Wireguard + Adguard Help

stuntard · July 1, 2024, 9:39pm

Hi everyone. My setup is fairly simple (i think) and for the most part everything works. The issue I am having is with Adguard running in a container and Wireguard peers.
I followed The Network Berg’s setup video on Youtube for Adguard as well as a Gist i found. The only thing I did differently was I did not connect the VETH interface with a new bridge, rather I attached it to my single bridge with VLANs etc.

The problem I have is that there is no DNS resolution, and therefore no internet for any peers that are using the Adguard DNS server, unless I have this rule.

add action=accept chain=forward comment="Allow Adguard container WAN Access" \
    out-interface-list=WAN src-address=10.0.53.53

I believe it is because container is not a part of any of my interfaces that are in my VLAN interface list that has WAN access. I logged my firewall rules and I could see that traffic from that IP was coming from the bridge1 interface which by itself is not a part of any list that has WAN access.

Sometimes I find though that peers still don’t have internet access when using this DNS server. Is there a better way to go about doing what I want to do? That is have a single DNS server that is accessible by clients on my LAN as well as Wireguard?

# 2024-07-02 06:36:29 by RouterOS 7.15.1
# software id = 3WF7-CWJP
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=78:9A:18:D9:17:FF auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] auto-negotiation=no
set [ find default-name=ether3 ] auto-negotiation=no
set [ find default-name=ether4 ] auto-negotiation=no
set [ find default-name=ether6 ] auto-negotiation=no
/interface veth
add address=10.0.53.53/24 gateway=10.0.53.1 gateway6="" name=veth-adguard
add address=10.0.200.200/24 gateway=10.0.200.1 gateway6="" name=veth-mDNS
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=guest_vlan_20 vlan-id=20
add interface=bridge name=home_vlan_11 vlan-id=11
add interface=bridge name=iot_vlan_30 vlan-id=30
add interface=bridge name=mgmt_vlan_10 vlan-id=10
add interface=bridge name=servers_vlan_99 vlan-id=99
/container mounts
add dst=/opt/adguardhome/conf name=agh_conf src=/usb1/conf/adguard
/disk
set usb1 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add comment=Management name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.99.199-192.168.99.254
add name=Guest_Pool ranges=10.0.20.199-10.0.20.254
add name=Server_Pool ranges=192.168.0.199-192.168.0.254
add name=MGMT_Pool ranges=10.0.10.199-10.0.10.254
add name=IOT_Pool ranges=10.0.30.2-10.0.30.254
add name=Home_Pool ranges=10.0.11.199-10.0.11.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge lease-time=10m name=dhcp1
add address-pool=Guest_Pool interface=guest_vlan_20 name=Guest_DHCP
add address-pool=Server_Pool interface=servers_vlan_99 name=Management_DHCP
add address-pool=MGMT_Pool interface=mgmt_vlan_10 name=Server_DHCP
add address-pool=IOT_Pool interface=iot_vlan_30 name=IOT_DHCP
add address-pool=Home_Pool interface=home_vlan_11 name=Home_DHCP
/ip smb users
set [ find default=yes ] disabled=yes
/container
add envlist=repeater_envs interface=veth-mDNS logging=yes root-dir=usb1/mdns \
    start-on-boot=yes
add interface=veth-adguard logging=yes mounts=agh_conf root-dir=/usb1/adguard \
    start-on-boot=yes workdir=/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/container envs
add comment="mdns-repeater (FLO-254)" key=REPEATER_INTERFACES name=\
    repeater_envs value="eth0.11 eth0.30"
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 \
    internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10 pvid=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge interface=veth-mDNS
add bridge=bridge interface=veth-adguard
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=Servers_VLAN tagged=bridge untagged=ether1,ether4 \
    vlan-ids=99
add bridge=bridge comment=Guest_VLAN tagged=bridge,ether7 vlan-ids=20
add bridge=bridge comment=IOT_VLAN tagged=bridge,ether7,veth-mDNS vlan-ids=30
add bridge=bridge comment=MGMT_VLAN tagged=bridge untagged=ether3,ether7 \
    vlan-ids=10
add bridge=bridge comment=Home_VLAN tagged=bridge,ether7,veth-mDNS untagged=\
    ether2,ether5,ether6 vlan-ids=11
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether8 list=WAN
add interface=servers_vlan_99 list=LAN
add interface=guest_vlan_20 list=VLAN
add interface=iot_vlan_30 list=VLAN
add interface=servers_vlan_99 list=VLAN
add interface=mgmt_vlan_10 list=LAN
add interface=mgmt_vlan_10 list=VLAN
add comment=Wireguard interface=wireguard1 list=VLAN
add comment=Wireguard interface=wireguard1 list=LAN
