Diversion Diversion - the Router Ad-Blocker

[HairyA00]

Yes, I had the Cert.

However, I think I found the issue. I added this domain to the whitelist:
- mobile.pipe.aria.microsoft.com

The weird thing is that it never came up when I was following the log..
*** Not sure if it is possible to use a hosted whitelist and still have your custom whitelist. That would make this amazing

Don't think so, no. But that whitelist doesn't change very often. You can literally add all those domains manually to a custom whitelist and add yours.

 

[suxus]

Hello
A little question, is it possible that Diversion only works if the traffic goes thru the WAN and not a VPN-Connection (1-5)? In my network works Diversion great for all device that use directly WAN, but not for devices that use a VPN connection.
Thank you very much

 

[HairyA00]

Hello
A little question, is it possible that Diversion only works if the traffic goes thru the WAN and not a VPN-Connection (1-5)? In my network works Diversion great for all device that use directly WAN, but not for devices that use a VPN connection.
Thank you very much

With some extra configuration, Diversion will work over a VPN tunnel. The important part is that all DNS queries must be answered by the local DNS server Dnsmasq.

See the website by @Xentrk with detailed instructions:
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

 

[Delusion]

How can I add a domain to whitelist when using a hosted domain? is it possible to allow adding individual domain when also using a hosted whitelist? it would also be great to use more than 1 hosted whitelist

 

[sentinelvdx]

Post the content of /jffs/scripts/post-mount, use SF to show the file in Diversion.
Also, the output of this command is of interest:

df

sf command shows what's attached

Sent from my SM-G965F Duos

 

[Asad Ali]

The command "df" is not responding under amtm or diversion.

'df' (Disk Free) is not an amtm or Diversion command, run it directly in the terminal.

 

[sentinelvdx]

'df' (Disk Free) is not an amtm or Diversion command, run it directly in the terminal.

I have just updated previous post, thanks

Sent from my SM-G965F Duos

 

[thelonelycoder]

sf command shows what's attached

Sent from my SM-G965F Duos

Reboot the router. It seems to run out of memory as Entware is not running the column package install command.

 

[thelonelycoder]

How can I add a domain to whitelist when using a hosted domain? is it possible to allow adding individual domain when also using a hosted whitelist? it would also be great to use more than 1 hosted whitelist

Use your own curated whitelist. Hosted or not. There will not be an option to use several hosted lists in el.

 

[suxus]

Sorry my questions regarding Diversion and VPN was not accurate, i use x3mRouting and i don't think diversion is because i've read Diversion

There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting "Accept DNS Configuration" to either "Strict" or "Disabled".

and x3mRouting needs "Exclusive".

 

[sentinelvdx]

Reboot the router. It seems to run out of memory as Entware is not running the column package install command.

I did before a reboot and didn't work, did one again and swap still not showing under amtm/diversion and pixelserv still not starting.

I only have running FreshQoS, DivStats, AMTM, Diversion, connmon.

Also I've never seen using more than 50% of RAM (at least what WebGUI has shown), and swap was 2GB

UPDATE: I'm unable to create the swap file. It says reference removed from post-mount, every time I try to create it...

What can I do to avoid reinstalling all scripts again?
Also, how do I restore Diversion backup? (I have it already saved it )

Sent from my SM-G965F Duos

 

[thelonelycoder]

Also, how do I restore Diversion backup? (I have it already saved it )

The local backup in d? Just run the install command, Diversion will ask at a prompt.

 

[Nebulaz]

I am running AC86U as main router w/ AC68U as AIMesh Node. I have a USB drive formatted EXT2 as a swap file with 2GB space. I am running DIVERSION, SKYNET and have an OpenVPN client. My goals are to block ads, have the router firewall and route all local traffic through my VPN client on the router. I would like to use Cloudflare my DNS with DoT. However I am running into a few issues: I seem to be able to block ads and not be on 1.1.1.1 w/o DoT or no have any internet at all.

With the settings all below I have access to the internet AND block ads, however no cloudflare or DoT.

If I switch my DNS Server from my local LAN IP to 1.1.1.1, I lose internet connection if all these other screenshot settings stay the same.

Policy Rules are (strict) - I used this from X3MTek's Policy Routing. Is this code actually doing anything? I thought since, under VPN Client "Accept DNS Configuration" I have it set to Disabled, that this DHCP option would route to Cloudflare, is it or is it not functioning? Well it can't be correct as its not demonstrating it at 1.1.1.1/help.

Stubby will no longer install in AMTM. I turned the DoT on and selected Cloudflare as my server. However, if I turn the privacy protocol to NONE and leave the other screenshot settings alone, I lose the internet. With these options on though, I do not show that I am using Cloudflare or using DoT when I navigate to 1.1.1.1/help.

I appreciate any insights. I have been trying to play with different settings for the last 3 days but the family is getting tired of dad trying to figure it out. With it being the weekend already, a fear a mutiny is coming =).

Take care.

