Diversion Diversion - the Router Ad-Blocker

[thelonelycoder]

Real life interferes, Diversion update has to wait

 

[thelonelycoder]

Diversion 4.1.4 is now available

What's new in Diversion 4.1.4
- Now checks and sets to 'Yes' during installation: "Wan: Use local caching DNS server as system resolver (default: No)".
- New option in b to use a LAN blocking IP address instead of the local pixelserv-tls or NULL IP 0.0.0.0. This is for advanced users only.
- Correctly reverses IP in pointer record (ptr-record) added to Dnsmasq. Thanks @dave14305 for reporting.
- Checks for NPT date being synced before generating pixelserv-tls CA certificate.
- Option in ep to re-generate pixelserv-tls CA certificate (ca.crt, ca.key). New CA certificate has a 10 year validity and creates an EKU Extended Key Usage valid certificate.
- Expiry date is now shown in ep, 3 for the pixelserv-tls certificates.
- Option in ep, 6, 3 to install @Jack Yaz pixelserv-tls v2.3.0 which is compatible with new required security settings enforced by Apple and soon other companies.

For iOS 13 and MacOS 10.15 users: Requirements for trusted certificates changed: https://support.apple.com/en-us/HT210176
To be ready, the following steps are required if pixelserv-tls v2.2.1 or older is installed on your router.
1. Update Diversion to this latest version
2. Install Jack Yaz's pixelserv-tls v2.3.0 in ep, 6, 3
3. Re-generate the pixelserv-tls CA certificate in ep, 3, 2 (all domain certificates will be purged during that step)
4. Import the new pixelserv-tls CA certificate (ca.crt) into browsers and devices, replacing the previous certificate.
Open the certificate link in a browser with your pixelserv-tls IP address, typically this is 192.168.1.2/ca.crt and import it.

You may update pixelserv-tls to v2.3.0 even if you have no Apple devices. The steps above are still required if you do so.
As of now, there is no concrete feedback from the original developer of pixelserv-tls that an update through the regular Entware channel is in the works. I have had contact through a third party with the developer, but here we are. For this reason, Jack Yaz has taken on that challenge so we all can be compliant with Apples demands.

How to update Diversion
Use u or d and select Update.

 

[Asad Ali]

As of now, there is no concrete feedback from the original developer of pixelserv-tls that an update through the regular Entware channel is in the works. I have had contact through a third party with the developer, but here we are.

If you don't mind us telling, how long ago was this contact, did you happen to talk with @kvic ? I'm seriously concerned about his well being, it's been months since there's any news about him.

 

[thelonelycoder]

If you don't mind us telling, how long ago was this contact, did you happen to talk with @kvic ? I'm seriously concerned about his well being, it's been months since there's any news about him.

Recently, he's well but busy.

 

[Asad Ali]

Recently, he's well but busy.

Okay that's a comforting news, thanks for the update.

 

[jsbeddow]

Diversion 4.1.4 is now available

What's new in Diversion 4.1.4
- Now checks and sets to 'Yes' during installation: "Wan: Use local caching DNS server as system resolver (default: No)".

I am curious as to why this change (above)? Though I followed the reasoning behind Merlin's decision to change this setting to "No", I have yet to grasp why Diversion would now "prefer" (require?) this setting to be "Yes". Can you elaborate? I know some people claim a performance benefit, but it seems largely theoretical and somewhat controversial, so I have been running with Merlin's recommended setting since he changed the default.

 

[Ro berto]

so we all can be compliant with Apples demands.

 

[skeal]

What do log entries like this mean sir?

Sep 20 05:02:19 pixelserv-tls[22006]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/womanear.com

Noticed after the upgrade to new Diversion and Pixelserv JackYaz.

Also the install did not set my local dns caching setting to yes as explained in the twitter release post. AX88U also didn't reboot after install.

Never mind I figured it out. These are the purged certificates.

 

[Mutzli]

Do I still have to run option ps in AMTM to update the certificate for the WebUI?

