Hello. I have only learned of the existence of eBlocker and I am super impressed and excited to try it.
I have downloaded the latest v3 vmdk disk and created a proxmox VM. Started it and seems good to try it soon. However I want to ask opinions on if it is even possible to use it the way I want. Let me explain:
My current setup has a Router/Firewall (OPNSense) on a proxmox VM. WAN port goes to a Fibre ONT. LAN port goes to a managed Mikrotik switch (Layer 2 only). Some wired clients go to the switch. One WiFi (eero 6) goes into the switch and there are two more eero nodes around the house providing mesh WiFi. This all works perfectly well. This all in a single VLAN. There is another VLAN but that is separate is not part of the question yet. I use only IPV4.
Now to the logical part. For DNS and privacy but also for learning purposes my setup is:
- ISC DHCP4 on the router issues clients with an IP address or are set with static lease. They are given the DNS ip:port as part of the lease. This is lan-router-ip:53
- AdGuardHome runs on the router listening on port 53. AdGH has as its upstream DNS the router ip:5353. In other words it comes back to the router on a different port.
- Unbound the DNS resolver is listening on port 5353 on all the router interfaces. It takes the queries from AdGuardHome.
- Last part, also on the router I run "Stubby" the DNS over TLS stub resolver from nlnet. stubby listens on port 8053 and is configured to use a few DNS over TLS public resolvers. Unbound is set to send all the queries to stubby, and stubby goes out to the internet on DoT encrypted.
Client -> AdGH -> Unbound -> stubby -> DoT public.
Convoluted, yes. But works well and my dns queries go encrypted to more than one provider. I've been using this setup for some years. I have firewall rules that force any client to go this way if is configured with their own hardcoded dns servers.
Additionally I have Zenarmor which inspects the SNI name from the TLS certificate for TLS connections. This is not a full decrypt and is only a bit better than no TLS SNI inspection.
BUT I know I have gaps. All this works if clients are NOT using DoT or DoH and those are more common now. These TLS encrypted DNS queries brought me here.
I have administrative control of all parts of this network so I can try different things.
MY GOAL: to test eBlocker to use full TLS inspection, for stopping ads and tracking.
To reach my goal I am thinking I likely remove Zenarmor and AdGuardHome, they might be duplicating functions of eBlocker, but only if it block as much AdGH but I also like the visibility of actions on the UI and customisation it allows like per client settings. Where I am not clear is if I should also remove or keep Unbound and Stubby. I keep looking at the documentation and I am a bit unclear.
- I want to retain control of DHCP server - seems I can, eBlocker has option to enable removed link
- It seems eBlocker can be set to use my own DNS server. Then I can just put eBlocker in the chain instead of AdGH. Good.
If you have read so far, can anyone suggest or critique the idea. I also would like to know is this setup a bad idea?
Client -> eBlocker -> Unbound -> stubby -> DoT public.
Great work on eBlocker by the way.
MY GOAL: to test eBlocker to use full TLS inspection, for stopping ads and tracking.
You've come to the right spot. 😉
I want to retain control of DHCP server
No problem. Just set eBlocker's IP as the Gateway to be distributed to all clients.
Then I can just put eBlocker in the chain instead of AdGH.
Not sure why to chain two DNS blockers. This looks like double trouble in case overblocking takes place as the source is unclear.
BTW: You can add individual blocker lists to eBlocker - as an alternative to chaining.
Client -> eBlocker -> Unbound -> stubby -> DoT public.
Well, the ad- & tracker-blocking part will work fine. But enabling IP anonymization will encrypt all traffic after eBlocker. So the traffic is probably by-passing the Unbound... DoT chain. Nevertheless eBlocker will work as expected, I suppose.
Hope this helps.
THX!
Not sure why to chain two DNS blockers. This looks like double trouble in case overblocking takes place as the source is unclear.
It would be instead of AdGH. This is however clear.
