AdGuard Home + Unbound + DHCP all on one Opnsense install

[fixjunk]

Two scenarios I'm curious about, maybe this is an easy answer so I will start with the easy question:

SCENARIO 1:
If I run both AGH and Unbound on my Opnsense install and MOST of my users want their ads blocked but ONE (my wife) does not, how do I configure her static DHCP entry?

Let's say I do what most people do: Unbound on some nonstandard DNS port (let's say 65353) and AGH on 53 and my opnsense machine is at 10.0.0.1. I'd set DHCP to hand out 10.0.0.1 to everyone by default but override with... what exactly on my wife's static DHCP entry? Can I add a port to the a DHCP DNS entry? I couldn't find out how.

SCENARIO 2:
Let's say I want to run both AGH and Unbound on port 53. Can I set up a virtual IP for one of them? How?

Remember these are both running on the 10.0.0.1 Opnsense machine.

Thanks!

[buffmenot]

I'm a newcomer to Opnsense so take it with a grain of salt. I'm recently set up Opnsense on bare metal with AGH on port 53 and unbound on xxx53, essentially AGH > Unbound. In Opnsense, I added a static IP to the client that wants ads. Then in the AGH > Settings > Client settings, add a persistent client: in the Identifier, enter that clients static IP and under Protection, uncheck Use global settings. This should allow that client to passthrough your AGH.

[cookiemonster]

spot on. Create a static lease in OPN identified by the MAC address of the client. That will ensure that they always get the same IP address on your network. Then it will always be the same ip also in AdgH.
Alternatively the MAC can also go as the identifier of the client on AdgH but above is neater, as you can then also apply other firewall rules if wanted/needed on OPN for it.
The only gotcha is if the client is a device that can and has randomised MACs enabled.

Scenario 2:
Don't run two services on the same port, it'll cause confusion on clients and they won't know if going to one or another service on the same port. \if you tried on the same machine, OPN or any, one of them will refuse to start, as the port will be in use already. Which one will fail? The second one, whichever gets to it last.

[fixjunk]

Thanks. I'll see about moving unbound to another port.

Looks like AGH allows me to enter multiple IP addresses for the client (phone, laptop, etc) which is nice.

It would be awesome if I could choose which lists to apply to specific clients without having to do 100% custom filters. I want to block all the obviously malicious sites but not ads for certain people.

[cookiemonster]

> It would be awesome if I could choose which lists to apply to specific clients without having to do 100% custom filters. I want to block all the obviously malicious sites but not ads for certain people.

yes it would. I suggest to check with AdgH in Github. Surely someone before has already asked.