Diversion Diversion - the Router Ad-Blocker

[elorimer]

Doesn't it fail more gracefully than that? If you don't import the certificate, the browser doesn't accept the single pixel and displays a broken icon, after a time. So slower and uglier, but you don't get a browser warning.

e.g.:

Shutdown by clients after ServerHello

A client initiates a handshake, receives a response from server and then shuts down the connection unilaterally. The most likely reason is a client finds out the certificate in the server's response not matching its hard-coded fingerprint. Instead of notifying the server of unknown cert or CA, the client shuts down the connection silently. It's considered suspicious client activity worth more attention.

 

[Rhialto]

No. If all works well I'd stay on v2.2.1 until the Entware team releases the v2.3.1 update.

Just updated Diversion and still on v2.1.2, fine?

 

[elorimer]

Just updated Diversion and still on v2.1.2, fine?

Not fine. 2.1.2 is over 18 months out of date. Update pixelserv through ep.

Although, looking at your firmware it may not make a difference.

 

[Rhialto]

Not fine. 2.1.2 is over 18 months out of date. Update pixelserv through ep.

Although, looking at your firmware it may not make a difference.

From lonelycoder previous post he suggest to wait for v2.3.1

Also, all seems to work. It's getting harder to know which version works with which firmware. I know many update the router firmware as soon as a new one is available but I'm more into the classic if it ain't broke don't fix it. I know I cannot run uiDivStats because of that. I plan to update firmware later, there's already another one in the works.

 

[Jack Yaz]

From lonelycoder previous post he suggest to wait for v2.3.1

Also, all seems to work. It's getting harder to know which version works with which firmware. I know many update the router firmware as soon as a new one is available but I'm more into the classic if it ain't broke don't fix it. I just found out just by asking first that latest Skynet would not work with the firmware I use even thought it's not specified in Skynet's instructions. Maybe one day it will be the same for Diversion. I know I cannot run uiDivStats because of that. I plan to update firmware later, there's already another one in the works.

380 is dead and buried. Either use John's fork, or move to 384.XX if your router supports it.

Search for CVE in this: https://www.asuswrt-merlin.net/changelog-382
That alone should give you a reason to upgrade

 

[dave14305]

Doesn't it fail more gracefully than that? If you don't import the certificate, the browser doesn't accept the single pixel and displays a broken icon, after a time. So slower and uglier, but you don't get a browser warning.

e.g.:

Shutdown by clients after ServerHello

A client initiates a handshake, receives a response from server and then shuts down the connection unilaterally. The most likely reason is a client finds out the certificate in the server's response not matching its hard-coded fingerprint. Instead of notifying the server of unknown cert or CA, the client shuts down the connection silently. It's considered suspicious client activity worth more attention.

I use Firefox and it likes to complain about any certificate issues. I temporarily dis-trusted my Pixelserv CA in Firefox, and browsed to https://diversion-adblocking-ip.address/ and Firefox complained of an unknown issuer. Granted, I didn't browse to a site that contained a blocked ad, but I think the test demonstrates the potential issues of not importing AND trusting the Pixelserv CA for the cleanest experience.

Not trusting the Pixelserv CA would increment the uca counter in servstats.

 

[bluepoint]

In order for your browser to accept the https response from Pixelserv-tls, it must trust the certificate that signed the “phony” site certificate that Pixelserv generates for the blocked ad domain. Otherwise, you would see browser warnings every time an https ad request was answered by Pixelserv.

Okay, that makes sense but your second statement about getting a warning doesn't happen to devices that doesn't have the certificates. I do not have control of my wife and children's iOS devices to import the certs(otherwise I have to explain and I'm sure they don't care) and since diversion/pixelserv was installed "never" did I hear a single complain from them. It looks like pixelsev is silently dropping the requests. My question now is, does pixelserv still blocks the ads when these happens? My uca counter is still zero after a day and a half with imported certs in Win 10 Laptop and no certs for the rest of the network clients with 1 Win10, 4 iOS, 4 iPadOS, 3 Chromes, 2 Amazons.

uca 0 slu break-down: # of unknown CA reported by clients
ucb 0 slu break-down: # of bad certificate reported by clients
uce 37203 slu break-down: # of unknown cert reported by clients
ush 56024 slu break-down: # of shutdown by clients after ServerHello

 

[dave14305]

Okay, that makes sense but your second statement about getting a warning doesn't happen to devices that doesn't have the certificates. I do not have control of my wife and children's iOS devices to import the certs(otherwise I have to explain and I'm sure they don't care) and since diversion/pixelserv was installed "never" did I hear a single complain from them. It looks like pixelsev is silently dropping the requests. My question now is, does pixelserv still blocks the ads when these happens? My uca counter is still zero after a day and a half with imported certs in Win 10 Laptop and no certs for the rest of the network clients with 1 Win10, 4 iOS, 4 iPadOS, 3 Chromes, 2 Amazons.

uca 0 slu break-down: # of unknown CA reported by clients
ucb 0 slu break-down: # of bad certificate reported by clients
uce 37203 slu break-down: # of unknown cert reported by clients
ush 56024 slu break-down: # of shutdown by clients after ServerHello

OK, I'll accept that. It's been forever since I've run Pixelserv without the CA imported. I ran a test in Firefox with the CA distrusted again and browsed to the ad-heavy https://www.dailymail.co.uk/

The site loaded without ads, but to watch the page load in the F12 Developer Tools, many resources that Pixelserv was blocking had red errors due to the cert issue. Didn't break the page, but not a clean experience behind the scenes.