 

[dave14305]

If I switch my DNS Server from my local LAN IP to 1.1.1.1, I lose internet connection if all these other screenshot settings stay the same.

For starters, I think you need to set WAN DNS 1 and 2 back to a proper external DNS resolver, or set “Connect to DNS Server automatically” to Yes to use your ISP DNS. Then go to the Tools -> Other Settings and make sure “Wan: Use local caching DNS server as system resolver” is set to No to allow the router to use WAN DNS to set ntp time, initiate DoT, etc.

Make sure your router has the proper date and time synced before trying to use DoT. If you can’t get NTP to sync on boot, solve that first.

You should remove the VPN dhcp-option for 1.1.1.1. @Xentrk used that configuration before Stubby was available.

You want your clients to use the router IP as DNS to take advantage of Diversion and DoT. Your DNSFilter setting is good.

 

[HairyA00]

For starters, I think you need to set WAN DNS 1 and 2 back to a proper external DNS resolver, or set “Connect to DNS Server automatically” to Yes to use your ISP DNS. Then go to the Tools -> Other Settings and make sure “Wan: Use local caching DNS server as system resolver” is set to No to allow the router to use WAN DNS to set ntp time, initiate DoT, etc.

Make sure your router has the proper date and time synced before trying to use DoT. If you can’t get NTP to sync on boot, solve that first.

You should remove the VPN dhcp-option for 1.1.1.1. @Xentrk used that configuration before Stubby was available.

You want your clients to use the router IP as DNS to take advantage of Diversion and DoT. Your DNSFilter setting is good.

Pretty sure that DNS over TLS being enabled overwrites the WAN setting, so that shouldn't matter. I'm assuming this wiki was used for OpenVPN configs? https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

What do you have for your LAN settings for DNS? Both fields DNS Server 1 and DNS Server 2 need to be empty in LAN/DHCP Server.

 

[dave14305]

Pretty sure that DNS over TLS being enabled overwrites the WAN setting, so that shouldn't matter. I'm assuming this wiki was used for OpenVPN configs? https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

What do you have for your LAN settings for DNS? Both fields DNS Server 1 and DNS Server 2 need to be empty in LAN/DHCP Server.

It matters for the router’s own lookups on 384.12 and up (by default). It’s a baby step in getting a good environment for DoT to bootstrap. At least in my experience.

 

[Nebulaz]

It matters for the router’s own lookups on 384.12 and up (by default). It’s a baby step in getting a good environment for DoT to bootstrap. At least in my experience.

I am running 384.13.

Okay, I am at your baseline from changing the requested settings above. WAN is set to connect DNS automatically. Under Tools, Use local cache is set to No. NTP timing is set. I have initiated DoT with Cloudflare 1.1.1.1 under server list for Privacy protocol. Xentrk's config under VPN has been removed.

You want your clients to use the router IP as DNS to take advantage of Diversion and DoT.

How do I ensure that the clients use the router IP as DNS?

All the changes have been made, so I believe like you told HairyA00, I have set up a good environment. However, the result has not yet been achieved. 1.1.1.1/help still shows that I am not connected or using DoT.

I really do appreciate the help. I am fortunate for your expertise.


Take care.

 

[martinr]

.
How do I ensure that the clients use the router IP as DNS?

Take care.

In DNSFilter, under LAN, turn DNS Filter On and set the Global Mode to Router.

 

[dave14305]

I am running 384.13.

Okay, I am at your baseline from changing the requested settings above. WAN is set to connect DNS automatically. Under Tools, Use local cache is set to No. NTP timing is set. I have initiated DoT with Cloudflare 1.1.1.1 under server list for Privacy protocol. Xentrk's config under VPN has been removed.



How do I ensure that the clients use the router IP as DNS?

All the changes have been made, so I believe like you told HairyA00, I have set up a good environment. However, the result has not yet been achieved. 1.1.1.1/help still shows that I am not connected or using DoT.

View attachment 18973


I really do appreciate the help. I am fortunate for your expertise.


Take care.

Like @HairyA00 mentioned, make sure there are no entries on the LAN / DHCP Server page for DNS 1 or 2 fields. They must be blank for DNSFilter router mode to give the desired results.

 

[HairyA00]

I am running 384.13.

Okay, I am at your baseline from changing the requested settings above. WAN is set to connect DNS automatically. Under Tools, Use local cache is set to No. NTP timing is set. I have initiated DoT with Cloudflare 1.1.1.1 under server list for Privacy protocol. Xentrk's config under VPN has been removed.



How do I ensure that the clients use the router IP as DNS?

All the changes have been made, so I believe like you told HairyA00, I have set up a good environment. However, the result has not yet been achieved. 1.1.1.1/help still shows that I am not connected or using DoT.

View attachment 18973


I really do appreciate the help. I am fortunate for your expertise.


Take care.

NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.

Source: https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

Another quick way to verify is to go here and see if you have only ONE Cloudflare entry: https://dns-leak.com/