AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
24.87k stars 1.79k forks

Different client filter configuration #435

Open Kleinhirn opened 5 years ago

Kleinhirn commented 5 years ago

Hi,

Is it possible to add a function for different client filter configurations? I want to set different filters for the PCs in my network. Can you make this?

Thanks

AnthonyBe commented 5 years ago

Was thinking same.

Specifically around children, being able to group their devices by MAC address and then provide the additional safe search and parental control settings on that group.

alexsannikov commented 5 years ago

It would be great to have specific settings for a specific device based on device name/MAC/IP. I would apply parental control and multiple filtering lists for the kid's tablet, but allow some resources for my smart or PC.

Orava2 commented 5 years ago

I would like to set different upstream DNS servers for children and adults.

ameshkov commented 5 years ago

So here's what is requested:

  1. General settings (browsing security / safe search / parental control) per client
  2. Different filters per client
  3. Different DNS servers per client

Number 1 is relatively easy. 2 and 3 are quite a bit harder, though.

ameshkov commented 5 years ago

Number 1 is done: #727

vtolstov commented 4 years ago

Any ETA for this issue ?

ameshkov commented 4 years ago

@vtolstov 1 and 3 are done.

As for 2, most likely we'll use a different approach to it -- see https://github.com/AdguardTeam/AdGuardHome/issues/1081

ghost commented 4 years ago

https://github.com/AdguardTeam/AdGuardHome/issues/1081 https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#-ctag Offer an option to add a single tag or several tags for a whole filter list, then we can assign them to clients.

zejar commented 4 years ago

Now that Pihole 5.0 has been released with group-based filters it would be great if AdGuard Home would also support setting filters based on clients/networks :)

lordraiden commented 4 years ago

@ameshkov Is there an ETA to have this available? Or is it not even a priority? I see it has no milestone, and it is quite a useful feature.

ameshkov commented 4 years ago

I have not yet decided how we should approach this. In order to do this, I'd like to know how exactly you'd like to use this.

Here's one example, unblocking a couple of domains for a specific device: https://github.com/AdguardTeam/AdGuardHome/issues/1716

I need more examples to make a decision.

AnthonyBe commented 4 years ago

I had a specific use case just this week. I work for a company whose primary domain name is blocked by AG's default filters. I've had to unblock a lot of subdomains just so I can work (or fire up VPN to bypass AGH). I would've loved the ability to just nominate my laptop's IP address to bypass some filters, or white list just for my IP the root domain that was being blocked. I know I can likely achieve same by creating a client group, then setting a ctag, and then manually creating some allow list entries with the ctag, but it was just too complicated for me to mess around with. As it was, I just ended up turning AGH off for 5 mins to get something done and then turned it back on!

ameshkov commented 4 years ago

> I would've loved the ability to just nominate my laptop's IP address to bypass some filters, or white list just for my IP the root domain that was being blocked.

Yep, got it.

This makes sense, and I am thinking that the easiest way would be to simply allow adding rules for specific clients. Something like this: @@||example.org^$client=192.168.1.1

We can make it even easier by adding an option to do this right from the query log.

Aikatsui commented 4 years ago

> I have not yet decided how we should approach this. In order to do this, I'd like to know how exactly you'd like to use this. I need more examples to make a decision.

The problem with ctag: it's suitable for permanent rules, something like printers etc., as discussed in the feature request https://github.com/AdguardTeam/AdGuardHome/issues/1081, but if we maintain them frequently, such as adding/removing rules from lists, assigning them to different devices from time to time, or when an adult and kids use the same device at home, then it's too complicated with the existing feature.

So I suggest adding an option to write preferred tag names when creating lists; then we can assign them to devices through the client settings page. That's how Google Cloud Platform is designed to work with firewall rules.

(Allow user to add multiple tag names to each list and use same tag name to multiple lists)

lordraiden commented 4 years ago

From a user experience point of view I think the best way would be

Every time you add a new block list you have the option to choose:

1.1 This list will be applied by default to any new asset not tagged or defined as a client (checkbox) (if nothing is selected it will apply to everything, always, like it is now)

1.2 Then define what it applies to with these options:

1.2.1 Define the clients to which the block list applies (clients already defined in AGH)

1.2.2 Define the tags to which the block list applies (tags for clients are defined in the client section)

1.2.3 Define IP ranges or subnets to which the block list applies (this will override 1.1)

The same logic will apply to "custom filtering rules" or "whitelisting" sections

ameshkov commented 4 years ago

@lordraiden it is not a question of how to add a client-specific list, I need to know when and why exactly you would use that (or something like that).

lordraiden commented 4 years ago

> @lordraiden it is not a question of how to add a client-specific list, I need to know when and why exactly you would use that (or something like that).

Ok,

Well I have dockers, vm and normal users at home.

In dockers and servers I want to use blocklists that are only related to malware domains. I don't care about phishing or ads (depending on the product used) because no one is going to browse from those IPs. Even if it is a service that phones home like Plex, I only need to block 1 domain for that specific service (analytics.plex.tv).

Another case would be IoT (TVs, Alexa, etc..) Maybe in this case I only want to block certain domains or use a specific list for my samsung TV.

Kids maybe I can load to them a specific domain list to block p0rn xD (energized lists)

In more complex environments there are probably more use cases, and if in the future you want to block website categories (I think AGH or the user would need to pay for those lists) you have half of the work done, since you can define a blocking policy and apply that policy to clients. Free and probably a poor source, but maybe better than nothing: https://dsi.ut-capitole.fr/blacklists/index_en.php

Talking about policies, maybe this would be a cleaner way: you define a complete policy (blocklists, DNS, whitelist, etc.) with all the options, and then you apply that policy to the clients you want.

lordraiden commented 4 years ago

BTW I have edited my previous comment, take a quick look, or maybe you read the latest. One more thing, another interesting use case would be to allow a client to contact only certain domains. I think it would be quite useful for IoT devices. For example, if I have a device that only calls to abc.com, I would like to define that for that client only abc.com is allowed, so if the device gets compromised or does something weird it will be blocked. In addition, many server services (Plex, Duplicati, etc.) can have a very limited range of domains that are in use, so I can do a quick search in the logs over a month period, see all the domains they called, set up an allow list, and block everything else.

This will probably require a different approach, since we are not working with blocklists and allowing everything else, but defining a whitelist and blocking everything else. But with the policy concept it will be easy to define the logic (at least in the UI). It will be like an enterprise-grade proxy/firewall; all of them use policies that are applied to something: FW rules, users, etc.

Maybe I'm a little bit security paranoid xD

brendan-intermission commented 4 years ago

> BTW I have edited my previous comment, take a quick look, or maybe you read the latest. One more thing, another interesting use case would be to allow a client to contact only certain domains. I think it would be quite useful for IoT devices. For example, if I have a device that only calls to abc.com, I would like to define that for that client only abc.com is allowed, so if the device gets compromised or does something weird it will be blocked. In addition, many server services (Plex, Duplicati, etc.) can have a very limited range of domains that are in use, so I can do a quick search in the logs over a month period, see all the domains they called, set up an allow list, and block everything else.
>
> This will probably require a different approach, since we are not working with blocklists and allowing everything else, but defining a whitelist and blocking everything else. But with the policy concept it will be easy to define the logic (at least in the UI). It will be like an enterprise-grade proxy/firewall; all of them use policies that are applied to something: FW rules, users, etc.
>
> Maybe I'm a little bit security paranoid xD

I second this, it's very good security practice. These days we have such a random bunch of IoT/smart home devices within the bounds of our internal network. It would be great to whitelist exactly which URLs/call-home destinations they need. They should not need to connect to any other domains or be part of someone's botnet to launch a DDoS. Having an 'Allow List' based on source IP would be amazing.

lordraiden commented 4 years ago

@ameshkov Will you assign a milestone to this?

ameshkov commented 4 years ago

Nope, I use this issue as a place for discussion and create new relevant issues for that.

Meanwhile, v0.103.3 adds $client modifier support: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#-client

This lets you create client-specific filtering rules.

Next steps:

  1. Allow creating client-specific rules from UI (block/unblock for this client)
  2. Allow setting client-specific rules in the client settings
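
The allow-list use case raised earlier in this thread, written with the `$client` rule form quoted above, as an added example that is not part of the original thread or of AdGuard Home's code: it turns observed (client, domain) pairs into per-client exception rules. The sample records are constructed, and the optional `||*^$client=...` block-everything-else rule is an assumption about wildcard syntax to confirm against the wiki page linked above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (client IP, queried name) pairs. This is NOT
# AdGuard Home's query log format; adapt the loader to your own export.
SAMPLE_QUERIES = [
    ("192.168.1.50", "abc.com."),
    ("192.168.1.50", "API.abc.com"),
    ("192.168.1.60", "updates.example.net"),
    ("192.168.1.60", "time.example.org"),
    ("not-an-ip", "example.org"),        # malformed client: skipped
    ("192.168.1.50", "bad name!.com"),   # malformed name: skipped
]

def normalize(name):
    """Lower-case and strip the root dot; None if unsafe to embed in a rule."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    valid = len(labels) >= 2 and len(name) <= 253 and all(
        0 < len(l) <= 63 and l.isascii()
        and l.replace("-", "").replace("_", "").isalnum()
        for l in labels)
    return name if valid else None

def observed_domains(queries):
    """Group valid names by valid client IP, ignoring malformed records."""
    seen = defaultdict(set)
    for client, name in queries:
        try:
            ip = str(ipaddress.ip_address(client))
        except ValueError:
            continue
        domain = normalize(name)
        if domain:
            seen[ip].add(domain)
    return seen

def collapse(domains):
    """Drop names covered by an observed parent: ||parent^ also matches
    subdomains, so the parent rule is broader than what was observed."""
    return sorted(d for d in domains
                  if not any(d.endswith("." + p) for p in domains))

def allowlist_rules(queries, deny_rest=False):
    """Emit exception rules per client; optionally append a block-all rule."""
    rules = []
    for ip, domains in sorted(observed_domains(queries).items()):
        rules += [f"@@||{d}^$client={ip}" for d in collapse(domains)]
        if deny_rest:
            # Assumed wildcard form; verify against the $client documentation.
            rules.append(f"||*^$client={ip}")
    return rules

if __name__ == "__main__":
    print("\n".join(allowlist_rules(SAMPLE_QUERIES, deny_rest=True)))
```

Review the generated names before loading them: a device that was already misbehaving during the observation window would have its destinations allowed too.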

lordraiden commented 3 years ago

> Nope, I use this issue as a place for discussion and create new relevant issues for that.
>
> Meanwhile, v0.103.3 adds $client modifier support: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#-client
>
> This lets you create client-specific filtering rules.
>
> Next steps:
>
> 1. Allow creating client-specific rules from UI (block/unblock for this client)
> 2. Allow setting client-specific rules in the client settings

Any news on this? Is it in the roadmap? It would be something like this https://docs.pi-hole.net/database/gravity/example/

ameshkov commented 3 years ago

> 1. Allow creating client-specific rules from UI (block/unblock for this client)

Done in v0.104

MZGSZM commented 3 years ago

My use case for having per-device filters would be using more conservative lists for my family member's devices compared to my own. I currently use a regex list that catches more stuff on top of my main "ad and tracker blocker" list but it also has more false positives. I don't mind taking the time to whitelist a few things here and there as needed but it's a bit of a hassle when I'm not home and someone else comes across a false positive. So, I'd disable that list for select devices on the network.

zzyonn commented 3 years ago

So, for the moment there is no way to create a group for users and assign a list to this group?

Cybercave commented 3 years ago

Blocky has support for client blocklists. And it is in Go, too.

https://0xerr0r.github.io/blocky/configuration/#client-groups

privacy-advo commented 2 years ago

I would like to bump the issue again. The sheer amount of mentioned issues and duplicates shows how many users would love to see a feature missing compared to all competitors.

White- or blacklisting individual domains per $client/$ctag is fine for a small set of rules. I'll paint a scenario: When it comes to securing my grandparents' PC, my brother's smart TV, my mother's Switch, my nephew's <5 iPad and my father's Instagram-lifestyle Android phone with a single AdGuard Home (probably hosted on a VPS), I need different filter lists as well as whitelists.

Back from fiction: I import rules from my Nextcloud where I maintain my own filterlists. These are regex and adblock-style and have grown through years, to specifically suit the needs of the different persons and devices. Now that I want to use AdGuard Home to stop configuring each single device every time I need to adjust something, associating groups to block- and whitelists is key. I can do this with pi-hole, but I would love to use AdGuard Home because of the other great advantages.

Please ~ give it to the crowd.

privacy-advo commented 2 years ago

Even the sun has spots ... The new AdGuard DNS product: "Different options for all purposes. You may want to have different configurations for your kids' tablets, your work laptop, and your smart TV. With AdGuard DNS you can have an individual setup for each of your devices."

@ameshkov - Will we see this feature in AdGuard Home as well... ?

ameshkov commented 2 years ago

@privacy-advo we will definitely see it in AGH as well in the future. The new AG DNS was created from scratch so we could implement some of the features requested for AGH rather easily. In the case of AGH, the same requires some serious code rework. It is, of course, going to happen, just trying to explain why it happened to AG DNS first.

privacy-advo commented 2 years ago

That's great news, can't wait to test the entirely new built system. I've been on the waiting list since the blog post. Actually it's very reasonable from a business perspective that you put your resources first into a new product. Nevertheless, I hope that your price model won't challenge me to stop running my own (cheap) VPS AdGuard Home instances and go entirely for the new AG DNS. (Don't get me wrong, I own 25 lifetime licenses which cover devices of family and friends.)

privacy-advo commented 2 years ago

> @ameshkov commented on 6 Apr 2019:
>
> So here's what is requested:
>
> 1. General settings (browsing security / safe search / parental control) per client
> 2. Different filters per client
> 3. Different DNS servers per client
>
> Number 1 is relatively easy. 2 and 3 are quite harder, though.

Could 2. Different filterlists per client be an option for a milestone? It's still listed as P2.

ameshkov commented 2 years ago

> Could 2. Different filterlists per client be an option for a milestone? It's still listed as P2.

Yeah, we have this in our future plans.

privacy-advo commented 2 years ago

As 0.108 is on the horizon, is there a chance we will see P2 #435?

ameshkov commented 2 years ago

Yes, there is:)

zzyonn commented 2 years ago

Upgraded to 0.108 Beta, but not found this possibility :s

ameshkov commented 2 years ago

There is a chance, it's not done yet:)

zzyonn commented 2 years ago

> There is a chance, it's not done yet:)

Oupss sorry, my bad ..

privacy-advo commented 2 years ago

It's been almost 4 years. It would be great to finally see the feature. v0.107.16? 👍

useronegit commented 1 year ago

I really hope it will be added soon, for me it would be the best feature for Adguard Home

privacy-advo commented 1 year ago

+1 @ameshkov, is there a way the community could make it happen?

gyCfjSnO commented 1 year ago

> It's been almost 4 years. It would be great to finally see the feature. v0.107.16? 👍

Almost 5 years now 😂

privacy-advo commented 1 year ago

> > It's been almost 4 years. It would be great to finally see the feature. v0.107.16? 👍
>
> Almost 5 years now 😂

Yeah. You name it. Pretty frustrating to see other issues being implemented with every release and this P2 issue, craved by so many as one can see from all the mentions, lasts in the void ...

Knot3n commented 1 year ago

This is def. needed to have services control for children .. e.g TikTok .. Whatsapp for specific clients in specific timeframes... @ameshkov could you give maybe an update about this ?

gyCfjSnO commented 1 year ago

> This is def. needed to have services control for children .. e.g TikTok .. Whatsapp for specific timeframes... @ameshkov could you give maybe an update about this ?

You can control TikTok, Instagram, WhatsApp to be blocked/allowed at specific times.

However, you still can't apply custom blocklists/filters to different clients. For example applying a blocklists/filter only to clients a, b, c while the rest of the clients aren't impacted.

AnthonyBe commented 1 year ago

When I commented on this 5 years ago, it was primarily to better manage the devices of my teenage son.

That son is now an adult.

Knot3n commented 1 year ago

> > This is def. needed to have services control for children .. e.g TikTok .. Whatsapp for specific timeframes... @ameshkov could you give maybe an update about this ?
>
> You can control TikTok, Instagram, WhatsApp to be blocked/allowed at specific times.
>
> However, you still can't apply custom blocklists/filters to different clients. For example applying a blocklists/filter only to clients a, b, c while the rest of the clients aren't impacted.

Yeah sorry, I meant for a specific client, not only a specific time.

adrianmihalko commented 11 months ago

C'mon developers, you can do it.

bvandevliet commented 11 months ago

I'd also like to have this feature! A newer issue (#4334) related to this was opened later on but got also closed already, don't know why..

gyCfjSnO commented 11 months ago

> C'mon developers, you can do it.

I want to see this issue still open in 2028.

lux5am commented 9 months ago

I want this too. I want unknown devices to be unfiltered. My own devices with a much more aggressive AdBlock list. Some grandma-certified AdBlock list for some known devices. Adult/gambling for others and so on. Currently it's not possible, there's only 1 toggle to enable/disable global filters and custom filters. I set up a NextDNS server just for this at the moment.