Diversion - the Router Ad-Blocker

L&LD

Part of the Furniture
What does one have to do with the other?
 

QuikSilver

Very Senior Member
I have been looking through the thread but there's a lot of conflicting advice, is it best to whitelist a load of Amazon domains or switch off pixelserv-tls?

Thanks
Or maybe just uninstall Diversion altogether and have done with it!
Nothing changes with you does it.
One could argue that the reason there is conflicting advice is because each person's network is unique to them, meaning what may work for one may not for the other.
 

CriticJay

Senior Member
I have been looking through the thread but there's a lot of conflicting advice, is it best to whitelist a load of Amazon domains or switch off pixelserv-tls?

Thanks
1. If you want to spend some time doing troubleshooting and determine exactly which domain is causing the issue with the Amazon app, so you can whitelist it, then you can do that and continue to use Pixelserv-TLS (like me).

2. If you don't want to spend time doing troubleshooting, and just need to get the Amazon Shopping app running again ASAP (maybe your wife or girlfriend is bothering you) then you can just disable Pixelserv-TLS from within Diversion (which will disable it properly).
 

lokester

Occasional Visitor
Needing some advice. Asus RT-AC88U router with latest Merlin. Had been running Pi-Hole on Raspberry PI, so had my DNS server field on Router config pointing to Raspberry Pi. Also had IP-Tables on Raspberry Pi set up with "recommended" rules from Raspberry Pi forum. A few months ago, I removed Pi-Hole from the RPi and installed/enabled Diversion on the RT-AC88U via AMTM. After installation of Diversion, I noticed it removed my static DNS address, so the RPi is no longer serving as my DNS server. IPCONFIG command from my PC confirms DNS server is the AC88U router IP 192.168.1.1

Looking at the "kern.log" on the Raspberry Pi, I am seeing where " iptables denied: IN=eth0 OUT= MAC=ff:ff ... SRC=192.168.1.1 DST=192.168.1.255 LEN=168 ... TTL=64 ID=0 DF PROTO=UDP SPT=39042 DPT=7788 LEN=148" and this message is happening every 10 to 15 seconds. IP 192.168.1.1 is the router IP. Not sure what 192.168.1.255 is but assume something to do with the router as well.

Other than cluttering up the log file, not sure it is causing me any grief, but not sure I need IPTABLES running on my Raspberry Pi blocking traffic on the Router?

So my question is this: Since I am no longer using the RPi as my DNS server, do I need to remove the IPTABLES rules that I added on the RPi?
 

QuikSilver

Very Senior Member
Needing some advice. Asus RT-AC88U router with latest Merlin. Had been running Pi-Hole on Raspberry PI, so had my DNS server field on Router config pointing to Raspberry Pi. Also had IP-Tables on Raspberry Pi set up with "recommended" rules from Raspberry Pi forum. A few months ago, I removed Pi-Hole from the RPi and installed/enabled Diversion on the RT-AC88U via AMTM. After installation of Diversion, I noticed it removed my static DNS address, so the RPi is no longer serving as my DNS server. IPCONFIG command from my PC confirms DNS server is the AC88U router IP 192.168.1.1

Looking at the "kern.log" on the Raspberry Pi, I am seeing where " iptables denied: IN=eth0 OUT= MAC=ff:ff ... SRC=192.168.1.1 DST=192.168.1.255 LEN=168 ... TTL=64 ID=0 DF PROTO=UDP SPT=39042 DPT=7788 LEN=148" and this message is happening every 10 to 15 seconds. IP 192.168.1.1 is the router IP. Not sure what 192.168.1.255 is but assume something to do with the router as well.

Other than cluttering up the log file, not sure it is causing me any grief, but not sure I need IPTABLES running on my Raspberry Pi blocking traffic on the Router?

So my question is this: Since I am no longer using the RPi as my DNS server, do I need to remove the IPTABLES rules that I added on the RPi?
192.168.1.255 is considered the "broadcast address" for your 192.168.1.XXX network. If the RPi is no longer needed then I would remove it. If not to fix this (if it does), but to help clean up in case you need to troubleshoot the network in the future.
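
An added example, not part of the original posts: it parses a netfilter log line like the one quoted above and classifies the destination address. The sample line is constructed from the quoted one with the elided fields left out, and the 192.168.1.0/24 LAN is an assumption based on the "192.168.1.XXX network" mentioned in the reply.

```python
import ipaddress
import re

# Constructed sample, modelled on the kern.log line quoted in the post.
SAMPLE = ("iptables denied: IN=eth0 OUT= SRC=192.168.1.1 DST=192.168.1.255 "
          "LEN=168 TTL=64 ID=0 DF PROTO=UDP SPT=39042 DPT=7788 LEN=148")

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict.

    LEN appears twice (IP length, then UDP length); the first one is kept.
    """
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields


def classify_destination(dst, lan="192.168.1.0/24"):
    """Say what kind of address dst is, relative to the (assumed) LAN."""
    net = ipaddress.ip_network(lan)
    addr = ipaddress.ip_address(dst)
    if addr == net.broadcast_address:
        return "directed-broadcast"   # delivered to every host on the LAN
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    if addr in net:
        return "unicast-lan"
    return "off-lan"


def describe(line, lan="192.168.1.0/24"):
    """Reduce one log line to the fields needed to judge the drop."""
    f = parse_netfilter_line(line)
    return {
        "src": f["SRC"],
        "dst": f["DST"],
        "proto": f["PROTO"],
        "dport": int(f["DPT"]),
        "dst_kind": classify_destination(f["DST"], lan),
    }


if __name__ == "__main__":
    print(describe(SAMPLE))
```

A "directed-broadcast" result means the packet was addressed to every host on the LAN, so the Pi's own INPUT rules logged it on arrival.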
 

lokester

Occasional Visitor
Thanks for the info on the .255 broadcast address. The RPi is doing other things for me, so it needs to stay. I guess I do not understand enough about "iptables" and I just don't understand how the RPi can get involved with a route within the router? Maybe I just need to uninstall the "iptables" from the RPi and let the Router take care of everything?
 

QuikSilver

Very Senior Member
Maybe I just need to uninstall the "iptables" from the RPi and let the Router take care of everything?
I would...."less cooks in the kitchen". ;)
 

thelonelycoder

Part of the Furniture

yucca1960

New Around Here
Hi! First of all, thanks to everybody for all the help that you guys give to all of us who do not know anything about scripts or coding.
I have a question: I followed the instructions and installed Diversion, but when trying to start YouTube ad blocking (b,#8,#1) I get this error:
(Error No recent YouTube domain found, view some YouTube videos in a browser!)
It does not matter how long I watch YouTube videos and ads, the result is the same. Please be gentle.
 

minhgi

Occasional Visitor
Recently I keep getting the error "something went wrong at our end" when using the Amazon shopping app. Going by what I've read, the problem is being caused by Diversion blocking something.
Is there any way to fix this problem?

Thanks
Hope it's not too late. I have a similar issue with the Amazon app not working and saw some help posts about whitelisting Amazon DNS. If you whitelist all of those DNS, your Amazon shopping should work. Mine was fixed three days ago after using Diversion full time. Weird that whitelisting amazon-adsystem.com didn't work but it required the DNS below.

aan.amazon-adsystem.com
aax-us-east.amazon-adsystem.com
aax-us-pdx.amazon-adsystem.com
aax.amazon-adsystem.com
c.amazon-adsystem.com
mads.amazon-adsystem.com
s.amazon-adsystem.com
 

Thomas Szücs

Occasional Visitor
Hallo

I have an issue with pixelserv-tls: it keeps crashing. Any idea on what it might be? I can Disable and Enable it again, but after a day or so, it crashes again.

 

thelonelycoder

Part of the Furniture
Hallo

I have an issue with pixelserv-tls: it keeps crashing. Any idea on what it might be? I can Disable and Enable it again, but after a day or so, it crashes again.

Look in the router's Syslog, there will be entries for pixelserv-tls.
 

Thomas Szücs

Occasional Visitor
It died again..
Code:
Aug  4 11:50:05 Diversion: restarted Dnsmasq to apply settings
Aug  4 11:50:05 uiDivStats: dnsmasq has restarted, restarting taildns
Aug  4 11:50:09 rc_service: service 25505:notify_rc restart_dnsmasq
Aug  4 11:50:09 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
Aug  4 11:50:10 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Aug  4 11:50:11 Diversion: created br0:pixelserv-tls for 192.168.1.2
Aug  4 11:50:11 pixelserv-tls[26108]: pixelserv-tls 2.3.1 (compiled: Jun 12 2020 20:24:48 flags: tls1_3) options: 192.168.1.2
Aug  4 11:50:11 Entware (armv7sf-k2.6): Started pixelserv-tls (Diversion)
Aug  4 11:50:11 pixelserv-tls[26108]: Listening on :192.168.1.2:443
Aug  4 11:50:11 pixelserv-tls[26108]: Listening on :192.168.1.2:80
Aug  4 11:50:11 Diversion: restarted Dnsmasq to apply settings
Aug  4 11:50:12 uiDivStats: dnsmasq has restarted, restarting taildns
Aug  4 12:00:00 uiDivStats: Stale lock file found (>600 seconds old) - purging lock
Aug  4 12:03:12 dropbear[1485]: Exit (admin) from <192.168.1.4:54395>: Error reading: Connection reset by peer
Aug  4 12:32:37 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:23 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:32 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:39 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:51 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:34:41 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY OK: depth=1, C=HK, ST=Central, L=HK, O=Secure-ServerCA, OU=IT, CN=Secure-ServerCA, name=Secure-ServerCA, [email protected]
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY KU OK
Aug  4 12:41:28 ovpn-client1[1957]: Validating certificate extended key usage
Aug  4 12:41:28 ovpn-client1[1957]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY EKU OK
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY OK: depth=0, C=HK, ST=Central, L=HK, O=Secure-Server, OU=IT, CN=Secure-Server, name=changeme, [email protected]
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1559', remote='link-mtu 1552'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher AES-256-GCM'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'auth' is used inconsistently, local='auth SHA1', remote='auth [null-digest]'
Aug  4 12:41:28 ovpn-client1[1957]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Aug  4 12:41:28 ovpn-client1[1957]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  4 12:41:28 ovpn-client1[1957]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Aug  4 12:41:28 ovpn-client1[1957]: Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Aug  4 12:46:27 dropbear[20870]: Child connection from 192.168.1.4:55015
Aug  4 12:46:33 dropbear[20870]: Password auth succeeded for 'admin' from 192.168.1.4:55015
 

tomsk

Very Senior Member
It died again..
Looks like an issue with your certificates (or at least the one for .adnxs.com). You could try purging them and seeing if that helps: ep in the Diversion menu, option 3 manage pixelserv certificates, option 1 purge.
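
An added example, not part of the original posts: a small triage script that pulls the pixelserv-tls certificate failures out of a syslog excerpt and summarises them per certificate name, which shows whether one cached certificate or many are affected. The sample log is constructed in the format of the excerpt posted above; the function names are hypothetical.

```python
import re

# Constructed sample in the format of the syslog excerpt posted above.
SAMPLE_LOG = """\
Aug  4 11:50:11 pixelserv-tls[26108]: Listening on :192.168.1.2:443
Aug  4 12:32:37 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:32:37 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: create_child_sslctx: cannot find or use /opt/var/cache/pixelserv/_.adnxs.com
Aug  4 12:33:14 pixelserv-tls[26108]: tls_clienthello_cb: fail to create sslctx or cache _.adnxs.com
Aug  4 12:41:28 ovpn-client1[1957]: VERIFY KU OK
Aug  4 12:46:33 dropbear[20870]: Password auth succeeded for 'admin' from 192.168.1.4:55015
"""

# "Mon DD HH:MM:SS process[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CERT_FAIL = re.compile(r"create_child_sslctx: cannot find or use (?P<path>\S+)")


def cert_failures(log_text, process="pixelserv-tls"):
    """Map certificate file name -> failure count, first/last time, PIDs."""
    summary = {}
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line or line["proc"] != process:
            continue  # other daemons (OpenVPN, dropbear) are ignored
        fail = CERT_FAIL.search(line["msg"])
        if not fail:
            continue  # e.g. the paired tls_clienthello_cb line
        name = fail["path"].rsplit("/", 1)[-1]
        entry = summary.setdefault(
            name, {"count": 0, "first": line["ts"], "last": line["ts"], "pids": set()}
        )
        entry["count"] += 1
        entry["last"] = line["ts"]
        entry["pids"].add(int(line["pid"]))
    return summary


if __name__ == "__main__":
    for name, info in cert_failures(SAMPLE_LOG).items():
        print(name, info["count"], info["first"], "->", info["last"])
```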
 
