Hi all - please tell me if I’m doing this wrong:

My 12yo spends all day on YouTube shorts. I want to block it, but can only block YouTube entirely. Blocking for everyone would upset my 15yo, so I need per-client domain filtering.

That was easy on Pi-hole. But my Raspberry died and I heard praise for Adguard Home so now I run that as a Docker container.

  1. I can’t figure out how to block YouTube for only some devices. Is that not possible with Adguard? Claude gives me complicated nonsense; you can easily do better.

I want to ditch Adguard and go back to Pihole. The caveat is that I must let Pihole run the DHCP server, in order to get correct per-client blocking. That’s a pity, as I have a neat UniFi network set up.

  1. Can I get Pihole’s per-client blocking without Pihole as DHCP?

I don’t mind setting it all up in Pihole again (as yet another container) because I know it works (it’s how I had it before the Raspberry died). But I would love to know if I am going about this the wrong way? Thank you!

  • Karna@lemmy.ml · ↑1 · edited · 28 minutes ago

    AdGuardHome is also self-hosted and does have this feature.

    Actually in my case, I have to block Facebook on all of my devices, but want to allow it for the rest of my family members. So, I know it’s possible in AdGuardHome.

    https://github.com/AdguardTeam/AdGuardHome

  • MangoPenguin@lemmy.blahaj.zone · ↑1 · 3 hours ago

    Adguard Home can do per-client filtering, if you go to Settings > Client Settings, then add a client and you can choose all the options.

    No need for DHCP on Adguard to be enabled to do that.

  • irotsoma@lemmy.blahaj.zone · ↑5 · edited · 13 hours ago

    I set up separate VLANs for devices that do or don’t get filtering with different DNS servers assigned. And I have two different wifi SSIDs on my access point for the different VLANs as well as having ports on my primary switch aligned to one or the other VLAN. I did end up having one other switch that has devices from both VLANs in a different area and had to set up one port on the primary switch with a couple of MAC-based filters for assigning the VLAN for just devices on that remote switch, but those are static devices, so that wasn’t an issue. I don’t attach any other devices to that.

  • Im_old@lemmy.world · ↑20 · 18 hours ago

    Just so you know, you can run pi-hole as a container as well

    About dhcp, I don’t know about unifi, but I guess in the firewall you can configure static dhcp leases. So son1 devices always get the same ip. Then you can configure a hairpin port forwarding, so any requests for ports tcp/udp 53 from his devices get forwarded to pi-hole. That is assuming that in the “general” dhcp config you assign an external dns.

    Otherwise you could try creating two different dhcp pools, one with pi-hole (and make sure son1 devices get a static lease in there) and one for everyone else.

    As a side note, I recommend looking into self hosting your piped instance, so even son2 can enjoy YouTube without all the ads! (And the tracking)

    • cannedtuna@lemmy.world · ↑3 · 17 hours ago

      Posting here so I remember to share my UniFi setup later. Off the top of my head UniFi manages my DHCP leases like normal, and I set my DNS to my Pihole server with I forget what logging option on so I get full metrics in Pihole of what clients are what for each DNS request.

      • AliasVortex@lemmy.world · ↑3 · 14 hours ago

        That sounds pretty similar to how I have my network setup:

        • PiHole has conditional forwarding configured (true,192.168.0.0/24,192.168.1.1,lan; note: .lan is optional here, I use it for my internal TLD) to get device names from router
        • PiHole uses Unifi as the upstream DNS and DHCP
        • Unifi uses cloudflare as the upstream DNS
        • Unifi hands out the PiHole as the DNS via DHCP config

        That way I get stats in all the places and can use Unifi for DHCP.

    • nul9o9@lemmy.dbzer0.com · ↑2 · 17 hours ago

      I have it running in a container in my closet server. It’s got its own IP address using a macvlan setup.

  • Godnroc@lemmy.world · ↑4 ↓1 · edited · 14 hours ago

    I run AdGuard as an addon to Home Assistant. If you want to stick to AdGuard you can go to Settings > Client Settings and set a per-client filtering rule. There is a tab in the client settings that can be used to filter specific services with a click. Setting an IP reservation for your child’s device in the DHCP settings of Unifi or your router will help ensure the IP address stays consistent.

    For the PiHole option, you don’t actually have to let the PiHole handle DHCP. You just need to tell your DHCP server what DNS server to use. For example, my router is .1 and my Raspberry PI is .2. The DHCP server, my router, tells all devices .1 is the gateway and .2 is the DNS server. You may also need to set these settings on the individual devices to prevent them from ignoring your DNS settings, but that can be done from the network settings. Avast had some safe networking “feature” that would force my DNS settings to be ignored, same with my Android phone.

    Of course, the downside to all of this is that any different device, different IP, device from a friend, or mobile data could bypass these restrictions. You may soon be in an arms race with your child and chances are they can get more clever than you can in a shorter time frame.

    • SheeEttin@lemmy.zip · ↑4 ↓1 · 18 hours ago

      That’ll work great up until the kid finds out about changing the MAC address.

      • cecilkorik@piefed.ca · ↑13 · 17 hours ago

        Do it the other way around then. All devices have youtube blocked by default UNLESS you have a reserved DHCP where it is allowed. I imagine if the former is possible, the latter should be possible too.
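
The difference between blocking listed clients and allowing only reserved ones, as an added example that is not part of the thread and is not Pi-hole or AdGuard Home code. The addresses, the domain list and the function names are constructed for illustration.

```python
# Added example with constructed addresses; not taken from Pi-hole or AdGuard Home.
import ipaddress

# Constructed sample data (assumptions for illustration only).
BLOCKED = ("youtube.com", "youtu.be", "googlevideo.com")
TEEN = "192.168.1.20"       # reserved DHCP lease, should keep YouTube
KID = "192.168.1.30"        # reserved DHCP lease, should lose YouTube
KID_NEW = "192.168.1.143"   # same device after a MAC change: pool address


def is_blocked_domain(qname, suffixes=BLOCKED):
    """Match the name itself or any subdomain, aligned on a label boundary."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def decide(client_ip, qname, listed, default_deny):
    """Return "BLOCK" or "ALLOW" for one DNS query.

    default_deny=False: `listed` holds the restricted clients (fail-open).
    default_deny=True:  `listed` holds the exempt clients (fail-closed).
    """
    ip = str(ipaddress.ip_address(client_ip))  # rejects malformed input
    if not is_blocked_domain(qname):
        return "ALLOW"
    if default_deny:
        return "ALLOW" if ip in listed else "BLOCK"
    return "BLOCK" if ip in listed else "ALLOW"


def compare(client_ip, qname):
    """(per-client blocklist result, default-deny result) for the same query."""
    return (decide(client_ip, qname, {KID}, default_deny=False),
            decide(client_ip, qname, {TEEN}, default_deny=True))


if __name__ == "__main__":
    for ip in (TEEN, KID, KID_NEW):
        print(ip, compare(ip, "www.youtube.com"))
```

Either mode only sees queries that actually reach the filter, which is why the port 53 redirect suggested earlier in the thread matters.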

      • CompactFlax@discuss.tchncs.de · ↑9 · 17 hours ago

        Good; incentive to go learn something. Have a plan in place to deal with it though.

        Firewall rules don’t replace parenting.

        • jonathan@piefed.social · ↑4 · 18 hours ago

          They rotate them across different SSIDs to make it harder to track you. In a residential setup they should basically never rotate.

  • starshipwinepineapple@programming.dev · ↑5 · 17 hours ago

    Pihole can set up “groups” for different blocklists. You specify client by IP or MAC address so it doesn’t matter what the dhcp server is, so long as there’s a static IP or static MAC address. My pihole server doesn’t have dhcp set up and I’m able to do this fine.

    Though from personal experience this just becomes a game of cat and mouse, and if you have a motivated teenager then they will find a way to circumvent this. For example android can rotate MAC addresses, and IP addresses are trivial to spoof as well.

    • etchinghillside@reddthat.com · ↑2 · 17 hours ago

      Just curious - what’s the progression if they set up client allowlisting to require manually approving new ips or macs?

      • starshipwinepineapple@programming.dev · ↑4 · 14 hours ago

        • Custom DNS servers specified on the device to circumvent the pihole
        • dns over https or tls
        • hotspot from approved device
        • alternative YouTube front ends

        These are just off the top of my head. Best case scenario the blocking does work and the teen never tries to bypass it. They’ll still just move onto “wasting” time on something else. This is treating the symptom and not the root cause.

  • DarkSirrush@lemmy.ca · ↑3 · 18 hours ago

    I am definitely not the best at networking, but can’t you do that through your current dhcp client?

    • Oisteink@feddit.nl · ↑4 · 18 hours ago

      I think he wants to do server side, not client. And that the dns filter picks up those ip addresses or ranges, and lets some through.

      • PlutoniumAcid@lemmy.world (OP) · ↑1 · 9 hours ago

        If I keep UniFi DHCP then Pihole will not show individual clients, making it hard to put blocks on those individual clients.

        In the past, the only solution I found was to let Pihole provide DHCP instead of UniFi.

        • MangoPenguin@lemmy.blahaj.zone · ↑1 · 3 hours ago

          Oh that’s just a config change needed, in your DHCP server you need to set the DNS server (option 6) to the Pihole/adguard IP.

          Then you’ll have Unifi DHCP but with clients using pihole/adguard for DNS directly so you get per-client blocking and proper stats.

  • Overspark@feddit.nl · ↑2 ↓1 · 18 hours ago

    Pretty sure you can unblock per device in Adguard, so maybe block it first then unblock from the logs for the clients you want to allow?

    • PlutoniumAcid@lemmy.world (OP) · ↑1 · 9 hours ago

      Adguard has a clumsy text-based block&unblock method, so it’s tedious to do. And given that we all have several devices, I’d have to (un)block a lot. Which is why Pihole seems more useful at the moment.