Diversion Diversion - the Router Ad-Blocker

[L&LD]

It only works locally for me. My bad, sorry.
I've pushed an update with the correct URL (https://pgl.yoyo.org/adservers/serv...&showintro=0&mimetype=plaintext&useip=0.0.0.0).

Use u to update, the new md5sum check will kick in.
Thanks for reporting!

Interesting. I wonder why I did not have any such messages when I updated (almost immediately after you announced it)?

I did do another update right now, but the output looked all the same, with no errors at all.

 

[thelonelycoder]

Interesting. I wonder why I did not have any such messages when I updated (almost immediately after you announced it)?

I did do another update right now, but the output looked all the same, with no errors at all.

You'll only see it when manually updating the blocking file(s) in b.
Worst case with my .test domain as URL is that the memory usage will not be lowered during the update.

 

[thelonelycoder]

I've been getting a recurring error message whenever lists reload. It has evidently to do with the way a few entries, perhaps all of them coming from winhelp2002.mvps.org-hosts.txt, are getting parsed. I can manually remove these but they are always re-added, and look like this:

192.168.1.2-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0.info
192.168.1.2-0-0-0-0-0-0-0-0-0-18-0-0-0-0-0-0-0-0-0-0-0-0-0.info
192.168.1.2-0-0-0-0-0-0-0-0-0-33-0-0-0-0-0-0-0-0-0-0-0-0-0.info
192.168.112.2o7.net
192.168.122.2o7.net

Are these in the blocking file? I don't see anything in the winhelp hosts file that would do that, nor in any other common hosts file.
Can you post the list of hosts files you are using in b, 1. Change composition, 2. Customize hosts list

 

[thelonelycoder]

Looks like the old dns.msftncsi.com probing is back, even if the setting is disabled in Administration/Network Monitoring.
This glitch has to be fixed by Asus.

You would see repeated entries in the dnsmasq.log file for:

query[A] dns.msftncsi.com from 127.0.0.1

This is nothing new, good old AB-Solution even had an option to disable this. Diversion does not and I hope I will not have to add it.

For the time being, you can paste this one liner in the terminal and press [Enter] to disable it, it will stop probing immediately:
See edit below.

nvram set dns_probe=0;nvram set dns_probe_content=;nvram set dns_probe_host=dns.msftncsi.com;nvram set wandog_delay=0;nvram set wandog_enable=1;nvram set wandog_fb_count=4;nvram set wandog_interval=5;nvram set wandog_maxfail=12;nvram commit

To undo the change and reset to default, use this and probing will start again:
See edit below.

nvram set dns_probe=0;nvram set dns_probe_content='131.107.255.255 112.4.20.71 fd3e:4f5a:5b81::1';nvram set dns_probe_host=dns.msftncsi.com;nvram set wandog_delay=0;nvram set wandog_enable=0;nvram set wandog_fb_count=4;nvram set wandog_interval=5;nvram set wandog_maxfail=12;nvram commit

Edit: Looks like this will do just fine:

nvram set dns_probe=0;nvram set dns_probe_content=;nvram commit

To reset to default use:

nvram set dns_probe=0;nvram set dns_probe_content='131.107.255.255 112.4.20.71 fd3e:4f5a:5b81::1';nvram commit

 

[L&LD]

@thelonelycoder, just wondering if the option to install the pixelserv-tls beta version is still an option that is required for the RT-AC86U routers, considering that version 2.2.1 is automatically installed?

Should that just be ignored, or should the statically linked beta version be installed instead, ps, 2, armv8, in the main amtm menu (after showing 'i')?

 

[thelonelycoder]

@thelonelycoder, just wondering if the option to install the pixelserv-tls beta version is still an option that is required for the RT-AC86U routers, considering that version 2.2.1 is automatically installed?

Should that just be ignored, or should the statically linked beta version be installed instead, ps, 2, armv8, in the main amtm menu (after showing 'i')?

No need to use a beta version when it is the same as the release version, right?
Some may prefer the hard linked pixelserv-tls version available as beta in amtm and they have their reasons to do it. The version is still the same.

 

[L&LD]

No need to use a beta version when it is the same as the release version, right?
Some may prefer the hard linked pixelserv-tls version available as beta in amtm and they have their reasons to do it. The version is still the same.

Oh, so the regular install is the dynamically linked version then. I vaguely remember the dynamically linked version being superior, but can't remember why right now.

