this post was submitted on 13 Jul 2025
42 points (100.0% liked)

Selfhosted

49470 readers
901 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
42
Pi-hole client filtering without DHCP? (lemmy.world)
submitted 2 days ago* (last edited 1 day ago) by PlutoniumAcid@lemmy.world to c/selfhosted@lemmy.world
34 comments fedilink hide all child comments
 

Hi all - please tell me if I'm doing this wrong:

My 12yo spends all day on YouTube shorts. I want to block it, but can only block YouTube entirely. Blocking for everyone would upset my 15yo, so I need per-client domain filtering.

That was easy on Pi-hole. But my Raspberry died and I heard praise for Adguard Home so now I run that as a Docker container.

  1. I can't figure out how to block YouTube for only some devices. Is that not possible with Adguard? Claude gives me complicated nonsense; you can easily do better.

I want to ditch Adguard and go back to Pihole. The caveat is that I must let Pihole run the DHCP server, in order to get correct per-client blocking. That's a pity, as I have a neat UniFi network set up.

  1. Can I get Pihole's per-client blocking without Pihole as DHCP?

I don't mind setting it all up in Pihole again (as yet another container) because I know it works (it's how I had it before the Raspberry died). But I would love to know if I am going about this the wrong way? Thank you!

all 35 comments
sorted by: hot top controversial new old
[–] Im_old@lemmy.world 24 points 2 days ago (2 children)

Just so you know, you can run pi-hole as a container as well

About dhcp, I don't know about unifi, but I guess in the firewall you can configure static dhcp leases. So son1 devices always get same ip. Then you can configure a hairpin port forwarding, so any requests for ports tcp/udp53 from his devices get forwarded to pi-hole. That is assuming that in the "general" dhcp config you assign an external dns.

Otherwise you could try creating two different dhcp pools, one with pi-hole (and make sure son1 devices get a static lease in there) and one for everyone else.

As a side note, I recommend looking into self hosting your piped instance, so even son2 can enjoy YouTube without all the ads! (And the tracking)

[–] cannedtuna@lemmy.world 3 points 2 days ago (1 children)

Posting here so I remember to share my UniFi setup later. Off the top of my head UniFi manages my DHCP leases like normal, and I set my DNS to my Pihole server with I forget what logging option on so I get full metrics in Pihole of what clients are what for each DNS request.

[–] AliasVortex@lemmy.world 3 points 2 days ago

That sounds pretty similar to how I have my network setup:

  • PiHole has conditional forwarding configured (true,192.168.0.0/24,192.168.1.1,lan note: .lan is optional here, I uss it for my internal TLD) to get device names from router
  • PiHole uses Unifi as the upstream DNS and DHCP
  • Unifi uses cloudflare as the upstream DNS
  • Unifi hands out the PiHole as the DNS via DHCP config

That way I get stats in all the places and can use Unifi for DHCP.

[–] nul9o9@lemmy.dbzer0.com 2 points 2 days ago

I have it running in a container in my closet server. It's got It's own IP address using a macvlan setup.

[–] CompactFlax@discuss.tchncs.de 8 points 2 days ago* (last edited 2 days ago) (1 children)

Just create a dhcp reservation in unifi.

[–] SheeEttin@lemmy.zip 3 points 2 days ago (3 children)

That'll work great up until the kid finds out about changing the MAC address.

[–] cecilkorik@piefed.ca 15 points 2 days ago

Do it the other way around then. All devices have youtube blocked by default UNLESS you have a reserved DHCP where it is allowed. I imagine if the former is possible, the latter should be possible too.

[–] CompactFlax@discuss.tchncs.de 12 points 2 days ago

Good; incentive to go learn something. Have a plan in place to deal with it though.

Firewall rules don’t replace parenting.

[–] Oisteink@feddit.nl 1 points 2 days ago (1 children)

Or uses a device that rotates mac

[–] jonathan@piefed.social 5 points 2 days ago

They rotate them across different SSIDs to make it harder to track you. in a residential setup they should basically never rotate.

[–] irotsoma@lemmy.blahaj.zone 6 points 2 days ago* (last edited 2 days ago)

I set up separate VLANs for devices that do or don't get filtering with different DNS servers assigned. And I have two different wifi SIDs on my access point for the different VLANs as well as having ports on my primary switch aligned to one or the other VLAN. I did end up having one other switch that has devices from both VLANs in a different area and had to set up one port on the primary switch with a couple of MAC-based filters for assigning the VLAN for just devices on that remote switch, but those are static devices, so that wasn't an issue. I don't attach any other devices to that.

[–] starshipwinepineapple@programming.dev 5 points 2 days ago (1 children)

Pihole can set up "groups" for different blocklists. You specify client by IP or MAC address so it doesnt matter what the dhcp server is, so long as there's a static IP or static MAC address. My pihole server doesn't have dhcp set up and I'm able to do this fine

Though from personal experience this just becomes a game of cat and mouse, and if you have a motivated teenager then they will find a way to circumvent this. For example android can rotate MAC addresses, and IP addresses are trivial to spoof as well.

[–] etchinghillside@reddthat.com 2 points 2 days ago (1 children)

Just curious - what’s the progression if they setup client allowlisting to require manually approving new ips or macs.

