I’ve recently been having TONS of connections to 117.18.237.29 which is being used for ocsp.digicert.com and cs9.wac.phicdn.net. That IP is apparently owned by Verizon. Pixelserv has banned it recently but it got me wondering as you can imagine.
Did you update to pixelserv-TLS v2.3.0? If you did, the only way to know for sure is to disable pixelserv or go back to v2.2.1 then try the sites.
 
Hi guys,

I'm facing an error where I can't seem to install Diversion.
Today I updated my ac68u from John's fork to Merlin 384.13.
Afterwards I did a factory reset and thought to delete the USB stick I'm using.
In amtm it mentions it can't find a proper USB stick and errors out, stating I can format in amtm.
In amtm I enter 'fd' so the format utility starts and it sees the USB drive. I take all the steps and use the recommended settings of the script, so I give a name and format as ext4.
Afterwards the router reboots and I go back in trying to install Diversion, but I'm seeing the same error again.
Tried ext2 but no difference in behaviour.
Looking at the system logs of the router web UI I see the name of the USB brand coming by, so I think the router is seeing the USB drive.
Any idea why this is happening?

Edit: Tried some more; when I place the USB stick in my laptop I can format it back so Windows sees it again.
Trying to install Diversion, it is unable to see the USB stick.
Seems like the router isn't mounting the USB stick or something.
The USB stick needs to be formatted ext4. Use the following to format the stick.
mke2fs -t ext4 /dev/sda1
tune2fs -O ^has_journal /dev/sda1

I am using a 120GB SSD in place of the stick because sticks tend to go bad too early in their life.
 
I’ve recently been having TONS of connections to 117.18.237.29 which is being used for ocsp.digicert.com and cs9.wac.phicdn.net. That IP is apparently owned by Verizon. Pixelserv has banned it recently but it got me wondering as you can imagine.
I am able to get into myVZ Wireless account on my iPad Pro running iPadOS 13.x. I do have the cert installed on it. Make sure that you have installed the Pixelserv cert and also flush cookies, etc. from your browser.
 
I am able to get into myVZ Wireless account on my iPad Pro running iPadOS 13.x. I do have the cert installed on it. Make sure that you have installed the Pixelserv cert and also flush cookies, etc. from your browser.
Can you click the Verizon link I posted above and see if you can open the site? I assume you're using pixelserv-TLS v2.3.0 with Diversion. And just for the record, I'm using Win10 with Chromium Edge Dev so there's no cert requirement needed. Had I seen your post earlier I could have tried from my iPhone, but it's too late; I temporarily reinstalled pixelserv v2.2.1 until jack and/or thelonecoder look into this.
 
117.18.237.29 is a part of the MCI block which VZ owns. It shows being a block in Taipei China. I had to go and redo my install of everything and changed my DNS to Quad9 for testing and have not had any issues.
 
Did you update to pixelserv-TLS v2.3.0? If you did, the only way to know for sure is to disable pixelserv or go back to v2.2.1 then try the sites.

Amazingly I'm getting connection attempts without even going to any sites. I boot up my iPhone and in addition to the usual Apple IPs, it attempts to connect to 117.18.237.29 as well. Noticed it on my Mac Pro too. Both these machines have had pixelserv-TLS v2.3.0 certs installed. Haven't tried without pixelserv yet. I've been thinking of reinstalling the whole firmware from scratch anyways as I've been seeing flaky behaviour recently: Pixelserv not running, or Skynet's login menu showing its own IP address as 0.0.0.0, or something else strange. I'll probably try an M&M setup later tonight after work and see what's what.
 
Can you click the Verizon link I posted above and see if you can open the site? I assume you're using pixelserv-TLS v2.3.0 with Diversion. And just for the record, I'm using Win10 with Chromium Edge Dev so there's no cert requirement needed. Had I seen your post earlier I could have tried from my iPhone, but it's too late; I temporarily reinstalled pixelserv v2.2.1 until jack and/or thelonecoder look into this.
Literally all that was changed was the validity length of the certificate (10 to 2 years) and the addition of an EKU: https://github.com/jackyaz/pixelserv-tls/commits/master

I'd be surprised if this is responsible.
 
Literally all that was changed was the validity length of the certificate (10 to 2 years) and the addition of an EKU: https://github.com/jackyaz/pixelserv-tls/commits/master

I'd be surprised if this is responsible.
That's what I understand, your fork has to do with the cert, so what would change the behaviour? Pixelserv became so aggressive that it blocks some of the sites (blank). Once I reverted back to v2.2.1, sites that I experienced blocks on with v2.3.0 came back to normal, being opened with ads blocked.
 
That's what I understand, your fork has to do with the cert, so what would change the behaviour? Pixelserv became so aggressive that it blocks some of the sites (blank). Once I reverted back to v2.2.1, sites that I experienced blocks on with v2.3.0 came back to normal, being opened with ads blocked.
Are you purging certificates and CA in between versions? Otherwise you're not doing a true test.
 
By the way, someone mentioned that iOS 13 with a 10-year cert is still workable, so long as it uses 2048 bit. Is that true?
Are you able to test that?
I believe the consensus was that the pixelserv CA certificate can indeed be 10 years, but the certificates generated by pixelcert should be 2 years.
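
Added example, not part of any post in this thread: a shell check for the two certificate properties discussed above (the validity change from 10 to 2 years with the added EKU, and the 10-year CA versus 2-year generated certificates). The 825-day limit, the function names, the file names and the `ads.example.test` subject are assumptions; the sample certificates are constructed on the fly.

```shell
# Added example. MAX_DAYS=825 is an assumption (Apple's published iOS 13 limit
# for TLS server certificates); it is not a value stated in the thread.
MAX_DAYS=825

# Convert "notAfter=Sep 25 12:00:00 2021 GMT" to days since 1970-01-01 (plain awk).
to_days() {
    awk '{
        sub(/^[^=]*=/, "")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        d = $2; y = $4
        if (m <= 2) { y--; m += 12 }
        print 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d - 719469
    }'
}

# Total validity span (notBefore to notAfter) in whole days.
cert_span_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | to_days)
    end=$(openssl x509 -in "$1" -noout -enddate | to_days)
    echo $((end - start))
}

# True when the certificate has an Extended Key Usage that lists serverAuth.
has_server_auth() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' |
        grep -q 'TLS Web Server Authentication'
}

# Report both checks; returns non-zero if either fails.
audit_cert() {
    days=$(cert_span_days "$1"); rc=0
    [ "$days" -le "$MAX_DAYS" ] || { echo "FAIL: valid ${days}d, limit ${MAX_DAYS}d"; rc=1; }
    has_server_auth "$1" || { echo "FAIL: no serverAuth EKU"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: ${days}d, serverAuth present"
    return "$rc"
}

# Constructed sample: throwaway self-signed cert (needs OpenSSL 1.1.1+ for -addext).
make_sample() {  # make_sample OUT DAYS EKU
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=ads.example.test" -addext "extendedKeyUsage=$3" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp/new.pem" 730 serverAuth    # 2-year cert with serverAuth EKU
make_sample "$tmp/old.pem" 3650 clientAuth   # 10-year cert without serverAuth
audit_cert "$tmp/new.pem"
audit_cert "$tmp/old.pem" || true
```

Point `audit_cert` at a PEM file exported from the device or generated on the router to see which of the two properties it fails.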
 
I believe the consensus was that the pixelserv CA certificate can indeed be 10 years, but the certificates generated by pixelcert should be 2 years.
Ah... So the cert generated cannot be more than 2 yr+ based on the new iOS?

I read in this thread that at this point in time, Diversion will not auto-delete certs that have expired. But it has the feature of showing when they are expiring.
 
Ah... So the cert generated cannot be more than 2 yr+ based on the new iOS?

I read in this thread that at this point in time, Diversion will not auto-delete certs that have expired. But it has the feature of showing when they are expiring.
I have about two years left to code that part. Better hurry ;)
 
Are you purging certificates and CA in between versions? Otherwise you're not doing a true test.
When you create the cert and CA from v2.3.0 in Diversion (ep, 3, 2) it purges the old cert and keys, then creates the new ones. When downgrading to v2.2.1, I did the extreme: uninstalled Diversion and Entware, then installed Diversion and the Entware packages, which include pixelserv.
I started this thread not because of the certificates (that's fine, I actually use it to access the router securely from Win10), but because pixelserv is not functioning as it should. It's so aggressive that it causes some sites to get blocked, resulting in sites coming up blank; instead of blocking a portion of the site (the ad part), it blocks everything. If you have time please click this https://www.verizon.com/home/myverizon/ while using Diversion/pixelserv v2.3.0. I've been wondering if I'm the only one experiencing these results; I've asked two members to do it but there are no responses yet.
 
@bluepoint, I have no issues clicking that link and connecting to the login page. There are possibly other issues on your end. :)
 
When you create the cert and CA from v2.3.0 in Diversion (ep, 3, 2) it purges the old cert and keys, then creates the new ones. When downgrading to v2.2.1, I did the extreme: uninstalled Diversion and Entware, then installed Diversion and the Entware packages, which include pixelserv.
I started this thread not because of the certificates (that's fine, I actually use it to access the router securely from Win10), but because pixelserv is not functioning as it should. It's so aggressive that it causes some sites to get blocked, resulting in sites coming up blank; instead of blocking a portion of the site (the ad part), it blocks everything. If you have time please click this https://www.verizon.com/home/myverizon/ while using Diversion/pixelserv v2.3.0. I've been wondering if I'm the only one experiencing these results; I've asked two members to do it but there are no responses yet.
Works for me. AC86U, AIProtection, DNS over TLS, Diversion Small+, Pixelserv 2.3.0 with all new certs imported into all devices, Skynet, MacBook Air OSX Mojave, iPad iPadOS 13.1, iPhone 11 Pro Max iOS 13.1.

MacBook capture.
