice! I recently edited the wiki guide to include this workaround. Maybe lonelycoder will edit his script to include the option.

I’ll add a note to the pre- install screen.

 

[Xentrk]

Is there any value in starting a similar commonly whitelisted Domains list for Diversion uses? The AsusWRT Merlin wiki would probably be the best location as I believe anyone can make updates to the wiki.

https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212

 

[Zonkd]

I’ll add a note to the pre- install screen.

Sounds good To anyone searching the forum for help with this, here is the link for your convenience. It may break if the wiki header is changed by someone.

 

[Adamm]

Is there any value in starting a similar commonly whitelisted Domains list for Diversion uses? The AsusWRT Merlin wiki would probably be the best location as I believe anyone can make updates to the wiki.

https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212

Efforts are better spend contacting the list maintainers imo (most use the git issue tracker for this). Everyone's opinion of a common domain differs, better to target the issue at the source.

 

[spiff72]

Hello all - just installed Diversion this weekend, and just had a question about the pixelserv-tls options. I see some info about adding a certificate for this, but I am not clear how that works or what it is for. When I go to 192.168.1.5/servstats I get the following:
(the section about HTTPS requests is the part I wonder is problematic)

pixelserv-tls 2.2.0 (compiled: Dec 9 2018 14:17:29 flags: no_tls1_3) options: 192.168.1.5

uts    1d 10:54    process uptime
log    1    critical (0) error (1) warning (2) notice (3) info (4) debug (5)
kcc    2    number of active service threads
kmx    35    maximum number of service threads
kvg    1.00    average number of requests per service thread
krq    75    max number of requests by one service thread
req    44611    total # of requests (HTTP, HTTPS, success, failure etc)
avg    5955 bytes    average size of requests
rmx    81392 bytes    largest size of request(s)
tav    13 ms    average processing time (per request)
tmx    116 ms    longest processing time (per request)
slh    26    # of accepted HTTPS requests
slm    131    # of rejected HTTPS requests (missing certificate)
sle    0    # of rejected HTTPS requests (certificate available but not usable)
slc    9052    # of dropped HTTPS requests (client disconnect without sending any request)
slu    35212    # of dropped HTTPS requests (other TLS handshake errors)
v13    0    slh/slc break-down: TLS 1.3
v12    26    slh/slc break-down: TLS 1.2
v10    0    slh/slc break-down: TLS 1.0
uca    124    slu break-down: # of unknown CA reported by clients
ucb    0    slu break-down: # of bad certificate reported by clients
uce    29743    slu break-down: # of unknown cert reported by clients
ush    4809    slu break-down: # of shutdown by clients after ServerHello
sct    50    cert cache: # of certs in cache
sch    43532    cert cache: # of reuses of cached certs
scm    154    cert cache: # of misses to find a cert in cache
scp    141    cert cache: # of purges to give room for a new cert
sst    0    sess cache: # of cached TLS sessions (for older non-RFC5077 clients)
ssh    528    sess cache: # of reuses of cached TLS sessions
ssm    2677    sess cache: # of misses to find a TLS session in cache
ssp    0    sess cache: # of purges to give room for a new TLS session
nfe    114    # of GET requests for server-side scripting
gif    0    # of GET requests for GIF
ico    0    # of GET requests for ICO
txt    3    # of GET requests for Javascripts
jpg    0    # of GET requests for JPG
png    0    # of GET requests for PNG
swf    0    # of GET requests for SWF
sta    3    # of GET requests for HTML stats
stt    0    # of GET requests for plain text stats
ufe    2    # of GET requests /w unknown file extension
opt    0    # of OPTIONS requests
pst    88    # of POST requests
hed    0    # of HEAD requests (HTTP 501 response)
rdr    0    # of GET requests resulted in REDIRECT response
nou    0    # of GET requests /w empty URL
pth    0    # of GET requests /w malformed URL
204    0    # of GET requests (HTTP 204 response)
bad    1    # of unknown HTTP requests (HTTP 501 response)
tmo    2    # of timeout requests (client connect w/o sending a request in 'select_timeout' secs)
cls    9056    # of dropped requests (client disconnect without sending any request)
cly    0    # of dropped requests (client disconnect before response sent)
clt    0    # of dropped requests (reached maximum service threads)
err    0    # of dropped requests (unknown reason)

 

[Butterfly Bones]

