Error when mounting adguard container

DyadyaGenya · Wed Dec 06, 2023 2:53 pm

I have RB4011iGS+5HacQ2HnD. It is based on arm architecture, and it seems that I can install containers on it. I understand that it is not the best idea to put a container on it, because it does not have an external drive. But I really want to filter out advertising for all devices on the network at once. I followed the instructions from the wiki before starting the container and got this error:

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc
failure: not allowed by device-mode

At the same time, all other settings seemed to be applied without problems.
If necessary, I can show you the entire order of command execution

Wed Dec 06, 2023 2:58 pm

First enable container functionality here:
https://help.mikrotik.com/docs/display/ROS/Device-mode

DyadyaGenya · Wed Dec 06, 2023 4:18 pm

First enable container functionality here:
https://help.mikrotik.com/docs/display/ROS/Device-mode

Strange, I seemed to do it as a command

/system device-mode update container=yes

but when checking it was only

system device-mode print
       mode: enterprise

Perhaps I reset the settings poorly. Now I repeated this procedure and now received the following report:

system device-mode print
       mode: enterprise
  container: yes

Then I tried again

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc

It seems that I didn’t receive an error, but if I look in the list of containers, the status is “error”

jvanhambelgium · Wed Dec 06, 2023 4:24 pm

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.

DyadyaGenya · Wed Dec 06, 2023 4:46 pm

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.

Unfortunately, setting up logging is an unknown topic for me. I did as written in the Mikrotik wiki

/container set 0 logging=yes

The existing log was cleared and new entries like:

was unable to import, container 78af614f-b4ef-427b-8e17-22e1dc08ba93

jvanhambelgium · Wed Dec 06, 2023 5:21 pm

Remove the container and re-create and provide the logging=yes from the beginning. You should see a bit more output when it downloads the various layers. I agree the logging is pretty ... basic .... and will probably not reveil WHY you have this issue.

You specify as root-dir=adguard => This will write on the local flash, you have enough space ??

DyadyaGenya · Wed Dec 06, 2023 5:26 pm

Remove the container and re-create

This was the first thing I tried after your advice to enable logging.

You specify as root-dir=adguard => This will write on the local flash, you have enough space ??

Yes, I write directly to a local drive. In the topic header I wrote a model of my Mikrotik and wrote that I understand that this is not the best idea. But I don’t know how to check how much space is on the local drive.

optio · Wed Dec 06, 2023 5:29 pm

On which ROS version? There was issue with OCI manifest, fixed in ROS 7.10.
*) container - fixed "container pull" to support OCI manifest format;

DyadyaGenya · Wed Dec 06, 2023 5:53 pm

On which ROS version? There was issue with OCI manifest, fixed in ROS 7.10.
*) container - fixed "container pull" to support OCI manifest format;

7.9.1
Now I’ll try to update to 7.10.2 But I forgot, will I also need to update the packages that are installed on me?

DyadyaGenya · Wed Dec 06, 2023 6:00 pm

Although I updated ROS and saw that the packages needed to be updated. The container installation is now successful. Although in the state it writes that it has been stopped. I think that the main problem has been solved, I will read further on how to start a container

optio · Wed Dec 06, 2023 6:50 pm

Containers are stopped by default after deploying, needs to be started manually /container/run <container_number> and also you can set start-on-boot=yes to autorun container on ROS startup.

DyadyaGenya · Wed Dec 06, 2023 6:51 pm

Now I have another problem. The container was downloaded, installed, received the status “stopped”, I made a command so that it would start automatically after rebooting Mikrotik

container set start-on-boot=yes 0

I overloaded the router, the logs show that the container has started, the status is “running”, but the address is not pinged, the status is “timeout”. The firewall is disabled, or rather almost empty.
At the same time, it writes in the logs

2023/12/06 16:38:40.922017 [info] go to http://172.17.0.2:3000

That is, in theory the container has started (I assigned this address to the interface with the container)
I can’t access the address in the browser either.

DyadyaGenya · Wed Dec 06, 2023 6:52 pm

Containers are stopped by default after deploying, needs to be started manually /container/run <container_number> and also you can set start-on-boot=yes to autorun container on ROS startup.