add comment="Servers VLAN" interface=servers_vlan_99 list=MGMT
add comment="Management WG" interface=wireguard1 list=MGMT
add comment="Management VLAN" interface=mgmt_vlan_10 list=MGMT
add interface=home_vlan_11 list=LAN
add interface=home_vlan_11 list=VLAN
add interface=veth-adguard list=LAN
add interface=veth-adguard list=VLAN
/interface wireguard peers
XXXXXXXXXXXXXXXXXXXXXXX
/ip address
add address=192.168.99.1/24 comment=defconf interface=bridge network=\
    192.168.99.0
add address=192.168.69.1/24 interface=wireguard1 network=192.168.69.0
add address=192.168.0.1/24 interface=servers_vlan_99 network=192.168.0.0
add address=10.0.20.1/24 interface=guest_vlan_20 network=10.0.20.0
add address=10.0.30.1/24 interface=iot_vlan_30 network=10.0.30.0
add address=10.0.10.1/24 interface=mgmt_vlan_10 network=10.0.10.0
add address=10.0.11.1/24 interface=home_vlan_11 network=10.0.11.0
add address=10.0.53.1/24 interface=veth-adguard network=10.0.53.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether8
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.69 gateway=10.0.10.1
add address=10.0.11.0/24 dns-server=192.168.0.69 gateway=10.0.11.1
add address=10.0.20.0/24 gateway=10.0.20.1
add address=10.0.30.0/24 gateway=10.0.30.1
add address=10.0.40.0/24 gateway=10.0.40.1
add address=192.168.0.0/24 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.0.20.0/24 comment="Guest VLAN" list=Guest_List
add address=10.0.10.0/24 comment="Management VLAN" list=MGMT_List
add address=192.168.0.0/24 comment="Servers VLAN" list=Servers_List
add address=10.0.30.0/24 comment="IOT VLAN" list=IOT_List
add address=192.168.0.10 comment="HTPC PC" list=admin_ips
add address=10.10.10.0/24 comment="All VLANs" list=vlans
add address=10.10.20.0/24 comment="All VLANs" list=vlans
add address=10.10.30.0/24 comment="All VLANs" list=vlans
add address=192.168.0.0/24 comment="All VLANs" list=vlans
add address=192.168.0.2 comment="Josh PC" list=admin_ips
add address=192.168.69.7 comment="Work PC - WG" list=admin_ips
add address=192.168.69.2 comment="Phone - WG" list=admin_ips
add address=10.0.10.10 comment="Josh PC" list=admin_ips
add address=10.0.11.0/24 comment="All VLANs" list=vlans
add address=10.0.11.0/24 comment="Home VLAN" list=Home_List
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "Allow incoming traffic to the wireguard service" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" \
    dst-port=53 in-interface=wireguard1 protocol=udp
add action=accept chain=input comment="Allow DNS from Wireguard Users" \
    dst-port=53 in-interface=wireguard1 protocol=tcp
add action=accept chain=input comment="Allow admin IPs to Access Router" \
    in-interface-list=LAN src-address-list=admin_ips
add action=drop chain=input comment="Drop Everything Else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow Management VLAN access to ALL" \
    connection-state=new in-interface-list=MGMT
add action=accept chain=forward comment="Allow Adguard container WAN Access" \
    out-interface-list=WAN src-address=10.0.53.53
add action=accept chain=forward comment="Allow Home LAN to LAN" \
    connection-state=new out-interface-list=LAN src-address-list=Home_List
add action=accept chain=forward comment="Allow TV access to Jellyfin" \
    dst-address=192.168.0.69 dst-port=8096 protocol=tcp src-address=\
    10.0.30.10
add action=accept chain=forward comment=\
    "Allow casting to Google Nests from Home VLAN" dst-address-list=IOT_List \
    dst-port=8009,8443 protocol=tcp src-address-list=Home_List
add action=accept chain=forward comment="Allow LAN access to Adguard" \
    dst-address=10.0.53.53 dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=forward comment="Allow LAN access to Adguard" \
    dst-address=10.0.53.53 dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Forwarded Ports" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop Everything Else" \
    connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port Forward 80 to HTPC" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 to-ports=80
add action=dst-nat chain=dstnat comment="Port Forward 443 to HTPC" dst-port=\
    443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.10 \
    to-ports=443
add action=dst-nat chain=dstnat comment="Wireguard Unraid" dst-port=51820 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.0.69 to-ports=\
    51820
add action=dst-nat chain=dstnat comment="Wireguard HTPC" dst-port=51822 \
    in-interface-list=WAN protocol=udp to-addresses=192.168.0.10 to-ports=\
    51822
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Australia/Melbourne
/system leds settings
set all-leds-off=after-1min
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

