Ad Guard with pfSense

Cylosoft

@zululander Set your DHCP server settings in pfSense to have the clients use the Adguard DNS server IP. Only Adguard, not Adguard and pfSense IP.

Then set the DNS server for pfSense to do it's own lookups or forward to Quad9 or whatever your preferred service is. That's what pfSense will use for itself and you don't want that Adguard filtered.

In the Adguard DNS settings I'd configure it to have your local domain requests be forwarded to pfSense since pfSense will know about DHCP entries and Adguard won't. I also have Aduard forward local reverse lookups to pfSense. And have Adguard use DNS over HTTPS.

You'd need to adjust this for your LAN IP, pfSense IP and DNS provider. Something like this replace home.local with your local domain and 192.168.1.1 with your pfSense DNS IP. I usually set Adguard to parallel request and do something like this. The first 3 lines handle sending local info that pfSense would have to pfSense. The last 2 get you the fastest lookup from 2 different services.

[/home.local/]192.168.1.1
[/in-addr.arpa/]192.168.1.1
[//]192.168.1.1
https://security.cloudflare-dns.com/dns-query
https://dns.quad9.net/dns-query

Zululander

@steveits, @Gblenn & @Cylosoft Thanks for that. I think I am nearly there.

My router IP is 192.168.1.1 and it has the following DNS servers:

• 9.9.9.10
• 149.112.112.10

pFsense has IP 192.168.1.5 and Adguard 192.168.10.15

AD Guard settings:
Upstream servers

• [/home.local/]192.168.1.5
• [/in-addr.arpa/]192.168.1.5
• [//]192.168.1.5
• https://security.cloudflare-dns.com/dns-query
• https://dns.quad9.net/dns-query

Parallel requests

("And have Adguard use DNS over HTTPS", I will set this up later once I have sorted out everything else)

pFsense settings

Adgaurd is now reporting more stats and blocking some adult sites, but not all i.e. it blocks www.peachesandcream.co.nz but not https://www.porn.com/

Also it still only lists one client i.e. 192.168.0.0

Also I had a host override (see below) which I can no longer browse to i.e. now need use the IP.

I am obviously still not understanding something :)

Patch

@zululander said in Ad Guard with pfSense:

My router IP is 192.168.1.1 and it has the following DNS servers:

9.9.9.10
149.112.112.10

pFsense has IP 192.168.1.5 and Adguard 192.168.10.15

You are making life harder than it needs to be.
Clients on your network need to only see only he one DNS, which does your DNS filtering (Adguard). If your clients use any other DNS your filtering will not work reliably. Currently they can used

• Adguard 192.168.10.15
• pfsense 192.168.1.5
• your router 192.168.1.1
• internet DNS

Imo I suggest

• Put your ISP router in bridge mode and use pfsense as a router.
• Connect all Lan & wifi defices to pfsense (not the ISP router)
• in pfsense block DNS accesses except from Adguard 192.168.10.15
• in pfsense DHCP set clients to used Adguard 192.168.10.15 for DNS
• in pfsense leave DNS resolver with the default configure so it access appropriate internet sources

Zululander

This post is deleted!

Zululander

@patch Thanks for this.

• pFsense is using 192.168.10.15 (adguard) for DNS
• pfsense DHCP setis clients to Adguard for DNS
• I am forcing all DNS requests to go via Adguard using: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
• I have left the DNS reolver with the default option.

Relavent sites are now blocked although I am still only seeing one client (192.168.0.0) listed on the ADGuard dashboard.

I am not to sure about setting up pFsense as the router. My ASUS-AC58U allows me to change operation mode from Router to AP mode. I am guessing I start with that.

Currently my router is set to WAN connection type: Automatic IP. Looking at pFsense I have the following options

Looking at these options I cannot see where to set the following options required by my ISP:

• WAN Connection Type: DHCP (Automatic IP/Dynamic IP/IP over Ethernet)
• list item802.1Q: Enabled
• list itemVLAN ID (802.1Q): 10
• list item802.1P (Priority): 0
• IP Version: IPv4 or IPv6
• MTU Size: 1492 or 1500 (I can find this one)
• NAT: Enabled

Patch

@zululander said in Ad Guard with pfSense:

I am not to sure about setting up pFsense as the router. My ASUS-AC58U

If you have a ADSL/VDSL wan connection you will need a modem to connect to your ISP.

If you put your all in one router in bridge mode it will become just a modem and can be used for that purpose. (note you also loose access to most other function in your all in one router such as wifi). Your ISP wan parameters are then entered into pfsense Wan settings.

If you put an all in one router in AP mode you can connect it to the LAN side of pfsense and wifi connected devices can be managed by pfsense like all other Lan devices. Note putting your all in one router in AP mode means it no longer needs nor has a wan interface settings

Note the simplified configuration I'm recomending requires your modem is a different hardware device to your wifi AP

Zululander

@patch I have fibre that comes to the ONT and then goes to the ASUS router. Can I plug the ONT directly into the pFsense WAN? If so, then I am battling to find where to put the settings the ISP gave to me.

If not, what modem (make/model) do you recommend for a home lab?

Patch

@zululander said in Ad Guard with pfSense:

I have fibre that comes to the ONT and then goes to the ASUS router. Can I plug the ONT directly into the pFsense WAN?

Yes
How to do so will depend on:

• How many NIC does your computer running pfsense have? At least 2 makes things easiest.
• If only 1 do you will need to use Vlan and pfsense on a stick configuration. Do have a programmable switch (at least level 2)?

When you have at least 2 interfaces to pfsense, one will be Wan the other Lan. The ISP setting are entered via
Pfsense -> Interfaces -> Wan -> (See the Manual)

Your ASUS router can then be put in AP mode, connected to the pfsense Lan and used for wifi access.

SteveITS

@zululander re: using a VLAN for WAN, I see posts here every few months. I’d search for your ISP and/or VLAN on WAN.

Zululander

@patch I have 3 nics i.e. WAN, LAN & OPT1.

I can only see MTU on the WAN interface and not the rest of

• WAN Connection Type: DHCP (Automatic IP/Dynamic IP/IP over Ethernet)
• list item802.1Q: Enabled
• list itemVLAN ID (802.1Q): 10
• list item802.1P (Priority): 0
• IP Version: IPv4 or IPv6
• NAT: Enabled

Can't see the above in the documents

Sorry for being a little slow with all of this.

Yes I do have a level 2 switch. VLAN 1 is for 192.168.1.0 (WAN)and VLAN10 for 192.168.10.0 (LAN). Lics are patched accordingly.

SteveITS

@zululander you’ll have to create it as a new interface
https://docs.netgate.com/pfsense/en/latest/vlan/configuration.html#web-interface-vlan-configuration

Then use that instead of WAN. I haven’t done that myself…see if you can find a thread for your ISP. Might be better to start another thread too, so people find it by title.