Diversion Diversion - the Router Ad-Blocker

[Ninko]

I have been looking through the thread but there's a lot of conflicting advise, is it best to whitelist a load of Amazon domains or switch off pixelserv-tls?

Thanks

 

[L&LD]

What does one have to do with the other?

 

[Ninko]

What does one have to do with the other?

Or maybe just uninstall Division altogether and have done with it!
Nothing changes with you does it.

 

[QuikSilver]

I have been looking through the thread but there's a lot of conflicting advise, is it best to whitelist a load of Amazon domains or switch off pixelserv-tls?

Thanks

Or maybe just uninstall Division altogether and have done with it!
Nothing changes with you does it.

One could argue that the reason there is conflicting advice is because each person's network is unique to them, meaning what may work for one may not for the other.

 

[CriticJay]

I have been looking through the thread but there's a lot of conflicting advise, is it best to whitelist a load of Amazon domains or switch off pixelserv-tls?

Thanks

1. If you want to spend some time doing troubleshooting and determine exactly which domain is causing the issue with Amazon app, so you can whitelist it, then you can do that and continue to use Pixelserv-TLS (like me)

2. If you don't want to spend time doing troubleshooting, and just need to get the Amazon Shopping app running again ASAP (maybe your wife or girlfriend is bothering you) then you can just disable Pixelserv-TLS from within Diversion (which will disable it properly).

 

[lokester]

Needing some advice. Asus RT-AC88U router with latest Merlin. Had been running Pi-Hole on Raspberry PI, so had my DNS server field on Router config pointing to Raspberry Pi. Also had IP-Tables on Raspberry Pi set up with "recommended" rules from Raspberry Pi forum. A few months ago, I removed Pi-Hole from the RPi and installed/enabled Diversion on the RT-AC88U via AMTM. After installation of Diversion, I noticed it removed my static DNS address, so the RPi is no longer serving as my DNS server. IPCONFIG command from my PC confirms DNS server is the AC88U router IP 192.168.1.1

Looking at the "kern.log" on the Raspberry Pi, I am seeing where " iptables denied: IN=eth0 OUT= MAC=ff:ff ... SRC=192.168.1.1 DST=192.168.1.255 LEN=168 ... TTL=64 ID=0 DF PROTO=UDP SPT=39042 DPT=7788 LEN=148" and this message is happening every 10 to 15 seconds. IP 192.168.1.1 is the router IP. Not sure what 192.168.1.255 is but assume something to do with the router as well.

Other than cluttering up the log file, not sure it is causing me any grief, but not sure I need IPTABLES running on my Raspberry Pi blocking traffic on the Router?

So my question is this: Since I am no longer using the RPi as my DNS server, do I need to remove the IPTABLES rules that I added on the RPi ?

 

[QuikSilver]

Needing some advice. Asus RT-AC88U router with latest Merlin. Had been running Pi-Hole on Raspberry PI, so had my DNS server field on Router config pointing to Raspberry Pi. Also had IP-Tables on Raspberry Pi set up with "recommended" rules from Raspberry Pi forum. A few months ago, I removed Pi-Hole from the RPi and installed/enabled Diversion on the RT-AC88U via AMTM. After installation of Diversion, I noticed it removed my static DNS address, so the RPi is no longer serving as my DNS server. IPCONFIG command from my PC confirms DNS server is the AC88U router IP 192.168.1.1

Looking at the "kern.log" on the Raspberry Pi, I am seeing where " iptables denied: IN=eth0 OUT= MAC=ff:ff ... SRC=192.168.1.1 DST=192.168.1.255 LEN=168 ... TTL=64 ID=0 DF PROTO=UDP SPT=39042 DPT=7788 LEN=148" and this message is happening every 10 to 15 seconds. IP 192.168.1.1 is the router IP. Not sure what 192.168.1.255 is but assume something to do with the router as well.

Other than cluttering up the log file, not sure it is causing me any grief, but not sure I need IPTABLES running on my Raspberry Pi blocking traffic on the Router?

So my question is this: Since I am no longer using the RPi as my DNS server, do I need to remove the IPTABLES rules that I added on the RPi ?

192.168.1.255 is considered the "broadcast address" for your 192.168.1.XXX network. If the RPi is no longer needed then I would remove it. If not to fix this (if it does), but to help clean up in case you need to troubleshoot the network in the future.

 

[lokester]

Thanks for the info on the .255 broadcast address. The RPi is doing other things for me, so it needs to stay. I guess I do not understand enough about "iptables" and I just don't understand how the RPi can get involved with a route within the router? Maybe I just need to uninstall the "iptables" from the RPi and let the Router take care of everything?

 

[QuikSilver]

Maybe I just need to uninstall the "iptables" from the RPi and let the Router take care of everything?

I would...."less cooks in the kitchen".

 

[lokester]

Getting rid of iptables on the RPi cleaned up a lot of clutter on my log files.
Thank you for the help.