I just did this, but another problem appeared, voiced above.

optio · Wed Dec 06, 2023 6:57 pm

If container VETH is on different bridge than LAN, then this is normal, you need firewall rule fo accept forward traffic in/out containers bridge or VETH IP (depends how you need to secure containers network).

DyadyaGenya · Wed Dec 06, 2023 7:03 pm

If container VETH is on different bridge than LAN, then this is normal, you need firewall rule fo accept forward traffic in/out containers bridge or VETH IP (depends how you need to secure containers network).

Of course it is on another bridge. I did as in the instructions. The bridge itself pings (172.17.0.1)
Unfortunately, I don’t understand the firewall rules. I just started studying them, but decided to get rid of online advertising first. But I don’t have them. I disabled the existing rule.

optio · Wed Dec 06, 2023 7:17 pm

If you added other rules from MT Container tutorial try with:

/ip/firewall/filter/add chain=forward action=accept in-interface-list=LAN out-interface=containers

If you have defconf configuration, order that rule below defconf: drop invalid rule.

DyadyaGenya · Wed Dec 06, 2023 7:31 pm

If you added other rules from MT Container tutorial try with:

I will try to do as in the instructions. Here are the steps I did:

/system device-mode update container=yes

/container set 0 logging=yes

/interface bridge add name=dockers

/ip address add address=172.17.0.1 interface=dockers

/interface veth add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1

/ip firewall nat add chain=scrnat action=masquerade src-address=172.17.0.0/24

/container config set ram-high=100M
/container config set registry-ur=https://registry-1.docker.io
/container config set tmpdir=/tmp_docker

/container mounts add name=adguard_etc src=/adguard/etc dst=/etc/adguard

/container add remote-image=adguard/adguardhome:latest interface=veth1 root-dir=adguard mounts=adguard_etc

/container set start-on-boot=yes 0

try with:

/ip/firewall/filter/add chain=forward action=accept in-interface-list=LAN out-interface=containers

I understand that I have to substitute my values here. If I understand what LAN is, then I don’t understand what “out-interface=containers” is.

optio · Wed Dec 06, 2023 7:53 pm

then I don’t understand what “out-interface=containers” is.

I didn't know name you assigned to containers bridge, I assumed containers since is like that in tutorial, but in your case is dockers, then replace containers with dockers in that rule. in/out-interface in rules can be interface (not all) or bridge.

DyadyaGenya · Wed Dec 06, 2023 8:53 pm

I didn't know name you assigned to containers bridge, I assumed containers since is like that in tutorial, but in your case is dockers, then replace containers with dockers in that rule. in/out-interface in rules can be interface (not all) or bridge.

That's what I thought, but unfortunately, the ping still doesn't work.

I understand that you have looked at my commands and my steps for setting up the container. I didn't miss anything, did I? Did I do everything right?

optio · Wed Dec 06, 2023 9:00 pm

Address subnet is missing for dockers bridge:
/ip address add address=172.17.0.1/24 interface=dockers

DyadyaGenya · Wed Dec 06, 2023 9:06 pm

Address subnet is missing for dockers bridge:
/ip address add address=172.17.0.1/24 interface=dockers

Yes, again my carelessness. Ping went. Thank you. I will try to further understand containers and adguard.

DyadyaGenya · Wed Dec 06, 2023 9:09 pm

If you added other rules from MT Container tutorial try with:
Code: Select all
/ip/firewall/filter/add chain=forward action=accept in-interface-list=LAN out-interface=containers 
If you have defconf configuration, order that rule below defconf: drop invalid rule.

By the way, I tried to remove this rule and the container continued to work. It turns out that this rule was unnecessary in this situation?

optio · Wed Dec 06, 2023 9:26 pm

If it works without it - remove it, I have different setup (IP firewall for bridge) and I need this rule, since you didn't export whole ROS configuration it was my suggestion to try, but in your case it was just configuration error in address range for dockers bridge.

DyadyaGenya · Thu Dec 07, 2023 12:08 am

I have different setup (IP firewall for bridge) and I need this rule

Apparently I still have an error in setting up the firewall configuration. The fact is that although my adguard starts, the statistics show nothing. And it’s not clear whether this is a problem with Adguard or Mikrotik settings. At the same time, in all the videos that I watched on the topic of launching AdGurd, regardless of the launch location (Mikrotik or another server), traffic blocking begins immediately at the default settings. So I tried to return your rule and even added a rule from the Mikrotik instructions for pi-hole, that is, this:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.0.2 dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80

And I added a DNS server for this subnet,

/ip dns set servers=172.17.0.2

but still the statistics on the adguard website are not updated. Apparently there is no traffic. How else can this be checked and configured?

