AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

I have a question regarding the Blocked services.

I see that there is an option to pause the blocking. Can someone confirm if there's a way to pause blocking only for certain services instead of pausing the block for all services?

For example, I just want to unblock YouTube from 6PM to 7AM on weekdays and all day on Sat and Sun. I don't want to pause the blocking of any other services. Can this be achieved with the current Pause Blocking feature?

I don't know the answer to your question. I would recommend asking this on AdGuard Home's own forums, as this is unrelated to OPNsense:
https://github.com/AdguardTeam/AdGuardHome/discussions

I think you can achieve this with a per-client setting: AdGuard Home - Settings - Client settings - Persistent clients, Add client. In there you can specify the "Pause service blocking" for that client, day and time.
Deciso DEC850v2

I didn't want to do it per client. I just want the service available to all clients during a specified time. However, I don't want to unblock all the other services.

Looks like that is not possible at the moment with AdGuard Home

Does anyone have issues with the OPNsense update mechanism since installing the mimugmail repository for AdGuard? I still haven't removed it to test whether that really is the issue, but since I installed it, updates take a couple of minutes to load and plugins need like 3-5 minutes to show up. And God forbid you change the menu and go back, the process begins again.

April 18, 2024, 11:02:52 PM #305 Last Edit: April 19, 2024, 04:51:49 AM by yahyoh
Hey Guys,

I just want to double check:

Is it OK to bind the 0.0.0.0 interface instead of choosing the local IP address?

I faced some issues with binding only local LAN & 127.0.0.1 & ::1, where out of nowhere it stopped forwarding DNS to clients (even after adding a firewall rule), so I changed the listening interfaces to 0.0.0.0 and I noticed it started working again, and AGH now seems to be resolving IPv6 clients' requests, not just IPv4.

Edit: NVM, AGH stopped receiving DNS requests again, had to add router IP as DNS servers in OPNsense settings to get it to work!! I don't even know if that's the right solution tbh..

Hi, I hope someone can assist me here?

I've installed AGH on my OPNsense router. I kept the default port of 3000, but I can only administer it from the subnet/interface that I installed it from (192.168.50.x). I've created some additional fw rules to attempt access from a wifi network (192.168.61.x) as I have multiple VLANs, but no success. Am I missing something?

Has anyone else found a fix for this?

thanks

I think you need to edit the "/usr/local/AdGuardHome/AdGuardHome.yaml" and bind against the IPs of the router in each subnet. Or, alternatively, you must route between subnets.

Are you able to ping from the second subnet anything in the first subnet?

Hi

I'll check the YAML file, but I can see in the settings the IPs are bound to all the IPs of the router.

I would have thought that AGH was accessible from the default gateway on each subnet and therefore I should be able to login to the admin console from the default gateway (192.168.61.1:3000) on each subnet or am I wrong?

thanks for your reply.

The YAML file looks like this. Looks like I need something different where the address is 192.168.50.1:3000, like 127.0.0.1???

http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.50.1:3000
  session_ttl: 720h
users:
EXCLUDED
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: en
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53

0.0.0.0:3000 probably.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
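The bind-address question above, as an added example that is not part of any post in this thread and is not AdGuard Home's own code: it reads `http.address` from a config shaped like the one quoted and reports whether the admin UI accepts connections addressed to a given router IP. `SAMPLE_YAML` is constructed from the keys shown in the post, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample mirroring the http/dns keys quoted in the post above.
SAMPLE_YAML = """\
http:
  pprof:
    port: 6060
    enabled: false
  address: 192.168.50.1:3000
  session_ttl: 720h
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
"""

def http_listen(yaml_text):
    """Return (host, port) from the top-level http.address key.

    Minimal line scanner for this one key, not a general YAML parser.
    """
    section = None
    for line in yaml_text.splitlines():
        if line and not line[0].isspace():
            section = line.split(":", 1)[0].strip()   # new top-level key
        elif section == "http" and line.startswith("  address:"):
            value = line.split(":", 1)[1].strip().strip("\"'")
            host, _, port = value.rpartition(":")
            return host.strip("[]"), int(port)
    raise ValueError("http.address not found")

def is_wildcard(host):
    """True for 0.0.0.0 or ::, i.e. the UI listens on every interface."""
    return ipaddress.ip_address(host).is_unspecified

def ui_reachable_on(yaml_text, local_ip):
    """True if the admin UI accepts connections addressed to local_ip."""
    host, _port = http_listen(yaml_text)
    if is_wildcard(host):
        # Wildcard bind: firewall rules are then the only access control.
        return True
    return ipaddress.ip_address(host) == ipaddress.ip_address(local_ip)

if __name__ == "__main__":
    for gw in ("192.168.50.1", "192.168.61.1"):
        print(gw, "admin UI reachable:", ui_reachable_on(SAMPLE_YAML, gw))
```

With `address: 192.168.50.1:3000` the UI answers only on 192.168.50.1, which matches the symptom described for 192.168.61.1:3000. A wildcard address makes it answer on every interface of the router, so port 3000 then needs firewall rules limiting it to the management networks.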

Until a few months back, I had a fully working setup with unbound and adguard home, until something happened (my guess is that an update broke something).

Short story is that devices within the DHCP range are not affected by blocked client services, not by IP and not by MAC.

If I add the device to a static DHCP outside of the DHCP range, it works. I have also checked which DNS server is used and the clients are shown using Cloudflare, which is set up in OPNsense and not in AdGuard.

Also, no clients have ad filtering applied (at least not that I can see the effect of).

adguard:

Upstream DNS
192.168.1.1:8053

Bootstrap DNS servers
192.168.1.1:8053

Private reverse DNS servers
192.168.1.1:8053

opnsense
Settings > General (checked)
Prefer IPv4 over IPv6
Allow DNS server list to be overridden by DHCP/PPP on WAN

unbound > general (checked)
enabled
listen port: 8053
DNSSEC support
Register ISC DHCP4 Leases
Register ISC DHCP Static Mappings
Flush DNS Cache during reload

unbound > DNS over TLS
ip 1.1.1.1
port 853
Verify CN cloudflare-dns.com

ISC DHCPv4
DNS entries empty

I think that's it.

Anything I have overlooked/misunderstood?

If you haven't configured a DNS IP under ISC DHCPv4, which is what I understand when you write "DNS entries empty", then I would say it is expected the device will not take adguard.

You need to configure the IPs adguard is listening to (which you can find in the "/usr/local/AdGuardHome/AdGuardHome.yaml" file).

May 27, 2024, 08:26:02 PM #313 Last Edit: May 27, 2024, 09:57:23 PM by stuffu
Hmm but to get a global setting that all devices are filtered through adguard, I don't need to specify them there? I use static dhcp as a workaround and don't really need static addresses on most devices.

Edit: Ok, understood and checked yaml, it points to opnsense ip, which I added in DHCP settings as well. Still no change.

It might take a while, DHCP lease has to expire or reach something like 75% or 50% of its lifetime to be automatically renewed. Disconnect/reconnect wifi on a client should trigger a new DHCP lease.

You could do a packet capture and filter for DHCP. DHCP is not encrypted and you should be able to see if it's sending the right DNS server IP to the clients.
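The check suggested in the last post, as an added example that is not part of the thread: given the UDP payload of a captured DHCP reply, it walks the options and returns the DNS servers (option 6) handed to the client. The payload here is built by `build_sample_ack`, a hypothetical helper producing a constructed DHCPACK, not a real capture; extracting the payload from a pcap is assumed to be done separately.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255

def parse_dhcp_options(payload):
    """Return {option_code: raw_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:           # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def dns_servers(payload):
    """DNS servers (option 6) the DHCP server hands to clients."""
    raw = parse_dhcp_options(payload).get(OPT_DNS, b"")
    if len(raw) % 4:
        raise ValueError("option 6 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]

def build_sample_ack(dns_ips):
    """Constructed DHCPACK payload for the demo (not a real capture)."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)   # op=BOOTREPLY, Ethernet
    dns = b"".join(ipaddress.IPv4Address(ip).packed for ip in dns_ips)
    options = bytes([OPT_MSG_TYPE, 1, 5, OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    # 192.168.1.1 is the router address used in the thread's upstream settings.
    print(dns_servers(build_sample_ack(["192.168.1.1"])))
```

If the list returned for a real lease does not contain the address AdGuard Home listens on, the clients are being pointed at another resolver and will bypass the filtering.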