OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: crt333 on August 02, 2021, 02:03:07 am

Title: adguard home lookups through WG tunnel?
Post by: crt333 on August 02, 2021, 02:03:07 am
Is it possible to configure adguard home lookups to go through WG tunnel instead of WAN?

Background:

In my setup I have two LANs and two WG tunnels, and everything from WAN0 goes through WG0 and everything from WAN1 goes through WG1.

I have port forwarding setup for all DNS requests on any LAN to any other DNS server to be forwarded to the router.

Before using Adguard I could configure the system DNS to go through a WG port, or I could configure unbound to go the a WG port, but now Adguard lookups are going out over WAN. Is there a simple way to change this?
Title: Re: adguard home lookups through WG tunnel?
Post by: errored out on August 13, 2021, 09:05:35 pm
Since you are using policy routing, what have you configured as your primary connection in your gateway group?  Have you configured a FW rule for this type of traffic?

If you have your WAN as your primary, then that would explain it.  You could lower the priority of WAN to make it the last in your group and/or raise WG priority so all traffic is sent out one or the other, or switching between the two, leaving WAN as last resort.

Be careful: making routing/GW changes can cause large issues and bigger headaches.
Title: Re: adguard home lookups through WG tunnel?
Post by: crt333 on August 13, 2021, 10:15:40 pm
Thanks for responding.

When I said I could configure OpnSense or unbound to use a tunnel I meant that these both have the ability to specify what interface to use for queries, AdGuard doesn't.

I don't have a gateway group, I have WAN, WG0, WG1 separate, with NAT and rules for LAN0 to WG0 and LAN1 to WG1, as well as port forward rules to catch DNS and send it to the router.

The challenge is, unlike LAN0 or LAN1 where I can make rules for WG, adguard runs on the router and I don't know how to say queries should go down WG instead of WAN. Other things, like NTP, also go out WAN, which is fine, but I'd rather the adguard stuff went out WG.

I may be missing something, but I don't know how to make this happen.


Title: Re: adguard home lookups through WG tunnel?
Post by: errored out on August 14, 2021, 03:14:54 am
What do you have set up as your default connection when looking at your GW (single) priorities?  That will be the interface all the traffic defaults to (I believe), including traffic originating from the FW itself.
Title: Re: adguard home lookups through WG tunnel?
Post by: crt333 on August 14, 2021, 03:04:15 pm
Only WAN is marked upstream, and all the priorities are 255. If I mark WG0 as upstream all traffic stops.
Title: Re: adguard home lookups through WG tunnel?
Post by: errored out on August 15, 2021, 09:48:57 pm
With OPNsense, anything marked as upstream will allow traffic through it.  The priority dictates which interface to use.  (Logical.)

However, when GWs are not marked as upstream, they STILL can be used for sending/receiving traffic.  (Found out the hard way.)

What you are trying to accomplish is listed in the docs.  Although you are not trying to send lan traffic from multiple interfaces, the FW itself would use this.

https://docs.opnsense.org/manual/how-tos/multiwan.html?highlight=multi%20wan

https://docs.opnsense.org/manual/multiwan.html?highlight=multi%20wan
Title: Re: adguard home lookups through WG tunnel?
Post by: crt333 on August 15, 2021, 10:51:28 pm
Thanks again "errored out"

I read through the material in the link you sent, and I wanted to make sure I understand what you're proposing.

In terms of the multi-wan settings, I already had most items configured as described:

1) Setup monitor IP's (was done for WAN, WG0 and WG1)
2) Gateway group (not done)
3) DNS addresses for each gateway (not done, none configured there)
4) Policy based routing (LANs to WGs was the previous setup)
5) DNS allow rule earlier in LAN lists (was done already)

This isn't really a failover situation, since even the WGs depend on WAN.

This could be a load balancing situation, but WAN statistics are always going to look better than WG since WG goes through WAN with extra processing. Could use an unequal weight to throw more traffic through WG (including adguard I assume), but I don't see other options. If I weighted 1 and 1000 I could make 1000 of every 1001 adguard lookups go through WG?

If I make a gateway group, how does WG know it can only reach the world through WAN?

I'm happy to try things, but am still a little fuzzy on the approach. Thanks for the idea, I'll wait to make sure I'm understanding before blindly trying.
Title: Re: adguard home lookups through WG tunnel?
Post by: errored out on September 01, 2021, 01:53:59 am
I used a load balancing configuration before.  The policy based routing will dictate which traffic goes through which interface (out to the net).

With respect to gateway grouping, you select all the gateways you want to use in the group.  Let's say you are using a VPN to transmit traffic accessing the Internet (aside from WAN0): VPN0, VPN1, VPN2.  VPN0 and 1 connect to Texas.  VPN2 connects to Florida.  Where you live, Texas connects much faster.

I would group all 3 VPNs into a single group.  List VPN0 and 1 as a higher priority so they are equal, and set VPN2 as a lower weight.  Traffic will flow between either VPN0 or 1, and bounce between the 2 depending on your setup.  When the connectivity meets any threshold you configured to "switch" connectivity, the traffic will route through VPN2.  When the configured threshold is no longer met (connectivity for VPN0/1 has subsided) traffic will automatically resume being sent through VPN0/1.
Title: Re: adguard home lookups through WG tunnel?
Post by: crt333 on November 13, 2021, 12:44:22 am
Just tried something and it seems to work, so I'll post it.

I have adguard configured to lookup on:
tls://1.0.0.1
tls://9.9.9.9

so I made static routes to these two addresses through the WG tunnel and it seems to work. No more 853 on WAN.
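The static-route fix above works because queries sent by the firewall itself (AdGuard Home runs on the router) follow the kernel routing table, not the per-interface policy rules that steer LAN0/LAN1 into the tunnels; a /32 host route to each upstream therefore wins over the default route via WAN. The script below is an added example for this thread, not OPNsense or AdGuard Home code: it longest-prefix-matches each configured upstream against a routing table and flags any upstream that would still egress over WAN. The route table, the interface names (igb0 as WAN, wg0 as the WireGuard tunnel) and the 10.8.0.1 tunnel gateway are constructed assumptions shaped like `netstat -rn -f inet` output on a FreeBSD/OPNsense box.

```python
"""Audit which interface the OPNsense box itself would use to reach each
AdGuard Home upstream, by longest-prefix match over a FreeBSD-style routing
table.  Added example for this thread; not OPNsense or AdGuard Home code.
Interface names (igb0 = WAN, wg0 = WireGuard) and the route table are assumptions."""
import ipaddress
from urllib.parse import urlparse

# Constructed sample shaped like `netstat -rn -f inet` on FreeBSD/OPNsense.
# The two /32 host routes via wg0 are the static routes the last post describes.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
1.0.0.1            10.8.0.1           UGHS       wg0
9.9.9.9            10.8.0.1           UGHS       wg0
10.8.0.0/24        link#5             U          wg0
127.0.0.1          link#3             UH         lo0
192.168.10.0/24    link#2             U          igb1
192.168.20.0/24    link#4             U          igb2
203.0.113.0/24     link#1             U          igb0
"""

WAN_IF = "igb0"  # assumed name of the WAN interface
ADGUARD_UPSTREAMS = ["tls://1.0.0.1", "tls://9.9.9.9"]  # upstreams from the last post


def parse_netstat(text):
    """Return a list of (network, gateway, flags, netif) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # host entries carry no prefix length; ip_network treats them as /32
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route the kernel would pick for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        net = route[0]
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def upstream_host(upstream):
    """Extract the host part of an AdGuard upstream such as tls://1.0.0.1."""
    if "://" not in upstream:
        upstream = "udp://" + upstream  # plain-IP form; scheme added only for parsing
    return urlparse(upstream).hostname


def audit_upstreams(routes, upstreams, wan_if):
    """Map each upstream to (egress interface, verdict).

    "tunnel"     egress is some interface other than the WAN
    "LEAK"       the firewall would send the query straight out the WAN
    "hostname"   the upstream is a name; resolving it and routing to it is
                 not covered by per-IP static routes
    "unroutable" no matching route at all"""
    result = {}
    for up in upstreams:
        host = upstream_host(up)
        try:
            ipaddress.ip_address(host)
        except ValueError:
            result[up] = (None, "hostname")
            continue
        route = lookup(routes, host)
        if route is None:
            result[up] = (None, "unroutable")
            continue
        netif = route[3]
        result[up] = (netif, "LEAK" if netif == wan_if else "tunnel")
    return result


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    checks = ADGUARD_UPSTREAMS + ["tls://8.8.8.8"]  # extra entry to show a leak
    for up, (netif, verdict) in audit_upstreams(table, checks, WAN_IF).items():
        print(f"{up:24} -> {str(netif):6} {verdict}")
```

On the box itself, feed the real `netstat -rn -f inet` output to `parse_netstat` instead of the sample. The audit also makes the caveat of the static-route approach visible: only the listed IPs are covered, so any upstream added later, a fallback or bootstrap resolver, or a hostname-form upstream falls through to the default route and goes out WAN again.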