 

[thelonelycoder]

Oh, so the regular install is the dynamically linked version then. I vaguely remember the dynamically linked version being superior, but can't remember why right now.

The hard linked version uses newer libraries that are supposedly faster and add the tls 1.3 protocol.
Can't remember, but Entware maintainers or Merlin now uses updated libssl libraries that support the tls1_3 protocol.
It is enabled on my routers that don't run pixelserv-tls beta so we all should be good.

 

[Marin]

@thelonelycoder and @Xentrk, do you have any thoughts on what the Accept DNS Configuration setting should be with new DOT Merlin FW so they don’t interfere with Diversion? I know Disabled was recommended to work well with Stubby and Diversion. Also, adding the dhcp option IP in Custom configuration when using Strict profile was also recommended.

Any thoughts on what setting would be more appropriate so it doesn’t interfere with Diversion? Is using Exclusive another option now that Stubby is no longer installed separately?

 DNS Behavior

“Accept DNS Configuration” set to “Exclusive”

When combined with Policy Rules based routing, all clients configured to use the VPN will use the DNS servers provided by the VPN tunnel. LAN Clients configured to go through the WAN will use the DNS configured in the WAN Settings Screen.

The disadvantage of setting “Accept DNS configuration” to “Exclusive” is that DNSMASQ will be bypassed since the VPN tunnel will exclusively use the DNS of the VPN Provider. The popular Diversion ad blocker program, written for the Asuswrt-Merlin firmware, will not work since Diversion requires the features of DNSMASQ. Diversion will work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet Traffic” to “All”.

There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting “Accept DNS Configuration” to either “Strict” or “Disabled”.

“Accept DNS Configuration” set to “Strict” 

If you set Accept DNS Configuration to “Strict”, you must then specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section per the example below.

dhcp-option DNS 1.1.1.1
“Accept DNS Configuration” set to “Disabled”

My preferred recommendation is to set “Accept DNS Configuration” to “Disabled” and install Stubby DNS over TLS. Stubby DNS over TLS will encrypt DNS queries for all devices on the network.

Accept DNS Configuration Definitions

For reference, the definition of the Accept DNS Configuration field values are as follows:

Disabled: DNS servers pushed by VPN provided DNS server are ignored.
Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order. Existing DNS servers are only used if VPN provided ones don’t respond.
Exclusive: Only the pushed VPN provided DNS servers are used.

Sent from my iPhone using Tapatalk

 

[Davidncali001]

I am on the latest stable version of Asus Merlin 384.10_2 and I just updated to the newest version of Diversion, however now whenever I am using the router I can no longer log onto Chase bank. This was never a problem before the update to the newest Diversion. Maybe I did something wrong, I don't know.... Any help would be appreciated.

ps on my mobile connection Chase bank allows me to log on just fine.

 

[martinr]

I am on the latest stable version of Asus Merlin 384.10_2 and I just updated to the newest version of Diversion, however now whenever I am using the router I can no longer log onto Chase bank. This was never a problem before the update to the newest Diversion. Maybe I did something wrong, I don't know.... Any help would be appreciated.

ps on my mobile connection Chase bank allows me to log on just fine.

You need to whitelist the Chase Bank. Have a look at:

https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-69#post-446586

 

[martinr]

I am on the latest stable version of Asus Merlin 384.10_2 and I just updated to the newest version of Diversion, however now whenever I am using the router I can no longer log onto Chase bank. This was never a problem before the update to the newest Diversion. Maybe I did something wrong, I don't know.... Any help would be appreciated.

ps on my mobile connection Chase bank allows me to log on just fine.

I really should have also asked if you use Skynet. If so, these links might also prove useful:

https://www.snbforums.com/threads/skynet-asus-firewall-addition.16798/#post-115872

https://github.com/Adamm00/IPSet_ASUS/wiki#applicationexe-or-websitecom-is-blocked

https://www.snbforums.com/threads/a-few-concerns.54278/#post-458826

 

[thelonelycoder]

I am on the latest stable version of Asus Merlin 384.10_2 and I just updated to the newest version of Diversion, however now whenever I am using the router I can no longer log onto Chase bank. This was never a problem before the update to the newest Diversion. Maybe I did something wrong, I don't know.... Any help would be appreciated.

