FWG + AdGuard Home + NextDNS
So, before I made my FWG purchase I did a lot of Googling around trying to ensure I'd be able to continue using AGH. I switched from PiHole to AGH simply because it's far, far better at blocking specific services, such as YouTube. I'm sure somebody will come back and say PiHole is better if I just do X, Y, and Z, but that's not what this post is about.
There seems to be some conflicting guidance on just how to set up a third-party DNS adblocker with Firewalla. Some guides say disable the DNS Booster, some say you have to put the adblock device in a separate network segment, etc. Well, I'm not sure if it's because the Firewalla software was updated in the meantime, some specific ability of the FWG, or what, but I apparently didn't have to do that. I'm posting this not as a guide, but just as a record of what worked for me.
1) Running FWG in router mode. I have two old routers set in AP mode providing wifi at either end of the house. I have one "main" LAN set up. IPv6 is enabled through prefix delegation.
2) Booted up a Raspberry Pi, let it get an address from DHCP and then reserved it. Installed AdGuard Home and pointed that at my NextDNS.io DoH address.
3) Set the DNS address on my main LAN segment to point to the reserved AGH IP. Didn't disable DNS Booster.
4) Immediately entries began appearing in the AGH log, however they were coming from the FWG directly. Rebooting the APs and the FWG one at a time made them click over to showing their actual IPs.
5) After ten minutes or so, AGH began resolving these IPs to the name assigned by the FWG, via ARP cache.
Everything seems to be fine. Monitoring in FWG seems to work, network flows show everything they used to. Entries show up properly in AGH, and ditto for NextDNS.io. I might be missing some protection from the FWG, but with DNS Booster still on I thought that would be mitigated some.
Anybody think I messed up? Please let me know if this worked for you as well.
-
I too had some oddities here based on what I thought about how it works.
I did this.
1 - have a Pi running pihole on a dedicated segment connected to FWG.
2 - on the FWG WAN port I designate the DNS to be the Pihole IP.
3 - on each other FWG LAN I specify the pihole IP.
4 - I disabled DNS booster for a subset of devices.
For a few days I only saw the subset of devices hitting pihole plus the IP that is the FWG.
I noticed yesterday that now all 30+ devices show up in pihole stats but they still have DNS booster on.
So it seems I don't need to turn off dns booster to get discrete stats now?
I have ad blocking and DoH disabled on the FWG.
-
Okay, reverted to just the FWG for now.
What I found was that over time, responsiveness started to drag dramatically. It's possible that with the Booster enabled there was some form of loop behavior occurring. Disabling it didn't seem to help, either. An nslookup on any domain resulted in a timeout, though DNS requests do eventually resolve in a browser. Not sure what that means. Initiating RDP to a local box took significantly longer as well.
Another thing I found was that disabling IPv6 on the LAN segment entirely disabled AGH's ability to resolve ARP entries. No idea why, I'm not sure what it's doing under the hood. Upon re-enabling IPv6, hostnames began to resolve again in AGH.
I also attempted to forward local DNS queries from AGH to the FWG, as you would using conditional forwarding on a PiHole, and that certainly created some kind of loop behavior, killing all requests for DNS.
I'm going to continue fiddling with it, but in the meantime I have a simple rule set up to block ytimg.com on the devices I don't want YouTube available on.
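The setup from the first post (FWG forwarding to AGH, AGH forwarding everything to NextDNS) and the conditional forward of local names back to the FWG that this post describes as killing all DNS can be modelled as a small chain of forwarding resolvers. The script below is an added example, not code from this thread or from Firewalla, AdGuard Home or NextDNS; the hop names, the assumption that the FWG with DNS Booster forwards to the LAN DNS it was given, and the ".lan" suffix are constructed for illustration. It traces where a query travels and flags the cycle that appears as soon as AGH hands ".lan" names back to a device whose own upstream is AGH.

```python
"""Trace the path a DNS query takes through a chain of forwarding resolvers
and report whether it loops.

Added example for this thread; not code from the thread, from Firewalla,
AdGuard Home or NextDNS. Resolver names and the ".lan" suffix are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Resolver:
    """One hop: where unmatched queries go, plus optional per-domain
    (conditional) forwards, like PiHole conditional forwarding or an
    AdGuard Home domain-specific upstream."""
    name: str
    default_upstream: Optional[str]                 # None: answers queries itself
    conditional: Dict[str, str] = field(default_factory=dict)  # suffix -> upstream

    def next_hop(self, qname: str) -> Optional[str]:
        qname = qname.rstrip(".").lower()
        for suffix, upstream in self.conditional.items():
            if qname == suffix or qname.endswith("." + suffix):
                return upstream
        return self.default_upstream


def trace(resolvers: Dict[str, Resolver], start: str, qname: str,
          max_hops: int = 16) -> Tuple[List[str], bool]:
    """Follow qname from `start` hop by hop. Returns (path, looped). When a
    hop is revisited it is appended once more so the cycle is visible."""
    path = [start]
    seen = {start}
    current = start
    while len(path) <= max_hops:
        nxt = resolvers[current].next_hop(qname)
        if nxt is None:
            return path, False          # this hop answers the query itself
        path.append(nxt)
        if nxt in seen:
            return path, True           # forwarded back to an earlier hop
        seen.add(nxt)
        current = nxt
    return path, True                   # hop limit hit: treat as a loop


def working_chain() -> Dict[str, Resolver]:
    """Setup from the first post (assumed): FWG with DNS Booster forwards to
    AGH, AGH forwards everything to NextDNS over DoH."""
    return {
        "fwg": Resolver("fwg", default_upstream="agh"),
        "agh": Resolver("agh", default_upstream="nextdns"),
        "nextdns": Resolver("nextdns", default_upstream=None),
    }


def looping_chain() -> Dict[str, Resolver]:
    """Same chain plus the conditional forward of local names from AGH back
    to the FWG that the third post reports as killing all DNS."""
    chain = working_chain()
    chain["agh"].conditional["lan"] = "fwg"   # constructed local suffix
    return chain


if __name__ == "__main__":
    for label, chain in (("no conditional forward", working_chain()),
                         ("AGH forwards .lan to FWG", looping_chain())):
        for name in ("www.example.com", "printer.lan"):
            path, looped = trace(chain, "fwg", name)
            print(f"{label:26} {name:16} {' -> '.join(path)}"
                  f"{'  LOOP' if looped else ''}")
```

Public names resolve the same in both chains; only the local suffix cycles, because the FWG's own upstream is the AGH box that is now asking it. Pointing the conditional forward at an upstream that does not itself use AGH (or answering local names inside AGH) removes the cycle.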
-
One point to note: I cleared my pihole logs and now I am only seeing traffic from the devices I turned off DNS booster for. So I wonder if, when I last booted the FWG, DNS booster started up delayed and at first all the devices used the pihole IP I have set from the LAN? Maybe I will restart the FWG and see if they connect again.