I set up separate VLANs for devices that do or don't get filtering with different DNS servers assigned. And I have two different wifi SSIDs on my access point for the different VLANs as well as having ports on my primary switch aligned to one or the other VLAN. I did end up having one other switch that has devices from both VLANs in a different area and had to set up one port on the primary switch with a couple of MAC-based filters for assigning the VLAN for just devices on that remote switch, but those are static devices, so that wasn't an issue. I don't attach any other devices to that.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
AdGuardHome is also self-hosted and does have this feature.
Actually in my case, I have to block Facebook on all of my devices, but want to allow it for the rest of my family members. So, I know it's possible in AdGuardHome.
https://github.com/AdguardTeam/AdGuardHome
I run AdGuard as an addon to Home Assistant. If you want to stick to AdGuard you can go to Settings > Client Settings and set a per-client filtering rule. There is a tab in the client settings that can be used to filter specific services with a click. Setting an IP reservation for your child's device in the DHCP settings of Unifi or your router will help ensure the IP address stays consistent.
For the PiHole option, you don't actually have to let the PiHole handle DHCP. You just need to tell your DHCP server what DNS server to use. For example, my router is .1 and my Raspberry Pi is .2. The DHCP server, my router, tells all devices .1 is the gateway and .2 is the DNS server. You may also need to set these settings on the individual devices to prevent them from ignoring your DNS settings, but that can be done from the network settings. Avast had some safe networking "feature" that would force my DNS settings to be ignored, same with my Android phone.
Of course, the downside to all of this is that any different device, different IP, device from a friend, or mobile data could bypass these restrictions. You may soon be in an arms race with your child and chances are they can get more clever than you can in a shorter time frame.
Don't do this at a network level. Do it on the device.
You don't need DHCP, you can just use DNS and then set up different blocking groups based on the device.
The problem with this solution is that it is opt-in. You would need to change all the wifi settings on each device separately to point to Pi-Hole as the DNS. This is something that could easily be disabled, as a 12 year old would probably be able to figure out how to change the settings on their mobile devices or computer with a Google search.
Between my network and the ISP modem, I have a UniFi router. That's the one I tell to send DNS requests to Pihole.
The only way to get around that is by setting e.g. 1.1.1.1 into the local computer's network settings. My boys aren't that tech literate - yet.
You can also just block YouTube in your unifi firewall/router for that one client.
Neither my UniFi router/gateway nor the ISP modem offers that.
Parental controls on YouTube work decently.
We're running a grandfathered Google Workspace for the whole family. Parental tools don't exist in Workspace :'(
Ah, ouch.
Don't think you need a Google account to view Shorts, though?
With Android, you can set a timer on YouTube
I mean, the kids don't need to log in to YouTube to view Shorts. What's the purpose of setting up anything account related? Did I miss anything?
Adguard Home can do per-client filtering, if you go to Settings > Client Settings, then add a client and you can choose all the options.
No need for DHCP on Adguard to be enabled to do that.
Just so you know, you can run pi-hole as a container as well
About DHCP, I don't know about Unifi, but I guess in the firewall you can configure static DHCP leases, so son1's devices always get the same IP. Then you can configure a hairpin port forwarding, so any requests for TCP/UDP port 53 from his devices get forwarded to pi-hole. That is assuming that in the "general" DHCP config you assign an external DNS.
Otherwise you could try creating two different dhcp pools, one with pi-hole (and make sure son1 devices get a static lease in there) and one for everyone else.
As a side note, I recommend looking into self hosting your piped instance, so even son2 can enjoy YouTube without all the ads! (And the tracking)
Posting here so I remember to share my UniFi setup later. Off the top of my head UniFi manages my DHCP leases like normal, and I set my DNS to my Pihole server with I forget what logging option on so I get full metrics in Pihole of what clients are what for each DNS request.
That sounds pretty similar to how I have my network setup:
- PiHole has conditional forwarding configured (true,192.168.0.0/24,192.168.1.1,lan; note: .lan is optional here, I use it for my internal TLD) to get device names from the router
- PiHole uses Unifi as the upstream DNS and DHCP
- Unifi uses cloudflare as the upstream DNS
- Unifi hands out the PiHole as the DNS via DHCP config
That way I get stats in all the places and can use Unifi for DHCP.
I have it running in a container on my closet server. It's got its own IP address using a macvlan setup.
Just create a dhcp reservation in unifi.
That'll work great up until the kid finds out about changing the MAC address.
Good; incentive to go learn something. Have a plan in place to deal with it though.
Firewall rules don’t replace parenting.
Do it the other way around then. All devices have youtube blocked by default UNLESS you have a reserved DHCP where it is allowed. I imagine if the former is possible, the latter should be possible too.
Or uses a device that rotates mac
They rotate them across different SSIDs to make it harder to track you. In a residential setup they should basically never rotate.
Pihole can set up "groups" for different blocklists. You specify the client by IP or MAC address, so it doesn't matter what the DHCP server is, so long as there's a static IP or static MAC address. My pihole server doesn't have DHCP set up and I'm able to do this fine.
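The two ideas in this part of the thread, per-client groups keyed by IP or MAC and the earlier suggestion to block by default and only allow reserved clients, fit together in a few lines. The script below is an added example written for this page, not Pi-hole's own code or anyone's posted configuration: the MACs, IPs, group names, regex entries and the dnsmasq-style query log lines are all constructed. It resolves a querying client to a group (by MAC if known, otherwise through the static reservation, otherwise a restrictive default) and applies that group's regex blocklist, so a phone that changes its MAC or picks up a fresh lease lands in the restrictive group instead of escaping it.

```python
"""Per-client DNS filtering policy, modelled on Pi-hole's client groups.

Added example, not Pi-hole's own code. MACs, IPs, group names, regex entries
and the query log lines are constructed for illustration.
"""
import re

# Constructed: static DHCP reservations as the router's DHCP server would hold
# them (MAC -> IP). The DNS filter only needs the mapping, not to run DHCP.
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.1.50",  # son1 phone
    "aa:bb:cc:00:00:02": "192.168.1.51",  # son1 laptop
    "aa:bb:cc:00:00:10": "192.168.1.20",  # parent laptop
}
IP_TO_MAC = {ip: mac for mac, ip in RESERVATIONS.items()}

# Group membership keyed by MAC (Pi-hole lets you add clients by IP or MAC).
CLIENT_GROUPS = {
    "aa:bb:cc:00:00:01": "kids",
    "aa:bb:cc:00:00:02": "kids",
    "aa:bb:cc:00:00:10": "adults",
}

# Per-group regex blocklists in Pi-hole's regex style. "adults" blocks nothing.
GROUP_BLOCKLISTS = {
    "kids": [r"(^|\.)youtube\.com$", r"(^|\.)googlevideo\.com$", r"(^|\.)ytimg\.com$"],
    "adults": [],
}

# Default-deny: a client that is not reserved/known lands in the restrictive
# group, so a changed MAC or a fresh IP gains nothing.
DEFAULT_GROUP = "kids"

COMPILED = {g: [re.compile(p, re.IGNORECASE) for p in pats]
            for g, pats in GROUP_BLOCKLISTS.items()}


def resolve_group(client_ip, mac=None):
    """Group lookup: by MAC if supplied, else via the IP reservation, else the default."""
    if mac is None:
        mac = IP_TO_MAC.get(client_ip)
    return CLIENT_GROUPS.get(mac, DEFAULT_GROUP)


def decide(domain, client_ip, mac=None):
    """Return (blocked, group, matched_pattern) for one query."""
    group = resolve_group(client_ip, mac)
    name = domain.rstrip(".").lower()
    for rx in COMPILED.get(group, []):
        if rx.search(name):
            return True, group, rx.pattern
    return False, group, None


# Constructed dnsmasq/Pi-hole style query log lines (192.168.1.77 has no reservation).
QUERY_LOG = """\
Feb 12 20:01:02 dnsmasq[512]: query[A] www.youtube.com from 192.168.1.50
Feb 12 20:01:03 dnsmasq[512]: query[A] www.youtube.com from 192.168.1.20
Feb 12 20:01:04 dnsmasq[512]: query[AAAA] r3---sn-abc.googlevideo.com from 192.168.1.51
Feb 12 20:01:05 dnsmasq[512]: query[A] youtube.com from 192.168.1.77
Feb 12 20:01:06 dnsmasq[512]: query[A] en.wikipedia.org from 192.168.1.50
Feb 12 20:01:07 dnsmasq[512]: reply www.youtube.com is 142.250.0.1
"""

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<ip>[\d.]+)")


def evaluate_log(text):
    """Run the policy over query log lines; returns (ip, domain, group, blocked) tuples."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # replies and other dnsmasq chatter carry no decision
        blocked, group, _ = decide(m["domain"], m["ip"])
        out.append((m["ip"], m["domain"], group, blocked))
    return out


if __name__ == "__main__":
    for ip, dom, grp, blocked in evaluate_log(QUERY_LOG):
        print(f"{ip:<14} {grp:<7} {'BLOCK' if blocked else 'allow':<5} {dom}")
```

The important design choice is the default group: with the permissive group as the default, the MAC-change trick mentioned above works immediately; with the restrictive group as the default, the kid's new MAC only gets them a new entry to approve.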
Though from personal experience this just becomes a game of cat and mouse, and if you have a motivated teenager then they will find a way to circumvent this. For example android can rotate MAC addresses, and IP addresses are trivial to spoof as well.
Just curious - what’s the progression if they setup client allowlisting to require manually approving new ips or macs.
- Custom DNS servers specified on the device to circumvent the pihole
- dns over https or tls
- hotspot from approved device
- alternative YouTube front ends
These are just off the top of my head. Best case scenario the blocking does work and the teen never tries to bypass it. They'll still just move onto "wasting" time on something else. This is treating the symptom and not the root cause.
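Three of the bypass routes listed above (a custom DNS server on the device, DNS over TLS, DNS over HTTPS to a public resolver) leave traces on the gateway, and the hairpin port-53 redirect suggested earlier in the thread is the usual fix for the first one. The script below is an added example, not from any poster's setup: it scans constructed router firewall log lines in iptables LOG format and flags outbound DNS that does not go to the Pi-hole, any port 853 traffic, and HTTPS to a small assumed list of public resolvers that also serve DoH. The Pi-hole address, client addresses and the resolver list are assumptions for the example.

```python
"""Spot DNS-filter bypass attempts in router firewall logs.

Added example, not from any of the posters' setups. The log lines are
constructed in iptables LOG format; the Pi-hole address, client addresses and
the resolver list are assumptions for the example.
"""
import re

PIHOLE_IP = "192.168.1.2"  # assumed: the only resolver LAN clients should talk to

# Assumed, partial list of public resolvers that also answer DoH on 443. DoH to
# any other HTTPS endpoint cannot be told apart from ordinary web traffic by port.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                       "9.9.9.9", "149.112.112.112"}

FIELD_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

# Constructed sample of connection log lines from the gateway.
FW_LOG = """\
Jan  5 21:14:01 gw kernel: [FW-OUT] IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.2 LEN=60 PROTO=UDP SPT=51234 DPT=53
Jan  5 21:14:02 gw kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=1.1.1.1 LEN=60 PROTO=UDP SPT=51235 DPT=53
Jan  5 21:14:03 gw kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.2 DST=1.1.1.1 LEN=60 PROTO=UDP SPT=40001 DPT=53
Jan  5 21:14:04 gw kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.51 DST=9.9.9.9 LEN=60 PROTO=TCP SPT=51236 DPT=853
Jan  5 21:14:05 gw kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=TCP SPT=51237 DPT=443
Jan  5 21:14:06 gw kernel: [FW-OUT] IN=br0 OUT=eth0 SRC=192.168.1.20 DST=142.250.0.1 LEN=60 PROTO=TCP SPT=51238 DPT=443
Jan  5 21:14:07 gw kernel: link is up
"""


def classify(src, dst, proto, dpt, pihole_ip=PIHOLE_IP):
    """Return a finding label for one flow, or None if it is expected traffic."""
    if src == pihole_ip:
        return None  # the Pi-hole's own upstream queries are supposed to leave the LAN
    if dpt == 53 and dst != pihole_ip:
        return "plain-dns-bypass"
    if dpt == 853:
        return "dns-over-tls"
    if dpt == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "doh-known-resolver"
    return None


def scan(log_text, pihole_ip=PIHOLE_IP):
    """Parse log lines; returns (src, dst, proto, dpt, label) for each bypass attempt."""
    findings = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue  # not a packet log line
        dpt = int(m["dpt"])
        label = classify(m["src"], m["dst"], m["proto"], dpt, pihole_ip)
        if label:
            findings.append((m["src"], m["dst"], m["proto"], dpt, label))
    return findings


def offending_clients(findings):
    """Distinct LAN sources with at least one bypass attempt, sorted."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for src, dst, proto, dpt, label in scan(FW_LOG):
        print(f"{src:<14} -> {dst:<16} {proto}/{dpt:<4} {label}")
```

The exclusion of the Pi-hole's own address matters: it forwards to an upstream on port 53 itself, so without it the filter would flag its own resolver. The first two findings map to firewall rules (redirect LAN port 53 to the Pi-hole, reject port 853); the third only catches resolvers you listed, which is the same caveat the thread makes about this being a cat-and-mouse game.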
You are correct - this isn't a tech issue at its root. But it is one of the arrows in the quiver.
I am definitely not the best at networking, but can't you do that through your current dhcp client?
I think he wants to do server side, not client. And that the dns filter picks up those ip addresses or ranges, and let some through.
If I keep UniFi DHCP then Pihole will not show individual clients, making it hard to put blocks on those individual clients.
In the past, the only solution I found was to let Pihole provide DHCP instead of UniFi.
Oh that's just a config change needed, in your DHCP server you need to set the DNS server (option 6) to the Pihole/adguard IP.
Then you'll have Unifi DHCP but with clients using pihole/adguard for DNS directly so you get per-client blocking and proper stats.
Pretty sure you can unblock per device in Adguard, so maybe block it first then unblock from the logs for the clients you want to allow?
Adguard has a clumsy text-based block&unblock method, so it's tedious to do. And given that we all have several devices, I'd have to (un)block a lot. Which is why Pihole seems more useful at the moment.