Well, the ad- & tracker-blocking part will work fine. But enabling IP anonymization will encrypt all traffic after eBlocker probably by-passing the Unbound... chain.
Hope this helps.
Right it does help, thank you. So I'll likely not use IP anonymisation. That said there seems not to be an option. I have:
One or the other, no option to disable but it seems global. If I go to a device settings there is a dropdown to select Tor but currently has no selection. How is the anonymisation meant to be used for global settings ie. that apply to all unless over-ridden per-device?
I have started up the VM. I've enabled https mode for two clients, one linux ubuntu and one microsoft windows. No changes made to the clients' settings other than installing the cert but no changes to my infrastructure and all seems fine.
In eBlocker Netowork section I have it as Automatic Network Mode. It has the correct settings for me
Your current network settings:
Testing on a linux ubuntu 24.04 that I mentioned. https mode is enabled, cert added to the firefox certs. youtub(e) ads still displaying on firefox. The cert I haven't added to the OS store. Why would the ads still show? Is it because is eBlocker 3.2.3 ?
I have it as Automatic Network Mode
This will not work in your environment as it involves ARP-spoofing.
You are obviously a pro. Set up your eBlocker like a pro, and use eBlocker's Expert Network mode. Otherwise your external DHCP and "special" routing will not be supported / by-passed as the ads show.
THX!
Thanks @Random. Apologies but I still don't understand. You see with Automatic Mode I read it as@
IP address: the ip address of eBlocker appliance.
Gateway: the ip address of the network's gateway. It is correct for me.
But I have this ads in youtub(e) so something not right. Attempting your suggestion to go to edit to use Expert Mode I can't edit only the DHCP settings on there to give it my dhcp server 192.168.5.1. I can only edit the fields "ip address" and "gateway". The gateway does not need to be changed. Then only when changing the "ip address" field, it sets both services to the same ip: the ip address of eBlocker and of the dhcp server.
If I understand you, you suggest to have ip of eBlocker as is for example 192.168.5.217 ; ip of gateway as it should be 192.168.5.1 but ip of the dhcp server to what that is and in my case it is 192.168.5.1 same as the gateway. Expert mode doesn't allow me. Is there another way to do it ?
@cooks The IP of your DHCP server is irrelevant.
Make sure to configure your DHCP server to distribute the Gateway and DNS as indicated in the red box in your screenshot. Done.
This makes sure that the client (from DHCP it gets it's IP, the Gateway .217, the DNS .217) sends DNS requests as well as all traffic to eBlocker first (which acts as the gateway).
Client->eBlocker->Internet
If you feel like inspecting/routing/modifing the outbound trafic, just set the Gateway in eBlocker Expert Mode to the IP of the inspection server.
Client->eBlocker->inspection-server
THX!
Addition: For forwarding DNS requests to some internal DNS infrastructure (like unbound) go to Settings>DNS-Blocker. There chose External DNS Server. Under the tab External DNS Servers add the IP of your unbound DNS. Remove all other entries.
THX!
@cooks The IP of your DHCP server is irrelevant.
Make sure to configure your DHCP server to distribute the Gateway and DNS as indicated in the red box in your screenshot. Done.
This makes sure that the client (from DHCP it gets it's IP, the Gateway .217, the DNS .217) sends DNS requests as well as all traffic to eBlocker first (which acts as the gateway).
Client->eBlocker->Internet
If you feel like inspecting/routing/modifing the outbound trafic, just set the Gateway in eBlocker Expert Mode to the IP of the inspection server.
Client->eBlocker->inspection-server
THX!
Aha!. That was the understanding I was missing. Those settings in the red box are those to give to my DHCP server. I need to try that. Thank you.
One more and separately: I saw your question regarding VM images being old and seen the pdf on how to get a newer one for a qnap device. I'm going to have to use that to try to convert the ova to a vmdk so I can replace my version 3 with a beta 4. But I don't have a qnap so going to have to use other mechanism to convert. Your instructions can be followed but don't match. I suspect the v 4 matches.