OK, my turn to be befuddled. Yesterday I tracked packages on ups.com. Today this is all I see.
[Attached image: Screenshot-at-2019-10-21-19-28-33.png]

(F)ollow log file "3. Filtered by blocked domains" in Diversion shows no blocking. Empty, zip, nada.

(F)ollow log file "1. Unfiltered log" gives this link to pastebin.com

What looks suspect to me are these three lines
Code:
Oct 21 19:21:03 dnsmasq[7508]: forwarded www.ups.com to 127.0.1.1
Oct 21 19:21:03 dnsmasq[7508]: forwarded gateway.foresee.com to 127.0.1.1
Oct 21 19:21:03 dnsmasq[7508]: forwarded ups.inq.com to 127.0.1.1
Usually I find what is being blocked, but this has me stumped.
 
Did you just create the certs from pixelserv 2.3? That was my problem before with Verizon's website, and I thought I got it solved; however, it came back and it's reproducible. My workaround for now is to uninstall/install diversion, upgrade to pixelserv 2.3, but do not create new certs. Hope @thelonelycoder can check what's going on.
 
The outcome will be the same. Diversion creates a compliant ca.crt during the install and once you upgrade to pixelserv-tls v2.3 so will the domain certs.

It would be much faster to purge the domain certs instead of a reinstall of it all.
That way you don't have to re-import the ca.crt into browsers/devices.
 
What about Skynet?
 
Ah, same here. Let me investigate.
 
@Butterfly Bones for ups.com try whitelisting ups.tt.omtrdc.net
If that still does not help, add these one by one until brown shows up:
Code:
c.go-mpulse.net
cdn5.userzoom.com
dpm.demdex.net
What else can brown (thelonelycoder) do for you?
 
The outcome will be the same. Diversion creates a compliant ca.crt during the install and once you upgrade to pixelserv-tls v2.3 so will the domain certs.

It would be much faster to purge the domain certs instead of a reinstall of it all.
That way you don't have to re-import the ca.crt into browsers/devices.
I really do not understand the mechanics of how certs are created. Installing diversion also installs pixelserv 2.2 (kvics) which is now not compliant with safari. Because of that reason is the need to update to pixelserv 2.3 and recreate the certs to be compliant. This is where diversion breaks some websites I'm seeing. I thought by moving diversion from a 68P to AX88U was the reason of some sites not rendering the whole page but I realize every time I create a cert from pixelserv 2.3 it breaks Diversion rendering some sites blank, in my case, Verizon FIOS homepage.
 
Because of that reason is the need to update to pixelserv 2.3 and recreate the certs to be compliant. This is where diversion breaks some websites I'm seeing.
At this point, you only purge the domain certificates. You do not need to recreate the ca.crt as it is already compliant. The ca.crt is created by Diversion during the install and is independent of the installed pixelserv-tls version.
The domain certificates are created by pixelserv-tls off of the ca.crt.
Hence the need to purge the domain certificates after upgrading pixelserv-tls to v2.3, but no need to recreate the ca.crt as this would have to be re-imported into browsers/devices.

To find out if and what domain is blocked while browsing, use the f function in Diversion and make a good guess which of the domains is causing sites to be blank.
 
Hello. Would someone be willing to share their settings for Diversion under OpenVPN? I'd really appreciate it. I tried and tried with only bad luck as the result. Currently I use Astrill VPN and they recently went to $20/month (USD). While it works great, and allows me to stick with Skynet and Diversion, being from Canada it is too expensive anymore.

thanks, Bj
(Accept DNS Configuration = Exclusive) + (Policy Rules enabled) = dnsmasq is bypassed and Diversion will not work. More details in the links below, including workaround solutions:

https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
https://www.snbforums.com/threads/o...-and-other-basic-questions.59175/#post-520566
 
What about Skynet?
When I disabled Diversion with Skynet running, the UPS tracking shows.
Ah, same here. Let me investigate.
@Butterfly Bones for ups.com try whitelisting ups.tt.omtrdc.net
If that still does not help, add these one by one until brown shows up:
Code:
c.go-mpulse.net
cdn5.userzoom.com
dpm.demdex.net
What else can brown (thelonelycoder) do for you?
Whitelisting ups.tt.omtrdc.net solved it, thank you.

For future reference, how did you find that? That domain did not show up in filtering by blocked sites or unfiltered for me; it is not in the paste I recorded either. As stated, when I have an issue, I usually find it by (F)ollow log file.
 
Did you just create the certs from pixelserv 2.3? That was my problem before with Verizon's website, and I thought I got it solved; however, it came back and it's reproducible. My workaround for now is to uninstall/install diversion, upgrade to pixelserv 2.3, but do not create new certs. Hope @thelonelycoder can check what's going on.
No, I have pixelserv 2.3 and new iOS compliant certs for over a month. When you posted the Verizon issue, I checked it here and it showed fine for me. I normally test all those blocked sites when users post here, just a learning / test exercise for me.
 
When you posted your UPS issue, I checked it and there was no issue using standard+ definition for me. Unless you have a tighter blocking list there is inconsistency there. Now that it looks like you solved your problem, that's what's important.
 
At this point, you only purge the domain certificates. You do not need to recreate the ca.crt as it is already compliant. The ca.crt is created by Diversion during the install and is independent of the installed pixelserv-tls version.
The domain certificates are created by pixelserv-tls off of the ca.crt.
Hence the need to purge the domain certificates after upgrading pixelserv-tls to v2.3, but no need to recreate the ca.crt as this would have to be re-imported into browsers/devices.

To find out if and what domain is blocked while browsing, use the f function in Diversion and make a good guess which of the domains is causing sites to be blank.
That's what it is, not understanding the mechanics of the certificates on my part. An excellent script that easily leads me to complacency. Thanks for the simple explanation on what's going on there. One last question, so with what I understood from your explanation, ep,3,2 is there to use if the certs are expiring soon? As in my case, in the tenth year? As of now, these are the options that break diversion if you mistakenly use it like what happened to me. Is it possible to warn newbies?
 
....
Whitelisting ups.tt.omtrdc.net solved it, thank you.
For future reference, how did you find that? That domain did not show up in filtering by blocked sites or unfiltered for me; it is not in the paste I recorded either. As stated, when I have an issue, I usually find it by (F)ollow log file.

Like you, I’m intrigued. (Ups.com works fine for me, by the way.) And presumably, removing ups.tt.omtrdc.net from your whitelist (and clearing the browser cache?) would prevent the site displaying again. So why does ups.tt.omtrdc.net not show when you follow the log?
 
When you posted your UPS issue, I checked it and there was no issue using standard+ definition for me. Unless you have a tighter blocking list there is inconsistency there. Now that it looks like you solved your problem, that's what's important.
Yes, I have Standard+ as well. This gets more mysterious. This UPS tracking was the first time I could not solve what was blocking a site I use regularly.
 
Like you, I’m intrigued. (Ups.com works fine for me, by the way.) And presumably, removing ups.tt.omtrdc.net from your whitelist (and clearing the browser cache?) would prevent the site displaying again. So why does ups.tt.omtrdc.net not show when you follow the log?
Good questions. When I added ups.tt.omtrdc.net, Diversion showed an exact match in blocking file. I will test removing it, clear cache and try again later today. It worked Sunday, then Monday was blank white, likely due to the fact I have my Diversion blocking list (Standard+) update Sunday at 0200 my local time.
 
Like you, I’m intrigued. (Ups.com works fine for me, by the way.) And presumably, removing ups.tt.omtrdc.net from your whitelist (and clearing the browser cache?) would prevent the site displaying again. So why does ups.tt.omtrdc.net not show when you follow the log?
Because it is cached, by the router, OS and browser.
Clear your caches for such actions.
It used to be that when one CTRL-F5es in Firefox that would request all sources new. Not anymore in my experience. I don't know what the FF devs are on but this browser is getting on my nerves lately. And I've been a steadfast user and supporter since the early beginnings.
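
Added example, not part of the original posts and not Diversion's own code: a sketch of reading a dnsmasq query log the way this thread needs. A `forwarded` line only means the query was passed to an upstream resolver, a blocked name is answered from a local list file with the blocking IP, and a name that never shows up was never asked of dnsmasq (for example because a client-side cache answered it). The log lines, the list path `/path/to/blockinglist` and the blocking IP `192.168.1.2` are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq "log-queries" format. The list path and the
# blocking IP 192.168.1.2 are placeholders, not values taken from the thread.
SAMPLE_LOG = """\
Oct 21 19:21:03 dnsmasq[7508]: query[A] www.ups.com from 192.168.1.20
Oct 21 19:21:03 dnsmasq[7508]: forwarded www.ups.com to 127.0.1.1
Oct 21 19:21:03 dnsmasq[7508]: reply www.ups.com is 203.0.113.10
Oct 21 19:21:04 dnsmasq[7508]: query[A] ups.tt.omtrdc.net from 192.168.1.20
Oct 21 19:21:04 dnsmasq[7508]: /path/to/blockinglist ups.tt.omtrdc.net is 192.168.1.2
Oct 21 19:21:09 dnsmasq[7508]: query[A] www.ups.com from 192.168.1.20
Oct 21 19:21:09 dnsmasq[7508]: cached www.ups.com is 203.0.113.10
"""

# <action> <domain> from|to|is <value>
LINE = re.compile(r"dnsmasq\[\d+\]: (\S+) (\S+) (?:from|to|is) (\S+)$")

def classify(log_text, blocking_ip):
    """Map each domain to the set of ways dnsmasq handled it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        action, domain, value = m.groups()
        if action.startswith("query["):
            seen[domain].add("queried")
        elif action in ("forwarded", "reply", "cached"):
            seen[domain].add(action)
        elif action.startswith("/") and value == blocking_ip:
            # Answer came from a local hosts-style file and points at the
            # blocking IP: this is what a block looks like in the log.
            seen[domain].add("blocked")
    return dict(seen)

def blocked_domains(log_text, blocking_ip):
    """Domains answered from a list file with the blocking IP."""
    seen = classify(log_text, blocking_ip)
    return sorted(d for d, how in seen.items() if "blocked" in how)

def never_queried(log_text, blocking_ip, expected):
    """Expected domains with no query line: dnsmasq was never asked."""
    seen = classify(log_text, blocking_ip)
    return sorted(d for d in expected if "queried" not in seen.get(d, ()))
```

A domain returned by `never_queried` cannot be diagnosed from the log at all until client caches are cleared and the page is loaded again.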
 
After doing a "Refresh Firefox..." am able to load both UPS and Verizon sites successfully.

Edit: Well that didn't work. Had to import the pixelserv-tls CA certificate again after which both sites are not working.
 