Diversion Diversion - the Router Ad-Blocker

[Stardust]

How to make sure it works, both regarding WAN settings with no VPN and with (Nord)VPN? Settings?

Regards

 

[Xentrk]

How to make sure it works, both regarding WAN settings with no VPN and with (Nord)VPN? Settings?

Regards

Using Policy Rules or Policy Rules (Strict) combined with the Accept DNS Configuration = Exclusive will prevent Diversion from working over the VPN tunnel as dnsmasq on the router is bypassed. Use Disabled, Relaxed or Strict.

 

[SomeWhereOverTheRainBow]

This experimental feature is an attempt to reduce YouTube video ads. The success rate that it prevents ads from playing is relatively low but can be at times very high or frustratingly ineffective.

After setup, all devices running through the router help adding to the forced IP redirect list which typically grows to a unique domain count of about 200-400 over time. The Skip Ad button, if shown, can safely be clicked, the request for the domain has at this time already passed through the router and will be picked up at the next count point (counter at x of xx) and added if not previously seen to the redirect list.

I believe some changes I made in the local development code may have increased the success rate, pending further testing and tweaking. Cross fingers and keep your hopes low...

With all that being said, even with out the youtube magic, Diversion is by far the best "router-base" ad blocking solution. Some users say it blocks too much. I think of that as a testament of the strength of your finished product.

 

[datan]

hi

something weird's going with the whitelist.
I have these two domains added to the white list and processed. But the first one is allowed while the other is blocked (checked in the dnsmasq.log). Any idea what I'm doing wrong?

_______________________________________________________________________________

Diversion 4.1.12 by thelonelycoder

RT-AC86U (aarch64) FW-384.19 @ 192.168.2.1

1.122M blocked domains by 1 hosts file(s)
21,188 t 21,188 w 4,841 n ads since Sep 22 05:20

/mnt/Diversion | Size 14.5G | Used 2.3G (16%)

d Diversion Standard enabled
c communication DivUn stats backup FWun

a ad-blocking to IP 192.168.2.2
l logging dnsmasq.log 13.5M

ep pixelserv-tls 192.168.2.2 v2.3.1

b blocking list Large Sun @ 2:00
el edit lists 2 w 0 b 0 wb

f follow dnsmasq.log

e exit u update more options o
____________________________________________________

Done edited list(s)

What do you want to do?

_________________________________________________________________________________


Your whitelist has these 2 entries:

1: acc-auth.sphdigital.com
2: api.tvb.com

_________________________________________________________________________________

C:\Windows\System32>nslookup acc-auth.sphdigital.com 192.168.2.2
Server: 192.168.2.2
Address: 192.168.2.2

Non-authoritative answer:
Name: alb-acc-authsphdigitalcom-2040396410.ap-southeast-1.elb.amazonaws.com
Addresses: 54.254.89.252
52.220.222.65
Aliases: acc-auth.sphdigital.com


C:\Windows\System32>nslookup api.tvb.com 192.168.2.2
Server: 192.168.2.2
Address: 192.168.2.2

Name: api.tvb.com
Address: 192.168.2.2


_________________________________________________________________________________

i To only see blocked domains from a single
device, enter its assigned IP address.

Enter device IP to filter by [q=Quit] 192.168.2.98

✔ 192.168.2.98 is a valid IP address

i Filtering by IP 192.168.2.98

i Press Ctrl-C to exit

22:29:29 blocked by blockinglist api.tvb.com

 

[andresmorago]

hello to all
im trying to troubleshoot some issues with my vpn client. i was wondering if this is a normal behavior from diversion and pixelserv in terms of routes?
pixelserv is running at 10.0.0.6. is it normal to see te 4th line when running:?

andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0

 

[Livin]

Question : Can I easily block URLs from only some devices? (ASUS built-in Firewall block URLs for ALL devices.)
I want to block specific URLs (not ads) like CrazyGames, YouTube, etc from ONLY my kids' devices (they all have DHCP reservations)

thx

 