own3r1138 · July 1, 2024, 9:54pm

As you’ve got the Adguard running, why not go the extra step, configure the DoH on the container, and point the MT DNS server to the DoH address?
All the clients should be able to take advantage of Adguard.

stuntard · July 1, 2024, 11:14pm

I tried to setup LetsEncrypt to grab cets in the hope I could use them for Adguard, but I hit a wall with LE needing webfig port 90 open as I have Caddy on my network and Port 80 dstnatted to the server IP. I can’t work out any other way to get a valid certificate for my domain into my Adguard container to use DoH

stuntard · July 1, 2024, 11:41pm

Also am I correct in that

add action=accept chain=forward comment=“Allow Adguard container WAN Access”
out-interface-list=WAN src-address=10.0.53.53

Is needed for the container still so it can actually access the internet. Adguard doesn’t seem to work at all without it, but I have not seen a similar line at all in any Adguard tutorials that I have seen.

own3r1138 · July 2, 2024, 8:25am

Alternatively, You could use a DNS challenge to get your cert. Furthermore, to automate the certificate renewal, you can utilize an API key on any CDN for the DNS TXT record validation.

llamajaja · July 2, 2024, 7:27pm

Observations:

(1) Dont see sfpplus1 identified on /interface bridge vlans…
(2) Simplify your interface list member, the bridge is not needed for starters.
why do you have both LAN and VLAN. Then you duplicate everything on firewall address lists…redundant and usually not required.
Keep address lists for external users/subnets and anytime you have something less than a subnet or users across subnets.

Ensure you have LAN, and only if you need to identify a subset of subnets, for a firewall rule purpose make another list item
Management interface is also another that normally is identified
In this case it should be VLAN10 as a member, and possibly wireguard if you as admin are coming into configure the router!!!
interface list entry of VLAN, serves no purpose thus far that I can see.

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=Management name=MGMT

/interface list members
add comment=defconf interface=ether8 list=WAN
add interface=mgmt_vlan_10 list=LAN
add interface=home_vlan_11 list=LAN
add interface=guest_vlan_20 list=LAN
add interface=iot_vlan_30 list=LAN
add interface=servers_vlan_99 list=LAN
add comment=Wireguard interface=wireguard1 list=LAN
add comment=“Management VLAN” interface=mgmt_vlan_10 list=MGMT
add comment=“Servers VLAN” interface=servers_vlan_99 list=MGMT
add comment=“Management WG” interface=wireguard1 list=MGMT

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

This looks reasonable…
/ip firewall address-list
add address=192.168.0.10 comment=“HTPC PC” list=admin_ips
add address=192.168.0.2 comment=“Josh PC” list=admin_ips
add address=10.0.10.10 comment=“Josh PC” list=admin_ips
add address=192.168.69.7 comment=“Work PC - WG” list=admin_ips
add address=192.168.69.2 comment=“Phone - WG” list=admin_ips

Get rid of this default setting
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(4) if not using ipv6 disable it and remove all associated rules, lists etc..

