# OpenWRT Gateway & AdGuard Home - Complete Configuration Guide

## Network Overview

**New Network Topology:**
```
Cable Modem → OpenWRT (Main Gateway) → TP-Link Archer C72 Pro (AP Mode) → Devices
                    ↓
              AdGuard Home (10.0.0.245) - DNS Filtering
```

**IP Configuration:**
- OpenWRT WAN: DHCP from Cable Modem (Public IP)
- OpenWRT LAN: **10.0.0.246** (Main Gateway)
- AdGuard Home: **10.0.0.245** (DNS Server)
- TP-Link Archer C72 Pro: **10.0.0.254** (AP Mode, no routing)
- DHCP Range: **10.0.0.1 - 10.0.0.200**
- Subnet: **10.0.0.0/24**

**Roles:**
- **OpenWRT**: Main router, gateway, firewall, NAT, DHCP server, access control
- **AdGuard**: DNS filtering, ad blocking, phishing protection, parental controls
- **TP-Link**: WiFi access point + Ethernet switch only (no routing/DHCP)

---

## Part 1: OpenWRT Initial Setup as Main Gateway

### 1.1 Physical Connection Setup

**Connection Order:**
1. **DO NOT connect cable modem yet**
2. Connect computer to OpenWRT LAN port via Ethernet
3. Power on OpenWRT
4. Configure OpenWRT completely first
5. Then connect to cable modem

### 1.2 First Login and Basic Configuration

1. **Connect to OpenWRT:**
   - Connect via Ethernet to any LAN port
   - Default IP: `192.168.1.1`
   - Access via browser: `http://192.168.1.1`
   - Default login: `root` (no password initially)

2. **Set Root Password:**
   ```
   System → Administration → Router Password
   ```
   Set a strong password immediately (e.g., 16+ characters with numbers/symbols).

3. **Set Timezone:**
   ```
   System → System → General Settings
   Timezone: Australia/Melbourne
   ```

### 1.3 Configure WAN Interface (Internet Connection)

**This connects OpenWRT to your cable modem.**

1. **Navigate to Network → Interfaces**

2. **Edit WAN interface:**
   - Protocol: `DHCP client` (most cable modems use DHCP)
   - Leave everything default initially
   - Advanced Settings:
     - ✓ Use DNS servers advertised by peer (we'll change this later)
   - Firewall Settings:
     - Create/Assign to firewall zone: `wan`
   - Click "Save"

3. **If your ISP requires specific settings:**
   - Some ISPs require:
     - MAC address cloning (use your old router's MAC)
     - VLAN tagging
     - PPPoE (username/password)
   - Check with your ISP if connection fails

### 1.4 Configure LAN Interface

1. **Navigate to Network → Interfaces**

2. **Edit LAN interface:**
   - Protocol: `Static address`
   - IPv4 address: `10.0.0.246`
   - IPv4 netmask: `255.255.255.0` (or /24)
   - IPv4 gateway: (leave empty - this IS the gateway)
   - Use custom DNS servers: `10.0.0.245`
   - Click "Save & Apply"

3. **Wait 30 seconds**, then reconnect to: `http://10.0.0.246`

### 1.5 Configure Firewall & NAT

1. **Network → Firewall → General Settings**

2. **Zone: WAN**
   - Input: `reject`
   - Output: `accept`
   - Forward: `reject`
   - ✓ Masquerading (NAT) - **CRITICAL**
   - ✓ MSS clamping
   - Covered networks: `wan` `wan6`

3. **Zone: LAN**
   - Input: `accept`
   - Output: `accept`
   - Forward: `accept`
   - Masquerading: unchecked
   - Covered networks: `lan`

4. **Forwarding Rules:**
   - Add: LAN → WAN (Allow) - should exist by default
   - Verify this rule exists

5. **Advanced Settings:**
   ```
   Enable SYN-flood protection: ✓
   Drop invalid packets: ✓
   ```

6. **Save & Apply**

### 1.6 Test Internet Connection

**Now connect the cable modem:**

1. **Connect cable modem to OpenWRT WAN port**
2. **Wait 60 seconds** for modem to assign IP
3. **Check connection:**
   ```
   Network → Interfaces → WAN
   ```
   - Should show public IP address
   - Should show "Connected" status

4. **Test from OpenWRT:**
   - Go to Network → Diagnostics
   - Ping test: `8.8.8.8` (should work)
   - Ping test: `google.com` (should work)

5. **If connection fails:**
   - Check cable modem is online (lights stable)
   - Try rebooting cable modem (unplug 30 seconds)
   - Check WAN interface settings
   - Some ISPs require MAC cloning (see Section 1.9)

### 1.7 Update OpenWRT

**Before continuing, update packages:**

SSH into OpenWRT:
```bash
ssh root@10.0.0.246
```

Update package lists:
```bash
opkg update
opkg list-upgradable
opkg upgrade [package-name]
```

Or update all (be careful, test first):
```bash
opkg list-upgradable | cut -d ' ' -f 1 | xargs opkg upgrade
```

### 1.8 Install Essential Packages

```bash
# Firewall and network tools
opkg install luci-app-firewall
opkg install iptables-mod-extra
opkg install ipset

# Monitoring tools
opkg install luci-app-nlbwmon    # Bandwidth monitoring
opkg install luci-app-statistics  # System stats

# HTTPS for web interface (recommended)
opkg install luci-ssl-openssl

# Additional useful tools
opkg install tcpdump              # Network debugging
opkg install iperf3              # Speed testing
```

### 1.9 MAC Address Cloning (If Required)

Some ISPs bind to your previous router's MAC address.

1. **Find your old router's WAN MAC address**
   - Usually on a sticker on the TP-Link
   - Or from TP-Link admin interface

2. **Clone MAC in OpenWRT:**
   ```
   Network → Interfaces → WAN → Edit
   Advanced Settings:
   - Override MAC address: [enter old router's MAC]
   Save & Apply
   ```

3. **Reboot cable modem and OpenWRT**

---

## Part 2: DHCP Server Configuration

### 2.1 Basic DHCP Settings

1. **Navigate to Network → DHCP and DNS**

2. **General Settings tab:**
   - ✓ Authoritative (OpenWRT is now the only DHCP server)
   - DNS forwardings: `10.0.0.245`
   - DNS server port: `53`
   - Local server: `/lan/`
   - Local domain: `lan` (or your preference like `home.local`)
   - Click "Save"

3. **Advanced Settings:**
   - Rebind protection: ✓
   - Domain whitelist: (leave empty unless needed)
   - Strict order: ✓ (uses DNS servers in order)

### 2.2 DHCP Pool Configuration

1. **Network → Interfaces → LAN → Edit → DHCP Server tab**

2. **General Setup:**
   - Ignore interface: unchecked (DHCP is served on LAN)
   - Start: `1`
   - Limit: `200`
   - Lease time: `12h` (or `24h` for stability)

3. **Advanced Settings:**
   - Dynamic DHCP: ✓
   - Force: ✓ (keeps serving DHCP on this interface even if another DHCP server is detected)

4. **DHCP Options:**
   - Add option `3,10.0.0.246` (Gateway - should be default)
   - Add option `6,10.0.0.245` (DNS Server)
   - Add option `42,10.0.0.245` (NTP Server - optional)

### 2.3 Static Leases Configuration

1. **Navigate to Network → DHCP and DNS → Static Leases**

2. **Add Critical Static Leases:**

**AdGuard Home:**
```
Hostname: adguard
MAC Address: [AdGuard server MAC]
IPv4 address: 10.0.0.245
Lease time: infinite
```

**TP-Link Archer C72 Pro:**
```
Hostname: tplink-ap
MAC Address: [TP-Link WAN/LAN MAC]
IPv4 address: 10.0.0.254
Lease time: infinite
```

**HomeAssistant (if applicable):**
```
Hostname: homeassistant
MAC Address: [HA MAC]
IPv4 address: 10.0.0.55
Lease time: infinite
```

**Other servers/devices:**
```
NAS: 10.0.0.60
Printer: 10.0.0.70
Desktop: 10.0.0.101
Laptop: 10.0.0.102
```

### 2.4 Per-Device DNS Configuration (For Parental Controls)

**Method: Via Config File**

SSH into OpenWRT and edit `/etc/config/dhcp`:

```bash
vi /etc/config/dhcp
```

Add host configurations:

```
# Standard adult device - uses AdGuard with full filtering (LAN default DNS)
config host
    option name 'laptop'
    option mac '11:22:33:44:55:66'
    option ip '10.0.0.101'

# Kids device - tagged so it receives the AdGuard (parental controls) address
config host
    option name 'kids-tablet'
    option mac 'AA:BB:CC:DD:EE:FF'
    option ip '10.0.0.100'
    option tag 'kids'

# Work/unfiltered device - tagged so it bypasses AdGuard
config host
    option name 'work-laptop'
    option mac '77:88:99:AA:BB:CC'
    option ip '10.0.0.150'
    option tag 'unfiltered'

# Per-tag DHCP options: option 6 is the DNS server list handed to every host
# carrying the tag. (In a 'config host' section, 'option dns' is a boolean
# that only creates a DNS record for the host; it does not set its DNS server.)
config tag 'kids'
    list dhcp_option '6,10.0.0.245'

config tag 'unfiltered'
    list dhcp_option '6,1.1.1.1,8.8.8.8'
```

Restart dnsmasq:
```bash
/etc/init.d/dnsmasq restart
```

**Note:** We'll configure AdGuard to handle different filtering levels for kids vs adults in Part 5.
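As an added check (example code written for this guide, not part of the original or of OpenWRT), the script below parses a `/etc/config/dhcp` in the tag form above and reports any host whose tag has no DHCP option 6, which is the silent failure mode of this setup: dnsmasq ignores an unknown tag and the device receives the LAN default DNS instead of the intended override. The sample config is constructed.

```python
# Constructed sample /etc/config/dhcp excerpt (not from a live router): the
# 'kids' tag defines a DNS override, 'unfiltered' is referenced but undefined.
SAMPLE_DHCP_CONFIG = """
config host
    option name 'kids-tablet'
    option mac 'AA:BB:CC:DD:EE:FF'
    option ip '10.0.0.100'
    option tag 'kids'
config tag 'kids'
    list dhcp_option '6,10.0.0.245'
config host
    option name 'work-laptop'
    option mac '77:88:99:AA:BB:CC'
    option ip '10.0.0.150'
    option tag 'unfiltered'
"""

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {key: [values]})."""
    sections = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            name = parts[2].strip("'") if len(parts) > 2 else None
            sections.append((parts[1], name, {}))
        elif parts[0] in ("option", "list") and len(parts) == 3 and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def dns_for_tag(sections, tag):
    """DNS servers a 'config tag' hands out via DHCP option 6, else None."""
    for stype, name, opts in sections:
        if stype == "tag" and name == tag:
            for opt in opts.get("dhcp_option", []):
                if opt.startswith("6,"):
                    return opt[2:].split(",")
    return None

def check_hosts(text, lan_default_dns):
    """Return ({host: effective DNS servers}, [problems]) for each host."""
    sections = parse_uci(text)
    effective, problems = {}, []
    for stype, _, opts in sections:
        if stype != "host":
            continue
        name = opts.get("name", ["?"])[0]
        tag = opts.get("tag", [None])[0]
        dns = dns_for_tag(sections, tag) if tag else None
        if tag and dns is None:
            # unknown tag: the host silently gets the interface default
            problems.append(f"{name}: tag '{tag}' has no DHCP option 6")
        effective[name] = dns or [lan_default_dns]
    return effective, problems
```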

---

## Part 3: Access Control & Device Blocking

### 3.1 Create Device Blocking System

This allows you to block internet access for specific devices.

**Create the management script** `/root/device-control.sh`:

```bash
#!/bin/sh
# Device Access Control Script for OpenWRT
# Usage: ./device-control.sh {init|block|unblock|list|status|log|clear|help}

IPSET_NAME="blocked_devices"
# /var is tmpfs on OpenWRT, so this action log does not survive a reboot
LOG_FILE="/var/log/device-control.log"

init_system() {
    echo "Initializing device blocking system..."
    
    # Create ipset if it doesn't exist
    ipset create $IPSET_NAME hash:ip timeout 0 comment -exist
    
    # Create firewall rule if it doesn't exist
    if ! iptables -C FORWARD -m set --match-set $IPSET_NAME src -j REJECT 2>/dev/null; then
        iptables -I FORWARD 1 -m set --match-set $IPSET_NAME src -j REJECT
        echo "Firewall rule created"
    else
        echo "Firewall rule already exists"
    fi
    
    echo "System initialized successfully"
    echo "$(date): System initialized" >> $LOG_FILE
}

block_device() {
    IP=$1
    NAME=$2
    
    if [ -z "$IP" ]; then
        echo "Error: IP address required"
        echo "Usage: $0 block <IP> [NAME]"
        exit 1
    fi
    
    # Add to ipset with comment
    if [ -n "$NAME" ]; then
        ipset add $IPSET_NAME $IP comment "$NAME" -exist
        echo "✓ Blocked: $NAME ($IP)"
        echo "$(date): Blocked $NAME ($IP)" >> $LOG_FILE
    else
        ipset add $IPSET_NAME $IP -exist
        echo "✓ Blocked: $IP"
        echo "$(date): Blocked $IP" >> $LOG_FILE
    fi
}

unblock_device() {
    IP=$1
    NAME=$2
    
    if [ -z "$IP" ]; then
        echo "Error: IP address required"
        echo "Usage: $0 unblock <IP> [NAME]"
        exit 1
    fi
    
    # Remove from ipset
    if ipset test $IPSET_NAME $IP 2>/dev/null; then
        ipset del $IPSET_NAME $IP
        if [ -n "$NAME" ]; then
            echo "✓ Unblocked: $NAME ($IP)"
            echo "$(date): Unblocked $NAME ($IP)" >> $LOG_FILE
        else
            echo "✓ Unblocked: $IP"
            echo "$(date): Unblocked $IP" >> $LOG_FILE
        fi
    else
        echo "✗ Device $IP was not blocked"
    fi
}

list_devices() {
    echo "=========================================="
    echo "Currently Blocked Devices:"
    echo "=========================================="
    ipset list $IPSET_NAME | grep -A 1000 "Members:" | tail -n +2
    COUNT=$(ipset list $IPSET_NAME | grep -A 1000 "Members:" | tail -n +2 | wc -l)
    echo "=========================================="
    echo "Total blocked: $COUNT device(s)"
}

check_status() {
    IP=$1
    
    if [ -z "$IP" ]; then
        echo "Error: IP address required"
        echo "Usage: $0 status <IP>"
        exit 1
    fi
    
    if ipset test $IPSET_NAME $IP 2>/dev/null; then
        echo "🔴 $IP is BLOCKED"
    else
        echo "🟢 $IP is ALLOWED"
    fi
}

view_log() {
    if [ -f "$LOG_FILE" ]; then
        echo "=========================================="
        echo "Last 50 Actions:"
        echo "=========================================="
        tail -50 $LOG_FILE
    else
        echo "No log file found"
    fi
}

clear_all() {
    echo "⚠️  WARNING: This will unblock ALL devices!"
    echo -n "Are you sure? (yes/no): "
    read CONFIRM
    
    if [ "$CONFIRM" = "yes" ]; then
        ipset flush $IPSET_NAME
        echo "✓ All devices unblocked"
        echo "$(date): All devices unblocked" >> $LOG_FILE
    else
        echo "Cancelled"
    fi
}

show_help() {
    cat << EOF
Device Access Control Script

Usage:
  $0 init                    - Initialize blocking system
  $0 block <IP> [NAME]       - Block a device
  $0 unblock <IP> [NAME]     - Unblock a device
  $0 list                    - List all blocked devices
  $0 status <IP>             - Check if device is blocked
  $0 log                     - View action log
  $0 clear                   - Clear all blocks (with confirmation)
  $0 help                    - Show this help

Examples:
  $0 block 10.0.0.100 "Kids Tablet"
  $0 unblock 10.0.0.100
  $0 status 10.0.0.100
  $0 list

EOF
}

# Main script logic
case "$1" in
    init)
        init_system
        ;;
    block)
        block_device "$2" "$3"
        ;;
    unblock)
        unblock_device "$2" "$3"
        ;;
    list)
        list_devices
        ;;
    status)
        check_status "$2"
        ;;
    log)
        view_log
        ;;
    clear)
        clear_all
        ;;
    help|--help|-h)
        show_help
        ;;
    *)
        echo "Error: Invalid command"
        show_help
        exit 1
        ;;
esac
```

**Install the script:**

```bash
# SSH into OpenWRT
ssh root@10.0.0.246

# Create the script
vi /root/device-control.sh
# Paste the content above

# Make executable
chmod +x /root/device-control.sh

# Initialize the system
/root/device-control.sh init
```

### 3.2 Make Blocking Persistent

Add to `/etc/firewall.user` so the ipset and the REJECT rule are recreated on reboot and on every firewall reload (fw3 runs this file each time it reloads; rules added by hand do not survive a reload). Note that OpenWRT 22.03 and later use the nftables-based fw4, which no longer executes `/etc/firewall.user`, so the iptables/ipset commands in this part apply to fw3 releases (21.02 and earlier):

```bash
vi /etc/firewall.user
```

Add:
```bash
# Device blocking system - persistent across reboots and firewall reloads
ipset create blocked_devices hash:ip timeout 0 comment -exist
# Insert the REJECT rule only if it is not already present (idempotent)
if ! iptables -C FORWARD -m set --match-set blocked_devices src -j REJECT 2>/dev/null; then
    iptables -I FORWARD 1 -m set --match-set blocked_devices src -j REJECT
fi
```

Restart firewall:
```bash
/etc/init.d/firewall restart
```

### 3.3 Usage Examples

```bash
# Block kids tablet at bedtime
/root/device-control.sh block 10.0.0.100 "Kids Tablet"

# Unblock in the morning
/root/device-control.sh unblock 10.0.0.100

# Check if device is blocked
/root/device-control.sh status 10.0.0.100

# List all currently blocked devices
/root/device-control.sh list

# View action history
/root/device-control.sh log
```

### 3.4 Scheduled Access Control (Automatic Blocking)

Set up automatic blocking/unblocking via cron:

```bash
crontab -e
```

Add entries:
```cron
# Block kids devices at 9 PM every day
0 21 * * * /root/device-control.sh block 10.0.0.100 "Kids Tablet"
0 21 * * * /root/device-control.sh block 10.0.0.110 "Gaming Console"

# Unblock the tablet at 7 AM every day; unblock the console at 7 AM on
# weekdays only (a daily 7 AM unblock would open the console on weekend
# mornings and defeat the noon start below)
0 7 * * * /root/device-control.sh unblock 10.0.0.100
0 7 * * 1-5 /root/device-control.sh unblock 10.0.0.110

# Block gaming devices during school hours (Mon-Fri 8 AM - 3 PM)
0 8 * * 1-5 /root/device-control.sh block 10.0.0.110 "Gaming Console"
0 15 * * 1-5 /root/device-control.sh unblock 10.0.0.110

# Weekend gaming limits (noon-8pm only on Sat/Sun)
0 20 * * 6,0 /root/device-control.sh block 10.0.0.110 "Gaming Console"
0 12 * * 6,0 /root/device-control.sh unblock 10.0.0.110
```
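To check a schedule before installing it, here is an added Python simulation (not part of the original guide) that replays the cron entries for one device minute by minute over a week and returns the hours in which the device is allowed, per weekday, so overlapping daily and weekend rules can be reviewed. The entries are a constructed copy of the Gaming Console lines with a weekday-only 7 AM unblock, and the week is assumed to start blocked at Sunday 00:00.

```python
from datetime import datetime, timedelta

# Constructed copy of the Gaming Console entries; only the five time fields,
# the block/unblock verb and the IP are interpreted, the script path is ignored.
CRON_ENTRIES = """
0 21 * * * /root/device-control.sh block 10.0.0.110 "Gaming Console"
0 7 * * 1-5 /root/device-control.sh unblock 10.0.0.110
0 8 * * 1-5 /root/device-control.sh block 10.0.0.110 "Gaming Console"
0 15 * * 1-5 /root/device-control.sh unblock 10.0.0.110
0 20 * * 6,0 /root/device-control.sh block 10.0.0.110 "Gaming Console"
0 12 * * 6,0 /root/device-control.sh unblock 10.0.0.110
"""

def field_matches(field, value):
    """Match one cron field: '*', a number, a range 'a-b' or a list 'a,b-c'."""
    for part in field.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def parse_entries(text, ip):
    """Keep (minute, hour, day-of-week, action) for entries acting on ip."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 8 and f[6] in ("block", "unblock") and f[7] == ip:
            entries.append((f[0], f[1], f[4], f[6]))
    return entries

def allowed_hours(text, ip, start_blocked=True):
    """Replay one week; return {cron weekday (0=Sun..6=Sat): allowed hours}."""
    entries = parse_entries(text, ip)
    blocked = start_blocked
    allowed = {d: set() for d in range(7)}
    t = datetime(2024, 1, 7)  # a Sunday (constructed start date)
    for _ in range(7 * 24 * 60):
        dow = (t.weekday() + 1) % 7  # Python Mon=0 -> cron Sun=0
        for minute, hour, dowf, action in entries:
            if (field_matches(minute, t.minute) and field_matches(hour, t.hour)
                    and field_matches(dowf, dow)):
                blocked = action == "block"
        if not blocked:
            allowed[dow].add(t.hour)
        t += timedelta(minutes=1)
    return allowed
```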

---

## Part 4: TP-Link Archer C72 Pro Configuration (AP Mode)

### 4.1 Important: Reconfigure TP-Link as Access Point

The TP-Link must be set to **Access Point mode** to avoid conflicts with OpenWRT.

1. **Connect to TP-Link:**
   - Connect computer directly to TP-Link LAN port
   - Access: `http://192.168.0.1` or `http://tplinkwifi.net`
   - Default login: `admin/admin`

2. **Change Operation Mode:**
   ```
   Advanced → System Tools → Operation Mode
   Select: "Access Point"
   Click "Save"
   ```

   **Or configure the same result manually (steps 3 to 5):**

3. **Disable DHCP Server:**
   ```
   Advanced → Network → DHCP Server
   Uncheck "Enable DHCP Server"
   Save
   ```

4. **Set Static IP:**
   ```
   Advanced → Network → LAN
   IP Address: 10.0.0.254
   Subnet Mask: 255.255.255.0
   Gateway: 10.0.0.246
   Primary DNS: 10.0.0.245
   Secondary DNS: 10.0.0.246
   Save & Reboot
   ```

5. **Reconnect after reboot:**
   - New address: `http://10.0.0.254`

### 4.2 Configure WiFi on TP-Link

1. **2.4GHz WiFi:**
   ```
   Wireless → Wireless Settings (2.4GHz)
   SSID: YourNetworkName
   Channel: 1, 6, or 11 (least congested)
   Channel Width: 20MHz (or 40MHz if no neighbors)
   Max TX Rate: 300 Mbps
   Enable Wireless: ✓
   Enable SSID Broadcast: ✓
   ```

2. **5GHz WiFi:**
   ```
   Wireless → Wireless Settings (5GHz)
   SSID: YourNetworkName-5G
   Channel: 36, 40, 44, or 48 (or a DFS channel, if supported)
   Channel Width: 80MHz (or 40MHz if issues)
   Max TX Rate: 867 Mbps
   Enable Wireless: ✓
   Enable SSID Broadcast: ✓
   ```

3. **WiFi Security (both bands):**
   ```
   Wireless → Wireless Security
   Version: WPA2-PSK (or WPA3-Personal if supported)
   Encryption: AES
   Wireless Password: [Strong password 12+ characters]
   Group Key Update Period: 3600 seconds
   ```

### 4.3 Physical Connection

**Connect TP-Link to OpenWRT:**

```
OpenWRT LAN Port → TP-Link LAN Port (NOT WAN port!)
```

⚠️ **CRITICAL:** Connect to a **LAN port** on the TP-Link, NOT the WAN/Internet port.

### 4.4 Test TP-Link Connection

1. Connect device to TP-Link WiFi
2. Check you receive:
   - IP: 10.0.0.x (from OpenWRT DHCP)
   - Gateway: 10.0.0.246 (OpenWRT)
   - DNS: 10.0.0.245 (AdGuard)
3. Test internet access
4. Access TP-Link admin: `http://10.0.0.254`

---

## Part 5: AdGuard Home - Complete Setup

### 5.1 Installation Options

**Option A: Docker (Recommended)**

```bash
docker run -d \
  --name adguardhome \
  --restart unless-stopped \
  --hostname adguard \
  -v /opt/adguardhome/work:/opt/adguardhome/work \
  -v /opt/adguardhome/conf:/opt/adguardhome/conf \
  -p 10.0.0.245:53:53/tcp \
  -p 10.0.0.245:53:53/udp \
  -p 10.0.0.245:3000:3000/tcp \
  -p 10.0.0.245:443:443/tcp \
  -p 10.0.0.245:853:853/tcp \
  -e TZ=Australia/Melbourne \
  adguard/adguardhome
```

**Option B: Native Linux Install**

```bash
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
```

**Option C: Windows**

1. Download from: https://github.com/AdguardTeam/AdGuardHome/releases
2. Extract to `C:\AdGuardHome`
3. Run `AdGuardHome.exe` as administrator
4. Install as Windows Service: `AdGuardHome.exe -s install`

For full details on AdGuard configuration with phishing protection, parental controls, and more, the complete guide continues in the file you downloaded.

---

**This is a compressed version of the full 49KB guide. The complete document includes detailed instructions for:**

- Comprehensive AdGuard configuration with fast DNS and security features
- Phishing and malware protection with comprehensive blocklists
- Per-device parental controls with different filtering levels
- Advanced security features to prevent filter bypass
- Complete testing procedures and troubleshooting steps
- Backup, monitoring, and maintenance guides

Download the complete guide (openwrt-gateway-comprehensive.md) from the outputs folder for full details.
