ASUS RT-AX58U Settings for AdGuard Home (via Raspberry Pi 4)


SpicyLimes

Occasional Visitor
Greetings,

After about a month of experimentation and research on building a Raspberry Pi Router that tunnels all traffic through a VPN Client (using Surfshark) and Ad Blocker (using AdGuard Home or Pi-Hole), I decided to pull the trigger on the ASUS RT-AX58U Router due to its reliability. This is also due to the fact that it has the ability to set up a VPN Client straight through the web GUI of the Merlin Firmware, and has Ad Blocking options through Diversion and SkyNet (not to mention other third party firmware that allows me to set up AdGuard Home directly on the router).

Well, after some additional experimentation with using AMTM, Entware, Diversion, and SkyNet, I came across multiple pain points:

  • Any USB Drive inserted into the router itself (even using a powered USB Hub as a proxy which helped reduce the problem, but didn’t fix it) causes issues with my 2.4GHz Wi-Fi Band (which, after some research, I found it has to do with USB devices being properly shielded - but I did try multiple brands, brand new and previously used, with the same results).
  • With recent power outages and 'flickers', I noticed that I have to re-setup Diversion and SkyNet every time this happened (along with having to reboot my gateway and every network switch in my apartment for some reason), which is something I do not care to troubleshoot since I really didn’t like Diversion or SkyNet.
  • Because of having to use a USB Drive to benefit from these third-party software/firmware packages, the memory use was almost always maxed out on the router (though, to be fair, I did use the SWAP feature within AMTM to help with the load). And before anyone asks “how was the drive formatted”, I tried all types of partition formats including NTFS, FAT32, and EXT4 - of which EXT4 worked the best in keeping the memory usage lower than the other formats.

I then decided to give the Jack-Think-ASUS-Bootloader firmware a try since it has AdGuard Home as an installable add-on without much backend work (still some because of a wget-noSSL command within one of the installation scripts, which I fixed). This solution worked really well and it uses a “monit” web GUI interface that I liked a lot. The only issues with this solution were, again, the load on the router’s memory and also the fact that upgrading requires a full re-install of the script. I didn’t seem to have as many issues with the 2.4GHz Wi-Fi band using this script, but I believe that was due to me rigging up (through trial and error) my powered USB 3.0 hub in a specific way.

So, I made the executive decision to simply let one of my Raspberry Pi’s do the heavy lifting instead of the router. With that said, I will be using a Home-Assistant AdGuard Home Add-On on my ‘Smart Home Pi’ and I would like input from the community as to the exact settings that I will need to modify and/or change and/or set up to fully benefit from AdGuard Home’s features. Edit: During my research, I did find this Reddit Post on how to force all traffic through Pi-Hole on an ASUS Router using Merlin firmware, but I wasn't sure if those settings would also apply to AdGuard Home.

While I am not new to Raspberry Pi’s, Linux, IoT, etc., I am new(ish) to networking. I had previously experimented with Pi-Hole and AdGuard Home on a dedicated Raspberry Pi in the past (using an older Apple AirPort Extreme Router with success), so I am aware of their settings and general features. However, with the ASUS AX58U being way more customizable than my AirPort Extreme, I wanted some feedback from those that are using a setup like this or are knowledgeable on the subject of what settings need to be used within the router’s web GUI.

Below you will find my current setup and goals to assist anyone in providing me with the needed setting changes and whatnot:

  • Hardware: ASUS RT-AX58U with Merlin 386.1_2 Firmware
  • Current VPN Setup: VPN Tunnel to force all Traffic through my VPN Client (Surfshark via OpenVPN)
  • Goals: Use AdGuard Home as a Home-Assistant Add-On on a Raspberry Pi 4 which will then be used via the router to force all traffic through the Ad Blocking function of AdGuard Home

Any assistance is greatly appreciated!
 
Last edited:

AdrianH

Occasional Visitor
AdGuard Home is a DNS server with domain filters, you don't push all the traffic through it.

The two choices you have are

1) Set the router DNS server to your AGH server. Each client in your network queries the router which in turn queries the AGH server.

2) Set the DHCP DNS server on the router to your AGH server, while router DNS goes to public DNS. Each client in your network queries the AGH DNS server directly.

I personally opted for option 2 as then I can see each client's DNS request. If you opt for option 1, it's always the router performing the DNS query.

As a side note, you need to give the router a domain name, mine is called "local" . Then you set a rule into AGH to forward all queries from clients with .local afterwards to specified IP, namely your router IP as it gave out DHCP and knows each client name. This is so that AGH knows not to send the request for one of your network clients upstream to a public DNS server.

 

Vexira

Part of the Furniture
You can do it slightly differently to see the client names without using .LAN or local

Put this into DNS servers but replace the IP with yours.
[/168.192.in-addr.arpa/]192.168.50.1
 
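The two previous replies describe the same thing in AdGuard Home's upstream syntax: a `[/domain/]server` entry sends only lookups under that domain to the named server, so names ending in the router's local domain, and reverse (PTR) lookups for LAN addresses, go to the router's own dnsmasq instead of leaking to a public resolver. This added Python helper (not code from either poster or from the AdGuard Home project) derives the `in-addr.arpa` zone from a LAN prefix and prints both rules. The router address 192.168.50.1, the 192.168.0.0/16 LAN and the domain "local" are assumed values taken from the thread.

```python
"""Constructed example: build the AdGuard Home 'Upstream DNS servers' entries
that keep LAN-only lookups on the router instead of a public resolver."""
import ipaddress


def reverse_zone(network):
    """in-addr.arpa zone that covers an IPv4 network with a /8, /16 or /24 mask.

    Only octet-aligned prefixes map onto a single in-addr.arpa zone, which is
    what AdGuard Home's [/zone/] syntax needs; anything else is rejected.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 or /24 networks map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def upstream_rules(router_ip, network, local_domain=None):
    """Return the AdGuard Home upstream lines, one per rule.

    - the reverse zone rule resolves client IPs back to DHCP hostnames
      (this is what makes the query log show names instead of addresses);
    - the optional local-domain rule resolves name.<domain> via the router.
    """
    rules = [f"[/{reverse_zone(network)}/]{router_ip}"]
    if local_domain:
        rules.append(f"[/{local_domain.strip('.')}/]{router_ip}")
    return rules


if __name__ == "__main__":
    # Assumed values from the thread: router 192.168.50.1, LAN 192.168.0.0/16,
    # router domain "local".
    for line in upstream_rules("192.168.50.1", "192.168.0.0/16", "local"):
        print(line)
```

The two printed lines are pasted as separate entries into AdGuard Home under Settings, DNS settings, Upstream DNS servers, alongside the public upstream you already use. Use the exact prefix your DHCP pool lives in: a /24 pool such as 192.168.50.0/24 produces the narrower `50.168.192.in-addr.arpa` zone, so nothing outside your LAN is ever forwarded to the router.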

SpicyLimes

Occasional Visitor
AdGuard Home is a DNS server with domain filters, you don't push all the traffic through it.

I understand and know what AdGuard Home is - as I mentioned in my original post, I have used it as well as Pi-Hole in the past for many months. Maybe you misunderstood what I was saying - I know that, at the most basic level, I will replace the DNS Servers within my ASUS Router with my Raspberry Pi's IP Address. When I say "tunnel" all traffic through it, this is what I was referring to (i.e., instead of having to manually add the Pi's IP Address to each Client's DNS Server that is connected to the router). My question more pertained to, "what else should I be enabling, disabling, inputting, etc. within the router's web GUI" to successfully use AdGuard Home, and not have any DNS Leaks.

The main reason why I am asking this question is because of the fact that I came across that Reddit post where they were going above the usual "just add the IP address of the Pi to the DNS Servers within your router" modification and were making additional modifications as well. With that said, I wanted to see what others have done specifically with AdGuard Home AND an ASUS Router running the Merlin Firmware.

The two choices you have are

1) Set the router DNS server to your AGH server. Each client in your network queries the router which in turn queries the AGH server.

Yes, I mentioned this above, but again, is there anything else that folks are modifying specifically for this router other than simply adding the Pi's IP Address to the DNS Servers within the web GUI.

2) Set the DHCP DNS server on the router to your AGH server, while router DNS goes to public DNS. Each client in your network queries the AGH DNS server directly.

This is not what I would like to do. While I know what this is and how to implement it, I will be keeping the router's DHCP functionality. Prior to the ASUS Router I currently use (as well as prior to using my AirPort Extreme), I was using my ISP's Arris Fiber Gateway/Router in which I set it up where a Raspberry Pi running Pi-Hole was acting as my main DHCP Server, but again I did not like that setup so I switched over to the AirPort Extreme to handle the DHCP (and then inevitably the ASUS AX58U). There was more to that story, but I am too tired to get into it and it's not all that relevant to my current question.

I personally opted for option 2 as then I can see each client's DNS request. If you opt for option 1, it's always the router performing the DNS query.

Option 1 will be my solution, but as mentioned, are there any other settings that others in the ASUS-WRT Merlin community change on different sections (other than the standard DNS Servers) of the web GUI.

As a side note, you need to give the router a domain name, mine is called "local" . Then you set a rule into AGH to forward all queries from clients with .local afterwards to specified IP, namely your router IP as it gave out DHCP and knows each client name. This is so that AGH knows not to send the request for one of your network clients upstream to a public DNS server.

This is not something that I have ever seen someone do, but it is interesting none-the-less. While I do not believe it necessary for my specific setup, it is always good to know.
 
Last edited:

SpicyLimes

Occasional Visitor
You can do it slightly differently to see the client names without using .LAN or local

Put this into DNS servers but replace the IP with yours.
[/168.192.in-addr.arpa/]192.168.50.1

Thanks for providing this information, however I do not really mind not being able to see the breakdown for each Client - although, other than when I was using AdGuard Home via the Jack-Think-Bootloader Script, I was always able to see the breakdown per Client. Again, thank you both for this information as it is always something to throw in the ole' tool belt for future use should I require it.

So, are there any other settings within the router's web GUI that you all change other than simply adding the Pi's IP Address to the router's DNS Server? Such as "DNS-Based Filtering" or "DDNS" or "DoT" or "Forward local domain queries to upstream DNS", or disabling the "Smart Connect" feature, etc... As I mentioned above within the Reddit Tutorial, they are changing a bunch of settings.

Hopefully that makes more sense.
 
Last edited:

AdrianH

Occasional Visitor
I understand and know what AdGuard Home is - as I mentioned in my original post, I have used it as well as Pi-Hole in the past for many months. Maybe you misunderstood what I was saying - I know that, at the most basic level, I will replace the DNS Servers within my ASUS Router with my Raspberry Pi's IP Address. When I say "tunnel" all traffic through it, this is what I was referring to (i.e., instead of having to manually add the Pi's IP Address to each Client's DNS Server that is connected to the router). My question more pertained to, "what else should I be enabling, disabling, inputting, etc. within the router's web GUI" to successfully use AdGuard Home, and not have any DNS Leaks.

You shouldn't need to do this at all when using Asus router as DHCP.

(Options ) If the router is set to use your AGH in the WAN settings, all the DHCP leases will get the router's IP as the DNS server, and the router forwards any and all DNS requests to AGH.
(Options ) If the DHCP DNS on the router is set to your AGH IP, all the DHCP leases will get the AGH's IP as the DNS server. (see my setup below)

I think your biggest issue with regards to DNS leaks is devices like Google speakers and Rokus that try to request from 8.8.8.8 directly. To circumvent this, I had to block them using static routes.

This is not what I would like to do. While I know what this is and how to implement it, I will be keeping the router's DHCP functionality. Prior to the ASUS Router I current use (as well as prior to using my AirPort Extreme), I was using my ISP's Arris Fiber Gateway/Router in which I set it up where a Raspberry Pi running Pi-Hole was acting as my main DHCP Server, but again I did not like that setup so I switched over to the AirPort Extreme to handle the DHCP (and then inevitably the ASUS AX58U). There was more to that story, but I am too tired to get into it and it's not all that relevant to my current question.

Not sure if I explained it properly. I still use DHCP on the Asus, but I explicitly give the DHCP DNS on the Asus the AGH IP address. Then as part of the DHCP address lease, the AGH IP is the first DNS server with the Asus second. But yeah, this is only because I want to see the clients on the AGH query log.

Asus = 192.189.10.1
AGH = 192.168.10.14

WAN (screenshot attachment)

DHCP (screenshot attachment)

IPCONFIG (screenshot attachment)
 
Last edited:

Vexira

Part of the Furniture
I do DoT or DoH via AdGuard.
Thanks for providing this information, however I do not really mind not being able to see the breakdown for each Client - although, other than when I was using AdGuard Home via the Jack-Think-Bootloader Script, I was always able to see the breakdown per Client. Again, thank you both for this information as it is always something to throw in the ole' tool belt for future use should I require it.

So, are there any other settings within the router's web GUI that you all change other than simply adding the Pi's IP Address to the router's DNS Server? Such as "DNS-Based Filtering" or "DDNS" or "DoT" or "Forward local domain queries to upstream DNS", or disabling the "Smart Connect" feature, etc... As I mentioned above within the Reddit Tutorial, they are changing a bunch of settings.

Hopefully that makes more sense.
 

SpicyLimes

Occasional Visitor
You shouldn't need to do this at all when using Asus router as DHCP.

(Options ) If the router is set to use your AGH in the WAN settings, all the DHCP leases will get the router's IP as the DNS server, and the router forwards any and all DNS requests to AGH.
(Options ) If the DHCP DNS on the router is set to your AGH IP, all the DHCP leases will get the AGH's IP as the DNS server. (see my setup below)

I think your biggest issue with regards to DNS leaks is devices like Google speakers and Rokus that try to request from 8.8.8.8 directly. To circumvent this, I had to block them using static routes.

Not sure if I explained it properly. I still use DHCP on the Asus, but I explicitly give the DHCP DNS on the Asus the AGH IP address. Then as part of the DHCP address lease, the AGH IP is the first DNS server with the Asus second. But yeah, this is only because I want to see the clients on the AGH query log.

Asus = 192.189.10.1
AGH = 192.168.10.14

WAN, DHCP and IPCONFIG (screenshot attachments)

Ahhhh, I understand now what you were saying. My apologies - this specific setup is what I was planning on doing (which is also what that Reddit Post was suggesting as well), specifically setting the WAN DNS to Cloudflare and setting the LAN DNS to the Pi's IP Address - at least I believe that's how your setup is configured...?

As you mentioned with the DNS Leaks, it mainly happens on the WAN side, so since the router itself isn't actually resolving any external DNS itself, it will simply use the 9.9.9.9 to let the router check for updates and things like that, while the LAN DNS being set to the Pi as the main traffic resolver will handle the web traffic (or something like that)...correct?
 

SpicyLimes

Occasional Visitor
I'm sure there are multiple methods, but these work absolutely and no device can escape by using its internal DNS entries.
Pay particular attention to the way the GUI DNS entries are actually processed. They are not done #1 then #2 if #1 fails.

https://www.snbforums.com/threads/merlin-dnsmasq-pi-hole-accurate-device-names-how-to.69096/
This is what I was looking for, and interestingly enough, that thread is almost stating exactly what that Reddit Post was stating as well. If you haven't read through the post yet, I suggest it since it has a lot of good info - but if it's not (close to) the same thing, please let me know.
 

New2This

Senior Member
I’m using Unbound here with the setup of DoT, using NextDNS servers here
Haven’t had any issues
 

BreakingDad

Senior Member
All I did on mine is set LAN DNS to the internal IP of the Pi, and no secondary. WAN DNS as auto, works perfectly. DHCP performed by router. Any devices I don't want to go through ISP DNS and AdGuard I change on the client.
 

GHammer

Senior Member
So you don't use the ASUS Router's DoT or DoH functions? Is one better than the other? What about using Unbound as a recursive DNS resolver...would you also suggest that?

Unbound can be used with the Pihole, that's what I do.
 

SpicyLimes

Occasional Visitor
So I followed the instructions listed on the Reddit Post and am able to see each Client within AdGuard Home. No DNS leaks either.

I will be looking at the other post that @GHammer mentioned later today to compare the settings. I have a feeling they are similar.

Thanks for everyone's assistance!
 

SpicyLimes

Occasional Visitor
Actually - question for everyone: How exactly do I test for a DNS Leak? I am simply searching Google for sites that do the test, but I am not really sure what I am looking to verify to ensure no leaks are present...
 
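Two points in this thread can be checked with one small tool: AdrianH's warning that some devices ignore the DHCP-supplied DNS and talk to 8.8.8.8 directly, and the question just above about how to verify there is no DNS leak. The check from a LAN client is simple: a plain UDP/53 query to the AdGuard Home address must be answered, and the same query sent to a public resolver must time out (the router is blocking or redirecting it). If a public resolver answers from a client, any device with a hard-coded resolver can bypass AdGuard Home. The script below is an added example, not code from any poster or from AdGuard Home; it uses only the Python standard library, and the AGH address 192.168.10.14 is an assumed value taken from the thread.

```python
"""Constructed example: probe resolvers over UDP/53 from a LAN client to
confirm the AdGuard Home resolver answers and hard-coded public resolvers
(8.8.8.8, 1.1.1.1) cannot be reached directly."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=None, qtype=1):
    """Build a minimal DNS query: one question, recursion desired, class IN."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, off):
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1


def parse_response(data, txid):
    """Return (rcode name, list of A-record IPs) from a raw DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        off = _skip_name(data, off) + 4      # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record
            ips.append(socket.inet_ntoa(rdata))
    return rcode, ips


def probe(server, name="example.com", timeout=2.0):
    """Send one query to `server`; report 'answered', 'timeout' or the rcode."""
    txid, pkt = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(pkt, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout", []
    finally:
        sock.close()
    rcode, ips = parse_response(data, txid)
    return ("answered" if rcode == "NOERROR" else rcode), ips


def evaluate(results, resolver):
    """results: {server: status}. The LAN resolver must answer; every other
    server in the set must be unreachable, otherwise a device that ignores
    the DHCP DNS option can resolve names without going through AGH."""
    findings = []
    if results.get(resolver) != "answered":
        findings.append(f"resolver {resolver} did not answer: {results.get(resolver)}")
    for server, status in results.items():
        if server != resolver and status == "answered":
            findings.append(f"{server} reachable on udp/53 from this client: DNS bypass possible")
    return findings


if __name__ == "__main__":
    resolver = "192.168.10.14"               # assumed AGH address from the thread
    targets = [resolver, "8.8.8.8", "1.1.1.1"]
    results = {t: probe(t)[0] for t in targets}
    for t in targets:
        print(f"{t:>15}: {results[t]}")
    print("\n".join(evaluate(results, resolver)) or "OK: only the LAN resolver answers")
```

Run it from an ordinary LAN client (a laptop on Wi-Fi, not the router or the Pi). An empty findings list means the setup matches the thread's goal; a "bypass possible" line means the router is still letting port 53 out to that address, and a public web-based leak test will not catch it because the browser already uses the correct resolver. This only covers plain DNS; a device that uses DNS over HTTPS on port 443 is not visible to this check.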