[Johnny_B]

So here's one for ya.. I am at a loss to what could be wrong here. Everything has been working up until recently I had some problems with my ISP. I had to reboot everything, and now I'm seeing ads, on my Android phone only.
My setup:
A RT-AC3200 router with 384.13_8 firmware. Amtm, Diversion, Pixelsrv, Entware installed and up to date. In the router everything is setup following the guides. I will attach some screenshots of the settings screens.
I tested a few things:
- I am aware of newer Android devices adding a Google DNS server to the wifi connection. I tried setting static IP and DNS server, and then ads are blocked. When I enable IP from DHCP, ads start showing again. The solution for this should be to use DNSFilter on the router set to Router mode. I has worked before, but now something has changed or so it seems.
- When I connect to VPN server on my router from 4G network on my phone, ad blocking works!
- On all other computers in my network Diversion seems to work fine.

What could I be doing wrong?
Thanks for any input!

 

[XIII]

Question : Can I easily block URLs from only some devices? (ASUS built-in Firewall block URLs for ALL devices.)

Diversion blocks hosts / domain names, not URLs.

You can exclude clients, but I'm not sure the opposite (what you want) is possible?

 

[Xentrk]

hello to all
im trying to troubleshoot some issues with my vpn client. i was wondering if this is a normal behavior from diversion and pixelserv in terms of routes?
pixelserv is running at 10.0.0.6. is it normal to see te 4th line when running:?

andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.xxx dev eth0  proto kernel  scope link
181.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
10.0.0.0/8 dev br0  proto kernel  scope link  src 10.0.0.6
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.xxx dev eth0

Maybe do a search on 10.0.0.6 and "br0" in the system log and confirm the program name creating the route. May require a reboot. Does the route exist if you shut down pixelserv-tls?

Check system log that pixelserv-tls starts up okay:

Sep 24 17:21:07 RT-AC88U-8248 pixelserv-tls[16643]: Listening on :192.168.1.10:443
Sep 24 17:21:07 RT-AC88U-8248 pixelserv-tls[16643]: Listening on :192.168.1.10:80

Are you on a bridged network? How do you connect to ISP?

 

[zekesdad]

Can we get the statistics for youtube ad blocking added to the weakly email? Cause it sure seems like I'm not getting any blocked after a LONG time of it being activated.

 

[andresmorago]

Maybe do a search on 10.0.0.6 and "br0" in the system log and confirm the program name creating the route. May require a reboot. Does the route exist if you shut down pixelserv-tls?

Check system log that pixelserv-tls starts up okay:

Sep 24 17:21:07 RT-AC88U-8248 pixelserv-tls[16643]: Listening on :192.168.1.10:443
Sep 24 17:21:07 RT-AC88U-8248 pixelserv-tls[16643]: Listening on :192.168.1.10:80

Are you on a bridged network? How do you connect to ISP?

hi again

My ac3100 is connected to the isp cablemodem which works in bridge mode. i have a fixed public ip address on the router assigned by my isp (181.xxx.xxx.xxx)

Does the route exist if you shut down pixelserv-tls?

No. it disappears when i shut pixelserv down. thats why i dont think this route thing is related to the issue im having with my vpnclient and the recursive routing errors

andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.1 dev eth0  proto kernel  scope link
181.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.1 dev eth0

