help with adguard container setup

lpetrov · May 4, 2024, 2:26pm

I just installed Adguard and configured the DNS settings on it. Now my problems is that FW is blocking DNS requests. I’m able to download blocklists from Adguard which means thru Adguard UI. But what I’m missing? Here is my current configuration:

# 2024-05-04 17:16:15 by RouterOS 7.14.3

#
# model = RB5009UG+S+

/interface bridge
add name=br-Uplink port-cost-mode=short vlan-filtering=yes
add name=containers
/interface ethernet
set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=\
    ether1-LAN-Hybrid
set [ find default-name=ether2 ] comment=proxmox name=ether2-LAN-Hybrid
set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ether3-LAN-Access
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether7 ] comment=mngmnt name=ether7-LAN-mngmnt
set [ find default-name=ether8 ] name=ether8-WAN-Static
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
/interface wireguard
add listen-port=14567 mtu=1420 name=wireguard1
/interface vlan
add comment="Management VLAN" interface=br-Uplink name=Management-10 vlan-id=\
    10
add comment="Smart Home VLAN" interface=br-Uplink name="Smart Home-30" \
    vlan-id=30
add comment="Users VLAN" interface=br-Uplink name=Users-100 vlan-id=100
add comment="Servers VLAN" interface=br-Uplink name=vlan20-Servers vlan-id=20
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_management_pool ranges=192.168.10.242-192.168.10.249
add name=dhcp_users_pool ranges=192.168.100.100-192.168.100.249
add name=dhcp_smarthome_pool ranges=192.168.30.100-192.168.30.249
add name=dhcp_servers_pool ranges=192.168.12.242-192.168.12.254
/ip dhcp-server
add address-pool=dhcp_management_pool interface=Management-10 name=\
    dhcp-management
add address-pool=dhcp_users_pool interface=Users-100 name=dhcp-users
add address-pool=dhcp_smarthome_pool interface="Smart Home-30" name=\
    "dhcp-smart home"
add address-pool=dhcp_servers_pool interface=vlan20-Servers name=dhcp-servers
/container
add interface=veth1 logging=yes root-dir=/Adguard start-on-boot=yes workdir=\
    /opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1
/interface bridge port
add bridge=br-Uplink comment="unmanaged switch poe" interface=\
    ether1-LAN-Hybrid internal-path-cost=10 path-cost=10 pvid=30
add bridge=br-Uplink comment=proxmox interface=ether2-LAN-Hybrid pvid=20
add bridge=br-Uplink comment="ABB IPS" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3-LAN-Access pvid=\
    30
add bridge=br-Uplink comment="office(right socket)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4-LAN pvid=10
add bridge=br-Uplink comment=unknown frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7-LAN-mngmnt pvid=\
    10
add bridge=containers interface=veth1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=br-Uplink tagged=ether2-LAN-Hybrid,br-Uplink untagged=\
    ether1-LAN-Hybrid,ether3-LAN-Access vlan-ids=30
add bridge=br-Uplink comment="wifi users" tagged=\
    ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid vlan-ids=100
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink,ether2-LAN-Hybrid \
    vlan-ids=10
add bridge=br-Uplink tagged=ether1-LAN-Hybrid,br-Uplink untagged=\
    ether2-LAN-Hybrid vlan-ids=20
/interface list member
add interface=ether8-WAN-Static list=WAN
add interface=Management-10 list=LAN
add disabled=yes interface=br-Uplink list=LAN
add interface=Users-100 list=LAN
add interface=wireguard1 list=LAN
add interface=wireguard1 list=MGMT
add interface=Management-10 list=MGMT
add interface="Smart Home-30" list=LAN
add interface=vlan20-Servers list=LAN
/interface wireguard peers
add allowed-address=10.10.20.2/32 comment=lubo-yoga interface=wireguard1 \
    public-key="KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"
add allowed-address=10.10.20.3/32 comment="Lubo iphone 15 Pro" interface=\
    wireguard1 public-key="qY77/mHFihsaB+jWMCkVO18WU23K3PvCF6AceyDusTc="
add allowed-address=10.10.20.4/32 comment="Lubo Ipad Pro" interface=\
    wireguard1 public-key="KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"
/ip address
add address=XXX.XXX.XXX.41/24 interface=ether8-WAN-Static network=XXX.XXX.XXX.0
add address=192.168.12.1/24 interface=vlan20-Servers network=192.168.12.0
add address=192.168.100.1/24 interface=Users-100 network=192.168.100.0
add address=192.168.10.1/24 interface=Management-10 network=192.168.10.0
add address=192.168.30.1/24 interface="Smart Home-30" network=192.168.30.0
add address=10.10.20.1/24 interface=wireguard1 network=10.10.20.0
add address=172.17.0.1/24 interface=containers network=172.17.0.0
