What's new

Problem with reaching Adguard Home from outside home network

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

nothingness

New Around Here
Hello all,

Router - ASUS RT-AC86U; Gateway IP - 192.168.1.1
Firmware - Merlin 386.12 updated on September 17th 2023.
Issues - Reaching Adguard home from outside the home network

A bit of a background about my issue (presented later) - Although I'm in the medical profession, I always felt I had a calling towards IT (basic) and coding. Have been attempting to install and get Adguard Home running on my router and I always ran into problems (such as the service not restarting when I restart the router, not enough memory on the router etc.) I finally managed to solve these issues by creating a 2GB swap file on my 8GB pen drive (I did not know what a swapfile was until 2 years after I bought the router!!)

Anyway once all is setup, I'm chuffed that all is going to plan and I do not have any problems anymore! I opened ports 443 and 853 on the router and disabled the firewall and checked that I can access my adguard home server outside the home network. All is going to plan. Until...

A few days ago, I wanted to try Skynet Firewall, installed it for a few hours, did not really think it would be useful for my needs and uninstalled it. Since then I'm unable to access the adguard home web interface from outside the home network. Checked the firewall, it was re-enabled by skynet, disabled it and yet my problem isn't solved.

What is interesting is that, when I change set_http3 in the adguard home yaml file to 'true' I'm able to access my home DNS server using a h3:// address but I still can't access the https:// web interface. I then went ahead and used the quic protocol and it works perfectly well. Then checked with the TLS protocol and I can't reach my server.

Am I right in thinking - that I'm able to access my server through UDP (h3 over 443 and quic over 853) protocol but not through TCP (https over 443 and tls over 853) ? It seems there is some corroborating evidence as I'm able to reach the VPN server in my router (UDP) but unable to reach FTP (tcp over 20,21), which I previously was able to.

Any help will be greatly appreciated. Attaching screenshots of my port forwarding rules and syslog of port forwarding

P.S. - I have UPnP disabled and firewall disabled. I understand that port forwarding is from the router to a downstream LAN client but even when I input the router's IP address in Internal IP, it works (such as with VPN server and remote access of WebUI)
 

Attachments

  • Port Forwarding Syslog.PNG
    Port Forwarding Syslog.PNG
    129.8 KB · Views: 38
  • Port Forwarding.PNG
    Port Forwarding.PNG
    65.6 KB · Views: 41
Why on earth have you disabled the router's firewall and exposed all these services to the public internet? :eek: This is a huge security issue. You're basically inviting everyone to hack your router or abuse those services.
 
Thanks for your response.

I did this for

1. Accessing my home DNS server web interface from outside my home network

2. Using my home DNS server as a DNS upstream in my devices.

How do I expose these ports on the router, with the firewall intact?
 
Thanks for your response.

I did this for

1. Accessing my home DNS server web interface from outside my home network

2. Using my home DNS server as a DNS upstream in my devices.
This is fundamentally a terrible idea. Without restricting the source IP addresses to trusted hosts you are inviting everyone on the planet to either hack your router or use it as a relay for malicious activities.

How do I expose these ports on the router, with the firewall intact?
The purpose of the router's firewall is to protect it from external attacks and not publicly expose various services that should only be available to the LAN. If you need some on-router service available to the internet then you usually need to create an exception for the specific port using a firewall-start script. Sometimes it can be done through the GUI using port forwarding, but not always. It depends on the application.

The advice endlessly repeated on these forums is to never expose any services to the internet, other than a VPN server. Not even the router's web interface which has a long history of being hacked and people's router's becoming infected with malware.
 
Thanks for your response.

I have disabled access to router's web GUI through WAN. However I'd still like to access the Adguard home interface and DNS server.

Any advise or links to how to create a port exception in the firewall start script?
 
Thanks for your response.

I have disabled access to router's web GUI through WAN. However I'd still like to access the Adguard home interface and DNS server.

Any advise or links to how to create a port exception in the firewall start script?

There are 2 options that are safer than what you're trying to do:
1. VPN into your network to use Adguard
2. Set up your phone to use the public Adguard servers

Opening ports to create a public DNS server creates an attack point and will be used in DoS attacks against other systems. Read up on "Open resolver".
 
There are 2 options that are safer than what you're trying to do:
1. VPN into your network to use Adguard
2. Set up your phone to use the public Adguard servers

Opening ports to create a public DNS server creates an attack point and will be used in DoS attacks against other systems. Read up on "Open resolver".
Will read up, thank you.

What role does AIProtection play in this ? Does it effectively replace the function of a firewall ?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top