Diversion Diversion - the Router Ad-Blocker

[joe scian]

I was reviewing the past few pages, and while it has nothing to do with the "dirty needles" usb thumbdrive analogy someone made (ugh), I wanted to mention an oddity that cropped up with Diversity when using v384.12 alpha (now on stable). I had Amtm set to reboot twice a week in the wee hours, and when I checked on things the next morning, Diversity would be down, although Skynet (and others) would be running (happened repeatedly). I saw some people talking about how bad some USB drives performed and that they had switched over to an SSD, so I did the same and it seems to have solved the problem. There is no doubt the SSD (has swap installed also) is much more responsive than the USB thumbdrive, so maybe it can handle the haphazard OS startup procedure better (guessing). So, based on my limited experience, I would definitely recommend an SSD. I saw some discussion about the best enclosures, with Ugreen being mentioned positively; I'm using a Sabrent USB 3.0 enclosure, and it seems to be working fine also.

the obvious question is is why are you rebooting router twice a week - seems a pointless exercise and potentially contributing to your corruption.

 

[Ro berto]

the obvious question is is why are you rebooting router twice a week - seems a pointless exercise and potentially contributing to your corruption.

actually the key question is "When did Diversion turn into Diversity?" I know it's pride month but it took me by surprise!

Speaking of diversion, the definition in spanish (diversión) has several meanings, the most common of them is "fun, amusement, recreation..." like amusement park (Parque de diversiones)

 

[Elmer]

the obvious question is is why are you rebooting router twice a week - seems a pointless exercise and potentially contributing to your corruption.

The obvious question is why would amtm have "another" reboot scheduler if rebooting wasn't an option that some users need. I tried many paths and an occasional reboot keeps the household happy. But, stay in your little world and criticize - I'm just trying to help some fellow internet travelers. As for diversity, it was an odd mistake, but as said, it's "fun"-ny, and I'll leave it. Some of us don't know everything, and actually do make mistakes.

 

[thelonelycoder]

The obvious question is why would amtm have "another" reboot scheduler if rebooting wasn't an option that some users need.

The reason why I built the reboot scheduler into amtm is explained in the amtm thread.
Essentially, as for everything in amtm and amtm itself, it breaks down to one reason why I volunteer to spend countless hours to create and improve amtm and Diversion: Users use it.

 

[consorts]

can someone look at diversion's weekly overnight routine log entries and tell me if there is anything i need to adjust somewhere - as there seems to be a lot of error like dialog here;

https://pastebin.com/3KmWkLU2

dnsmasq[814]: Insecure DS reply received for net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers

 

[Mutzli]

can someone look at diversion's weekly overnight routine log entries and tell me if there is anything i need to adjust somewhere - as there seems to be a lot of error like dialog here;

https://pastebin.com/3KmWkLU2

dnsmasq[814]: Insecure DS reply received for net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers

Here is my setting and I have none of your log entries:

 

[dave14305]

can someone look at diversion's weekly overnight routine log entries and tell me if there is anything i need to adjust somewhere - as there seems to be a lot of error like dialog here;

https://pastebin.com/3KmWkLU2

dnsmasq[814]: Insecure DS reply received for net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers

Since that is a screenshot of your LAN DHCP page, it would suggest your clients aren't using the router and Diversion for DNS, unless you have DNSFilter enabled with Router mode. What are your DNS settings on the WAN page?

Whatever DNS server is configured on your WAN page must support DNSSEC, but it's also likely that Diversion (or SkyNet) is trying to parse potentially invalid DNS names from a blocking list or shared list.

 

[Jumpstarter]

what is this feature for

My real question is , If i do not configure a Skynet fast switch, and i decide to use my fast switch with diversion, will skynet still protect with the regular default skynet if i do not use a fast switch option for it?

 

[thelonelycoder]

My real question is , If i do not configure a Skynet fast switch, and i decide to use my fast switch with diversion, will skynet still protect with the regular default skynet if i do not use a fast switch option for it?

Both, Skynet and Diversion, have a fast switch fs feature to use a (presumably smaller or less aggressive) blocking set. If both are configured and you enable the Skynet fast switch in Diversion it will switch both of them at the same time if you switch it in Diversion. If not enabled in Diversion, Skynet will continue to block the with the current set.

 

[Jumpstarter]

Both, Skynet and Diversion, have a fast switch fs feature to use a (presumably smaller or less aggressive) blocking set. If both are configured and you enable the Skynet fast switch in Diversion it will switch both of them at the same time if you switch it in Diversion. If not enabled in Diversion, Skynet will continue to block the with the current set.

Okay I was just concerned that if i decide to use my Smaller FS with diversion, that if i didn't make a skynet FS, then skynet would no longer be blocking.

thank you for your response, I didn't mean to post in two places, I just didn't know which place would be the best place to ask.

 

[nzwayne]

https://github.com/kvic-z/pixelserv...ificate#import-pixelserv-ca-on-client-devices

Browse to http://192.168.1.2/ca.crt (or replace your pixelserv IP), and import the CA cert on all your main devices to solve that problem.

