OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: neek on February 28, 2022, 05:41:14 pm

Title: Setting up AdGuard Home for only some subnets?
Post by: neek on February 28, 2022, 05:41:14 pm
Hi, I'm trying to set up AdGuard Home for my home network, but I have to leave one subnet untouched by AdGuard.

Is the right way to do this to do a few port forwarding rules so that the networks I want protected redirect to AdGuard's DNS port, and the other nets point to Unbound directly? It looks like AdGuard Home has support for mapping individual clients, but I'd prefer to do this with rules of the form:

192.168.1.0/24 --> AdGuard DNS --> Unbound DNS forward
192.168.41.0/24 --> Unbound DNS directly

(I configure the "Unbound DNS forward" as a fallback DNS server in AdGuard Home.)

I'm running AdGuard Home via the os-adguardhome-maxit community plugin, btw.

thanks
Title: Re: Setting up AdGuard Home for only some subnets?
Post by: Vesalius on February 28, 2022, 06:36:41 pm
Easiest way I know of, which won't take AdGuard out of the loop but will result in bypassing AdGuard filtering, is to go to the client section of AdGuard settings and set up a new client using the entire 192.168.41/24 subnet, then remove that client from any global list or filtering under that client's settings.

https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#idclient
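What that client entry looks like on disk, as an added example that is not from the post above or from the AdGuard Home project: an AdGuardHome.yaml fragment in the flat `clients:` layout used by the 0.107 releases of early 2022 (the layout and the field names are an assumption checked against that version; later releases nest this list under `clients.persistent`). The client name and the subnet are constructed.

```yaml
# Assumed AdGuardHome.yaml fragment: one persistent client covering the whole
# subnet that must not be filtered. Edit the file only while the service is
# stopped (AdGuard Home rewrites it on every GUI change), or make the same
# entry under Settings > Client settings.
clients:
  - name: unfiltered-41            # constructed name
    tags: []
    ids:
      - 192.168.41.0/24            # a CIDR is accepted as a client ID
    use_global_settings: false     # detach from the global filtering switches
    filtering_enabled: false
    parental_enabled: false
    safebrowsing_enabled: false
    safesearch_enabled: false
    use_global_blocked_services: false
    blocked_services: []
    upstreams: []                  # empty = use the global upstreams
```

This only works when AdGuard Home sees the client's real source address. A pf port-forward rule rewrites the destination, not the source, so queries redirected from the firewall still arrive from 192.168.41.x and match the entry; queries that reach AdGuard Home through a forwarder or proxy on another host would not.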

Title: Re: Setting up AdGuard Home for only some subnets?
Post by: KHE on February 28, 2022, 07:15:59 pm
If you are using port forwarding rules, you should consider creating interface groups in Firewall: Groups.
One for the AdGuard interface(s) and one for the Unbound interface(s). For each group a net will be available to use in the Firewall rules, so you can create in Firewall: NAT: Port Forward a port forward rule with the destination from that group net to AdGuard and one for the other group to Unbound.
You can also apply firewall rules then in the groups, which will appear in Firewall: Rules: <GroupName>.

Keep in mind that these group rules are processed before the interface rules.

KH
Title: Re: Setting up AdGuard Home for only some subnets?
Post by: zz00mm on February 28, 2022, 08:23:53 pm
I did something of this sort with Unbound and AdGuardHome. I kept Unbound on 9 of my VLANs plus localhost. (10.0 thru 10.8, and localhost) The 10th VLAN (which is streaming TV, i.e. Roku and Apple) has AdGuard listening on port 53 and forwarding to localhost:53 for upstream. I did this lazy approach so I could see what the streaming TVs are doing. Also did an outbound NAT port 53 into localhost:53 to stop the Roku going to 8.8.8.8. Next step is looking at ZenArmor to stop DoT & DoH from getting out, as I see my iPhone when on Wifi goes to some dns-apple.com site it looks like for resolution. So far it's working well. The only gotcha, I had to modify my floating rule to reverse/ignore via an alias my domain/DNS servers to allow them outside access (no blocking of any kind) as backup/testing of name resolution.
Title: Re: Setting up AdGuard Home for only some subnets?
Post by: neek on March 01, 2022, 01:17:52 am
Thanks, this sounds exactly like what I need to do.

Would you be willing to share a screenshot or detail of the floating firewall rule?


Title: Re: Setting up AdGuard Home for only some subnets?
Post by: zz00mm on March 01, 2022, 09:19:27 pm
Sure, I've attached a screen capture, in case it's hard to read here's the text of the options changed/set:

Interfaces:   <Select interfaces for rule>

Protocol:      TCP/UDP
(click Source Advanced to see additional options)
Source/invert:   checked
(In my case did this to exclude my internal Domain/DNS Servers from being filtered)
Source:      <selected alias containing internal Domain/DNS Servers>

(If no internal DNS Servers need to be excluded from this, set Source=any and DON'T check Source/Invert)

Destination
  port range:   DNS to DNS
 
Redirect
  target IP:   Single host or network
            value = 127.0.0.1
            
Redirect
  target port:   DNS
 
Description: External attempts to DNS forwarded to localhost
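To make the matching semantics of the two approaches in this thread concrete (KHE's per-group port forwards and the inverted-source alias in the rule above), here is an added example that is not OPNsense's or either poster's code: a small first-match evaluator for pf-style redirect rules, run over constructed DNS packets. The interface names, subnets, alias contents and the two listener addresses (AdGuard Home on 127.0.0.1:5353, Unbound on 127.0.0.1:53) are assumptions for the example only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values: interface names, subnets, alias contents and listener
# addresses are assumptions for this example, not taken from the thread.
ADGUARD = "127.0.0.1:5353"   # assumed AdGuard Home listener on the firewall
UNBOUND = "127.0.0.1:53"     # Unbound on localhost:53, as in the post above
INTERNAL_DNS = ("192.168.1.53/32", "192.168.41.53/32")  # assumed alias contents


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrives on
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class RedirectRule:
    description: str
    interfaces: frozenset        # member interfaces; empty = floating (any)
    dst_port: int
    target: str                  # redirect target "ip:port"
    src_nets: tuple = ()         # alias contents; empty = any source
    invert_src: bool = False     # the GUI's "Source / Invert" checkbox
    protos: frozenset = frozenset({"tcp", "udp"})

    def matches(self, pkt: Packet) -> bool:
        if self.interfaces and pkt.iface not in self.interfaces:
            return False
        if pkt.proto not in self.protos or pkt.dport != self.dst_port:
            return False
        if self.src_nets:
            addr = ipaddress.ip_address(pkt.src)
            in_alias = any(addr in ipaddress.ip_network(n) for n in self.src_nets)
            # Invert unchecked: match sources in the alias.
            # Invert checked: match sources NOT in the alias.
            if in_alias == self.invert_src:
                return False
        return True


def build_rules() -> list:
    """Rule table in the order OPNsense evaluates port forwards: top to bottom.
    Each group rule excludes the internal DNS servers so their own upstream
    queries are not looped back into the firewall."""
    return [
        RedirectRule("Protected group -> AdGuard Home",
                     frozenset({"lan", "iot"}), 53, ADGUARD,
                     src_nets=INTERNAL_DNS, invert_src=True),
        RedirectRule("Unfiltered group -> Unbound",
                     frozenset({"mgmt"}), 53, UNBOUND,
                     src_nets=INTERNAL_DNS, invert_src=True),
    ]


def steer(rules: list, pkt: Packet) -> Optional[str]:
    """Redirect target of the first matching rule, or None when the packet
    is left on its original path (first match wins, as in the NAT table)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return None


if __name__ == "__main__":
    rules = build_rules()
    samples = [  # constructed traffic
        Packet("lan", "192.168.1.20", "8.8.8.8", "udp", 53),      # filtered client
        Packet("mgmt", "192.168.41.20", "8.8.8.8", "udp", 53),    # unfiltered client
        Packet("lan", "192.168.1.53", "1.1.1.1", "udp", 53),      # excluded resolver
        Packet("lan", "192.168.1.20", "8.8.8.8", "tcp", 443),     # DoH: not caught
    ]
    for p in samples:
        print(f"{p.iface:5} {p.src:>14} -> {p.dst}:{p.dport}/{p.proto}: {steer(rules, p)}")
```

The last sample is the limitation the post points at: a port-53 redirect says nothing about DNS over HTTPS on 443 or DNS over TLS on 853, which is why a separate control (the poster mentions ZenArmor) is needed for those.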
Title: Re: Setting up AdGuard Home for only some subnets?
Post by: zz00mm on March 01, 2022, 09:22:17 pm
@KHE, great idea, I'll try this out on a test FW before I change the main FW. Thanks
