SomeWhereOverTheRainBow
Part of the Furniture
I told you they were listening here... https://www.snbforums.com/threads/skynet-7-4-0.84942/post-840802 This is quickly turning into a "Spot the Fed" contest! Lol
shhhhhhh....
Why can't I access the web UI of ADGH at home router from office by WAN IP or DDNS with correct port number?
Because the port is not open to the web. The installer script does not open any WAN-side ports. You need to configure that yourself.
Sorry for noob question. How can I do that?
By utilizing iptables and firewall-start custom scripts. Here are some details.
I began to suspect that the Adguard application on my phone was somehow to blame, constantly running in the background to filter ads. I'll try turning it off for a week and see.
A week has passed. IP 11.41.108.58 no longer appeared in the AGH statistics. Other extraneous IPs also did not appear. It looks like the culprit has been found, and it's the Adguard app on my Android smartphone. Today I enabled the Adguard application on my smartphone again, but this time only for browsers and some applications whose traffic I want to filter through the Adguard application. I will watch further.
Hey guys. Question about the WAN DNS settings when running AGH + Unbound. I recently moved and got new Internet from ATT. I am running the ATT modem/router/ONT in passthrough mode, which forwards the WAN IP from ATT to the WAN port on my router. I have noticed over the past few weeks that DHCP from the ATT router to the Asus router WAN port can break if WAN DNS in the ASUS router GUI is set to anything other than the LAN IP of the upstream ATT router.
I was using Quad9 Privacy respecting DNS set in the WAN DNS settings. This worked fine for a few days/weeks and I had the public IP of ATT assigned to the WAN port of the ASUS.
However, eventually I will get an error on the main screen that says my ISP's DHCP isn't working properly. If I change the WAN DNS setting to the LAN IP of the ATT router, it fixes it.
My question is what are the drawbacks to leaving the LAN IP of the ATT router as the WAN DNS settings if I am using AGH and Unbound. LAN clients on the ASUS router are still getting the LAN IP of the router for their DNS. I assume AGH + Unbound is still working because I still get ads blocked on my LAN clients. I just want to make sure I am not sending DNS requests to ATT. My router WAN DNS settings and AGH upstream servers are as follows:
AGH Upstream settings:
Code:
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
#DoT
tls://unfiltered.adguard-dns.com
tls://dns.adguard-dns.com
#tls://security-filter-dns.cleanbrowsing.org
tls://1dot1dot1dot1.cloudflare-dns.com
tls://dns.quad9.net
#DoH
https://unfiltered.adguard-dns.com/dns-query
https://dns.adguard-dns.com/dns-query
#https://doh.cleanbrowsing.org/doh/security-filter/
https://dns.cloudflare.com/dns-query
https://dns.quad9.net/dns-query
#DoQ
quic://unfiltered.adguard-dns.com
quic://dns.adguard-dns.com
#Unbound
127.0.0.1:53535
tcp://127.0.0.1:53535
#9.9.9.9
#1.1.1.1
#tcp://9.9.9.9
#tcp://1.1.1.1
If your modem DHCP service requires you to use the IP address of the ATT router for DNS for its DHCP services to function properly, then I suggest you do such. It will not impact the DNS used by clients, since that would be pointed at AGH, which in turn uses Unbound as upstream DNS recursive resolver (this is assuming ATT is not forcibly subjecting you to use their DNS via built-in rules on the ATT router). But to be fair, this whole situation could easily become a messy one. I typically don't recommend running any setup in such fashion; I prefer to have a managed VLAN configured switch properly managing things at a granular level.
The only service dnsmasq serves on port 53 is DNS resolution itself; DHCP is handled by a different port. Dnsmasq's DNS port is changed to port 553, and adguardhome becomes the DNS service on port 53. Dnsmasq advertises the router's address on port 53 through dnsmasq DHCP options (done via a different port) to clients, which tells the client that DNS is served by the router at port 53 (adguardhome). For local requests and local name resolution, adguardhome is told to communicate back to dnsmasq (@ port 553) for client information that is communicated to it via DHCP.
Heya,
Question on dnsmasq: I set some custom domain names inside so that my queries stay on my local network (for example test.com --> 192.168.X.X). Before AGH, no problem.
Since I installed AGH they don't seem to work anymore, even though I didn't change any parameters (other than adding 127.0.0.1 for unbound).
I configured the installer to redirect everything to AGH (all DNS queries from network, all custom and non custom queries, local caching).
Is this normal since in my DNS upstream servers I have 553 stuff and private reverse DNS? AGH should ask my dnsmasq for the entries, right?
Thanks!
What entries do you have for your Upstream DNS servers settings in your adguardhome instance? What entries do you have for your Private reverse DNS servers in your adguardhome instance?
Please share screenshots of the above requested information. If you want to keep anything private, just message it to me. Also, I need you to share a screenshot of your settings on Advanced_WAN_Content.asp, Advanced_DHCP_Content.asp, and Advanced_WANPort_Content.asp of your Asus router's WebUI. Please redact any entries that you wish to keep private (e.g. MAC addresses and the sorts). For the Advanced_DHCP_Content.asp I need to see how you are defining your entries and what DNS addresses you have listed for LAN DHCP. Also, if you could please share a screenshot of your DNSDirector.asp. Also, please describe your general setup (e.g. are you running any VPN services in the background?). Are there any extra setup requirements specific to your router that other home users might not have (e.g. Dual WAN, or WAN Aggregation)?
Short story long, there are numerous possible configuration issues that could cause the problem you are experiencing. It will take a full investigation into your router and AdGuardHome settings in order for me to come back with a definitive resolution (if one can be found). So instead of me assuming I know right from the start what the cause of the problem is, I will need to review the information I have requested from you before coming to any conclusions.
Do you inform AGH to send test.com queries to dnsmasq on your router IP on port 553? Something like [/*.test.com/]192.168.1.1:553
Hey,
[/0.0.e.8.7.f.a.8.8.0.b.c.1.0.a.2.ip6.arpa/][::]:553
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/lan/][::]:553
[//][::]:553
127.0.0.1:53535
tcp://127.0.0.1:53535
[::]:553
[/10.in-addr.arpa/][::]:553
[/168.192.in-addr.arpa/][::]:553
Hi,
Yes, here is what I added in the dnsmasq.conf.add under /jffs/configs:
Code:
interface=wg* # WireGuard
address=/<redacted.something.something>/<redacted 192 IP>
That is for dnsmasq. AGH needs to know to forward that domain to dnsmasq instead of the default DNS server.
@matssa it would look like
[/test.com/][::]:553
if you want to use the same syntax as your other upstream lookups in adguardhome. Place this in the upstream dns section of adguardhome.
[/test.com/][192.168.1.1]:553
should also work as well. [::] just means send it to any address listening on :553. Dnsmasq listens on all addresses at 553.
Hey,
Ok thanks, not really sure that I needed that since they should use the private DNS settings, right?
In terms of AGH config, what do you suggest between the 3 settings (fastest IP, parallel demands or load balancing)?
Other question, is this "better" than adding directly the redirections inside AGH directly in the DNS rewrite config?
Yes, it is better because you are not relying on the performance of redirection to achieve your desired results. By placing the entry in the upstream section, you are saying that this request will always be handled by that particular upstream.
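Added example, not part of the thread and not AdGuardHome's own code: a small Python model of the upstream list syntax discussed in the posts above, showing which upstream a name would be sent to and whether any entry would carry queries off the router unencrypted. It assumes longest-suffix matching for `[/domain/]` entries and that `[//]` covers unqualified names; wildcard forms such as `[/*.test.com/]` are not modelled, and `router_ips` is a hypothetical parameter for the router's own LAN address.

```python
import ipaddress
import re

# Constructed sample built from upstream lines quoted in the thread.
UPSTREAMS = """\
[/lan/][::]:553
[//][::]:553
[/test.com/][192.168.1.1]:553
tls://dns.quad9.net
127.0.0.1:53535
#9.9.9.9
"""
ENCRYPTED = ("tls://", "https://", "quic://")

def parse(text):
    """Return (default_upstreams, {domain: [upstreams]}); '#' lines are comments."""
    default, scoped = [], {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"\[/(.*)/\](.+)$", line)
        if m:  # "[//]" has an empty domain: it covers unqualified names
            for dom in m.group(1).lower().split("/"):
                scoped.setdefault(dom, []).append(m.group(2))
        elif line and not line.startswith("#"):
            default.append(line)
    return default, scoped

def route(name, default, scoped):
    """Upstreams for a name: longest matching suffix, else '[//]', else default."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in scoped:
            return scoped[suffix]
    return scoped[""] if len(labels) == 1 and "" in scoped else default

def on_router(upstream, router_ips=("192.168.1.1",)):
    """True for a plain-DNS upstream on loopback, the any-address or a router IP."""
    m = re.match(r"(?:tcp://)?(?:\[([^\]]+)\]|([^:/]+))", upstream)
    try:
        ip = ipaddress.ip_address(m.group(1) or m.group(2))
    except (AttributeError, ValueError):
        return False
    return ip.is_loopback or ip.is_unspecified or str(ip) in router_ips

def cleartext_offbox(default, scoped):
    """Upstreams that would carry queries off the router unencrypted."""
    every = default + [u for ups in scoped.values() for u in ups]
    return sorted({u for u in every
                   if not u.startswith(ENCRYPTED) and not on_router(u)})
```

An upstream pointing at another device on the LAN, such as an ISP gateway, is reported unless its address is listed in `router_ips`.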
My router IP is 192.168.50.1, which you can see is the dns server responding to nslookup.
Did these queries appear in the Adguard log?
None of the queries appeared in the Adguard log.
Do you have any DNSFilter rules enabled? Or other custom firewall scripts?