Diversion Diversion - the Router Ad-Blocker

[apathy]

Have you tried running this all without the "ds" settings enabled?

I'll try your suggestion. I completely disabled it. Unfortunately the issue only returns every few days. I'll be back in a few days to report the status.

Thank you to anyone who has given me suggestions. I'll be back in a few days with an update about my issue because it usually takes a few days for the issue to rear its ugly head.

 

[martinr]

While I prefer to stay anonymous under the @thelonelycoder handle, here's me, on a recent vacation to my favorite place in the US, Moab in Utah, from a work related trip to freezing Toronto, Canada.
The Colorado river winds its way around me, the colors at sunset are magical. This is bliss.

Lovely to see face behind the pseudonym, Martin. And to see what you’ve been up to as well.
Happy Christmas and 2019, and thanks again for all your hard work keeping us all safe and sound.

 

[bigmog]

Found a curious behavior with Android Pie.

On my Pixel 3 running Android Pi (9), ads are not getting blocked.
On my older Moto X Pure running Android Nougat (7.0), the ads are blocked.

Both have Chrome version 71.

Both devices are on the same network. I disabled mobile data on both devices.

Any ideas why Android Pi is showing the ads?

Diversion 4.0.5 by thelonelycoder
RT-AC86U (aarch64) FW-384.8 @ 192.168.1.1


Android 7.0 : Chrome 71

Android 9 : Chrome 71

 

[dave14305]

Found a curious behavior with Android Pie.

On my Pixel 3 running Android Pi (9), ads are not getting blocked.
On my older Moto X Pure running Android Nougat (7.0), the ads are blocked.

Both have Chrome version 71.

Both devices are on the same network. I disabled mobile data on both devices.

Any ideas why Android Pi is showing the ads?

Diversion 4.0.5 by thelonelycoder
RT-AC86U (aarch64) FW-384.8 @ 192.168.1.1


Android 7.0 : Chrome 71
View attachment 15555


Android 9 : Chrome 71
View attachment 15556

Check if your phone is set to use Private DNS in the Android settings. That would bypass your router’s DNS. It’s the Android 9 implementation of DNS over TLS (DoT).

 

[bigmog]

Check if your phone is set to use Private DNS in the Android settings. That would bypass your router’s DNS. It’s the Android 9 implementation of DNS over TLS (DoT).

Thanks for the useful suggestion.

Private VPN is off. However, the Google Fi VPN was enabled (despite having mobile data LTE disabled).

I disabled Google Fi VPN and the confirmed no banner ad.
Re-enabled Google Fi VPN, and the banner ads re-appeared.

I should think that the Google Fi VPN would be disabled when the mobile data is also disabled but it is a beta feature after all. Thanks for helping tracking down this mystery.

 

[Skeptical.me]

Is there any possible way that I can use policy routing while using Diversion without my dns leaking?? I live in Australia and I have a Roku 4 (I think, its badged with my Service Providers Brand on it) and I have my Antenna connected to it for all the free to air channels. But the catch is it only works if I'm connected to my ISP. And the Roku has all Australian Catch up Apps and News channels Apps, that can only be used when connected to the ISP. The simple solution is to stop the VPN while using the Roku, but there are other devices on my network that cannot be disconnected from the VPN, ever. So I'm stuck. I tried AdGurad Home but that useless for this problem. Is there a solution to this issue, at all?

 

[apathy]

Have you tried running this all without the "ds" settings enabled?

So far it seems to be working OK. Ive been staying around 50% ram usage now. Is there really any benefit to using the ds settings?

 

[road hazard]

I recently made this post: https://www.snbforums.com/threads/is-total-youtube-ad-blocking-possible-at-the-router-level.53988/

.... how effective is Diversion (coupled with Skynet, Pixel) at blocking YouTube ads network wide?

 

[Xentrk]

Is there any possible way that I can use policy routing while using Diversion without my dns leaking?? I live in Australia and I have a Roku 4 (I think, its badged with my Service Providers Brand on it) and I have my Antenna connected to it for all the free to air channels. But the catch is it only works if I'm connected to my ISP. And the Roku has all Australian Catch up Apps and News channels Apps, that can only be used when connected to the ISP. The simple solution is to stop the VPN while using the Roku, but there are other devices on my network that cannot be disconnected from the VPN, ever. So I'm stuck. I tried AdGurad Home but that useless for this problem. Is there a solution to this issue, at all?

We've brought up the DNS leak issue when using Policy Rules + Diversion in the past and had prior discussion with @RMerlin on it. In a nutshell, don't expect any changes to remedy. I've also attemped some hacks with no luck.

I highly doubt DNS leak is the source of your issue based on my testing with multiple streaming media providers. I think the fix for you may be Selective Routing. This involves the mining of dnsmasq.log to obtain the domain names. Then, writing a script to route those domains to WAN or VPN tunnel interface. The netflix-vpn-bypass repo (https://github.com/Xentrk/netflix-vpn-bypass) discusses the method you can use for obtaining the domain names, including the features of IPSET and downloading the IPv4 addresses based on the ASN of the streaming media provider.

From the issue you describe, I think you will need to determine the domains being called when watching the streaming services that only work when connected to WAN interface. Then, write a script to route those domains to the WAN, thereby bypassing the VPN interface.

Edit:
You may want to browse thru the end of the thread for the repo:
https://www.snbforums.com/threads/selective-routing-for-netflix.42661/

Another person is using it as a template for other streaming services he wants to selectively route. This will give you an idea of what is involved.

 

[Skeptical.me]

We've brought up the DNS leak issue when using Policy Rules + Diversion in the past and had prior discussion with @RMerlin on it. In a nutshell, don't expect any changes to remedy. I've also attemped some hacks with no luck.

