anthropodie
car
Wow, was debugging a dockerized Pi-Hole when I saw this comment.
Now I'm running AdGuardHome on an EdgeRouter-POE, very slick install via script!
Happy to move on from constantly handholding Pi-Hole. I had to move it from a Raspberry Pi to an Intel NUC earlier, since the raspi SD-card had crapped out.
Yay for efficient programming!
Edit: Also great to see that AGH has secure DNS built in. My Pi-Hole solution required cloudflared [0] for that.
t0bia_s
AdGuard is a Russian company with headquarters in Cyprus since 2014. Cyprus hasn't a good reputation for business.
anthropodie
Just because it's Russian does not mean it's bad. Jetbrains is also Russian.
ct0
Jetbrains moved out of Russia.
konaraddi
JetBrains was founded in Czechia and its HQ is in Czechia.
t0bia_s
I didn't say that.
pandemic_region
Agreed, the fact that it's a single binary made me switch from pi-hole. I don't need to run an extra device now, AdGuard runs directly on my edgerouter-x.
AnIdiotOnTheNet
> You don't need docker or LAMP stack. Just pull binary and run it.
It's almost like there's a lot of needless overhead in modern software or something.
MehdiHK
Came here to write about AdGuardHome too. I was a PiHole user until I found this. So much more polished, so much better. These folks deserve more publicity.
NegativeLatency
Agreed, I recently migrated from pihole to adguard and the reliability and general ease of use have been much better.
pseudoramble
This is cool. I was planning on setting up a PiHole soon, but maybe I'll try this instead. Are there any downsides you've noticed?
Also, I'm cool with a paid product, but it looks like this one is open source? I know they have paid products, but I can't figure out if it relates to this at all?
ct0
Check out nextdns if you don't want to host your own.
voidee
Agreed! I switched to a Gli.net Flint router which has AdGuard built in. It’s incredibly simple to set up compared to a separate pi-hole and easy to edit a custom Allow/Block list. No hesitation in recommending this to non-technical people too.
kingsloi
I used a Pi-Hole for all devices in my house, including my work MacBook. They manage their MacBooks with JamF, so most things are pretty locked down (including DNS settings in System Preferences). Sudo access is only possible if you open up the Self Service app, login, and issue yourself sudo/admin access for 6 hours. Once it expires, you have to issue yourself admin/sudo access again. No sudo = no changing DNS.
I set it and forgot it, until I went to Estes Park, Colorado over the Christmas holidays one year. I travelled with my MacBook just in case anything popped off... and it did. I logged into my MacBook, but quickly realised that although I could connect to WiFi as normal, no DNS would resolve (it was pointed to 192.168.1.100 of my home network), and I couldn't connect to anything - including logging in to the Self Service app to re-issue sudo access, to change the DNS. I had to walk a new colleague through how to handle the scandal over the phone, driving through the mountains... thank goodness for good cell service!
mig39
The trick is to have the pi-hole in your home network, and have your router's DHCP server give it out as the DNS server.
That way when you're home, you get the pi-hole, but when on the road, you get whatever DNS is given for the network you're connected to.
msravi
The best config I've found is to have the pihole use NextDNS as its upstream server and have the DHCP server on the router hand out the pihole's ip as the DNS server. Have tailscale set up on the pihole as a subnet router so it gives you access to your home network on the move. Then have your tailscale dns point to the tailscale ip of your pihole.
All machines on your local net now use the pihole as dns as handed out by the router, and when you roam tailscale routes your dns to your pihole.
If you're travelling overseas though, it makes sense to reconfigure tailscale to use NextDNS directly so its faster.
shepherdjerred
Why have pihole at all if you have NextDNS?
t0bia_s
Well... If you trust NextDNS and Tailscale. Basically you add a man-in-the-middle to your DNS queries.
c0nsumer
Yes, this. Although it's not so much a trick and more managing your home network so it's like any other. Computers connected to the network should automatically detect everything they need to work normally, so no manual settings are needed.
Otherwise, as the parent poster realized, moving the device to another network will require manual changes. And then changes again when you get back.
vdqtp3
The real trick is to run WireGuard and always be on your home network, benefiting from PiHole
t0bia_s
MikroTik's RouterOS is able to run pi-hole in a container directly on the router, as well as WireGuard, which is now in the OS by default.
I'm just not able to configure a custom upstream in pi-hole (i.e. Unbound or NextDNS). Probably some firewall rule or something related to the container settings needed for it to work with pihole.
ChainOfFools
Wireguard has now been in the kernel for OpenWRT releases since 20.xx (maybe earlier?) so you don't even need a Pi if you have a decently robust router that will take OpenWRT. Netgear R7800s are a sweet spot for this setup, dual core 1.9 GHz ARM A15 and they even have an eSATA port.
kingsloi
I've been meaning to look into WireGuard!
sneak
Then you lose all your blocking/filtering when you're least equipped to deal with the noise. I use NextDNS via DoH which a) works the same everywhere and b) encrypts the DNS traffic out of the machine.
twodave
This is why I have my rpi4 set up as 1) a Pi-hole, 2) Wireguard VPN host and 3) DHCP DNS server on my home network. That way, as long as I am connected to the VPN from my phone I get no ads. If there's any kind of network issue at my house I can just disable the VPN on my phone. This also has a side benefit that I can use my phone's wi-fi hotspot to remote into my work machine at home as needed.
geerlingguy
And if you use Pi-VPN too, you can connect back to your home network and get the same network experience on the road :D
tristor
Sounds awful, most consumer connections have restricted upstream (like 1200/25 Mbps). Instead just take a travel router (GL-Inet makes nice ones) with you, set up to use Wireguard and Mullvad and to internally serve DNS from NextDNS.
kingsloi
That was always on my to do list!
zrail
I treat my work laptop as a hostile entity on my network. It connects to a dedicated Wi-Fi network with client isolation enabled and on a dedicated VLAN with no access to other VLANs, just egress to the internet. DHCP serves 8.8.8.8 as DNS.
On the trusted VLAN I use Technitium as DNS and DHCP. I don't use any block lists, though, because I had too many complaints from other network users. Technitium is mostly just because it's easy to manage DHCP hostnames and other DNS records in the same UI.
runjake
As a person who manages workplace malwar^Wdevice management software, this is a wise choice. You can gather so much information from home networks, just by passively listening.
eertami
Care to share any concrete examples on "useful" information that has been gathered this way?
Also, FWIW, I'm assuming this hypothetical software is clever enough to only function in jurisdictions where that would be legal? Spying on your employees home network is a massive no-no here, you'd need some very deep pockets if you wanted to attempt it, because when you are found out you'll be paying a lot of compensation for privacy violations.
tristor
Treating it as a hostile entity is definitely the right way to go.
tgamma
Could you please explain what router/access point hardware or software you use to accomplish these VLAN-separated Wi-Fis? Thank you!
zrail
Sure! I use TP-Link Omada access points and a mix of managed L2 switches (TP-Link, Unifi, Brocade, Mikrotik). My router is VyOS running on a used commodity SFF box.
I know you can accomplish the same thing with Unifi access points and security gateway and of course Ruckus, Cisco, Aruba, etc will as well. I don't know of any residential equipment that will but I haven't used residential Wi-Fi gear for almost a decade.
The setup is:
- traffic on a particular SSID gets tagged with a VLAN at the AP
- That VLAN is tagged on all of the switch ports between the AP and the router
- the router's firewall is configured to block the guest subnet from the other local subnets and allow internet egress
artificialLimbs
How do you move files over from work laptop if you want to keep something on homenet?
lolinder
My bet would be that if they're quarantining their work device, they also don't use it for anything other than work, and don't use any other device for work. If that's the case this would never come up.
kingsloi
Interesting! I should do the same!
yjftsjthsd-h
Wait, your work laptop only lets you perform administrative tasks on the local machine if it can connect over the internet to corporate, and that includes being unable to modify certain network settings without first having a working network uplink? That sounds like something that was always guaranteed to break in an awkward way, not a particular problem with the DNS server that you happened to be using that day.
kingsloi
Yeah exactly! Just once (every x hours) but always required for anything sudo, and it's really buggy, too. Restarting stuff, installing some stuff with brew sucks especially, even updating some apps all require sudo. I've resorted to stacking the prompts in my lower right corner until I have to do to
gangstead
That's why I ultimately stopped using my pi-hole. It works great most of the time, but there are enough exceptions that other users on my network (wife and kids) weren't able to address. I now use the adguard public DNS service and am quick to toggle it off when connecting to other networks when out and about.
tristor
This is why I recommend folks instead use NextDNS and a DoH resolver proxy on their edge device. Plus Pis have poor resilience to power issues which are commonplace.
Using NextDNS you are getting the same capability served by a global anycasted network of resolvers and it can work even on your phone while away from home (because the mobile web is even more gross).
runjake
I love, use, and subscribe to NextDNS, but round trip times from my house to their nearest Anycast address are large enough to notice a substantial difference loading webpages, over using a local caching DNS server (or 8.8.8.8 Anycast, for that matter).
tristor
Yes, that is true. They don’t have as many PoPs as Google and Cloudflare do. This is why I use a local caching resolver in front of it. If you use Firefox on desktop and configure it to use DoH it also internally caches which greatly helps performance.
The benefits outweigh the downsides, and at least in North America the performance is good.
mycentstoo
Have you tried adding yourself to the Sudoers file? My work didn’t see that workaround and now I always have sudo permissions.
chasd00
hate to be "that guy" but you may want to look into the employee consequences of knowingly circumventing the intent of a security control.
feet
You could set up a VPN for cases like that. Just VPN into your home network to have all your usual services and dns
yabones
Wouldn't help here, since most people have to use DDNS to connect back home since residential IPs change constantly. And with no DNS resolver, no DDNS lookup, no phone home.
Best way to handle it is to just reconfigure your router to hand out the pihole dns server to all the clients on your network. That way it's automatic when at home, and doesn't override anything when you're away.
dspillett
Another option is to make your pi-hole semi-public, so you can reach it whatever network you are on. You don't want the world and his dog's fleas using your DNS resolver though, so you'd have to arrange some form of port-knocking or other authentication solution to temporarily open up the relevant ports to you (or at least just the network local to you) and not everyone.
Another hack to consider is running pi-hole in a VM or container on the laptop itself, and have it act as a filtering cache for a more public resolver. Though this imparts an administrative load, you no longer have a single pi-hole so either need to configure it separately or arrange for it to be able to sync with config on your main instance.
Both these arrangements will have trouble if you find yourself on a network that blocks DNS requests to anything other than its local resolvers (though for the pi-hole-on-laptop you can always reconfigure pi-hole to look at the local resolvers if/when needed), so the VPN option is better where available. If you have no static IP at your base of operations, there is always the option of a cheap VPS somewhere to be the VPN endpoint – essentially my first paragraph but your “port knocking” is connecting to the VPN, with pi-hole either on that machine or a machine also connected to the same VPN to get around its lack of fixed public address. Though back to the adversarial local network problem: if the network blocks DNS queries to non-local resolvers it is not unlikely to try to block VPNs too.
robby_w_g
I think tailscale could handle this problem pretty well: https://tailscale.com/kb/1114/pi-hole/
You can configure the default DNS for devices when they connect to tailscale. This way, pi hole is opt in for users who want to set up tailscale.
Disclaimer: I haven't tried this myself since I have Mullvad ad blocking setup and I'm lazy
HelenePhisher
You could just use Tailscale.
feet
My method is to set up wireguard from my home network to a cheap VPS. I can then VPN into that VPS and get into my home network since the VPS has a static IP
But as others mention tailscale also works
manibatra
To solve this exact problem Pi-Hole is set up as the DNS server on my home router. Hence when out and about the DNS is not bound to Pi-Hole. When I am out I use Tailscale to tunnel my DNS queries to Pi-Hole at my home. Easy and reliable ad blocking on the go.
tkuraku
I think the best way to set pihole up is to use the docker image, https://github.com/pi-hole/docker-pi-hole/. Run it on a pi or any other computer with docker. Upgrades are painless.
hoherd
I firmly agree, but would make an even more specific recommendation to use the docker-compose setup so that redeploying the same customizations is easy. I do this on two different hosts so I have redundant DNS, and it's been working great for several years.
https://github.com/pi-hole/docker-pi-hole/blob/62ca934d07/ex...
smolyeet
If you’d like a gui, portainer is a nice way to manage all of your docker compose files as stacks
tkuraku
Yes. Docker compose is the way to go.
uzername
I went with the pihole in docker approach with an Ubuntu 22.04 machine. Pretty smooth, I had a few quirks with docker desktop for linux that might not show up otherwise. Definitely my recommendation too.
m0sa
I have my Pis in a swarm and use `docker stack deploy` to deploy my Pi-Hole setup (with cloudflared for DoH etc) remotely from my desktop PC.
JadoJodo
I managed a Pi-Hole in my house for about 4 years, and then I found NextDNS. I'm not a person who shies away from doing things the complicated way (because it's fun or makes life better), but paying only $19/yr to have everything managed automatically for me was a no-brainer. Not having to worry about my mobile devices using it, too, was icing on the cake.
MattSayar
NextDNS is essentially Pi-Hole as a Service, and I'm really happy with it since I just switched from my Pi-Hole days ago. One of Pi-Hole's biggest limitations is that it only worked on my local network, but NextDNS works anywhere you can specify your DNS settings.
Additionally, my Pi-Hole would frequently (at least once a month) require reboots and troubleshooting. That's the last thing I want to do (with family (im)patiently waiting) after working all day.
Drblessing
How does NextDNS compare to Cloudflare WARP?
404mm
Thanks for this!!
Do they have any “tools” to temporarily allow some blocked content from a device? Or does one have to go to web and adjust the profile?
JadoJodo
It doesn't have the "pause" button, like pi-hole has. But I just check the logs and see why it was blocked, and then whitelist (if needed).
groovybits
This is false. My NextDNS clients on macOS, iOS, and iPadOS devices all feature a Disable toggle that stops all blocking and allows un-blocked DNS resolution.
I don't use Windows at home, but I imagine there is a similar toggle.
404mm
Looks like there is a way to “pause” NextDNS. To have this ability, you have to set it up via their App and not the (recommended) configuration profile. Then you will gain a simple app with Enable/Disable toggle.
piersj225
My NextDNS account is amazing, does anyone else use it with Pi-Hole?
I have my traffic going to Pi-Hole, which forwards it to a stubby instance, which encrypts it and forwards it to NextDNS. When I'm out, my phone just sends it straight to NextDNS.
t0bia_s
Pi-hole won't catch your DoH queries if you set up private DNS on your phone.
Drblessing
How does NextDNS compare to Cloudflare WARP?
shepherdjerred
NextDNS is pretty good. My only gripe is that it's a chore to unsubscribe from emails because unsubscribe links often have trackers that NextDNS blocks, so I have to go into the NextDNS console and add a temporary exception.
MattSayar
In the Privacy settings tab, there's an option to enable/disable affiliate links: "Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link."
fermentation
I feel the same way. With my pi-hole I had an easy button to disable filtering for a few minutes so that I could determine if something broke because of that. NextDNS doesn't have that for some reason.
t0bia_s
Why do you trust NextDNS?
lokimedes
A thing that is needed when combining an RPi with Unbound is a way to resynchronize the system time after power cuts. The standard NTP setup is driven by DNS hosts, and Unbound, at least with DNSSEC validation, is time sensitive. The ballet of NORESOLVE is a nightmare. This happens easily due to the lack of a realtime clock on the Pi. A local GPS with PPS, a dirty IP-based set of NTP hosts or a shell script can solve it, but this should be part of an extensive guide, in my pained opinion :)
totalZero
The easiest solution for 90% of unexpected rPi power-down cases is a small uninterruptible power supply.
Sohcahtoa82
Another option is to try to find an old and super cheap laptop and use that instead. Maybe find one with a broken screen or busted keyboard or something that you won't care about.
Laptops basically have a UPS built-in.
dylan604
This is essentially what my MBP with butterfly keyboard has been relegated to in life. The keyboard is unusable, it's too expensive to repair, but it's not a shitty enough computer to just throw away, and there's practically no trade-in value either. So, there it sits in a closet, on a top shelf, just acting as a remote device doing random things as I assign it tasks.
However, cheap is not how I would have described it ;-)
hoherd
Better still, do both. Power your Pi off of your laptop server to get the benefits of its built-in battery acting as a UPS for both devices.
bityard
Are there any you could recommend? Most that I have looked at cost about the same or more as a Pi in the first place and don't even come with batteries.
totalZero
I use a big one (think CyberPower and APC) for a small collection of devices including some network hardware. Smaller ones from those brands or AmazonBasics cost around 50 bucks, battery included. I tried a UPS hat, which would have been the most clean-cut solution, but it failed and the battery bloated.
bombcar
If you power your Pi via USB just use a phone USB bank that works via passthrough. (I don't actually have one to recommend but just one that can charge and discharge at the same time).
dotBen
Tip: don't run Pi-Hole or any of these containers on a Pi, they're underpowered, flaky and now hard to get. I run several docker containers, including Pi-Hole, on a Lenovo ThinkCentre thin client which I run headless next to my router. Purchased "used" for $120 from eBay, it was actually overstock and brand new. Tons more processing power and RAM than a Pi, an SSD, and for basically the same price all in as a Pi. Just wipe the old version of Windows and install your favorite *nix flavor.
Every time I need another containerized app to run I'm up and running in just a few minutes with plenty of headroom left on the small box.
See: https://arstechnica.com/gadgets/2022/11/used-thin-client-pcs...
shasts
I was concerned with the power draw. But as per the article, it looks like the difference is negligible.
I assumed being ARM, pi was supposed to draw lower power. Looks like not the case.
Found another study confirming the same.
https://uni.hi.is/helmut/2021/06/07/power-consumption-of-ras...
eiiot
I’ve had AdGuard Home running on a Raspberry Pi for about a year, and it’s great. It’s basically a set & forget system, meaning you almost never have to visit the dashboard unless you want to whitelist or blacklist a site. And, I’ve found it to be reasonably effective for blocking ads where ad-blockers can’t, at least on iOS.
mattrighetti
I've used both, and I have found AdGuard Home to be slightly more reliable. These are the major things that made me switch to AGH:
1. Incredibly fast and easy to install compared to pi-hole
2. It's easier to update because you don't have to ssh into the raspberry, you can just update the thing through the user interface.
3. From time to time, it happened that the pi-hole hung, DNS resolution did not work and I needed to reboot the thing to make it work again. I am not sure how widespread this is but I've seen many other users complain about this particular issue (even though it's a once-per-month thing).
(4. Better APIs)
For an in-depth comparison between the two you can take a look at the AGH GitHub Page[0]
[0]: https://github.com/AdguardTeam/AdGuardHome#comparison-pi-hol...
GeekyBear
There are several public DNS servers that have block list functionality built in.
This has the advantage of working on any kind of device that allows you to manually specify a DNS server IP address, without having to install or maintain software.
For example, AdGuard maintains public DNS server IP Address options that: filter nothing, filter out ads and trackers, or filter out ads, trackers and adult content.
bippingchip
I can confirm. Set and forget all the way. Works very well on iOS and also on Samsung smart TVs (those are evil without some form of ad blocking!)
Hardest part for me in the setup was that AdGuard should query my router for the local domain, because that one keeps track of which DHCP IP address is owned by which host. (This way I can always use host names on my internal network even for devices that get an address via DHCP. Very convenient if you play with Pi Zero and other toys.)
JKCalhoun
I can't figure out from their site if it is free or whether you need a registration key for it to be able to access their white/black lists?
anthropodie
AdGuardHome is free but AdGuard is not. What you are looking for is https://github.com/AdguardTeam/AdGuardHome
alias_neo
Pi-Hole is a great starter DNS blocker, but for anyone that isn't interested in the pretty graphs and wants more advanced control: I switched to AdGuard Home and found it more capable.
A4ET8a8uTh0
So here is a real question. Is pihole ( or its equivalent ) enough in today's adversarial environment ( everyone wants to track your internet moves )? I have my thoughts on the subject, but I am curious how everyone's setup evolved.
Brajeshwar
I'm, honestly, not so much as trying to avoid being tracked entirely. However, I have moved from Pi-Hole to NextDNS to Adguard/DNS/VPN with Apple Private Relay (ON). One day, I want to revamp and setup a better infrastructure but this works for now.
I'm OK with paying for services that the family uses and get returns out of them, such as the YouTube Premium. So, I'm not fighting tooth-n-nail to avoid ads where I can just buy it out.
I have seen and have even tried browsing the Internet without these basic tools (AdBlockers), and I'm stunned at what the world has evolved into and how people are on the Internet without these basic safeguards.
The only problem I have is with a few government/banks/insurance website that I have to strip out and go in naked to get things done.
t0bia_s
"...and I'm stunned at what the world has evolved into and how people are on the Internet without these basic safeguards."
The world is ruled by money. Advertising is big. Anything that ruins this business will never be advertised publicly. Just imagine huge posters or ads on TV in prime time for pi-hole or AdGuard. That would be a paradox not just for advertisers but also for a product that is meant to work against advertising.
A4ET8a8uTh0
<< I'm not fighting tooth-n-nail to avoid ads where I can just buy it out.
Agreed. As long as there is an option to avoid it, I am ok with paying for it ( Hulu adfree tier comes to mind ).
<< not so much as trying to avoid being tracked entirely.
Agreed. That might be overkill for the benefit it provides.
<< I want to revamp and setup a better infrastructure
I keep talking about it with my friends, but I can't find enough motivation ( and there is always an excuse not to ).
squarefoot
Pi-Hole does a lot but it acts against DNS queries, that is, requests done in the open through normal name resolution. If a malicious software or piece of hardware wants to pester the user with ads, or spy on them, through connections to hardcoded IPs without using DNS queries then only a properly configured firewall can be effective. At least until said malware decides to use a well known service nobody would block to phone home, for example by having a mail client buried in the code that exchanges encrypted blobs with user data and/or ads through a gmail address; who would ever block gmail? In that scenario, if that is a device that doesn't need mail functionality, for example a Smart TV rather than a PC, a dedicated firewall that blocks any non essential connection to the outside would be mandatory just for that device.
NotYourLawyer
No, but it’s a lot better than nothing. I also browse with JS disabled by default, only enabling it on the sites where I need to and am willing to.
alias_neo
Pi-Hole is just one step in multiple layers when it comes to protecting yourself; I'd say its main benefit is twofold: ad-blocking, and related benefits, and secondly script/malware blocking.
I'd also recommend browser-based blockers for desktop and mobile, uBlock Origin being the best in my opinion, and couple that with others as required.
Find and use a few different upstream, privacy-conscious providers. I'm not convinced of the efficacy of paid VPNs, but by all means obtain and use one under your own control for when you're out and about on "hostile" (read: not home) networks.
totalZero
No, but it reduces the % of your bandwidth that gets used for loading ads and other junk that clutters and/or slows down your internet experience.
syntaxing
NextDNS has been a game changer. I highly recommend it if anyone wants something similar.
stranded22
I agree with you.
I had nextdns, moved to pihole but the maintenance was frustrating, and I couldn’t use it outside of my home network (without more work with setup).
So went back to nextdns - I have set up different profiles depending on who is using it (so my wife is on a light version, no logging, whereas my 9 year old son is on a locked-down version with logging).
It just makes things simpler and is very reasonably priced
Sohcahtoa82
> I had nextdns, moved to pihole but the maintenance was frustrating- and I couldn’t use it outside of my home network (without more work with setup).
Maintenance? What maintenance?
I set up my PiHole a couple years ago and haven't touched it since.
Granted, I didn't set mine up on a Pi, I set it up on my EC2 box in AWS. That way, I could have ad blocking on my phone without needing to expose my home network.
cshokie
I made the same pihole to NextDNS transition. My pihole worked well for 3 years or so. Well enough that I allowed it to become inaccessible without moving lots of furniture.
Then the SD card died. Instead of digging it out to fix it I tried NextDNS and found it works as well or better while also being less work. Well worth $20 to me.
antihero
How do you use NextDNS with hard-to-configure devices? A lot of its config seems to require DNS-over-HTTPS which I'm not sure my Smart TV would support.
tristor
You run a DoH or DoT proxy on your edge device or a caching resolver that supports DoH on your edge device, serve DNS from the edge device over DHCP and block outbound DNS from other devices on the network at the firewall. Doesn’t fix evil Google devices that intentionally use DoH to bypass DNS blocking, but there are ways (more complicated, unfortunately) to fix that too.
MattSayar
I have my home router pointing to their DNS servers, and then NextDNS links your public IP to your account. This ensures all your local devices are using it.
But what if your IP changes? NextDNS provides a URL you can call manually to resync your IP address. I recycled my PiHole with a cron job to just call it every minute.
mabbo
Does anyone know of a solution that would let me slow down access to certain websites, ideally just for certain devices?
I feel like I wouldn't just default to opening HN and reddit all the time on my phone if I knew it was bandwidth capped to dial-up speeds. But if there was something critical there, I would still have access.
dylan604
How slow of a connection would you need to emulate to get HN to be painful to use? It's just text. I've never done that most evil hacker thing of View Source, but can't imagine it being shockingly bloated.
HN looks like it would do well back in the 14.4 dial-up days. Hell, it would probably be okay using an I/O port on an Arduino at 9600 baud.
hunter2_
A traffic shaper can do that, but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify. As long as HN and Reddit don't share edge servers with things you want unshaped, it should be straightforward.
The "only for certain devices" part would probably mean putting those devices in a VLAN and only shaping that VLAN's uplink.
A router like pfsense should be able to do all of that.
But I am far from a network engineer, so don't quote me...
Sohcahtoa82
> but it would most likely be making decisions based on layer 4 (assuming it's not an SSL decrypting proxy) so it would affect any sites which have the IP addresses you specify
Not necessarily...if you're not using ESNI, then the traffic shaper could sniff the server name from the client hello message, then use the TCP sequence numbers to track the individual TCP connection.
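The ClientHello inspection described above, as an added example (not code from any poster or product): it reads the plaintext SNI out of a TLS ClientHello record, shows what a layer-4 shaper can decide from it without decrypting anything, and flags the case where an ECH/ESNI extension is present and only the destination IP is left to act on. The records are constructed inside the block, not captures; the extension codepoints assumed are 0x0000 for server_name and the draft 0xFE0D/0xFFCE for ECH/ESNI.

```python
"""Read the plaintext SNI from a TLS ClientHello, the way a layer-4 shaper would.

Added example for the thread; sample records come from build_client_hello(),
not from captured traffic.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000                 # RFC 6066 server_name
EXT_ENCRYPTED_HELLO = {0xFE0D, 0xFFCE}   # draft ECH / legacy ESNI codepoints (assumed)


def _server_name(data: bytes) -> Optional[str]:
    """Parse the server_name extension body: a list of (name_type, length, name)."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        if name_type == 0 and pos + name_len <= end:      # host_name entry
            return data[pos:pos + name_len].decode("ascii", "replace")
        pos += name_len
    return None


def inspect_client_hello(record: bytes) -> Optional[dict]:
    """Return {'sni': str|None, 'encrypted_hello': bool} for a ClientHello record.

    Returns None when the bytes are not a handshake record carrying a
    ClientHello (application data, alerts, truncated input).
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                           # legacy_version + random
    try:
        pos += 1 + hello[pos]                              # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                              # compression_methods
        if pos + 2 > len(hello):                           # no extensions block at all
            return {"sni": None, "encrypted_hello": False}
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
    except (IndexError, struct.error):
        return None
    if end > len(hello):
        return None
    info = {"sni": None, "encrypted_hello": False}
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            info["sni"] = _server_name(data)
        elif ext_type in EXT_ENCRYPTED_HELLO:
            info["encrypted_hello"] = True
    return info


def classify_connection(record: bytes, shaped_hosts: set) -> str:
    """Policy a DNS-blind shaper can apply from the ClientHello alone.

    'shape'       SNI is one of shaped_hosts or a subdomain of one
    'pass'        plaintext SNI present but not matched
    'sni-hidden'  ECH/ESNI present: the visible SNI (if any) is only the
                  client-facing server's public name, so policy must fall
                  back to the destination IP
    'unknown'     not a ClientHello
    """
    info = inspect_client_hello(record)
    if info is None:
        return "unknown"
    if info["encrypted_hello"]:
        return "sni-hidden"
    name = info["sni"]
    if name and any(name == h or name.endswith("." + h) for h in shaped_hosts):
        return "shape"
    return "pass"


def build_client_hello(server_name: str, encrypted_hello: bool = False) -> bytes:
    """Construct a minimal TLS ClientHello record (sample input, not a capture)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni_body = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    if encrypted_hello:
        exts += struct.pack("!HH", 0xFE0D, 0)  # empty ECH extension stands in for the payload
    hello = (b"\x03\x03" + bytes(32)           # legacy_version TLS 1.2, all-zero random
             + b"\x00"                         # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                     # compression: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    shaped = {"news.ycombinator.com", "reddit.com"}
    for host, ech in [("news.ycombinator.com", False), ("www.reddit.com", False),
                      ("example.org", False), ("www.reddit.com", True)]:
        rec = build_client_hello(host, ech)
        print(host, inspect_client_hello(rec), classify_connection(rec, shaped))
```

Flow tracking itself (the 4-tuple or sequence-number bookkeeping the comment mentions) is left to the shaper; this block only covers what the first packet reveals.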
hunter2_
Oh nice. I knew about SNI but didn't realize there would be a perfectly persistent trail from that packet onward. If a site being shaped and a site not being shaped shared an edge server (say they both use Cloudflare or something) there's no chance that the TCP connection gets shared for both? Not disagreeing, just thinking out loud naively.
1vuio0pswjnm7
Who is currently using ESNI? Cloudflare disabled it.
robohoe
In addition, pfsense can run pfblockerng which can be used to block ads. It uses the same block lists as pi-hole and others.
revolvingocelot
A linux box running squid between you and the open internet? Tailscale (or whatever) on your mobile devices to force them in, too?
I'm just spitballing. My bona fides are nothing more than memories of reading about the upside-down-ternet and fiddling with primitive QoS features on elderly routers, but I'm sure this is the right post on the right forum to get a real solution.
alar44
You'll need something that can do traffic shaping and you'll also have to segment your network somehow. This will cost you roughly $1000 at least in hardware. Unless you really really want to learn about networking, it's likely not worth the effort.
squarefoot
You can have professional level packet filtering by using OpnSense (FOSS) on any not too slow used PC if you are a home or SOHO user, or on new dedicated hardware that costs half of that money or less. If you are ok with consuming more energy by using older hardware, there are many big brand used firewalls converted to OpnSense or PfSense that can be bought almost for peanuts online. Just search for "pfsense" or "opnsense" on Ebay for example.
This is the only European based vendor I'm aware of, aside from PCEngines, whose hardware is excellent but not comparable wrt performance for heavy use. I'm sure there are cheaper similar solutions, especially from the Far East; also some interesting offers from the US and UK although shipping and import fees make them a lot less appealing (for us in the EU).
hunter2_
Pfsense is free (if you already have a server to run it on) and a switch with vlan support (not a managed switch, just a smart switch) can be had in the $100 range. Probably need an AP/SSID per vlan though, assuming the vlan awareness stops at the switch.
But you're spot on regarding effort/learning.
alar44
Yeah it all depends. They may need to buy access points and a switch and a device to run the shaping. Depending on how many ports they need on the switch, it's really easy to hit $1k if you don't buy the cheapest no name stuff you can find.
weare138
I'm not sure where you're getting that price from. If you're already running pi-hole on something like a Raspberry Pi you can just use Linux's traffic shaping tools. That's all you really need for a home network.
alar44
Firewall - $300
2 APs - $200
8 port switch - $150
That's less than I'd spend personally.
If the Pi isn't the gateway (which it likely isn't) that's not going to be trivial. Even if it was, fiddling with iptables isn't exactly easy. How are you going to identify devices? MAC? DHCP reservations? Static IPs? That's not a trivial project.
planb
My Unifi Dream Router does this per device (no network segmentation needed) and costs less than 300€.
ikinsey
I definitely recommend checking out Steven Black's unified hosts file [0] for DNS-level adblocking outside of one's local network. It's the default block list in Pi-Hole.
euroderf
Installs smoothly on mac.
Brajeshwar
Here is the Video of the article - https://www.youtube.com/watch?v=cE21YjuaB6o
ignoramous
https://ghostarchive.org/varchive/cE21YjuaB6o (for where youtube is blocked)
No one mentioned AdGuardHome yet?
AdGuardHome is far better than PiHole. It's a single Go binary and I think the UI is better. It won't break if you upgrade your system. You don't need docker or a LAMP stack. Just pull the binary and run it. It will even generate a systemd service file for you if you need it.
Edit: https://github.com/AdguardTeam/AdGuardHome