I am on LuCI 21.02 and I just bought a Raspberry Pi 4 and installed Pi-hole. I saw three ways to try this: (1) Network > Interfaces > WAN > Common Configuration > Advanced Settings > Use custom DNS servers; (2) Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options; (3) Network > DHCP and DNS > Server Settings > DNS forwardings. Confused, I searched Google. Then it occurred to me, OneMarcFifty, of course! Wow, this really demystified these settings and then you showed even more advanced ones I never imagined. I'm going to try the Network > DHCP and DNS first, and when I'm pretty comfortable, move on to your third option. Thanks Marc, now I won't have to stay up till 4:00 a.m. trying to figure it out!
The timing couldn't be any better. I recently bought a new router and flashed OpenWrt. I was struggling this morning to set up DNS as it was a bit confusing at first glance. I am already running AdGuard Home on a separate machine. Keep up the good work Marc! Looking forward to the Sunday Discord session.
You have singlehandedly saved my mental health! I've been racking my brain trying to figure out what I've been doing wrong, and thanks to your detailed and great explanations, I now have everything working (new OpenWrt router, AdGuard running on a Home Assistant Pi), and as an added bonus, I've also learned a lot! Thank you a billion times!
Very detailed tutorial. I have been using AdGuard since 2021 with a Raspberry Pi 4 and I started with OpenWrt in 2022. Now I am using OpenWrt as my main router and installed AdGuard manually to get control over the latest versions.
I am using Pi-hole as a network-wide ad blocker. I started using it around 3 years ago. I used it as a DHCP server too. At some point an update messed up something on the RPi and I had to start using the router as DHCP again. I am watching this video to see if I can turn off the router DHCP and use the Pi-hole's DHCP to filter ads. Thank you for making a very informative and beginner-friendly video.
I can't believe how you manage to reply to everyone, that's outstanding work!! I'm super thankful for you doing what you do for all of us who want to learn about OpenWrt and solutions. It's way better than reading a page, especially with the quality of your vids.
Hey, thank you very much for your friendly feedback. Yes, I firmly believe that in the long run viewers prefer to be able to interact with the creators. As long as I can manage it I'll reply to everyone ;-)
Great video and so well explained with lovely visuals!!! I have to tackle this soon for my home network, which I use for work and family too, and need to sort out ads and parental restrictions. I will be watching this video a lot in the near future! Perfect length and level of detail, please continue with this kind of material! I get the sense you really enjoy making these from the big smile you always seem to have 😊
Call to action!!! Hi Mark! I am using Pi-hole + Unbound on a Raspberry Pi Zero with a GB Ethernet adapter as DNS, attached to my Archer C7 with OpenWrt. I have firewalled ports 53 & 853 in OpenWrt, so there is no other way than the Pi-hole (or VPN) to get DNS service inside my networks. It works like a charm. I use it for ad/tracker blocking and parental control. There are several useful, well-maintained lists out there. Thank you as always, excellent video! Regards!
Of course I need a reject rule for every zone I have configured. But I did the setup once and it works great, without having to install new packages :) And now I am thinking... those rules I set up before deploying Unbound, when I had public DNS set up in the Pi-hole. I think now I could even block ports 53 & 853 completely since all DNS is resolved inside the Pi-hole. Right?
In answer to your questions: Yes. Network wide adverts and nasties blocking. Five minutes to download and configure. PiHole. Been running it for nearly three years, on a first batch Pi 1 Model B. (256MB RAM version) Had to reinstall after about a year due to cheap crap SD card. No other problems at all. It's great, and visitors appreciate the ad free experience.
I use Pi-hole on an old Pi 3. Asus router. Works perfectly. Don't forget to redirect DNS requests pushed to the default gateway to the Pi-hole. More and more apps/games on phones try this route to skip DNS filtering. Also, if you have isolated guest Wi-Fi access, you need to go through the default gateway.
Hi Marc, thanks for your videos, you're awesome! I used to be a techie but I'm trying to come back slowly. I'd love to see more videos on what we can do with a Raspberry Pi (recently bought it) and OpenWrt. I've been using OpenWrt for OpenVPN (security mainly) on an Archer C7, but thanks to you I implemented a couple of things on my OpenWrt. I installed AdGuard (after this video); I used implementation no. 1 (DNS Ad by DHCP), however, I forward my DNS traffic directly from AdGuard to my public secure DNS server. I'm really excited about my Raspberry Pi and looking forward to having different use cases.
I've used Pi-hole in two different instances. First, at home for ad blocking, utilized as a Docker container in OMV5/6 running on a Raspberry Pi set up as a home NAS. Secondly, I have a similar setup for an RV trailer I live in during the week at my job, which bridges a connection to the work Wi-Fi, setting up a small Wi-Fi network within the trailer. It has a desktop hardwired via Ethernet to a Netgear router running OpenWrt and broadcasting for the wireless devices to also connect. It has Pi-hole also set up as a container on the RV trailer NAS on a Raspberry Pi running OMV6. Took several nights after work to research methods on Google and YouTube to set it up. I used some information from other videos you have done, and others have done as well, to set it all up. I generally use the RV trailer NAS to host media and use Jellyfin to serve up the movies and TV shows I have saved on it.
Nice, informative video. I've been and still am using pfSense for a few years in combination with a virtualized AdGuard Home. Works absolutely perfectly. All outgoing (V)LAN DNS traffic on ports 53, 853 etc. is getting blocked and forced through AGH. This is a good way to also catch the rotten apples that use hardcoded DNS.
I have a similar setup to this using pfBlockerNG, but I'm still working through some woes it causes, such as YouTube apps on the Smart TV not working and Adobe Creative Cloud complaining and throwing errors, among other things.
Note that those DNAT rules can also be rewritten a little bit to provide NTP from a single local source. This can help if you want all your machines to have the same clock settings as close as possible. (Simply set up your router or one of your servers as an NTP server and redirect all UDP port 123 queries to it.)
Yes - absolutely right! I actually had the use case for a couple of Tasmota devices which are hard-coded to use an ntppool server in the Netherlands and were flooding my logs with NTP requests. What I did is that I even excluded them from being served on DNS as they really should go to my router for time ;-) Thanks for sharing!!!
@OneMarcFifty I wonder if just setting the right DHCP option would suffice. I did this in a local hackerspace, so hosts in its network pick up the same time and could properly stream sound over PulseAudio, which is very picky in terms of clock synchronization. I did it by adding "list dhcp_option_force '42,'" to the 'config dhcp' section for my LAN interface. Linux hosts did pick it up; however, I had to use the 'force' variant because they didn't ask for this option explicitly. Not sure about Tasmota, will have to check that as well, as I have quite a couple of devices too.
This was very useful! It helps you to understand a bit more of the underlying principles rather than just being a sequence of instructions. You gained another subscriber :-)
Wow. Really loved option No. 3 where you force all DNS lookups to the Pi-hole. (I didn't know that this was even possible.) Perhaps you should do an advanced iptables/netfilter tutorial with a few scenarios like this.
I have been using OpenDNS as a parental control system; however, AdGuard looks like a more private solution. I will try it this weekend. Thanks for the detailed explanation!
Hi! Thanks for the video, it explains plenty of basic stuff, and I like your style. In my case my ISP deals with PPPoE, my OpenWrt is just acting as a router and DHCP client/server. About forwarding to a Raspberry Pi in my network on version 23.05, I found the following step somehow working: Network -> Interfaces -> Edit WAN -> Advanced Settings -> Use DNS servers advertised (untick, that reveals a new option) -> Use custom DNS servers -> set the Raspberry Pi IP where AdGuard runs. Somehow without this it worked just for a few queries, even if I set under Interfaces » lan -> DHCP Server -> Advanced Settings -> DHCP-Options 6,IP-of-Rpi. I don't know why, but strange. Merry Christmas
It would be nice if you updated this with instructions for v22 :) It uses nftables. The iptables-mod-extra does not work anymore. And in the OpenWrt wiki there are instructions, but weirdly they don't take effect on my router. These nftables are kinda new, so I guess not widely adopted and the ecosystem is not there yet. Great work btw!
Hi, yes - you are spot on - a lot of solutions still have dependencies on iptables. I'd say we just have to wait a bit in order to have all package maintainers switch to nftables.
Hi, your videos are educational for me. I started to watch a lot of your videos and am learning about a lot of tools I did not know before. Appreciate your help and support. In my setup I use pfSense with pfBlockerNG.
Oh wow - that's probably the first WSL2 comment here on this channel ;-) The Windows PC that you are running Docker on - is it a workstation or server? Is it always on - I mean, would it be used by others or is it just your own workstation?
I added a Pi-hole running on a Pi 4B a year+ ago; this has a Stubby instance running which the Pi uses and hence all my DNS is also via TLS. The Pi is also a PVR getting me programmes from iPlayer via a script, otherwise it would be overkill as a Pi-hole only. I have another Pi 4B running OpenWrt as my router. I block port 853 for everything but the Pi-hole, and hijack all requests to port 53 to stop bypasses from mostly mobiles. I do the same for time so my router is also the NTP for the whole network.
Great video. Currently I use Pi-hole as DHCP/DNS server on a Pi 4. It is additionally configured using Unbound so it queries root servers directly rather than providing the usual suspects with browsing information. I also have a firewall rule blocking all DNS requests except from the Pi-hole, so if someone does try to manually assign a DNS server they won't get resolution. I am going to start using OpenWrt and so am interested in how ad blocking can be achieved. Thanks for putting time into these videos!
Hi Stuart, many thanks for your feedback - querying the root servers is a great idea! Is that something that unbound does by design or does it need to be configured for that ?
For my home network I use an old Windows 10 laptop running 24/7. Since I have no idea about Linux, I built my own DNS blocker on Windows 10. All my internet traffic now goes through AdGuard Home, Unbound and dnscrypt-proxy (ODoH). It took me a while to build it because there are few instructions for Windows.
Hi Alex, yes it's still on. But before I do that my pull request needs to go through github.com/openwrt/luci/pull/5698 - I wrote a LuCI interface for that video ;-)
Another great video of yours, Marc! How would you announce your pihole/adguard home service for IPv6? For IPv4 we'd set option 6 but where would we announce the DNS filter for IPv6? Would you simply add the bitmask to your LAN interface's IPv6 Settings as a DNS server inside the DHCP settings tab? Let's say ::5:0:0:0:245 according to your example from the IPv6 with OpenWRT video?
On the Interface - DHCP Server tab - IPv6 Settings - Announced IPv6 DNS servers. Here you can put addresses of DNS Servers that would be announced via DHCPv6
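The LuCI fields discussed in these comments (DHCP-Options 6 for the DNS server, the forced option 42 for NTP from the hackerspace comment above, and the announced IPv6 DNS servers from this reply) all land in the `lan` section of /etc/config/dhcp. This is an added example, not configuration from the video; the addresses (192.168.1.5 / fd12:3456:789a::5 for the Pi-hole, 192.168.1.1 for the router) are constructed placeholders.

```text
# /etc/config/dhcp -- LAN pool (added example; addresses are constructed placeholders)
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	# DHCPv4 option 6: the DNS server handed out to IPv4 clients
	# (LuCI: DHCP Server > Advanced Settings > DHCP-Options)
	list dhcp_option '6,192.168.1.5'
	# DHCPv4 option 42: NTP server. The _force variant pushes it even to
	# clients that do not list option 42 in their parameter request.
	list dhcp_option_force '42,192.168.1.1'
	# DNS server announced to IPv6 clients via DHCPv6 and router advertisements
	# (LuCI: DHCP Server > IPv6 Settings > Announced IPv6 DNS servers)
	list dns 'fd12:3456:789a::5'
```

After `/etc/init.d/dnsmasq restart` and `/etc/init.d/odhcpd restart`, renew a lease on a client and confirm it shows the Pi-hole (not the router) as its resolver; the options only reach clients that renew.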
I've set my DNS settings under Interfaces > WAN > Advanced > Use custom DNS servers. Also disabled the DNS by peers, to not use my ISP's DNS, and set up a DNSCrypt container to resolve the queries encrypted.
Hi Marc, always a pleasure to look at your videos. To the point and very helpful. Please keep up the good work! I use AdGuard Home on a Raspberry Pi 4 with 4 GB. This is a bit of an overkill hardware-wise. You could use a smaller Pi. I have various VMs and PCs which are all directed via my Fritz to the Pi. It was a breeze to install and I am keeping track of all the relevant blocking lists and updates. So far so good.
Firstly, thank you so much for all your videos. They're great and have taught me loads! Secondly, a hopeful request: is there any chance of getting an update on how to perform the enforcement with nftables? I tried using iptables-nft but the --to command is not recognised.
Very interesting video and very well explained, as always! I will try to use another router as DHCP because my ISP router has no option for customizing the DNS. Looking forward to testing this with my Raspberry Pi 3.
Two years ago I installed Pi-hole on a T620 quad-core thin client with Ubuntu Server. It's running perfectly. Power consumption is about 5-6 W. The difference between Pi-hole and AdGuard is the consumption of RAM. Pi-hole with Ubuntu Server uses about 14-15% of 4 GB (with more than 2,339,000 domains on adlists); when I run AdGuard it uses more than 50% with fewer domains on adlists than Pi-hole. I think the better solution in AdGuard is blocking all stuff like YouTube, Instagram... with one click in the menu. Pi-hole requires adding a specific address to the block list.
Great explanation!! Thanks a lot! How about SNI-based web filtering on OpenWrt? Because DNS over HTTPS could be used to bypass Pi-hole, many smart devices now implement DoH, which makes it impossible for us to block them from phoning home. Personally I use AdGuard Home and redirect all DNS (port 53).
I am using Pi-hole on a Raspberry Pi, in a Docker container. The Ubiquiti router is set up to pass the local address of the RPi first, with Cloudflare 1.1.1.1 second. Found a thorough tutorial online so it didn't take very long to set up. It works quite well; the only problem is that the blacklists I use don't seem to stay really current. Pi-hole will reload them automatically once a week, but if they aren't being maintained stuff gets through.
Yes, you are right. The initial script for this episode was much longer, initially I wanted to go through some settings of Adguard Home in the end but I found that 30 minutes would be more than enough ;-)
It's pretty easy to set up a blacklist with OpenWrt 22.03-rcx or newer. It ships with dnsmasq 2.86, which improves blacklist performance. Put a blacklist in /tmp/dnsmasq.d and you're good to go. I set up a cron job to update the blacklist from oisd daily and restart dnsmasq. You need 10 MB of space and a decent amount of memory, but it's working well on my modest router with the full list.
Marc... I have a question... whenever I seek quality content on these topics I always end up in one of your videos??? Did you install some tracking cookies in my browsers?? Or redirect my port 53 TCP/UDP to your DNS servers?? ;-)
Yeah ;-) Actually you're not far from the truth - If you have watched one of my videos, then youtube is quite likely suggesting another one to you ;-) Thanks for the feedback ;-)
Nice! I do this differently: I can do this through a port forward and I can use the ! sign as well at src IP to whitelist the router and Pi-hole IPs in LuCI.
Hi Guido - yes, that works as well. You would just need to make sure that your IP address doesn't change. I personally prefer rules based on MAC addresses.
I played with PiHole as well as AdGuard Home. AdGuard Home is better (supports DoH out-of-the-box) but the best is OpenWrt built-in Adblock package ;-).
Oh - that's a very interesting approach - what would you like to configure - I mean, which type of interface or application would you like to hook into this?
@OneMarcFifty The most popular DNS service/server that can be configured via a REST API is PowerDNS - but I'm unsure if it will run on a router. The next best option would be CoreDNS. So you use something like Ansible to manage the state/configuration of your DNS server using a more "traditional DevOps" process than a custom/ad-hoc process.
For me at home, I'm running an Archer C7 with OpenWrt with the AdBlock package (not AdGuard Home). Also I use uBlock Origin on my browsers (Firefox, Chromium, LibreWolf) and AOSP (no Google services on my mobile). My aim is to block anyone, especially Big Tech (Google, others), from invading my privacy and profiling me. When I'm away from home, I have a 4G router which has limited configuration options and doesn't permit me to choose a DNS provider, so similar to your solution, I turned off DHCP on the 4G router and have a Raspberry Pi running Pi-hole and providing the DHCP service instead. I like your tutorial; however, one thing that it doesn't seem to cover (and I'd like to do something about it myself, but it seems very tricky) is DNS over HTTPS (DoH). Proprietary applications, the Chrome browser, devices like Amazon Echo - all these things can potentially use DoH to punch DNS requests out of your home network to their DNS servers because they hide the queries in the HTTPS traffic. I believe the solution involves proxying HTTPS and/or blacklisting DoH server addresses. On the other side of the coin, I quite like DNS over TLS (DoT) because it gives you the privacy benefits of your DNS requests being encrypted (i.e. from your Pi-hole to your preferred DoT server), but it runs on the specific port 853, which means that you can easily control access to it with your firewall rules. (For instance, block all port 853 traffic, except to this one trusted DoT server.)
You are totally spot on with your comment - many thanks ! A lot of comments here seem to point into the DoH direction - please also see my post here: ruclips.net/user/OneMarcFiftycommunity
Thanks Marc, great video as usual with easy way to understand. I have question: if we have a device connected to vpn, can we still direct its traffic to pihole or adguard?
Thank you so much for an easy-to-follow tutorial. Just a question. If I want to use DoH for example, then I wouldn't put the localhost:5353 address on upstream DNS, right? Thanks!
Thank you for this amazing episode! But I do not have a "Custom Rules" tab on my installation of OpenWrt. Is this installed via an additional LuCI package?
Using pfSense on an HP T620 with pfBlockerNG. Though the thin client has only 1 NIC, I have converted an OpenWrt router into a VLAN-managed switch. Now the router is being used as both access point and managed switch.
In the OpenWrt router, is there any way to change where the DNS queries from AdGuard Home are stored (USB, another partition, ...etc)? Great explanation as usual, keep it up.
Unfortunately there is no way to set this in /etc/adguardhome.yaml as the feature does not exist yet: github.com/AdguardTeam/AdGuardHome/discussions/4467 - what you could do is create a symbolic link in /tmp/adguardhome/data to another location prior to starting the service in /etc/init.d/adguardhome...
I have an OpenWrt router set up as the main internet router. On it I have DHCP set up for 4 VLANs. I use a Pi-hole configured to be accessible in all VLANs by adding the VLANs to the configuration of the Pi-hole, servicing those VLANs with blocking from 1 device. My setup works as I have it currently configured. My main OpenWrt router is an old Cisco EA3500 which I am only using as a wired router and which connects another OpenWrt router (configured as AP) and a mesh pair of Asus routers (stock firmware and configured as AP). The VLANs are mostly over the 2 OpenWrt routers, with the Asus routers being in their own VLAN. I'm wanting to upgrade the whole mess at some point to a Mikrotik hEX PoE gigabit router and 2 cAP XL ac (access points) configured with VLANs. Can't get either currently due to the chip shortages.
@OneMarcFifty Thanks for a great video, however I think something is missing. I did VLANs like in your other video and it has been working great for a few months now, but today I installed and configured AdGuardHome and suddenly I have no internet. At first I could access the internet only from my main VLAN, but connecting via Wi-Fi had no access to the internet (it connects and has an IP but no internet). Now I have no internet whatsoever, even on my main VLAN, though I changed very little on ADH, so it could be some other things. I can, however, ping IPs on the internet, so clearly it has something to do with DNS. Question: having VLANs and installing ADH (and changing dnsmasq to 5353), should I also add some firewall rules or change anything else?
Appreciate the excellent tutorial! I attempted to install AdGuard on my device (and forwarded it to port 5383). However, the guest network is no longer functioning. Should I apply a firewall rule, and if so, which one would be appropriate?
I run Pi-hole in a container on one of my NASs. 2x WRT19000 routers with fast roaming and of course OpenWrt. Netgear managed switch to beef it up (link aggregation).
@OneMarcFifty Thank you for the video and the link. But for me it's not easy to understand and they don't use AdGuard. A new video explaining the configuration of Unbound would be great 😉
I'm currently running Pi-Hole on a RPi3 which is acting as both DHCP and a recursive DNS server via Unbound. Ads be damned, and with Wireguard on my phone the blocking even extends outside of my home network.
Or, if you ARE using pfSense, you run pfBlockerNG. A VERY powerful DNS filter and DNSBL utility that runs ON the router integrated with Unbound. (in response to your Call For Action)
Great explanation as always. Been a year using AdGuardHome running on Raspberry Pi OpenWrt; it filters almost everything, except all requests from clients using DoH. How do I handle it?
Many thanks for the feedback ! DoH is a nasty thing - I'll make a community post about this - might be worth an episode... ruclips.net/user/OneMarcFiftycommunity
I have used your method and many other configurations with AdGuard/Pi-hole. The strange issue with OpenWrt is when you move dnsmasq off 53 to another port, then OpenWrt itself cannot resolve anything via DNS. This in itself solves OpenWrt flooding AdGuard or Pi-hole with PTR requests. When you add a DNS server for the LAN interface into dnsmasq under init.d, this then populates your LAN IP in /tmp/resolv.conf, restoring OpenWrt to being able to resolve DNS, but as mentioned starts flooding AdGuard/Pi-hole with PTR requests. I am convinced this is a bug in OpenWrt.
This is by design and discussed here forum.openwrt.org/t/solved-luci-floods-dnsmasq-log-with-ptr-queries/89073 Please close any open LuCI pages and see if the problem persists
@OneMarcFifty I have resolved it through manually editing conf/yaml files and bindings; my suggestion of it being a bug is not accurate, it's more a shortfall in the implementation of LuCI. In my instance I also had to manually change an AdGuard script as I settled on AdGuard over Pi-hole in the end. I found it more favorable if you aren't attached to a more robust logging history. Thanks for your reply, your videos have been handy in shortening my investigation into implementing my new router/network with OpenWrt.
Hi Marc, amazing video, thank you. I'm currently using solution 3; is there any way to know which device made the request in AdGuard? It identifies as my router having made the request. Also, is it possible to still access the hostname of the main router? Thank you
Hi, great video as usual. Can I use AdGuard Home as well as adblock on my OpenWrt router? Also, when are you going to start uploading your videos to Odysee?
Hi Gary - I have not tested adblock and AdGuard Home in parallel - but why would you want to do that? I'd rather strive to have the lists integrated into one solution. W/r to Odysee - I probably won't use it - due to the fact that it is blockchain-based I could see issues if I wanted to edit or remove content. I am currently examining the possibility to provide Vimeo ad-free content to my Patrons.
@OneMarcFifty Hi, thanks for the reply. adblock is working very well for me tbh, but it's always nice to have other options. Regards Odysee, I always think it's better for creators to have backup options if YouTube decides you have broken one of their 'rules'.
Hey Marc, thank you for that video, but I think I'm doing something wrong, because all my clients are now using AdGuard Home but the router itself is not able to resolve any address. The resolv.conf has 127.0.0.1 in it. When I rewrite that to the LAN IP address of the OpenWrt (with AdGuard) [192.168.1.1] it will work. But the resolv.conf gets rewritten every now and then. I've been trying to fix this for 2 days now. 😮💨
I'm facing the very same problem too. The router itself isn't able to connect to the internet. My resolv.conf has ::1 in addition to it and a "search lan" term at the very top. Adding "nameserver 9.9.9.9" or any other DNS server solves it for a moment or until the next restart of the network service, but then it gets flushed back to search lan, 127.0.0.1 and ::1.
You really need to move dnsmasq to a different port (other than 53) and have ADGUARD listen on port 53, therefore the router and other clients should listen on adguard.
@OneMarcFifty Marc, I'm a bit confused about this reply. Is this a typo? Should this be "dnsmasq to a different port (other than 53) and have AdGuard listen on port 53" instead of "dnsmasq to a different port (other than 53) and have DNSMASQ listen on port 53"?
Excellent one Marc, I am wondering if the Netgear WNDR4300 v2 with 120 MiB memory will be enough to run AdGuard on it, I have 68 MiB of memory free. I hope to catch up on your discord server soon. Thank you very much for all the great content!
Mark! I say Mark! Been waiting, holding my breath, for the video you announced on VLAN over LAN as opposed to Wi-Fi! Is it coming? Ehh? I have turned blue and will shortly have to start breathing again! Well, at least I can now add AdGuard to my setup while I wait!
Please keep breathing 😂 - the batman-adv video just takes a bit of time because I had to write the user interface which is currently in the testing phase - please see my community postings on that ;-)
@OneMarcFifty Thank you for making the extra effort with the LuCI interface. I am tweaking the batman configuration myself with the config files. LuCI with your changes included is definitely more user-friendly.
Just installed Pi-hole via DietPi (which runs on many different SBCs, not only Raspberry Pi). It can run a web server so you can manage/view the Pi-hole remotely (after setup); to manage it you need a password...
@OneMarcFifty Hi, I have been following along with some of your how-tos, but for this one, when I install the iptables-mod-extra, I don't get any custom tab in 23.05.2. Have you come across this issue and how did you fix it?
Hi, I'm trying to follow the enforcement step, but after upgrading to OpenWrt 22.03 the custom rules tab is no longer available, even after installing the iptables extra. Will you be releasing an updated guide? Ty.
Hi Vance, there are a couple of videos that need updating really ;-) W/r to the custom rules you can also use DNAT (in the port forwarding section) for that.
@OneMarcFifty Ty. Looking forward to an updated guide/s. Your videos help me a lot as they are easy to follow and understand for a beginner in networking like me.
Thanks for your video. I plan to use openwrt x86 on a powerful firewall with 8 ports. I would add adguardhome. My concern is how to configure the remaining 7 ports as a switch. eth0 will be wan and eth1 to eth7 will have the same ip.
Not really using any blocking, but I use DNS over TLS in pfSense, and if I were to filter I would just change to 1.1.1.2 for malware protection from Cloudflare, which surely would do a better job than me.
Hey there, it's me again. I'm trying to do this on OpenWrt 21 with nftables, but it is not working. I translated the rules here, but it does not fit. The router itself has a connection to the world, but my devices do not. Could you help me here?
Hi - welcome back ;-) I am afraid that I need to skill up myself on nftables before I can give compelling advice here ;-) But I think I need to do a couple of follow-up videos on OpenWrt rather sooner than later anyhow. fw4, nftables - big changes under the hood.
I previously ran AdGuardHome in Docker on a NAS before I replaced my router. So after I replaced it with an OpenWrt-based router I wanted to go to a proven solution, AdGuardHome. But I can't get it running correctly, and the tutorial on the OpenWrt forum is kinda confusing. Luckily someone who compiled OpenWrt for my device also included adblock and DoH. Setting it up isn't much hassle, and it has the same user experience as AdGuardHome.
I used Pi-hole for a while, but it can't block YouTube ads, so I am trying adblock on OpenWrt in the hope it could help. Do I need to delete the route on dnsmasq like you did with AdGuard Home? Would the iptables command in your description help with YouTube ads? I followed your tutorial on the Belkin RT3200; I can't find the Firewall > Custom Rules after flashing the Belkin RT3200 to an OpenWrt snapshot. Am I missing something?
Hey, you shouldn't block YouTube ads - YT creators need the income ;-) Just kidding - it would help with the overlay ads (i.e. the ones that pop up) but not the embedded video ads.
Hi Marc, thank you for sharing your knowledge. I still need to understand a simple solution for DNS. How can I configure OpenWrt (via Luci or CLI) to use a specific DNS? In my case, I'm looking to use the OpenDNS. I hope you can help me.
It will slow things down for some things as it needs to do an additional hop. It will however speed up a lot of pages as you won't get ads any more. My personal experience is that the "felt" speed is the same, but without the ads.
In option 4, why not keep AdGuard Home as the downstream DNS and dnsmasq as the upstream DNS? I also see there's a DNS filter module for OpenWrt; could that conflict with AdGuard Home?
Hi Marc, I've a Xiaomi AX3600 with a recent snapshot build + LuCI. I've installed AdGuard Home following your tutorial exactly. It was working fine until a device reboot. After that I'm able to log in to LuCI and the AdGuard interface, but there is no outside internet connection. I found a few similar threads, so I tried to: 1. change NTP servers to their IP addresses (and reboot) 2. disable dnsmasq (and reboot). None of that helps. Do you have any idea what might be wrong? I don't know if this is relevant, but I have an additional network interface for a guest network, also configured using your video's help ;)
You can actually use the port forwarding (DNAT) tab for that. Do a port forwarding for port 53 on the network that you want to filter to your adguard/pihole
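The port-forward (DNAT) approach from this reply, the UDP 123 NTP redirect from the earlier comment, and the port 853 blocking several commenters describe, written out as /etc/config/firewall sections in the form the OpenWrt wiki's DNS hijacking recipe uses. This is an added example, not the video's configuration; it assumes the filter (AdGuard Home) listens on port 53 on the router itself, with dnsmasq moved to 5353 as in the video, so a redirect without dest_ip lands on the router's own address.

```text
# /etc/config/firewall -- added example sections (valid for fw3 and fw4).
# Assumes AdGuard Home on the router on port 53; no dest_ip means "DNAT to the
# router's own address on the interface the packet arrived on".

# Hijack every plain-DNS query leaving the LAN, whatever resolver the client
# configured, and hand it to the filter on the router.
config redirect
	option name 'Hijack-DNS'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'

# Same idea for time: all client NTP goes to the router's own ntpd
# (needs option enable_server '1' in the 'ntp' section of /etc/config/system).
config redirect
	option name 'Hijack-NTP'
	option src 'lan'
	option proto 'udp'
	option src_dport '123'
	option target 'DNAT'

# Reject DNS over TLS from LAN clients so a hard-coded DoT resolver cannot
# sidestep the filter. The router's own upstream DoT is locally generated
# traffic, not forwarded, so it is not affected by this rule.
config rule
	option name 'Reject-DoT-from-LAN'
	option src 'lan'
	option dest 'wan'
	option proto 'tcp udp'
	option dest_port '853'
	option target 'REJECT'
```

If the filter is a separate LAN host instead, exempt it with `option src_ip '!<pi-hole-ip>'` on each section (the `!` trick from the comment above) and keep in mind that answers the Pi-hole sends straight back to a client from its own address, rather than from the address the client queried, are discarded by most resolvers, which is why the redirect targets the router here. Apply with `/etc/init.d/firewall restart`; in LuCI the redirects appear under Network > Firewall > Port Forwards and the rule under Traffic Rules.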
Thanks a lot for the video. Can we do MAC address filtering with AdGuardHome? I am using AdGuardHome for DHCP and want to block all devices which are not added in DHCP static leases.
Hi OneMarcFifty. First of all, congratulations on your content! I watched all of your videos and now I have more knowledge about technology! I would like to ask you about one important thing about my net: here I have basically 2 Wi-Fi networks, the main one and the guest one, with different IP addresses. Well, I would like to use the Pi-hole to filter DNS ads on both of them, but I am not sure how to do that because I have 2 different networks trying to use it. Could you help me? I'm looking forward to the next videos, especially for B.A.T.M.A.N.! Thank you
@OneMarcFifty I tried to use the last solution with the iptables commands, but after that problem, I just created some "virtual ethernet devices" on the Raspberry and put each one in a different VLAN, and now my DHCP sends the clients the IP of the DNS server for each VLAN. It works, but I would like to redirect through the main router...
There are also public AdGuard DNS servers that can be used. Of course, it will be slower than the private ones. BTW, do you know an easy way of switching IP/DNS used by clients? Sometimes you just want to see the ads ...
Hi Cezary, many thanks for the feedback! Well, you could either change the network settings on the client, you could use privacy badger on the client and switch it off or - you could have two different Wi-fi networks. One being filtered and the other one being unfiltered
I did not have a detailed look at adblock. I think adguard home is a bit more feature-rich but adblock has an integrated LuCI interface (which AdGuard does not)
@@OneMarcFifty Indeed, adblock's luci interface has a simple checkbox for "Force local DNS" which automatically takes care of the firewall settings needed to redirect (aka: hijack) all DNS requests on the LAN. (There are sub-fields for zones and ports, but defaults work for me.) This alone would make it my first recommendation for most people, with the proviso to check the memory usage (via status->overview->memory->used) and trim the block list selection accordingly.
I run nsd on an Alma server for authoritative DNS for the home network. An Ubuntu server running Samba talks to it to get/serve LAN names and acts as its own DNS server. AdGuard is running on my OPNsense router/gateway, with unbound behind it talking to the quad9 recursor. We have a PiHole instance running as backup for AdGuard (but since AG is on the router, if AG stops working it's probably because something else is wrong, so the PiHole isn't going to be much help).
@@OneMarcFifty Yeah, I only heard about them about a year(?) ago from Tom Lawrence. He did a long video talking to one of their principals about how the company was founded, their commitment to privacy and so on. I switched from cloudflare immediately... 😀
They both can. You could even use dns over https with dnsmasq on your router if you wanted to completely close the chain. There is a software package called http-dns-proxy here: openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
I run a synology nas and have adguard home on it with a separate ip for its DNS. I have however started to run a domain server from the nas too. All of the workstation computers were set to use the dns ip of adguard home, however for the domain controller to work, I now need to set the dns ip of the nas for the workstations to be on the domain. Being that I can only use one or the other for the dns ip, I have to choose between adguard or the domain. Is there a way around this?
Please visit my channel page: ruclips.net/user/onemarcfifty
Want to talk to me? Join my Discord Server: discord.com/invite/DXnfBUG
I am on Luci 21.02 and I just bought a Raspberry Pi4 and installed Pihole. I saw three ways to try this:
Network > Interfaces > WAN > Common Configuration > Advanced Settings > Use custom DNS servers
Network > Interfaces > LAN > DHCP Server > Advanced Settings > DHCP-options
Network > DHCP and DNS > Server Settings > DNS forwardings
Confused I searched Google. Then it occurred to me, OneMarcFifty, of course!
Wow, this really demystified these settings and then you showed even more advanced ones I never imagined. I'm going to try the Network->DHCP and DNS first, and when I'm pretty comfortable, move on to your third option. Thanks Marc, now I won't have to stay up till 4:00 a.m. trying to figure it out!
Awesome feedback - many thanks - glad you can get some more sleep now ;-)
The timing couldn't be any better. I recently bought a new router and flashed Openwrt. I was struggling this morning to set up DNS as it was a bit confusing at first glance. I am already running AdGuard Home on a separate machine. Keep up the good work Marc !
Looking forward to the Sunday discord session.
Awesome - many thanks Vibhu ;-)
You have singlehandedly saved my mental health! I've been wrecking my brain trying to figure out what I've been doing wrong, and thanks to your detailed and great explanations, I now have everything working (new openwrt router, adguard running on home assistant pi), and as an added bonus, I've also learned a lot!
Thank you a billion times!
Hi Ragnar, thank you so much for the feedback. I am happy that the video could help.
Very detailed tutorial. I am using AdGuard since 2021 with Raspberry Pi 4 and I started with OpenWrt in 2022. Now I am using OpenWrt as my main router and installed the AdGuard manually to get the control over the latest versions.
Many thanks for sharing ;-)
I am using PiHole as a network wide ad blocker. I started using it around 3 years ago. I used it as a DHCP server too. At some point an update messed up something on the rpi and I had to start using the router as DHCP again. I am watching this video to see if I can turn off the router DHCP and use the Pihole's DHCP to filter ads. Thank you for making a very informative and beginner friendly video.
I can't believe how you manage to reply to everyone, that's outstanding work!! I'm super thankful for you doing what you do for all of us who want to learn about openwrt and solutions. It's way better than reading a page, especially with the quality of your vids.
Hey, thank you very much for your friendly feedback. Yes, I firmly believe that in the long run viewers prefer to be able to interact with the creators. As long as I can manage it I'll reply to everyone ;-)
Great video and so well explained with lovely visuals!!!
I have to tackle this soon for my home network which I use for work and family too and need to sort out ads and parental restrictions.
I will be watching this video a lot in the near future!
Perfect length and level of detail, please continue with this kind of material!
Get the sense you really enjoy making these from the big smile you always seem to have 😊
awesome - glad you like it - many thanks for the feedback!
Call to action!!!
Hi Mark!
I am using pihole + unbound in a raspy zero with GB ethernet adapter as dns attached to my Archer C7 with OpenWrt. I have firewalled 53 & 853 ports in OpenWrt, so there is no other way than the pihole (or VPN) to get DNS service inside my networks.
It works like a charm. I use it for ads/track blocking and parental control. There are several useful, well maintained lists out there.
Thank you as always, excellent video!
Regards!
# Only the Pi (matched by its MAC) may reach outside resolvers on 53 (DNS) and 853 (DoT).
# Rules are evaluated in order, so the ACCEPT rule must come before the REJECT rule.
config rule
	option name 'DNS-Forward-Allow-raspy'
	option src 'lan'
	option dest 'wan'
	option dest_port '53 853'
	option target 'ACCEPT'
	list src_mac 'raspy mac addr'

# Everything else in the lan zone is refused on those ports.
config rule
	option name 'DNS-Forward-Reject-lan'
	option src 'lan'
	option dest 'wan'
	option dest_port '53 853'
	option target 'REJECT'
Of course I need a reject rule for every zone I have configured. But I did the setup once and it works great. Without having to install new packages :)
And now I am thinking... Those rules I set up before deploying unbound, when I had public DNS set up in the pihole. I think now I could even block ports 53 & 853 completely since all DNS is resolved inside the pihole. Right?
Hi Tomás, you could block the ports but you would need to make sure that you don't block them between the pihole and router.
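The allow-only-the-Pi rules above can be combined with the port-forward (DNAT) hijack of port 53 that comes up elsewhere in this thread, so that clients with a hard-coded resolver still land on the filter. This is an added /etc/config/firewall fragment, not from the video or any commenter; the addresses 192.168.1.1 (router) and 192.168.1.2 (Pi-hole/AdGuard) are constructed and the rule names are my own.

```uci
# Added example (not part of the original video or thread).
# Assumed, constructed addresses: router 192.168.1.1, Pi-hole/AdGuard 192.168.1.2.
# Append to /etc/config/firewall, then: /etc/init.d/firewall restart

# 1. Hijack plain DNS: a lan client sending TCP/UDP 53 to any outside
#    resolver is transparently DNATed to the Pi-hole.  The Pi-hole itself
#    is exempted with "!" so its own upstream queries are not looped back.
config redirect
	option name 'Hijack-DNS-to-pihole'
	option src 'lan'
	option src_ip '!192.168.1.2'
	option src_dport '53'
	option proto 'tcp udp'
	option dest 'lan'
	option dest_ip '192.168.1.2'
	option dest_port '53'
	option target 'DNAT'

# 2. Client and Pi-hole share one L2 segment, so without SNAT the reply
#    would go straight from the Pi-hole to the client, arriving from
#    192.168.1.2 instead of the address the client asked, and be dropped.
#    SNAT to the router forces the reply back through the router's
#    conntrack table.  Side effect: the filter log shows the router, not
#    the individual client, as the requester.
config redirect
	option name 'SNAT-DNS-to-pihole'
	option src 'lan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dip '192.168.1.1'
	option dest_ip '192.168.1.2'
	option dest_port '53'
	option target 'SNAT'

# 3. DoT (853) is encrypted and cannot be hijacked, so it is refused
#    unless the Pi-hole is the client.  Order matters: ACCEPT first.
config rule
	option name 'DoT-Allow-pihole'
	option src 'lan'
	option dest 'wan'
	option src_ip '192.168.1.2'
	option dest_port '853'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option name 'DoT-Reject-lan'
	option src 'lan'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp'
	option target 'REJECT'
```

Repeat the redirect pair per zone (guest, IoT) that should be filtered; matching on `src_mac` instead of `src_ip` avoids breakage if the Pi-hole's address ever changes.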
In answer to your questions:
Yes.
Network wide adverts and nasties blocking.
Five minutes to download and configure.
PiHole.
Been running it for nearly three years, on a first batch Pi 1 Model B. (256MB RAM version) Had to reinstall after about a year due to cheap crap SD card. No other problems at all. It's great, and visitors appreciate the ad free experience.
Awesome - many thanks for the feedback !
I use pihole on an old pi3. Asus router.
Works perfectly. Don't forget to redirect dns requests pushed to the default gateway to the pihole. More and more apps / games on phones try this route to skip dns filtering.
Also, if you have isolated guest wifi access, you need to go through the default gateway
Many thanks for your feedback !
The best and the most comprehensive tutorial for openwrt and adguardhome/pihole. Thanks
Cool - many thanks for the positive feedback !
I'm running both Adguard & pihole on a LXC as DNS 1 & 2. Nice video. Very explanatory
Many thanks for your feedback!!
Hi Marc, thanks for your videos, you're awesome! I used to be a techie but I'm trying to come back slowly. I'd love to see more videos on what we can do with a Raspberry Pi (recently bought it) and OpenWRT. I've been using OpenWRT for OpenVPN (Security mainly) on an Archer C7 but thanks to you I implemented a couple of things on my OpenWRT. I installed AdGuard (after this video) I used implementation n1 (DNS Ad by DHCP) however, I forward my DNS traffic directly from AdGuard to my Public secure DNS Server. I'm really excited about my Raspberry Pi and looking forward to having different use cases.
Excellent ! Many thanks for the feedback !
I've used PiHole in two different instances. First, at home for ad blocking and was utilized as a docker container in OMV5/6 running on a Raspberry Pi set up as a home NAS. Secondly, I have a similar setup for an RV trailer I live in during the week at my job, that bridges a connection to the work wifi, setting up a small wifi network within the trailer. It has a desktop hardwired via ethernet to a Netgear router running OpenWRT and broadcasting for the wireless devices to also connect. It has PiHole also set up as a container on the RV trailer NAS on a Raspberry Pi running OMV6. Took several nights after work to research on Google and RUclips methods to set it up. I used some information from other videos you have done, and others have done as well, to set it all up. I generally use the RV trailer NAS to host media and use Jellyfin to serve up the movies and TV shows I have saved on it.
Wow - I can imagine that this took a while to be configured ;-) Many thanks for sharing !!!
Nice, informative video. I've been and am still using pFsense for a few years in combination with a virtualized AdGuard Home. Works absolutely perfectly. All outgoing (V)LAN DNS traffic on port 53, 853 etc. is getting blocked and being forced through AGH. This is a good way to also catch the rotten apples that use hardcoded DNS.
Hi, many thanks for the feedback and sharing ;-)
I have a similar setup to this using pfBlockerNG, but still working through some woes it causes such as RUclips apps on SmartTV not working and Adobe Creative Cloud complaining and throwing errors among other things
Note that those DNAT rules can also be rewritten a little bit to provide NTP from a single local source. This can help if you want all your machines to have the same clock settings as close as possible. (Simply set up your router or one of your servers as an NTP server and redirect all UDP port 123 queries to it.)
Yes - absolutely right! I actually had the use case for a couple of Tasmota devices which are hard coded to use an ntppool server in the netherlands and were flooding my logs with ntp requests. What I did is that I even excluded them from being served on DNS as they really should go to my router for Time ;-) thanks for sharing !!!
@@OneMarcFifty I wonder if just setting the right DHCP option would suffice. I did this in local hackerspace, so hosts in its network pick up the same time, so they could properly stream sound over PulseAudio, which is very picky in terms of clock synchronization.
I did it by adding "list dhcp_option_force '42,' to the 'config dhcp' section for my LAN interface. Linux hosts did pick it up, however I had to use 'force' variant because they didn't ask for this option explicitly. Not sure about Tasmota, will have to check that as well, as I have quite a couple of devices too.
This was very useful! It helps you to understand a bit more of the underlying principles rather than just being a sequence of instructions. You gained another subscriber :-)
Wow. Really loved option No.3 where you force all DNS lookups to the Pi-hole. (I didn't know that this was even possible). Perhaps, you should do an advanced iptables/netfilter tutorial with a few scenarios like this.
Hi, many thanks for the feedback. I've noted your suggestion ;-)
You might even have to update it because in the next version of OpenWrt iptables will be replaced by nftables.
I have been using OpenDNS as a parent control system, however adguard looks like a more private solution. I will try it this weekend. Thanks for the detailed explanation!
Hi Jaime! Great stuff - let me know how it goes!
Your videos are so incredibly well explained and helpful! A thousand thanks!
Hi!
Thanks for the video, it explains plenty of basic stuff, and I like your style.
In my case my isp deals with pppoe, my owrt is just acting as a router, as dhcp client/server.
About forwarding to a Raspberry Pi in my network on version 23.05 I found the following step somehow working:
Network -> Interfaces -> Edit WAN -> Advanced Settings -> Use DNS servers advertised (untick, that reveals a new option) -> Use custom DNS servers -> set Raspberry Pi IP where adguard runs.
Somehow without this it worked just for a few queries, even if I set under
Interfaces » lan -> DHCP Server -> Advanced Settings -> DHCP-Options 6,IP-of-Rpi
I don't know why, but strange.
Merry X-mas
Great video as usual!
Always a lot to learn from your interesting videos
Thank you
Thank you very much !
I just want to say thank you for the great work, your videos are very helpful and easy to understand.
Would be nice if you updated this with instructions on v22 :)
It uses nftables. The iptables-mod-extra does not work anymore. And in OpenWRT wiki there are instructions, but weirdly they don’t take effect on my router.
These nftables are kinda new, so I guess not widely adopted and the ecosystem is not there yet.
Great work btw!
Hi, yes - you are spot on - a lot of solutions still have dependencies on iptables. I'd say we just have to wait a bit in order to have all package maintainers switch to nftables.
Hi, Your videos are educational for me. I started to watch a lot of your videos and am learning about a lot of tools I did not know before. Appreciate your help and support. In my setup I use pfsense with Pfblockerng .
Awesome - many thanks for your feedback.
PiHole with unbound running on a Pi Zero. Used it for ad blocking which works like a charm. Only regret was I should've done it sooner.
Same here ;-)
I run Pi-hole in a docker Ubuntu WSL2 container on a separate Windows PC. Runs great.
Oh wow - that's probably the first WSL2 comment here on this channel ;-) The Windows PC that you are running docker on - is it a workstation or server ? Is it always on - I mean, would it be used by others or is it just your own workstation ?
I added a Pi-hole running on a Pi 4b a year+ ago, this has a Stubby instance running which the Pi uses and hence all my DNS is also via TLS, the Pi also is a PVR getting me programs from Iplayer via a script otherwise it would be overkill as a Pi-hole only. I have another Pi 4b running OpenWrt as my router. I block port 853 for everything but the Pi-hole, hijack all requests to port 53 to stop bypasses from mostly mobiles. I do the same for time so my router is also the NTP for the whole network.
Hi, many thanks for the feedback and sharing!
Great video. Currently I use PiHole as DHCP/DNS server on a Pi4. It is additionally configured using UNBOUND so it queries root servers directly rather than providing the usual suspects with browsing information. I also have a firewall rule blocking all DNS requests except from the PiHole, so if someone does try to manually assign a DNS server they won't get resolution.
I am going to start using OpenWRT and so am interested in how ad blocking can be achieved.
Thanks for putting time into these videos!
Hi Stuart, many thanks for your feedback - querying the root servers is a great idea! Is that something that unbound does by design or does it need to be configured for that ?
For my home network I use an old Windows 10 laptop running 24/7. Since I have no idea about Linux, I built my own DNS blocker on Windows 10.
All my internet traffic now goes through Adguard Home, Unbound and dnscrypt-proxy (ODoH). It took me a while to build it because there are few instructions for Windows.
Hi Sven, many thanks for the feedback.
Thanks Marc, great video!!!! last video you mentioned the Batman protocol, do you still plan to release this video?
Hi Alex, yes it's still on. But before I do that my pull request needs to go through github.com/openwrt/luci/pull/5698 - I wrote a LuCI interface for that video ;-)
Awesome! Can't wait🎉🎉
Another great video of yours, Marc!
How would you announce your pihole/adguard home service for IPv6? For IPv4 we'd set option 6 but where would we announce the DNS filter for IPv6?
Would you simply add the bitmask to your LAN interface's IPv6 Settings as a DNS server inside the DHCP settings tab? Let's say ::5:0:0:0:245 according to your example from the IPv6 with OpenWRT video?
On the Interface - DHCP Server tab - IPv6 Settings - Announced IPv6 DNS servers. Here you can put addresses of DNS Servers that would be announced via DHCPv6
been waiting for this video. thank you!
Perfect - glad you like it ;-)
I've set my DNS settings under Interfaces > WAN > Advanced > Use custom DNS servers. Also disabled the DNS by peers, to not use my ISP's DNS and setup a DNSCrypt container to resolve the queries encrypted.
Many thanks for the feedback and sharing !
Hi Marc, always a pleasure to look at your videos. To the point and very helpful. Please keep up the good work!
I use Adguard home on a Raspberry 4 with 4 Gb. This is a bit of an overkill hardware wise. You could use a smaller Pi. I have various VMs and PCs which are all directed via my Fritz to the Pi. It was a breeze to install and I am keeping track of all the relevant blocking lists and updates. So far so good.
Awesome - many thanks for sharing Hans !
Firstly, thank you so much for all your videos. They're great and have taught me loads! Secondly a hopeful request, is there any chance of getting an update on how to perform the enforcement with nf-tables? I tried using the iptables-nft but the --to command is not recognised.
Hi Ben, you might not even need a custom rule. Try using DNAT ( on the port forward tab of firewall)
Very interesting video and very well explained, as always !
I will try to use another router as DHCP because my ISP router has no option for customizing the DNS. Looking forward to test this with my raspberry Pi 3.
Perfect - let us know how it goes!
Two years ago I installed Pi-Hole on a T620 quad core thin client with Ubuntu Server. It's running perfectly. Power consumption about 5-6W. The difference between Pi-Hole and AdGuard is the consumption of RAM. Pi-Hole with ubuntu server uses about 14-15% of 4GB (Domains on Adlist more than 2.339.000), when I run AdGuard it uses more than 50% with fewer Domains on the Adlist than Pi-Hole. I think the better solution in AdGuard is the blocking of all stuff like RUclips, Instagram... with one click on the menu. Pi-Hole requires adding a specific address to the block list.
That's great feedback Marcin - many thanks for sharing!
You have to use lists designed for AdGuardHome.
Great explanation!! Thanks a lot! How about SNI-based web filtering on OpenWRT?
Because DNS over HTTPS could be used to bypass Pi-hole, many smart devices now implement DOH, which makes it impossible for us to block them from phoning home.
Personally I use AdGuard home and redirect all dns (Port 53)
For SNI - wouldn't you still need a blacklist behind that ?
@@OneMarcFifty yup, but SNI based web filtering can prevent DOH or DOT
I am using pi-hole on a Raspberry Pi, in a docker container. The Ubiquiti router is set up to pass the local address of the RPi first, with Cloudflare 1.1.1.1 second. Found a thorough tutorial online so it didn't take very long to set up. It works quite well, the only problem is that the blacklists I use don't seem to stay real current. pi-hole will reload them automatically once a week, but if they aren't being maintained stuff gets thru.
Hi Gary, many thanks for the feedback. Yes - maintaining blacklists is a never-ending race ;-)
@OneMarcFifty Adguard/Pihole has DHCP function as well - you forgot to mention it. :)
Yes, you are right. The initial script for this episode was much longer, initially I wanted to go through some settings of Adguard Home in the end but I found that 30 minutes would be more than enough ;-)
It's pretty easy to set up a blacklist with openwrt 22.03-rcx or newer. Ships with dnsmasq 2.86 which improves blacklist performance. Put a blacklist in /tmp/dnsmasq.d and you're good to go. I set up a cron job to update the blacklist from oisd daily and restart dnsmasq. You need 10MB of space and a decent amount of memory, but it's working well on my modest router with the full list.
Hi, many thanks for that info - I didn't know that !
Marc... I have a question...
when do I seek for quality content on this topics I always end up in one of your videos???
?did you installed some tracking cookies in my browsers??
?or redirected my port 53 TCP/UDP to your DNS servers??
;-)
Yeah ;-) Actually you're not far from the truth - If you have watched one of my videos, then youtube is quite likely suggesting another one to you ;-) Thanks for the feedback ;-)
Nice!, I do this differently, I can do this through a port forward and I can use the ! sign as well at src ip to whitelist the router and pihole ips in luci.
Hi guido - yes that works as well. You would just need to make sure that your IP address doesn’t change. I personally prefer rules based on MAC addresses
I played with PiHole as well as AdGuard Home. AdGuard Home is better (supports DoH out-of-the-box) but the best is OpenWrt built-in Adblock package ;-).
I've heard that a couple of times now - need to check it out - thanks for sharing ;-)
Going to start watching now, but Im thinking: It would be awesome if the DNS server/filter on the router could be configured via a rest API
Oh - that's a very interesting approach - what would you like to configure - I mean which type of interface or application would you like to hook into this ?
@@OneMarcFifty The most popular DNS service/server that can be configured via a rest API is PowerDNS - but I'm unsure if it will run on a router. The next best option would be CoreDNS. So you use something like Ansible to manage the state/configuration of your DNS server using a more "traditional devops" process than a custom/adhoc process
For me at home, I'm running an Archer C7 with OpenWRT with AdBlock package (not Adguard Home). Also I use uBlock Origin on my browsers (Firefox, Chromium, LibreWolf) and AOSP (no google services on my mobile). My aim is to block anyone, especially Big Tech (Google, others) from invading my privacy and profiling me.
When I'm away from home, I have a 4G router which has limited configuration options and doesn't permit me to choose DNS provider, so similar to your solution - I turned off DHCP on the 4G router, and have a Raspberry Pi running Pi-Hole and providing the DHCP service instead.
I like your tutorial, however one thing that it doesn't seem to cover (and I'd like to do something about it myself - but it seems very tricky): DNS over HTTPS (DoH) - Proprietary applications, the Chrome browser, devices like Amazon Echo - All these things can potentially use DoH to punch DNS requests out of your home network to their DNS servers because they hide the queries in the HTTPS traffic. I believe the solution involves proxying HTTPS and/or blacklisting DoH server addresses.
On the other side of the coin, I quite like DNS over TLS (DoT) because it gives you the privacy benefits of your DNS requests being encrypted (i.e. from your Pi-Hole to your preferred DoT server) but it runs on specific 853 port, which means that you can easily control access to it with your firewall rules. (For instance, block all 853 port traffic, except to this one trusted DoT server.)
You are totally spot on with your comment - many thanks ! A lot of comments here seem to point into the DoH direction - please also see my post here: ruclips.net/user/OneMarcFiftycommunity
Thanks Marc, great video as usual with easy way to understand.
I have a question: if we have a device connected to a vpn, can we still direct its traffic to pihole or adguard?
Yes, that is possible but it requires very thorough routing rules in order to prevent DNS leaking.
Thank you so much for an easy to follow tutorial. Just a question. If I want to use DOH for example, then I wouldn't put the localhost:5353 address on upstream DNS right? Thanks!
awesome video, waiting on the Batman-Adv OpenWRT integration.
Hi - yes - it's in the making - please also see github.com/openwrt/luci/pull/5698 ;-)
Thank you for this amazing episode! But I do not have "Custom Rules" tab on my installation of openWRT. Is this installed via an additional LuCi package?
Using pfsense on HP-T620 with pfsense blocker . Though the thin client has only 1 NIC, I have converted an openwrt router into a vlan managed switch . Now the router is being used as both access point and managed switch.
Nice solution - thanks for sharing ;-)
In the OpenWRT router is there any way to change where the DNS queries are stored from AdGuard Home (usb , another partition,....etc) , Great explanation as usual keep it up
Unfortunately there is no way to set this in /etc/adguardhome.yaml as the feature does not exist yet: github.com/AdguardTeam/AdGuardHome/discussions/4467 - what you could do is create a symbolic link in /tmp/adguardhome/data to another location prior to starting the service in /etc/init.d/adguardhome...
I have an OpenWrt router set up as the main internet router. On it I have DHCP set up for 4 vlans. I use a PiHole configured to be accessible in all vlans through adding the vlans to the configuration of the PiHole, servicing those vlans with blocking from 1 device. My setup works as I have it currently configured. My main OpenWrt router is an old Cisco EA3500 which I am only using as a wired router and which connects another OpenWrt router (configured as AP) and a Mesh pair of Asus routers (Stock Firmware and configured as AP) The vlans are mostly over the 2 OpenWrt routers, with the Asus routers being in their own vlan.
I'm wanting to upgrade the whole mess at some point to be a Mikrotik hEX POE gigabit router and 2 cAP XL ac (Access Points) configured with vlans. Can't get either currently due to the chip shortages
Many thanks for sharing - and yes - the chip shortage is a curse....
i have no idea how i got here, but thank you algorithm
Glad you like it ;-)
Thank you, that was an awesome, very comprehensive
Good job Marc. Thank You !!!
Many thanks Robert!
@OneMarcFifty Thanks for a great video however I think something is missing.
I did VLANs like in your other video and it is working great for a few months now but today I installed and configured AdGuardHome and suddenly I have no internet.
At first I could access internet only from my main VLAN but connecting via WiFi had no access to internet (it connects and had IP but no internet). Now I have no internet whatsoever even on my Main VLAN though I changed very little on ADH so it could be some other things. I can however ping IPs on internet so clearly it has something to do with DNS
Question: having VLAN and installing ADH (and changing dnsmasq to 5353) should I also add some firewall rules or change anything else?
Appreciate the excellent tutorial!
I attempted to install AdGuard on my device (and forwarded it to port 5383). However, the guest network is no longer functioning. Should I apply a firewall rule, and if so, which one would be appropriate?
Just all the information I need, thank
Thank you very much!
Currently I use Adblock under openwrt on a raspberry pi cm4 on a specialist router board.
Many thanks for sharing David!
I run PiHole in a container on one of my NAS'. 2x WRT19000 routers with fast roam and of course OpenWRT. Netgear managed switch to beef it up (link aggregation)
Awesome, thanks for sharing !
i use adaway on my phone(rooted ofc). that's all. ublock serves me pretty well on pc.
Great feedback, many thanks !
hello Marc,
how can I run AdguardHome + unbound on openwrt pls help.
For Adguard follow the video. For unbound please see this article openwrt.org/docs/guide-user/services/dns/unbound
@@OneMarcFifty Thank you for the video and the link. But for me it’s not easy to understand and they don’t use Ad Guard. A new video explaining the configuration of Unbound would be great 😉
I'm currently running Pi-Hole on a RPi3 which is acting as both DHCP and a recursive DNS server via Unbound. Ads be damned, and with Wireguard on my phone the blocking even extends outside of my home network.
Awesome- thanks for the feedback !
Or, if you ARE using pfSense, you run pfBlockerNG. A VERY powerful DNS filter and DNSBL utility that runs ON the router integrated with Unbound. (in response to your Call For Action)
Hi - many thanks for the feedback - yes, pfBlockerNG has come up a couple of times in the comments. Need to have a look at it :-)
great explanation as always, been a year using adguardhome running on raspberry pi openwrt, it filters almost everything, except all requests from clients using DoH. how to handle it?
Many thanks for the feedback ! DoH is a nasty thing - I'll make a community post about this - might be worth an episode... ruclips.net/user/OneMarcFiftycommunity
I'm using a Pihole with your solution 1, using the OpenDNS, Quad9 and Cloudflare servers... It's a fine setup, and I get rid of the ads
I've had a look at the Quad9 offering - it looks quite solid - many thanks for the feedback !
I have used your method and many other configurations with adguard/pihole. The strange issue with openwrt is when you move dnsmasq off 53 to another port then openwrt itself cannot resolve anything DNS. This in itself solves openwrt flooding adguard or pihole with PTR requests. When you add a dns server of the lan interface into dnsmasq under init.d, this then populates your lan ip into /tmp/resolv.conf restoring openwrt to being able to resolve DNS, but as mentioned starts flooding adguard/pihole with PTR requests. I am convinced this is a bug in openwrt.
This is by design and discussed here forum.openwrt.org/t/solved-luci-floods-dnsmasq-log-with-ptr-queries/89073 Please close any open LuCI pages and see if the problem persists
@@OneMarcFifty I have resolved through manually editing conf/yaml files and bindings, my suggestion of being a bug is not accurate, it's more a shortfall in the implementation of LuCI. In my instance I also had to change manually an Adguard script as I settled on adguard over pi-hole in the end. I found it more favorable if you aren't attached to a more robust logging history. Thanks for your reply, your videos have been handy in shortening my investigation into implementing my new router/network with openwrt.
Hi Marc,
Amazing video, thank you,
I'm currently using solution 3, is there any way to know which device made the request in AdGuard? It identifies as my router made the request.
Also, is it possible to still access the hostname of the main router?
Thank you
Hi Daniel, unfortunately no - as we are rewriting the packets (or rather masquerading / DNATting) - there is no way to know that.
Hi great video as usual, can I use adguard home as well as adblock on my openwrt router? Also when are you going to start uploading your videos to odyssey?
Hi Gary - I have not tested adblock and adguard home in parallel - but why would you want to do that ? I'd rather strive to have the lists integrated into one solution. W/r to odyssey - I probably won't use it - due to the fact that it is blockchain based I could see issues if I wanted to edit or remove content. I am currently examining the possibility to provide Vimeo ad-free content to my Patrons.
@@OneMarcFifty Hi thanks for the reply adblock is working very well for me tbh but always nice to have other options
Regards odysee I always think its better for creators to have back up options if youtube decides you have broken one of their 'rules'
Hey marc, thank you for that video, but I think I do something wrong, because all my clients now are using adguard home but the router itself is not able to resolve any address. The resolv.conf has 127.0.0.1 in it. When I rewrite that to the lan ip address of the openwrt (with adguard) [192.168.1.1] it will work. But the resolv.conf gets rewritten every now and then. I have tried to fix this for 2 days now. 😮💨
I too am facing the very same problem. The router itself isn't able to connect to the internet. My resolv.conf has ::1 in addition to it and a "search lan" term at the very top. Adding "nameserver 9.9.9.9" or any other DNS server solves it for a moment or until the next restart of the network service but then it gets flushed back to search lan, 127.0.0.1 and ::1.
You really need to move dnsmasq to a different port (other than 53) and have AdGuard listen on port 53; therefore the router and other clients should listen on AdGuard.
@@OneMarcFifty Marc, I'm a bit confused about this reply. Is this a typo? Should this be "dnsmasq to a different port (other than 53) and have AdGuard listen on port 53" instead of "dnsmasq to a different port (other than 53) and have DNSMASQ listen on port 53"?
Doh! Thanks for the reply! Yes - ADGUARD on port 53, DNSMASQ on other port ;-)
YOU’RE THE BEST
Thank you ;-)
Excellent one Marc, I am wondering if the Netgear WNDR4300 v2 with 120 MiB memory will be enough to run AdGuard on it, I have 68 MiB of memory free. I hope to catch up on your discord server soon. Thank you very much for all the great content!
That should work - just watch out for the log file growth!
@@OneMarcFifty Thank you!
Marc! I say Marc! I have been waiting, holding my breath, for the video you announced on VLAN over LAN as opposed to Wi-Fi! Is it coming? Ehh? I have turned blue and will shortly have to start breathing again! Well, at least I can now add AdGuard to my setup while I wait!
Please keep breathing 😂 - the batman-adv video just takes a bit of time because I had to write the user interface which is currently in the testing phase - please see my community postings on that ;-)
@@OneMarcFifty thank you for making the extra effort with the LuCI interface. I am tweaking the batman configuration myself with the config files. LuCI with your changes included is definitely more user friendly.
Hey Jonathan - hope you had started breathing in between - your video is live: ruclips.net/video/t4A0kfg2olo/видео.html
Just installed Pi-hole via DietPi (which runs on many different SBCs, not only Raspberry Pi).
It can run a webserver so you can manage/view Pi-hole remotely (after setup); to manage it you need a password ...
Hi, many thanks for the comment! Believe it or not - I didn't know DietPi ;-( I'll have a look at that!!!
@OneMarcFifty Hi, I have been following along with some of your how-tos, but for this one, when I install iptables-mod-extra, I don't get any Custom Rules tab in 23.05.2. Have you come across this issue, and how did you fix it?
Hi, I'm trying to follow the enforcement step, but after upgrading to OpenWrt 22.03 the Custom Rules tab is no longer available, even after installing the iptables extra. Will you be releasing an updated guide? Ty.
Hi Vance, there are a couple of videos that need updating really ;-) W/r to the custom rules, you can also use DNAT (in the port forwarding section) for that.
@@OneMarcFifty ty. Looking forward to an updated guide/s. Your videos help me a lot as they are easy to follow and understand for a beginner in networking like me.
Thanks for your video. I plan to use OpenWrt x86 on a powerful firewall with 8 ports. I would add AdGuard Home. My concern is how to configure the remaining 7 ports as a switch. eth0 will be WAN and eth1 to eth7 will have the same IP.
Have you checked my OpenWrt playlist ? ruclips.net/p/PLZXNpqQDHIJrgzaR7h1V1AT4bdaNjS0zZ
Not really using any blocking, but I use DNS over TLS in pfSense, and if I were to filter I would just change to 1.1.1.2 for malware protection from Cloudflare, which surely would do a better job than me.
Many thanks for the feedback, Bruce !
OpenWrt 23.05.3 doesn't have the custom rules tab anymore! I think you need an updated video for current OpenWRT (23.05.x).
Hey there, it's me again. I'm trying to do this on OpenWrt 21 with nftables, but it is not working. I translated the rules here, but they do not fit. The router itself has a connection to the world, but my devices do not. Could you help me here?
Hi - welcome back ;-) I am afraid that I need to skill up myself on nftables before I can give compelling advice here ;-) But I think I need to do a couple of follow-up videos on OpenWrt rather sooner than later anyhow. fw4, nftables - big changes under the hood.
I previously ran AdGuard Home in Docker on a NAS before I replaced my router. So after I replaced it with an OpenWrt-based router, I would go to a proven solution, AdGuard Home. But I can't get it running correctly, and the tutorial on the OpenWrt forum is kinda confusing. Luckily someone who compiled OpenWrt for my device also included adblock and DoH. Setting it up isn't much hassle, and it has the same user experience as AdGuard Home.
Many thanks for the feedback Arief!
It's possible to use !IP_TO_ADGUARDHOME as the source IP address in the firewall setting to prevent AdGuard Home from looping back.
Hi, I didn't know that - thanks for sharing
I used Pi-hole for a while, but it can't block YouTube ads, so I am trying adblock on OpenWrt in the hope it could help. Do I need to delete the route on dnsmasq like you did with AdGuard Home? Would the iptables command in your description help with YouTube ads?
I followed your tutorial on a Belkin RT3200. I can't find Firewall > Custom Rules after flashing the Belkin RT3200 to an OpenWrt snapshot. Am I missing something?
Hey, you shouldn't block RUclips ads - YT creators need the income ;-) Just kidding - it would help with the overlay ads (i.e. the ones that pop up) but not the embedded video ads.
Hi Marc, thank you for sharing your knowledge. I still need to understand a simple solution for DNS. How can I configure OpenWrt (via LuCI or CLI) to use a specific DNS? In my case, I'm looking to use OpenDNS. I hope you can help me.
He described the different methods explicitly for openwrt in solution 1 (8:42 over DHCP) and solution 2 (15:46 DNS Forward).
I have a Belkin 3200 with OpenWrt, and Wireshark with VPN. Will adding the AdGuard Home package on it slow down my internet speed?
It will slow things down for some things as it needs to do an additional hop. It will however speed up a lot of pages as you won't get ads any more. My personal experience is that the "felt" speed is the same, but without the ads.
In option 4, why not keep AdGuard Home as the downstream DNS and dnsmasq as the upstream DNS? I also see there's a DNS filter module for OpenWrt; could that conflict with AdGuard Home?
Hi Marc,
I have a Xiaomi AX3600 with a recent snapshot build + LuCI. I've installed AdGuard Home following your tutorial exactly. It was working fine until a device reboot. After that I'm able to log in to LuCI and the AdGuard interface, but there is no outside internet connection. I found a few similar threads, so I tried to:
1. change NTP servers to their IP addresses (and reboot)
2. disable dnsmasq (and reboot)
None of that helps. Do you have any idea what might be wrong? I don't know if this is relevant, but I have an additional network interface for a guest network, also configured using your video's help ;)
Hi, would you please make a video for the enforcement after the custom rules tab vanished. Thank you
Good point. Need to think that over.
@@OneMarcFifty thank you for your informative videos.
With nftables, I would like to filter the DNS traffic too. But it is new to me. Any insight?
@@OneMarcFifty hello, any update or workaround to achieve the enforcement of solution 3?
You can actually use the port forwarding (DNAT) tab for that. Do a port forwarding for port 53 on the network that you want to filter to your AdGuard/Pi-hole.
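The DNAT port-forward suggested here, together with the port swap from the earlier reply (AdGuard on 53, dnsmasq on another port) and the source-IP exclusion mentioned further down, as an added shell example that is not part of this thread or of the video. The addresses 192.168.1.1 (router), 192.168.1.10 (a Pi running AdGuard Home or Pi-hole), port 5353 and the function name `dns_enforce_plan` are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the video or this thread): emit the OpenWrt uci
# commands for enforcing "solution 3" on fw4 (22.03+/23.05), where the
# Custom Rules tab is gone, as a redirect (DNAT) of all LAN port-53 traffic
# to the DNS filter. Commands are printed rather than executed so the plan
# can be reviewed first (and so this runs on a machine without uci).
# Constructed values: 192.168.1.1 = router, 192.168.1.10 = filter host.
dns_enforce_plan() {
    router_ip="$1"    # LAN address of the OpenWrt router
    filter_ip="$2"    # host that answers DNS on port 53
    dnsmasq_port="$3" # used only when the filter runs on the router itself
    if [ "$filter_ip" = "$router_ip" ]; then
        # AdGuard Home on the router takes port 53, so dnsmasq moves away;
        # the router's own /etc/resolv.conf (127.0.0.1) then keeps resolving.
        echo "uci set dhcp.@dnsmasq[0].port='${dnsmasq_port}'"
        echo "uci commit dhcp"
    fi
    echo "uci add firewall redirect"
    echo "uci set firewall.@redirect[-1].name='Force-LAN-DNS'"
    echo "uci set firewall.@redirect[-1].src='lan'"
    echo "uci set firewall.@redirect[-1].src_dport='53'"
    echo "uci set firewall.@redirect[-1].proto='tcp udp'"
    echo "uci set firewall.@redirect[-1].dest='lan'"
    echo "uci set firewall.@redirect[-1].dest_ip='${filter_ip}'"
    echo "uci set firewall.@redirect[-1].dest_port='53'"
    echo "uci set firewall.@redirect[-1].target='DNAT'"
    if [ "$filter_ip" != "$router_ip" ]; then
        # Do not DNAT the filter's own upstream queries back to itself
        # (the "!IP_TO_ADGUARDHOME" exclusion mentioned in the thread).
        echo "uci set firewall.@redirect[-1].src_ip='!${filter_ip}'"
    fi
    echo "uci commit firewall"
}

# On the router: dns_enforce_plan 192.168.1.1 192.168.1.10 5353 | sh
# followed by: /etc/init.d/dnsmasq restart; /etc/init.d/firewall restart
dns_enforce_plan 192.168.1.1 192.168.1.10 5353
```

With the filter on the router itself (second argument equal to the router address), the dnsmasq port move is emitted and the source exclusion is not, matching the "AdGuard on 53, dnsmasq elsewhere" reply above.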
Thanks a lot for the video. Can we do MAC address filtering with AdGuard Home? I am using AdGuard Home for DHCP and want to block all devices which are not added in the DHCP static leases.
This should be done on the router’s dhcp settings, not in Adguard
@@OneMarcFifty ok... thank you so much for the reply...
Hi OneMarcFifty. First of all, congratulations on your content! I watched all of your videos and now I have more knowledge about technology! I would like to ask you about one important thing about my network: here I have basically 2 Wi-Fi networks, the main one and the guest one, with different IP addresses. Well, I would like to use the Pi-hole to filter DNS ads on both of them, but I am not sure how to do that because I have 2 different networks trying to use it. Could you help me? I'm looking forward to the next videos, especially for B.A.T.M.A.N.!
Thank you
Either you allow DNS traffic from both networks to the DNS filter on the firewall or you use solution 3.
@@OneMarcFifty I tried to use the last solution with the iptables commands, but after that problem, I just created some "virtual ethernet devices" on the Raspberry and put each one in a different VLAN, and now my DHCP sends the clients the IP of the DNS server for each VLAN. It works, but I would like to redirect through the main router...
@@OneMarcFifty I forgot to say that I use VLANs running in the same infrastructure without physical separation
There are also public AdGuard DNS servers that can be used. Of course, it will be slower than the private ones. BTW, do you know an easy way of switching IP/DNS used by clients?
Sometimes you just want to see the ads ...
Hi Cezary, many thanks for the feedback! Well, you could either change the network settings on the client, you could use privacy badger on the client and switch it off or - you could have two different Wi-fi networks. One being filtered and the other one being unfiltered
With OpenWrt you can assign each device a different DNS IP in case you want ads on a certain device.
I can't see "Custom Rules" tab on Firewall settings. What am I missing here ?
I'm using the adblock package from openwrt. Is the adguard home any better?
I did not have a detailed look at adblock. I think AdGuard Home is a bit more feature-rich, but adblock has an integrated LuCI interface (which AdGuard does not).
@@OneMarcFifty Indeed, adblock's luci interface has a simple checkbox for "Force local DNS" which automatically takes care of the firewall settings needed to redirect (aka: hijack) all DNS requests on the LAN. (There are sub-fields for zones and ports, but defaults work for me.) This alone would make it my first recommendation for most people, with the proviso to check the memory usage (via status->overview->memory->used) and trim the block list selection accordingly.
I run nsd on an Alma server for authoritative DNS for the home network. An Ubuntu server running Samba talks to it to get/serve LAN names and acts as its own DNS server. AdGuard is running on my OPNsense router/gateway, with unbound behind it talking to the quad9 recursor. We have a PiHole instance running as backup for AdGuard (but since AG is on the router, if AG stops working it's probably because something else is wrong, so the PiHole isn't going to be much help).
Wow - I didn't know Quad9 - Swiss made ;-) I'll need to have a closer look here ;-) Thanks for sharing!
@@OneMarcFifty Yeah, I only heard about them about a year(?) ago from Tom Lawrence. He did a long video talking to one of their principals about how the company was founded, their commitment to privacy and so on. I switched from cloudflare immediately... 😀
@@OneMarcFifty Found it, kinda long, but stuffed with good info. ruclips.net/video/bgA0w7efQC8/видео.html
Can Pi-hole or AdGuard use DNS over HTTPS? If so, then you can block the Pi-hole server's UDP 53 as well, to prevent DNS leakage from that server too.
They both can. You could even use DNS over HTTPS with dnsmasq on your router if you wanted to completely close the chain. There is a software package called https-dns-proxy, see openwrt.org/docs/guide-user/services/dns/doh_dnsmasq_https-dns-proxy
I run a Synology NAS and have AdGuard Home on it with a separate IP for its DNS. I have however started to run a domain server from the NAS too. All of the workstation computers were set to use the DNS IP of AdGuard Home; however, for the domain controller to work, I now need to set the DNS IP of the NAS for the workstations to be on the domain. Since I can only use one or the other for the DNS IP, I have to choose between AdGuard or the domain. Is there a way around this?
Hi, it's not entirely clear to me how you set this up. Maybe you want to jump on the Discord Server and post a drawing there?
Thanks for this amazing video. I'm playing FIFA 22 on a PS5; can you help me have a better condition when I'm playing?
Sorry - I don't think that I can do that ;-)