Hiya, NEWB here. I've setup an Edgerouter 4 with Open WRT, Unbound and Ad-block fast. I've had several unsucessful goes at this mainly due to slightly out of date info on various Youtubes, and the non-practical nature of the official documentation. The latest setup is tantalisingly close to fully working.
How the three elements of DNSmasq, Unbound nd Ad-block fast connect is totally unclear to me. I've sucessfully got Unbound and Ad-block fast working and the router is correctly handing out DHCP IP6 and IP4 addresses.
If I have a device connected on an old lease with a Gateway (192.168.1.1) in it, everything functions. No ads, no list on 'DNSLeak' and the router is just ticking along doing this. As soon as the lease renews, I notice no Gateway is specified. At that point DNS lookups stops working (from that machine) and no internet. It get an IP and it can see the router though.
Someone must have this working and documented in a recent version? Or do you know what I've missed?
without you posting you config, how could we ?
do you really need unbound, it's overkill in most cases.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/unbound
BusyBox v1.37.0 (2026-03-25 20:09:53 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 25.12.2, r32802-f505120278 Dave's Guitar
-----------------------------------------------------
OpenWrt recently switched to the "apk" package manager!
OPKG Command APK Equivalent Description
------------------------------------------------------------------
opkg install <pkg> apk add <pkg> Install a package
opkg remove <pkg> apk del <pkg> Remove a package
opkg upgrade apk upgrade Upgrade all packages
opkg files <pkg> apk info -L <pkg> List package contents
opkg list-installed apk info List installed packages
opkg update apk update Update package lists
opkg search <pkg> apk search <pkg> Search for packages
------------------------------------------------------------------
For more information visit:
https://openwrt.org/docs/guide-user/additional-software/opkg-to-apk-cheatsheet
root@OpenWrt:~# ubus call system board
{
"kernel": "6.12.74",
"hostname": "OpenWrt",
"system": "UBNT_E300 (CN7030p1.2-1000-AAP)",
"model": "Ubiquiti EdgeRouter 4",
"board_name": "ubnt,edgerouter-4",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "25.12.2",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r32802-f505120278",
"target": "octeon/generic",
"description": "OpenWrt 25.12.2 r32802-f505120278",
"builddate": "1774469393"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '00049ba18740e49d44acae2b9bf80306116b'
option ula_prefix 'fdbc:6680:582d::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
option multipath 'off'
config interface 'wan'
option device 'lan0'
option proto 'pppoe'
option username 'xxxxxxxxxx'
option password 'xxxxxxxxxx'
option ipv6 'auto'
option norelease '1'
option multipath 'off'
option mtu '1492'
config interface 'wan6'
option device 'lan0'
option proto 'pppoe'
option username 'xxxxxxxx'
option password 'xxxxxxxx'
option ipv6 'auto'
option norelease '1'
option multipath 'off'
config device
option name 'lan0'
option macaddr '9c:53:22:4a:9f:20'
root@OpenWrt:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
option dhcpleasemax '150'
option port '0'
option localuse '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'hybrid'
option ra 'hybrid'
option master '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'
config host
option name 'NanoGarage'
list mac 'XX:XX'
option ip '192.168.1.135'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
root@OpenWrt:~# cat /etc/config/unbound
config unbound 'ub_main'
option add_extra_dns '0'
option dhcp_link 'dnsmasq'
option exclude_ipv6_ga '0'
option dns64 '1'
option domain 'lan'
option edns_size '1232'
option extended_stats '0'
option hide_binddata '1'
option interface_auto '1'
option listen_port '53'
option localservice '1'
option manual_conf '0'
option num_threads '1'
option protocol 'default'
option rate_limit '0'
option rebind_localhost '0'
option rebind_protection '1'
option recursion 'default'
option resource 'default'
option root_age '9'
option ttl_min '120'
option ttl_neg_max '1000'
option unbound_control '1'
option validator '1'
option verbosity '1'
list iface_trig 'lan'
list iface_trig 'wan'
list iface_wan 'wan'
option enabled '1'
config zone 'auth_icann'
option enabled '0'
option fallback '1'
option url_dir 'https://www.internic.net/domain/'
option zone_type 'auth_zone'
list server 'lax.xfr.dns.icann.org'
list server 'iad.xfr.dns.icann.org'
list zone_name '.'
list zone_name 'arpa.'
list zone_name 'in-addr.arpa.'
list zone_name 'ip6.arpa.'
config zone 'fwd_isp'
option enabled '0'
option fallback '1'
option resolv_conf '1'
option zone_type 'forward_zone'
list zone_name 'isp-bill.example.com.'
list zone_name 'isp-mail.example.net.'
config zone 'fwd_google'
option enabled '0'
option fallback '1'
option tls_index 'dns.google'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '8.8.4.4'
list server '8.8.8.8'
list server '2001:4860:4860::8844'
list server '2001:4860:4860::8888'
list zone_name '.'
config zone 'fwd_cloudflare'
option enabled '0'
option fallback '1'
option tls_index 'cloudflare-dns.com'
option tls_upstream '1'
option zone_type 'forward_zone'
list server '1.1.1.1'
list server '1.0.0.1'
list server '2606:4700:4700::1111'
list server '2606:4700:4700::1001'
list zone_name '.'
root@OpenWrt:~#
dogshome:
option port '0'
Do not completely disable the DNS function of dnsmasq, just change the listening port.
It's likely that only the DNS server is not advertised, but you can force the advertisement of both the DNS and Gateway address(es) using DHCP options.
uci set dhcp.@dnsmasq[0].port='1053'
uci add_list dhcp.lan.dhcp_option='3,192.168.1.1'
uci add_list dhcp.lan.dhcp_option='6,192.168.1.1'
uci commit dhcp
service dnsmasq restart