 

[Delusion]

I am curious as to why this change (above)? Though I followed the reasoning behind Merlin's decision to change this setting to "No", I have yet to grasp why Diversion would now "prefer" (require?) this setting to be "Yes". Can you elaborate? I know some people claim a performance benefit, but it seems largely theoretical and somewhat controversial, so I have been running with Merlin's recommended setting since he changed the default.

It should be set to 'No' and too bad cause I feel 'Yes' is more responsive . When its set to 'Yes' the connection Icon turns off, the internet works fine but Skynet for instance thinks there is no internet connection . ..
Too bad its like that. Some versions ago local caching DNS was working fine ....
After a restart you also might have issues with clock syncing and such... this feature should be set to 'No' . I also wonder why Diversion set it to YES.

Spoiler: Connection Icon turns off but connection works

 

[Mutzli]

Do I still have to run option ps in AMTM to update the certificate for the WebUI?

Yes, I still had to update the certificate manually to have the WebUI display the green padlock after updating the certificate with the new 2048 bit pixelserv-tls CA.

 

[thelonelycoder]

I am curious as to why this change (above)? Though I followed the reasoning behind Merlin's decision to change this setting to "No", I have yet to grasp why Diversion would now "prefer" (require?) this setting to be "Yes". Can you elaborate? I know some people claim a performance benefit, but it seems largely theoretical and somewhat controversial, so I have been running with Merlin's recommended setting since he changed the default.

For my liking, too many users complained that adblocking is no longer working when the router was updated to this firmware. Since the 'Yes' setting was standard before in all Merlin releases I figured this best be set by Diversion.
You can always change it back, it only sets it during installation wkth a message that it did so.

 

[thelonelycoder]

Do I still have to run option ps in AMTM to update the certificate for the WebUI?

The certificate for the WebUI is generated by pixelserv-tls. With the new version v2.3.0, the compliant certificate will be re-generated.

 

[thelonelycoder]

It should be set to 'No' and too bad cause I feel 'Yes' is more responsive . When its set to 'Yes' the connection Icon turns off, the internet works fine but Skynet for instance thinks there is no internet connection . ..
Too bad its like that. Some versions ago local caching DNS was working fine ....
After a restart you also might have issues with clock syncing and such... this feature should be set to 'No' . I also wonder why Diversion set it to YES.

Spoiler: Connection Icon turns off but connection works

I think you mix up things. For most Diversion installations, the setting 'Yes' is the correct setting.

 

[Smokey613]

Is this DNS setting under the WAN screen? I do not see it on mine, provided I am looking in the correct location.

 

[Mutzli]

Is this DNS setting under the WAN screen? I do not see it on mine, provided I am looking in the correct location.

Tools - under second tab.

 

[Smokey613]

Tools - under second tab.

Thanks, found it.

 

[bluepoint]

For my liking, too many users complained that adblocking is no longer working when the router was updated to this firmware. Since the 'Yes' setting was standard before in all Merlin releases I figured this best be set by Diversion.
You can always change it back, it only sets it during installation wkth a message that it did so.

Just so you know in rt-ax88u or maybe other models, when local caching DNS server is set to yes, the NTP does not function @boot time, therefore, any components that rely on exact time doesn't start. This behaviour doesn't happen in my old 68P.

 

[thelonelycoder]

Just so you know in rt-ax88u or maybe other models, when local caching DNS server is set to yes, the NTP does not function @boot time, therefore, any components that rely on exact time doesn't start. This behaviour doesn't happen in my old 68P.

I'll double check on mine but I doubt it.

 

[Asad Ali]

Just so you know in rt-ax88u or maybe other models, when local caching DNS server is set to yes, the NTP does not function @boot time, therefore, any components that rely on exact time doesn't start. This behaviour doesn't happen in my old 68P.

I'm not seeing any such behavior on my RT-AX88U. Make sure you're not using any scripts which interferes with ntp_ready nvram variable.