(5) firewall rules: This is where ADGUARD usage could be the problem
Remember the adguard or pi server etc first needs to use local DNS to establish the location of encrypted dns services.

Redundant rule not required. Remember we add a rule allowing Home Subnet to the entire LAN so this rule is not required as the traffic is already allowed!!
add action=accept chain=forward comment=
“Allow casting to Google Nests from Home VLAN” dst-address-list=IOT_List
dst-port=8009,8443 protocol=tcp src-address-list=Home_List

Redundant default rule removed…
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN

/ip firewall filter
add action=accept chain=input c" connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment=“WG handshake” dst-port=13231 protocol=udp
add action=accept chain=input comment=“Admin Access” in-interface-list=MGMT src-address-list=admin-ips
add action=accept chain=input comment=“adguard access to router services” dst-port=53 protocol=udp src-address=10.0.53.53
add action=accept chain=input comment=“adguard access to router services” dst-port=53 protocol=tcp src-address=10.0.53.53
add action=drop chain=input comment=“Drop Everything Else”
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet access” in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=“Allow users to Adguard” in-interface-list=LAN
dst-address=10.0.53.53 dst-port=53 protocol=udp
add action=accept chain=forward comment=“Allow users to Adguard” in-interface-list=LAN
dst-address=10.0.53.53 dst-port=53 protocol=tcp
add action=accept chain=forward comment="Admin access’ in-interface-list=MGMT src-address-list=admin_ips out-interface-list=LAN
add action=accept chain=forward comment=“Allow Home LAN to LAN” src-address=10.0.11.0/24 out-interface-list=LAN
add action=accept chain=forward comment=“Allow TV access to Jellyfin” dst-address=192.168.0.69
dst-port=8096 protocol=tcp src-address=10.0.30.10
add action=accept chain=forward comment=“port forwrding” connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop Everything Else”

(6) In terms of NAT rules, the port forwarding ones look fine, assuming its really for external users.
I do not quite understand the purpose of the UNRAID rules, can you explain?
add action=dst-nat chain=dstnat comment=“Wireguard Unraid” dst-port=51820
in-interface-list=WAN protocol=udp to-addresses=192.168.0.69 to-ports=
51820
add action=dst-nat chain=dstnat comment=“Wireguard HTPC” dst-port=51822
in-interface-list=WAN protocol=udp to-addresses=192.168.0.10 to-ports=
51822

(7) Missing NAT rules, is forcing users to your adguard server.
/ip firewall address-list
add address=10.0.53.53 list=Excluded
add address=A.B.C.D list=Excluded comment=“user that is excluded” { if applicable }
add address=subnetX list=Excluded comment=“subnet that is excluded” { if applicable }

add chain=dstnat action=dstnat in-interface-list=LAN dst-port=53 protocol=udp to address=10.0.53.53 src-address-list=!Excluded
add chain=dstnat action=dstnat in-interface-list=LAN dst-port=53 protocol=tcp to address=10.0.53.53 src-address-list=!Excluded
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

I dont think adguard needs internet access so try the above changes and if that doesnt solve then add
add action=accept chain=forward src-address=10.0.53.53 out-interface-list=WAN but only as a last resort, do not think its required.,.. will keep thinking on this one.

stuntard · July 2, 2024, 11:28pm

Thanks I will make those changes and see how it goes. The Unraid NAT rules are there as I have Wireguard running on my server as a backup that was working before I got my Rb5009.

stuntard · July 3, 2024, 2:14am

Seems to be working OK, but I had to add

/ip firewall filter
add action=accept chain=forward comment="Allow MGMT to Adguard" in-interface-list=MGMT dst-address=10.0.53.53 dst-port=80 protocol=tcp

otherwise I couldn’t access the WebUI for Adguard. I would have thought having the Adguard VETH interface as part of the LAN interface list which MGMT has full access to would have worked but it didn’t.

anav · July 3, 2024, 7:29pm

Well in my setup you will not the VETH was not part of the LAN interface, if you copied my setup verbatim then that is why you would need the rule.
However if you kept the VETH as part of LAN interface in /interface list members, then it is indeed a bit weird unless MT doesnt consider the VETH a legitimate interface for firewall rules…