Like any good homelabber, I sometimes get the urge to “just try something” late at night. This time, that “something” was AdGuard Home, a DNS-level ad blocker and filtering service. My plan was simple: spin up AdGuard in Docker, point pfSense at it, and bask in an ad-free, privacy-respecting LAN.
Spoiler: I ended up taking down my entire WAN, angering every device in my house, and performing a full Google Home WiFi factory reset at 1 AM. (Because when else are you going to "test" things that impact your entire home network?)
The Setup
- Hardware: Proxmox host running a Docker LXC
- Target: Deploy AdGuard Home with a dedicated LAN IP using a macvlan network
- Router/Firewall: pfSense
- WiFi: Google Nest WiFi mesh
Everything looked good at first. AdGuard spun up fine, I could hit the web UI, and pfSense started handing it out via DHCP. Then came the tricky part: making sure both LAN and WAN devices were resolving through AdGuard.
The Problem
Here’s where things unraveled.
Google Nest WiFi doesn’t play nicely if you’re running it in a mesh setup. Bridge mode is disabled if you have multiple pucks. That meant the Nest router insisted on being a full-blown NAT gateway, complete with its own DHCP and DNS opinions.
I figured, “No big deal — I’ll just tweak the DNS settings in the Google Home app back to Automatic and let pfSense + AdGuard handle the rest.”
Except… every time I tried, the app barked at me:
“Make sure you have internet connectivity.”
I flipped, reflipped, flushed caches, and rebooted. At some point I broke DNS so badly that the entire WAN effectively dropped. No streaming. No smart devices. Nothing.
The Midnight Realization
After half an hour of trial and error, I realized I had painted myself into a corner:
- pfSense was happy to use AdGuard.
- AdGuard was happy to resolve.
- But Nest wouldn’t stop insisting on managing DNS, and every time I toggled things, it demanded to “phone home” first to validate.
With the WAN dead, it couldn’t phone home. Catch-22.
The Nuclear Option
At 12:30 AM, tired and frustrated, I did the only thing left: a hard factory reset on every Google Home WiFi device.
- Held down the button on each puck until the light flashed.
- Reconfigured the entire mesh from scratch in the Google Home app.
- Rejoined every device in the house.
By 1:30 AM, WAN was back online, Nest was happy, and I was exhausted.
Lessons Learned
- Don’t test WAN-wide changes at midnight. Seriously. Future me, please read this before breaking production WiFi again.
- Google Nest WiFi is hostile to advanced setups. If you want pfSense to be the one true router + DHCP/DNS server, Nest in mesh mode just won’t cooperate. Bridge mode is only allowed on a single router puck.
- AdGuard Home itself worked fine. The problem wasn’t AdGuard — it was my topology. Once pfSense and AdGuard were paired, they behaved exactly as expected.
- WAN downtime = instant homelab humility. It’s all fun and games until family devices start complaining: “Why isn’t the internet working??”
What’s Next
For now, I’ve accepted that WAN devices on my Google mesh won’t all be forced through AdGuard until I replace Nest with proper APs that support bridge mode. UniFi, Omada, or even Eero-in-bridge are on the shortlist.
But AdGuard Home is staying. For the LAN clients behind pfSense, it works beautifully. And next time I test changes? I’ll do it at noon on a Saturday, not midnight on a weeknight.
Closing Thought
Homelabbing is fun because you will break things. The trick is turning the breakage into stories — and in this case, a very caffeinated reminder that my “production network” deserves a little respect.