DNS (AdGuard) not working with CARP

Started by weidah, May 09, 2024, 03:07:16 AM

I've got the AdGuard plugin, which was working fine until I set up CARP.

I have to set the DNS on Windows to the actual IP of the LAN interface. I can't use the CARP VIP to resolve hostnames for some reason.


Any ideas what could be the issue?


Bind AGH to 127.0.0.1 and use NAT port forwarding to make it reachable at the CARP address. That should do it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

May 09, 2024, 11:15:01 AM #3 Last Edit: May 09, 2024, 11:17:02 AM by weidah
Quote from: mimugmail on May 09, 2024, 06:28:38 AM
Yep, that's a known bug in AdGuard

https://github.com/AdguardTeam/AdGuardHome/issues/3015

Seems that this is the case, yes.

Quote from: Patrick M. Hausen on May 09, 2024, 10:30:39 AM
Bind AGH to 127.0.0.1 and use NAT port forwarding to make it reachable at the CARP address. That should do it.

Actually tried that yesterday. Didn't work unless there's something I'm missing.
VIP 192.168.0.1


SS from AdGuard


You need TCP/UDP. Did you configure the "Firewall rule association" as "Pass"?

May 09, 2024, 11:35:20 AM #5 Last Edit: May 09, 2024, 12:01:02 PM by weidah
Yeah, I have it set up to automatically add the rules.
Changed it to TCP/UDP, still didn't work.

But when I forward it to the actual IP of the current master, it works.



Also, I have to add that my testing is very unscientific: just "ipconfig /flushdns", then trying to ping, visiting the website and checking the query logs from AdGuard.

Is AGH listening on port 53?

This is my rule - see screenshot - and it works flawlessly. The port definition is 53530 because I have Unbound running on 53. Also did you configure an upstream server in AGH? AGH cannot do recursive lookups on its own. Here AGH forwards to Unbound.

At first I would try directly on OPNsense:

dig google.com @127.0.0.1

If that works, it's the port forwarding rule or similar. If it gives you a SERVFAIL, then AGH is not configured correctly.

May 09, 2024, 12:37:41 PM #7 Last Edit: May 09, 2024, 01:02:32 PM by weidah
Thing is, I just started playing around with HA and CARP. It worked before, no issues, even for WireGuard clients, which were on a completely different IP range. I just cloned the virtual machines for CARP testing, fixed any duplicate entries, and everything worked flawlessly, apart from AGH.

I've now just created an alias with the IPs of the two OPNsense instances as the target. This seems to work, although the first query takes a bit long; after that it's normal and fast.

Will still investigate this further. The issue I'm also facing now is SR-IOV not playing nice with CARP.  >:(


EDIT: Using an alias was not a good idea. While Windows kinda figures out what to do, every other client on the network is really slow to resolve. I've now, for the time being, disabled NAT syncing between the two instances and set each to forward to its own network IP.

I think I've got it.
AGH config had bind_hosts set to 0.0.0.0; I guess it didn't like that. I now manually set all the IPs, including 127.0.0.1, and I was able to NAT it.
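The triage Patrick describes (query AGH on loopback first, then through the VIP, and read the result) written up as a small POSIX sh helper. This is an added example, not code from the thread or from OPNsense/AdGuard Home; it assumes AGH listens on 127.0.0.1:53530 and that the NAT rule on the CARP VIP 192.168.0.1 redirects TCP and UDP port 53 to it, and the sample dig outputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify dig output and apply the
# decision rule from the thread. Assumed layout: AGH bound to 127.0.0.1:53530,
# CARP VIP 192.168.0.1 with a TCP+UDP port-forward of 53 -> 127.0.0.1:53530.

# classify_dig <dig output> -> ok | servfail | unreachable | other
# Constructed sample inputs:
#   ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1"   -> ok
#   ";; connection timed out; no servers could be reached"    -> unreachable
classify_dig() {
    case "$1" in
        *"status: NOERROR"*)              echo ok ;;
        *"status: SERVFAIL"*)             echo servfail ;;
        *"no servers could be reached"*)  echo unreachable ;;
        *)                                echo other ;;
    esac
}

# diagnose <loopback result> <vip result> -> one-line verdict, following
# the thread: loopback fine but VIP not => look at the NAT rule / bind_hosts;
# SERVFAIL on loopback => AGH itself (e.g. no upstream) is the problem.
diagnose() {
    case "$1/$2" in
        ok/ok)          echo "AGH answers on loopback and via the VIP" ;;
        ok/*)           echo "AGH fine on loopback: check NAT rule (TCP+UDP) and bind_hosts" ;;
        servfail/*)     echo "AGH answers but cannot resolve: check its upstream (e.g. Unbound)" ;;
        unreachable/*)  echo "nothing answers on loopback: is AGH running on that port?" ;;
        *)              echo "inconclusive" ;;
    esac
}

# run_dig <server> <port>: single attempt, short timeout, full output for the status line
run_dig() { dig +time=2 +tries=1 -p "$2" google.com "@$1"; }

# Only talk to the network when explicitly asked (./agh_triage.sh --live).
if [ "${1:-}" = "--live" ]; then
    lb=$(classify_dig "$(run_dig 127.0.0.1 53530)")
    vip=$(classify_dig "$(run_dig 192.168.0.1 53)")
    echo "loopback=$lb vip=$vip"
    diagnose "$lb" "$vip"
fi
```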