pixelserv starts ok every time

Sep 24 10:02:59 RT-AC3100-0548 rc_service: service 17393:notify_rc restart_dnsmasq
Sep 24 10:02:59 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
Sep 24 10:03:00 RT-AC3100-0548 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Sep 24 10:03:00 RT-AC3100-0548 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Sep 24 10:03:01 RT-AC3100-0548 Entware (armv7sf-k2.6): Started pixelserv-tls (Diversion)
Sep 24 10:03:01 RT-AC3100-0548 pixelserv-tls[17626]: pixelserv-tls 2.3.1 (compiled: Jan 31 2020 13:27:14 flags: tls1_3) options: 10.0.0.6
Sep 24 10:03:02 RT-AC3100-0548 rc_service: watchdog 456:notify_rc start_dnsmasq
Sep 24 10:03:02 RT-AC3100-0548 rc_service: waitting "restart_dnsmasq" via  ...
Sep 24 10:03:02 RT-AC3100-0548 stubby[17859]: Read config from file /etc/stubby/stubby.yml
Sep 24 10:03:03 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
Sep 24 10:03:03 RT-AC3100-0548 pixelserv-tls[17626]: Listening on :10.0.0.6:443
Sep 24 10:03:03 RT-AC3100-0548 pixelserv-tls[17626]: Listening on :10.0.0.6:80
Sep 24 10:03:03 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Sep 24 10:03:05 RT-AC3100-0548 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Sep 24 10:03:05 RT-AC3100-0548 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Sep 24 10:03:06 RT-AC3100-0548 stubby[18154]: Read config from file /etc/stubby/stubby.yml
Sep 24 10:03:07 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event-end (args: start dnsmasq)
Sep 24 10:03:08 RT-AC3100-0548 andresmorago: Started taildns from .

 

[Xentrk]

hi again

My ac3100 is connected to the isp cablemodem which works in bridge mode. i have a fixed public ip address on the router assigned by my isp (181.xxx.xxx.xxx)


No. it disappears when i shut pixelserv down. thats why i dont think this route thing is related to the issue im having with my vpnclient and the recursive routing errors

andresmorago@RT-AC3100-0548:/tmp/home/root# ip route
181.xxx.xxx.1 dev eth0  proto kernel  scope link
181.xxx.xxx.0/24 dev eth0  proto kernel  scope link  src 181.xxx.xxx.xxx
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.1
127.0.0.0/8 dev lo  scope link
default via 181.xxx.xxx.1 dev eth0

pixelserv starts ok every time

Sep 24 10:02:59 RT-AC3100-0548 rc_service: service 17393:notify_rc restart_dnsmasq
Sep 24 10:02:59 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
Sep 24 10:03:00 RT-AC3100-0548 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Sep 24 10:03:00 RT-AC3100-0548 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Sep 24 10:03:01 RT-AC3100-0548 Entware (armv7sf-k2.6): Started pixelserv-tls (Diversion)
Sep 24 10:03:01 RT-AC3100-0548 pixelserv-tls[17626]: pixelserv-tls 2.3.1 (compiled: Jan 31 2020 13:27:14 flags: tls1_3) options: 10.0.0.6
Sep 24 10:03:02 RT-AC3100-0548 rc_service: watchdog 456:notify_rc start_dnsmasq
Sep 24 10:03:02 RT-AC3100-0548 rc_service: waitting "restart_dnsmasq" via  ...
Sep 24 10:03:02 RT-AC3100-0548 stubby[17859]: Read config from file /etc/stubby/stubby.yml
Sep 24 10:03:03 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event-end (args: restart dnsmasq)
Sep 24 10:03:03 RT-AC3100-0548 pixelserv-tls[17626]: Listening on :10.0.0.6:443
Sep 24 10:03:03 RT-AC3100-0548 pixelserv-tls[17626]: Listening on :10.0.0.6:80
Sep 24 10:03:03 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
Sep 24 10:03:05 RT-AC3100-0548 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Sep 24 10:03:05 RT-AC3100-0548 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Sep 24 10:03:06 RT-AC3100-0548 stubby[18154]: Read config from file /etc/stubby/stubby.yml
Sep 24 10:03:07 RT-AC3100-0548 custom_script: Running /jffs/scripts/service-event-end (args: start dnsmasq)
Sep 24 10:03:08 RT-AC3100-0548 andresmorago: Started taildns from .

This one has me stumped. A route using the 'br0' interface doesn't get created for pixelserv-tls on the routers I support. The ifconfig command does show pixelserv-tls assigned to br0 though.

