Which one to go with for ad blocking and phishing sites

Started by meazz1, April 15, 2020, 03:01:47 AM

I have been using OPNsense for over 6 months or so. Prior to using OPNsense I used MikroTik and an EdgeRouter X with a UniFi AC-Lite access point.
This is for my home use. I have 4 users, 2 adults and two teenagers. The usage includes average IoT devices, mostly streaming, a little work from home and regular browsing.
I'm loving OPNsense and its performance.
My setup is very simple. I have a 1 gig up/down fiber connection; the provider's gateway is in pass-through mode. My router is a fan-less embedded x86 box with 2 NICs, an Intel i5 2.3 GHz CPU and 8 GB of RAM.

My goal is to set up OPNsense with some kind of DNS to block ads, phishing sites etc.
I'm seeking suggestions so I can make a killer setup, lol.

Should I go with:
       1. Pi-hole
       2. Sensei (Sunny Valley plugin)
       3. DNS Security / Unbound DNS with DNSCrypt, DoH plugin for IPv4 + IPv6 (write-up in the forum)

I'm sure there are many more options out there that I'm unaware of.

I use a Pi-hole due to the fact that whitelists and blocklists are really easy to manage.
Sensei can block ads too, but I prefer Pi-hole for this.
Easy to set up and maintain.

Quote from: sol on April 15, 2020, 11:10:20 AM
I use a Pi-hole due to the fact that whitelists and blocklists are really easy to manage.
Sensei can block ads too, but I prefer Pi-hole for this.
Easy to set up and maintain.

I tried Pi-hole earlier but could not set it up correctly. How did you set up Pi-hole's IP and firewall rules in OPNsense?

You don't have to set up anything, really.
The easiest thing to do is to advertise the Pi-hole's IP address as DNS server in the DHCP settings of OPNsense (Services: DHCPv4: [LAN]).

If you want to have client hostnames resolved, you have to check the boxes for "Register DHCP leases" and "Register DHCP static mappings" in Services: Unbound DNS: General.
In Pi-hole's DNS settings I unchecked "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges", and checked "Use Conditional Forwarding" (fill in IP + local domain name).
I selected Cloudflare as Upstream DNS Servers.

Works like a charm!

Note: I wanted to have Pi-hole's protection on my mobile devices, connected to my network through WireGuard. Took me a while: I had to set Pi-hole's interface listening behavior to "Listen on all interfaces, permit all origins". If you just select "Listen on all interfaces", it ignores WireGuard clients.

Hope this helps :)
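As an added example (not code from this thread, from Pi-hole or from OPNsense), here is a small Python script a LAN client or a WireGuard peer can run to confirm that the chain described in the post above is actually in use. It sends raw DNS queries straight to the Pi-hole (the system stub resolver cannot be pointed at a chosen server), checks that a blocklisted name comes back sinkholed, and checks that a reverse lookup for a LAN address is answered with a local hostname, which is what the conditional forwarding to Unbound is for. A query that gets no reply at all is reported as "no answer"; seen from a WireGuard peer, that is the symptom the note in the post describes. The Pi-hole address, the blocked test name, the LAN host address and the local domain are assumptions to edit for your own network.

```python
"""Check a Pi-hole-behind-OPNsense DNS setup from a client.

Added example for this thread; not code from Pi-hole, OPNsense or the posters.
Builds raw DNS messages (RFC 1035) with the standard library so one specific
server can be asked. Addresses, names and domain below are assumptions.
"""
import secrets
import socket
import struct

PIHOLE = "192.168.1.2"            # assumption: Pi-hole LAN address advertised by DHCP
BLOCKED_NAME = "ads.example.com"  # assumption: a name you know is on your blocklist
LAN_HOST_IP = "192.168.1.50"      # assumption: a DHCP client registered in Unbound
LOCAL_DOMAIN = "home.lan"         # assumption: OPNsense local domain (conditional fwd)
SINKHOLE = {"0.0.0.0", "::"}      # Pi-hole default (NULL) blocking answers
A, PTR, AAAA = 1, 12, 28

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid):
    """Standard query: recursion desired, one question, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, offset, hops=0):
    """Read a possibly compressed name; return (name, offset after it in msg)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if hops > 16:                             # malformed: refuse pointer loops
                raise ValueError("pointer loop in response")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if end is not None else offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg, txid):
    """Return (rcode, answers); answers are IP strings or PTR target names."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    offset = 12
    for _ in range(qd):                               # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == A:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == AAAA:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
        elif rtype == PTR:                            # target may point back into msg
            answers.append(decode_name(msg, offset)[0])
        offset += rdlen
    return flags & 0x000F, answers

def classify(rcode, answers):
    """Outcome a client sees: blocked / refused / resolved / empty."""
    if rcode == 3 or (rcode == 0 and answers and all(a in SINKHOLE for a in answers)):
        return "blocked"                              # NXDOMAIN or NULL blocking mode
    if rcode == 5:
        return "refused"
    return "resolved" if rcode == 0 and answers else "empty"

def ptr_name(ip):
    """Owner name for a reverse lookup, IPv4 or IPv6."""
    if ":" in ip:
        nibbles = socket.inet_pton(socket.AF_INET6, ip).hex()
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def query(server, name, qtype, timeout=2.0):
    """Ask one server over UDP; None when nothing comes back (dropped query)."""
    txid = secrets.randbelow(0x10000)                 # unpredictable id vs. blind spoofing
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)

def run_checks(server=PIHOLE):
    """Ad blocking and LAN-name resolution via the Pi-hole, as in the post."""
    results = {}
    r = query(server, BLOCKED_NAME, A)
    results["adblock"] = "no answer" if r is None else classify(*r)
    r = query(server, ptr_name(LAN_HOST_IP), PTR)
    if r is None:
        results["lan names"] = "no answer"            # from a WireGuard peer: check "permit all origins"
    elif r[1] and r[1][0].endswith(LOCAL_DOMAIN):
        results["lan names"] = "ok: " + r[1][0]
    else:
        results["lan names"] = "not forwarded to Unbound"
    return results

if __name__ == "__main__":
    for check, outcome in run_checks().items():
        print(f"{check}: {outcome}")
```

Run it from an ordinary DHCP client first; both checks should report "blocked" and "ok: <hostname>". If the same script run from a WireGuard peer reports "no answer" for everything, the Pi-hole is not accepting queries from that origin, which is the listening-behavior setting the post refers to.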


Quote from: Vlijm on April 15, 2020, 09:30:39 PM
You don't have to set up anything, really.
The easiest thing to do is to advertise the Pi-hole's IP address as DNS server in the DHCP settings of OPNsense (Services: DHCPv4: [LAN]).

If you want to have client hostnames resolved, you have to check the boxes for "Register DHCP leases" and "Register DHCP static mappings" in Services: Unbound DNS: General.
In Pi-hole's DNS settings I unchecked "Never forward non-FQDNs" and "Never forward reverse lookups for private IP ranges", and checked "Use Conditional Forwarding" (fill in IP + local domain name).
I selected Cloudflare as Upstream DNS Servers.

Works like a charm!

Note: I wanted to have Pi-hole's protection on my mobile devices, connected to my network through WireGuard. Took me a while: I had to set Pi-hole's interface listening behavior to "Listen on all interfaces, permit all origins". If you just select "Listen on all interfaces", it ignores WireGuard clients.

Hope this helps :)

Thanks.
I set it up as you suggested. It seems to be working right.
One question, did you have to add any firewall rules?

I did not have to add rules to the firewall to get this working.