WireGuard + AdGuard Home plugin: DNS works but no Internet if DNS is forced to

Started by user89, Today at 01:11:35 PM

Hi everyone,

I'm looking for help with an OPNsense setup that mostly works, but breaks when I enforce DNS filtering on a VLAN that uses policy routing through WireGuard.

Environment

Firewall / Router: OPNsense 25.7.10

VPN: WireGuard client to Mullvad

DNS: AdGuard Home official OPNsense plugin

WireGuard: running directly on the OPNsense router

Clients: smartphones, PCs, IoT devices


Network layout

  • LAN: 192.168.100.0/24
      OPNsense: 192.168.100.1

  • VPN / IoT VLAN: 192.168.41.0/24
      Interface: vlan_unifi_wifi_VPN
      Gateway: 192.168.41.1

  • WireGuard tunnel address: 10.x.x.x/32 (Mullvad)




Gateway configuration

(System → Routing → Gateways)

WAN gateway

Interface: WAN (DHCP)

Default gateway: Yes

Used for normal LAN traffic



WireGuard (Mullvad) gateway

Interface: WireGuard

Name: Mullvad_WG_GW

Default gateway: No

Monitor IP: configured (public IP / 1.1.1.1)

Status: Online

Used only via policy routing in firewall rules



Goal (important)

I'm intentionally using this design because:

  • the vlan_unifi_wifi_VPN network contains IoT devices

  • all clients on this VLAN must use filtered DNS

I want:

  • to force DNS traffic to AdGuard Home

  • to filter selected DNS queries (ads / tracking / domains)

  • after DNS filtering, to route all Internet traffic via WireGuard (Mullvad)

Using AdGuard is not optional in this VLAN.



What works

WireGuard itself works:

  • ping from WireGuard tunnel → 8.8.8.8 ✅
  • ping from 192.168.41.1 → 8.8.8.8 ✅
  • Outbound NAT on WireGuard is in place and working
  • Mullvad gateway is online
  • AdGuard Home receives DNS queries from the VPN VLAN
  • If I don't force DNS, Internet access works from the VPN VLAN
  • Using WireGuard directly on a phone (WG app) works perfectly


Problem

  • When I enable DNS firewall rules on the VPN VLAN:
      • AdGuard receives the DNS queries
      • DNS resolution works
      • BUT clients have no Internet access
      • clicking links → timeout
      • many apps fail to load

👉 If I disable the DNS firewall rules on vlan_unifi_wifi_VPN, Internet works immediately




Firewall rules – vlan_unifi_wifi_VPN

(order top → bottom)

1) Allow DNS to AdGuard

Action: PASS

Source: 192.168.41.0/24

Destination: 192.168.100.1

Port: 53 TCP/UDP

Gateway: default

2) Internet via Mullvad (policy routing)

Action: PASS

Source: alias VPN_Machines

includes 192.168.41.100–200

Destination: !RFC1918

Gateway: Mullvad_WG_GW

3) Block external DNS

Action: BLOCK

Source: 192.168.41.0/24

Destination: any

Port: 53 TCP/UDP
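As an added example, not part of the original post: a Python model of first-match evaluation over the three vlan_unifi_wifi_VPN rules above (OPNsense interface rules are "quick" by default, so the first matching rule wins). The addresses and the alias range come from the post; the sample flows are constructed. It shows that for a host inside VPN_Machines, a query to an external resolver on port 53 already matches rule 2 and is passed via Mullvad, so rule 3 never gets to block it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

IPv4 = ipaddress.IPv4Address
VLAN = ipaddress.ip_network("192.168.41.0/24")      # vlan_unifi_wifi_VPN
ADGUARD = IPv4("192.168.100.1")                      # AdGuard Home on OPNsense
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_vpn_machines(ip: IPv4) -> bool:
    # alias VPN_Machines as described in the post: 192.168.41.100-200
    return IPv4("192.168.41.100") <= ip <= IPv4("192.168.41.200")

def is_rfc1918(ip: IPv4) -> bool:
    return any(ip in net for net in RFC1918)

@dataclass
class Rule:
    name: str
    action: str
    src: Callable[[IPv4], bool]
    dst: Callable[[IPv4], bool]
    dport: Optional[int]            # None means any destination port
    gateway: Optional[str] = None   # None means the system default gateway

# The three interface rules from the post, in their top-to-bottom order.
RULES = [
    Rule("1) Allow DNS to AdGuard", "PASS", lambda s: s in VLAN, lambda d: d == ADGUARD, 53),
    Rule("2) Internet via Mullvad", "PASS", in_vpn_machines, lambda d: not is_rfc1918(d), None, "Mullvad_WG_GW"),
    Rule("3) Block external DNS", "BLOCK", lambda s: s in VLAN, lambda d: True, 53),
]

def evaluate(src: str, dst: str, dport: int) -> tuple:
    """First-match evaluation: return (rule name, action, gateway) for a flow,
    or the implicit default deny when no rule matches."""
    s, d = IPv4(src), IPv4(dst)
    for r in RULES:
        if r.src(s) and r.dst(d) and (r.dport is None or r.dport == dport):
            return (r.name, r.action, r.gateway)
    return ("implicit default deny", "BLOCK", None)

if __name__ == "__main__":
    # Constructed sample flows: one host inside the alias, one outside it.
    for flow in [("192.168.41.150", "192.168.100.1", 53),   # DNS to AdGuard
                 ("192.168.41.150", "203.0.113.10", 443),   # HTTPS to the Internet
                 ("192.168.41.150", "8.8.8.8", 53),         # DNS to an external resolver
                 ("192.168.41.50", "8.8.8.8", 53),          # same, host outside the alias
                 ("192.168.41.50", "203.0.113.10", 443)]:
        print(flow, "->", evaluate(*flow))
```

Placing the block rule above the policy-routing rule (or excluding port 53 from rule 2) makes the evaluation order match the stated intent of forcing every client onto AdGuard.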



Firewall rules – LAN

Allow LAN net → any
(no restrictions during troubleshooting)


Additional checks

  • Firewall states reset multiple times
  • Outbound NAT in Hybrid mode
  • Explicit NAT rule:
      • Interface: WireGuard
      • Source: 192.168.41.0/24
      • Translation: Interface address
  • WireGuard MTU set to 1420
  • Tried MSS clamping via Firewall → Settings → Normalization
  • No obvious blocks in firewall logs



Questions

  • Is this the correct approach to force DNS through AdGuard on a policy-routed VLAN?
  • Are there known issues between:
      • AdGuard Home plugin
      • policy routing with WireGuard
      • blocking external DNS
  • Am I forcing/blocking DNS in the wrong place?
  • Would floating rules / reply-to / normalization be required here?





Screenshots available for:

gateways

VLAN firewall rules

LAN firewall rules

outbound NAT

WireGuard

AdGuard Home

Thanks in advance for any insight.

I can see now that many people have problems with DNS after upgrading to 25.7.10, but with the previous version I had the same issue as well.

Other interfaces are sending queries to AdGuard Home and work fine. The only issue is when I connect through WireGuard (Mullvad).