Diversion does it's ad-blocking by using hosts files and combining them into the blocking file. That means, whatever is blocked is caused by the hosts files you are using.
Nothing's wrong what you did, it's just that some required api's or website's domain is newly blocked in your blocking file.

 

[thelonelycoder]

I've pushed a Diversion update, no version change
- Automatic swap file error correction when opening Diversion
- Road beautification project: Swap file creation is now consistent with the overall Diversion experience

Use u to update Diversion.

 

[Xentrk]

@thelonelycoder and @Xentrk, do you have any thoughts on what the Accept DNS Configuration setting should be with new DOT Merlin FW so they don’t interfere with Diversion? I know Disabled was recommended to work well with Stubby and Diversion. Also, adding the dhcp option IP in Custom configuration when using Strict profile was also recommended.

Any thoughts on what setting would be more appropriate so it doesn’t interfere with Diversion? Is using Exclusive another option now that Stubby is no longer installed separately?

 DNS Behavior

“Accept DNS Configuration” set to “Exclusive”

When combined with Policy Rules based routing, all clients configured to use the VPN will use the DNS servers provided by the VPN tunnel. LAN Clients configured to go through the WAN will use the DNS configured in the WAN Settings Screen.

The disadvantage of setting “Accept DNS configuration” to “Exclusive” is that DNSMASQ will be bypassed since the VPN tunnel will exclusively use the DNS of the VPN Provider. The popular Diversion ad blocker program, written for the Asuswrt-Merlin firmware, will not work since Diversion requires the features of DNSMASQ. Diversion will work over the VPN tunnel when “Accept DNS configuration” is set to “Exclusive” and Policy Rules are disabled by setting “Redirect Internet Traffic” to “All”.

There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting “Accept DNS Configuration” to either “Strict” or “Disabled”.

“Accept DNS Configuration” set to “Strict”

If you set Accept DNS Configuration to “Strict”, you must then specify the DNS server for the VPN tunnel to use by adding the dhcp-option DNS command in the Custom Configuration section per the example below.

dhcp-option DNS 1.1.1.1
“Accept DNS Configuration” set to “Disabled”

My preferred recommendation is to set “Accept DNS Configuration” to “Disabled” and install Stubby DNS over TLS. Stubby DNS over TLS will encrypt DNS queries for all devices on the network.

Accept DNS Configuration Definitions

For reference, the definition of the Accept DNS Configuration field values are as follows:

Disabled: DNS servers pushed by VPN provided DNS server are ignored.
Relaxed: DNS servers pushed by VPN provided DNS server are prepended to the current list of DNS servers, of which any can be used.
Strict: DNS servers pushed by the VPN provided DNS server are prepended to the current list of DNS servers, which are used in order. Existing DNS servers are only used if VPN provided ones don’t respond.
Exclusive: Only the pushed VPN provided DNS servers are used.

Sent from my iPhone using Tapatalk

Sorry for the delay in reply. I replied to the post in the beta thread earlier . But for the VPN to use DoT, set Accept DNS Configuration to Disabled. This will also tell the VPN tunnel to use dnsmasq so Diversion will still block ads when connected to the VPN tunnel.

More info on new blog post here:
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

 

[elorimer]

I vaguely remember the dynamically linked version being superior, but can't remember why right now.

Two reasons originally for the static version. One was early adoption of 1.3, and that is no longer true. The other was that the static version was compiled with a buffer setting that reduced memory usage. That also is no longer true, and both version use about the same amount of memory when running. So no longer any reason for the beta version.

 

[nlurker]

So no longer any reason for the beta version.

How do I uninstall the beta version then, and revert to the normal release version?

 

[EmeraldDeer]

How do I uninstall the beta version then, and revert to the normal release version?

My guess:

• Remove beta via amtm
• opkg install pixelserv-tls

 

[thelonelycoder]

My guess:

• Remove beta via amtm
• opkg install pixelserv-tls

• Remove via amtm ps by selecting "4. restore - revert back to prod version and clean up test directory"
• In terminal enter

  opkg install pixelserv-tls --force-reinstall

• Then in Diversion ep "4. Restart pixelserv-tls"

 

[cmkelley]

• Remove via amtm ps by selecting "4. restore - revert back to prod version and clean up test directory"

Huh? In amtm, ps only gives me two options.

• In terminal enter

  opkg install pixelserv-tls --force-reinstall

• Then in Diversion ep "4. Restart pixelserv-tls"