Custom filtering rules not working with ipv6 addresses
Prerequisites
- [x] I have checked the Wiki and Discussions and found no answer
- [x] I have searched other issues and found no duplicates
- [x] I want to report a bug and not ask a question or ask for help
- [x] I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
FreeBSD, AMD64 (aka x86_64)
Installation
Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)
Setup
On a router, DHCP is handled by the router
AdGuard Home version
v0.107.60
Action
I'm trying to set up a custom filtering rule to allow a domain for a specific client based on the client's IPv6 address. I tried the two rules below to achieve the same result (the IPv6 address listed below is not the real IPv6 address, for privacy reasons):
@@||g.doubleclick.net^$client=fe80::198f:2d1f:6502:7fb5
@@||g.doubleclick.net^$client='iPhone'
For the second rule, I first created a persistent client on the “Settings → Client settings” page using its IPv6 address as an identifier:
And while the filter test of AGH shows the first filter rule as working correctly (filter test does not currently support testing the second rule because it uses client names):
Expected result
The domain and its subdomains should be allowed for that specific client.
Actual result
The DNS requests for the domain and subdomains are still being blocked by the configured blocklist:
So both rules do not seem to work as expected.
Additional information and/or screenshots
When leaving the client modifier out of the custom filtering rules or when using an IPv4 address, the rules do work as expected. The issue might be related to this issue, but because I'm not 100% sure, I created a new issue.
I'll join in, because I have the same problem. IPv4 filter exceptions work, but IPv6 doesn't. I noticed that the IPv4 filter was working after I prohibited the use of IPv6 on my PC under Windows. Only then was the blocked site allowed on my PC. Even if I manually enable the client for the blocked site in the query log, it doesn't work with IPv6.
Just as a side note: I run AdGuard Home as a host via a Docker container on a Synology NAS. I also use the Nginx Proxy Manager on the NAS.
Edit:
I found a solution to get the filtering working. I added a /128 to the IPv6 address. After that, the pages I wanted to allow for the client were accessible. However, this solution only works if I also enter a client under Client Settings and then create a custom filter rule that includes the client. If I only enter the IPv6 with the /128 extension under Custom Filter Rules, the error persists.
I'm also experiencing this issue (running the adguard/adguardhome:v0.107.62 Docker image on a MikroTik router). I've tried adding the MAC address as an identifier as well and that didn't work.
From the log it appears that the requests are correctly assigned to the client, but the exceptions are not applied when the request comes from an IPv6 address.
I'd like to add in as well: I've attempted to filter clients based on IP subnets (Settings - Client settings). This works fine for IPv4 /24 subnets, but any filter applied to an IPv6 /56 or /64 prefix doesn't apply and the filters are still in effect.
Could this please be fixed, as I now have to exclude certain VLANs from IPv6 due to filtering restrictions?
Thanks for the great product, by the way.
Can confirm, IPv6 rules are not applied when using Plain DNS. Works over DoT/DoH.
||dns.ftown.cloud^$client=10.4.0.0/16,dnsrewrite=NOERROR;A;10.4.0.2,dnstype=A,important
||dns.ftown.cloud^$client=10.4.0.0/16,dnsrewrite=NOERROR;AAAA;fe80::eeb1:d7ff:fe5a:bb6c,important,dnstype=AAAA,important
||dns.ftown.cloud^$client=fe80::/10,dnsrewrite=NOERROR;AAAA;fe80::eeb1:d7ff:fe5a:bb6c,dnstype=AAAA,important
||dns.ftown.cloud^$client=fe80::/10,dnsrewrite=NOERROR;A;10.4.0.2,dnstype=A,important
nslookup dns.ftown.cloud dns.ftown.cloud
Address: 10.4.0.2
Non-authoritative answer:
Name: dns.ftown.cloud
Addresses: fe80::eeb1:d7ff:fe5a:bb6c
10.4.0.2
This is done over DoH and works.
nslookup dns.ftown.cloud fe80::eeb1:d7ff:fe5a:bb6c
Address: fe80::eeb1:d7ff:fe5a:bb6c
Non-authoritative answer:
Name: dns.ftown.cloud
Addresses: 2a01:799:15d1:8400:eeb1:d7ff:fe5a:bb6c
158.248.116.56
Plain DNS over IPv6 fails, but IPv4 is rewritten.
Adding myself to the discussion. Installed AGH in TrueNAS and using it as sole DHCP server. IPv6 filters based on Client settings are only applied when setting the IPv6 address explicitly. However, this changes every day. Entering the MAC address does not match on queries from IPv6 source address.
This setting only works with the IPv6 added to the client setting:
Block list check respectively: