AdGuardHome Run AdGuard Home in AP mode? (Bypass check?)

Alright, removed the AGH Merlin script and replaced it with adguardhome-go: all is up and running and it seems DHCP is working fine now without messing about - thank you! :) I did have to add a rule telling JFFS to move dnsmasq to another port since the router started listening on port 53. But that was easily solved (also thanks to your earlier post @SomeWhereOverTheRainBow).

It's not really related, but since we did discuss DNS Director: I noticed that clients on the VPN (IPSec) are exempt from DNS redirection. They can bypass it no problem. Added two iptables rules (and made them persistent through reboot):
Code:
iptables -t nat -A PREROUTING -s VPNRANGE/24 -p udp --dport 53 -j DNAT --to-destination ROUTERIP:53
iptables -t nat -A PREROUTING -s VPNRANGE/24 -p tcp --dport 53 -j DNAT --to-destination ROUTERIP:53
(Obviously replace VPNRANGE with your VPN IP range and ROUTERIP with your router's LAN IP)

Now, VPN clients' DNS traffic is always routed to the router LAN IP whilst DNS Director still works and isn't affected for the LAN clients. In case anyone cares or finds it useful. ;)

Thanks again - all seems to work now as intended. :)
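
An idempotent way to apply the two rules from the post above, so that re-running them after each firewall restart does not stack duplicate entries (an added example, not the poster's script). The function names and the `IPT` override are hypothetical, and it assumes the router's iptables build supports the `-C` check option.

```shell
#!/bin/sh
# Added example: idempotent form of the two DNAT rules from the post.
# IPT may be overridden for a dry run; by default the real iptables is used.
IPT="${IPT:-iptables}"

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_cidr RANGE: succeed only for ADDR/PREFIX with PREFIX in 0..32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    prefix=${1##*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# redirect_dns VPN_CIDR ROUTER_IP: append each rule only if it is missing,
# so running this on every firewall restart never stacks duplicates.
redirect_dns() {
    src=$1; router=$2
    # Catches a forgotten placeholder such as VPNRANGE/24 before it reaches iptables.
    valid_cidr "$src" || { echo "bad VPN range: $src" >&2; return 2; }
    valid_ipv4 "$router" || { echo "bad router IP: $router" >&2; return 2; }
    for proto in udp tcp; do   # DNS uses both transports
        set -- PREROUTING -s "$src" -p "$proto" --dport 53 \
               -j DNAT --to-destination "$router:53"
        if ! $IPT -t nat -C "$@" 2>/dev/null; then
            $IPT -t nat -A "$@" || return 1
        fi
    done
}

# Usage (constructed sample values):
#   redirect_dns 10.8.0.0/24 192.168.1.1
```
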
 
I am glad you got it working. I hate to see someone having to struggle over the same lines of code I have struggled with.
 
One thing I am curious about is what the impact would be on the router's service (e.g. AiMesh) if you were to choose to set that dnsmasq port to zero (e.g. port=0). Obviously DHCP from dnsmasq would still work, but the DNS service provided by dnsmasq wouldn't. I've been itching to tinker with it, but I won't be back at my actual router till sometime in October. My job has us finishing off a contract that was supposed to be finished in July, but it has been pushed to October. I could speculate more with you but I have to run for now.
 
