AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Using MAC address for clients without enabling DHCP server #961

Open AnthonyBe opened 5 years ago

AnthonyBe commented 5 years ago

Problem Description

Currently, Clients can only be identified by MAC address if AdGuard Home is also a DHCP server. This is a significant limitation given the newness or limited capability of AGH DHCP server currently.

Proposed Solution

As the client MAC will be in the network packets, why can't MAC address identifiers be used even if AGH is not the DHCP server? Requiring that AGH be the DHCP server significantly limits the ability to use client filters and this would likely impact the vast majority of AGH users.

Alternatives Considered

Do not wish to use AGH DHCP server at this time due to features missing that are available in more mature DHCP servers. AGH DHCP Server is still considered "Experimental" (it is labeled this way in the UI)

ameshkov commented 5 years ago

Any other way of using a MAC address would be unreliable. We can't simply synchronize the IP<->Mac table with the DHCP server, there will always be a time when it's out of sync.

Do not wish to use AGH DHCP server at this time due to features missing that are available in more mature DHCP servers.

Could you please explain what important features are missing?

AGH DHCP Server is still considered "Experimental" (it is labeled this way in the UI)

Well, yeah, but it's close to removing this label:)

davidbdyer commented 5 years ago

One problem with the DHCP server I ran into. My server had a static IP address assigned by my router. When I switched over to using AdGuard's DHCP server I was unable to set that IP as its static; when I tried, it said IP already in use. Why can't I assign the IP a device already has as its static?

szolin commented 5 years ago

when I tried it said IP already in use

It was already fixed in #833, it will be published in the next version.

AnthonyBe commented 5 years ago

Could you please explain what important features are missing?

Apologies if anything below is incorrect, but it is based on my observation so I may have overlooked or just not worked out how to do something, or a feature might just not be obviously documented. I'm basing my comparison on Windows Server DHCP Server which I currently use, and within that, the features I currently use.

  1. Doesn't work on Windows (I just tried to configure a scope and got error "Can't detect static IP: not supported on Windows")
  2. Doesn't support setting DHCP Reservations
  3. Not sure, but doesn't appear to support multiple IP ranges, or conversely, range exclusions?
  4. No option to define DNS Server IP (is this 'hard coded' assuming that AGH's IP is offered as DNS server address?).
  5. No option to offer multiple IP addresses for DNS setting (i.e. primary and secondary DNS) so clients have fallback
  6. DHCP Logging (audit logs)
  7. Conflict detection (i.e. server checks for existence of the IP address it plans to offer, before it offers)

AnthonyBe commented 4 years ago

Keeping open in hope it gets fixed

ameshkov commented 4 years ago

Sorry for missing this

Doesn't work on Windows (I just tried to configure a scope and got error "Can't detect static IP: not supported on Windows")

This would be extremely complicated to implement:( The only option on Windows is to run AGH with Docker.

Doesn't support setting DHCP Reservations

It does support DHCP static leases.

Not sure, but doesn't appear to support multiple IP ranges, or conversely, range exclusions?

Yeah, it is rather simple right now.

No option to define DNS Server IP (is this 'hard coded' assuming that AGH's IP is offered as DNS server address?). No option to offer multiple IP addresses for DNS setting (i.e. primary and secondary DNS) so clients have fallback

Yeah, that's the reason to use it in the first place.

DHCP Logging (audit logs)

It's all in the AdGuard Home logs. Is it useful to expose this information to the UI?

Conflict detection (i.e. server checks for existence of the IP address it plans to offer, before it offers)

It does it automatically

AnthonyBe commented 4 years ago

Doesn't work on Windows (I just tried to configure a scope and got error "Can't detect static IP: not supported on Windows")

This would be extremely complicated to implement:( The only option on Windows is to run AGH with Docker.

Hmm.. So, name resolution (which started this thread if you recall) relies on running the AGH DHCP server, and the DHCP server function isn't available on all platforms.

This feels like you've architected yourselves into a corner with increasingly significant feature compromise. Well, it does from a Windows user perspective anyway.

ameshkov commented 4 years ago

This feels like you've architected yourselves into a corner with increasingly significant feature compromise. Well, it does from a Windows user perspective anyway.

It was the Windows version limitation from the very beginning -- caused by the limitations of golang. The alternative solution is possible I think, we could write that part in C, but it is time-consuming, and we've not seen a big demand for it: https://github.com/AdguardTeam/AdGuardHome/issues/616

AnthonyBe commented 4 years ago

Understood.

Still, feature disparity across OS's is not ideal.

rufengsuixing commented 4 years ago

On Linux, the correspondence between IP and MAC can be monitored from a netlink socket, but on Windows maybe a DHCP server is needed to do this, or use WinPcap to get the ARP packets.

szolin commented 4 years ago

We have a separate task for DHCP Server for Windows: https://github.com/AdguardTeam/AdGuardHome/issues/616

multiple IP ranges, or conversely, range exclusions?

Is it really that necessary? Please describe your use-case.

DHCP Logging (audit logs)

I think we can add info messages on which IP we assign for each MAC. That's useful indeed.

AnthonyBe commented 4 years ago

Multiple ranges and/or range exclusions would normally come about over time. For example, a scenario where you need to extend a DHCP scope but run up against fixed IP devices where changing the IP will require other apps/devices to require a config change, so it's easier to extend the range through this and then exclude a small chunk of the IPs.

WildByDesign commented 4 years ago

One problem with the DHCP server I ran into. My server had a static IP address assigned by my router. When I switched over to using AdGuard's DHCP server I was unable to set that IP as its static; when I tried, it said IP already in use. Why can't I assign the IP a device already has as its static?

when I tried it said IP already in use

It was already fixed in #833, it will be published in the next version.

@szolin This issue mentioned above in the quote and the linked commit/fix seems to be an issue that I still have several times now.

Quite often when I am doing my testing with AGH, I set my main Windows client system with a static IP during this testing time so that I don't lose connections during this time. When I am satisfied with my testing of changes to AGH, I set my main Windows client system back to receiving IP and DNS automatically.

It is at this point that my Windows client machine fails to receive an IP address from AGH DHCP server, noting a conflict of IP. I always have to resort to drastic measures by stopping the AGH service, deleting leases.db, sessions.db, stats.db and restarting the AGH service.

This is the only time that I get an IP conflict and there is no choice but to do these drastic measures because AGH DHCP cannot recover from this state. This only affects my Windows client machine and only specifically after setting a static IP address.

olivamauricio commented 3 years ago

Hi guys. A little question: due to the lack of synchronism due to the use of DHCP in the blocking of websites, it would no longer be correct to enable blocking only for the settings where the administrator user uses "static DHCP leases".

It would be great to use MAC address blocking using this feature. Is it possible?

Here's the tip!

ameshkov commented 3 years ago

Merging #2383 here, we shouldn't forget to add MAC-addresses support to client modifier.

ameshkov commented 3 years ago

Had to postpone a little bit, in v0.106 we'll focus on #2704 which is not the same, but kinda relevant.

siewers commented 2 years ago

In my case I'm using an AmplifyHD router, where I cannot disable the DHCP server unless I put it in bridge mode, effectively making it a glorified switch with a clock. It doesn't allow me to override the client names either, so I'm left with some clients being identified and others not, since it solely relies on the clients to provide their names, which a lot don't or do so very poorly (like Sonos, where every device is named SonosZP). Adding all the clients to the client table in AGH and specifying the MAC and (for now) the IP allows me to provide names for all my devices. I would rather not have to create static leases for all devices, which is why I'd love to have AGH identify each by the MAC alone.

Having AGH also record new, unknown clients including their MAC would be great as well. Including that with an option to quickly add the client to the known devices list and assign it a name would be a killer feature.

Tazzios commented 2 years ago

Any other way of using a MAC address would be unreliable. We can't simply synchronize the IP<->Mac table with the DHCP server, there will always be a time when it's out of sync.

Do not let perfect be the enemy of good. The total AdGuard (and pi hole) solution is not perfect, it can be bypassed by: website (proxy the ads), ad host (use IP address for content) and clients on your network (change DNS server or running VPN), but it is good!

Filtering by MAC address would be a friendly solution for less advanced users. Using AdGuard as a DHCP server increases the single point of failure. I pretty much know my way, but if I start using AdGuard as DHCP in my house I won't make any friends, because that means that my NAS, which runs the VM with Home Assistant, which has the AdGuard add-on, all can't have any downtime.

How does pi hole have the MAC address client implemented?

DanaGoyette commented 1 year ago

PiHole can use the mac address that dnsmasq stuffs into an EDNS option, via the add-mac config option, so AGH could likely do the same thing.
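What reading such an option looks like on the receiving resolver, as an added example that is not part of the original comment and is not AdGuard Home or dnsmasq code. It assumes the private-use option code 65001 and the raw 6-byte encoding that dnsmasq's `add-mac` uses by default; the sample RDATA is constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// ednsOptionMAC is the option code assumed for dnsmasq's add-mac. It is a
// private-use code, not an IANA-assigned standard option.
const ednsOptionMAC = 65001

var errTruncated = errors.New("truncated EDNS option")

// macFromOPT walks the RDATA of an OPT record, which is a sequence of
// (code uint16, length uint16, value) options, and returns the MAC if present.
func macFromOPT(rdata []byte) (net.HardwareAddr, bool, error) {
	for len(rdata) > 0 {
		if len(rdata) < 4 {
			return nil, false, errTruncated
		}
		code := binary.BigEndian.Uint16(rdata[0:2])
		n := int(binary.BigEndian.Uint16(rdata[2:4]))
		rdata = rdata[4:]
		if n > len(rdata) {
			return nil, false, errTruncated
		}
		if code == ednsOptionMAC {
			if n != 6 {
				return nil, false, fmt.Errorf("unexpected MAC option length %d", n)
			}
			// Copy so the result does not alias the packet buffer.
			return net.HardwareAddr(append([]byte(nil), rdata[:n]...)), true, nil
		}
		rdata = rdata[n:] // skip options we do not care about
	}
	return nil, false, nil
}

func main() {
	// Constructed sample: a cookie option (code 10, 8 bytes), then the MAC option.
	rdata := []byte{0x00, 0x0a, 0x00, 0x08, 1, 2, 3, 4, 5, 6, 7, 8,
		0xfd, 0xe9, 0x00, 0x06, 0x02, 0x00, 0x5e, 0x10, 0x00, 0x01}
	fmt.Println(macFromOPT(rdata))
}
```

Any DNS client can attach this option itself, so a resolver should honour it only on queries arriving from the forwarder it trusts to set it.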

Bolten88 commented 1 year ago

Is this an issue which is going to be resolved? I want to switch from PiHole to Adguard and I don't want to use Adguard as a DHCP server.

ghahramani commented 1 year ago

Another reason I would like to add here to what @WildByDesign mentioned, it seems enabling IPv6 is not as trivial as IPv4 in Adguard Home which it is out of the box config in openwrt, I raised the issue related to DHCP server issue here https://github.com/AdguardTeam/AdGuardHome/issues/5758

robi052 commented 1 year ago

Hi,

I use AGH as DNS and DHCP (on rpi). In Client settings, when I put a MAC address, Request count is empty. If I put the current local IP address, the count is OK. In Query logs, if it is a MAC, I cannot see the client name. What's wrong?

developerbuzz commented 12 months ago

I would like to be able to identify clients based on MAC address without the overhead of using AGH as DHCP. I have a Sophos XG Firewall for DHCP with different DHCP/VNET configuration for IOT, homelab, work and home devices and would like to identify these clients and block/restrict DNS based on their MAC address so I don't have to configure static IP addresses for each and every device.

IP addresses change - mac addresses don't (unless you change the network card of course). Please consider this as a change.

AnthonyBe commented 12 months ago

Agreed. I do not plan on using AGH for DHCP ever. I can appreciate that it is more convenient if AGH is the DHCP server to implement other linked functionality, but making it a requirement should not be the case as this is not in the end-user's overall best interest.

theschles commented 11 months ago

+1 to this as well. I was tearing my hair out trying to figure out why AGH wasn't blocking Clients based upon MAC address. Now I see why.

I'd rather leave the DHCP server on my router, thank you very much. WHY is having AGH as a DHCP server a necessity for configuring Client filters with MAC addresses?

Sav3k commented 9 months ago

Any news on this?

ainar-g commented 9 months ago

No news, since @ameshkov's comment is still relevant. A MAC address is not readily available for clients that aren't also DHCP clients.

ghahramani commented 9 months ago

I am using it as DHCP but still, for IPv6 I cannot filter the user, it seems when a client uses IPv6, the MAC address does not get recognized by Adguardhome, to block the client, I had to define IPv6 for the client.

image

As you can see in the screenshot, it shows IPv6 instead of MAC address; therefore, to block the client I have to set IPv6 in the client settings, which gets changed every time the laptop gets restarted, as IPv6 does not work like IPv4 in IP lease.

hayzamjs commented 7 months ago

I've created a simple script that can populate IP addresses (both IPv4 and IPv6) based on the MAC address present for a client. I currently run it on an OpenWRT box, and while it may not be the most accurate, it does the job for me. I hope it helps someone else in a similar situation who, for some reason, cannot use AdGuard's built-in DHCP server.

ghahramani commented 7 months ago

I've created a simple script that can populate IP addresses (both IPv4 and IPv6) based on the MAC address present for a client. I currently run it on an OpenWRT box, and while it may not be the most accurate, it does the job for me. I hope it helps someone else in a similar situation who, for some reason, cannot use AdGuard's built-in DHCP server.

How can I specify to update the IP address of a specific client (I want YouTube to be open only for one client)? By the way, I am using AdguardTeam DHCP with IPv4 and IPv6, but it seems when a device requests with IPv6, Adguard cannot find out about its MAC address, therefore it allows it and does not filter it. It seems it only works with IPv4; your script helps to update IPv6 in the client UI to set it for filtered clients.

ghahramani commented 5 months ago

@ameshkov I would like to report two missing features as well for AGH DHCP

  1. set static IPv6 addresses at least the local ones
  2. choose between relay mode, server mode or hybrid mode for IPv6

ingoratsdorf commented 4 months ago

Looks like the original request would not be too complicated to implement. It would appear we are already collecting runtime client information and presumably storing it. Looking through the source I see stuff in ARP and I see some info (no MAC though) on the dashboard under "Runtime clients" with source ARP. Now ARP gives you a MAC to every IP. Can I assume the info is stored somewhere? If it is, can we use that info to match the persistent client info against it? I had a bit of hit and miss with using IPs only. I'd rather prefer to use MACs for obvious reasons. We could add a column "HWAddr" in the "Runtime clients" dashboard table for good measure. And it would also make this whole IPv4 / IPv6 business easier, no?
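A sketch of the ARP-based matching discussed in this thread, as an added example that is not part of any comment above and is not AdGuard Home's code. It assumes the Linux `/proc/net/arp` text layout; the table contents, the `byMAC` client table and the client name are constructed and hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Constructed sample in the layout of Linux /proc/net/arp (not real data).
const sampleARP = `IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         a4:5e:60:aa:bb:01     *        br-lan
192.168.1.21     0x1         0x0         00:00:00:00:00:00     *        br-lan
192.168.1.22     0x1         0x2         B8:27:EB:CC:DD:02     *        br-lan
`

// parseARP returns IP -> MAC for completed entries (flag bit 0x2) only, so a
// neighbour that has not answered yet never matches a client rule.
func parseARP(table string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(table))
	sc.Scan() // skip the header line
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			continue
		}
		flags, err := strconv.ParseUint(f[2], 0, 32)
		ip := net.ParseIP(f[0])
		mac, macErr := net.ParseMAC(f[3])
		if err != nil || macErr != nil || ip == nil || flags&0x2 == 0 {
			continue
		}
		out[ip.String()] = mac.String() // String() lower-cases the MAC
	}
	return out
}

// clientByIP maps a query's source IP to a client name configured by MAC.
// byMAC is a hypothetical persistent-client table keyed by lower-case MAC.
func clientByIP(arp, byMAC map[string]string, srcIP string) (string, bool) {
	name, ok := byMAC[arp[srcIP]]
	return name, ok
}

func main() {
	byMAC := map[string]string{"b8:27:eb:cc:dd:02": "sonos-kitchen"}
	fmt.Println(clientByIP(parseARP(sampleARP), byMAC, "192.168.1.22"))
}
```

The ARP table covers IPv4 neighbours on the local segment only and is a snapshot, so a lookup can miss or return a stale mapping, and a MAC is set by the client itself and should not be treated as an authenticated identity.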