Hello all - just installed Diversion this weekend, and just had a question about the pixelserv-tls options. I see some info about adding a certificate for this, but I am not clear how that works or what it is for. When I go to 192.168.1.5/servstats I get the following:
(the section about HTTPS requests is the part I wonder is problematic)

Here are the instructions to generate and import certs.
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

 

[PeterR]

Hello all - just installed Diversion this weekend, and just had a question about the pixelserv-tls options. I see some info about adding a certificate for this, but I am not clear how that works or what it is for. When I go to 192.168.1.5/servstats I get the following:
(the section about HTTPS requests is the part I wonder is problematic)

Pixelsrv-tls has it's own thread https://www.snbforums.com/threads/pixelserv-a-better-one-pixel-webserver-for-adblock.26114/ started by the developer provides a lot of information. The OP gives several useful links that will answer your questions.

Diversion installs the version of pixelsrv-tls from the entware repository. If you install amtm (by the same developer as diversion), you can easily install the most recent version of pixelsrv-tls.

 

[spiff72]

Here are the instructions to generate and import certs.
https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate

Thanks. I have gone through and installed it on my two windows machines, will be doing it for my Ubuntu machine, but I am not sure I am following the install instructions that show up at the end of that link where the link for installing on ChromeOS. That set of instructions refers to a certificate that shows up at the end of the instructions, specifically for the Securly cert. I tried to use the instructions, replacing the ca.crt that i had downloaded, but the instructions don't match up with the images shown. I do have one shown under my certs for Pixelserv CA, but it shows as "Not Trusted".

EDIT: I just restarted the Chromebook - the "Not Trusted" doesn't show anymore.

 

[Xentrk]

Efforts are better spend contacting the list maintainers imo (most use the git issue tracker for this). Everyone's opinion of a common domain differs, better to target the issue at the source.

What triggered this for me is several of the streaming services I use have acted up on occasion due to domains being blocked. It was hard to pinpoint exactly what domain was the culprit due to the ad blocker also blocking many other domains used by the services. A lot of time was spent doing the "trial and error" method was spent trying to figure out the culprit. A search on the net lead me to a reddit post that helped me pinpoint the domain on SlingTV. That is how I came across the pi-hole list.

 

[keef]

Can somebody please help me understand how Diversion works? The typical browser-based blocker uses a list of domains to block ads from. Diversion uses a similar list however I do not understand the ad-blocking to an IP ('ad-blocking to IP 192.168.1.3').

thanks, Bj

 

[Xentrk]

Can somebody please help me understand how Diversion works? The typical browser-based blocker uses a list of domains to block ads from. Diversion uses a similar list however I do not understand the ad-blocking to an IP ('ad-blocking to IP 192.168.1.3').

thanks, Bj

The use of the IP is for the pixelserv-tls tiny web server for blocking https ads. These links should answer your question.

https://diversion.ch/faq-reader/what-does-pixelserv-tls-do.html
https://github.com/kvic-z/pixelserv-tls

 

[Adamm]

During clean installs on my AX88U I seem to always run into the same issue where Diversion gets stuck on "Waiting for Dnsmasq to restart..", times out, then gets stuck in a loop continuously spawning processes.

https://pastebin.com/raw/vb0xeMpe

https://pastebin.com/raw/hyifsavm

 

[Xentrk]

During clean installs on my AX88U I seem to always run into the same issue where Diversion gets stuck on "Waiting for Dnsmasq to restart..", times out, then gets stuck in a loop continuously spawning processes.

https://pastebin.com/raw/vb0xeMpe

https://pastebin.com/raw/hyifsavm

I saw the same issue on my AC88U recently.

 

[keef]

The use of the IP is for the pixelserv-tls tiny web server for blocking https ads. These links should answer your question.

https://diversion.ch/faq-reader/what-does-pixelserv-tls-do.html
https://github.com/kvic-z/pixelserv-tls

Thanks for the reply. Why does Diversion need to use a web server at all? Why not just block the ads by IP or domain, similar to ad blocking in a browser? I'm not questioning it in a negative way, I just want to better understand it. It has always worked here flawlessly.

thanks, Bj

 

[Xentrk]

Thanks for the reply. Why does Diversion need to use a web server at all? Why not just block the ads by IP or domain, similar to ad blocking in a browser? I'm not questioning it in a negative way, I just want to better understand it. It has always worked here flawlessly.

thanks, Bj

It will respond to ads with “nothing” and speed up browsing. I should have given you this link too as it explains how it works and the benefits in more detail.

https://github.com/kvic-z/pixelserv-tls/wiki/FAQ