/ip dhcp-server lease
add address=192.168.10.250 client-id=1:d8:d0:90:1b:5b:af comment=\
    "Lubo Yoga Wired" mac-address=D8:D0:90:1B:5B:AF server=dhcp-management
add address=192.168.10.6 client-id=1:1c:61:b4:14:a0:2c comment=\
    "TP Link EAP 615 Bedroom" mac-address=1C:61:B4:14:A0:2C server=\
    dhcp-management
add address=192.168.10.5 client-id=1:1c:61:b4:14:a9:a8 comment=\
    "TP Link EAP 615 Living Room" mac-address=1C:61:B4:14:A9:A8 server=\
    dhcp-management
add address=192.168.100.204 client-id=1:48:a6:b8:7:73:e2 comment="Sonos ARC" \
    mac-address=48:A6:B8:07:73:E2 server=dhcp-users
add address=192.168.100.249 client-id=1:72:70:2a:fe:13:ab comment=\
    "iPad Living Room" mac-address=72:70:2A:FE:13:AB server=dhcp-users
add address=192.168.100.203 client-id=1:54:2a:1b:23:ee:38 comment="Sonos SUB" \
    mac-address=54:2A:1B:23:EE:38 server=dhcp-users
add address=192.168.100.202 client-id=1:f0:f6:c1:c5:cf:d4 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:D4 server=dhcp-users
add address=192.168.100.201 client-id=1:f0:f6:c1:c5:cf:58 comment=\
    "Sonos ERA 300" mac-address=F0:F6:C1:C5:CF:58 server=dhcp-users
add address=192.168.30.2 client-id=1:2:78:7f:7f:66:2e comment=\
    "Home Assistant" mac-address=02:78:7F:7F:66:2E server="dhcp-smart home"
add address=192.168.30.205 client-id=1:64:d2:c4:e1:f5:dc comment=\
    "Apple TV Bedroom - Wireless" mac-address=64:D2:C4:E1:F5:DC server=\
    "dhcp-smart home"
add address=192.168.30.3 comment="ABB IPS2.1 (KNX)" mac-address=\
    00:0C:DE:93:50:5A server="dhcp-smart home"
add address=192.168.30.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA camelot" mac-address=B0:A4:60:9A:8C:1A server="dhcp-smart home"
add address=192.168.100.250 client-id=1:b0:a4:60:9a:8c:1a comment=\
    "YOGA castle" mac-address=B0:A4:60:9A:8C:1A server=dhcp-users
add address=192.168.30.4 client-id=1:0:24:6d:2:a6:6c comment=1HOME \
    mac-address=00:24:6D:02:A6:6C server="dhcp-smart home"
add address=192.168.30.5 client-id=1:64:d2:c4:d4:fb:c7 comment=\
    "Apple TV Bedroom - Wired" mac-address=64:D2:C4:D4:FB:C7 server=\
    "dhcp-smart home"
add address=192.168.12.244 client-id=1:3c:2a:f4:4c:81:e8 comment=\
    "Brother HL-3170CDW Printer" mac-address=3C:2A:F4:4C:81:E8 server=\
    dhcp-servers
add address=192.168.30.251 client-id=1:e2:2e:15:51:59:4e comment=\
    "Lubo Ipad Pro" mac-address=E2:2E:15:51:59:4E server="dhcp-smart home"
add address=192.168.100.251 client-id=1:9a:62:bd:95:32:39 comment=\
    "Lubo IPhone 15 Pro" mac-address=9A:62:BD:95:32:39 server=dhcp-users
add address=192.168.30.252 client-id=1:36:aa:c:fc:82:7d comment=\
    "Lubo IPhone 15 Pro" mac-address=36:AA:0C:FC:82:7D server=\
    "dhcp-smart home"
/ip dhcp-server network
add address=192.168.10.0/24 comment=mngmt dns-server=172.17.0.2 gateway=\
    192.168.10.1
add address=192.168.12.0/24 comment=servers gateway=192.168.12.1
add address=192.168.30.0/24 comment="smart home" gateway=192.168.30.1
add address=192.168.100.0/24 comment=users gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=172.17.0.2,8.8.8.8
/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
add address=192.168.100.251 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.4 comment="admin remote ios wireguard" list=Authorized
add address=10.10.20.0/24 list=LAN
add address=172.17.0.0/24 disabled=yes list=LAN
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
    dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
    LAN
add action=accept chain=forward comment=\
    "allow access from LAN to Home Assistant" dst-address=192.168.30.2 \
    dst-port=8123 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="allow access from LAN to Adguard" \
    dst-address=172.17.0.2 dst-port=80 protocol=tcp src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=" Adguard" in-interface=\
    containers out-interface=ether8-WAN-Static
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
    protocol=udp
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
    MGMT src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
    443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
    192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
    in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
    to-ports=32400
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=XXX.XXX.XXX.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Sofia
/system identity
set name=RB5009
/system note
set show-at-login=no
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether2-LAN-Hybrid

