Setting Up AdGuard: DNS Redirect doesn’t work

Ok thx, Joulinar.
And if I want to apply AdGuard across all devices without having to change each device’s DNS settings, what’s the best way to do that? Note, my router won’t allow me to point to the AdGuard Rpi.

Can you disable the dhcp server on the ISP router and use one on the dietpi? These are more flexible in terms of dhcp options.

Yes, AGH has its own DHCP server functionality. The easiest way is to disable it on your router and activate it in AGH. You just need to reconnect your devices to your network once to get the new settings via DHCP.

Success!! Thanks Joulinar & Trendy!
AGH is now the DHCP server and yes, using AGH provides more options & shows a lot more detailed info about various devices. :sunglasses:
I couldn’t have gotten it set up properly without your help, Joulinar. Again, many thanks!

Is UFW necessary to be on if my AGH Rpi is behind my router firewall?
Also, Joulinar, when you said, “allow income traffic from local network on port 53”, is the command simply “ufw allow 53”?

Is UFW necessary to be on if my AGH Rpi is behind my router firewall?

It depends on whether you have open ports and your system is reachable from the internet.

What was the reason for you to install UFW?

Force of habit. I think the Raspberry Pi OS setup I’ve done in the past, suggests installing and enabling UFW.

Here’s the current ufw status:

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere                  
8083                       ALLOW       Anywhere                  
3000                       ALLOW       Anywhere                  
22 (v6)                    ALLOW       Anywhere (v6)             
8083 (v6)                  ALLOW       Anywhere (v6)             
3000 (v6)                  ALLOW       Anywhere (v6)

If you don’t have any direct access from the internet, you should be fine to remove UFW. If you like to stay with UFW, you would need to add port 53 to be allowed.

Ok. Is then the command simply “ufw allow 53”? Or something else. I ask because you earlier said to allow Local traffic. Not sure if the above command allows more than that.

At the moment you are allowing traffic from Anywhere on the ports defined. If you like, you could restrict access to a local network/subnet or a specific network interface.

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-18-04

Excellent tutorial link, Joulinar! I’ve got UFW set up to allow access to port 53 only from my local network. Thank you, again.

Also:

  • I have a guest network setup on the same router for any IoT devices. But I notice after enabling UFW as above the Echo 5 doesn’t connect to the network. I assumed that allowing my local network access to port 53 would allow this device access too, but apparently not. [EDIT: after rebooting the router it appears a few devices can’t find the network. So I’ve disabled UFW until I figure this one out.]
  • At one point, I removed Unbound. Now when I enter cat /etc/resolv.conf I see my Rpi address 192.168.1.100. What is the advantage of Unbound if my Rpi is already the DNS server?
  • Does Dietpi running AGH perform well with other software installed such as Snapcast and Motioneye? Or is it preferable to install these on a separate Rpi? I’m using the 4GB model for AGH.
  • I have a guest network setup on the same router for any IoT devices. But I notice after enabling UFW as above the Echo 5 doesn’t connect to the network. I assumed that allowing my local network access to port 53 would allow this device access too, but apparently not. [EDIT: after rebooting the router it appears a few devices can’t find the network. So I’ve disabled UFW until I figure this one out.]

Usually a guest network is separated from your local network, and devices inside the guest network should not be able to connect to the normal one. Or did you allow this? Do your IoT systems start working once UFW has been disabled? Can you share your UFW rules?

  • At one point, I removed Unbound. Now when I enter cat /etc/resolv.conf I see my Rpi address 192.168.1.100. What is the advantage of Unbound if my Rpi is already the DNS server?

Best practice is not to use AGH as DNS server for the RPi itself (/etc/resolv.conf). We recommend using a global public DNS provider like Quad9 or Cloudflare on the RPi locally. Why? Because what happens if AGH fails? Your local DNS resolution would not work anymore and you would need to change local settings anyway. This has no effect on devices on your local network; they will still use AGH, as the settings inside /etc/resolv.conf affect the RPi only.

The benefit of Unbound is not performing local DNS resolution. It is more about data privacy, because Unbound will not use a public DNS provider to resolve DNS requests. In a default configuration Unbound will use the root DNS servers directly. This means none of the public DNS providers or your ISP knows what you are looking for. As well, it’s a little bit of a failsafe: if one of the root DNS servers is failing, others are still available to be used.

  • Does Dietpi running AGH perform well with other software installed such as Snapcast and Motioneye? Or is it preferable to install these on a separate Rpi? I’m using the 4GB model for AGH.

AGH is a small application leaving a small footprint on your system. There shouldn’t be an issue to have it running together with other apps.

The IoT device starts working on the guest network once UFW is disabled. I notice I didn’t click “Isolate Clients” on the guest network options, so I assume they can access the regular network. I’ve now selected “Isolate Clients” option.

I notice the regular network (not guest network) also doesn’t work with UFW enabled. I must’ve changed something at some point. Gets a bit confusing! However, with UFW disabled both guest and normal network work fine.

Here are the UFW rules:

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
8083                       ALLOW       Anywhere
3000                       ALLOW       Anywhere
53                         ALLOW       192.168.1.0
22 (v6)                    ALLOW       Anywhere (v6)
8083 (v6)                  ALLOW       Anywhere (v6)
3000 (v6)                  ALLOW       Anywhere (v6)

Re: not using AGH server for the Rpi: can you clarify how to use AGH for the DNS server but not for the Rpi? I like the added features of AGH compared to my router. Much clearer, detailed info is available in AGH.
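Added example for this edit (not code from the thread, from DietPi or from AdGuard Home), covering both the earlier suggestion to restrict the UFW rules to the local subnet and the rules pasted above. It assumes the LAN is 192.168.1.0/24 (the Pi being 192.168.1.100), that the ports are the ones already allowed in the thread (22, 3000, 8083, 53), and that AGH’s DHCP server receives requests through the normal UDP path that UFW filters. Two things a practitioner would check in the rules above: once AGH is the DHCP server, UFW must also allow UDP 67, otherwise clients cannot obtain a lease (which would fit devices failing to join only while UFW is enabled); and a From column showing 192.168.1.0 without a mask matches only that single address, not the subnet.

```shell
#!/bin/sh
# Added example, not code from the thread, DietPi or AdGuard Home: a UFW
# ruleset for a DietPi host running AGH as DNS and DHCP server, and an audit
# of pasted `ufw status` output. Assumptions: LAN is 192.168.1.0/24, the
# ports are the ones allowed in the thread (22, 3000, 8083, 53), and AGH's
# DHCP server receives requests through the normal UDP path UFW filters.

# Print the ufw commands for a LAN-restricted ruleset. Nothing is executed;
# review the output, then pipe it into sh on the Pi.
agh_ufw_rules() {
  lan="$1"
  cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan to any port 22 proto tcp
ufw allow from $lan to any port 3000 proto tcp
ufw allow from $lan to any port 8083 proto tcp
ufw allow from $lan to any port 53 proto tcp
ufw allow from $lan to any port 53 proto udp
ufw allow 67/udp
EOF
}
# DHCPDISCOVER arrives from source 0.0.0.0 to 255.255.255.255, so a
# "from $lan" rule never matches it; the 67/udp rule is left unrestricted.
# "ufw allow in on eth0 to any port 67 proto udp" (interface name assumed)
# limits it to the LAN interface instead.

# Audit `ufw status` text on stdin: print one line per problem and return
# the number of problems (0 means the DNS+DHCP rules look complete).
agh_ufw_check() {
  status=$(cat)
  problems=0
  # DNS: a plain "53" rule covers tcp and udp; "53/udp" is also enough.
  if ! printf '%s\n' "$status" | grep -Eq '^53(/udp)?[[:space:]]+ALLOW'; then
    echo "no ALLOW rule for DNS (53/udp)"
    problems=$((problems + 1))
  fi
  # DHCP: with AGH as DHCP server, UDP 67 must be open or nobody gets a lease.
  if ! printf '%s\n' "$status" | grep -Eq '^67(/udp)?[[:space:]]+ALLOW'; then
    echo "no ALLOW rule for DHCP (67/udp): clients cannot obtain a lease"
    problems=$((problems + 1))
  fi
  # A From of "192.168.1.0" without a mask matches only that single address;
  # the subnet needs the /24 suffix.
  if printf '%s\n' "$status" | grep -Eq 'ALLOW[[:space:]]+([0-9]+\.){3}0([[:space:]]|$)'; then
    echo "a From address ends in .0 with no mask: use e.g. 192.168.1.0/24"
    problems=$((problems + 1))
  fi
  # Informational only (not counted): IPv4 ports still open to Anywhere.
  printf '%s\n' "$status" \
    | grep -E '^[0-9]+(/(tcp|udp))?[[:space:]]+ALLOW[[:space:]]+Anywhere' \
    | while read -r port _; do echo "note: port $port is allowed from Anywhere"; done
  return $problems
}
```

Usage on the Pi: `sudo ufw status | agh_ufw_check` to audit, and `agh_ufw_rules 192.168.1.0/24` to see the commands before running them; the v6 rules are untouched by the audit, since the thread’s network is IPv4.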

Can you share the output of

cat /etc/resolv.conf
nameserver 192.168.1.100
nameserver 192.168.1.100

Not sure why it outputs twice.

Ok, let’s check the location of the file

readlink -f /etc/resolv.conf

If the location is the same, you can simply edit the file using nano /etc/resolv.conf and change the DNS server to Quad9 or any other public DNS provider

nameserver 9.9.9.9
nameserver 149.112.112.112
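An added shell example (not from the thread) that does what this post and the earlier “best practice” post describe: it lists the nameservers in the Pi’s own resolv.conf (collapsing the duplicated line seen above), fails if any of them is the host itself, and writes the Quad9 entries only when the file is a plain file rather than a symlink generated by another tool. It assumes the Pi’s LAN address 192.168.1.100 from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Pi's own /etc/resolv.conf so
# the host does not depend on the AdGuard Home instance it runs itself.
# Assumption: the Pi's LAN address is 192.168.1.100 (as posted above).

# Print the nameserver addresses from resolv.conf text on stdin, in order,
# with duplicates collapsed (the thread's file listed the same line twice).
resolv_nameservers() {
  awk '$1 == "nameserver" && !seen[$2]++ { print $2 }'
}

# Return 0 when no nameserver on stdin refers to this host. The host's own
# addresses are passed as arguments; 127.0.0.1 and ::1 are always included.
# Offending entries are printed and the return value is 1 otherwise.
resolv_self_free() {
  self="127.0.0.1 ::1 $*"
  bad=0
  for ns in $(resolv_nameservers); do
    for me in $self; do
      if [ "$ns" = "$me" ]; then
        echo "nameserver $ns is this host: local lookups break if AGH is down"
        bad=1
      fi
    done
  done
  return $bad
}

# The replacement suggested in the post: Quad9 primary and secondary.
resolv_public_content() {
  printf 'nameserver 9.9.9.9\nnameserver 149.112.112.112\n'
}

# Write the replacement only when the file is a plain file. If it is a
# symlink (readlink -f shows another location) it is generated by resolvconf,
# systemd-resolved or similar and must be changed through that tool instead.
resolv_apply_public() {
  path="${1:-/etc/resolv.conf}"
  if [ -L "$path" ]; then
    echo "$path is a symlink to $(readlink -f "$path"); not overwriting" >&2
    return 2
  fi
  resolv_public_content > "$path"
}
```

On the Pi: `resolv_self_free 192.168.1.100 < /etc/resolv.conf` reports whether the box resolves through its own AGH, and `sudo sh -c '. ./resolv.sh; resolv_apply_public'` (hypothetical file name) writes the Quad9 lines when the file is editable directly.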

Aha, ok I get it. The file was in the same location and has been updated.
Thanks, Joulinar!

I notice 3 unknown devices on my network shown in Adguard. I thought AGH was set up correctly but I’ve blocked the IP addresses for now. What settings can I check to ensure my network is secure?

But this has nothing to do with AGH, as it is a simple ad blocker and not a network security tool. AGH or DietPi will not prevent devices from connecting. You could search the web on how to increase network security. There are quite a lot of guides available.

Ok, I’ll investigate. I had disabled ufw because it stopped my Echo 5 device from connecting.

Next question: When I shut down the Raspberry Pi that AGH is installed on, I have no internet access. I thought the Rpi AGH was setup to allow access should the Rpi fail.
I have looked at the /etc/resolv.conf which shows Quad9 servers 9.9.9.9 & 149.112.112.112. Router DNS servers are the same. What other settings can I tweak to allow access should the Rpi fail?