I have my WAN settings to use my ISP’s DNS and the NTP syncs pretty fast when booting up.
 

SNB has started to give me the yellow banner to disable my ad blocker. All there is blocking is Diversion. There was a Safari update yesterday on my MacBook, but nothing came up then or earlier today. But banner is there now.

Diversion 4.1.4 is now available

What's new in Diversion 4.1.4
- Now checks and sets to 'Yes' during installation: "Wan: Use local caching DNS server as system resolver (default: No)".
- New option in b to use a LAN blocking IP address instead of the local pixelserv-tls or NULL IP 0.0.0.0. This is for advanced users only.
- Correctly reverses IP in pointer record (ptr-record) added to Dnsmasq. Thanks @dave14305 for reporting.
- Checks for NTP date being synced before generating pixelserv-tls CA certificate.
- Option in ep to re-generate pixelserv-tls CA certificate (ca.crt, ca.key). New CA certificate has a 10 year validity and creates an EKU Extended Key Usage valid certificate.
- Expiry date is now shown in ep, 3 for the pixelserv-tls certificates.
- Option in ep, 6, 3 to install @Jack Yaz pixelserv-tls v2.3.0 which is compatible with new required security settings enforced by Apple and soon other companies.

For iOS 13 and MacOS 10.15 users: Requirements for trusted certificates changed: https://support.apple.com/en-us/HT210176
To be ready, the following steps are required if pixelserv-tls v2.2.1 or older is installed on your router.
1. Update Diversion to this latest version
2. Install Jack Yaz's pixelserv-tls v2.3.0 in ep, 6, 3
3. Re-generate the pixelserv-tls CA certificate in ep, 3, 2 (all domain certificates will be purged during that step)
4. Import the new pixelserv-tls CA certificate (ca.crt) into browsers and devices, replacing the previous certificate.
Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

You may update pixelserv-tls to v2.3.0 even if you have no Apple devices. The steps above are still required if you do so.
As of now, there is no concrete feedback from the original developer of pixelserv-tls that an update through the regular Entware channel is in the works. I have had contact through a third party with the developer, but here we are. For this reason, Jack Yaz has taken on that challenge so we all can be compliant with Apple's demands.

How to update Diversion
Use u or d and select Update.
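
The certificate rules behind the steps above, as an added example (not part of the original post and not Diversion or pixelserv-tls code): Apple's HT210176 requires TLS server certificates to use RSA keys of at least 2048 bits, a SHA-2 signature, a DNS name in the Subject Alternative Name, an Extended Key Usage containing serverAuth, and a validity of 825 days or fewer. The script checks a PEM file against those rules; `check_cert`, `make_sample` and the host name `ads.example.test` are constructed for illustration, and OpenSSL 1.1.1+ and GNU date are assumed.

```shell
#!/bin/sh
# Added example: test a PEM certificate against Apple's HT210176 rules for TLS
# server certificates. Assumes OpenSSL 1.1.1+ and GNU date on the checking host.

# Print one token per failed requirement; print nothing when all pass.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # RSA keys must be at least 2048 bits.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge 2048 ] || echo "rsa-key-size"
    fi
    # Signature must use a SHA-2 family hash.
    printf '%s\n' "$text" | grep -Eiq 'Signature Algorithm: .*sha(256|384|512)' \
        || echo "signature-hash"
    # The DNS name must be in the Subject Alternative Name extension.
    printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | grep -q 'DNS:' \
        || echo "san-dns"
    # Extended Key Usage must include id-kp-serverAuth.
    printf '%s\n' "$text" | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' || echo "eku-serverauth"
    # Validity period must be 825 days or fewer.
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    days=$(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
    [ "$days" -le 825 ] || echo "validity-${days}d"
    return 0
}

# Constructed sample: self-signed certificate for a made-up host name.
# $1 = output prefix, $2 = validity in days, remaining args go to openssl req.
make_sample() {
    out=$1; days=$2; shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=ads.example.test" -keyout "$out.key" -out "$out.crt" \
        "$@" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/old" 3650
make_sample "$tmp/new" 825 -addext "subjectAltName=DNS:ads.example.test" \
    -addext "extendedKeyUsage=serverAuth"
for c in old new; do
    echo "$c: $(check_cert "$tmp/$c.crt" | tr '\n' ' ')"
done
```

The `old` sample is a constructed non-compliant certificate, not output from any pixelserv-tls version; point `check_cert` at any PEM certificate file to test it.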

The only thing holding me back from going to 4.1.4 is that it switches local cache to yes. I have noticed a good amount of users reporting this causing issues with internet connection, stubby, ntp-sync, and skynet.

Does this skip doing this if you are only updating?
 
The only thing holding me back from going to 4.1.4 is that it switches local cache to yes. I have noticed a good amount of users reporting this causing issues with internet connection, stubby, ntp-sync, and skynet.

Does this skip doing this if you are only updating?
It'll display a message during the INSTALL process. UPDATES are not affected by this change.
In any case, setting it back to the default 'No' value after INSTALLING Diversion will do it for those that need/prefer it the way Asus stock firmware does.
 
SNB has started to give me the yellow banner to disable my ad blocker. All there is blocking is Diversion. There was a Safari update yesterday on my MacBook, but nothing came up then or earlier today. But banner is there now.

Clearing the cache probably does it.
 
It'll display a message during the INSTALL process. UPDATES are not affected by this change.
In any case, setting it back to the default 'No' value after INSTALLING Diversion will do it for those that need/prefer it the way Asus stock firmware does.
One more question

Also, I use some of the more advanced aspects of diversion, what does this new feature benefit; when would it need to be used?

- New option in b to use a LAN blocking IP address instead of the local pixelserv-tls or NULL IP 0.0.0.0. This is for advanced users only.
 
One more question

Also, I use some of the more advanced aspects of diversion, what does this new feature benefit; when would it need to be used?

- New option in b to use a LAN blocking IP address instead of the local pixelserv-tls or NULL IP 0.0.0.0. This is for advanced users only.
This advanced feature is for those that, for example, decide to install pixelserv-tls on their NAS device, using its more powerful CPU to handle the domain cert generation.
Generally, you want pixelserv-tls to answer on that LAN blocking IP, anything else would be slower as the router can handle pixelserv-tls or the NULL IP blocking pretty good. Faster routers like the RT-AC86U and the RT-AX88U handle it probably much better than any external device.
Even the tried and trusted RT-AC68U is likely fast enough to NOT use the LAN blocking IP.

This feature was added for tinkerers and thinkers outside of the box. AB-Solution had that option but I decided at the time not to port it to Diversion.
It's built in now. The code changes to make it work with all the features Diversion offers were significant, much more than the required code changes for pixelserv-tls v2.3.0 compatibility. I'd say about 70% of the Diversion 4.1.4 code changes were for the LAN blocking IP feature.
 
Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

On a few of my devices the ca.crt certificate isn't downloaded when I go to that url. It works on one Mac but not on another, and it won't work on a Windows10 PC or an iPhone. Any ideas why it won't download?
 
On a few of my devices the ca.crt certificate isn't downloaded when I go to that url. It works on one Mac but not on another, and it won't work on a Windows10 PC or an iPhone. Any ideas why it won't download?
See if that helps, look in the section "Import Pixelserv CA on client devices".
 
On a few of my devices the ca.crt certificate isn't downloaded when I go to that url. It works on one Mac but not on another, and it won't work on a Windows10 PC or an iPhone. Any ideas why it won't download?

On the Windows PC, did you try a different browser, e.g. Edge or IE? When you say it isn’t downloaded, do you get anything or are you looking at a totally blank page?
 
On the Windows PC, did you try a different browser, e.g. Edge or IE? When you say it isn’t downloaded, do you get anything or are you looking at a totally blank page?

Yes I tried Chrome and Edge on the Win10 and Chrome and Safari on the Mac. The screen is blank but the Favicon seems to be set - here's a screenshot:

Screen Shot 115.jpg
 
Hi,

I would greatly appreciate it if someone could help me figure out why pixelserv-tls doesn't seem to work on my router.
I have Diversion 4.1.4 with pixelserv-tls 2.2.1 installed and running:
upload_2019-9-21_13-56-7.png


I have also generated the Pixelserv CA certificate and I have installed it in the Windows Trusted cert store.

But the servstats page always shows a very small number of requests and many zeroes.

Any help is much appreciated, thank you.
 
Hi,

I would greatly appreciate it if someone could help me figure out why pixelserv-tls doesn't seem to work on my router.
I have Diversion 4.1.4 with pixelserv-tls 2.2.1 installed and running:
View attachment 19379

I have also generated the Pixelserv CA certificate and I have installed it in the Windows Trusted cert store.

But the servstats page always shows a very small number of requests and many zeroes.

Any help is much appreciated, thank you.
See that your clients use the router's DNS. In Tools/Other Settings on the router WebUI, is "Wan: Use local caching DNS server as system resolver (default: No)" set to "Yes"?
 
Hi,

I would greatly appreciate it if someone could help me figure out why pixelserv-tls doesn't seem to work on my router.
I have Diversion 4.1.4 with pixelserv-tls 2.2.1 installed and running:
View attachment 19379

I have also generated the Pixelserv CA certificate and I have installed it in the Windows Trusted cert store.

But the servstats page always shows a very small number of requests and many zeroes.

Any help is much appreciated, thank you.
Is your IP 192.168.1.20 reserved for pixelserv-tls in your LAN DHCP Server settings? Just asking because the default value is 192.168.1.2
 
This advanced feature is for those that, for example, decide to install pixelserv-tls on their NAS device, using its more powerful CPU to handle the domain cert generation.
Generally, you want pixelserv-tls to answer on that LAN blocking IP, anything else would be slower as the router can handle pixelserv-tls or the NULL IP blocking pretty good. Faster routers like the RT-AC86U and the RT-AX88U handle it probably much better than any external device.
Even the tried and trusted RT-AC68U is likely fast enough to NOT use the LAN blocking IP.

This feature was added for tinkerers and thinkers outside of the box. AB-Solution had that option but I decided at the time not to port it to Diversion.
It's built in now. The code changes to make it work with all the features Diversion offers were significant, much more than the required code changes for pixelserv-tls v2.3.0 compatibility. I'd say about 70% of the Diversion 4.1.4 code changes were for the LAN blocking IP feature.
I will give this a whirl and let you know how it goes.
 
