AdGuardHome Asuswrt-Merlin-AdGuardHome-Installer (AMAGHI) cont.

None of the queries appeared in the Adguard log.

DNS filter, if I'm in the right place, is set to "On - Router"

On the Windows computer.

Follow these instructions and provide the screenshot:

  • Open the Start menu, type Command Prompt and choose Run as administrator from the right pane.
  • In the Command Prompt window, type ipconfig /all and press Enter.
  • Provide a screenshot of what Command Prompt shows.
Some additional questions:
What web browser do you use for this device?
Can you provide a screenshot of your LAN DHCP settings page from your router webui (e.g. Advanced_DHCP_Content.asp)?
 
And is there anything on the LAN DHCP Server / DNS fields?

Let’s check with:
Code:
iptables -t nat -S
I think you just helped me solve it!

Code:
# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DNSFILTER
-N DNSVPN8
-N GAME_VSERVER
-N LOCALSRV
-N PCREDIRECT
-N PUPNP
-N VSERVER
-N VUPNP
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN8
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN8
-A PREROUTING -d redacted -j GAME_VSERVER
-A PREROUTING -d redacted -j VSERVER
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A PREROUTING -i br0 -m mac --mac-source redacted -j PCREDIRECT
-A POSTROUTING -s 10.10.0.0/24 -o tun11 -j MASQUERADE
-A POSTROUTING ! -s 10.2.0.2/32 -o wgc3 -j MASQUERADE
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING ! -s redacted -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.50.0/24 -d 192.168.50.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A DNSVPN8 -s 192.168.50.10/32 -j DNAT --to-destination 10.2.0.1
-A GAME_VSERVER -p tcp -m tcp --dport 3074 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p tcp -m tcp --dport 3478 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p udp -m udp --dport 3478 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p tcp -m tcp --dport 4379:4380 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p udp -m udp --dport 4379:4380 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p tcp -m tcp --dport 27000:27050 -j DNAT --to-destination 192.168.50.10
-A GAME_VSERVER -p udp -m udp --dport 27000:27050 -j DNAT --to-destination 192.168.50.10
-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source redacted -j DNAT --to-destination 192.168.50.1:18099
-A VSERVER -p tcp -m tcp --dport 3074 -j DNAT --to-destination 192.168.50.10:3074
-A VSERVER -p tcp -m tcp --dport 27014:27050 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 3478 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 4379:4380 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 27000:27031 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 27036 -j DNAT --to-destination 192.168.50.10
-A VSERVER -p udp -m udp --dport 6969 -j DNAT --to-destination 192.168.50.3:1194
-A VSERVER -p udp -m udp --dport 9 -j DNAT --to-destination 192.168.50.10:9
-A VSERVER -j VUPNP

I am so sorry, I thought I had disabled the VPN I had set up in VPN director. I just bought a new vpn service and could have sworn that I turned it off. Brain fart on my part for not even thinking to check there.
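
The rule order in the output above, as an added example (not part of the original posts): a sketch that walks the nat PREROUTING chain for a port-53 packet and reports the first DNAT a given LAN client hits. It assumes only `-s`, `-p` and `--dport` need evaluating and ignores `-i`, `-d` and `-m mac`, which holds for the DNS rules shown; the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the port-53 lines of the posted output, same order.
RULES = """\
-A PREROUTING -p tcp -m tcp --dport 53 -j DNSVPN8
-A PREROUTING -p udp -m udp --dport 53 -j DNSVPN8
-A PREROUTING -i br+ -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -i br+ -p tcp -m tcp --dport 53 -j DNSFILTER
-A DNSFILTER -j DNAT --to-destination 192.168.50.1
-A DNSVPN8 -s 192.168.50.10/32 -j DNAT --to-destination 10.2.0.1
"""
FIELDS = ("-s", "-p", "--dport", "-j", "--to-destination")

def parse(text):
    """Group '-A' rules by chain, keeping only the fields evaluated below."""
    chains = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "-A":
            continue
        rule = {}
        for i in range(2, len(tok) - 1):
            if tok[i] in FIELDS:
                rule[tok[i]] = tok[i + 1]
                if tok[i] == "-s" and tok[i - 1] == "!":
                    rule["not_src"] = True  # "! -s net" inverts the match
        chains.setdefault(tok[1], []).append(rule)
    return chains

def matches(rule, src, proto, dport):
    """True if the packet satisfies the rule's protocol, port and source."""
    if rule.get("-p", proto) != proto:
        return False
    lo, _, hi = rule.get("--dport", str(dport)).partition(":")
    if not int(lo) <= dport <= int(hi or lo):
        return False
    if "-s" in rule:
        net = ipaddress.ip_network(rule["-s"], strict=False)
        return (ipaddress.ip_address(src) in net) != rule.get("not_src", False)
    return True

def dns_destination(chains, src, proto="udp", chain="PREROUTING", path=()):
    """First DNAT a port-53 packet from src hits: (chains walked, new target)."""
    for rule in chains.get(chain, []):
        if matches(rule, src, proto, 53):
            if rule.get("-j") == "DNAT":
                return path + (chain,), rule["--to-destination"]
            # A user chain with no matching rule returns to its caller.
            hit = dns_destination(chains, src, proto, rule.get("-j"), path + (chain,))
            if hit:
                return hit
```

For 192.168.50.10 the walk ends in DNSVPN8 with destination 10.2.0.1, so the query never reaches the DNSFILTER redirect to 192.168.50.1; any other LAN client falls through DNSVPN8 and is rewritten to the router.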
 
I just realized I had stupid vpn director turned on and I'm gonna disable it and re-test. Sorry for wasting everyone's time!
 
Great! Please redact your WAN IP in the iptables output.
Arrgghhh. I'm usually really good at doing that before posting. 🤬

All the rules are so confusing. I have a few port forward rules set up for games I play.

-A VSERVER -p tcp -m tcp --dport 27014:27050 -j DNAT --to-destination 192.168.50.10

This one here, is this even taking effect? Since I did a port range? I don't see the ports listed after the LAN IP, like it is listed for the tcp rule above it for port 3074.

Also, what does this rule do and where is it configured?

-A PCREDIRECT ! -d 192.168.50.0/24 -i br0 -p tcp -m tcp --dport 80 -m mac --mac-source 34:9F:7B:41:ED:A0 -j DNAT --to-destination 192.168.50.1:18099


Thanks!
 
This one here, is this even taking effect? Since I did a port range? I don't see the ports listed after the LAN IP, like it is listed for the tcp rule above it for port 3074.
Yes, it will use the same destination port and just rewrite the IP. No need to specify the internal port if it is the same as the external forwarded port.
Also, what does this rule do and where is it configured?
Looks like a rule to block Internet access, but allow local access. Could be in the Client List or else Parental Controls.

Getting off-topic from AGH…
 
My apologies. AGH is working as expected now, and all is right with the world. Sorry I didn't catch that the VPN director was enabled before posting. And thank you guys for the help!
 
I recently disabled native DHCP and enabled the AGH DHCP server. Everything seems to be working fine (I don't use AiMesh). I'd even argue there is a slight latency improvement, but maybe that's a placebo effect. Anyway, I have a question: do I need to change anything on the DNS settings page, like changing port 553 to 53, disabling reverse DNS, etc.?
 
Sorry, there is currently no guide available for this approach. The AdGuardHome installer and its auxiliary files are not designed or intended to incorporate this feature into their logic. Please feel free to write a forum tutorial or guide sharing your process with other users.
 
Everything is working fine for WAN communication, I like very much this product, thanks a lot for the hard work.

I need some help to understand how to correctly configure communication on my LAN to resolve local machines FQDN.

Here is the situation:
  • When I have AdGuard enabled:
    • I can't ping by hostname (either "server1" or "server1.domain.local")
      • Ping request could not find host server1
      • Ping request could not find host server1.domain.local
    • I can ping by using IP and using "-a" to resolve the hostname, which is giving me the right name FQDN I tried before!!!!
      • Pinging 1.2.3.4 with 32 bytes of data: Reply from 1.2.3.4: bytes=32 time<1ms TTL=128
      • Pinging server1.domain.local [1.2.3.4] with 32 bytes of data: Reply from 1.2.3.4: bytes=32 time<1ms TTL=128
  • When I have AdGuard disabled, everything is working fine
I know I have to configure DNS in "Settings" => "DNS settings" but I am struggling to find the right way to do it correctly to have my local domain ("domain.local") be resolved by my router.
I found the documentation (here) but maybe I am too stupid to understand it.

Could anyone help?

Thanks
 
This is what I have in DNS Setting & it works for me, might help.

Code:
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/routerdomainname/][::]:553
[//][::]:553
 
Thanks, I will give it a try.
Unfortunately, this does not fix the trouble because I already have the same lines at the beginning of "Upstream DNS servers" on the "DNS Settings" page.
I re-entered the values and validated there is no "ghost" character... no luck :mad:
I don't understand what I am doing wrong.
 
What output value do you get from typing nvram get lan_domain into the SSH terminal?
 
I got the fqdn of my local domain, the same I have entered in the router webGui.
As I said before, when I disable AdGuard, my local DNS resolution is working fine.
I know there is something in my config, but I can't catch it!
Luckily, Internet communication is working fine (otherwise family would tell me some bad words...)
 
Code:
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/routerdomainname/][::]:553 #### YOUR value listed for $(nvram get lan_domain) needs to be listed here
[//][::]:553

Another thing worth mentioning is that your "fqdn" must follow the traditional rules of fqdn naming

Each label must consist of 1 to 63 characters and the total FQDN may not exceed 255 characters in total. Only letters, numbers, or dashes can be used. Each label has to have either a letter or a number at the beginning.
 
You're right, but my FQDN is "ad.localdomain" (I wasn't very inspired, I put the first thing I thought of that would make people think "local")
I think it's respecting the rules ;)
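
A way to check an upstream list against the router's domain, as an added example (not part of the original posts and not AdGuard Home's own code): it applies the naming rules quoted above and a simplified model of `[/domain/]upstream` matching to see where a LAN hostname would be sent. The function names and the host `server1` are assumptions taken from or made for this thread.

```python
import re

# Constructed sample: the upstream list as posted, placeholder line included.
UPSTREAMS = """\
[/router.asus.com/][::]:553
[/www.asusnetwork.net/][::]:553
[/www.asusrouter.com/][::]:553
[/use-application-dns.net/][::]:553
[/dns.resolver.arpa/][::]:553
[/routerdomainname/][::]:553
[//][::]:553
"""
LABEL = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,62}")

def valid_fqdn(name):
    """Naming rules quoted in the thread: labels of 1-63 characters made of
    letters, digits or dashes, starting with a letter or digit; 255 in total."""
    name = name.rstrip(".")
    return 0 < len(name) <= 255 and all(LABEL.fullmatch(p) for p in name.split("."))

def parse_upstreams(text):
    """Map every domain of a [/domain/.../]upstream line to its upstream."""
    routes = {}
    for line in text.splitlines():
        m = re.match(r"\[/(.*?)/\](\S+)", line.strip())
        if m:
            for domain in m.group(1).split("/"):
                routes[domain.lower()] = m.group(2)
    return routes

def upstream_for(routes, name):
    """Simplified model: the longest listed suffix wins, '' (the [//] line)
    covers names without a dot, None means the default upstreams are used."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in routes:
            return routes[suffix]
    return routes.get("") if len(labels) == 1 else None

def check(text, lan_domain, host="server1"):
    """Return (domain is well formed, upstream chosen for host.lan_domain)."""
    routes = parse_upstreams(text)
    return valid_fqdn(lan_domain), upstream_for(routes, f"{host}.{lan_domain}")

if __name__ == "__main__":
    print(check(UPSTREAMS, "ad.localdomain"))
    print(check(UPSTREAMS.replace("routerdomainname", "ad.localdomain"), "ad.localdomain"))
```

With the placeholder left in, `server1.ad.localdomain` matches no line and goes to the default upstreams; once the line carries the `nvram get lan_domain` value it is routed to `[::]:553`.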
 