I have a new UniFi network and added my Eblocker onto the network. I’ve changed the DHCP settings on the cloud gateway to point both the DNS and Default gateway to the eblocker under the DHCP settings in UniFi. 

I’ve configured eblocker DHCP to expert mode and set the DHCP to external. 

Eblocker is fine, but my hosted website on my network is no longer accessible from the internet. 

Is there anything else I need to do on the Eblocker to get it accessible again?

In short the speedtests when using eBlocker on a client the bandwidth is impacted too much.

Testing using Windows client, https enabled, cert added to firefox where the tests are made.

Test sites speed.cloudflare.com and fast.com.

eBlocker version 4 up to date. On a VM. First 2 GB memory, increased to 3 GB (yes not a multiple of 2) but when on 2 GB the usage peaked only to 90%. Removed the firewall from the virtio NIC, I am using VirtIO NIC as is the most performant. I have tested increasing to 2 and 4 queues for this NIC. MTU is same as bridge. 

For CPU it was as per the VM definition with x86-64-v2-AES but I have also tested with "Host". The host cpu is modern Ryzen 5.

Results: eBlocker enabled on client, 10 Mbps. eBlocker paused for device, 160 Mbps fast.com, 128 speed.cloudflare . ISP contract 510 Mbps.

WiFi connection on 5 GHz band (channel 116), link speed 961/1081 Mbps, 802.11ax protocol. Sec: WPA3-Personal.

This particular corner of the house doesn't get full speed despite strong signal so the question is not why not full 500 Mbps but why 10 Mbps with eBlocker, 160 Mbps without ? Of course there will be a hit from doing MiM inspection but is this 16 X impact expected? Not a complaint, only wanting to understand and if there are suggestions on what to check.

I have three testing clients: Android mobile phone, Windows 10 laptop, Ubuntu linux 24.04 laptop.

My network setup is non-standard and for that I am testing with eBlocker in-line, not replacing any other of my network components (yet). But I am lacking understanding of the flow.

1. I want to keep my own DHCP server.
2. I want to keep my AdGuardHome ads blocker but only recording stats. It will not be blocking anything.
3. I want to keep my own local DNS resolver (Unbound).

Therefore my currently desired flow for traffic is Client -> eBlocker -> AdGuardHome -> Unbound.

To achieve this I have these settings:
On the client:

• Manually set the DNS server to ip of eBlocker.
• Enabled https and installed cert in firefox browser.

On eBlocker:

• Network mode is Automatic. It shows the correct settings like ip address of eBlocker, the network mask and the Gateway. If I changed to use expert mode it would not need to change.

Now the questions. In this setup for the client with eBlocker set to enabled from the eBlocker dashboard, what type of traffic will go to eBlocker? All plain text DNS queries to port tcp/udp 53. Will it also identify DoT and/or DoH ? What about other non-DNS traffic, will it all go through eBlocker's decryption?

What will happen if I disabled eBlocker for the client in the dashboard? Does eBlocker use its upstream DNS server to simply forward the queries?

What I'm trying to get at is how to have eBlocker used for some not all devices. I am concerned about a single point of failure so understanding the flows and behaviours is very important to me.

I have downloaded the latest v3 vmdk disk and created a proxmox VM. Started it and seems good to try it soon. However I want to ask opinions on if it is even possible to use it the way I want. Let me explain:

My current setup has a Router/Firewall (OPNSense) on a proxmox VM. WAN port goes to a Fibre ONT. LAN port goes to a managed Mikrotik switch (Layer 2 only). Some wired clients go to the switch. One WiFi (eero 6) goes into the switch and there are two more eero nodes around the house providing mesh WiFi. This all works perfectly well. This all in a single VLAN. There is another VLAN but that is separate is not part of the question yet. I use only IPV4.

Now to the logical part. For DNS and privacy but also for learning purposes my setup is:

- ISC DHCP4 on the router issues clients with an IP address or are set with static lease. They are given the DNS ip:port as part of the lease. This is lan-router-ip:53

- AdGuardHome runs on the router listening on port 53. AdGH has as its upstream DNS the router ip:5353. In other words it comes back to the router on a different port.

- Unbound the DNS resolver is listening on port 5353 on all the router interfaces. It takes the queries from AdGuardHome.

- Last part, also on the router I run "Stubby" the DNS over TLS stub resolver from nlnet. stubby listens on port 8053 and is configured to use a few DNS over TLS public resolvers. Unbound is set to send all the queries to stubby, and stubby goes out to the internet on DoT encrypted.

Client -> AdGH -> Unbound -> stubby -> DoT public.

Convoluted, yes. But works well and my dns queries go encrypted to more than one provider. I've been using this setup for some years. I have firewall rules that force any client to go this way if is configured with their own hardcoded dns servers.

Additionally I have Zenarmor which inspects the SNI name from the TLS certificate for TLS connections. This is not a full decrypt and is only a bit better than no TLS SNI inspection.

BUT I know I have gaps. All this works if clients are NOT using DoT or DoH and those are more common now. These TLS encrypted DNS queries brought me here.

I have administrative control of all parts of this network so I can try different things.

MY GOAL: to test eBlocker to use full TLS inspection, for stopping ads and tracking.

To reach my goal I am thinking I likely remove Zenarmor and AdGuardHome, they might be duplicating functions of eBlocker, but only if it block as much AdGH but I also like the visibility of actions on the UI and customisation it allows like per client settings. Where I am not clear is if I should also remove or keep Unbound and Stubby. I keep looking at the documentation and I am a bit unclear.

- I want to retain control of DHCP server - seems I can, eBlocker has option to enable removed link

- It seems eBlocker can be set to use my own DNS server. Then I can just put eBlocker in the chain instead of AdGH. Good.

If you have read so far, can anyone suggest or critique the idea. I also would like to know is this setup a bad idea?

Client -> eBlocker -> Unbound -> stubby -> DoT public.

Great work on eBlocker by the way.