 

[Xentrk]

@andresmorago
Do you have any entries on the LAN -> Routes screen

 

[andresmorago]

@andresmorago
Do you have any entries on the LAN -> Routes screen

No. All empty

This one has me stumped. A route using the 'br0' interface doesn't get created for pixelserv-tls on the routers I support. The ifconfig command does show pixelserv-tls assigned to br0 though.

the route gets created on my 2 routers. Ac3100 and ac68u on latest firmware and scripts versions and separate internet conections/setups

 

[Milan]

how to enable blocking list update job even the diversion is disabled?
can be the management of blocklist available even the diversion is disabled ?

i am using it together with unbound AdBlock ...

 

[Megahurtz]

Any ideas on how to block the type=65 requests? Or will that require an update to Diversion?

 

[thelonelycoder]

Can we get the statistics for youtube ad blocking added to the weakly email? Cause it sure seems like I'm not getting any blocked after a LONG time of it being activated.

The YouTube forced IP redirect counting is even less helpful since each redirect may not prevent an ad from showing. And there usually are a lot of requests for these domains, especially if YT is viewed directly in a browser.
Nevertheless, I added this feature a while ago to my local development code just to see what the results are. I may as well leave it in for the release version. The running counter can be set to be shown in the Diversion SSH UI, just as the regular blocked ads count is.

 

[thelonelycoder]

how to enable blocking list update job even the diversion is disabled?
can be the management of blocklist available even the diversion is disabled ?

i am using it together with unbound AdBlock ...

There is no way to enable the blocking list update through the UI options if Diversion is disabled or ad-blocking is set to off. What would be the point?
However, you can run this command periodically manually or by setting a cron job, provided Diversion has been set up properly:

sh /opt/share/diversion/file/update-bl.div

 

[thelonelycoder]

Any ideas on how to block the type=65 requests? Or will that require an update to Diversion?

That's outside of Diversion's control capabilities. AFAICT this would have to be implemented by the Dnsmasq developer to allow these types of queries be altered by a hosts entry, or any other Dnsmasq option.

Since these queries are generally followed by a A or AAAA type query for the same domain and then are blocked (if the domain is in fact blocked by Diversion), the impact at the moment is low.

 

[Megahurtz]

That's outside of Diversion's control capabilities. AFAICT this would have to be implemented by the Dnsmasq developer to allow these types of queries be altered by a hosts entry, or any other Dnsmasq option.

Since these queries are generally followed by a A or AAAA type query for the same domain and then are blocked (if the domain is in fact blocked by Diversion), the impact at the moment is low.

I’ve seen a large increase in ads since ios14/apps started using this. The problem seems to be that Diversion is allowing through the initial type=65 request and then blocking the following A one. Since the type=65 comes first, ads seem to be loading. Anything using iAds is leaking through, as is doubleclick. Probably some others, but those seem to be the most prominent ones I've been noticing.

Are you saying that because of the following A request being blocked, it would prevent the earlier type=65 one from being displayed? I might be missing something or misunderstanding you, because I don't see how this would be low impact given ads are being served from blacklisted domains. Diversion's effectiveness has decreased over the last couple weeks for me, presumably because of this.

2020-09-26 06:19	static.doubleclick.net	192.168.1.133	A	Blocked (blocking list)
2020-09-26 06:19	static.doubleclick.net	192.168.1.133	type=65	Allowed
2020-09-26 06:19	static-doubleclick-net.l.google.com	192.168.1.133	A	Blocked (blocking list)
2020-09-26 06:19	static-doubleclick-net.l.google.com	192.168.1.133	type=65	Allowed
2020-09-26 06:19	pagead46.l.doubleclick.net	192.168.1.133	A	Allowed
2020-09-26 06:19	pagead46.l.doubleclick.net	192.168.1.133	type=65	Allowed
2020-09-26 06:19	googleads.g.doubleclick.net	192.168.1.133	A	Blocked (blocking list)
2020-09-26 06:19	googleads.g.doubleclick.net	192.168.1.133	type=65	Allowed