However, if I make a printout like this:

>container print
 0 name="5ae8a330-5a2b-45ea-89e2-63f29a037a74" tag="adguard/adguardhome:latest" os="linux" arch="arm" interface=veth1 root-dir=adguard mounts=adguard_etc dns=""
   workdir="/opt/adguardhome/work" logging=yes start-on-boot=yes status=running

It seems like there is no dns here. I don’t know if we are talking about the same DNS, and whether any changes need to be made here.

optio · Thu Dec 07, 2023 12:59 am

Unfortunately I'm not familliar with Adguard, personally I use Pi-Hole so I can't be much help for it. If you can access Adguard admin from LAN you should also able to access it's DNS, no need for that nat rule. Set Adguard IP for DNS manually for test directly on your machine, maybe you are not even using it.

DyadyaGenya · Fri Dec 08, 2023 3:06 pm

I realized one mistake. The container’s DNS was registered at the end of the queue, I raised it higher and it seemed like the traffic went through the container. BUT I don’t see requests from devices via Wi-Fi. Although Wi-Fi seems to be involved in network bridge and there is Internet on the phones.

optio · Fri Dec 08, 2023 3:50 pm

From your previous post you have set Adguard as upstream DNS for ROS DNS (/ip dns set servers=172.17.0.2), in this case if is not manually set Adguard IP on device for DNS devices will use DHCP set DNS which is ROS DNS (I guessing that since you didn't reveal configuration) which means only ROS will use Adguard, others will use ROS (still hosts will be filtered by Adguard on clients, just you have caching in ROS DNS because is in the middle). Also this can be DNS loop for Adguard if you didn't specify different DNS IP for container, some external (from ISP or some public like 1.1.1.1 or 8.8.8.8 ) unless Adguard use some internally configured DNS for resolving hosts for its internet connection for fetching/refreshing block lists, update check, etc (not using Adguard, idk).
Here you can se my scenario how I use additional DNS services with ROS.

DyadyaGenya · Fri Dec 08, 2023 5:53 pm

I guessing that since you didn't reveal configuration

I believe that you meant this type of configuration, because I can’t draw as beautifully as you do, and I don’t understand everything, and I’m not sure whether my drawing will coincide with reality.

