In my home lab, I have an AdGuard instance running that should block all kinds of ads/trackers for the clients. This was working seamlessly before I split up the networks.

With Unifi, it is quite comfortable to set up different networks, e.g. one for the servers/IoT devices, and multiple virtual local area networks (VLANs) for different groups of clients that may access different WiFi SSIDs broadcast by the access points (e.g. guest network vs. internal network).

Below, you find a schematic overview.

[Network diagram: WAN, Modem, Gateway (192.168.0.1), Router, root LAN (192.168.1.0/24) and the VLANs with their clients]

But now, AdGuard was not working as expected anymore. AdGuard was set up correctly as the DNS (Domain Name System) server, and its address was handed to all clients by the dynamic host configuration protocol (DHCP) from the network controller. Still, there were two observations:

1.) The Gateway (192.168.0.1) was the only client which showed up in the AdGuard statistics.

2.) Clients outside the root LAN (192.168.1.0/24) were still retrieving ads.

The solution was twofold as well. First, each VLAN needed an extra configuration telling its clients where the DNS server I wanted them to reach is located (the AdGuard instance at 192.168.1.1). This alone was not enough, since the traffic to that DNS server was blocked by the firewall that isolates the VLANs' traffic. Second, traffic from the VLANs to the root LAN therefore needs to be accepted, but only for DNS:

Accept VLAN --> 192.168.1.1 on port 53 for TCP/UDP
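As an added example (not part of the original post), here is a small Python model of the two fixes: each VLAN's DHCP scope must hand out the AdGuard address, and the firewall must allow only 53/tcp+udp from the VLANs to 192.168.1.1 while everything else towards the root LAN stays dropped. The VLAN subnets, the `vlan-iot` scope that still points at the gateway, and the sample flows are constructed for illustration.

```python
"""Added example: model the DHCP-DNS fix and the DNS-only firewall rule
from the post, then check sample flows against them (constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ADGUARD = ipaddress.ip_address("192.168.1.1")
ROOT_LAN = ipaddress.ip_network("192.168.1.0/24")
# Constructed: each VLAN's subnet and the DNS server its DHCP scope hands out.
VLAN_DHCP_DNS = {
    "vlan-guest": ("192.168.2.0/24", "192.168.1.1"),
    "vlan-iot": ("192.168.3.0/24", "192.168.0.1"),  # still points at the gateway
}


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None = any port
    protos: frozenset    # {"tcp", "udp"}
    action: str          # "accept" or "drop"


def build_rules():
    """Firewall as the post describes it: each VLAN may reach only AdGuard on
    53/tcp+udp; any other VLAN -> root LAN traffic is dropped."""
    rules = []
    for cidr, _ in VLAN_DHCP_DNS.values():
        vlan = ipaddress.ip_network(cidr)
        rules.append(Rule(vlan, ipaddress.ip_network(f"{ADGUARD}/32"), 53,
                          frozenset({"tcp", "udp"}), "accept"))
        rules.append(Rule(vlan, ROOT_LAN, None, frozenset({"tcp", "udp"}), "drop"))
    return rules


def evaluate(rules, src, dst, port, proto):
    """First-match evaluation over an ordered rule list; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and proto in r.protos and r.port in (None, port):
            return r.action
    return "drop"


def dhcp_dns_mismatches():
    """Observation 1 from the post: a VLAN whose DHCP scope does not hand out
    AdGuard makes the gateway the only client AdGuard ever sees."""
    return sorted(name for name, (_, dns) in VLAN_DHCP_DNS.items()
                  if ipaddress.ip_address(dns) != ADGUARD)
```

Run `dhcp_dns_mismatches()` first; a VLAN listed there will keep showing ads no matter how the firewall rule is written.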

Et voilà, everything is working (again).