Per-client blocking question

After setting up groups and applying them to domains, do I need to "refresh" or do anything to apply settings? The configuration I'm trying for is blocking "youtube.com" from "Everyone" except for my computer. Here's how I have it set up: Screen Shot 2020-04-06 at 1..., where "Everyone" is my default Group, and "Brian" is devices that belong to me. Those devices only belong in the "Brian" group. I'm having trouble getting this to work because youtube.com is blocked from my devices.

I'm thinking because "Everyone" is being blocked, that includes ALL Clients, even if the client isn't part of that group: Screen Shot 2020-04-06 at 2... Is this correct? When I remove "Everyone" from the domain and only apply it to specific groups, it seems to allow youtube.com from "Brian" group devices, although I haven't tested whether or not the groups that have been applied are currently blocking youtube.com.

No, the web interface triggers the necessary update automatically for you.

Your screenshots do not show all devices' settings as the popup is hiding some. If you want to block youtube for all devices but Brian, you need to remove Brian from the group "Everyone". This is because every device in this group will block youtube.

If you have:

Domain youtube.com is member in Everyone
Client Brian is member of Brian (but not Everyone)

It should work.

An alternative is to create another group like Everyone besides Brian and put youtube.com there.
Then add client Brian to Everyone and Brian but not this new group.

I hope this makes things clearer. We have discussed a lot about how to implement per-client blocking into Pi-hole and after going through a large number of actual examples, we've come out with the current implementation as being the only one that can serve any possible combination.

It may be a bit complicated to wrap your head around it initially, however, once you've grasped it, it is actually really simple. In the end, you just have to make sure clients do not see domains by being members of groups which have them.

Thank you for the response and for explaining how this works in detail. First of all, I just wanted to say how excited I am about Client-specific rules in Pi-hole! Been wanting this feature since I set up Pi-hole. If I understand you correctly, this is what my setup looks like:

Everyone - This is all devices. There are times where new devices are added to my network that I can't stay on top of the Groups/Clients in Pi-hole, so I need to be able to apply rules to "Everyone". In my setup, I just renamed the default group. This is the group that can't be deleted under Groups. I'm assuming all new devices are part of this group.

Brian - These devices are specific to me. My phone, my laptop, etc. I set these specific Clients under Clients. These clients do not belong to Everyone. Only Brian.

Now, when I go to Domains, if I add youtube.com to Blacklist, and choose "Everyone", the devices under the Brian group are still blocking youtube.com. Based on what you said, youtube.com should only be blocked for Clients in Everyone, but Clients in Brian should still be able to access youtube.com. However that doesn't appear to be the case. Brian Clients cannot access youtube.com when Blacklisted for only Everyone.

Couple of other notes:

  • When I blacklist from the Groups > Domains page, the domain shows up under the main "Blacklist" menu, which is a little confusing. That list seems to be a "global blacklist", but I'm not sure that's the case; it's just a little confusing.
  • I just got an error " Error, something went wrong! While executing: database is locked" when trying to change the Domain Groups - This may need to be a separate thread. - Also, a side note, the error goes away VERY quick so it was difficult to read/copy/paste.

Thanks again for your support! I love Pi-hole!

If the Brian device is part of the Everyone group then domains on the Everyone blacklist will apply to them.

So Brian is a Group, but also none of the devices in the Brian group are in the Everyone Group. (See screenshot: Screen Shot 2020-04-14 at 9...)

Yes.

New clients are automatically added to this group. If you remove their membership later, Pi-hole will honor your decision and won't add the group another time.

Check.

This should work!

What does the query log say concerning the blocking reason?
Maybe you have youtube.com in a regular blocking list or one of your regexes matches it accidentally. Can you provide screenshots of the other pages as well?
If there is a bug with this, we'd certainly like to fix it before the (closer and closer) final release of v5.0.

I'm confused now as well. Please expand your description so we can exactly follow what you are talking about. Screenshots might be helpful here as well.

Erm, not good. We can surely extend the timeout. Please try a pihole restartdns.

It says "Blocked (exact blacklist)" -

- This is all the information I know how to retrieve. Let me know if there's more I'm not seeing that I can send you.

Here are my blocklists (adlists) -

(I can post this in text format if it helps)

Groups:

- Mostly just for organization purposes, I'm really only using "Everyone" and "Brian" at the moment.

Clients:

- All clients are in "Everyone" except for the top 4, which are only in "Brian". I have 24 total clients, some could just be grouped by device type (Example: Nest Hello could be in the "House" group)

Domains:

- This is the relevant portion of this list. Where it says "2 selected", I have "Everyone, Brian", the others are only applied to the "Everyone" group.

So, I added youtube.com to the blacklist from the Groups > Domains interface

Then, if I visit the main "Blacklist" page,


youtube.com shows up in the list, even though that's not where I added it.

There are no identifiers on this page showing that youtube.com is blocked only in certain groups, it just shows up as "blacklisted". If this list is applying to all requests "globally", then maybe this is where the problem lies. Otherwise, it's just a User Interface issue where it's not clear these domains have group policies applied to them. Ideally, this list is a global blacklist, that does apply to everything (sort of like your own personal adlist), and anything added from Groups > Domains does not show up in this list. Does that make sense?

Everything seems to be working fine now, so I haven't run this command, but if I do see the error in the future, I will try this. Thank you!

edit @DL6ER Inserted images from links to make the post more readable

Note - in this forum you do not have to link to pictures - you can paste a picture directly into a reply. This makes it easier for all of us to see what you are seeing, as additional links don't have to be opened.

This indicates that you have this domain on a local blacklist. If the domain were blocked by something on one of your blocklists, you would see "blocked (gravity)".

Please generate a new debug log, upload when prompted and post the token here. This will show us the contents of your groups and blacklist/whitelist, etc.

Sorry about that. Was how I normally do screenshots with this app I use.

Here is my debug log: https://tricorder.pi-hole.net/iinvjmr2il

Thanks again for looking into this.

That's expected. The blacklist is the same everywhere; this page is just the "legacy" interface, if you want to call it that. The group information is hidden to not overwhelm users not interested in the per-group features at all. Domains added through this interface are members of the default group (Everyone in your case).

Diagnosis by screenshots:

The client 192.168.86.1 is not known to Pi-hole:

so Pi-hole puts it into the Everyone group which is why www.youtube.com is to be blocked (see last row):
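To make the membership rule from the earlier reply ("clients do not see domains by being member of groups which have them") and the unknown-client case in this diagnosis concrete, here is an added example that is not part of the thread and not Pi-hole's own code. It models the group tables in an in-memory SQLite database with a simplified schema of my own (table names, the `NoVideo` group and the client IPs other than 192.168.86.1 are constructed for the example; the real gravity.db layout differs) and answers one question: is this exact-match blacklist entry applied to this client? It also covers the known-client-with-no-groups case the reply mentions (membership removed and not re-added) and the alternative layout with a third group.

```python
import sqlite3

# Simplified model of Pi-hole v5 group membership (constructed for this
# example, not the real gravity.db schema). A client is subject to a
# domain entry only when the two share at least one group. Group 0 is the
# default group ("Everyone" in the thread): unknown clients and domains
# added on the legacy Blacklist page are treated as members of it.
DEFAULT_GROUP_ID = 0

SCHEMA = """
CREATE TABLE grp (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT UNIQUE NOT NULL);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
CREATE TABLE domainlist (id INTEGER PRIMARY KEY, domain TEXT UNIQUE NOT NULL);
CREATE TABLE domainlist_by_group (domainlist_id INTEGER, group_id INTEGER);
"""


def build_db(groups, clients, domains):
    """groups: list of names, the first one becomes the default group (id 0);
    clients: {ip: [group names]}; domains: {domain: [group names]}."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    gid = {}
    for i, name in enumerate(groups):
        db.execute("INSERT INTO grp VALUES (?, ?)", (i, name))
        gid[name] = i
    for ip, names in clients.items():
        cid = db.execute("INSERT INTO client (ip) VALUES (?)", (ip,)).lastrowid
        db.executemany("INSERT INTO client_by_group VALUES (?, ?)",
                       [(cid, gid[n]) for n in names])
    for domain, names in domains.items():
        did = db.execute("INSERT INTO domainlist (domain) VALUES (?)",
                         (domain,)).lastrowid
        db.executemany("INSERT INTO domainlist_by_group VALUES (?, ?)",
                       [(did, gid[n]) for n in names])
    db.commit()
    return db


def client_groups(db, ip):
    """Group ids that apply to a querying IP."""
    row = db.execute("SELECT id FROM client WHERE ip = ?", (ip,)).fetchone()
    if row is None:
        # Never configured (the router 192.168.86.1 in the thread, whose
        # forwarded queries hide the real clients): default group applies.
        return {DEFAULT_GROUP_ID}
    # A known client whose memberships were removed keeps an empty set;
    # it is not silently put back into the default group.
    return {g for (g,) in db.execute(
        "SELECT group_id FROM client_by_group WHERE client_id = ?", (row[0],))}


def domain_groups(db, domain):
    """Group ids a blacklist entry is assigned to (exact match on the name)."""
    return {g for (g,) in db.execute(
        "SELECT dg.group_id FROM domainlist d "
        "JOIN domainlist_by_group dg ON dg.domainlist_id = d.id "
        "WHERE d.domain = ?", (domain,))}


def is_blocked(db, ip, domain):
    """Blocked iff the client and the domain entry share at least one group."""
    return bool(client_groups(db, ip) & domain_groups(db, domain))


def thread_setup():
    # Brian's goal: youtube.com blocked for everyone except his own devices.
    return build_db(
        groups=["Everyone", "Brian"],
        clients={"192.168.86.10": ["Brian"],      # constructed: laptop, Brian only
                 "192.168.86.20": ["Everyone"],   # constructed: Nest, default only
                 "192.168.86.30": []},            # constructed: membership removed
        domains={"youtube.com": ["Everyone"]},
    )


def alternative_setup():
    # The alternative from the reply: a third group holds youtube.com;
    # Brian's devices are in Everyone and Brian but not in that group.
    return build_db(
        groups=["Everyone", "Brian", "NoVideo"],
        clients={"192.168.86.10": ["Everyone", "Brian"],
                 "192.168.86.20": ["Everyone", "NoVideo"]},
        domains={"youtube.com": ["NoVideo"]},
    )


if __name__ == "__main__":
    db = thread_setup()
    for ip in ("192.168.86.10", "192.168.86.20", "192.168.86.1"):
        print(ip, "blocked" if is_blocked(db, ip, "youtube.com") else "allowed")
```

Running it shows the laptop allowed, the Nest blocked, and the unknown router address blocked, which is exactly why every device behind a forwarding router ends up with the Everyone rules.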


:+1: This was mainly just feedback. If that's the way it's intended, then it's probably fine.

So, turns out 192.168.86.1 is the address of my Google Wifi. After digging a tiny bit more, it looks like ALL requests on my Pi-hole are coming from this IP. My Pi-hole DNS is set at the Wifi level. How should I have it set up to get this feature to work properly? Or how do I get Pi-hole to see the originating client IP? Is there a HTTP_X_FORWARDED_FOR type value that can be used?

EDIT: Also, is it possible to use a Mac address to identify clients, rather than the IP address? I don't know how likely the case is that my Wifi will change a client's IP address, but seems like it would be more reliable if that were to happen.

DNS requests do not include any HTTP headers.

Your router is apparently telling your clients to use itself as DNS server and then asks your Pi-hole on their behalf. There is nothing that could be done to improve this except telling the clients to use the Pi-hole itself as DNS server (and not the router).

If it turns out that your router is not allowing you to change the DNS to be used, you have two options left:

  1. Disable the DHCP server on the router and use the DHCP server of your Pi-hole (this is what I did), or
  2. Install a new router that allows you to (truly) configure the DNS server to be handed out to the clients.

No, this feature does only work with IP addresses. It would affect the overall DNS performance notably if we were to make a MAC -> IP/device lookup each time a query arrives. Any non-trivial network should really either use a deterministic DHCP server (handing out the same addresses to the same clients every time), use static DHCP leases or use static address configuration.


I found this, does this appear to be the way I need to configure it?

This link says

the problem is that you won’t be able to see the clients individually in the Pi-Hole Dashboard, instead it will be a single IP, that of the router, as in my case, it’s 192.168.152.1.

which is exactly what you're seeing. Option 2 seems to be more what you want, however, I do not see why you should configure it so complicated (two DHCP servers, the router solely responsible for the Raspberry). I assume the DHCP server cannot be disabled on the Google device? In this case, the mentioned option 2 is what you want.


I'll give this a shot and report back. Thanks for all your help!

EDIT: Well, this could get tricky, because this solution's instructions set up a single IP for DHCP, and I have a switch (old TP Link wifi router) with a few wired devices on my network as well. Hopefully I can get this figured out.

So, if you want to continue to use multiple Google Wifi devices with the wireless mesh, apparently you can't disable DHCP on Google Wifi.

I have setup per the article an IP reservation range of 192.186.86.9-10 (9 for my TP-Link switch and 10 for Raspberry Pi). The good news is the 1 device hard-wired to my switch (Desktop PC), after re-setting up the client, appears to be working correctly!

After restarting my Google Wifi and re-assigning all the clients in Pi-hole (since everything appears to have a new IP address), I think it's working now!! I was able to get one of my devices to follow the rule while the other device (not re-setup yet) was still being blocked! I think we're all set now. Thanks again for all the help!

So it looks like the one downside to this configuration is I can't see which Google Wifi each device is connected to. They all show up as connected to the Basement. I seriously hope that's not the case and they're just reporting that, otherwise it defeats the purpose of having one on each level of my house.

I have a few similar devices on my network (for example Nest Thermostat upstairs and Nest Thermostat downstairs). On the Google Wifi app, it just shows up as "Nest", but I can figure out which is which based on which wifi point they're connected to. After looking through several, I started to realize they ALL say "Basement" now (where the primary AP/Cable Modem are).

I wouldn't think much of it, but on the home screen of the Google Wifi app, there's an "Info" card that reads:

Something is not quite right...

It looks like there's another device on your network acting as a DHCP server. This may impact the ability for your devices to connect to the internet.

I'm mostly posting this information for anyone else running into this issue. I'm not sure yet if it's completely setup correctly, but the good news is the new Pi-hole features are now working.

EDIT: I just reset a lot of my device labels, and now I'm noticing some devices connected to "Master Bedroom", so maybe I was wrong about not seeing which AP each device is connected to.

Try it. Go close to some access point not in the basement (e.g., bedroom). If the signal strength goes to 100%, you're obviously not connected to the basement.

I have confirmed other access points are showing up. My Nest upstairs was reporting connecting to the Basement AP, which is strange, but other devices are connected to "Master Bedroom" and "Kitchen", so it appears to be working. Maybe the Nest needs to be restarted for it to connect to the closer AP. Either way, everything has been working after getting DHCP setup yesterday. Thanks again for all the help!
