Thanks for the reply. Why does Diversion need to use a web server at all? Why not just block the ads by IP or domain, similar to ad blocking in a browser? I'm not questioning it in a negative way, I just want to better understand it. It has always worked here flawlessly.

thanks, Bj

A general answer for anyone out there with similar question:

Diversion harnesses the dnsmasq server to proactively filter DNS requests. It does this by loading domains from a block-list and forcing them to resolve to 0.0.0.0. Diversion cannot block IP addresses, nor can it block ads delivered through an encrypted HTTPS session (without pixelserv). It also cannot block DNS requests sent via DNS over HTTPS.

Skynet harnesses the firewall to filter inbound/outbound network traffic to IP addresses. It does this by loading IP addresses or IP ranges from a block list and forces sent/received packets to be dropped. Skynet cannot block domain names, nor can it inspect and filter network traffic for machines that are tunneling through their own VPN.

Skynet and Diversion are developed to complement one another. I use both. I don’t use pixelserv.

Browser-based adblockers use differently formatted blocklists (more advanced rules for cosmetic filtering) and they are not compatible with Diversion. Browser-based adblockers can filter traffic delivered via HTTPS because they are able to see the traffic as it is decrypted inside the browser. They do not proactively block domains like Diversion does; they are just reactive and filter web pages as they are loaded.
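The dnsmasq mechanism described above (domains loaded from a block list and answered with 0.0.0.0), as an added Python example that is not Diversion's own code: it assumes a hosts-format block list and expresses blocking as dnsmasq `address=/domain/0.0.0.0` directives, which also cover every subdomain, so redundant child entries are collapsed and `is_blocked` shows how a query name is matched.

```python
"""dnsmasq-style DNS sinkhole list: parse a hosts-format block list and
emit address=/domain/0.0.0.0 directives (which also cover subdomains).
Added example, not Diversion's own code; the formats are assumptions."""
import re

# Constructed sample block list in hosts format (not a real list).
SAMPLE_HOSTS = """\
# comment line
0.0.0.0 ads.example.net
0.0.0.0 tracker.ads.example.net   # redundant: covered by the parent above
127.0.0.1 localhost
0.0.0.0 metrics.example.org
0.0.0.0 not a domain!
"""

# Plausible DNS name: dotted labels of letters, digits and hyphens.
DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")
SINK_IPS = {"0.0.0.0", "127.0.0.1", "::"}

def parse_hosts(text):
    """Return the set of valid domains a hosts-format list sinkholes."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2 or fields[0] not in SINK_IPS:
            continue  # blank, malformed, or not a sinkhole entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost" and DOMAIN.match(name):
                domains.add(name)
    return domains

def is_blocked(qname, domains):
    """dnsmasq address= semantics: match the name itself or any parent domain."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def collapse(domains):
    """Drop entries already covered by a listed parent domain."""
    keep = set()
    for name in sorted(domains, key=lambda d: d.count(".")):  # parents first
        if not is_blocked(name, keep):
            keep.add(name)
    return keep

def to_dnsmasq(domains, sink="0.0.0.0"):
    """Emit sorted address= directives for a dnsmasq config fragment."""
    return [f"address=/{d}/{sink}" for d in sorted(collapse(domains))]
```

Queries that never reach dnsmasq (a client using DNS over HTTPS, or its own VPN resolver) are invisible to this matching, which is the limitation the post describes.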
 
Zonkd, I too am interested in why you don't use pixelserv-tls!

Performance reasons? Resource reasons? I use it (through Diversion) and it seems very transparent to me.

Interested in your reasons. ;)
 
Tantalising... you didn’t say why not.

There’s such a lot of good info in your post that I’ll have to read it a few times to get the best out of it.

Can't justify using pixelserv and installing certs on family devices. Sufficient for my needs just using Diversion for logging/statistics and light-to-medium filtering of ad/malware/pron domains (especially to cover IoT devices). I'd rather handle the more aggressive filtering directly on the client anyway.
 
I can understand that!

My method? I teach the most 'geeky' person how to do it. Then they become the family's first line of support. :)

And I'm off the hook! :D
 
I haven't tested it on my spare router yet, so maybe I just don't fully understand what value it could add. There are no worries with web browsing on a PC if you already use Firefox with the right addons (hello uBlock Origin, preferably with uMatrix and NoScript). Mobile devices also have apps available for browser and system-wide ad blocking. A good application and network firewall on PCs gives you granular control of what third-party apps are doing with internet access.
 
I found this helpful explanation on https://paul.is-a-geek.org/

The basic idea of DNS based adblocking is this: any device on your network goes to a website and when that website has an advertisement on it, the ad is usually directed to a known advertising website for just that box/ad/display on the web page. With DNS based adblocking, your browser tries to look up the advertising site, but is instead presented with a special dead IP address and the advertisement does not load. This works network-wide across all devices including phones, tablets, computers, etc.

I also run Skynet, it's great it all works so well together and AMTM tops it off nicely. We are fortunate to have the benefit of such good programmers and all of their time.

Bj
 
Anyone else noticing ads slipping through when watching twitch?

I started seeing ads about a week ago...

I use an Amazon Fire Stick and the Fire TV to watch Twitch, and up until a week ago all of the ads were being blocked. I'm using the medium block list.
 

Ads on Twitch are now directly injected into the stream. There is no... easy way to block them anymore.
 
Apologies for the naive questions, but I've been trying to figure out how to get Diversion/Skynet/DNScrypt and possibly pixelserv running on an Asus 86U with the Merlin software, that is running a VPN at the router level. As far as I can tell, these are all installed and updated and enabled according to AMTM, but they do not seem to be working.

What am I missing in regards to the Strict/Exclusive settings, and do I need to add or remove DNS servers anywhere in the Merlin UI as well?
 
Hi. No apologies needed. I'm far from an expert; however, we all had to learn at some time. My first thought would be to shut off the VPN and get the easy stuff working first. It is remarkably painless to get everything working well together. Does the router work normally with the VPN off?

Bj
 
Thanks keep. And yes, indeed it does. I'm uncertain if there's any kind of comprehensive way to test these different tools, but they are all appearing green and good to go in AMTM.

I am also curious if running a VPN on the machine being used is possibly overriding the Diversion setup on the router itself. I wouldn't doubt that it is, but I'll have to wait until later on to test it. I prefer having VPN active on both the router and the client side.
 
Not in my experience here. I have an AC86U with full time OpenVPN client using Strict Policy rules, all devices use VPN except smart TV because Netflix, Amazon Prime and YouTube TV hate proxies. :)

Also a full time IPSec VPN server, amtm, Diversion, Skynet, Stubby DNS over TLS, Entware, ChkWAN and VPN_Failover scripts.

It all runs well and communicates with each other. One note is that I have the OpenVPN client "Accept DNS Configuration" set to Disabled so that Stubby works even for all the VPN tunneled clients.
 
I *think* it is working when the host device is not running a VPN on itself. Is this to be expected, or should Diversion be doing its thing even when running a VPN on the client side?
 
To enjoy Diversion you need to set the "Accept DNS Setting" to disabled.
 
If that is the case, then I am confused about the part in the documentation that says: "To resolve the DNS and routing issues when using Policy Rules with Asuswrt-Merlin, set Accept DNS Configuration to “Strict” and specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section. Without the dhcp-option command, AB-Solution updates will fail, the AB-Solution email function will no longer work and the wget command will not be able to resolve the domain name. The downside with these settings is that DNS will leak."
 

If you set it to Disabled, you use the DNS defined on the router globally. If you use Stubby on the router, it would use that as well; Diversion is included in this. If you use Strict, then yes, you have to specify an ordered server list. The only settings I ever use are Exclusive, to use the VPN provider's DNS, or Disabled, to use the router's.
 

Yes, I can understand your confusion. I used the recommendation on the wiki to use Accept DNS Configuration set to Strict before I ran Stubby, and that worked as the wiki states. When Stubby was introduced here, that changed the way DNS resolution works. As stated in this message from @Xentrk, Accept DNS Configuration for VPN clients needs to be set to Disabled or it will not work correctly. Xentrk is one of the Stubby script contributors and is very knowledgeable in networking and especially VPN use. Since the Stubby script and its use are much newer than that wiki information about using DNS with a VPN, one has to learn the new methods.

@skeal and I run Stubby DNS over TLS with a VPN and our experience shows that Accept DNS Configuration in the VPN client needs to be set to Disabled. At least try it and see if your IP leaks are solved.
 