Yes, I had the Cert.

However, I think I found the issue. I added this domain to the whitelist:
- mobile.pipe.aria.microsoft.com

The weird thing is that it never came up when I was following the log..
*** Not sure if it is possible to use a hosted whitelist and still have your custom whitelist. That would make this amazing :)

Don't think so, no. But that whitelist doesn't change very often. You can literally add all those domains manually to a custom whitelist and add yours.
 
Hello
A little question: is it possible that Diversion only works if the traffic goes through the WAN and not a VPN connection (1-5)? In my network Diversion works great for all devices that use the WAN directly, but not for devices that use a VPN connection.
Thank you very much
 

With some extra configuration, Diversion will work over a VPN tunnel. The important part is that all DNS queries must be answered by the local DNS server Dnsmasq.

See the website by @Xentrk with detailed instructions:
https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/
 
How can I add a domain to the whitelist when using a hosted domain? Is it possible to allow adding individual domains when also using a hosted whitelist? It would also be great to use more than 1 hosted whitelist.
 
Post the content of /jffs/scripts/post-mount, use SF to show the file in Diversion.
Also, the output of this command is of interest:
Code:
df

The sf command shows what's attached.


Sent from my SM-G965F Duos
 
'df' (Disk Free) is not an amtm or Diversion command, run it directly in the terminal.
I have just updated previous post, thanks

Sent from my SM-G965F Duos
 
Reboot the router. It seems to run out of memory as Entware is not running the column package install command.
 
How can I add a domain to the whitelist when using a hosted domain? Is it possible to allow adding individual domains when also using a hosted whitelist? It would also be great to use more than 1 hosted whitelist.
Use your own curated whitelist. Hosted or not. There will not be an option to use several hosted lists in el.
 
Sorry, my questions regarding Diversion and VPN were not accurate. I use x3mRouting, and I don't think Diversion is, because I've read about Diversion:

There are two options available if you want the OpenVPN client to use DNSMASQ when using Policy Rules. This is done by setting "Accept DNS Configuration" to either "Strict" or "Disabled".

and x3mRouting needs "Exclusive".
 
Reboot the router. It seems to run out of memory as Entware is not running the column package install command.
I did a reboot before and it didn't work; I did one again and swap is still not showing under amtm/Diversion, and pixelserv is still not starting.

I only have running FreshQoS, DivStats, AMTM, Diversion, connmon.

Also, I've never seen it use more than 50% of RAM (at least according to what the WebGUI has shown), and swap was 2GB.

UPDATE: I'm unable to create the swap file. It says reference removed from post-mount, every time I try to create it...

What can I do to avoid reinstalling all scripts again?
Also, how do I restore the Diversion backup? (I already have it saved.)

Sent from my SM-G965F Duos
 
Also, how do I restore the Diversion backup? (I already have it saved.)
The local backup in d? Just run the install command, Diversion will ask at a prompt.
 
I am running an AC86U as main router with an AC68U as AiMesh node. I have a USB drive formatted EXT2 with a 2GB swap file. I am running Diversion, Skynet and have an OpenVPN client. My goals are to block ads, have the router firewall, and route all local traffic through my VPN client on the router. I would like to use Cloudflare as my DNS with DoT. However, I am running into a few issues: I seem to be able to block ads and not be on 1.1.1.1 w/o DoT, or not have any internet at all.

With the settings all below I have access to the internet AND block ads, however no cloudflare or DoT.

If I switch my DNS Server from my local LAN IP to 1.1.1.1, I lose internet connection if all these other screenshot settings stay the same.

Policy Rules are (strict) - I used this from X3MTek's Policy Routing. Is this code actually doing anything? I thought that since, under VPN Client, "Accept DNS Configuration" is set to Disabled, this DHCP option would route to Cloudflare. Is it functioning or not? Well, it can't be correct, as it's not showing up at 1.1.1.1/help.

Stubby will no longer install in amtm. I turned DoT on and selected Cloudflare as my server. However, if I set the privacy protocol to None and leave the other screenshot settings alone, I lose the internet. With these options on, though, I do not show that I am using Cloudflare or using DoT when I navigate to 1.1.1.1/help.

I appreciate any insights. I have been trying to play with different settings for the last 3 days, but the family is getting tired of dad trying to figure it out. With it being the weekend already, I fear a mutiny is coming =).

Take care.
 
If I switch my DNS Server from my local LAN IP to 1.1.1.1, I lose internet connection if all these other screenshot settings stay the same.
For starters, I think you need to set WAN DNS 1 and 2 back to a proper external DNS resolver, or set "Connect to DNS Server automatically" to Yes to use your ISP DNS. Then go to Tools -> Other Settings and make sure "Wan: Use local caching DNS server as system resolver" is set to No, to allow the router to use the WAN DNS to set NTP time, initiate DoT, etc.

Make sure your router has the proper date and time synced before trying to use DoT. If you can’t get NTP to sync on boot, solve that first.

You should remove the VPN dhcp-option for 1.1.1.1. @Xentrk used that configuration before Stubby was available.

You want your clients to use the router IP as DNS to take advantage of Diversion and DoT. Your DNSFilter setting is good.
 
Pretty sure that DNS over TLS being enabled overwrites the WAN setting, so that shouldn't matter. I'm assuming this wiki was used for OpenVPN configs? https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

What do you have for your LAN settings for DNS? Both fields DNS Server 1 and DNS Server 2 need to be empty in LAN/DHCP Server.
 
Pretty sure that DNS over TLS being enabled overwrites the WAN setting, so that shouldn't matter. I'm assuming this wiki was used for OpenVPN configs? https://x3mtek.com/policy-rule-routing-on-asuswrt-merlin-firmware/

What do you have for your LAN settings for DNS? Both fields DNS Server 1 and DNS Server 2 need to be empty in LAN/DHCP Server.
It matters for the router’s own lookups on 384.12 and up (by default). It’s a baby step in getting a good environment for DoT to bootstrap. At least in my experience.
 
It matters for the router’s own lookups on 384.12 and up (by default). It’s a baby step in getting a good environment for DoT to bootstrap. At least in my experience.

I am running 384.13.

Okay, I am at your baseline from changing the requested settings above. WAN is set to connect DNS automatically. Under Tools, Use local cache is set to No. NTP timing is set. I have initiated DoT with Cloudflare 1.1.1.1 under server list for Privacy protocol. Xentrk's config under VPN has been removed.

You want your clients to use the router IP as DNS to take advantage of Diversion and DoT.

How do I ensure that the clients use the router IP as DNS?

All the changes have been made, so I believe like you told HairyA00, I have set up a good environment. However, the result has not yet been achieved. 1.1.1.1/help still shows that I am not connected or using DoT.


I really do appreciate the help. I am fortunate for your expertise.


Take care.
 
Like @HairyA00 mentioned, make sure there are no entries on the LAN / DHCP Server page for DNS 1 or 2 fields. They must be blank for DNSFilter router mode to give the desired results.
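The baseline the replies above describe (WAN DNS set or automatic, the local caching resolver not used as system resolver, DoT enabled, and the LAN / DHCP Server DNS 1 and 2 fields blank) can be checked from the router's shell. This is an added example script, not from the thread, amtm, or Diversion; the nvram variable names it reads are assumptions about asuswrt-merlin and should be confirmed with `nvram show` before relying on them. Off the router it falls back to environment variables of the same names, so it can be dry-run with constructed values.

```shell
#!/bin/sh
# Added example: verify the Diversion + DoT baseline discussed in the thread.
# nvram names below are ASSUMED asuswrt-merlin keys; confirm with `nvram show`.

# get_setting NAME DEFAULT: read nvram on the router; otherwise fall back to an
# environment variable of the same name (lets the checks run offline).
get_setting() {
    if command -v nvram >/dev/null 2>&1; then
        nvram get "$1"
    else
        eval "printf '%s' \"\${$1:-$2}\""
    fi
}

# check_dot_baseline: prints one line per misconfiguration, returns the count.
check_dot_baseline() {
    problems=0
    # LAN / DHCP Server: DNS Server 1 and 2 must be blank so clients are handed
    # the router IP and every query goes through Dnsmasq (Diversion, DNSFilter, DoT).
    for key in dhcp_dns1_x dhcp_dns2_x; do
        v=$(get_setting "$key" "")
        if [ -n "$v" ]; then
            echo "LAN DHCP $key is '$v'; it must be blank"
            problems=$((problems + 1))
        fi
    done
    # Tools -> Other Settings: the router itself should use WAN DNS so NTP sync
    # and the DoT bootstrap do not depend on the not-yet-running local resolver.
    if [ "$(get_setting dns_local_cache 0)" != "0" ]; then
        echo "'Use local caching DNS server as system resolver' is on; set it to No"
        problems=$((problems + 1))
    fi
    # WAN: either automatic ISP DNS, or at least WAN DNS 1 filled in.
    if [ "$(get_setting wan_dnsenable_x 1)" = "0" ] && [ -z "$(get_setting wan_dns1_x "")" ]; then
        echo "WAN DNS is manual but WAN DNS 1 is empty; set a resolver or use automatic"
        problems=$((problems + 1))
    fi
    # DNS Privacy protocol must be DoT (assumed value 1) for Stubby to be used.
    if [ "$(get_setting dnspriv_enable 0)" != "1" ]; then
        echo "DNS Privacy protocol is not DoT"
        problems=$((problems + 1))
    fi
    return "$problems"
}

check_dot_baseline || echo "$? problem(s) found"
```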
 
NOTE: There is currently an issue with the popular DoT/DoH test site provided by Cloudflare where it will fail to use properly signed DNSSEC hostnames during the test, causing the test to fail to correctly detect that you are using DoT. This does not indicate that your setup doesn't work, and is something that will hopefully eventually be fixed by Cloudflare. You can avoid this by temporarily disabling validation of unsigned records, however it is recommended to re-enable that option afterward.

Source: https://github.com/RMerl/asuswrt-merlin/wiki/DNS-Privacy

Another quick way to verify is to go here and see if you have only ONE Cloudflare entry: https://dns-leak.com/
 