[–] starshipwinepineapple@programming.dev 4 points 2 days ago (1 children)
  • Custom DNS servers specified on the device to circumvent the pihole
  • dns over https or tls
  • hotspot from approved device
  • alternative YouTube front ends

These are just off the top of my head. Best case scenario the blocking does work and the teen never tries to bypass it. They'll still just move onto "wasting" time on something else. This is treating the symptom and not the root cause.

[–] PlutoniumAcid@lemmy.world 2 points 1 day ago

You are correct - this isn't a tech issue at its root. But it is one of the arrows in the quiver.

[–] Godnroc@lemmy.world 5 points 2 days ago* (last edited 2 days ago)

I run AdGuard as an addon to Home Assistant. If you want to stick to AdGuard you can go to Settings > Client Settings and set a per-client filtering rule. There is a tab in the client settings that can be used to filter specific services with a click. Setting an IP reservation for your child's device in the DHCP settings of Unifi or your router will help ensure the IP address stays consistent.

For the PiHole option, you don't actually have to let the PiHole handle DHCP. You just need to tell your DHCP server what DNS server to use. For example, my router is .1 and my Raspberry PI is .2. The DHCP server, my router, tells all devices .1 is the gateway and .2 is the DNS server. You may also need to set these settings on the individual devices to prevent them from ignoring your DNS settings, but that can be done from the network settings. Avast had some safe networking "feature" that would force my DNS settings to be ignored, same with my Android phone.

Of course, the downside to all of this is that any different device, different IP, device from a friend, or mobile data could bypass these restrictions. You may soon be in an arms race with your child and chances are they can get more clever that you can in a shorter time frame.

[–] DarkSirrush@lemmy.ca 3 points 2 days ago (1 children)

I am definitely not the best at networking, but can't you do that through your current dhcp client?

[–] Oisteink@feddit.nl 4 points 2 days ago (1 children)

I think he wants to do server side, not client. And that the dns filter picks up those ip addresses or ranges, and let some through.

[–] PlutoniumAcid@lemmy.world 1 points 1 day ago (1 children)

If I keep UniFi DHCP then Pihole will not show individual clients, making it hard to put blocks on those individual clients.

In the past, the only solution I found was to let Pihole provide DHCP instead of UniFi.

[–] MangoPenguin@lemmy.blahaj.zone 1 points 1 day ago

Oh that's just a config change needed, in your DHCP server you need to set the DNS server (option 6) to the Pihole/adguard IP.

Then you'll have Unifi DHCP but with clients using pihole/adguard for DNS directly so you get per-client blocking and proper stats.

[–] Tolookah@discuss.tchncs.de 3 points 2 days ago (2 children)

Parental controls on YouTube work decent.

[–] PlutoniumAcid@lemmy.world 3 points 1 day ago (1 children)

We're running a grandfathered Google Workspace for the whole family. Parental tools don't exist in Workspace :'(

[–] Konraddo@lemmy.world 3 points 2 days ago (1 children)

Don't think you need a Google account to view Shorts, though?

[–] Tolookah@discuss.tchncs.de 2 points 2 days ago (1 children)

With Android, you can set a timer on YouTube

[–] Konraddo@lemmy.world 2 points 2 days ago

I mean, the kids don't need to log in YouTube to view Shorts. What's the purpose of setting up anything account related? I missed anything.

[–] possiblylinux127@lemmy.zip 3 points 1 day ago

Don't do this at a network level. Do it on the device

[–] MangoPenguin@lemmy.blahaj.zone 2 points 1 day ago

Adguard Home can do per-client filtering, if you go to Settings > Client Settings, then add a client and you can choose all the options.

No need for DHCP on Adguard to be enabled to do that.

[–] cereals@discuss.tchncs.de 2 points 1 day ago (1 children)

You can also just block YouTube in your unifi firewall/router for that one client.

[–] PlutoniumAcid@lemmy.world 1 points 6 hours ago

Neither my UniFi router/gateway nor the ISP modem offers that.

[–] This2ShallPass@lemmy.world 2 points 1 day ago* (last edited 1 day ago) (1 children)

You don't need DHCP, you can just use DNS and then set up different blocking groups based on the device.

The problem with this solution is that is it opt in. You would need to change all the wifi settings on each device separately to point to Pi-Hole as the DNS. This is something that could easily be disabled as a 12 year old would probably be able to figure out how to change the settings on their mobile devices or computer with a Google search.

[–] PlutoniumAcid@lemmy.world 1 points 6 hours ago

Between my network and the ISP modem, I habe a UniFi router. That's the one I tell to send DNS requests to Pihole.

The only way to get around that is by setting e.g. 1.1.1.1 into the local computer's network settings. My boys aren't that tech literate - yet.

[–] Overspark@feddit.nl 1 points 2 days ago (1 children)

Pretty sure you can unblock per device in Adguard, so maybe block it first then unblock from the logs for the clients you want to allow?

[–] PlutoniumAcid@lemmy.world 1 points 1 day ago

Adguard has a clumsy text-based block&unblock method, so it's tedious to do. And given that we all have several devices, I'd have to (un)block a lot. Which is why Pihole seems more useful at the moment.