# Networking & Firewall

## Network Interfaces

| Interface | Subnet | Purpose |
|---|---|---|
| Primary | 192.168.x.x/24 | LAN access |
| lo | 127.0.0.0/8 | Loopback (dnsmasq binds here) |
## DNS Configuration

### AdGuard Home (Primary DNS)

- Listens on port 53 (TCP/UDP) — all interfaces
- Provides ad-blocking, tracker blocking, and malware protection
- Supports DoH (443), DoT (853/8853), DoQ (784), DNSCrypt (5443)
- Upstream DNS: Cloudflare (1.1.1.1), Google (8.8.8.8)

### dnsmasq (Local Cache)

- Listens on loopback only (`interface=lo`, `bind-interfaces`)
- Provides local DNS caching to reduce external queries
- Does NOT conflict with AdGuard Home port 53
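As an added check that is not part of the original page, the shell function below reads `ss -Hlntup` output and verifies the port-53 layout described above: dnsmasq bound to loopback only, no two listeners on the same socket, and no wildcard bind on port 53 overlapping a loopback bind (the case that normally fails with EADDRINUSE). The function name is an assumption; the sample lines in the usage comment are constructed.

```bash
# Checks the port-53 layout described above: dnsmasq bound to loopback only,
# and no wildcard bind (0.0.0.0 / * / [::]) sharing port 53 with a loopback bind.
# Reads `ss -Hlntup` lines from stdin (run ss as root so the process column is
# filled in). Returns 0 when the layout is clean, 1 plus a message per problem.
# Usage:  ss -Hlntup | check_port53_layout
# Constructed sample line it understands:
#   udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("dnsmasq",pid=812,fd=4))
check_port53_layout() {
  awk '
    {
      n = split($5, a, ":"); port = a[n]            # $5 is Local Address:Port
      if (port != 53) next
      addr = substr($5, 1, length($5) - 3)          # drop the trailing ":53"
      proc = "?"                                    # unknown unless ss ran as root
      if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
      key = $1 " " addr                             # netid (tcp/udp) + address
      if (key in seen) { print "CONFLICT: " key ":53 bound by " seen[key] " and " proc; bad = 1 }
      seen[key] = proc
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") { wild[$1] = proc }
      if (addr == "127.0.0.1" || addr == "[::1]") { loop[$1] = proc }
      else if (proc == "dnsmasq") { print "dnsmasq bound to non-loopback " addr ":53"; bad = 1 }
    }
    END {
      # A wildcard bind and a loopback bind on the same port usually fail with EADDRINUSE.
      for (p in wild) if (p in loop) {
        print "CONFLICT: " p " wildcard :53 (" wild[p] ") overlaps loopback :53 (" loop[p] ")"; bad = 1
      }
      if (bad) exit 1
    }'
}
```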
### Resolution Flow

```mermaid
graph LR
    Client --> AdGuard[AdGuard Home :53]
    AdGuard --> Cache{Cache?}
    Cache -->|Hit| Response[Response]
    Cache -->|Miss| Upstream[Upstream DNS]
    Upstream --> Response
    AdGuard --> dnsmasq[dnsmasq<br/>local cache]
```
## Firewall Rules (firewalld)

### Public Zone

```bash
# View current rules
firewall-cmd --list-all

# Open a port permanently
firewall-cmd --add-port=PORT/tcp --permanent
firewall-cmd --reload

# Remove a port
firewall-cmd --remove-port=PORT/tcp --permanent
firewall-cmd --reload
```
### Required Ports (by service)

| Service | Port | Protocol | Direction | Notes |
|---|---|---|---|---|
| AdGuard DNS | 53 | TCP/UDP | Inbound | DNS queries |
| AdGuard DoH | 443 | TCP | Inbound | DNS over HTTPS |
| AdGuard DoT | 853 | TCP/UDP | Inbound | DNS over TLS |
| AdGuard DoQ | 784 | UDP | Inbound | DNS over QUIC |
| AdGuard DNSCrypt | 5443 | TCP/UDP | Inbound | DNSCrypt |
| nginx | 80 | TCP | Inbound | HTTP (proxied via Cloudflare) |
| SSH | 22 | TCP | Inbound | Remote management |
| Samba | 445 | TCP | Inbound | SMB file sharing |
| NFS | 2049 | TCP | Inbound | NFS exports |
| qBittorrent | 6881 | TCP/UDP | Inbound/Outbound | BitTorrent |
## Cloudflare Tunnel

### Configuration

- Token-based authentication (no `config.yml` needed)
- Service: `/etc/systemd/system/cloudflared.service`
- Auto-update: `/etc/systemd/system/cloudflared-update.service`
### Architecture

```mermaid
graph LR
    Internet --> Cloudflare[Cloudflare Edge]
    Cloudflare --> cloudflared[cloudflared<br/>outbound tunnel]
    cloudflared --> nginx[nginx :80]
```
### Benefits

- No inbound firewall ports required
- DDoS protection via Cloudflare
- Free SSL/TLS certificates
- Access control via Cloudflare Access
- Works behind NAT/CGNAT
### Management

```bash
# Check tunnel status
systemctl status cloudflared

# View logs
journalctl -u cloudflared -f

# Force update
systemctl start cloudflared-update.service
```
## Port Forwarding (if not using Cloudflare)

If the Cloudflare tunnel is unavailable, forward these ports on your router:

| External Port | Internal IP | Internal Port | Protocol |
|---|---|---|---|
| 80 | server-ip | 80 | TCP |
| 443 | server-ip | 443 | TCP |
| 53 | server-ip | 53 | TCP/UDP |

Using Cloudflare Tunnel eliminates the need for port forwarding entirely.