
Diversion [SOLVED] Diversion Guest Network Pro - blocklist applied to multiple SSID

kstamand

Regular Contributor
Does Diversion work with Guest Network Pro Profiles / Vlan? If yes, is there any additional configuration outside of what the Diversion script does?

Reason I ask is, it appears Diversion works as expected for the Wireless Network SSID (Main Network), but not for the additional SSID / VLAN Profiles created under Guest Network Pro (sites that are in Diversion's blocklist work under Guest Network Pro SSID / VLAN (as in, sites in blocklist are working, whereas I expected them to be blocked), but not under the Wireless Network SSID (as in, sites in blocklist are successfully being blocked) >> I was hoping the blocks would affect each VLAN, but no).
Looking at the dnsmasq-#.conf files that are created for each Guest Network Pro SSID/VLAN, I do not see the same Diversion directives as I do under dnsmasq.conf:
Code:
# start of Diversion directives #
conf-file=/opt/share/diversion/list/allowlist.conf
conf-file=/opt/share/diversion/list/blockinglist.conf
conf-file=/opt/share/diversion/list/denylist.conf
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #
Also, if it matters, under LAN Settings, DNS Director is enabled and set to Router.

Thanks in advance

Edit: looking in dnsmasq.log, I don’t see any query / responses for any of the Guest Network Pro SSID / VLAN - if I’m not mistaken, I expected to see query records for each.
Diversion is supposed to be functional with Asus-Merlin 3006.102.x firmware. See here:
https://www.snbforums.com/threads/c...ons-with-gt-be98-pro.90657/page-7#post-947006
And see the dedicated thread for Diversion, which may have more:
https://www.snbforums.com/threads/diversion-5-4-5-the-router-ad-blocker-may-03-2025.90804/
Edit to add:
To clarify, did you create an entry in DNS Director's Guest Network Pro profiles section for each of the profiles you are using and set a specific redirection for them?

Note: if you were unaware, 3006 firmware changes the way DNS Director works.
- CHANGED: Setting DNS Director to "Router" will now always redirect to the router's own IP. Previously it would redirect to the first DNS server configured on the DHCP page (which defaults to the router itself). If you need DNS Director to redirect to an IP configured in your DHCP settings, use a Custom DNS entry in DNS Director. This makes it more consistent with what the name implies, and was also necessary for improved Guest Network support.
@bennor - thanks for the suggestions. I did read those threads and I was aware of the Change log notes. I did try setting Custom DNS for each of the Profiles, pointing to their respective subnet gateway (.1), but that didn’t change anything.

I’m still reading and trying different options (dnsmasq.postconf) to add the same Diversion directives to each dnsmasq-#.conf, but no success on that path yet.

Hoping someone can point me in the right direction if not bennor
 
I got it working, which required creating a /jffs/scripts/dnsmasq-sdn.postconf script file (copy below) to append the same Diversion directives that get added in the default dnsmasq.conf to each of the dnsmasq-#.conf files.

@thelonelycoder, did I mess up something in my initial setup of Diversion with Guest Network Pro (I’m running FW 3006.102.4) or was adding the same directives to each of the dnsmasq-#.conf files in this manner the correct way to have Diversion blocklists applied to each?

Code:
#!/bin/sh
# /jffs/scripts/dnsmasq-sdn.postconf: the firmware passes the path of the
# Guest Network Pro dnsmasq-#.conf being generated as $1; append the same
# Diversion directives that Diversion puts into the main dnsmasq.conf
CONFIG="$1"
. /usr/sbin/helper.sh
pc_append "# start of Diversion directives #" "$CONFIG"
pc_append "conf-file=/opt/share/diversion/list/allowlist.conf" "$CONFIG"
pc_append "conf-file=/opt/share/diversion/list/blockinglist.conf" "$CONFIG"
pc_append "conf-file=/opt/share/diversion/list/denylist.conf" "$CONFIG"
pc_append "log-async" "$CONFIG"
pc_append "log-queries" "$CONFIG"
pc_append "log-facility=/opt/var/log/dnsmasq.log" "$CONFIG"
pc_append "# end of Diversion directives #" "$CONFIG"
 
I'll check when time allows. This likely requires a Diversion update as the guest network is not (yet) part of the features.
 
I think there will need to be careful consideration how to handle the guest networks. Duplicating the primary blocklists could get expensive in terms of RAM for each guest instance of dnsmasq. People tend to overdo it on the size of their blocklists.

A more economical approach might be to have each guest network dnsmasq instance forward its DNS queries to the main instance (e.g. server=192.168.50.1).
 
I do that now with PiHole.
 
Isn't that something easily accomplished by using DNS Director and pointing the Guest Network Pro profiles to the router?
Doing something similar for my Guest Network Pro Profiles by pointing them to a local network PiHole.
 

That’s an option, but then the guest network clients can’t resolve local names from the guest network if that’s even a requirement on guest networks.

My point was intended to be that adding the same Diversion blocklists to every guest instance could stress the memory utilization of the router if not done smartly.
 
Would that (guest network client names) be solved by manually assigning host names, IP addresses, to the Guest Network Pro clients? Or by using a /jffs/scripts/dnsmasq-x.conf.add file to do the same? (or a dnsmasq-sdn.postconf file)

PS: My Pi-Hole properly uses the Guest Network Pro client names used by a /jffs/scripts/dnsmasq-x.conf.add file.
 
If you use DNS Director to bypass the guest network dnsmasq completely, then no, the manual assignments or dnsmasq-x.conf.add files won't matter at all.
 
@bennor and @dave14305, I tried both options with no luck and I wanted to share my findings in case they prove useful:
- DNS Director, with a User Defined DNS set to the IP Address of the Main Network where the DNSMASQ blocklist is set up via Diversion >> result: DNS queries would time out, no servers could be found
- DNSMASQ-SDN.POSTCONF, adding server=192.168.x.1 with the address of the Main Network where DNSMASQ is set up via Diversion >> result: DNS queries would work, but as though the blocklist was not there.

FWIW - with the same blocklist directives that are applied to the Main Network via Diversion applied to each of the 3 Guest Network Pro profiles via DNSMASQ-SDN.POSTCONF, the RAM hit was negligible and everything works as I hoped. Granted, maybe my blocklists are not as large as others, but I don't believe they are small either (OISD big and NSFW), for a total of 661K blocked domains, and I still have almost 400K free of 1G total RAM on the router >> other users' mileage may vary!!!

THANK YOU for all the useful feedback and I welcome any and all future feedback.
 
It wouldn't be enough to just add the server option. You would also need to remove the servers-file option so it ignores whatever upstream servers it was already configured to use. Example:
Code:
#!/bin/sh

CONFIG="$1"
. /usr/sbin/helper.sh
pc_delete "servers-file=" "$CONFIG"
pc_append "server=192.168.50.1" "$CONFIG"
 
@dave14305 - DOH!! I totally missed that, to delete the existing "servers-file" line. Once I deleted that, it worked!!

Now we know there are two options that work (adding all directives or just pointing to the existing IP where Diversion is applied), and yours with the "server=" recommendation is more efficient (unless someone wants to have different blocklists for different Guest Network Pro SSIDs maybe, in which case having different blocklist directives will be necessary)!!.

THANKS!!!

Revised dnsmasq-sdn.postconf script for reference - note that I want ONE of the Guest Networks to bypass Diversion's blocklist (Guest Network Pro number 2, which is an Adults network in my environment)

Code:
#!/bin/sh

CONFIG="$1"   # path of the dnsmasq-#.conf being generated
SDN="$2"      # Guest Network Pro profile number

. /usr/sbin/helper.sh

# POSIX test rather than the bash-only [[ ]]; the router's /bin/sh is busybox ash
if [ "$SDN" -ne 2 ]; then
    logger -t mySDN "SDN $SDN being processed now"
    # drop the firmware's upstream server list, then forward to the Main Network dnsmasq
    pc_delete "servers-file=" "$CONFIG"
    pc_append "server=192.168.##.1" "$CONFIG" # change ## to be whatever subnet you are using on your Main Network
fi
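Added example, not from the thread and not Diversion's or Asus-Merlin's code: a scratch-file simulation of what the server= postconf approach (dave14305's script and the revised per-SDN script above) does to a guest dnsmasq-#.conf, plus a check for the leftover servers-file line that made the blocklist appear absent. The sim_pc_* helpers only mimic pc_delete/pc_append from helper.sh, and the sample conf contents and 192.168.50.1 as the Main Network dnsmasq address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces on a scratch file what the
# dnsmasq-sdn.postconf does to a Guest Network Pro dnsmasq-N.conf and checks
# the result. The sim_pc_* helpers mimic the assumed behaviour of pc_delete
# (drop lines containing a pattern) and pc_append (append a line) from
# /usr/sbin/helper.sh, so this runs without a router.
MAIN_DNS="192.168.50.1"   # assumed: Main Network dnsmasq where Diversion runs

sim_pc_delete() {  # remove every line containing $1 from file $2
    grep -v -F -- "$1" "$2" > "$2.tmp" || :
    mv "$2.tmp" "$2"
}
sim_pc_append() {  # append line $1 to file $2
    printf '%s\n' "$1" >> "$2"
}

# Writes a constructed dnsmasq-N.conf ($1 = path, $2 = SDN number)
make_sample_conf() {
    cat > "$1" <<EOF
pid-file=/var/run/dnsmasq-$2.pid
interface=br$2
servers-file=/tmp/resolv.dnsmasq
no-resolv
EOF
}

# The thread's fix: drop servers-file, forward to the main instance.
# SDN 2 is skipped, as in the revised script (that guest keeps its upstream).
apply_sdn_fix() {
    conf="$1"; sdn="$2"
    if [ "$sdn" -ne 2 ]; then
        sim_pc_delete "servers-file=" "$conf"
        sim_pc_append "server=$MAIN_DNS" "$conf"
    fi
}

# Returns 0 only when the conf forwards to the main dnsmasq AND no longer
# carries servers-file (with both present, queries bypass the blocklist).
check_forwards_to_main() {
    grep -q "^server=$MAIN_DNS\$" "$1" && ! grep -q "^servers-file=" "$1"
}

# Demo: process SDN 1 and show the resulting conf
tmp=$(mktemp -d)
make_sample_conf "$tmp/dnsmasq-1.conf" 1
apply_sdn_fix "$tmp/dnsmasq-1.conf" 1
cat "$tmp/dnsmasq-1.conf"
rm -rf "$tmp"
```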
 