A long-standing thing at home: the kids who come over to play with my eleven-year-old bring devices. Switches and tablets, mostly. They default to YouTube together rather than actually playing together. I can’t supervise that in the moment — I’m usually with the smaller kids — and the smaller kids walk past whatever YouTube has decided to autoplay next.

The only intervention point that scales across an evolving roster of guest devices is the network.

I had a Pi-hole group set up for this previously called Switches, with five YouTube regexes attached. The first time round I’d missed a particular Switch and a tablet, and youtubei.googleapis.com wasn’t on the regex list. The group needed extending.

So I asked Claude to do it.

The whole session was a chat window against the Pi-hole API. Re-enable the regexes. Add the missing one. Add the missing devices. Rename the group from Switches to Guest Devices, because it had outgrown the original label. No admin UI.

What broke

I set up a NAS as a test client to verify the rules were firing. They weren’t.

Spent the next thirty minutes through group filtering, MAC versus IP client identification, regex syntax, FTL session limits, and three different ways to restart the resolver. Claude reading logs, proposing the next move, applying it, me re-testing. It came right eventually. The fix isn’t the interesting part.

The bigger takeaway

I probably need a separate guest network for kids to connect to — one that doesn’t require typing a thirty-character alphanumeric Wi-Fi password, and that automatically puts them onto a managed network.

The shape I’m maintaining right now is a list of devices that grows every time someone visits. New Switch, new tablet, new MAC, new admin from me. That’s the wrong job for the tool.

A guest SSID with managed DNS attached pushes the policy down a layer. Devices join the obvious network. The policy follows. No per-visit admin.

The Pi-hole group doesn’t go away. It moves — from the policy I maintain device by device, to the policy bound to the network those devices are on.

Next

• Cheapest hardware shape for a guest SSID with custom DNS? UniFi guest network with a DNS override, OpenWrt on a dedicated AP, or a second Pi running its own dnsmasq?
• Does the SSID name itself do work? Visiting parents see whatever I label it as. Guest-Kids says one thing; Family says another.
• Is there a way to make joining the guest SSID the path of least resistance — a QR code on the fridge — so the question of which network to join doesn’t even come up?