Adding Pi-hole to My Homelab (and Where It Actually Belongs)
What I wanted
Network-wide ad blocking and DNS visibility without punching holes in my firewall or overloading IoT devices.
The environment
- pfSense as firewall/router
- Multiple VLANs (LAN, SERVER, IoT)
- Ubuntu server in SERVERNETWORK
- Cloudflare used for external access, not DNS filtering
The approach
I decided Pi-hole should live in SERVERNETWORK, not IoT, and be treated as shared infrastructure rather than a “network accessory.”
pfSense remains the authority; Pi-hole provides visibility and filtering.
The setup
- Pi-hole installed on the Ubuntu server
- pfSense configured to forward DNS queries to Pi-hole
- Conditional forwarding enabled so Pi-hole can resolve local hostnames through pfSense and show client names instead of bare IPs
- No direct DNS access allowed from IoT to WAN
I avoided device-by-device DNS overrides.
What broke or surprised me
- Some IoT devices fail silently when DNS responses are filtered
- Not all “ads” are safe to block at the network layer
- Not all ads will be blocked at the network layer. Some companies, such as Google, are well versed in updating their services, so getting ads fully blocked on services such as YouTube does not fully work. I will admit, however, that I have noticed significantly fewer ads since the install.
- Visibility mattered more than blocking at first
What I’d do differently
Start with monitoring-only mode before aggressive blocking. Document allowlists earlier.
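The "monitoring-only first" approach above, and the silently failing IoT devices from the previous section, are easier to act on with a quick per-client triage of Pi-hole's query log. The script below is an added example written for this post, not Pi-hole's or pfSense's own tooling. It assumes the dnsmasq-style `/var/log/pihole/pihole.log` wording used by Pi-hole v5 (`query[A] name from client`, `gravity blocked name is 0.0.0.0`), an IoT VLAN of 192.168.30.0/24 and a LAN of 192.168.10.0/24 (made-up addressing), and that clients query Pi-hole directly: if pfSense's resolver forwards on their behalf, every query appears to come from pfSense and the per-device breakdown collapses to one row. The log lines are constructed, not captured.

```python
"""Triage Pi-hole query logs per client before turning on aggressive blocking.

Added example; assumes Pi-hole v5 pihole.log (dnsmasq) wording and that the
'from' address is the real device, not the pfSense resolver.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log: a thermostat on the (assumed) IoT VLAN retrying one
# blocked name every few seconds, and a LAN client with ordinary browsing.
SAMPLE_LOG = """\
Jan 10 08:00:01 dnsmasq[812]: query[A] api.thermostat.example from 192.168.30.21
Jan 10 08:00:01 dnsmasq[812]: forwarded api.thermostat.example to 1.1.1.1
Jan 10 08:00:01 dnsmasq[812]: reply api.thermostat.example is 203.0.113.10
Jan 10 08:00:05 dnsmasq[812]: query[A] metrics.thermostat.example from 192.168.30.21
Jan 10 08:00:05 dnsmasq[812]: gravity blocked metrics.thermostat.example is 0.0.0.0
Jan 10 08:00:09 dnsmasq[812]: query[A] metrics.thermostat.example from 192.168.30.21
Jan 10 08:00:09 dnsmasq[812]: gravity blocked metrics.thermostat.example is 0.0.0.0
Jan 10 08:00:13 dnsmasq[812]: query[A] metrics.thermostat.example from 192.168.30.21
Jan 10 08:00:13 dnsmasq[812]: gravity blocked metrics.thermostat.example is 0.0.0.0
Jan 10 08:01:00 dnsmasq[812]: query[A] www.example.com from 192.168.10.50
Jan 10 08:01:00 dnsmasq[812]: forwarded www.example.com to 1.1.1.1
Jan 10 08:01:02 dnsmasq[812]: query[A] ads.example.net from 192.168.10.50
Jan 10 08:01:02 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jan 10 08:02:00 dnsmasq[812]: query[AAAA] www.example.com from 192.168.10.50
Jan 10 08:02:00 dnsmasq[812]: cached www.example.com is NODATA-IPv6
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<domain>\S+) from (?P<client>\S+)")
# Block verdicts written by Pi-hole's FTL build of dnsmasq (assumed v5 wording).
BLOCK_RE = re.compile(r"(?:gravity blocked|exactly blacklisted|regex blacklisted) (?P<domain>\S+) is ")


@dataclass
class ClientStats:
    queries: int = 0
    blocked: int = 0
    blocked_domains: Counter = field(default_factory=Counter)

    @property
    def block_ratio(self) -> float:
        return self.blocked / self.queries if self.queries else 0.0


def parse_pihole_log(text: str) -> dict[str, ClientStats]:
    """Attribute each block verdict to the client that last asked for that name.

    dnsmasq logs the verdict on a separate line without the client address, so
    the most recent querier per domain is remembered. Concurrent lookups of the
    same name from different clients can be misattributed; Pi-hole's FTL
    database is the authoritative source if exactness matters.
    """
    stats: dict[str, ClientStats] = defaultdict(ClientStats)
    last_querier: dict[str, str] = {}
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            client, domain = m["client"], m["domain"]
            stats[client].queries += 1
            last_querier[domain] = client
        elif m := BLOCK_RE.search(line):
            client = last_querier.get(m["domain"])
            if client is not None:
                stats[client].blocked += 1
                stats[client].blocked_domains[m["domain"]] += 1
    return dict(stats)


def allowlist_candidates(stats: dict[str, ClientStats], cidr: str, min_repeats: int = 3):
    """Names a device inside `cidr` keeps retrying against a block verdict.

    Re-asking the same blocked name every few seconds is the usual signature of
    a device that is failing silently; these are the entries to review and
    document before deciding whether to keep blocking them.
    """
    net = ipaddress.ip_network(cidr)
    out = []
    for client, s in stats.items():
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostnames or scoped IPv6 addresses: skip
        if addr not in net:
            continue
        for domain, n in s.blocked_domains.most_common():
            if n >= min_repeats:
                out.append((client, domain, n))
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))


if __name__ == "__main__":
    stats = parse_pihole_log(SAMPLE_LOG)
    for client, s in sorted(stats.items()):
        print(f"{client:16} queries={s.queries:3} blocked={s.blocked:3} ratio={s.block_ratio:.2f}")
    for client, domain, n in allowlist_candidates(stats, "192.168.30.0/24"):
        print(f"review: {client} retried blocked {domain} x{n}")
```

Run it against a real log with `python3 triage.py < /dev/null` after swapping `SAMPLE_LOG` for `open("/var/log/pihole/pihole.log").read()`; the LAN client's single blocked ad is noise, while the thermostat's repeated retries are exactly the kind of entry worth recording in an allowlist (or consciously leaving blocked) before the blocklists are tightened.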
Where this fits in the system
Pi-hole sits between pfSense and clients as an observability and filtering layer. If it goes down, pfSense still routes traffic, but because pfSense forwards DNS to it, name resolution stops until it is back unless pfSense's resolver is given a fallback upstream. It is not a single point of failure for routing, but it is one for DNS until that fallback exists.