 

[bluepoint]

OK, I'll accept that. It's been forever since I've run Pixelserv without the CA imported. I ran a test in Firefox with the CA distrusted again and browsed to the ad-heavy https://www.dailymail.co.uk/

The site loaded without ads, but to watch the page load in the F12 Developer Tools, many resources that Pixelserv was blocking had red errors due to the cert issue. Didn't break the page, but not a clean experience behind the scenes.

View attachment 20488

So I can conclude diversion/pixelserv does the job even certs was not imported not unless someone else does not agree.

 

[Dee dee]

I have a error after I upgraded to AMTM 3.0

My diversion all of a sudden broke.
I can't open the interface to diversion to start or even uninstall.

Im getting the following errors:

 amtm 3.0                  by thelonelycoder
 RT-AC68U (armv7l) FW-384.13 @ 192.168.2.1
 The SNBForum Asuswrt-Merlin Terminal Menu

 1  open     Diversion                 v4.1.6
 2  open     Skynet                    v7.0.2

 6  open     x3mRouting                v1.0.4

 j5 open     uiDivStats                v1.2.3

 ep manage   Entware packages

 dc manage   Disk check script   dcl show log
 fd run      Format disk         fdl show log
 sw manage   Swap file /mnt/usbdrive 2.0G

 i  show     all available scripts or tools
 u  check    for script updates

    amtm options
 e  exit      t  theme   r  remove   a  about
_____________________________________________

 Enter option  1
/opt/bin/diversion: /opt/share/diversion/file/theme.div: line 127: syntax error: bad substitution

When trying to update Diversion, I get the following error(s):

 amtm 3.0                  by thelonelycoder
 RT-AC68U (armv7l) FW-384.13 @ 192.168.2.1
 The SNBForum Asuswrt-Merlin Terminal Menu

 1  open     Diversion     v4.1.6   -> v4.1.8
 2  open     Skynet        v7.0.2  -> min upd

 6  open     x3mRouting    v1.0.4      no upd

 j5 open     uiDivStats    v1.2.3  -> min upd

Segmentation fault
Segmentation fault
 ep manage   Entware packages          no upd

 e  exit     amtm          v3.0        no upd
_____________________________________________

 Script update(s) available!
_____________________________________________

 Enter option

oddly also my skynet is erroring... is my usb stick bad?

Router Model; RT-AC68U
Skynet Version; v7.0.2 (22/12/2019) (dd1d5c5d4c13aebe626a173365a7c21f)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.1.4)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/usbdrive/skynet (11.3G / 14.3G Space Available)
SWAP File; /tmp/mnt/usbdrive/myswap.swp (2.0G)

IPTables Rules                      | [Failed]

Also failed via update

ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# curl -Os https://diversion.ch/install && sh
install
curl: error while loading shared libraries: /opt/lib/libcrypto.so.1.1: ELF file OS ABI invalid
admin@RT-AC68U-1340:/tmp/home/root#

 

[thelonelycoder]

I have a error after I upgraded to AMTM 3.0

My diversion all of a sudden broke.
I can't open the interface to diversion to start or even uninstall.

Im getting the following errors:

 amtm 3.0                  by thelonelycoder
 RT-AC68U (armv7l) FW-384.13 @ 192.168.2.1
 The SNBForum Asuswrt-Merlin Terminal Menu

 1  open     Diversion                 v4.1.6
 2  open     Skynet                    v7.0.2

 6  open     x3mRouting                v1.0.4

 j5 open     uiDivStats                v1.2.3

 ep manage   Entware packages

 dc manage   Disk check script   dcl show log
 fd run      Format disk         fdl show log
 sw manage   Swap file /mnt/usbdrive 2.0G

 i  show     all available scripts or tools
 u  check    for script updates

    amtm options
 e  exit      t  theme   r  remove   a  about
_____________________________________________

 Enter option  1
/opt/bin/diversion: /opt/share/diversion/file/theme.div: line 127: syntax error: bad substitution

When trying to update Diversion, I get the following error(s):

 amtm 3.0                  by thelonelycoder
 RT-AC68U (armv7l) FW-384.13 @ 192.168.2.1
 The SNBForum Asuswrt-Merlin Terminal Menu

 1  open     Diversion     v4.1.6   -> v4.1.8
 2  open     Skynet        v7.0.2  -> min upd

 6  open     x3mRouting    v1.0.4      no upd

 j5 open     uiDivStats    v1.2.3  -> min upd

Segmentation fault
Segmentation fault
 ep manage   Entware packages          no upd

 e  exit     amtm          v3.0        no upd
_____________________________________________

 Script update(s) available!
_____________________________________________

 Enter option

oddly also my skynet is erroring... is my usb stick bad?

