Adguardhome not blocking ads

I have installed openwrt on my linksys velop whw01. This particular router has two ethernet ports (no WAN ports). One of the ethernet ports is connected to the main internet router (which I don't have access to, only the ISP can access).
Currently this is how the network interfaces look on my openwrt:

I have configured Adguard home on my router, and then configured the DNS forwarder on openwrt:

Now I see the traffic is originating from the router itself, and not from the clients:

Also when I visit sites with Ads, they show normally and they are not being blocked. I am using the default DNS filter:

Also, if I try to block a certain website with a custom rule on adguard home, clients are still able to browse that site.

BTW, when the wifi clients connect, they are getting the openwrt as their default gateway (only this changed after I enabled the dns forwarder on the openwrt - before they were getting their IP address from the main internet router):

Can someone advise what I need to do to fix the following:

  • make sure the client IP address shows up in the adguard home
  • the ads are blocked while browsing
  • the custom rules are effective and blocking traffic on clients

Appreciate your help.

It won't work, unless you can customize the settings in the main router.

Why is that?
If the clients are configured with openwrt/adguardhome as their gateway and DNS server, why wouldn't that work? My understanding is that whatever rules/filtering are applied on the gateway (in my case here, for the clients it is the openwrt/adguardhome), they should follow/adhere to them?

So for instance, I tried blocking cnn.com. I see in the logs it is being blocked, however on the client I am still able to browse it.



Yes, if you set it up directly on the clients, then it's doable.

What clients?
Have you disabled or blocked DoT?
Have you disabled or blocked DoH?

Clients are wireless (Android, iOS).
No, I did not disable/block DoT/DoH.

Then that's why they're not getting blocked.

And it still won't stop hardcoded DNSes some apps use.

Your first problem is that you connected the ISP router to a LAN port on OpenWrt. If you did not disable DHCP on OpenWrt, you are probably even running two DHCP servers.

The IMHO easiest option is to configure the ISP router in bridge mode and have OpenWrt do all routing, WiFi and filtering. If that's not an option, you're pretty much out of luck as you won't have access to clients not passing through OpenWrt (that would include all WiFi clients connected to the ISP router).

For a quick test, you can just repurpose OpenWrt's second LAN port as WAN and do double-NAT.

In my case I don't have access to the ISP router. It is owned by the ISP themselves and they don't provide access to it although it is in my house.
Anyways, no WiFi is enabled on the ISP router. However, DHCP is enabled on this ISP router (192.168.70.0/24).
Can you guide me on how to make the second LAN port a WAN port and do double NAT?
As you can see from my screenshots, the first LAN port is connected directly to the ISP router and is a bridge interface.
Currently the wireless SSIDs are also associated with the bridge network interface.

Post your /etc/config/network file.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:48cf:3adc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.70.254'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'

If that's all, I assume you've deleted the wan interface?

Recreate it, and move one of the ports (eth1 or eth2) to it.
Put the interface in the wan firewall zone.
The interface should be a DHCP client.

Or, if you haven't done any major customizing, just reset the device.

There was no wan interface when the firmware of openwrt was installed on this device. Anyways, I have created a wan interface and associated it with eth1 (btw eth1 is the one connected to the ISP router) and put the interface in the wan firewall zone. DHCP is also enabled.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:48cf:3adc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.70.254'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'



Still lists both ports though...

OK, I have rectified that. Here is how it looks:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:48cf:3adc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'

config interface 'lan'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.70.254'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth2'

Still looks the same?

Worst case scenario, edit the file.

You wanted me to remove one of the ports from the bridge device. Here is how it looks now:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5a:48cf:3adc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.70.254'
        option netmask '255.255.255.0'
        option gateway '192.168.70.1'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth2'

Now you should have a diff IP on the wan interface than on the lan interface...

And you can start doing all the AGH activities, traffic should now flow through the device, not via it.

You might need to reconnect the clients (or just power cycle the unit).

Since in my case my openwrt is connected to the ISP router on the eth1 port, I would assume I should associate eth1 with the wan interface, right?
While the lan interface should be associated with the eth2 port.
Then on the wireless SSIDs, I should associate them with the lan network?

Doesn't matter which port you use, just swap the cables... your choice.

If the wifi already worked, you shouldn't need to touch it.
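
The port assignment worked through in this thread can be checked mechanically. The following is an added example, not code from any participant: it flags ports that are both bridge members and direct interface devices, and tests whether the LAN's static subnet still contains the upstream router's address, in which case LAN and WAN sit in the same subnet. Function names and the reduced sample config are constructed; 192.168.70.1 is the gateway address from the posted config.

```shell
# Added example (hypothetical names, constructed sample): OpenWrt network config checks.
# Each check reads a UCI network config on stdin.

# Ports that are bridge members AND used directly as an interface device.
uci_port_conflicts() {
    awk -v q="'" '
        { gsub(q, "") }                      # strip UCI quoting
        $1 == "config" { section = $2 }
        section == "device" && $1 == "list" && $2 == "ports" { bridged[$3] = 1 }
        section == "interface" && $2 == "device" { direct[$3] = 1 }
        END { for (p in direct) if (p in bridged) print p }' | sort | xargs
}

# Network address of IP $1 under contiguous netmask $2 (no bit operations).
net_of() {
    echo "$1 $2" | awk '{
        split($1, a, "."); split($2, m, ".")
        for (i = 1; i <= 4; i++) { out = out sep (a[i] - a[i] % (256 - m[i])); sep = "." }
        print out }'
}

# Succeeds if address $2 lies inside the static subnet of interface $1.
iface_contains() {
    set -- "$2" $(awk -v q="'" -v want="$1" '
        { gsub(q, "") }
        $1 == "config" { name = ($2 == "interface") ? $3 : "" }
        name == want && $2 == "ipaddr"  { ip = $3 }
        name == want && $2 == "netmask" { mask = $3 }
        END { print ip, mask }')           # now: $1=addr $2=ip $3=mask
    [ $# -eq 3 ] && [ "$(net_of "$2" "$3")" = "$(net_of "$1" "$3")" ]
}

# Constructed sample modelled on the posted configs: $1 = bridge ports, $2 = wan device.
sample_config() {
    printf "config device\n  option name 'br-lan'\n  option type 'bridge'\n"
    for p in $1; do printf "  list ports '%s'\n" "$p"; done
    cat <<EOF
config interface 'lan'
  option proto 'static'
  option device 'br-lan'
  option ipaddr '192.168.70.254'
  option netmask '255.255.255.0'
config interface 'wan'
  option proto 'dhcp'
  option device '$2'
EOF
}

echo "first wan attempt, conflicting ports: $(sample_config 'eth1 eth2' eth1 | uci_port_conflicts)"
sample_config eth1 eth2 | iface_contains lan 192.168.70.1 && echo "lan shares a subnet with 192.168.70.1"
```

On the router itself the same functions take the real file, for example `uci_port_conflicts < /etc/config/network`.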