What I wanted

Network-wide ad blocking and DNS visibility without punching holes in my firewall or overloading IoT devices.

The environment

  • pfSense as firewall/router
  • Multiple VLANs (LAN, SERVER, IoT)
  • Ubuntu server in SERVERNETWORK
  • Cloudflare used for external access, not DNS filtering

The approach

I decided Pi-hole should live in SERVERNETWORK, not IoT, and be treated as shared infrastructure rather than a “network accessory.”

pfSense remains the authority; Pi-hole provides visibility and filtering.

The setup

  • Pi-hole installed on the Ubuntu server
  • pfSense, which clients already use as their resolver, configured to forward DNS queries to Pi-hole
  • Conditional forwarding enabled so Pi-hole sends local-domain and reverse (PTR) lookups back to pfSense, and the query log shows hostnames instead of bare IPs
  • No direct DNS access allowed from IoT to WAN: the IoT firewall rules only permit DNS to pfSense, so devices with a hardcoded public resolver cannot bypass Pi-hole

I avoided device-by-device DNS overrides.

What broke or surprised me

  • Some IoT devices fail silently when DNS responses are filtered
  • Not all “ads” are safe to block at the network layer
  • Network-level blocking has limits. Services like YouTube change often enough that complete blocking is unrealistic, even when overall ad volume goes down noticeably.
  • Visibility mattered more than blocking at first

What I’d do differently

Start with monitoring-only mode before aggressive blocking. Document allowlists earlier.
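An added example, not code from the original post: a small Python triage script for the monitoring-only phase. It reads query-log lines in the dnsmasq format Pi-hole writes to /var/log/pihole.log (the line format and the "gravity blocked" wording are assumed, the sample lines are constructed, and the IoT range 192.168.30.0/24 is an assumption), attributes each blocked answer to the client that asked, reports the share of IoT queries being blocked, and lists names an IoT device keeps retrying while blocked. That retry loop is the silent-failure pattern from the list above, and the list it produces is the starting point for an allowlist.

```python
"""Triage Pi-hole query logs for one VLAN before enabling aggressive blocking.

Reads dnsmasq-style lines as Pi-hole writes them to /var/log/pihole.log
(format assumed), attributes each blocked answer to the client that asked,
and reports which IoT devices keep re-asking for names that are blocked.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# dnsmasq logs the client only on the query line; the blocked-answer line
# names just the domain, so attribution uses the most recent query for it.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<domain>\S+) from (?P<client>\S+)$")
BLOCKED_RE = re.compile(r"(?:gravity|regex|exactly) blocked (?P<domain>\S+) is ")

IOT_CIDR = "192.168.30.0/24"  # assumed IoT VLAN range

# Constructed sample lines (not a real capture); hostnames are placeholders.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[1234]: query[A] metrics.vendor.example from 192.168.30.21
Jan 12 10:00:01 dnsmasq[1234]: gravity blocked metrics.vendor.example is 0.0.0.0
Jan 12 10:00:02 dnsmasq[1234]: query[A] api.vendor.example from 192.168.30.21
Jan 12 10:00:02 dnsmasq[1234]: forwarded api.vendor.example to 10.0.10.1
Jan 12 10:00:05 dnsmasq[1234]: query[A] metrics.vendor.example from 192.168.30.21
Jan 12 10:00:05 dnsmasq[1234]: gravity blocked metrics.vendor.example is 0.0.0.0
Jan 12 10:00:09 dnsmasq[1234]: query[AAAA] metrics.vendor.example from 192.168.30.21
Jan 12 10:00:09 dnsmasq[1234]: gravity blocked metrics.vendor.example is ::
Jan 12 10:00:12 dnsmasq[1234]: query[A] ads.example.net from 192.168.10.50
Jan 12 10:00:12 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Jan 12 10:00:15 dnsmasq[1234]: query[A] time.example.org from 192.168.30.33
Jan 12 10:00:15 dnsmasq[1234]: forwarded time.example.org to 10.0.10.1
Jan 12 10:00:20 dnsmasq[1234]: query[A] metrics.vendor.example from 192.168.30.21
Jan 12 10:00:20 dnsmasq[1234]: gravity blocked metrics.vendor.example is 0.0.0.0
"""


def parse_log(text):
    """Return one dict per query line, with blocked=True if a block line followed it."""
    events = []
    latest = {}  # domain -> index of the most recent query event for that name
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            events.append({"client": m["client"], "domain": m["domain"],
                           "qtype": m["qtype"], "blocked": False})
            latest[m["domain"]] = len(events) - 1
            continue
        m = BLOCKED_RE.search(line)
        if m and m["domain"] in latest:
            events[latest[m["domain"]]]["blocked"] = True
    return events


def in_vlan(client, cidr):
    """True if the client string is an IP address inside the given network."""
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(cidr)
    except ValueError:  # hostname or malformed address: not attributable to the VLAN
        return False


def blocked_by_client(events, cidr=IOT_CIDR):
    """Blocked-query counts per domain, per client inside the VLAN."""
    summary = defaultdict(Counter)
    for ev in events:
        if ev["blocked"] and in_vlan(ev["client"], cidr):
            summary[ev["client"]][ev["domain"]] += 1
    return dict(summary)


def blocked_ratio(events, cidr=IOT_CIDR):
    """Share of the VLAN's queries that were blocked: the monitoring-mode headline number."""
    vlan = [ev for ev in events if in_vlan(ev["client"], cidr)]
    if not vlan:
        return 0.0
    return sum(ev["blocked"] for ev in vlan) / len(vlan)


def candidate_allowlist(summary, min_repeats=3):
    """Names a single device keeps retrying after being blocked.

    A device that fails silently usually re-queries the same name in a loop,
    so repeated blocks from one client are the first thing to review.
    """
    rows = [(client, domain, n)
            for client, counts in summary.items()
            for domain, n in counts.items() if n >= min_repeats]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(f"blocked ratio on {IOT_CIDR}: {blocked_ratio(evs):.0%}")
    for client, domain, n in candidate_allowlist(blocked_by_client(evs)):
        print(f"{client} retried {domain} {n}x while blocked -> review for allowlist")
```

Run it against a copy of the real log once blocking is on; a row in the allowlist output is a device to check before assuming the block was harmless, since the device itself will not tell you.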

Where this fits in the system

Pi-hole sits behind pfSense in the resolution path (clients → pfSense → Pi-hole → upstream) as a filtering and observability layer. If it goes down, pfSense still routes traffic, and because no client points at Pi-hole directly, resolution can be restored by pointing pfSense at a fallback upstream in one place, so the network degrades more gracefully than a full outage.