Router Model; RT-AC68U
Skynet Version; v7.0.2 (22/12/2019) (dd1d5c5d4c13aebe626a173365a7c21f)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.1.4)
FW Version; 384.13_0 (Jul 31 2019) (2.6.36.4brcmarm)
Install Dir; /tmp/mnt/usbdrive/skynet (11.3G / 14.3G Space Available)
SWAP File; /tmp/mnt/usbdrive/myswap.swp (2.0G)

IPTables Rules                      | [Failed]

Also failed via update

ASUSWRT-Merlin RT-AC68U 384.14-0 Sat Dec 14 00:39:28 UTC 2019
admin@RT-AC68U-1340:/tmp/home/root# curl -Os https://diversion.ch/install && sh
install
curl: error while loading shared libraries: /opt/lib/libcrypto.so.1.1: ELF file OS ABI invalid
admin@RT-AC68U-1340:/tmp/home/root#

Looks like files are corrupted. Try to run the disk check in amtm. But I doubt it helps.

 

[HairyA00]

Well, one (of several) advantages to keeping Diversion on your router (I’d uninstall Division, though, ), is that the blocking action takes place at your router, and not further downstream on the device with AdBlock Pro on it. And do all your current (and future) devices run AdBlock Pro?

This is not necessarily true. Take a look at my previous post regarding this topic:
https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-198#post-521027

 

[martinr]

This is not necessarily true. Take a look at my previous post regarding this topic:
https://www.snbforums.com/threads/diversion-the-router-ad-blocker.48538/page-198#post-521027

Yes, I remember that post. I just wish I could have uBlock Origin and uMatrix on the browsers on my iOS devices. I do use Brave, but not as often as I should.

 

[HairyA00]

Yes, I remember that post. I just wish I could have uBlock Origin and uMatrix on the browsers on my iOS devices. I do use Brave, but not as often as I should.

There are Safari content blockers available for iOS, but I've noticed they really slow down browsing (NoMoRoBo comes to mind).

For mobile, I do what you're doing: stick to Brave + pixelserv-tls; my experience has been incredibly fast and efficient.

 

[JaimeZX]

Is this what you want?
https://github.com/RMerl/asuswrt-merlin/wiki/Lighttpd-web-server-with-PHP-support-through-Entware

Hey man, thanks for this. Took me a little while to figure out how to configure it (changed some of the paths to suit where I wanted to "serve" files) but it seems to be working well. Thanks for the pointer!

 

[jadog]

Open WinSCP and go to:

/opt/share/diversion/list

Double click on hostslist


Add this Custom hosts list:

https://someonewhocares.org/hosts/zero/hosts
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext&useip=0.0.0.0
https://hosts-file.net/ad_servers.txt
https://hosts-file.net/grm.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/exp.txt
https://hosts-file.net/hjk.txt
https://hosts-file.net/mmt.txt
https://hosts-file.net/psh.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn/hosts
https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hosts
https://raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/master/hosts.txt
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
https://raw.githubusercontent.com/Clefspeare13/pornhosts/master/0.0.0.0/hosts
https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/pornography-hosts
https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/snuff-hosts
https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/gambling-hosts


Extra host for block Social Media: (I do not use it)
https://raw.githubusercontent.com/Sinfonietta/hostfiles/master/social-hosts

Some of these host lists have duplicate entries. If I add the above custom hosts to the hostslist file, how does diversion handle the duplicates? Does it just weed those out, or are there actually duplicates that are potentially causing performance issues?

 

[thelonelycoder]

Some of these host lists have duplicate entries. If I add the above custom hosts to the hostslist file, how does diversion handle the duplicates? Does it just weed those out, or are there actually duplicates that are potentially causing performance issues?

It's an old list you dug up.
Diversion handles duplicates easily, none will get trough.

 

[doczenith1]

Well, one (of several) advantages to keeping Diversion on your router (I’d uninstall Division, though, ), is that the blocking action takes place at your router, and not further downstream on the device with AdBlock Pro on it. And do all your current (and future) devices run AdBlock Pro?

Another advantage that I have found is that when I am not at home I can connect my device to the vpn server on my router and get Diversion's ad blocking anywhere I go. I utilized Diversion out in the Atlantic ocean last year while on a cruise Not sure if the main benefit was no ads or less data to transfer over the very slow wifi.

 

[loady]

may have just wasted £190 on another router, this one doesnt take merlin, should have checked, can i run diversion still ?, its a DSL AC88U

 

[Makaveli]

may have just wasted £190 on another router, this one doesnt take merlin, should have checked, can i run diversion still ?, its a DSL AC88U

No Merlin no Diversion.