How to allow AdGuard Home through firewall rules

Hello VyOS family. Using the latest rolling release, I managed to use firewall rules from the official guide and it works, but when I use DNS forwarding to AdGuard Home it breaks the internet and I cannot access the AdGuard Home page.

But when I uninstall AdGuard and use the set dns forwarding command, the internet works but the download speed is also slow now. Earlier I had 310 Mbps down and 120 up; now it is 140 Mbps and 64 up. Did I use too many rules?

So what shall I change in the firewall rules to accommodate AdGuard Home?

set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options resolver-cache
set firewall global-options resolver-interval '60'
set firewall global-options send-redirects 'disable'
set firewall global-options source-validation 'disable'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group interface-group LAN interface 'eth1'
set firewall group interface-group WAN interface 'eth0'
set firewall group network-group NET-INSIDE-v4 network 'xxx.xxx.10.0/24'
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'CONN_FILTER'
set firewall ipv4 forward filter rule 100 action 'jump'
set firewall ipv4 forward filter rule 100 destination group network-group 'NET-INSIDE-v4'
set firewall ipv4 forward filter rule 100 inbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 100 jump-target 'OUTSIDE-IN'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target 'CONN_FILTER'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 destination port '22'
set firewall ipv4 input filter rule 20 jump-target 'VyOS_MANAGEMENT'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new 'enable'
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group 'NET-INSIDE-v4'
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 'xxx.xxx.0.0/8'
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
set firewall ipv4 name CONN_FILTER rule 10 state established 'enable'
set firewall ipv4 name CONN_FILTER rule 10 state related 'enable'
set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable'
set firewall ipv4 name OUTSIDE-IN default-action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface interface-group 'LAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count '4'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time 'minute'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new 'enable'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new 'enable'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:c0'
set interfaces ethernet eth0 offload gro
set interfaces ethernet eth0 offload gso
set interfaces ethernet eth0 offload lro
set interfaces ethernet eth0 offload rfs
set interfaces ethernet eth0 offload rps
set interfaces ethernet eth0 offload sg
set interfaces ethernet eth0 offload tso
set interfaces ethernet eth0 ring-buffer rx '4096'
set interfaces ethernet eth0 ring-buffer tx '4096'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'xxx.xxx.10.1/24'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:be'
set interfaces ethernet eth1 offload gro
set interfaces ethernet eth1 offload gso
set interfaces ethernet eth1 offload lro
set interfaces ethernet eth1 offload rfs
set interfaces ethernet eth1 offload rps
set interfaces ethernet eth1 offload sg
set interfaces ethernet eth1 offload tso
set interfaces ethernet eth1 ring-buffer rx '4096'
set interfaces ethernet eth1 ring-buffer tx '4096'
set interfaces ethernet eth1 speed 'auto'
set interfaces ethernet eth2 hw-id 'xx:xx:xx:xx:xx:bf'
set interfaces ethernet eth3 hw-id 'xx:xx:xx:xx:xx:c1'
set interfaces loopback lo
set interfaces pppoe pppoe0 authentication password xxxxxx
set interfaces pppoe pppoe0 authentication username xxxxxx
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '1'
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 sla-id '0'
set interfaces pppoe pppoe0 ip adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 ipv6 adjust-mss 'clamp-mss-to-pmtu'
set interfaces pppoe pppoe0 source-interface 'eth0'
set nat source rule 100 outbound-interface 'pppoe0'
set nat source rule 100 source address 'xxx.xxx.10.0/24'
set nat source rule 100 translation address 'masquerade'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 default-router 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 domain-name xxxxxx
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 lease '86400'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 name-server 'xxx.xxx.10.1'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 start 'xxx.xxx.10.10'
set service dhcp-server shared-network-name xxxxxx subnet xxx.xxx.10.0/24 range 0 stop 'xxx.xxx.10.254'
set service dns forwarding allow-from 'xxx.xxx.10.0/24'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address 'xxx.xxx.10.1'
set service ntp allow-client xxxxxx 'xxx.xxx.0.0/0'
set service ntp allow-client xxxxxx '::/0'
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service ntp server xxxxx.tld
set service router-advert interface eth1 name-server 'xxxx:xxxx::1111'
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
set service ssh port '22'
set system config-management commit-revisions '100'
set system conntrack expect-table-size '10485760'
set system conntrack hash-size '10485760'
set system conntrack modules ftp
set system conntrack modules h323
set system conntrack modules nfs
set system conntrack modules pptp
set system conntrack modules sip
set system conntrack modules sqlnet
set system conntrack modules tftp
set system conntrack table-size '10485760'
set system console device ttyS0 speed '115200'
set system host-name xxxxxx
set system ip arp table-size '32768'
set system ip multipath layer4-hashing
set system ipv6 multipath layer4-hashing
set system ipv6 neighbor table-size '32768'
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system name-server 'xxx.xxx.1.1'
set system option
set system syslog global facility all level 'info'
set system syslog global facility local7 level 'debug'
set system time-zone 'Asia/Dubai'

I'm guessing you have already gone through this thread?

More particularly:

and

Please share the rules you're using and how you have configured your VyOS. Also, how have you configured your clients to talk to your AdGuard, etc.?

Without this we’ll go around in circles for months :blush:

Yes, that's my thread :grinning: and I was successfully using AdGuard without any issues, but I never used any firewall rules since they broke AdGuard. Today I tried to remove AdGuard and use the standard configuration as in the quick start guide with all FW rules; the setup works but, as mentioned, with slow internet. I would like to have FW rules as well as AdGuard. Can you guide me?

Oh sorry about that :slight_smile:

I guess you have already seen my "template" regarding a zone-based approach for 1.5-rolling?

Note that the above isn't complete (IPv6 stuff is missing, and the defaults for the input/output filters should be changed from "accept" to "drop").

Since your AdGuard container runs locally on the VyOS, I think it's the input/output filters you will have to act on (and not the forward filter).

Note that for DNS you have to allow both UDP 53 and TCP 53 in the input filter (stuff that cannot fit in a single UDP packet, normally max 1280 bytes (the smallest allowable MTU for IPv6), will switch to TCP instead; not uncommon when DNSSEC and other things are being used) for your AdGuard to work properly.

And then in the output filter basically the same thing, so the AdGuard container can perform the resolving towards authoritative servers.

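The input/output rules described in the reply above, written out as an added example (not config from the original thread or from VyOS's own documentation). It assumes the AdGuard Home container is started with `allow-host-networks`, so it listens on the router's own addresses and its traffic is evaluated by the input and output filters rather than forward; with a dedicated container network the traffic would hit the forward filter instead. It also assumes the AdGuard Home web UI is on TCP 3000 (its first-run default; substitute whatever port you configured), reuses the `LAN`, `NET-INSIDE-v4` and `CONN_FILTER` names from the posted config, and uses `pppoe0` as the Internet-facing interface. Rule numbers are illustrative.

```vyos
# Added example, not from the original post. Assumes AdGuard Home runs as a
# VyOS container with allow-host-networks (assumption), so it binds on the
# router itself and LAN clients reach it through the input filter.
# Assumed AdGuard Home web UI port: 3000/tcp (its first-setup default).

# Input filter: LAN clients -> AdGuard Home on the router.
# tcp_udp covers the TCP fallback used for answers that do not fit in one
# UDP datagram (truncated responses, common with DNSSEC).
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 description 'DNS to AdGuard Home from LAN (UDP+TCP)'
set firewall ipv4 input filter rule 40 destination port '53'
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 inbound-interface interface-group 'LAN'
set firewall ipv4 input filter rule 40 source group network-group 'NET-INSIDE-v4'

# Web UI reachable from the LAN only, never from the WAN side.
set firewall ipv4 input filter rule 45 action 'accept'
set firewall ipv4 input filter rule 45 description 'AdGuard Home web UI from LAN (assumed port 3000)'
set firewall ipv4 input filter rule 45 destination port '3000'
set firewall ipv4 input filter rule 45 protocol 'tcp'
set firewall ipv4 input filter rule 45 inbound-interface interface-group 'LAN'
set firewall ipv4 input filter rule 45 source group network-group 'NET-INSIDE-v4'

# Output filter: AdGuard Home on the router -> upstream/authoritative resolvers.
# Default drop as the reply recommends; reuse CONN_FILTER so replies to
# established sessions are accepted before the per-service rules.
set firewall ipv4 output filter default-action 'drop'
set firewall ipv4 output filter rule 10 action 'jump'
set firewall ipv4 output filter rule 10 jump-target 'CONN_FILTER'
set firewall ipv4 output filter rule 40 action 'accept'
set firewall ipv4 output filter rule 40 description 'Plain DNS to upstreams (UDP+TCP)'
set firewall ipv4 output filter rule 40 destination port '53'
set firewall ipv4 output filter rule 40 protocol 'tcp_udp'
set firewall ipv4 output filter rule 40 outbound-interface name 'pppoe0'
# Only needed if AdGuard Home is configured with DNS-over-TLS upstreams
# (853/tcp); DNS-over-HTTPS upstreams would need 443/tcp instead.
set firewall ipv4 output filter rule 41 action 'accept'
set firewall ipv4 output filter rule 41 description 'DNS-over-TLS to upstreams (if configured)'
set firewall ipv4 output filter rule 41 destination port '853'
set firewall ipv4 output filter rule 41 protocol 'tcp'
set firewall ipv4 output filter rule 41 outbound-interface name 'pppoe0'
```

Two caveats before committing this. First, once the output filter defaults to drop, everything else the router itself originates (NTP to the configured servers, the PPPoE session on eth0, DHCPv6-PD on pppoe0, SSH replies are covered by CONN_FILTER) needs its own accept rule, so add those before switching the default or you will lock more than DNS out. Second, in the posted config the `WAN` interface-group contains `eth0`, but the Internet-facing interface is `pppoe0` (the NAT rule and the PPPoE `source-interface` show this), so any rule matching `inbound-interface interface-group 'WAN'`, including the jump to `OUTSIDE-IN` in the forward filter, never sees traffic arriving from the Internet; put `pppoe0` in that group. Check what actually matches with `show firewall ipv4 input filter` and `show firewall ipv4 output filter` after a commit and watch the per-rule counters while a LAN client runs a lookup.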

The internet speed has improved now; after I left it overnight, things sorted themselves out.

I will look into this. Sir, you have been a gem in this forum; I will report back with my findings. Please do respond, because now I have all other things sorted with VyOS, and only truly understanding FW rules is left. After that I can confidently use it in other installations.
