I realized I was at risk by having smart devices on my normal network, so decided to move them to my guest network.
I don’t like my smart tv, but it’s all I have to work with for now. I want to keep it on my guest network, but still stream using jellyfin. I see on my netgear router there is an option to “let devices on guest network see other devices and access local network” which would probably allow it to see my jellyfin server, but then doesn’t that defeat the point of a guest network? Maybe I need to learn what a reverse proxy is…jellyfin server is currently on windows (not my pc) but could move it to my linux pc if needed.
And yes, I plan to get a media center linux box in the future so I don’t have to deal with the garbage smart tv os!
So most alternative router firmware comes with a feature that can be configured to re-route any hard coded DNS through the pihole. I.e., my Smart TV will switch to Google DNS if it can’t connect through your set DNS. The feature I mentioned will force this to always go through your configured DNS. This is completely solves that issue. I’ve thoroughly tested this and it 100% works. Also routers have a feature that can block a device from accessing the WAN at all, and only allow them to access the LAN. This is just a simple toggle in my router and extremely easy to use. I block certain devices that I don’t want to have intentet at all but that I want to access over the network (i.e. plex)
Just to be clear, my goal with my setup is limiting tracking, telemetry, and ads.
Sure, but that’s not the setup you described in the original post. I think that’s probably where your confusion is coming from - people are responding about a setup that’s just a PiHole, not a PiHole plus router features to ensure that it’s used.
Ultimately any setup that allows the device internet access is going to introduce some opportunities for tracking/telemetry/ads. If the vendor really wants to they could just channel all that data through a single HTTPS connection, along with the useful data you want to let the device access. You won’t have any way to inspect that traffic and selectively block it, so you end up having to chose between blocking everything or blocking nothing.
Your setup sounds like it’s reaching the privacy/functionality trade off that you want.