 

[thelonelycoder]

Actually ......

Vacation was 1h 39m
European Vacation was 1h 35m

I admit, I don't get it. Can anyone enlighten me?

 

[Treadler]

I admit, I don't get it. Can anyone enlighten me?

Me neither, glad I’m not the only one.

 

[Jack Yaz]

I admit, I don't get it. Can anyone enlighten me?

LMGTFY ;-)

Vacation (2015 film) - Wikipedia

en.wikipedia.org

National Lampoon's European Vacation - Wikipedia

en.wikipedia.org

 

[thelonelycoder]

LMGTFY ;-)

Vacation (2015 film) - Wikipedia

en.wikipedia.org

National Lampoon's European Vacation - Wikipedia

en.wikipedia.org

I knew it was something trivial, thanks.

 

[yucca1960]

Hi! first of all thanks to everybody for all the help that you guys give to all of us who does not know anything about scripts or coding.
I have a question, follow instructions and install diversion but when trying to start youtube ad blocking (b,#8,#1) I get this error:
( Error No recent YouTube domain found, view
some YouTube videos in a browser!) it does not matter how long I watch youtube videos and adds the result is the same. please be gentle

 

[minhgi]

Recently I keep getting the error "something went wrong at our end" when using Amazon shopping app. Going by what I've read the problem is being caused by Division blocking something.
Is there anyway to fix this problem?

Thanks

Hope not to late. I have similar issue with the amazon app not working and see some help post with amazon whitelisting dns. If you whitelist all of those dns, your amazon shopping should work. Mine was fixed three days ago after using diversion full time. Weird that whitelisting amazon-adsystem.com didn't work but required the below dns.

aan.amazon-adsystem.com
aax-us-east.amazon-adsystem.com
aax-us-pdx.amazon-adsystem.com
aax.amazon-adsystem.com
c.amazon-adsystem.com
mads.amazon-adsystem.com
s.amazon-adsystem.com

 

[yucca1960]

thanks, I did find the problem it was my router settings . do really appreciated

 

[Thomas Szücs]

Hallo

I have an issue with pixelserv-tls keep crashing. Any idea on what it might be? I can Disable and Enable it again, but after a day or so, it crashes again.

 

[thelonelycoder]

Hallo

I have an issue with pixelserv-tls keep crashing. Any idea on what it might be? I can Disable and Enable it again, but after a day or so, it crashes again.

View attachment 25134

Look in the routers Syslog, there will be entries for pixelserv-tls.

 

[Thomas Szücs]

It died again..

Aug  4 11:50:05 Diversion: restarted Dnsmasq to apply settings
Aug  4 11:50:05 uiDivStats: dnsmasq has restarted, restarting taildns
Aug  4 11:50:09 rc_service: service 25505:notify_rc restart_dnsmasq
Aug  4 11:50:09 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
Aug  4 11:50:10 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Aug  4 11:50:11 Diversion: created br0:pixelserv-tls for 192.168.1.2
Aug  4 11:50:11 pixelserv-tls[26108]: pixelserv-tls 2.3.1 (compiled: Jun 12 2020 20:24:48 flags: tls1_3) options: 192.168.1.2
Aug  4 11:50:11 Entware (armv7sf-k2.6): Started pixelserv-tls (Diversion)
Aug  4 11:50:11 pixelserv-tls[26108]: Listening on :192.168.1.2:443
Aug  4 11:50:11 pixelserv-tls[26108]: Listening on :192.168.1.2:80
Aug  4 11:50:11 Diversion: restarted Dnsmasq to apply settings
Aug  4 11:50:12 uiDivStats: dnsmasq has restarted, restarting taildns
Aug  4 12:00:00 uiDivStats: Stale lock file found (>600 seconds old) - purging lock
Aug  4 12:03:12 dropbear[1485]: Exit (admin) from <192.168.1.4:54395>: Error reading: Connection reset by peer
Aug  4 12:32:37 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY OK: depth=1, C=HK, ST=Central, L=HK, O=Secure-ServerCA, OU=IT, CN=Secure-ServerCA, name=Secure-ServerCA, emailAddress=mail@host.domain
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY KU OK
Aug  4 12:41:28 ovpn-client1[1957]: Validating certificate extended key usage
Aug  4 12:41:28 ovpn-client1[1957]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY EKU OK
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY OK: depth=0, C=HK, ST=Central, L=HK, O=Secure-Server, OU=IT, CN=Secure-Server, name=changeme, emailAddress=mail@host.domain
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1552'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Aug  4 12:41:28 ovpn-client1[1957]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  4 12:41:28 ovpn-client1[1957]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  4 12:41:28 ovpn-client1[1957]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  4 12:46:27 dropbear[20870]: Child connection from 192.168.1.4:55015
Aug  4 12:46:33 dropbear[20870]: Password auth succeeded for 'admin' from 192.168.1.4:55015