Greetings
Have had a bunch of interesting learning experiences getting OPNsense up - - - but it is.
Now trying to configure it - - - wow!
Stumbling right now on AdGuard - - - specifically at the point of initial setup.
Is this the right place to ask questions - - - it is a community plugin and not official, so, me not knowing, I am asking.
Where might I get assistance?
TIA
Did a lot of looking.
paging @mimugmail
Greetings
I am having severe problems (unable to complete) with the initial setup for AdGuardHome.
Your repository has version 1.12 as being AdGuardHome 0.107.45.
AdGuardHome version update 0.107.50 seems to be related to my difficulties.
Would you be able to update the repository - - - perhaps to 0.107.52?
(I have no clue of what I'm doing (can you tell) or I'd offer to help out with this!)
TIA
Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.
AGH can be upgraded once you're past the initial setup.
In more restrictive setups you'll need two FW rules as follows:
1) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port 3000 ### This is only used for the initial setup
2) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port <port number you chose during the initial setup>
Quote from: cookiemonster on July 18, 2024, 12:17:42 AM
Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.
That's the issue in a nutshell - - - I can't do the initial setup.
Screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.
I cannot set either of them.
Read some chatter that it might be related to not using static URLs but that's not the case (AFAIK at least).
Or it might be related to the release notes for 0.107.50.
I dunno and have no real way of figuring out what the issue is.
Any ideas - - - - I'm listening!!!
TIA
Quote from: newsense on July 18, 2024, 04:01:15 AM
AGH can be upgraded once you're past the initial setup.
In more restrictive setups you'll need two FW rules as follows:
1) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port 3000 ### This is only used for the initial setup
2) Allow TCP -- source (v)lan net or IP -- destination <FW IP interface> destination port <port number you chose during the initial setup>
Apologies (but I'm a firewall 'me don't understand') - - - all I've ever used is ufw.
You're suggesting that I write firewall rules like you have suggested - - yes?
(I understand that 'IP interface' would be replaced with my system URL; is there anything similar in the 'source lan net or IP'?)
TIA
You can post the LAN rules here in a screenshot - assuming that is where you'd be connecting from to the FW for AGH management.
In the creation of a rule you can specify either a source IP such as 192.168.2.34/32, which effectively gives access to that machine to whatever you specify as IP destination/port, or you can go broader wherever appropriate and say LAN NET as source, which effectively allows all the machines in that (v)lan to access the resource.
For example, if your LAN is 192.168.1.0/24 (or subnet mask 255.255.255.0) then the machines in the 192.168.1.2-254 range would be allowed to connect to the destination.
In OPNsense you'll find these networks (wherever there are more vlans) in the rule drop down menu as <vlan_name net>
Quote from: ajoeiam on July 18, 2024, 04:18:13 AM
Quote from: cookiemonster on July 18, 2024, 12:17:42 AM
Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.
Screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.
I cannot set either of them.
TIA
Sorry don't remember what that screen asks for, can you post a screenshot or describe what it says?
AdG needs to know what DNS servers to use upstream, it might be related to that but want to be sure.
Also, please add your complete setup of what your current DNS servers for the network are. Is it Unbound, and which port is Unbound using? Also confirm Unbound is set to listen on all interfaces (recommended).
Firewall rules are not normally needed when using defaults. That is because the allow all default rule will permit the LAN clients to reach the firewall on any port.
For other interfaces and networks in the firewall, yes, rules are needed.
Quote from: cookiemonster on July 18, 2024, 10:06:48 AM
Quote from: ajoeiam on July 18, 2024, 04:18:13 AM
Quote from: cookiemonster on July 18, 2024, 12:17:42 AM
Don't get too concerned with having the latest version of AdGH. It doesn't need to be on latest to work.
Just post your setup and where it is failing and we'll try to figure out what is the problem.
Screen 2/5 (when one logs into 192.168.x.x:3000) needs 2 ports set.
I cannot set either of them.
TIA
Sorry don't remember what that screen asks for, can you post a screenshot or describe what it says?
AdG needs to know what DNS servers to use upstream, it might be related to that but want to be sure.
Also, please add your complete setup of what your current DNS servers for the network are. Is it Unbound, and which port is Unbound using? Also confirm Unbound is set to listen on all interfaces (recommended).
Firewall rules are not normally needed when using defaults. That is because the allow all default rule will permit the LAN clients to reach the firewall on any port.
For other interfaces and networks in the firewall, yes, rules are needed.
(Tried to attach a .png file using copy and paste - - unsuccessful; instead used attach, which was also unsuccessful as the image was some 450k, so cropped the image as much as possible - - - hope it works for you!)
Did not see all of the third part (static ip address).
Unbound is my current DNS server and port 5353 is the listed port. I had Unbound listening only to LAN but changed that to all (recommended). (I would prefer that my DNS server not really listen to outside stuff but if that's what is required I will acquiesce.)
Was unable to test the AdGuardHome setup as I seem to no longer get to it.
Previously I was able to unselect the service, reboot the machine, then re-select the service, again reboot the machine, and at that point I was able to try the 192.168.x.x:3000 successfully - - - but not today.
Dunno - - - I'm wondering if the whole setup has become less responsive - - - becoming quite unsure of what to do going forward - - - starting to think that this is another instance of 'it works for someone else but NOT here' - - - I hope not!
Appreciate your continuing assistance - - really don't want to have to run another mini-pc that would make another point of failure - - - imo - - - I think I have too many already!
Regards
Quote from: newsense on July 18, 2024, 07:20:52 AM
You can post the LAN rules here in a screenshot - assuming that is where you'd be connecting from to the FW for AGH management.
In the creation of a rule you can specify either a source IP such as 192.168.2.34/32, which effectively gives access to that machine to whatever you specify as IP destination/port, or you can go broader wherever appropriate and say LAN NET as source, which effectively allows all the machines in that (v)lan to access the resource.
For example, if your LAN is 192.168.1.0/24 (or subnet mask 255.255.255.0) then the machines in the 192.168.1.2-254 range would be allowed to connect to the destination.
In OPNsense you'll find these networks (wherever there are more vlans) in the rule drop down menu as <vlan_name net>
@cookiemonster suggested that if I made Unbound able to listen on all ports then I may not need to use firewall rules.
Did that change - - - - still not successful.
Now quite lost!
Thanks for your assistance.
Quote: Unbound is my current DNS server and port 5353 is the listed port. I had Unbound listening only to LAN but changed that to all (recommended). (I would prefer that my DNS server not really listen to outside stuff but if that's what is required I will acquiesce.)
The default rule which prevents unsolicited inbound traffic on WAN will prevent it from answering queries from WAN. The query will never get to Unbound; it would have been blocked by the firewall by default. No need to worry about that.
Please check what processes have listeners open, like this:
$ sudo sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 58332 5 udp4 *:5353 *:*
unbound unbound 58332 6 tcp4 *:5353 *:*
unbound unbound 58332 7 udp4 *:5353 *:*
unbound unbound 58332 8 tcp4 *:5353 *:*
unbound unbound 58332 9 tcp4 127.0.0.1:953 *:*
dhcpd dhcpd 49891 12 udp4 *:67 *:*
root lighttpd 25766 7 tcp4 *:55443 *:*
root eastpect 74039 13 udp4 *:* *:*
root eastpect 74039 15 udp4 *:* *:*
root eastpect 74039 17 udp4 *:* *:*
root ntpd 13199 21 udp4 *:123 *:*
root ntpd 13199 22 udp4 92.28.XXX.163:123 *:*
root ntpd 13199 23 udp4 192.168.5.1:123 *:*
root ntpd 13199 26 udp4 127.0.0.1:123 *:*
root ntpd 13199 27 udp4 192.168.5.100:123 *:*
root ntpd 13199 28 udp4 192.168.200.1:123 *:*
root ntpd 13199 30 udp4 10.8.0.1:123 *:*
root ntpd 13199 31 udp4 10.0.0.1:123 *:*
root lighttpd 32222 4 tcp4 127.0.0.1:43580 *:*
root stubby 7242 3 udp4 127.0.0.1:8053 *:*
root stubby 7242 4 tcp4 127.0.0.1:8053 *:*
www haproxy 64624 4 tcp4 *:853 *:*
www haproxy 64624 5 tcp4 *:5000 *:*
www haproxy 64624 6 tcp4 *:443 *:*
www haproxy 64624 7 tcp4 192.168.5.100:80 *:*
www haproxy 64624 8 tcp4 192.168.5.100:853 *:*
www haproxy 64624 9 tcp4 192.168.5.100:5000 *:*
www haproxy 64624 10 tcp4 192.168.5.100:443 *:*
root AdGuardHom 348 115 udp46 *:53 *:*
root AdGuardHom 348 116 tcp4 192.168.5.1:8080 *:*
root AdGuardHom 348 117 tcp46 *:53 *:*
root crowdsec 96744 18 tcp4 192.168.5.1:8081 *:*
root crowdsec 96744 190 tcp4 127.0.0.1:6060 *:*
root openvpn 84396 8 udp4 92.28.XXX.163:1193 *:*
root sshd 70841 4 tcp4 *:22 *:*
? ? ? ? udp4 *:51820 *:*
I've masked a part of my WAN ip but you can see I have AdG listening on port 53 and Unbound on 5353 so they don't clash. AdG ui on 8080. Unbound on all interfaces.
AdG settings:
- DHCP service is disabled. I don't want AdG to provide dhcp. OPN is doing that.
- Upstream DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Bootstrap DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Private reverse DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its reverse DNS server.
- Encryption settings: Only plain DNS is enabled. If you want to change this, I suggest doing it later, once the basics are working. For me there is no need. The encryption is done from Unbound out.
DHCPv4 settings:
-- On LAN:
- DNS Servers: blank - I don't need to set DNS servers here because with Unbound enabled, the leases are issued with the Unbound IP address for each interface; in the LAN case it is 192.168.5.1. The default port 53 will be used, and that means it will get to AdGuard, which will in turn send up to Unbound:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-07-18 23:36 BST
Pre-scan script results:
| broadcast-dhcp-discover:
| Response 1 of 1:
| IP Offered: 192.168.5.238
| DHCP Message Type: DHCPOFFER
| Server Identifier: 192.168.5.1
| IP Address Lease Time: 5m00s
| Subnet Mask: 255.255.255.0
| Router: 192.168.5.1
| Domain Name Server: 192.168.5.1
| Domain Name: moomooland
| Bootfile Name: pxelinux.0
|_ TFTP Server Name: 192.168.5.1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.81 seconds
Firewall rules:
- I have port forward to force misbehaved clients to comply with the settings above. We can get to that after.
Please check against this and we'll take it from there.
You did have an unorthodox setup before, with a PC you only switched on from time to time and plugged directly into a port of the firewall; that triggered a reconfiguration of interfaces and services every time. Even if that's changed, it would be good to tell us what the setup is, it might give clues. For now let's just see it as a service that you want to set up for the first time.
Quote from: cookiemonster on July 19, 2024, 12:43:23 AM
Quote: Unbound is my current DNS server
snip
Please check what processes have listeners open, like this:
$ sudo sockstat -4l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
unbound unbound 58332 5 udp4 *:5353 *:*
snip
root AdGuardHom 348 115 udp46 *:53 *:*
root AdGuardHom 348 116 tcp4 192.168.5.1:8080 *:*
root AdGuardHom 348 117 tcp46 *:53 *:*
root crowdsec 96744 18 tcp4 192.168.5.1:8081 *:*
root crowdsec 96744 190 tcp4 127.0.0.1:6060 *:*
root openvpn 84396 8 udp4 92.28.XXX.163:1193 *:*
root sshd 70841 4 tcp4 *:22 *:*
? ? ? ? udp4 *:51820 *:*
I've masked a part of my WAN ip but you can see I have AdG listening on port 53 and Unbound on 5353 so they don't clash. AdG ui on 8080. Unbound on all interfaces.
AdG settings:
- DHCP service is disabled. I don't want AdG to provide dhcp. OPN is doing that.
- Upstream DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Bootstrap DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its upstream DNS server.
- Private reverse DNS servers: 192.168.5.1:5353 - I am telling AdG to use Unbound as its reverse DNS server.
- Encryption settings: Only plain DNS is enabled. If you want to change this, I suggest doing it later, once the basics are working. For me there is no need. The encryption is done from Unbound out.
snip
Please check against this and we'll take it from there.
You did have an unorthodox setup before, with a PC you only switched on from time to time and plugged directly into a port of the firewall; that triggered a reconfiguration of interfaces and services every time. Even if that's changed, it would be good to tell us what the setup is, it might give clues. For now let's just see it as a service that you want to set up for the first time.
Very interesting - -
you have quite a few more lines in the output of sockstat than I have (grin) - - - the lines that include AdGuardHome look like this:
root AdGuardHom 90822 13 tcp4 192.168.1.1:80 *:*
root AdGuardHom 90822 15 udp4 127.0.0.1:53 *:*
root AdGuardHom 90822 22 tcp4 127.0.0.1:53 *:*
Cannot do any AdG settings - - - cannot log into that 192.168.1.1:3000 address to set up my instance.
Suggestions on how I might be able to change the configuration file for AdG ?
TIA
That's probably your problem:
root AdGuardHom 90822 13 tcp4 192.168.1.1:80 *:*
Unless you have moved from port 80, it will be clashing with the OPN GUI port; look for your port for httpd in your output of sockstat.
If you have a clash, then you could move the OPN GUI to another port, and a restart of lighttpd will free up port 80 when it moves to the new one, which will then allow you to reach AdG.
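The clash diagnosed here (AdGuardHome bound to 192.168.1.1:80 while lighttpd, the OPNsense GUI, holds *:80) can be found mechanically from the same `sockstat -4l` listing posted earlier in the thread. This is an added example, not code from any post or from the AdGuardHome or OPNsense projects; the sample listing is constructed from the lines shown in the thread, and the `sockstat` invocation in the main block assumes a FreeBSD host.

```python
"""Spot listener port clashes in `sockstat -4l` output (FreeBSD / OPNsense)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample modelled on the listings in the thread (not a real
# capture): the GUI on *:80 and AdGuardHome's UI on 192.168.1.1:80.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
unbound  unbound    58332 5   udp4   *:5353           *:*
unbound  unbound    58332 6   tcp4   *:5353           *:*
root     lighttpd   25766 7   tcp4   *:80             *:*
root     AdGuardHom 90822 13  tcp4   192.168.1.1:80   *:*
root     AdGuardHom 90822 15  udp4   127.0.0.1:53     *:*
root     AdGuardHom 90822 22  tcp4   127.0.0.1:53     *:*
root     sshd       70841 4   tcp4   *:22             *:*
?        ?          ?     ?   udp4   *:51820          *:*
"""


def parse_sockstat(text):
    """One dict per listener line; the header and sockets without a
    numeric local port (LOCAL ADDRESS '*:*') are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue
        user, command, pid, _fd, proto, local = fields[:6]
        addr, port = local.rsplit(":", 1)
        if not port.isdigit():
            continue
        entries.append({
            "user": user, "command": command, "pid": pid,
            # tcp4 and tcp46 both serve IPv4, so compare on transport only
            "transport": "tcp" if proto.startswith("tcp") else "udp",
            "addr": addr, "port": int(port),
        })
    return entries


def addresses_overlap(a, b):
    """A wildcard bind (*) covers every address; otherwise they must match."""
    return a == "*" or b == "*" or a == b


def find_clashes(entries):
    """Socket pairs from different processes sharing transport and port on
    overlapping addresses: the second one to start gets EADDRINUSE."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["transport"], e["port"])].append(e)
    clashes = []
    for (transport, port), group in by_key.items():
        for a, b in combinations(group, 2):
            if a["pid"] != b["pid"] and addresses_overlap(a["addr"], b["addr"]):
                clashes.append({"transport": transport, "port": port,
                                "commands": sorted({a["command"], b["command"]})})
    return clashes


def listeners_for(entries, command):
    """(transport, addr, port) set for one daemon, e.g. to confirm AdGuardHome
    shows both its UI listener and its DNS listener."""
    return {(e["transport"], e["addr"], e["port"])
            for e in entries if e["command"] == command}


if __name__ == "__main__":
    import subprocess, sys
    # Pass --sample to use the constructed listing; otherwise read the live host.
    text = SAMPLE_SOCKSTAT if "--sample" in sys.argv else \
        subprocess.run(["sockstat", "-4l"], capture_output=True, text=True).stdout
    for c in find_clashes(parse_sockstat(text)):
        print(f"clash on {c['transport']}/{c['port']}: {' vs '.join(c['commands'])}")
```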
It's best to leave the core services running on their default ports, plugins can be set up on any other ports with an associated port forward rule.
Would be a lot cleaner for troubleshooting, and in case of a plugin/service loss you'll know the FW boots and it is operational even if a faulty upgrade brought down AdGuardHome in this case.
System > Settings > Administration.
The UI has the ability to change the port the GUI is listening on. Many of us change it from the default for a variety of reasons. No need to worry about changing it here, it is not a hack, and it survives updates and upgrades.
That said, in general, the advice is sound.
Quote from: cookiemonster on July 21, 2024, 10:42:59 PM
System > Settings > Administration.
The UI has the ability to change the port the GUI is listening on. Many of us change it from the default for a variety of reasons. No need to worry about changing it here, it is not a hack, and it survives updates and upgrades.
That said, in general, the advice is sound.
(Greatly appreciating the patience of those assisting!!)
OK - - - now - - sockstat -4l says
root AdGuardHom 22252 13 tcp4 192.168.1.1:80 *:*
and
root ligthtpd 44161 7 tcp4 *:82 *:*
(Had set the web GUI protocol to https following HomeNetworkGuy, so re-set to http with a restart.)
Firefox was barfing at using http so changed the setting for network security to false
Still cannot load into either of 192.168.1.1:80 or 192.168.1.1:3000 for AdGuardHome setup.
Suggestions - - - please?
TIA
So now OPN GUI is listening on port 82 and AdGH on 80 it seems.
Quote: "Still cannot load into either of 192.168.1.1:80 or 192.168.1.1:3000 for AdGuardHome setup."
What happens? Whether you cannot reach it, or you can but get errors, leads to different solutions.
The AdGH config can be modified manually but it is no good if you can't reach it.
Please tell where you are trying to reach it from, the same network, or a different one?
I can't assume because of your previous setup with machines on different ports on the firewall.
P.S. from your screenshot (re-added here for reference), the interface is called vtnet1. Is this a virtualised setup? If so, can you please provide the complete setup with all interfaces, assignments, etc. All is relevant.
Quote from: cookiemonster on July 23, 2024, 11:24:40 PM
So now OPN GUI is listening on port 82 and AdGH on 80 it seems.
Quote: "Still cannot load into either of 192.168.1.1:80 or 192.168.1.1:3000 for AdGuardHome setup."
What happens? Whether you cannot reach it, or you can but get errors, leads to different solutions.
The AdGH config can be modified manually but it is no good if you can't reach it.
Please tell where you are trying to reach it from, the same network, or a different one?
I can't assume because of your previous setup with machines on different ports on the firewall.
I am using the browser to reach http://192.168.1.1:80 or :3000 - - - the browser just sends a timed out message.
This is from a machine with the address 192.168.1.100 (so I think that's the same network - - yes?)
Sorry - - - at this point I am totally lost so I get to wait until you offer some kind of solution to try.
TIA
Quote from: cookiemonster on July 24, 2024, 12:12:02 AM
P.S. from your screenshot (re-added here for reference), the interface is called vtnet1. Is this a virtualised setup? If so, can you please provide the complete setup with all interfaces, assignments, etc. All is relevant.
What was added for reference was actually taken from the document that I was using for setup and configuration.
This was NOT from my machine - - - I am not using any kind of virtualised setup.
(Was cured of that idea a few years ago investigating LXD, on snapd - - - don't need that kind of mess again!)
Sorry for the not accurate info - - - the machine that I'm doing this on is a mini-pc and I'm using a laptop for its control and modification. This all is on a separate network with its own ip address so getting a screenshot - - - dunno how I'd even do it as the laptop does not connect with the other network.
Thanking you for your consideration and assistance!
OK, that helps to clear things up.
Check please that AdgH is running, before and after stopping/starting it from the OPN dashboard, in services list, or console.
You can look for the service in the console and start/restart it.
$ sudo service adguardhome status
Password:
adguardhome is running as pid 31785.
$ sudo ps -vvv 31785
PID STAT TIME SL RE PAGEIN VSZ RSS LIM TSIZ %CPU %MEM COMMAND
31785 Is 0:00.09 75 127 0 12728 2260 - 12 0.0 0.0 daemon: /usr/local/AdGuardHome/AdGuardHome[31884] (daemon)
$ sudo service adguardhome onerestart
Stopping adguardhome.
Waiting for PIDS: 31785
done.
Starting adguardhome.
$ sudo service adguardhome onestatus
adguardhome is running as pid 44395.
What we're interested in is seeing if it is up and running. Then start or restart it from the console in the hope it will spit out errors if it fails silently from the OPN UI. You should also use sockstat as before.
AdgH will use two processes and ports. One for the UI and one for the listener for traffic to filter.
I am tempted to suggest uninstalling it, followed by re-installation, so you can re-run the wizard with the correct ports this time.
Well - - - I gambled on understanding what you meant in your last sentence.
So I uninstalled adguardhome then re-installed it and was successful in connecting to the ports suggested
that is ip:3000 to access and ip:53 for DNS server listening.
Thank you very much for your assistance!!!!!!!!!!!!!!!!!
Now - - - how do I find a good configuration/setup chart for adguardhome?
Please?
TIA
congratulations on building your next time sink :)
For configuration - the site documentation https://github.com/AdguardTeam/AdguardHome/wiki/Getting-Started
For which blocklists to use - there are many. I suggest to start with the Steven Black list https://github.com/StevenBlack/hosts
Be ready to start allow-listing to fine tune to your requirements.
Quote from: cookiemonster on July 24, 2024, 10:51:25 PM
congratulations on building your next time sink :)
For configuration - the site documentation https://github.com/AdguardTeam/AdguardHome/wiki/Getting-Started
For which blocklists to use - there are many. I suggest to start with the Steven Black list https://github.com/StevenBlack/hosts
Be ready to start allow-listing to fine tune to your requirements.
ja - - - time sink - - - first it was information, then it was puters, then it's all the facets inside of that - - - - where will it end?
(likely won't - - - lol)
OK - - am trying to learn - - - that last sentence "Be ready to start allow-listing to fine tune to your requirements." - - - what does that mean?
TIA
It means that with AdgH, as with any host-based ad blocker, the block lists are not perfect for everyone. They block so much that at some point there will be "things" that will not work until you allow a particular domain.
Let's say your family member is looking at a product website and likes something, and tries to buy it. Then the sign up for the site dialog just spins and never finishes. They complain to you.
You're just starting with AdGH so you disable AdGH and that works now. So now you need to figure out which of the blocked items is the one that corresponds to that particular site. You need to whitelist that.
That is a requirement just for your network because although it is using Ads to complete the registration, you are OK with whitelisting it, making an exception in the list that otherwise works fine for you and most users.
A bit like intrusion detection. You need to create your own exceptions for your needs.
Hope it makes sense.