Mesh Wifi with good parental controls: porn blacklisting

I have been using Pihole to block porn/gambling/gore/etc sites for a while now and it seems pretty effective. I found some dynamic adlists I think posted on the Pihole forums for all that stuff and just dropped it into there.
For all their PCs, turn off DoH (secure DNS) on all installed browsers. Chrome and Firefox have that in the settings. Depending on their aptitude, they may have the ability to turn it back on though. More advanced firewalls (like pfSense) have the ability to block some of that, but it's not a perfect science.

And finally, I hope they don't figure out how to use public VPNs....
They can also just change their local DNS settings to 8.8.8.8/8.8.4.4 or whatever to bypass your Pihole. Fortunately my kids barely know what an IP is still, let alone how to change one on a device. Though my son has a phone now and knows he can just tether off of it whenever I block him on the home network (for not doing chores or whatever), so I have to physically take his phone when it comes to that point. There's no technical way for me to keep them from using other networks aside from putting some kind of MDM software on their phone.
 
The phone is an issue for sure, unless you don't get an unlimited plan and hope they have a conscience. In that case, one overage and take the phone away.

If you have a good enough firewall, you can intercept any DNS queries on udp/53 to anywhere (like 8.8.8.8) and force it back to your PiHole.
 
Thanks, I'll check out the firewall options on my Edgerouter X, not sure how robust it is (probably not that great).
 
The Phone is an issue for sure, unless you don't get an unlimited plan and hope they have a conscience. In that case, one overage and take the phone away.

If you have a good enough firewall, you can intercept any DNS queries on udp/53 to anywhere (like 8.8.8.8) and force it back to your PiHole.
Or don't get your kids a phone. Or just get a flip phone.
That's my solution when the time comes. My parents' rule, and I think it was a good one, was "you can get a phone when you can afford one with the data plan." Once I got a job, I ended up getting this sweet Kyocera slider on Virgin Mobile prepaid.
[attached photo of the phone]

It honestly was a great phone.

I think I'll amend it to, "you can get a smart phone when you can afford one yourself with the data plan." Combined some enforcement of rules with an impetus to getting a job with reliable pay.
 
If they're just little kids, they don't really need a phone. Sure, they'll want a "device" of some kind, so get them a Wifi-only iPad or similar.
 
We're lucky. Except for the basic $150 laptops I got them for covid school they now use for Minecraft once a week, they don't really ask for much screen time because they read so much.
But it's coming eventually. They're 9 and 7 now.
 
I have been using Pihole to block porn/gambling/gore/etc sites for a while now and it seems pretty effective. I found some dynamic adlists I think posted on the Pihole forums for all that stuff and just dropped it into there.

They can also just change their local DNS settings to 8.8.8.8/8.8.4.4 or whatever to bypass your Pihole. Fortunately my kids barely know what an IP is still, let alone how to change one on a device. Though my son has a phone now and knows he can just tether off of it whenever I block him on the home network (for not doing chores or whatever), so I have to physically take his phone when it comes to that point. There's no technical way for me to keep them from using other networks aside from putting some kind of MDM software on their phone.
At that point I would lojack the phone with an MDM of some sort. It's too bad you can't use the built in profiles of iOS by default. They force you into needing a work/school account. The parental controls also don't appear to limit access to WiFi which is fucking stupid.
Thanks, I'll check out the firewall options on my Edgerouter X, not sure how robust it is (probably not that great).
Isn't the Edgerouter X just Debian or something? iptables should work in that case so you can block that stuff that way.
 
He's on Android, but if you know if a good free/cheap MDM solution for kids, I'm all ears. I was using Cerberus until they revoked my one-time paid license and went to a subscription model and that pissed me off so I dropped it. But Cerberus was more for tracking their phone and sending remote commands to it rather than doing any sort of content filtering and config management.

Edgerouters run their "Edge OS" which apparently is a derivative of Debian/Linux. Never tried to install any packages onto it though, I'll look that up and check it out later when I'm home. Thanks.
 
Are you trying to train your kid to be a hacker? This will provide the necessary motivation.
 
He's on Android, but if you know if a good free/cheap MDM solution for kids, I'm all ears. I was using Cerberus until they revoked my one-time paid license and went to a subscription model and that pissed me off so I dropped it. But Cerberus was more for tracking their phone and sending remote commands to it rather than doing any sort of content filtering and config management.

Edgerouters run their "Edge OS" which apparently is a derivative of Debian/Linux. Never tried to install any packages onto it though, I'll look that up and check it out later when I'm home. Thanks.
I'd look into Google Family Link. https://families.google.com/familylink/
 
Yeah, tried that and Google takes some liberties with their restrictions on that and you can't override them, most notably it restricts your kid to Youtube Kids, which any kid under 10 or so will immediately hate and hate you for. It would be much more useful if I could let them use normal Youtube with restrictive mode enabled (which I've learned you can actually force at a network level). You can kind of sidestep it by having your kid go through the browser instead, but the functionality there is pretty janky relative to the native app.
 
What about just using multiple users on the Android device? I have never done it so I don't know what restrictions can be put in place but may be worth looking at.
 
Interesting reading. All my kids are in their mid 30's, but back in the day, I used to modify the HOST file and add ip addresses that I wanted excluded from access. The big one was youtube and other social media web sites were blocked from access; however, I'm sure my kids friends had access and they would go to their house.
 
Networking n00b here asking the same questions.

Here is my network:
[attached network diagram]

It's pretty simple, but all told I have something like 30 devices (computers, mobile, and IoT combined).

In my mind, the PiHole device needs to be between the router and modem, but as I read it, that's not correct? Instead, I can run PiHole in a VM on the Unraid server, and then...? Tell the router to look to the PiHole for DNS lookup? So then all devices on the network will ping the UnRaid server for all lookups before going out to the internet?

Unraid server is a Core i3 10100 (4 cores, 8 threads) with 16 GB RAM and a bunch of hard drives and a 480 GB SSD (SATA) cache, with a 2060. I assume that's more than enough resources, but will I potentially need to upgrade to a standalone non-mobo NIC to handle the traffic? The wired network is gigabit.
 
The only thing that's going on with Pi-hole is requests are sent to it and then sent back. Essentially your Pi-hole is just looking up addresses and reporting them back. Your router needs to know that the Pi-hole is your DNS server, so whatever static IP you have it set up as. So no, it doesn't sit between the modem and router.

If it was me, I'd offer up a dedicated NIC for Pi-hole. But the amount of traffic will be minimal I bet. Pi-hole can be run off a Raspberry Pi, so its footprint is extremely small. I tested mine on a Pi 3.
 
Yes, you can run Pi-hole off the Unraid box right where it is. First, stop your VM and Docker in settings. Go to Network and set your Unraid's IP to static and assign it an IP on your LAN (hopefully the same static lease it already has in your router). Input the router IP. Input DNS servers for Unraid to use, NOT the Pi-hole, because you can't point Unraid to itself. Then, if needed, whitelist DNS at your router from Unraid (this will depend on your router and how you are handling requests). Restart VM and Docker. Install the CA app version of Pi-hole that has DoT and DoH. Set the Pi-hole to its own static IP (one that your router can't give out but on the same IP range), use advanced view on the CA install page to set it, and the same IP for the Pi-hole server farther down the install.

Next part depends a lot on your router. If it handles DHCP, use a DNS override to direct it to the Pi-hole. If you can, and want to really enforce it on the entire network, place a port forwarding rule that directs all 53 traffic NOT from Pi-hole and from Unraid to Pi-hole. This will catch things like Fire TVs et al. that are hard coded for their own DNS.

Now one caveat of the Pi-hole DoT/DoH image for Unraid is that it uses Cloudflare. My gateway eventually blocked that in its web filter for DNS avoidance. So I had to create a rule to allow Pi-hole to go to Cloudflare. Just an FYI thing; I don't think your router will catch or block it.

Now log in to the Pi-hole web UI and update your block lists: green button, Manage Adlists. Add the lists from here: https://firebog.net/ then update your gravity database as instructed on that page.

Done, or close I hope; enjoy Pi-hole protection for the whole network, and if you can do the port forwarding rule then you're protected even when a user (your kids) tries to change their DNS on the device.

I can't answer if you need another NIC or not. I don't have any resource issues, and have a server board with 4 NICs grouped together.
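The firewall redirect suggested earlier in the thread (catch any udp/53 going anywhere and send it back to the Pi-hole) and the "port forwarding rule" step in the post above, spelled out as iptables commands. This is an added example, not code from the thread or from Pi-hole. It assumes a Linux router where iptables is available; eth1 as the LAN-side interface, 192.168.1.2 as the Pi-hole and 192.168.1.10 as a host allowed to keep its own resolver (the Unraid box that cannot point at its own container) are placeholders. On EdgeOS the supported way to add NAT rules is its own "set service nat rule" CLI, and raw iptables changes do not survive a reboot there, so read the commands as the shape of the rule, not as a persistent EdgeOS config.

```shell
#!/bin/sh
# Added example, not from the thread: force every LAN client's plain DNS
# (udp and tcp 53) through the Pi-hole with iptables NAT rules.
# Assumptions: eth1 is the LAN-side interface of a Linux router, the Pi-hole
# has the static address 192.168.1.2, and 192.168.1.10 is a host (e.g. the
# Unraid box that cannot point at its own container) allowed to keep its
# own resolver. Override with environment variables.

LAN_IF="${LAN_IF:-eth1}"
PIHOLE="${PIHOLE:-192.168.1.2}"
EXEMPT="${EXEMPT:-192.168.1.10}"   # comma-separated list, may be empty

# Print the iptables commands, one per line, in the order they must be
# installed. Nothing is applied here. These match on the LAN interface (-i):
# this is a redirect of traffic leaving the LAN, not the "port forwarding"
# a consumer router offers, which rewrites traffic arriving from the Internet.
dns_rules() {
    lan="$1"; pihole="$2"; exempt="$3"
    for proto in udp tcp; do
        # 1. The Pi-hole's own upstream queries must not be looped back to it.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j RETURN\n' "$lan" "$pihole" "$proto"
        # 2. Exempt hosts keep whatever resolver they were given.
        for h in $(printf '%s' "$exempt" | tr ',' ' '); do
            printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 -j RETURN\n' "$lan" "$h" "$proto"
        done
        # 3. Everyone else: whatever resolver the client asked for (8.8.8.8,
        #    1.1.1.1, ...), the packet is rewritten to the Pi-hole.
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' "$lan" "$proto" "$pihole"
        # 4. Client and Pi-hole share a subnet, so without this the Pi-hole
        #    answers the client directly from its own address and the client
        #    drops a reply that did not come from 8.8.8.8. Masquerading makes
        #    the reply return through the router, where conntrack un-NATs it.
        printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport 53 -j MASQUERADE\n' "$lan" "$pihole" "$proto"
    done
    # 5. DNS-over-TLS uses a fixed port, so it can simply be refused.
    #    DNS-over-HTTPS shares 443 and has to be handled by blocking resolver
    #    hostnames in the Pi-hole instead.
    printf 'iptables -A FORWARD -i %s -p tcp --dport 853 -j REJECT\n' "$lan"
}

# Apply the rules (root required). Stops at the first failing command.
apply_dns_rules() {
    dns_rules "$LAN_IF" "$PIHOLE" "$EXEMPT" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Verify rule order in the output of: iptables -t nat -S PREROUTING
# Returns 0 only if the Pi-hole's RETURN comes before the udp DNAT; a RETURN
# appended after the DNAT never fires and the Pi-hole ends up querying itself.
check_order() {
    listing="$1"; pihole="$2"
    ret=$(printf '%s\n' "$listing" | grep -n -- "-s $pihole/32 .*-p udp .*--dport 53 -j RETURN" | head -n 1 | cut -d: -f1)
    dnat=$(printf '%s\n' "$listing" | grep -n -- "-p udp .*--dport 53 -j DNAT --to-destination $pihole:53" | head -n 1 | cut -d: -f1)
    [ -n "$ret" ] && [ -n "$dnat" ] && [ "$ret" -lt "$dnat" ]
}

# Constructed listings (not captured from a real router), in the format of
# iptables -t nat -S PREROUTING. The first is correct; the second has the
# exemption appended after the redirect, which is the usual mistake.
SAMPLE_GOOD='-P PREROUTING ACCEPT
-A PREROUTING -s 192.168.1.2/32 -i eth1 -p udp -m udp --dport 53 -j RETURN
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.2:53'
SAMPLE_BAD='-P PREROUTING ACCEPT
-A PREROUTING -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.2:53
-A PREROUTING -s 192.168.1.2/32 -i eth1 -p udp -m udp --dport 53 -j RETURN'

if [ "${1:-}" = "--apply" ]; then
    apply_dns_rules
else
    dns_rules "$LAN_IF" "$PIHOLE" "$EXEMPT"
fi
```

Run it without arguments to review the rules, with --apply as root to install them. Two things bite people here: the RETURN for the Pi-hole has to come before the DNAT, or the Pi-hole's upstream lookups get redirected to itself (check_order tests that against an iptables -t nat -S PREROUTING listing), and the MASQUERADE line is required whenever the Pi-hole and the clients sit on the same subnet. A quick end-to-end check from a client is nslookup pi.hole 8.8.8.8: with the redirect in place the answer is the Pi-hole's address and the lookup shows up in the Pi-hole query log; without it Google answers NXDOMAIN.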
 
Awesome, thank you!
 
OK, I have it all set up. HOWEVER, it's not blocking.
I've added some porn-specific lists (none were apparently on that Firebog site) but sites are still accessible.

Edit: OK, it is doing something, but the porn sites are redirecting. If I intentionally navigate to one, it gives me an error, but then a few seconds later the page loads.... hrm... not nearly as effective as I hoped.

Edit 2: Chrome, between safe search at the router, is clean. Edge and Bing search is not. Any video that Edge is pulling down into Edge search results is still visible.

So far, I'm not impressed. I've sub'd to about 4 different porn lists I could find.

Edit 3: Fine. I blocked ALL of Bing. Not that we lost anything.
 
You need to make sure that the pihole IP is the only DNS server your clients are getting AND make sure that pihole is the only DNS allowed out of your gateway. You must block all DNS from anything other than your pihole server IP.

You need to check Firebog again as there is absolutely a list, at least 2 in fact, there for porn.
 
Doing some reading, this may be hit or miss with Google Home Mesh networks.
 
OK, so I set the Google mesh router DHCP to point to the PiHole IP address on the network. It seems to have gotten around the issue of setting your own DNS in the network adapter.
The Bing issue remains. So no more Bing in my household!

Love this stuff. Learning a LOT about my own network and what this Unraid server can do.
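The Bing/Edge problem above (and the earlier remark that YouTube's restricted mode can be forced at the network level) is usually handled in DNS rather than by blocking the whole search engine: the Pi-hole answers the search hostnames with a CNAME to the vendor's filtering endpoint, so every browser and app gets the filtered site. This is an added example, not from the thread or from Pi-hole. The endpoint names are the ones Google, Microsoft and DuckDuckGo publish for this purpose; the file name 05-safesearch.conf, the strict rather than moderate YouTube level and the short list of Google country domains are assumptions, and it relies on a dnsmasq recent enough to resolve a CNAME target upstream (older releases silently dropped cname lines whose target was not a local name). The last line it writes is the Firefox DoH canary domain: an NXDOMAIN answer for it stops Firefox from switching DoH on by itself, though not a user who enables it by hand.

```shell
#!/bin/sh
# Added example, not from the thread: enforce SafeSearch and YouTube
# Restricted Mode from the Pi-hole. Pi-hole's resolver is dnsmasq-based, so a
# file of cname= lines under /etc/dnsmasq.d/ is all it takes.
# Assumptions: the file name below, strict (not moderate) YouTube filtering,
# and a dnsmasq recent enough to resolve CNAME targets upstream.

CONF="${CONF:-/etc/dnsmasq.d/05-safesearch.conf}"

# Google serves search from country domains as well; a short list is shown,
# extend it with whatever appears in your Pi-hole query log.
GOOGLE_TLDS="com co.uk de fr ca com.au"

# One "host target" pair per line. Targets are the vendors' published
# filtering endpoints.
safesearch_map() {
    for tld in $GOOGLE_TLDS; do
        printf 'www.google.%s forcesafesearch.google.com\n' "$tld"
    done
    cat <<'EOF'
www.bing.com strict.bing.com
duckduckgo.com safe.duckduckgo.com
www.duckduckgo.com safe.duckduckgo.com
www.youtube.com restrict.youtube.com
m.youtube.com restrict.youtube.com
youtubei.googleapis.com restrict.youtube.com
youtube.googleapis.com restrict.youtube.com
www.youtube-nocookie.com restrict.youtube.com
EOF
}

# Render the dnsmasq config. A CNAME answer makes the browser load the page
# from the filtering endpoint, whichever browser or app sent the query.
render_conf() {
    safesearch_map | while read -r host target; do
        printf 'cname=%s,%s\n' "$host" "$target"
    done
    # Firefox resolves this canary name before enabling DoH on its own; an
    # NXDOMAIN answer keeps it on the Pi-hole (a user can still force DoH on).
    printf 'local=/use-application-dns.net/\n'
}

# Sanity-check a rendered file: every line must be cname=<name>,<name> or the
# local=/<domain>/ form, and no host may appear twice (dnsmasq requires each
# cname to be unique). Returns 0 on success.
check_conf() {
    bad=$(grep -v -E '^(cname=[A-Za-z0-9.-]+,[A-Za-z0-9.-]+|local=/[A-Za-z0-9.-]+/)$' "$1" | wc -l | tr -d ' ')
    dup=$(sed -n 's/^cname=\([^,]*\),.*/\1/p' "$1" | sort | uniq -d | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] && [ "$dup" -eq 0 ]
}

# Write the file, verify it, then reload Pi-hole's resolver so it takes effect.
install_conf() {
    render_conf > "$CONF" && check_conf "$CONF" && pihole restartdns
}

if [ "${1:-}" = "--install" ]; then
    install_conf
else
    render_conf
fi
```

Run it without arguments to see what would be written, with --install (as root on the Pi-hole host, or inside the container) to write the file and reload. A CNAME only helps when the query actually reaches the Pi-hole, so this belongs together with the port 53 redirect, and none of your adlists may block the target names (strict.bing.com, forcesafesearch.google.com, restrict.youtube.com), otherwise the search pages fail outright instead of loading filtered.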
 
Don't forget to block all DNS traffic other than what you want to allow. Also lock down devices to prevent DNS changes.
 
Yep. I put this in our router, so they hand them out to everything on the network. (y)
 
Double check. Because on my network if you set the DNS manually on a device, it overrides the router settings.
 
This is where gateway capabilities make a difference. For me doesn't matter what the device is set to as I have a rule that redirects all port 53 traffic not using internal dns ip to the internal.
 
Yea, need to spend some time figuring that out on my network. Currently:

Modem - Google mesh - UnRaid box with PiHole.

Well, Google Home app just updated and made it easier to find, but networking isn't my jam. Here's the screen it provides when I select my PiHole in the port forwarding screen:
[attached screenshot of the Google Home port forwarding screen]

Not real sure what to select here. Is External Port 53, and Internal Port the PiHole IP?
 
I think that will just redirect external traffic on a port to your Pi-hole's internal port.

What I am doing is port forwarding all internal traffic on 53 to the Pi-hole.

[attached screenshot of the port forwarding rule]
 
Ugh, don't see that kind of control on the Google Mesh. Might have to look at the modem's interface.
 
It is device specific, for how much control you have. One of the reasons I upgraded my core router was due to this capability.

My modem couldn't do this, good luck with yours.
 
Ugh, don't see that kind of control on the Google Mesh. Might have to look at the modem's interface.
The way I got around that on my Google WiFi was use Pi-hole for DHCP. That way it gives out the DNS to devices and then on my OPNsense firewall I block any DNS request not coming from Pi-hole.

Although before I had the OPNsense, the Google WiFi doled out my Pi-hole DNS (I have 2 of them so I forced a primary and secondary) to devices instead of some public DNS. That seemed to work well enough. I didn't see anything talking without going through the Pi-hole.
 
Double check. Because on my network if you set the DNS manually on a device, it overrides the router settings.
I control all the devices on the network, and it's an enterprise firewall so I'm sure there's some additional stuff to keep other DNS queries from happening... or not. I've never done any hardcore testing. I just didn't want the ISP's DNS servers or Google's.
 
Ugh, don't see that kind of control on the Google Mesh. Might have to look at the modem's interface.
I've never seen that level of control on anything other than enterprise stuff. :eek: What is that router?
 
Think my d-link router had similar but not as extensive control. Was under advanced lan settings, iirc. Either port-forwarding or routes. Edit: nvm, doesn't appear to support that. Coulda swore, though--maybe was my old zonet router.
 
The way I got around that on my Google WiFi was use Pi-hole for DHCP. That way it gives out the DNS to devices and then on my OPNsense firewall I block any DNS request not coming from Pi-hole.

Although before I had the OPNsense, the Google WiFi doled out my Pi-hole DNS (I have 2 of them so I forced a primary and secondary) to devices instead of some public DNS. That seemed to work well enough. I didn't see anything talking without going through the Pi-hole.
That's what I have set up right now... ish. My Pi-hole handles DNS. That was pretty easy to set up. (Though see my issues above re content blocking.) The issue I have now is that certain content gets around the settings depending on the search engine.

That said, if, for example, I go into my laptop's own DNS settings and set 1.1.1.1, it circumvents the Pi-hole.

May have to look at running OPNsense on my Unraid server, then, to get this all working. I have an extra NIC sitting around. I could probably use that and dedicate it to the DHCP capabilities. I think the Core i3 10100 should be up to the task of DNS plus DHCP and all the other things the box does.
I've never seen that level of control on anything other than enterprise stuff. :eek: What is that router?
I have the Nest Wifi Pro: https://store.google.com/product/nest_wifi_pro?hl=en-US&pli=1
3600 sq foot house means a single router just won't work. I had a gen1 Google Mesh until about 3 months back, and LOVED it. Alas, the ease of use and setup does mean some limited options for advanced settings.
 