AdGuard Home setup guide

Started by N0_Klu3, March 19, 2021, 10:54:50 PM

@ChrisChros, @Fawkesguy -- thanks much for taking the time to share screenshots of your setup! I think I have a pretty good idea of what should work. Unfortunately, I'm still not getting an appropriate response (i.e., for some reason my IoT network (10.3.0.0/24) thinks it's getting a response from the LAN interface (10.0.0.1)).

... which suggests to me that I probably have issues either elsewhere in my firewall rules or a bit of a hinky opnsense install.

I'll probably spend the weekend wiping and resetting everything...

February 03, 2022, 06:52:43 AM #151 Last Edit: February 03, 2022, 02:20:42 PM by ChrisChros
A short update to my rules. They are not working as expected. I have two Google devices connected to my IoT network. The Google Home mini is working without any issues, but the Google Nest mini does not want to establish an internet connection.
I can see in the live log that 10.10.10.22 (Nest mini) is caught by the rdr rule every second, while the Home mini (10.10.10.23) has more or less no entries.

Nest mini and Home mini are more or less the same devices, but the behavior is completely different to my NAT rules.
Any suggestions on what is going wrong with my rules?
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

So I think I have it now.
I checked all my port forward rules and realized that NAT reflection was set to "Use system default"; this has to be set to "Disabled".
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

@ChrisChros,
I followed your https://labzilla.io/blog/force-dns-pihole
guide to the AdGuard Home plugin on OPNsense. This works like it should for [Test it out] - point 4

but when doing [Test it out] - point 5 "by temporarily disabling the first NAT rule" I get
;; connection timed out; no servers could be reached

Do you know what can cause this?
Deciso DEC850v2

Unfortunately not. I only performed Test 4.

After that I was happy that my hardcoded DNS devices were able to connect to the inet.
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

February 05, 2022, 07:58:33 AM #155 Last Edit: February 05, 2022, 08:19:32 AM by RamSense
Ah ok.
Well, the difference I have with your guide vs what I had is that instead of nslookup always showing my AdGuard IP (OPNsense IP), now when you try to bypass with e.g. 1.1.1.1 it seems to come from 1.1.1.1 but actually AdGuard is doing the DNS. Sounds better than what I had, so great.

Only test 5 fails; I'm curious if that is working at your end.

*update*
Got it working. I had a firewall-rules-lan block #53 still there :-)
When removed, test 5 works like it should. It seems that with your bypass guide solution I can delete this block rule while all is going to be pushed to AdGuard now (normal and hardcoded), or does somebody else have another opinion?
Deciso DEC850v2

So what I observed today is a little bit strange.
My Google Nest mini was not able to connect to the internet this morning. In AdGuard I can see that at 2 AM the DNS queries rose from 2500 to 18000. No changes have been done to the firewall rules during that time.
Does anybody else have a similar behavior?
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

Do you use IPv6?
I still have some problems with ipv6 on opnsense 22.1
if yes, try stop and start Services-DHCPv6 and stop and start services-Router Advertisements
and see if that gets your nest mini back on
Deciso DEC850v2

I do not use IPv6, it is completely deactivated. I do not see the benefit for home use.
XSK NUC Intel Celeron J3160 aka Protectli FW4B, 8GB RAM
OPNsense 22.1

For the record, part of my problem was that my port forward rules were for TCP only... and DNS is UDP.  So fixing that helped.

The other part of my problem was an overly complex and janky vpn setup between OPNsense and my switch.

Everything is working cleanly now.
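A small checker, added here as an example (not code from any post in this thread or from the labzilla guide), for the tests in RamSense's post above and the TCP/UDP point in the post just above: it sends a query for a blocklisted name straight to an outside resolver, over UDP and again over TCP, and reports whether the NAT rule redirected it to AdGuard, a block rule dropped it, or it leaked out. It assumes dig is installed, that AdGuard answers blocked names with 0.0.0.0 (its default blocking mode), and that TEST_DOMAIN is replaced with a name your blocklist covers.

```python
"""Classify what happened to a DNS query sent straight to an outside resolver.

Added example for this thread, not code from any post or from the labzilla
guide. Assumptions: dig is installed; AdGuard Home answers blocked names with
0.0.0.0 (its default blocking mode); TEST_DOMAIN is on one of your blocklists.
"""
import re
import subprocess

TEST_DOMAIN = "ads.example"   # placeholder: use a name your blocklist covers
SINKHOLE = "0.0.0.0"          # assumed AdGuard blocking response


def parse_dig(output: str) -> dict:
    """Extract the answering server and A records from dig's text output."""
    server = re.search(r";; SERVER: ([0-9a-fA-F.:]+)#\d+", output)
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)$", output, re.M)
    return {
        "timed_out": "no servers could be reached" in output,
        "server": server.group(1) if server else None,
        "answers": answers,
    }


def classify(parsed: dict, sinkhole: str = SINKHOLE) -> str:
    """Map a parsed dig result to what it says about the DNS NAT rules."""
    if parsed["timed_out"]:
        # Nothing answered at all: a block rule matched before (or instead
        # of) the redirect, like the stale LAN block rule found in the thread.
        return "BLOCKED"
    if parsed["answers"] and all(a == sinkhole for a in parsed["answers"]):
        # dig shows the outside resolver as SERVER, yet the answer is
        # AdGuard's sinkhole: the rdr rule handed the query to AdGuard.
        return "REDIRECTED"
    if parsed["answers"]:
        # A real address came back, so the query reached the outside resolver.
        return "LEAKED"
    return "UNKNOWN"


def run_check(resolver: str = "1.1.1.1", tcp: bool = False) -> str:
    """Query the outside resolver over UDP (default) or TCP and classify."""
    cmd = ["dig", f"@{resolver}", TEST_DOMAIN, "A", "+time=2", "+tries=1"]
    if tcp:
        cmd.append("+tcp")   # a TCP-only or UDP-only rdr rule shows up here
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify(parse_dig(proc.stdout))


if __name__ == "__main__":
    print("udp:", run_check(), "tcp:", run_check(tcp=True))
```

Run it from a client on the VLAN whose rules you are testing; a mismatch between the udp and tcp verdicts means the redirect rule covers only one of the two protocols.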

I recently acquired a NanoPi R4S. Amazing router, and trivial to run OPNsense. However, the mimugmail repo doesn't work on aarch64.

Which leads to the question of why it's even necessary.

Installing the mimugmail repo already implies SSH access to run the requisite `fetch` command. So why not simply `fetch` the FreeBSD-native AdGuard Home? At that point, you just have to extract the archive, and then follow AdGuard's own installation steps. Nothing terribly complicated there, beyond knowing that OPNsense is FreeBSD-based, and what architecture you are running (likely 95%+ AMD64).

Yes, AdGuard will complain that port 80 is in use. Pick another one! (3000 works, unless you are running Grafana on the same host. 8080 works too, unless you are running nginx on that port.)

If you don't stop unbound, it will complain about port 53, too, but you can either move adguard (and then point unbound to adguard), move unbound to a different port, or stop unbound. (adguard already does most of what unbound does).

As an alternative, you can load AdGuard (and other!) lists into unbound. A few years ago I wrote a script to "manage" black- and white-lists with unbound (whitelists being local overrides to the public lists, much like AdGuard does), but I abandoned that work after I found AdGuard Home and realized they had already solved (better!) the big problem I was trying to solve: given a device trying to access a site, how do I know which site is blocked. It's easy to whitelist the site, but fairly difficult to parse the logs to see. AdGuard gives me a simple interface to see that, and with a click I can whitelist the domain, either everywhere, or just for that one device.

I really don't think a scratch install is any more complicated than installing a custom repo...

February 08, 2022, 06:41:38 PM #161 Last Edit: February 08, 2022, 06:46:37 PM by RamSense
I understand your view and opinion. But me for instance, I like the plugin concept. Being able to control OPNsense and additions from the GUI makes it easy and clear, gives a feeling of control compared to having to go to the terminal / having to go and enable SSH for every install, which feels a bit of a threshold for me. I also like being able to get into the GUI and control things in OPNsense while being away, by VPN and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)

ps. But there are improvements / wishlist: It would be great being able from within the plugin/gui to backup the config of adguard home with all dns-settings,used lists and custom rules.
Deciso DEC850v2

Quote from: RamSense on February 08, 2022, 06:41:38 PM
I understand your view and opinion. But me for instance, I like the plugin concept. Being able to control OPNsense and additions from the GUI makes it easy and clear, gives a feeling of control compared to having to go to the terminal / having to go and enable SSH for every install, which feels a bit of a threshold for me. I also like being able to get into the GUI and control things in OPNsense while being away, by VPN and the comfort of my phone.
So with that being said; opnsense is all about being able to have many ways of control, the gui, terminal/ssh etc. So with both options available, everybody is happy :-)
I guess my main point was more for the "guide"; it really isn't difficult, and once installed the need for the cli is minimal.

It's probably also fair to note that I am the type who prefers the simplicity of a cli. Given the choice, I will almost always choose a cli over a gui because the vast majority of the time it's faster, and the gui usually is just an abstraction around the cli anyway, and often makes assumptions that are hidden (or can't even be set).

That said, I understand that lots of people prefer a gui approach, even if it is slower and less secure. For me (and after reading this thread, I know I'm not alone...), if what I wanted was a 99%  GUI solution, I'd be running OpenWRT instead.

You *can* access your AdSense gui from a vpn easily enough. If you use the virtual IP approach, it wouldn't even feel weird because it would feel like you are logging on to a different host.  It's no more difficult to access the AdGuard gui from your phone than OPNsense (arguably easier, because AdGuard's mobile interface is well optimized).  You also can SSH on a vpn. I have a terminal program for my phone, even, that I could use.  Granted, securely using ssh requires a bit of work, but if you can install the mimugmail repo, you can run the two or three cli commands for key-based (as opposed to password-based) ssh login.  That's well out of scope *here* but I bet there's already guides for that... :D

March 03, 2022, 05:44:07 AM #163 Last Edit: March 05, 2022, 02:19:39 PM by inlophe
I can't seem to figure out what's wrong with my setup.

My Port Forward NAT already has rules to redirect outbound DNS to AdGuard (using Groups, for several VLANs), Unbound listens on 53530, and AdGuard Upstream DNS and bootstrap DNS point to 127.0.0.1:53530 (or LAN_ip:53530, tried both), but it still won't resolve. I tried to reinstall AdGuard several times to make sure that I chose all interfaces on the DNS listen interface.

I don't know if resolve is the right word, because I can see that my DNS requests show up in the AdGuard AND Unbound log, so that means the flow is correct, but I still never get any response on my VLANs; only my LAN works.

Anyone have any idea?

EDIT: nevermind, turns out I need to point the DNS server in DHCP to the gateway/Adguard interface IP of each VLAN or leave it empty. It works now.

Thanks for the guide/help.
I get a notification in the AdGuard Home web interface that v0.107.5 is now available: can I update directly from the AdGuard Home web interface or should I wait until the package gets updated?