# 2023-12-08 17:22:43 by RouterOS 7.10.2
#
# model = RB4011iGS+5HacQ2HnD

/interface bridge
add name=bridge-LAN
add name=dockers
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN
set [ find default-name=ether10 ] loop-protect=on name=eth10-WAN-LTE
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 name=veth1
/container mounts
add dst=/etc/adguard name=adguard_etc src=/adguard/etc
/interface list
add name=list1-WAN
add name=list2-LAN
add name=list3-WAN-LTE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MyMikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    SecuretyPass supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no \
    frequency-mode=manual-txpower mode=ap-bridge name=wlan1-5Gz radio-name=\
    b869f4c58845 security-profile=SecuretyPass ssid=Dima1 station-roaming=\
    enabled
set [ find default-name=wlan2 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-XX country=no_country_set disabled=no frequency-mode=\
    manual-txpower mode=ap-bridge name=wlan2-2.4Gz security-profile=\
    SecuretyPass ssid=Dima1 station-roaming=enabled
/ip pool
add name=dhcp_pool1 ranges=192.168.0.10-192.168.0.99
add name=dhcp_pool2 ranges=192.168.0.11-192.168.0.99
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool2 interface=bridge-LAN lease-time=10m \
    name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/container
add interface=veth1 logging=yes mounts=adguard_etc root-dir=adguard \
    start-on-boot=yes workdir=/opt/adguardhome/work
/container config
set ram-high=100.0MiB registry-url=https://registry-1.docker.io tmpdir=\
    /tmp_docker
/interface bridge port
add bridge=bridge-LAN ingress-filtering=no interface=ether2
add bridge=bridge-LAN ingress-filtering=no interface=ether3
add bridge=bridge-LAN ingress-filtering=no interface=ether4
add bridge=bridge-LAN ingress-filtering=no interface=ether5
add bridge=bridge-LAN ingress-filtering=no interface=ether6
add bridge=bridge-LAN ingress-filtering=no interface=ether7
add bridge=bridge-LAN ingress-filtering=no interface=ether8
add bridge=bridge-LAN ingress-filtering=no interface=ether9
add bridge=bridge-LAN ingress-filtering=no interface=wlan1-5Gz
add bridge=bridge-LAN ingress-filtering=no interface=wlan2-2.4Gz
add bridge=dockers interface=veth1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=eth1-WAN list=list1-WAN
add interface=bridge-LAN list=list2-LAN
add interface=eth10-WAN-LTE list=list3-WAN-LTE
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.0.2/24 interface=bridge-LAN network=192.168.0.0
add address=172.17.0.1/24 interface=dockers network=172.17.0.0
/ip dhcp-client
add interface=eth1-WAN use-peer-dns=no use-peer-ntp=no
add interface=eth10-WAN-LTE use-peer-dns=no
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.2,192.168.0.1,8.8.8.8 \
    gateway=192.168.0.2
/ip dns
set servers="172.17.0.2,192.168.0.2,8.8.8.8,192.168.0.1,192.168.1.1,192.16\
    8.0.1,8.8.4.4"
/ip firewall address-list
add address=8.8.8.8 list=allowed-ping-to-WAN
/ip firewall filter
add action=drop chain=input comment="Drop IN echo request" disabled=yes \
    icmp-options=8:0 in-interface-list=list1-WAN protocol=icmp \
    src-address-list=NotAllowIPRemoteManagement
add action=accept chain=forward disabled=yes in-interface-list=list2-LAN \
    out-interface=dockers
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=list1-WAN
add action=masquerade chain=srcnat out-interface-list=list3-WAN-LTE
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.2 \
    dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.0.2 \
    dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no
/system leds
add interface=wlan2-2.4Gz leds="wlan2-2.4Gz_signal1-led,wlan2-2.4Gz_signal2-le\
    d,wlan2-2.4Gz_signal3-led,wlan2-2.4Gz_signal4-led,wlan2-2.4Gz_signal5-led" \
    type=wireless-signal-strength
add interface=wlan2-2.4Gz leds=wlan2-2.4Gz_tx-led type=interface-transmit
add interface=wlan2-2.4Gz leds=wlan2-2.4Gz_rx-led type=interface-receive

DyadyaGenya · Sat Dec 09, 2023 12:25 am

Here you can se my scenario how I use additional DNS services with ROS.

I wish I had found this topic sooner. Perhaps I would not have started my own topic. And since this happened, I’ll continue here, although it might be worth moving on to the topic you indicated.
I connected a couple more PCs and I think I understand where the problem is, but I don't know how to fix it.
Other PCs do not receive the new DNS (172.17.0.2), they still receive 192.168.0.2 as DNS. Apparently phones are in the same situation. Only my PC receives the required DNS.

optio · Sat Dec 09, 2023 2:56 am

Add to DHCP server network Adguard IP for DNS:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=172.17.0.2,192.168.0.2,192.168.0.1,8.8.8.8 gateway=192.168.0.2

And you can remove it from ROS DNS (unless you really need it for some reason):
/ip dns
set servers="172.17.0.2,192.168.0.2,8.8.8.8,192.168.0.1,192.168.1.1,192.168.0.1,8.8.4.4"

jvanhambelgium · Sat Dec 09, 2023 11:14 am

And you should "intercept" anyway classic DNS packets in case some client does not want to use the Adguard.
See my example below (I use Pihole)
Make sure you excluded the Adguard/Pi-hole itself using the appropriate src-address-list.

/ip firewall nat add action=dst-nat chain=dstnat comment="DNS Intercept TCP - Pi-hole" dst-port=53 in-interface=Bridge-LAN log-prefix=IPV4-DNSCATCH-TCP protocol=tcp src-address-list=!Pihole to-addresses=172.29.45.251
/ip firewall nat add action=dst-nat chain=dstnat comment="DNS Intercept UDP - Pi-hole" dst-port=53 in-interface=Bridge-LAN log-prefix=IPV4-DNSCATCH-UDP protocol=udp src-address-list=!Pihole to-addresses=172.29.45.251

DyadyaGenya · Sat Dec 09, 2023 2:55 pm

Add to DHCP server network Adguard IP for DNS:
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=172.17.0.2,192.168.0.2,192.168.0.1,8.8.8.8 gateway=192.168.0.2

Yes, it helped. It’s just strange why it worked on my PC even without these settings.

