I'm trying to get the AdGuardHome plugin working on my firewall. I have installed the plugin via shell
fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf
I moved Unbound to port 5454. My current DNS setup goes straight to CloudFlare (not sure if that's correct?). The plugin installs, and I make sure that enable and use as primary DNS are checked in Services > AdGuardHome > General, but notice that the service showing as not started. I have tried to start both via gui, and from shell. Both appear to start without issue. However, I cannot access the AdGuard webui via (ip:3000). One thing I noticed is on the initial start the yaml file is not created. Some searching seems to show how to create one manually which I did.
bind_host: 0.0.0.0
bind_port: 3000
users:
- name: admin
password: *****************
I checked to see if anything else is using port 3000:
sockstat -4 | grep 3000
root AdGuardHom 14702 115 tcp46 *:3000
I've tried uninstalling/reinstalling the plugin several times and no luck. Another thing I tried was to create a LAN firewall rule for AGH for port 3000. One weird thing I notice is that when I specify the destination port (other, 3000), when I apply the rule and recheck it, the destination port says HCBI instead. I'm not sure if the rule is needed but tried it as part of my troubleshooting.
What am I missing?
Nothing much. 3000 is the well known port for the HBCI protocol, but AGH is the only thing listening on that port so all is well. Show the firewall rules on LAN, probably a quirk there. You don't have "allow any" on LAN, anyway?
This is what I have currently as I removed the rule for AGH not knowing for sure if the rule was relevant
The first two rules redirect all packets to the WAN_Failover gateway (group?) so you cannot communicate with the firewall locally.
Place a rule for TCP, destination "LAN interface", destination port "3000/HBCI" above all others. Without the gateway setting, of course.
EDIT: or add an inverted destination to your rules and replace destination "any" with !"This Firewall".
Quote from: Patrick M. Hausen on March 25, 2025, 07:42:42 AMThe first two rules redirect all packets to the WAN_Failover gateway (group?) so you cannot communicate with the firewall locally.
Place a rule for TCP, destination "LAN interface", destination port "3000/HBCI" above all others. Without the gateway setting, of course.
EDIT: or add an inverted destination to your rules and replace destination "any" with !"This Firewall".
The WAN_Failover is a group as I have 2 gateways, which one serves as a backup. However, I'm a bit confused about the destination. I have a LAN net, and LAN address for destination but not LAN interface. I tried LAN net, but no luck. So I changed it to This Firewall and inverted as you suggested above all other rules, and still no luck.
It's LAN address, not LAN interface. Sorry, my bad.
Quote from: Patrick M. Hausen on March 25, 2025, 04:08:28 PMIt's LAN address, not LAN interface. Sorry, my bad.
I'm not entirely sure how but I have that part working now. But I am facing another issue. I also want to use Unbound in conjunction with AGH. I configured AGH private reverser to Unbound on port 53530, but I have no internet access. According to AGH, when I test the upstream, it reports as working correctly. I did not change anything in my Unbound setup as it was working fine before. So I'm not sure what I am missing now with regard to not being able to have internet access.
You have that rule for DNS on port 53 that for some reason throws all queries from your clients out towards your gateway group. Like if you don't want a local resolver at all but use e.g. 8.8.8.8 on your clients only.
Why you have that rule is yours to answer 😉
My guess: Multi-WAN step 5, but didn't follow the instructions...
I suppose thats true, its been a while since I set that part up. But changing that group to default fixed it.