@opie
I like that solution a bit better than the one in the article.
I also wonder why you couldn't just isolate problem devices and forward ports originating from only those specific MACs?
My one "smart" device is a Samsung TV (2016), and the default DNS is 8.8.8.8 but it allows you to change it. I have verified that it does in fact use my pi-hole when I tell it to, because the pi-hole logs show the tons of blocked requests from it, and its app store will not work unless I revert to 8.8.8.8.
Mixing layer-2 and layer-3/4 is not universally supported, so saying "I want to do a layer-4 redirect from these layer-2 sources to this layer-3 destination" is likely not going to be an available configuration option.
The nature of my network is such that if the firewall receives a UDP/53 packet to be forwarded, it needs to be redirected, so only "problematic" devices get snagged by that bit.
@opie
What's your opinion on a separate VLAN dedicated to IoT devices? More work than its worth?
Big supporter of isolation... all my "things that aren't laptops or servers" are on isolated VLANs/subnets.
Additionally... many of my laptops and servers are also on isolated VLANs/subnets, but that wasn't the question...
😁
@opie
You strike me as a person who chambers a round when a Windows device asks if you would like to enable file and printer sharing. 😆
If you had any Windows devices...
@voltronic 👍🏿
'allowing them to simply ignore your local network’s DNS server entirely'
That's why I never give them the network password. If they're so smart let them figure it out themselves. 🤣
@voltronic
Chromecasts ignore the DNS servers handed out via DHCP and use 8.8.8.8 & 8.8.4.4 regardless.
Since they refuse to cooperate, I redirect all port 53 requests to my DNS servers.
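The port-53 redirect @opie describes in two posts above (every forwarded UDP/53 packet gets snagged, and Chromecasts that ignore DHCP get pointed back at the local resolver), written out as an nftables ruleset. This is an added example, not code from the thread, from Pi-hole or from any router vendor; the interface name vlan30, the subnet 10.30.0.0/24, the Pi-hole address 10.10.0.53 and the function names are made-up placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pi-hole: an nftables
# ruleset that catches every UDP/TCP port-53 packet forwarded from an IoT
# VLAN and DNATs it to the local Pi-hole, so devices hard-wired to
# 8.8.8.8/8.8.4.4 (Chromecasts, the TV's app store) still go through it.
#
# Hypothetical values, change them to match your network:
IOT_IF="${IOT_IF:-vlan30}"            # router interface facing the IoT VLAN
IOT_NET="${IOT_NET:-10.30.0.0/24}"    # the IoT subnet
PIHOLE="${PIHOLE:-10.10.0.53}"        # Pi-hole, on a separate trusted VLAN

# Emit the ruleset as text. Building it is kept apart from applying it so
# the rules can be reviewed (or tested) on a box without root or nft.
build_dns_redirect_ruleset() {
    iot_if="$1"; iot_net="$2"; pihole="$3"
    cat <<EOF
table inet dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Devices that honour DHCP already ask the Pi-hole: leave them alone.
        iifname "$iot_if" ip saddr $iot_net ip daddr $pihole udp dport 53 accept
        iifname "$iot_if" ip saddr $iot_net ip daddr $pihole tcp dport 53 accept

        # Everything else on port 53 from the IoT VLAN is rewritten to the
        # Pi-hole. conntrack undoes the rewrite on the reply, so the device
        # sees an answer "from" the server it asked and is none the wiser.
        iifname "$iot_if" ip saddr $iot_net udp dport 53 dnat ip to $pihole
        iifname "$iot_if" ip saddr $iot_net tcp dport 53 dnat ip to $pihole
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Plain DNS is caught above, but DNS-over-TLS on 853 would sail past
        # the redirect. Drop it so a device cannot upgrade its way around the
        # Pi-hole. (DNS-over-HTTPS on 443 cannot be told apart from web
        # traffic by port alone; that needs a blocklist of resolver addresses.)
        iifname "$iot_if" ip saddr $iot_net tcp dport 853 drop
    }
}
EOF
}

# Load the ruleset into the kernel (needs root and nft). "nft -f -" reads
# from stdin; declaring and flushing the table first makes re-running this
# replace the old rules instead of appending duplicates.
apply_dns_redirect_ruleset() {
    {
        echo "table inet dns_redirect"
        echo "flush table inet dns_redirect"
        build_dns_redirect_ruleset "$IOT_IF" "$IOT_NET" "$PIHOLE"
    } | nft -f -
}

# Count the redirect rules in a generated ruleset (sanity check: expect 2).
count_dnat_rules() {
    printf '%s\n' "$1" | grep -c 'dnat ip to'
}

case "${1:-}" in
    apply) apply_dns_redirect_ruleset ;;
    *)     build_dns_redirect_ruleset "$IOT_IF" "$IOT_NET" "$PIHOLE" ;;
esac
```

Two caveats worth knowing before copying this. The ruleset assumes the Pi-hole sits on a different subnet from the IoT devices; if it lives on the same VLAN, the Pi-hole's reply goes straight back to the device at layer 2, the router never sees it to undo the DNAT, and the device gets an answer from the wrong source address (add a `masquerade` rule in a postrouting nat chain for that case so the reply is forced back through the router). It is also IPv4-only: a device that has a global IPv6 address can reach 2001:4860:4860::8888 untouched, so either repeat the rules with `ip6 daddr`/`dnat ip6 to` or do not hand out IPv6 on the IoT VLAN. Verification is the same as the TV check earlier in the thread: the queries show up in the Pi-hole query log while the device believes it talked to 8.8.8.8.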