Thanks @trendy !
I started from scratch, changed main lan to 192.168.10.1, created guest lan on 10.0.0.1, disabled ipv6, installed Adguard Home and changed it to port 53, changed dnsmasq to 5353, created traffic rules for guest dns & dhcp and port forward rules for lan and guest.
On lan i put 192.168.10.1 on -Use custom DNS servers- & 6,192.168.10.1 on -DHCP-Option-.
On guest i put 192.168.10.10 on -Use custom DNS servers- & 6,192.168.10.10 on -DHCP-Option-.
Everything is OK with lan and wlan, but, devices get Ip address but no internet access when connect to guest.
Fixed this error on dnsmasq: -failed to load names from /tmp/hosts/dhcp.cfg01411c: Permission denied- but still no internet.
This is wrong. You should not use OpenWrt itself as an upstream nameserver. You should use the 10.10 address of Pihole. Regarding the dhcp option 6 it is not necessary because if you don't fill it in, it will automatically advertise itself to the dhcp clients as dns.
You don't need it in guest interface, only on lan interface, where it is reachable from.
Verify the IP/mask/gw/dns -> ipconfig /all in windows ip add;ip ro;cat /etc/resolv.conf in linux
Do a ping test ping google.com; ping 8.8.8.8
Thanks again @trendy !
After hours trying i got internet by using port forward rules and custom rules, now all devices can connect, the thing now is, private lan and wlan have no problem, they are served by adguard on router and the dns is forced so devices cannot change their dns, but, guest wifi goes through the raspberry pi as intended getting the dns i set without any relation to private lan apparently, the problem is that on the leaktests appears google dns mixed up, and the only device with that dns is the isp modem, i was thinking on disabling dhcp on the modem, what do you think?
I changed ISP Modem dns to cloudfare, this was the only device that had google dns, raspberry pi upstream is cloudfare and upstream for adguard home on this raspberry pi is opendns, the adguard on router has quad9 as upstream, so none of them have google dns, where should i look? because im still getting google dns showing on the leaktests.
I even checked with winscp every file conf and dnssmasq and there is no google dns reference in any.
GoogleDNS is often hardcoded in some Android/Google products. Not much you can do there, except hijacking.
You can try to isolate the device which queries GoogleDNS: opkg update; opkg install tcpdump; tcpdump -i any -evn 'port 53 and (host 8.8.8.8 or host 8.8.4.4)'
you test via recent browser version of FF/Chrome?
because they by default using 'secure DNS' , i.e. DNS over HTTPS to well-known DNS provider cloudflare, google, regardless your desktop is using the DNS server (pihole or adguard) offered via DHCP.
this method has worked for me after a fresh install only using banIP, but somehow if you install other stuff (like adguard home) and configure further then the DOH blocking dont work anymore, whats the permanent and final way to block DOH?