I have the GL.iNet GL-MT6000 set up with Adguard Home successfully handling 2 basic client profiles. The first is any device with an IP of 192.168.8.2XX, these are admin/parents devices that only have ads blocked. The other type is any other IP, which defaults to the global settings, and the global settings block ads as well as many services like YouTube. All of this is configured through Adguard Home, except the static leases I assign to admin/parents devices via the GL-iNet Admin Panel. In other words, I'm not going into OpenWRT LuCI (or manually editing config files) for any of this. I learned the hard way the OpenWRT side is way harder to understand, and much less "safe" in terms of experimenting with certain settings and not breaking stuff.
Now I am interested in creating a per-device profile (just conceptually, could be composed of various parts like a static leases and Adguard or firewall rules) to have allowlist-only internet access. For example, a device where all traffic is blocked except the kids' school website and homework website. Not something like a recommended list or the parental controls that AGH has built-in, instead just 4-5 hand picked domains.
I know there is probably several ways to do this but I'm asking for suggestions based on what I already have working. Would it be easy to somehow do this through Adguard Home? Is there a simple way to do it through the firewall? The Admin Panel firewall config seems pretty limited, I think it would have to be through the OpenWRT side. Are there other "applications" that can help with an easy way to do this?
It is no problem to realize this with AdGuard Home - now comes the but:
You have to activate AdGuard Home Handle Client Requests and then create the respective clients (e.g. your children's devices) in AdGuard Home. You can then assign specific filter rules to them: Clients · AdguardTeam/AdGuardHome Wiki · GitHub
The learning curve is quite steep, but it shouldn't be a problem if you have the time and patience. And of course try it out.
Now come 2 big “buts”:
by enabling AdGuard Home Handle Client Requests, VPN policies will no longer work. This means that you can no longer define VPN exceptions.
modern devices usually use encrypted DNS and randomized MAC addresses. This means that there is no guarantee that the block cannot be bypassed. iPhones and iPads in particular bypass such blocks by default.
I just checked and I have Handle Client Requests selected already, so that seems good. I do use a VPN for work, so I'll keep an eye on that. I don't think anything related to the adblocking I care about, but I guess I'll need to be sure it isn't blocking something I need for work that I'm not aware of.
I'm familiar with the randomized MACs - I've turned this off for example on my own phone so I can have a static leases. So I should be ok figuring this out for other devices.
I have heard a lot about encrypted DNS but what I've seen so far is no devices I have are using it by default. I do see AGH has a section for setting up encryption that I've mainly ignored. If I do set this up, is it capable of applying all the same filters to encrypted DNS?
Lastly - to set up specific filter rules, I think I would need one Blocklist rule to "block everything" and then individual exceptions to that. I tried two things based on the docs that I thought would work but didn't.
||*^$client=192.168.8.99$denyallow=wikipedia.org|kidsa-z.com
# the rule is to block everything for just the one client, but then allow just those 2 domains. This seemed to just allow everything (except for the global config, that still applied)
||*^$client=192.168.8.99$
@@||wikipedia.org^$client=192.68.8.99
# this blocked everything, including Wikipedia.
It's not clear to me from the docs - how can I block everything but have exceptions take priority?
whoops I had a typo in the IP address when I tried first. I fixed it and now doing it this way is working:
# Block everything for 192.168.8.99
||*^$client=192.168.8.99
# Unblock Wikipedia and razkids
@@||wikipedia.org^$client=192.168.8.99
@@||kidsa-z.com^$client=192.168.8.99