And you can remove it from ROS DNS (unless you really need it for some reason):
/ip dns
set servers="172.17.0.2,192.168.0.2,8.8.8.8,192.168.0.1,192.168.1.1,192.168.0.1,8.8.4.4"

Before this, I didn’t even think about the fact that DNS is configured in two places and whether I need it. Therefore, I will turn to you here for advice. A little later, I plan to set up a DNS for the local network so that some of my devices can be accessed by name. Where is the best place to do this and how, and is it possible to remove DNS from the “configuration” in this case "ip dns"?

And you should "intercept" anyway classic DNS packets in case some client does not want to use the Adguard.

Why might this happen?

Make sure you excluded the Adguard/Pi-hole itself using the appropriate src-address-list.

/ip firewall nat add action=dst-nat chain=dstnat comment="DNS Intercept TCP - Pi-hole" dst-port=53 in-interface=Bridge-LAN log-prefix=IPV4-DNSCATCH-TCP protocol=tcp src-address-list=!Pihole to-addresses=172.29.45.251
/ip firewall nat add action=dst-nat chain=dstnat comment="DNS Intercept UDP - Pi-hole" dst-port=53 in-interface=Bridge-LAN log-prefix=IPV4-DNSCATCH-UDP protocol=udp src-address-list=!Pihole to-addresses=172.29.45.251

I just recently started trying to set up a firewall and I don’t understand everything. For example, 172.29.45.251 is the address of your PI Hole?

DyadyaGenya · Sat Dec 09, 2023 3:01 pm

There is one more question that theoretically concerns container configuration. Suppose I want traffic from a certain site to first pass through some third-party VPN service, and then return to the AdGuardHome container and then to my network. Is it possible to do this and how?

optio · Sat Dec 09, 2023 3:29 pm

Yes, it helped. It’s just strange why it worked on my PC even without these settings.

Maybe DNS IP is manually set on that PC?

A little later, I plan to set up a DNS for the local network so that some of my devices can be accessed by name. Where is the best place to do this and how, and is it possible to remove DNS from the “configuration” in this case "ip dns"?

You have several options to set static local hostnames and domain (example someting.lan):

set only in ROS DNS (/ip/dns) and in Adguard configure conditional DNS forwarding for lan domain to be resolved by ROS DNS (Pi-hole has that feature, for Adguard idk). With this you can achive when Adguard is down that failover ROS DNS resolves local someting.lan without additional configuration in that period and you will not have redundant static records on both DNS servers

set only in Adguard (should be supported, but idk), then in case of Adguard downtime you will not able to resolve these records (unless is already cached locally)

set in both DNS servers, resolving will work during Adguard downtime but you will need to maintain records on both DNS servers

My setup with Pi-hole is 1st option.

Why might this happen?

When someone sets manually DNS IP (overrides DHCP DNS) on some device in network.

optio · Sat Dec 09, 2023 3:41 pm

There is one more question that theoretically concerns container configuration. Suppose I want traffic from a certain site to first pass through some third-party VPN service, and then return to the AdGuardHome container and then to my network. Is it possible to do this and how?

Not really clear what you asking, guessing you want to use local Adguard DNS for resolving over VPN connection. For this you can set in VPN client configuration to assign Adguard IP for DNS upon connection, Wireguard has DNS = <ip> configuration for interface, for OpenVPN can be set with dhcp-option DNS <ip>, etc...

DyadyaGenya · Sat Dec 09, 2023 4:17 pm

Maybe DNS IP is manually set on that PC?