On my RT-AX88U setup (FW-384.12 & Diversion 4.1.2) I have installed the CA certificate as per https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#import-pixelserv-ca-on-client-devices Done this for Firefox, Edge & Internet explorer on my Windows 10 64bit Pro platform. If I try to repeat to install it, says "already installed". What I'm getting though after that cert install, is this error message....
Ideas please!! Thks.

 

[dave14305]

On my RT-AX88U setup (FW-384.12 & Diversion 4.1.2) I have installed the CA certificate as per https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#import-pixelserv-ca-on-client-devices Done this for Firefox, Edge & Internet explorer on my Windows 10 64bit Pro platform. If I try to repeat to install it, says "already installed". What I'm getting though after that cert install, is this error message.... View attachment 18526
Ideas please!! Thks.

Perhaps you put it in the wrong cert store.

1. Click "Install Certificate.." and select "Local Machine".
2. Click "Place all certificate in the following store" on next screen.
3. Click "Browse..." and select "Trusted Root Certification Authorities".
4. Click "Next" and then "Finish" on next screen.

Restart browser to take effect.

 

[Asad Ali]

On my RT-AX88U setup (FW-384.12 & Diversion 4.1.2) I have installed the CA certificate as per https://github.com/kvic-z/pixelserv-tls/wiki/Create-and-Import-the-CA-Certificate#import-pixelserv-ca-on-client-devices Done this for Firefox, Edge & Internet explorer on my Windows 10 64bit Pro platform. If I try to repeat to install it, says "already installed". What I'm getting though after that cert install, is this error message.... View attachment 18526
Ideas please!! Thks.

Firefox by default doesn't trust certificates installed via Windows certificate trust store, you need to either import the certificate directly in Firefox or enable Windows certificate support.

You can enable this feature in about:config by this boolean value:

security.enterprise_roots.enabled

and set it to true.

 

[nzwayne]

Perhaps you put it in the wrong cert store.

Yep..maybe wrong place . When I go to install again, get advised the certificate is already installed, but doesn't advise where.

I manually looked through all the certificates under "Certificates - Local Computer" and didn't see any with text of "pixelserv". Did the same with Windows regedit and no hits. What should I be looking for to remove, to allow re-install?

 

[Asad Ali]

Yep..maybe wrong place . When I go to install again, get advised the certificate is already installed, but doesn't advise where.
View attachment 18530

I manually looked through all the certificates under "Certificates - Local Computer" and didn't see any with text of "pixelserv". Did the same with Windows regedit and no hits. What should I be looking for to remove, to allow re-install?

Are you getting certificate errors on Egde as well or it's just Firefox?

 

[dave14305]

Yep..maybe wrong place . When I go to install again, get advised the certificate is already installed, but doesn't advise where.
View attachment 18530

I manually looked through all the certificates under "Certificates - Local Computer" and didn't see any with text of "pixelserv". Did the same with Windows regedit and no hits. What should I be looking for to remove, to allow re-install?

It should be under Trusted Root Certificates named Pixelserv CA, IIRC.

 

[thelonelycoder]

It should be under Trusted Root Certificates named Pixelserv CA, IIRC.

Or named with the pixelserv-tls IP address, something like 192.168.1.2:443

 

[thelonelycoder]

Yep..maybe wrong place . When I go to install again, get advised the certificate is already installed, but doesn't advise where.
View attachment 18530

I manually looked through all the certificates under "Certificates - Local Computer" and didn't see any with text of "pixelserv". Did the same with Windows regedit and no hits. What should I be looking for to remove, to allow re-install?

Looks like a Firefox pop up. Look for the certificate named after your pixelserv-tls IP, it'll be registered as something like this: 192.168.1.2:443

In Firefox, the certs are viewable in Options / Privacy and Security. At the bottom of that page are the Certificates. It should be listed under Servers.

 

[FTC]

Hi, I have diversion installed in my ax88, and it insists on managing my swapper file through the post_mount script. This is fine with me, *except* that it wants to run the swapon command at *every* post_mount invocation.. and I have 2 USB drives hooked, being the drive where the swapper file exists mounted first, so 'swapon' gets called normally twice (the second one being unnecessary and even possibly risky)..
If I code an 'if' sentence in front of the swapper activation to make sure swapon is only ran when the partition holding the swapfile is mounted, then everytime I run the 'diversion' command the 'if' gets removed... and the file restored to the way diversion wants it to be.. is there any way to avoid this and tell diversion for instance that I will manage swapper my own ?

 

[thelonelycoder]

Hi, I have diversion installed in my ax88, and it insists on managing my swapper file through the post_mount script

*Swap file* will do.

This is fine with me, *except* that it wants to run the swapon command at *every* post_mount invocation.. and I have 2 USB drives hooked, being the drive where the swapper file exists mounted first, so 'swapon' gets called normally twice (the second one being unnecessary and even possibly risky)..

What risk? It runs an explicit command for an explicit file. If the swap file is already active the command is ignored.

If I code an 'if' sentence in front of the swapper activation to make sure swapon is only ran when the partition holding the swapfile is mounted, then everytime I run the 'diversion' command the 'if' gets removed... and the file restored to the way diversion wants it to be..

For compatibility reasons with Skynet the better alternative code is not in use. And Diversion is very picky with it's own files. Best to leave them untouched, the checks are there for a very good reason.

is there any way to avoid this and tell diversion for instance that I will manage swapper my own ?

No.