Messages - alto

#1
Quote from: 9axqe on February 27, 2024, 08:59:13 AM
AGH has the ability to "rewrite" DNS as well, so you can make your own domain point to local IPs using just AdGuard Home. Hence you could put AdGuard first (and maybe you don't need dnsmasq at all anymore?).

Just an idea.

That's excellent, I didn't know AGH could do that with wildcards and exclusions, but it actually can.
I set up AGH to do the same as I've done with dnsmasq so far, and it seems to work correctly, so I'll be uninstalling dnsmasq and the end result is a simplified setup, very nice!
#2
I feel like I need to jump in here and ask for some AdGuard help as well. I'm having issues configuring dnsmasq+adguard on opnsense to be able to distinguish which clients are making which DNS lookups (i.e. retain local client IPs).

I currently have the requests going like `client -> dnsmasq (53) -> adguard (53530)`. The reason why I have dnsmasq is because I own a domain that I route to an internal reverse proxy on the LAN, so dnsmasq is resolving mydomain.com to a local IP and forwarding the rest to AdGuard.

The thread is very long at this point, so apologies if this has already been answered, but how can one go about setting things up so that AdGuard will be able to display the local client IPs in the dashboard, and not just 192.168.1.1 when forwarding via dnsmasq on the opnsense device?
#3
No takers? Is this to say that what I'm looking for can't be done with dnsmasq and/or opnsense?
#4
I'm running dnsmasq as my main dns handler on opnsense, because I split dns for some local use cases.
Recently I set up AdGuard Home and noticed that there is only one client ip shown, 192.168.1.1 of the router.
This I assume is due to dnsmasq acting as a dns proxy to adguard for all requests going out to the public internet.

To summarize my requests go: client -> dnsmasq (53) -> adguard (53530) -> wan

Is there a way to configure dnsmasq and AdGuard so that requests passing through dnsmasq retain the client ip information which can then be properly displayed by AdGuard Home dashboard?
#5
General Discussion / UPnP device discovery across VLANs
November 06, 2023, 09:02:30 AM
I'm trying to set up a streamer on a separate IoT network in my LAN so that the Symfonium android app can cast via UPnP to that device from a trusted network, keeping the streamer isolated from other devices but still accessible for casting.

Symfonium is the casting app, with a Wiim Pro streamer and a subsonic media server source. The media server and Symfonium phone are on VLAN "Trusted", and the Wiim Pro is in another VLAN "IoT".

The problem I'm having is that both the android apps for Spotify and Wiim can reach the streamer across my VLANs (I have set up mDNS multicast across the networks), however Symfonium is unable to find the streamer as a UPnP device if the phone is connected to the trusted network. If I connect the phone Wi-Fi to the IoT network, then Symfonium immediately finds the streamer and can cast audio.

I'm wondering what network configuration is needed, or even possible, in order to have UPnP traverse across VLANs?
Additional information:

I have temporarily enabled full network access between the VLANs to minimize any other sources of error. I also have firewall rules opening traffic to 224.0.0.251:5353 both ways between the VLANs to support mDNS multicast, along with an mDNS repeater between the networks.

Summary

  • Spotify and Wiim apps can discover the streamer device across VLANs
  • Symfonium can not discover the streamer across VLANs
  • Symfonium can discover the streamer if connected to the same VLAN
  • Firewall rules are in place to support cross-network discovery with mDNS
  • All other traffic between the two VLANs is currently open in order to mitigate other sources of error.
#6
Quote from: newsense on September 17, 2023, 11:02:09 PM
It's likely you'll have DHCP reservations for VPN clients so might as well provision the public resolver in the reservation profile

I'm not following, how does DHCP affect what DNS lookups I can make from inside my LAN?
#8
I think I found the issue. I had accidentally set the egress rule from the Wireguard network to the internet to invert the source, i.e. it said "! Wireguard net -> allow egress to internet", which didn't work of course.
#9
Quote from: Patrick M. Hausen on September 10, 2023, 01:09:32 PM
Use tcpdump on all relevant interfaces to observe where packets start to fail.

I tried packet capture between two sets of interfaces.

First from WireGuard to Trusted, here I can successfully ping an IP in the Trusted network and packet capture shows me the packets as expected.

Then I tried WireGuard to WAN interface and netcatting 1.0.0.1 port 53, in this case netcat fails to reach the destination and packet capture doesn't catch anything either.

I'm not sure what else I can look at, what path are the packets expected to take from the WireGuard interface?
#10
Quote from: Patrick M. Hausen on September 10, 2023, 12:09:22 PM
Do you have a matching outbound NAT rule on your WAN interface?

Yes, there is an auto-created outbound NAT rule for all networks, including the WireGuard one.
#11
I have a situation where I want to do this:

Resolve *.example.com to 192.168.10.10
Resolve vpn.example.com to 1.1.1.1

I.e. I use example.com for all services in my LAN *except* for my VPN which I want to resolve from a public dns server instead.
How do I properly set this up?

I have *.example.com as a host override, but that resolves vpn.example.com to 192.168.10.10 as well

I have tried these additional settings to try to make an exception for vpn.example.com:
  • Set query forwarding for vpn.example.com to 1.1.1.1 -> host override takes precedence
  • Set a domain override for vpn.example.com to 1.1.1.1 -> host override takes precedence
  • Set an additional host override for vpn.example.com to 192.168.1.1 -> causes DNS slowdown/loop (even if pointed to some dummy address like 66.66.66.66)

So is there a way to actually do this with Unbound DNS or do I need to move this to the AdGuard Home plugin DNS, dnsmasq or something else?
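For reference, the precedence problem above can be expressed directly in Unbound's own configuration, added here as an illustration and not taken from the thread or from OPNsense's generated config: it relies on Unbound choosing the most specific (longest) local-zone match, and reuses the names and addresses from the post.

```conf
server:
    # Wildcard: every name under example.com answers with the LAN reverse proxy.
    # "redirect" serves the zone apex data for all subdomains beneath it.
    local-zone: "example.com" redirect
    local-data: "example.com A 192.168.10.10"

    # Exception: a more specific local-zone takes precedence over its parent.
    # "transparent" with no local-data for this name means the query is
    # resolved normally instead of being answered from the redirect above.
    local-zone: "vpn.example.com" transparent

# Normal resolution for vpn.example.com goes to the public resolver only.
forward-zone:
    name: "vpn.example.com"
    forward-addr: 1.1.1.1
```

With this, foo.example.com returns 192.168.10.10 while vpn.example.com is looked up at 1.1.1.1 and never touches the local data.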
#12
I've followed the Wireguard Road Warrior setup guide and HomeNetworkGuy's guide for the same thing to set up my Wireguard server and clients. I have my client able to connect to the server, but I can't reach the internet.

What I have so far is:

  • Wireguard interface with assignment
  • Client / server Wireguard configuration working, client is able to connect
  • Firewall rule for the Wireguard network set to allow access to port 53 on the Wireguard address
  • Firewall rule for the Wireguard network set to allow access to all non-RFC1918 networks
  • Firewall rule for the Wireguard network set to allow access to my "Trusted" network
What I want to end up with is that my connected WG clients should be able to access clients on the "Trusted" network and the internet. I'm currently able to ping hosts on the Trusted network, so this seems to be working okay for now.

My WG client isn't able to ping 192.168.1.1 for DNS (I'm looking to use the Unbound DNS server with query forwarding to the AdGuard Home plugin for ad filtering). I'm not sure if I'm supposed to be able to, or if this should go through 192.168.100.1 (192.168.100.0/24 is my WG network). I'm also not able to ping 1.1.1.1 from the WG client, which I don't quite understand since I have a rule that allows traffic to all non-private networks and both guides state that NAT egress rules should be automatically created?

Currently I have all firewall rules set up on Wireguard interface, nothing on the "Wireguard (Group)" entry in the firewall rules list, this is empty and I'm not sure what to do with it as it's not mentioned in any of the guides.
#13
Hardware and Performance / DEC2750 purchase advice
July 19, 2023, 04:20:13 PM
Hello friends,

I'm looking at getting some new rack mounted hardware, the DEC2750 looks quite nice and is within my price range.
My home (and homelab) use case consists of:

  • Running multiple VLANs, some isolated - home LAN, Wireguard network, IoT (isolated)
  • Running a multitude of wireless APs as I'm soon moving to a larger house
  • Running a Wireguard server for remote connections into the LAN
  • Running Netmaker (in the future, whenever it matures and OPNSense support is implemented)
If the DEC2750 is a poor choice for this, please let me know as I'm looking to place an order within the coming days.
My thinking is that the hardware should be good enough, power efficient, and the purchase would support the OPNSense project somewhat.

Two things I would need some clarification for:

  • Can I plug in both an ethernet cable or SFP+ to the DEC2750 for the WAN access? Or is it only SFP+ on this unit?
  • What hardware should I look at to extend the number of RJ45 ports for connecting devices? I'm not that familiar with the differences between switches and how you usually connect these together with a device like the DEC2750, so any information and advice on this is much appreciated. (mainly considering performance and network isolation capabilities, but I might be overlooking something)