Although I was sure that I had dynamic DNS registered, I decided to double-check and you were right. I forgot to clear persistent DNS in my PC settings.

set only in ROS DNS (/ip/dns) and in Adguard configure conditional DNS forwarding for lan domain to be resolved by ROS DNS (Pi-hole has that feature, for Adguard idk). With this you can achive when Adguard is down that failover ROS DNS resolves local someting.lan without additional configuration in that period and you will not have redundant static records on both DNS servers

Yes, I also wanted to make sure that local names were available in case of AdGuard downtime. It turns out that I need to leave a note:

/ip dns
set servers="172.17.0.2,192.168.0.2,8.8.8.8,192.168.0.1,192.168.1.1,192.168.0.1,8.8.4.4"

When someone sets manually DNS IP (overrides DHCP DNS) on some device in network.

Yes, I was in a hurry with this question... In fact, the situation with my PC is just the opposite. I had to think for myself a little.

Not really clear what you asking, guessing you want to use local Adguard DNS for resolving over VPN connection. For this you can set in VPN client configuration to assign Adguard IP for DNS upon connection, Wireguard has DNS = <ip> configuration for interface, for OpenVPN can be set with dhcp-option DNS <ip>, etc...

no, the question did not concern Wireguard. This is not a website. And frankly, I’m not sure that it makes sense to deploy Wireguard traffic in any other way.
Let's say I want all traffic from YouTube to first go through a third-party VPN in some other country. That is, all traffic from YouTube, before getting to my Adguard, seemed to be seen on YouTube from an IP address of another country.

optio · Sat Dec 09, 2023 4:38 pm

Adguard is DNS service afaik (resolving hosts into IPs), it has nothing with traffic routing. You can set or not set Adguard DNS IP in configuration for third-party VPN client, that's why I mentioned Wireguard, OpenVPN..., assuming that third-party VPN uses some common VPN protocol.

Tichi · Sat Dec 09, 2023 5:29 pm

Maybe unpopular comment but on Youtube you got The Networn Berg who has dedicated complete explanation on this. He does it also for Pi-hole depending on your preference.

optio · Sat Dec 09, 2023 6:01 pm

If you referring to this video, it's a lot of talk for basic setup. For eg. not covered how to have non redundant static DNS entries for local network with failover, discussed in above posts.

jvanhambelgium · Sat Dec 09, 2023 6:15 pm

Why might this happen?
I just recently started trying to set up a firewall and I don’t understand everything. For example, 172.29.45.251 is the address of your PI Hole?
-> There are (Android) clients that I've seen that always contact 8.8.8.8 etc. And in case there is a client with hardcoded DNS settings other then the one you distribute via DHCP. This is just a "failsafe" to catch anyone that tries to "evade" the Adguard.
Offcourse I also do my best to block DNS-over-HTTPS, DNS-over-TLS etc,etc. but that is a bit hit & miss.

-> Yes, in this example NAT-rule, 172.29.45.251 would be a Pihole-instance.

DyadyaGenya · Sat Dec 09, 2023 6:33 pm

Adguard is DNS service afaik (resolving hosts into IPs), it has nothing with traffic routing.

I understand that AdGuard has nothing to do with redirecting traffic. That’s why I wrote that my question only theoretically partially concerns setting up the container.
I assume that such traffic redirection is carried out by other Mikrotik rules and tools. That’s why I wanted to clarify whether I’m right, and if I’m right, then how to do it?

Maybe unpopular comment but on Youtube you got The Networn Berg who has dedicated complete explanation on this. He does it also for Pi-hole depending on your preference.

I watched some videos by this author, including one on setting up Adguard. Perhaps I didn’t understand you quite correctly, but I didn’t see the answer to my question from him. My question concerns setting up this container only indirectly and may even be done without a container at all. I’ll try to formulate it again, excluding the mention of Adguard.
Is it possible to somehow configure Mikrotik so that traffic from YouTube reaches it only through some third-party VPN. If so, how? YouTube in this situation is given only as an example. It could be any other site. But YouTube is better known and it may be easier to check the setup of such traffic redirection.

optio · Sat Dec 09, 2023 7:28 pm

You are contradicting yourself, you "understand that AdGuard has nothing to do with redirecting traffic" but it was in your routing question context and you have concerns about setting up container about that?

Regarding routing per host name on MT, search forum, you have some topics like viewtopic.php?t=171665 or open anoher topic for such question, it has nothing with Adguard or DNS in general, if we exclude DNS resolving from context for ROS address list (for linked topic solution), thats why I suggested in some above post to remove Adguard from ROS upstream DNS, to avoid filtering for ROS.

Who is online