Netgate Discussion Forum
    pfSense AdGuardHome With ( DOQ ) !

Category: DHCP and DNS
19 Posts 7 Posters 11.9k Views

darrenavid @ubernupe

@ubernupe This didn't work for me, I'm afraid. I did everything except for the encryption step as I don't want my pfSense box exposed to the internet (I only access it via LAN or SSH port forwarding). That said, once I made the changes to DNS Resolver and the DNS servers under System > General, I couldn't get any DNS requests to resolve. I even tried directly from pfSense Diagnostics and I see "no response" from 127.0.0.1 and ::1. I've ensured that I added the extra commands in DNS Resolver and AdGuardHome is configured to listen on port 5353. What else might I be missing? Is step 8 required or optional?

StyleNZ

Sorry to be that guy, but I just had a look at this guide and it's definitely not the best way to set up AdGuardHome on pfSense.

Unbound should not be forwarding to Adguard, as that really screws with the individual host reporting and the ability to create unique host rules within Adguard, because everything comes from localhost.

I would suggest others take a look at this guide instead as a means of setup.

        https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/

StyleNZ @betapc

          @betapc check out my comment above. It addresses that issue.

pfpv @StyleNZ

@stylenz said in pfSense AdGuardHome With ( DOQ ) !:

    I would suggest others take a look at this guide instead as a means of setup.

    https://broadbandforum.co/threads/installing-adguard-home-on-pfsense.205884/

            But that is the exact same link posted in the original post, in the second paragraph.

pfpv

I couldn't understand why unbound is involved in this at all. It's not meant for this. Those DoQ servers can be set up in AdGuardHome directly.

StyleNZ @pfpv

@pfpv interesting. Well, what he linked should be the better way.

Also, regarding unbound, the advantage of shifting unbound to another port is that you can still use it if you prefer, and if you don't need it and prefer DoQ or DoH, just point to the desired servers within Adguard instead.

Using root servers instead of forwarding to the likes of Google or Cloudflare, and/or using QoS or firewall rules (e.g. I forward to Cloudflare over DoT and have port 853 higher in my QoS priority), are just a few reasons why you might still want to incorporate Unbound.

pfpv @StyleNZ

@stylenz
But the link that you and the OP posted doesn't involve unbound at all. However, the OP sets unbound to forward to AdGuardHome with

```
forward-zone:
 name: "."
```

With this config you can't use unbound for what it was intended for: being a recursive DNS resolver. It will just forward to AdGuardHome and do nothing else. There is a DNS Forwarder for this.

StyleNZ @pfpv

@pfpv - think outside of a guide. In the guide I referenced (which is better suited to most people's needs), Unbound is configured to listen on 6666 instead of 53. All you would need to do is configure Adguard to use 127.0.0.1:6666 as its DNS server to forward to.

pfpv @StyleNZ
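The layout StyleNZ describes above (AdGuardHome on the normal DNS port, Unbound moved to 6666 as its upstream) and darrenavid's "no response" symptom earlier in the thread both come down to the same question: which listener, if any, actually answers on which port. The following is an added example, not code from the thread or from the AdGuardHome or pfSense projects; it is a minimal stdlib-only DNS/UDP probe you can run on the pfSense box (`python3 probe_dns.py`) to check each hop of the chain independently. The listener list at the bottom (127.0.0.1:53 for AdGuardHome, 127.0.0.1:6666 for Unbound, `example.com` as the test name) is an assumption about the setup, so adjust it to yours.

```python
"""Probe which local resolver answers on which port (added example, not from the thread).

Sends a plain DNS A query over UDP to each (host, port) pair and reports the
response code and any A/AAAA answers, or "no response" on timeout. Only the
standard library is used so it runs on a stock pfSense python3.
"""
import random
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Build a recursion-desired DNS query for `name` (RFC 1035 wire format)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_response(msg: bytes, expected_txid: int) -> Tuple[int, List[str]]:
    """Return (rcode, [A/AAAA addresses]) from a DNS response; reject a wrong txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode, off = flags & 0x0F, 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers: List[str] = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return rcode, answers


def probe(host: str, port: int, name: str = "example.com",
          timeout: float = 2.0) -> Optional[Tuple[int, List[str]]]:
    """Query host:port over UDP; return (rcode, answers) or None on no response."""
    txid = random.randrange(0, 0x10000)
    fam = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


if __name__ == "__main__":
    # Assumed layout from the thread: AdGuardHome on 53, Unbound moved to 6666.
    for label, host, port in [("AdGuardHome", "127.0.0.1", 53),
                              ("Unbound", "127.0.0.1", 6666)]:
        result = probe(host, port)
        if result is None:
            print(f"{label} {host}:{port}: no response (nothing listening, or blocked)")
        else:
            rcode, answers = result
            print(f"{label} {host}:{port}: rcode={rcode} answers={answers}")
```

If Unbound on 6666 answers but AdGuardHome on 53 times out, the problem is AdGuardHome's listener (or a firewall rule), not the upstream; if both time out, start with `sockstat -l` to confirm which daemon holds which port. A non-zero rcode with no answers from one hop but not the other points at that hop's upstream configuration.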

                      @stylenz
In that guide it is set to that port simply to move it out of AdGuard's way. I don't know why it isn't just disabled instead. I see what you mean, but this thread is about DoQ, which can't be used with unbound.

StyleNZ @pfpv

@pfpv - Well, yes, it is intended to move it out of the way, and I agree with you there. I also agree that if you ultimately don't require unbound, because you are forwarding elsewhere via Adguard (whether it be DoQ or DoH or whatever), it makes sense to disable it.

I was just highlighting how the OP's way is not ideal in any way, as it breaks so much of the functionality within Adguard to forward from pfSense > Adguard instead of going from Adguard > pfSense (Unbound aside).

betapc @StyleNZ

@stylenz I have one question. I tried to get the "green padlock" so that I don't get the "this connection is not secure" warning. I have encryption working for DNS over HTTPS. The pfSense web interface has the "green padlock"; Adguard Home does not. I am using the stable version of Adguard Home, not the Beta, not Edge.

                          Thanks

StyleNZ @betapc

@betapc - I imagine you have a cert issued to your pfsense (host.domain.tld), then, for that to be green-padlocked.

In my setup I use a wildcard cert for everything and reverse proxy to all hosts using the same wildcard cert (pfsense uses the same cert too).

So under my HAProxy setup I have a separate backend for Adguard that points to my pfsense on the port you set for AdguardHome; in my case the front-end for AdguardHome matches on adguard.domain.tld instead.

The other method, which in my view is a bit more effort to set up, is in the Adguard settings itself: find the cert that pfsense is using and configure Adguard to use that too (I ran into issues with the cert being in an incompatible format). The downside is that you won't have a unique FQDN solely for Adguard, unlike with the HAProxy method.

                            Hope that makes sense for ya.

betapc @StyleNZ

@stylenz thanks for the reply.

The cert that I am using on pfSense works without issues with Adguard Home. For my case it will be easy to use the same cert and do the setup on Adguard Home. The problem is that I can't find the custom setting in the AdGuardHome.yaml file to put my.domain.tld in.

I don't have any issues accessing the pfSense web interface with https://my.domain.tld:port#.

So what do I need to modify in the AdGuardHome.yaml file to access the Adguard Home web interface with https://my.domain.tld, and do I need to change any settings on the firewall?

                              Thanks

StyleNZ @betapc

@betapc - all details for that are done via the web GUI for Adguard, more or less. Settings > Encryption > Enable Encryption.

    • change the default 443 port to something else, as this will conflict with pfsense
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.