I highly doubt DNS leak is the source of your issue based on my testing with multiple streaming media providers. I think the fix for you may be Selective Routing. This involves the mining of dnsmasq.log to obtain the domain names. Then, writing a script to route those domains to WAN or VPN tunnel interface. The netflix-vpn-bypass repo (https://github.com/Xentrk/netflix-vpn-bypass) discusses the method you can use for obtaining the domain names, including the features of IPSET and downloading the IPv4 addresses based on the ASN of the streaming media provider.

From the issue you describe, I think you will need to determine the domains being called when watching the streaming services that only work when connected to WAN interface. Then, write a script to route those domains to the WAN, thereby bypassing the VPN interface.

Thank you for the reply. It appears to be DNS leaking, as soon as I setup policy routing with a few devices routed to the WAN I check ipleak.net and my DNS is leaking and I get the Proxy warning on streaming devices. However, I'll take a look at what you've linked and see if I can figure it out, it'll be a challenge but I think I'll enjoy it. Thank you.

 

[Skeptical.me]

We've brought up the DNS leak issue when using Policy Rules + Diversion in the past and had prior discussion with @RMerlin on it. In a nutshell, don't expect any changes to remedy. I've also attemped some hacks with no luck.

I highly doubt DNS leak is the source of your issue based on my testing with multiple streaming media providers. I think the fix for you may be Selective Routing. This involves the mining of dnsmasq.log to obtain the domain names. Then, writing a script to route those domains to WAN or VPN tunnel interface. The netflix-vpn-bypass repo (https://github.com/Xentrk/netflix-vpn-bypass) discusses the method you can use for obtaining the domain names, including the features of IPSET and downloading the IPv4 addresses based on the ASN of the streaming media provider.

From the issue you describe, I think you will need to determine the domains being called when watching the streaming services that only work when connected to WAN interface. Then, write a script to route those domains to the WAN, thereby bypassing the VPN interface.

Edit:
You may want to browse thru the end of the thread for the repo:
https://www.snbforums.com/threads/selective-routing-for-netflix.42661/

Another person is using it as a template for other streaming services he wants to selectively route. This will give you an idea of what is involved.

Thanks for the extra link.

This will be interesting, if I can do it I'll be happy, if not I'll just kick the wall haha

 

[skeal]

Thank you for the reply. It appears to be DNS leaking, as soon as I setup policy routing with a few devices routed to the WAN I check ipleak.net and my DNS is leaking and I get the Proxy warning on streaming devices. However, I'll take a look at what you've linked and see if I can figure it out, it'll be a challenge but I think I'll enjoy it. Thank you.

When you use policy routing, don't enter an ip routed to WAN it makes no sense. Just route the ips or ranges that need vpn through. I've been policy routing for years and see no reason to have a entry in policy rules to route something through WAN unless you are lazy and use the route all traffic setting. Trying to exclude devices from the VPN is hard to do without leaks.

 

[Skeptical.me]

When you use policy routing, don't enter an ip routed to WAN it makes no sense. Just route the ips or ranges that need vpn through. I've been policy routing for years and see no reason to have a entry in policy rules to route something through WAN unless you are lazy and use the route all traffic setting. Trying to exclude devices from the VPN is hard to do without leaks.

Without Diversion installed policy routing is tight, it works perfect on all the ASUS-Merlin routers I've owned. I don't think I can recall a leak.

Edit: I misunderstood you. However if I don't select route ALL with diversion installed it leaks. If you know how I can have diversion installed and have 1 streaming device exposed to the WAN, by all means explain away

 

[Skeptical.me]

When you use policy routing, don't enter an ip routed to WAN it makes no sense. Just route the ips or ranges that need vpn through. I've been policy routing for years and see no reason to have a entry in policy rules to route something through WAN unless you are lazy and use the route all traffic setting. Trying to exclude devices from the VPN is hard to do without leaks.

By the way, I know this is off topic but ... what are a few things in Entware that you find really useful. I looked through Entware and there's just so much there I wouldn't know where to start.

 

[skeal]

By the way, I know this is off topic but ... what are a few things in Entware that you find really useful. I looked through Entware and there's just so much there I wouldn't know where to start.

The only things I have installed with Entware is pixelserv-tls, stubby, bind-dig, htop.

 

[thelonelycoder]

I searched but didn't find anything. Why change the name?

Just to get rid of the ad-block name?

https://diversion.ch/diversion/diversion.html

 

[thelonelycoder]

Handsome bugger!

Aww! First grey hairs started at 25, now at double that age I only have a few of my original light brown hairs left...

 

[thelonelycoder]

I think a useful enhancement to Diversion would be to incorporate kvics reporting script which requires an email notification script (like you already provide) and ideally separate logging for the extra pixelserv logging level. Just an idea to consider.

Added to the (optional) future feature list.

 

[thelonelycoder]

Another quick question.....I am obviously not a network guy etc, so I don't know how this all works. When I am connected to my own router that's running Diversion and I am behind Google VPN, ads don't get blocked. Is there a setting that I can change to fix this ?

If I understand your network correctly, then it looks like this:
ISP --> Asus Router with Diversion --> VPN device
VPN device connects directly through a tunnel to Google VPN, circumventing the router.
Ask Googleto add Diversion on their servers...

 

[thelonelycoder]

Did you do any Slick Rock biking while in Moab?
btw. looking forward to 4.06

The two legged and four wheeled propulsion is my thing. I did see some bikers, but not many. I prefer the off season to have the trails mostly exclusively to myself. That's the way I like it.