Hi,
Is it possible to add a function for different client filter configurations?
I want to set different filters for the PCs in my network - can you do this?
Thanks
Was thinking the same.
Specifically around children, being able to group their devices by MAC address and then provide the additional safe search and parental control settings on that group.
That would be great to have specific settings for specific devices based on device name/MAC/IP.
I would apply parental control & multiple filtering lists for the kid's tablet, but allow some resources for my smart or PC.
I would like to set different upstream DNS servers for children and adults.
So here's what is requested:
Number 1 is relatively easy. 2 and 3 are quite harder, though.
Number 1 is done: #727
Any ETA for this issue?
@vtolstov 1 and 3 are done.
As for 2, most likely we'll use a different approach to it -- see https://github.com/AdguardTeam/AdGuardHome/issues/1081
https://github.com/AdguardTeam/AdGuardHome/issues/1081 https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#-ctag
Offer an option to add a single tag or several tags to a whole filter list, then we can assign them to clients.
Now that Pihole 5.0 has been released with group-based filters it would be great if AdGuard Home would also support setting filters based on clients/networks :)
@ameshkov
Is there an ETA to have this available? Or is it not even a priority?
I see it has no milestone, and it is quite a useful feature.
I have not yet decided how we should approach this. In order to do this, I'd like to know how exactly you'd like to use this.
Here's one example, unblocking a couple of domains for a specific device: https://github.com/AdguardTeam/AdGuardHome/issues/1716
I need more examples to make a decision.
I had a specific use case just this week.
I work for a company whose primary domain name is blocked by AG's default filters. I've had to unblock a lot of subdomains just so I can work (or fire up VPN to bypass AGH).
I would've loved the ability to just nominate my laptop's IP address to bypass some filters, or white list just for my IP the root domain that was being blocked.
I know I can likely achieve the same by creating a client group, then setting a ctag, and then manually creating some allow list entries with the ctag, but it was just too complicated for me to mess around with.
As it was, I just ended up turning AGH off for 5 mins to get something done and then turned it back on!
Yep, got it.
This makes sense, and I am thinking that the easiest way would be to simply allow adding rules for specific clients. Something like this: @@||example.org^$client=192.168.1.1
We can make it even easier by adding an option to do this right from the query log.
The problem with ctag: it's suitable for permanent rules, for something like printers etc., as discussed in the feature request https://github.com/AdguardTeam/AdGuardHome/issues/1081. But if we maintain them frequently, such as adding/removing rules from lists, assigning them to different devices from time to time, or when an adult and kids use the same device at home, then it's too complicated with the existing feature.
So I suggest adding an option to write preferred tag names when creating lists; then we can assign them to devices through the client settings page. That's how Google Cloud Platform is designed to work with firewall rules.
(Allow user to add multiple tag names to each list and use same tag name to multiple lists)

From a user experience point of view I think the best way would be
Every time you add a new block list you have the option to choose if:
1.1 This list will be applied by default to any new asset not tagged or defined as a client (checkbox) (if nothing is selected it will apply to everything, always, like it is now)
1.2 Then define what it applies to with these options
1.2.1 Define the clients to which the block list applies (clients defined already in AGH)
1.2.2 Define the tags to which the block list applies (tags for clients are defined in the client section)
1.2.3 Define IP ranges or subnets to which the block list applies (this will override 1.1)
The same logic will apply to "custom filtering rules" or "whitelisting" sections
@lordraiden it is not a question of how to add a client-specific list, I need to know when and why exactly you would use that (or something like that).
Ok,
Well I have dockers, vm and normal users at home.
In dockers and servers I want to use blocklists that are only related to malware domains. I don't care about phishing, or ads (depending on the product used) because no one is going to browse from those IPs. Even if it is a service that phones home like plex, I only need to block 1 domain for that specific service (analytics.plex.tv)
Another case would be IoT (TVs, Alexa, etc.). Maybe in this case I only want to block certain domains or use a specific list for my Samsung TV.
Kids maybe I can load to them a specific domain list to block p0rn xD (energized lists)
In more complex environments probably there are more use cases, and if in a future you want block website categories (I think AGH or the user would need to pay for those lists) you have half of the work done since you can define a blocking policy and apply that policy to clients.
Free and probably a poor source but maybe better than nothing https://dsi.ut-capitole.fr/blacklists/index_en.php
Talking about policies, maybe this would be a cleaner way: you define a complete policy (blocklists, DNS, whitelist, etc. with all the options) and then you apply that policy to the clients you want.
BTW I have edited my previous comment, take a quick look or maybe you read the latest
One more thing, another interesting use case would be to allow only a client to contact certain domains.
I think it would be quite useful for IoT devices, for example if I have a device that only calls to *abc.com, I would like to define that for that client only *abc.com is allowed so if the device gets compromised or does something weird it will be blocked.
In addition many server services, plex, duplicati, etc. can have a very limited range of domains that are in use, so I can do a quick search in the logs over a month period, see all the domains they called and set up an allow list and block everything else.
This will probably require a different approach since we are not working with blocklists and allowing everything else, but we define a whitelist and block everything else. But with the policy concept it will be easy to define the logic (at least in the UI), it will be like an enterprise grade proxy/firewall, all of them use policies that are applied to something: fw rules, users etc.
Maybe I'm a little bit security paranoid xD
I second this, it's a very good security practice. These days we have such a random bunch of IoT/Smart home devices within the bounds of our internal network. It would be great to whitelist exactly which URLs/Call Home destinations they need. They should not need to connect to any other domains or be part of someone's botnet to launch a DDoS. Having an 'Allow List' based on source IP would be amazing.
@ameshkov Will you assign a milestone to this?
Nope, I use this issue as a place for discussion and create new relevant issues for that.
Meanwhile, v0.103.3 adds $client modifier support: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#-client
This lets you create client-specific filtering rules.
Next steps:
1. Allow creating client-specific rules from UI (block/unblock for this client)
2. Allow setting client-specific rules in the client settings
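Added example, not part of the thread and not AdGuard Home code: a sketch of the per-device allow list workflow discussed above. It builds `$client` unblock rules in the form `@@||example.org^$client=192.168.1.1` from a baseline of one device's queries and flags later queries that fall outside that baseline. The log format, field names, IP addresses and domains are constructed for illustration, and blocking everything else for the device is not shown.

```python
import json

# Constructed sample logs (JSON lines). The "client" and "domain" field names
# are hypothetical, not AdGuard Home's query log format.
BASELINE_LOG = """\
{"client": "192.168.1.50", "domain": "api.abc.com"}
{"client": "192.168.1.50", "domain": "abc.com."}
{"client": "192.168.1.50", "domain": "Time.Example.net"}
{"client": "192.168.1.20", "domain": "analytics.plex.tv"}
"""
NEW_LOG = """\
{"client": "192.168.1.50", "domain": "cdn.abc.com"}
{"client": "192.168.1.50", "domain": "update.unknown-host.example"}
"""


def domains_for_client(log_text, client_ip):
    """Domains queried by one client, lower-cased and without a trailing dot."""
    seen = set()
    for line in log_text.splitlines():
        if line.strip():
            entry = json.loads(line)
            if entry["client"] == client_ip:
                seen.add(entry["domain"].lower().rstrip("."))
    return seen


def parents(domain):
    """Strict parent domains: a.b.c -> [b.c, c]."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def allow_rules(baseline, client_ip):
    """One unblock rule per baseline domain; ||d^ also matches subdomains of d,
    so a domain whose parent is already in the baseline needs no rule."""
    minimal = sorted(d for d in baseline if not any(p in baseline for p in parents(d)))
    return [f"@@||{d}^$client={client_ip}" for d in minimal]


def off_baseline(log_text, baseline, client_ip):
    """Domains the client queried that the baseline rules would not cover."""
    return sorted(d for d in domains_for_client(log_text, client_ip)
                  if d not in baseline and not any(p in baseline for p in parents(d)))


if __name__ == "__main__":
    base = domains_for_client(BASELINE_LOG, "192.168.1.50")
    print("\n".join(allow_rules(base, "192.168.1.50")))
    print("review:", off_baseline(NEW_LOG, base, "192.168.1.50"))
```

Domains reported by `off_baseline` are the ones to review before widening the allow list, since they are what the device started contacting after the baseline was taken.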
Any news on this?
Is it on the roadmap?
It would be something like this https://docs.pi-hole.net/database/gravity/example/
- Allow creating client-specific rules from UI (block/unblock for this client)
Done in v0.104