AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

As a NAT - Port Forward rule?

In the past, when I was using Pi-hole on a Raspberry Pi, I was using this rule to forward all DNS traffic to the Pi-hole.
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

Is there a way to change the listen interfaces in AdGuard?
During the first setup I selected only my physical LAN interface and not the VLANs. Maybe this is the fault.

January 29, 2022, 09:15:33 PM #137 Last Edit: January 29, 2022, 09:17:07 PM by yeraycito
You can't, you have to uninstall and reinstall it. The DNS rule is not a port forward, you have to create it in Firewall - Rules - IOT and put it at the top. When installing AdGuard, configure it on all interfaces.

With this configuration of OPNsense and AdGuard, is it necessary to create a NAT unbound rule to force all hardcoded devices like Google Home to use my provided DNS server?

So now with all interfaces selected during the initial setup it's working.

I'm trying to set AdGuardHome to work as the DNS for 4 VLANs:

LAN: 10.0.0.0
HOME: 10.1.0.0
LAB: 10.2.0.0
IOT: 10.3.0.0

On each interface, I have set the interface IP as the DNS server.
All VLANs have been set with a port forward rule to capture the DNS requests and pass them to 127.0.0.1:53.

AdGuard works fine on LAN and HOME, but not on LAB and IOT: I get no resolution, and if I dig, I receive an error: "reply from unexpected source: 10.0.0.1#45443, expected 10.3.0.1#53"
If I set the LAB or IOT DNS server to 10.0.0.1 (LAN address), it works.

I do not understand -- HOME works just fine with the DNS server set as HOME address, but LAB and IOT fail with DNS server set as their interface addresses.

Any suggestions as to why this is the case?

Do you maybe have an inter-VLAN routing deny rule on both VLANs?

I got it working now by following these instructions:
https://labzilla.io/blog/force-dns-pihole

But I also had to add a DNS-Allow rule on top of all other rules for the different networks.
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#1-allowing-only-specific-dns-servers

Now my network clients are using AdGuard and the internal DNS resolver, including devices with hardcoded DNS like the Google Nest Mini.

February 02, 2022, 01:04:42 AM #143 Last Edit: February 02, 2022, 02:58:31 AM by namnnumbr
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

I don't see how an inter-VLAN deny rule would allow me to access across VLANs (IoT -> LAN) but not allow IoT -> IoT address (although it's entirely possible I've messed up somewhere)...  Additionally, I have the automatic NAT rule created, which should allow access to interface_address:53.

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.

Quote from: namnnumbr on February 02, 2022, 01:04:42 AM
Thanks for the resources.  If I can't resolve it tonight, I guess I'll try rebuilding from scratch and try to follow these instructions.

When you set up outgoing NAT, did you set it up per interface?
I've tried outgoing NAT, and it doesn't make a difference.  I wasn't sure I was doing it right, so I tried various permutations of LAN/IOT for interface, source, and destination.  Still receiving the same error.

I will do some screenshots from my rules this afternoon, I think this will explain it better than with my words.

I have not set up the NAT rules for each interface. I have created a group with all related networks, including VLANs.
I will also do some screenshots from the NAT rules.

Here are my two Port Forward rules and the Outbound rule.
local_Networks is a group and the members are all my related networks, e.g. LAN, IoT, ...

Furthermore, I have created for all these networks a "pass DNS to internal server" rule and below it a "block any external DNS server" rule.

I hope this will help you set up your firewall.

How do I change the HTTP port/etc once it's been set up. It looks like it's a one time deal.

Also, how do you set up the DoT?

I think you are right, it's a one-time deal.

For DoT I use Unbound. But in AdGuard, just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.

Quote from: ChrisChros on February 02, 2022, 04:48:54 PM
Here are my two Port Forward rules and the Outbound rule.
local_Networks is a group and the members are all my related networks, e.g. LAN, IoT, ...

Furthermore, I have created for all these networks a "pass DNS to internal server" rule and below it a "block any external DNS server" rule.

I hope this will help you set up your firewall.

Just to show another option:

I do my LAN rule a little differently.  The first one blocks everything but my AdGuard Home server from reaching outside DNS, using an alias containing a list of public DNS servers.  This helps prevent clients from using DoT and DoH to bypass the NAT port forward.  The second rule is generated from the NAT port forward.

The "Public_DNS" alias contains https://public-dns.info/nameservers-all.txt

DEC850
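As an added illustration (not code from any poster, and not an OPNsense configuration), the following Python model plays the rule set described in the two posts above, the port forward to the local resolver, the "pass DNS to internal server" rule, and the "block external DNS/DoT" rule with the AdGuard host exempted, against constructed client flows; it applies the redirect first and then the filter rules top-down, first match wins, which is the order pf uses. The network ranges, the AdGuard host 10.0.0.50 and the stand-in Public_DNS ranges are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed policy modelled on the thread: the four VLANs as local_Networks,
# the interface addresses clients are handed as DNS, a host running AdGuard Home,
# and a few ranges standing in for the Public_DNS alias (all assumed values).
LOCAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]
INTERFACE_ADDRS = {ip_address(a) for a in ("10.0.0.1", "10.1.0.1", "10.2.0.1", "10.3.0.1")}
ADGUARD_HOST = ip_address("10.0.0.50")
PUBLIC_DNS = [ip_network(n) for n in ("8.8.8.0/24", "1.1.1.0/24", "9.9.9.0/24")]
LOCAL_RESOLVER = ip_address("127.0.0.1")
DNS_PORTS = {53, 853}  # plain DNS and DNS over TLS

def in_any(addr, nets):
    return any(addr in n for n in nets)

def redirect(src, dst, dport):
    """NAT stage (runs before the filter): a port-53 query from a local network that is
    not already aimed at the firewall itself is rewritten to the local resolver.
    The AdGuard host is excluded so its own upstream queries are not looped back."""
    if (in_any(src, LOCAL_NETWORKS) and src != ADGUARD_HOST
            and dport == 53 and dst not in INTERFACE_ADDRS):
        return LOCAL_RESOLVER, 53
    return dst, dport

def filter_rules(src, dst, dport):
    """Filter stage on the translated flow, top-down, first match wins. The pass rules
    sit above the block rule, as the thread says the DNS allow rule must be on top."""
    if dport in DNS_PORTS and (dst in INTERFACE_ADDRS or dst == LOCAL_RESOLVER):
        return "pass"      # pass DNS to the internal resolver
    if src == ADGUARD_HOST and in_any(dst, PUBLIC_DNS):
        return "pass"      # AdGuard itself may reach its upstreams (53 or 853)
    if in_any(src, LOCAL_NETWORKS) and dport in DNS_PORTS:
        return "block"     # any other external DNS or DoT from local networks
    return "no-match"      # not a DNS flow; left to the rest of the ruleset

def evaluate(src, dst, dport):
    """Return (verdict, translated destination, translated port) for one flow."""
    src, dst = ip_address(src), ip_address(dst)
    new_dst, new_port = redirect(src, dst, dport)
    return filter_rules(src, new_dst, new_port), str(new_dst), new_port

if __name__ == "__main__":
    # Constructed flows: a hardcoded IoT device, a normal client, a DoT bypass
    # attempt, and AdGuard talking to its own upstream.
    for flow in (("10.3.0.20", "8.8.8.8", 53), ("10.3.0.20", "10.3.0.1", 53),
                 ("10.3.0.20", "1.1.1.1", 853), ("10.0.0.50", "9.9.9.9", 853),
                 ("10.0.0.50", "8.8.8.8", 53)):
        print(flow, "->", evaluate(*flow))
```

Swapping the order of the block rule and the first pass rule in `filter_rules` makes every redirected query hit the block, which is the symptom the thread fixes by putting the allow rule on top.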

Quote from: ChrisChros on February 02, 2022, 05:45:34 PM
I think you are right, it's a one-time deal.

For DoT I use Unbound. But in AdGuard, just type the TLS server address in the upstream DNS server field. Examples are also shown on the DNS settings page.

Thanks.  I uninstalled it since it does not support regex in whitelist...