Amm0 · May 4, 2024, 2:53pm

Your firewall is blocking access to the VETH / 172.17.0.0/24. You seem to add the VETH subnet to LAN address-list add address=172.17.0.0/24 BUT it is marked a disabled=yes. The quicker fix may be to add VETH to the LAN interface-list.

Mikrotik example for pihole uses a dst-nat rule, which you use for other things, but not DNS. See https://help.mikrotik.com/docs/display/ROS/Container#Container-Forwardportstointernalcontainer

I’d also make sure the container is working too. On the router with container, the following command should resolves an IP address if working:

 :put [:resolve server=172.17.0.2 google.com]

lpetrov · May 4, 2024, 2:58pm

I think I fixed the FW problems and now clients can access the DNS. I changed LAN to Adguard by removing protocols/ports. Can you please take a look at it and let me know if you have any suggestions? As always I appreciate your help. Here are the updated rules:

/ip firewall address-list
add address=192.168.12.0/24 list=Servers
add address=192.168.100.0/24 list=Users
add address=192.168.30.0/24 list=SmartHome
add address=192.168.12.0/24 list=LAN
add address=192.168.30.0/24 list=LAN
add address=192.168.10.0/24 list=LAN
add address=192.168.100.0/24 list=LAN
add address=88.203.229.253 list=Svetulcho
add address=192.168.10.250 comment="admin local" list=Authorized
add address=192.168.30.250 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.2 comment="admin remote wireguard" list=Authorized
add address=10.10.20.3 comment="admin remote ios wireguard" list=Authorized
add address=192.168.100.251 comment="admin wifi" disabled=yes list=Authorized
add address=10.10.20.4 comment="admin remote ios wireguard" list=Authorized
add address=10.10.20.0/24 list=LAN
add address=172.17.0.0/24 disabled=yes list=LAN
/ip firewall connection tracking
set udp-timeout=10s
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access from LAN to Plex" \
    dst-address=192.168.12.140 dst-port=32400 protocol=tcp src-address-list=\
    LAN
add action=accept chain=forward comment=\
    "allow access from LAN to Home Assistant" dst-address=192.168.30.2 \
    dst-port=8123 protocol=tcp src-address-list=LAN
add action=accept chain=forward comment="LAN to Adguard" dst-address=\
    172.17.0.2 src-address-list=LAN
add action=accept chain=forward in-interface-list=MGMT out-interface-list=LAN \
    src-address-list=Authorized
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "allow access for containers to internet" in-interface=containers \
    out-interface=ether8-WAN-Static
add action=drop chain=forward comment="Drop all else"
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="wireguard handshake" dst-port=14567 \
    protocol=udp
add action=accept chain=input comment="Access for MGMT" in-interface-list=\
    MGMT src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8-WAN-Static
add action=dst-nat chain=dstnat comment="port 443 to nginx proxy" dst-port=\
    443 in-interface=ether8-WAN-Static protocol=tcp to-addresses=\
    192.168.12.254 to-ports=443
add action=dst-nat chain=dstnat comment="port 32400 to Plex" dst-port=32400 \
    in-interface=ether8-WAN-Static protocol=tcp to-addresses=192.168.12.140 \
    to-ports=32400

Amm0 · May 4, 2024, 3:22pm

Looks like this covers it:

/ip/firewall/filter add action=accept chain=forward comment="LAN to Adguard" dst-address=172.17.0.2 src-address-list=LAN

I don’t see anything wrong there. You’re correct to leave the address-list entry for 172.17.0.0/24 disabled - otherwise the container be allowed full access to LAN.

FWIW, the reason Mikrotik shows NAT dst-nat rule in pihole example is this limit traffic only to DNS ports from clients. But this assumes the default “drop all” rule has the qualifier connection-state=new connection-nat-state=!dstnat which avoid needing a specific /ip/filter for container if there is a dst-nat rule for it. But since you’re using address-list in your firewall (not the default firewall’s interface-list approach), so your config here makes sense. n.b. And, there is a good argument to avoid NAT, as you do, see: https://tangentsoft.com/mikrotik/wiki?name=Bridged+Container+VETH&p

lpetrov · May 4, 2024, 3:29pm

thanks.