anav
Forum Guru
Topic Author
Posts: 19360
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Confirming HOSTED Adguard Setup- not working??

Fri Mar 03, 2023 8:38 pm

Currently on an article I have the following steps to ensure an adguard system will work but something is not quite right. :-( :-(

1. IP DNS normal setup, allow external DNS etc., stays in place, pointing to, let's say, 1.1.1.1. This allows the router to look for updates directly, and we need a path for adguard itself.

2. Then in forward chain rules, all the subnets/vlans (A-C) need a firewall rule allowing access to adguard on subnet/vlan D.

3. We take all the DHCP server network settings and apply DNS-server of the adguard dns-server=IP_adguard. Except for subnet/vlan D, which hosts the adguard and this would remain at the standard DNS-Server setting of the gateway of subnet/vlan D.
We are trying to ensure the adguard doesn't point at itself and become a fruit loop. ;-)

4. We make firewall address for our destination nat rules. We call it "excluded", and it includes the IP address of the adguard itself.
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=tcp to-addresses=IP_Adguard
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded dst-port=53 protocol=udp to-addresses=IP_Adguard


Again, we exclude the adguard from being forced to itself for DNS, vice being able to exit the router for DNS...
Also since we couldn't address users within the same subnet/vlan D, as adguard via the dhcp server network settings, the destination nat rule captures them quite nicely.

5. For those users within the same subnet we need the standard hairpin approach.
add chain=srcnat action=masquerade dst-address=subnet D src-address=subnet D

6. No special routes are required.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

However the above is not working.
Q1. Does the srcnat hairpin rule need to be refined, such as:
add chain=srcnat action=masquerade dst-address=adguard_IP src-address=subnet D

New information: the adguard is actually hosted on a PC (in a container); the PC has a different IP address = IP_PC within Subnet D.

Q2. Do I have to account for this difference, or for IP_PC, anywhere in the config? The interplay here is very confusing. I thought it would be transparent.
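For reference, here is the six-step setup from the post above written out as one RouterOS script. This is an added example, not the poster's own config: the subnets, the AdGuard IP, the PC IP and the interface-list name are placeholders I assumed, and the comments mark where the container's IP versus the host PC's IP matters.

```routeros
# Assumed placeholders: VLANs A-C = 192.168.10/20/30.0/24, VLAN D = 192.168.40.0/24
# (gateway 192.168.40.1), AdGuard container = 192.168.40.53, PC hosting it = 192.168.40.10,
# interface list "LAN" contains all four VLAN interfaces.

# Step 1: router itself keeps a direct upstream resolver (AdGuard's own path out).
/ip dns
set servers=1.1.1.1 allow-remote-requests=yes

# Step 4 (address list): hosts that must NOT be redirected to AdGuard.
# If the container's port 53 is published through the PC's address rather than its own,
# the router only ever sees 192.168.40.10 as the source, so list that IP too (assumption).
/ip firewall address-list
add list=excluded address=192.168.40.53 comment="AdGuard container"
add list=excluded address=192.168.40.10 comment="PC hosting the container"

# Step 3: clients on A-C get AdGuard via DHCP; VLAN D keeps its gateway as DNS.
/ip dhcp-server network
set [find address="192.168.10.0/24"] dns-server=192.168.40.53
set [find address="192.168.20.0/24"] dns-server=192.168.40.53
set [find address="192.168.30.0/24"] dns-server=192.168.40.53
set [find address="192.168.40.0/24"] dns-server=192.168.40.1

# Step 2: forward-chain accepts for DNS to AdGuard; move these above the final forward drop.
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.40.53 \
    protocol=udp dst-port=53 comment="LAN -> AdGuard DNS (udp)"
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.40.53 \
    protocol=tcp dst-port=53 comment="LAN -> AdGuard DNS (tcp)"

# Step 4 (dst-nat): everything else on LAN asking any resolver on port 53 is sent to AdGuard.
/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded \
    protocol=udp dst-port=53 to-addresses=192.168.40.53 comment="force DNS to AdGuard (udp)"
add chain=dstnat action=dst-nat in-interface-list=LAN src-address-list=!excluded \
    protocol=tcp dst-port=53 to-addresses=192.168.40.53 comment="force DNS to AdGuard (tcp)"

# Step 5: hairpin for VLAN D clients redirected to a server in their own subnet, so the
# reply returns through the router instead of going straight back to the client.
add chain=srcnat action=masquerade src-address=192.168.40.0/24 \
    dst-address=192.168.40.53 comment="hairpin VLAN D -> AdGuard"

# Step 6: no routes needed. Check that the rules are actually matching while a client resolves:
/ip firewall nat print stats where comment~"AdGuard"
/ip firewall filter print stats where comment~"AdGuard"
```

If the dst-nat counters stay at zero while clients query, the traffic is either arriving on an interface not in LAN or is being handled by a rule earlier in the chain, which is the kind of ordering problem the poster's own resolution points at.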
anav

Re: Confirming HOSTED Adguard Setup- not working??  [SOLVED]

Sat Mar 04, 2023 7:29 pm

SOLVED: the config I was looking at had an internally set adguard rule that was blocking traffic. Once removed, the config worked as indicated.
