Steven Black and PiHole
Message
From: 07/09/2019 08:11:16
To: 31/08/2019 17:38:15
General information
Forum: Technology
Category: Internet / Miscellaneous
Thread ID: 01670419
Message ID: 01670676
Views: 36
>It seems to me that the bulk of the market for a PiHole is as an appliance. Enthusiasts can get one up and running fairly quickly, at a low cost, and not have to mess too much with other devices in their environment.

Spot on. In early 2017 I had to replace the media server/DVB-T receiver as DVB-T2 was introduced, and I was somewhat torn between getting a Pi as media server including TV channels via LAN and an Android box capable of receiving OTA DVB-T2 including PVR persisting, serving up media files via Kodi and accessing the net like any normal Android device.

Went with Android, as it offered more baked-in functionality with almost no effort (just install from the Play Store) at 20% more cost.
Still not a bad decision, but as reports surfaced that a sizeable percentage of Chinese boxes were configured with the ADB port accessible from outside, I was happy to have it sit behind 2 NATs and became reluctant to use "internet functionality" with it...
Dedicated small packages are probably more secure, and Pi/other ARM-based cigarette boxes do not cost much to run.

>Running it as a VM has obvious attractions but there are some drawbacks:
>- must leave the host running, which may be less reliable than a hardware Pi and use more electricity

Laptop is running constantly if I am home (the big machine draws even more power and is used by offspring to game on in his subnet when here... I use it almost only if I have looong runs that need local debug, as our centered machines are beasts, but MSTSC debugging is the pits), and since it currently affects only my machines, not that bad - switching DNS in the router takes less than 30s if I need to work on laptop HW or play with the RasPi install.

>- PiHole VM can only serve devices on its subnet, or downstream

Yup. But sufficient for testing, and I have it "on board" if I am abroad.
In bold: I know you realize that, but perhaps not all lurkers do - the subnet Al is talking about is NOT the host-internal one, which can be set to connect all running VMs, but the subnet the host machine is a member of. So any other device connected to the router your VM host machine is connected to (via LAN or WLAN) will have PiHole-scrubbed internet access.

>- it's probably easier to reconfigure an environment with it running as an appliance. If it's a VM on a host, there may be other limitations on how that host can be configured - and therefore guest VMs

Not certain I get your drift here. Most of the PC-like VMs are isolated by intent; if I need C/S or only SMB server functionality, I can create a VM subnet inside the host or bridge all relevant machines.

>Your post is not that cryptic, covers the main points pretty well. As you point out, for PiHole to be useful at all running as a VM, networking must be bridged in VirtualBox. This basically turns off NAT so the guest is on the same subnet as the host.

thx ;-)

>You can set up a static IP reservation on the DHCP server based on the PiHole's virtual MAC address. Annoyingly, when you do that with some older Windows Server OSs you get event log warnings that the server doesn't have a static IP address, I imagine Linux is smarter than that.

You are totally on target - no problem there, not even a need to remember ifconfig (Linux's ipconfig), as it shows on start ;-)

[reordered...]
>Another issue I'm starting to see is that some business and home office networks are getting ISP service that consumer grade routers can't handle i.e. when plans offer 150Mbps, 300Mbps or higher. There's a better chance that a business class device can keep up e.g.
https://community.ui.com/questions/ERX-linespeed-performance-with-Hardware-offloading/f55fca84-25aa-472f-8eda-16a2db4b7936

Yup, I was offered an interesting plan last month - cable-based, higher speed and 1 local fixed IPv6. Was tempting, but consumer plans over here have the option of Fonero-like access abroad if the home router connected to the WAN endpoint may open up a tertiary, disconnected WLAN for other customers of the same network.
In inner-city areas (buildings near the street, and most sporting more than 2 upper floors) I do not need cell phone internet, but am automatically VPN-tunneled via my provider's network with other WLANs in those streets, also (AFAIK) safe from the MITM dangers often around open WLANs found at airports, train stations or coffee houses. Even at friends' homes there is a 60% chance of not needing their access codes, so safe from anything some black hat installed in their subnet.
The downside is that, while you are here now legally free to connect your own routers at the endpoint, only those types offered by the provider as net endpoint will give you Fonero-style service.
The old Fonero routers established such access when included anywhere in your LAN tree (at the cost of sharing your bandwidth as well, which my current setup prevents - the provider guest WLAN has its own download bandwidth).

>Speaking of cable chaos, I'm beginning to think that for typical small business environments where security is not paramount, that routers with actual routing capability are a good alternative to cascaded consumer-grade routers. Something like the Ubiquiti ER-X (about C$90) can be used to set up multiple isolated subnets. The good folks at Gibson Research have put out a paper about configuring one that way: https://www.grc.com/sn/files/ubiquiti_home_network.pdf
>Most consumer routers have security holes, which are not usually patched after a relatively short support period. Ubiquiti is business class and has ongoing support/firmware updates. The ER-X in particular is about 4 years old and relatively stable. How good is subnet isolation within a single device like an ER-X compared to cascaded consumer routers - I don't know. But I'm guessing reliability of software and hardware in 1 business class device is better than multiple consumer grade ones.
>Overall, I'm quite impressed by the capabilities of the Ubiquiti ER-X at its price point.
>
Having somewhat parallel ideas... The next enhancement was already by 66% not another small home router just for a subnet, but at least 8 ports with the option to install OpenWRT, to be installed in the net topology like Ubiquiti.
Even if using Ubiquiti, probably 1 switch (as shown in the picture) at least exchanged with an already-owned small router to pile on bumps for hackers ;-)
With OpenWRT I am severed from the vendor not updating older machines, but saddled with the responsibility to do so myself.
Your tip gives a recommended alternative, always good to have something to compare with, and the cost is totally reasonable.
Marked down, thx.

>As for YouTube ads, for a while now I've been using the "Enhancer for YouTube" add-on for FireFox. I've never - not once - seen an ad that was not part of the content itself. Videos start up without delay and there are no breaks or stutters where ads would normally appear in the middle of the playback. Very highly recommended. https://www.mrfdev.com/enhancer-for-youtube . It's very easy to enable or disable the add-on, so you can have it active only when you're on YouTube if you're concerned it might be spying on you. With the Enhancer the YouTube experience is so improved, that if you ever have to watch a video without it, the experience is distasteful.

Will try - the YouTube habit is not strong here; it was used as it was demonstrated in the video.

>Interestingly, the PiHole uses underlying technology that can be used for good or bad. In the black hat world, DNS poisoning or man-in-the-middle attacks are serious threats. The PiHole uses the same idea for good (as long as you're not an advertiser ;)) Similarly, advanced malware and anti-virus software are technically the same thing, just used for different purposes.

Had already thought about that - but if somebody is inside your net (as will be all "professional" hackers targeting YOU, compared to script kids using shotgun/scatter-shot tactics), you have lost already and depend on physically separated backups.
Secrets are best kept between analog microphones in wetware...

regards

thomas
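An added example, not code from this thread or from the Pi-hole project, of the point raised above that Pi-hole's blocking and DNS poisoning are the same mechanism: a minimal UDP resolver that answers blocklisted names with a forged A record of 0.0.0.0 and relays everything else upstream. The client accepts the forged answer for the same reason it would accept a poisoning forgery, namely that the transaction ID and question section match its query; the difference is that the sinkhole is the configured resolver and sits on-path, so nothing has to be guessed. The blocklist, the upstream address and all helper names are assumptions for the example.

```python
"""Minimal DNS sinkhole (added example; not Pi-hole's code).

A name on the blocklist gets a forged A record pointing at 0.0.0.0;
anything else is forwarded to an upstream resolver unchanged.
"""
import socket
import struct
from typing import Optional, Tuple

# Constructed blocklist for the example; real deployments load lists such
# as Steven Black's hosts file instead.
BLOCKLIST = {"ads.example.com", "tracker.example.net"}
SINKHOLE_IP = "0.0.0.0"
UPSTREAM = ("9.9.9.9", 53)   # assumption: any plain-DNS upstream will do


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed name; return (name, offset just after it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(packet: bytes):
    """Return (txid, name, qtype, qclass, raw question section)."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, name, qtype, qclass, packet[12:off + 4]


def sinkhole_response(packet: bytes) -> Optional[bytes]:
    """Forge an A answer for blocklisted names; None means 'forward upstream'."""
    txid, name, qtype, qclass, question = parse_query(packet)
    if name.lower() not in BLOCKLIST or qtype != 1 or qclass != 1:
        return None
    # Same txid as the query, flags QR=1 RD=1 RA=1 RCODE=0, 1 question, 1 answer.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the question name at offset 12, type A, class IN,
    # short TTL so clients re-ask once a name is unblocked, 4-byte rdata.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def decode_answer_ip(response: bytes) -> str:
    """Extract the IPv4 address from the first answer RR (as built above)."""
    _, off = decode_name(response, 12)
    off += 4                                   # skip qtype/qclass
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]
    return socket.inet_ntoa(response[off + 12:off + 12 + rdlength])


def serve(bind=("0.0.0.0", 53)):
    """Blocking UDP loop: answer blocklisted names locally, relay the rest."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
        sock.bind(bind)
        up.settimeout(2.0)
        while True:
            data, client = sock.recvfrom(512)
            try:
                forged = sinkhole_response(data)
            except (ValueError, IndexError, UnicodeDecodeError, struct.error):
                continue                       # malformed query: drop it
            if forged is not None:
                sock.sendto(forged, client)
                continue
            up.sendto(data, UPSTREAM)
            try:
                sock.sendto(up.recv(4096), client)   # one query in flight at a time
            except socket.timeout:
                pass


if __name__ == "__main__":
    q = build_query(0x1234, "ads.example.com")
    print(decode_answer_ip(sinkhole_response(q)))                # 0.0.0.0
    print(sinkhole_response(build_query(0x1235, "www.example.org")))  # None
```

`serve()` needs a privileged port and network access and handles one query at a time, so it is a lab illustration rather than something to put in front of a household; the packet-level functions run offline and show the forgery itself. Note that only A queries for an exact blocklisted name are sinkholed here; AAAA, CNAME chains and subdomain matching are left to the real product.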