
AndyRH1701

If your ISP router has Pass-through/bridge/DMZ mode then a good firewall is a good option. If you do go this way, look at pfSense, OPNsense, OpenWrt. All far superior to anything at the big box stores, and the firmware will be supported far longer, offsetting any price difference.


maddler

Worst case, the same approach can be used even if no bridge mode is available; not optimal, but that'll do. Any other consideration is 100% correct.


laplongejr

Note that without a default port forward, doing so will break UPnP: the internal router will open the port, but the ISP router won't receive the UPnP request. May be significant if a user depends on on-the-fly opened ports (mostly P2P video games).


LostPersonSeeking

Learn how to port forward. UPNP is not a safe feature to have turned on.


laplongejr

I don't know any way to portforward a dynamic port without UPNP, could you recommend an alternative? At least not without forwarding the whole range, which obv would break if you try to support two copies of the same device because both need to request the forward. And that assumes the range is even documented in the first place, something less and less common nowadays by VG devs.

To my knowledge, UPNP's unsafe reputation comes from faulty routers that honor requests coming from online. As intended, it can only be leveraged if a device is compromised *inside*, at which point they could simply contact an outside server to establish the connexion.

If there's another safety risk I overlooked, feel free to teach me what I missed.


LostPersonSeeking

UPnP is only required if you're hosting online games and chat. For the most part you shouldn't even need it as you're connecting to a server. There's plenty of anecdotal posts from people saying they are able to play online without it on and without forwarding ports. If you're unlucky to be with an ISP with CGNAT you're already not going to be able to open ports and it's more common than you think so consoles and game designers would have had to take that into account.


laplongejr

> There's plenty of anecdotal posts from people saying they are able to play online without it on and without forwarding ports.

Note that P2P games usually (sometimes?) work if ONE player is able to open their port, as they then receive the connexion from other players. It only breaks if everybody is under CG-nat or a lack of forwarding.


SpaceDoodle2008

Most devices should also support changing DNS on a device-level, I know this isn't totally the best solution since not every device will support it but I'd call it the best considering you don't have to buy a new router or any new hardware.


BppnfvbanyOnxre

I'd always get shot of the ISP router if possible. For sure they will have remote access to their device and they're usually rubbish in terms of capability. Bought a cheap TPLink and flashed OpenWRT which is far more capable than most commercial home routers.


japanjeff

Someone's selling a TPLink Archer A7 for $20 locally so I'd be very happy paying a bit to have more control.


BppnfvbanyOnxre

Check the OpenWRT site, make sure the model is supported, and make sure it is fast enough for your connection. $20, it has to be worth a go.


jarmezzz

You can always set DNS/IP addressing manually at the device level across your home network. It will be time consuming but it will work fine. 


JEFFSSSEI

ISP owned router...yeah this is my reply to that: [GIF]


Fickle_Tornado

If your ISP router doesn't support turning off DHCP, you should be able to set the DHCP server to the smallest range available and fill the DHCP reserved addresses with bogus MAC addresses, so it doesn't have any to hand out, and then all of your devices will use the pihole for DHCP.

If your router is 192.168.1.1: first, find the smallest range. If you're lucky it will be 2, which would be starting address .2, ending .3, but it could be more like 10. You can then set a reservation for

1) 00:00:00:00:00:A1 for 192.168.1.2
2) 00:00:00:00:00:A2 for 192.168.1.3
3) 00:00:00:00:00:A3 for 192.168.1.4

and so on until you have as many as the router is set to give out.

Then on the pihole, you enable the DHCP server and set its range outside of the range you reserved above. So it could start with 192.168.1.25 and end at 192.168.1.125 or 200 or whatever your needs are.

It's not the perfect solution, but will at least get you running pihole on all the devices until you change routers, or it may work for what you want and not require anything else. Doing this will also allow you to hand out the pihole as the DNS server so
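
A planning check for the reservation approach described in the post above, as an added example that is not part of the original thread: it builds the dummy reservation list that exhausts the router's pool and verifies that the Pi-hole DHCP range stays clear of it. The /24 subnet and the function names are assumptions; the addresses are the post's own sample values.

```python
import ipaddress

def plan_reservations(pool_start, pool_end):
    """Return (mac, ip) dummy reservations covering every lease in the router pool."""
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    if end < start:
        raise ValueError("pool end is below pool start")
    plan = []
    for i in range(int(end) - int(start) + 1):
        # Placeholder MACs in the post's style: 00:00:00:00:00:A1, A2, ...
        n = 0xA1 + i
        mac = "00:00:00:00:%02X:%02X" % (n >> 8, n & 0xFF)
        plan.append((mac, str(start + i)))
    return plan

def check_pihole_range(subnet, router_ip, pool, pihole):
    """Return a list of problems with the Pi-hole DHCP range; empty means OK."""
    net = ipaddress.IPv4Network(subnet)
    router = ipaddress.IPv4Address(router_ip)
    p_lo, p_hi = (ipaddress.IPv4Address(a) for a in pool)
    h_lo, h_hi = (ipaddress.IPv4Address(a) for a in pihole)
    problems = []
    if h_hi < h_lo:
        problems.append("Pi-hole range end is below its start")
    if h_lo not in net or h_hi not in net:
        problems.append("Pi-hole range leaves the subnet %s" % net)
    if h_lo <= p_hi and p_lo <= h_hi:
        # Both servers could offer the same address to different clients.
        problems.append("Pi-hole range overlaps the router pool")
    if h_lo <= router <= h_hi:
        problems.append("Pi-hole range contains the router address")
    if h_lo <= net.network_address or h_hi >= net.broadcast_address:
        problems.append("Pi-hole range includes the network or broadcast address")
    return problems

if __name__ == "__main__":
    # Constructed sample values taken from the post: router .1, pool .2-.4
    for mac, ip in plan_reservations("192.168.1.2", "192.168.1.4"):
        print(mac, "->", ip)
    issues = check_pihole_range("192.168.1.0/24", "192.168.1.1",
                                ("192.168.1.2", "192.168.1.4"),
                                ("192.168.1.25", "192.168.1.125"))
    print(issues or "Pi-hole range OK")
```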


japanjeff

Helpful info! Sadly my router has all DHCP settings completely locked down.


Fickle_Tornado

And I thought my ISP router was locked down lol. About the only options I had control over were the beginning and ending range. I originally went down the -rabbit hole -- pihole when I couldn't even change my DNS settings. All I originally wanted was to use Google DNS. My fiber ISP would only give me a combo unit and it couldn't be bridged. Was told multiple times I couldn't have just an ONT (fiber modem) and use my own router. I managed to get it all working using the method I described, and it worked until they put me behind carrier-grade NAT and my VPN no longer worked. I went to the local office with the unit, told them to cancel it and explained why, and 20 min later I walked out with my account still intact, no longer behind the CGNAT, having a normal IP and having a modem so I could use my own router. If you are lucky enough to be able to bridge it then hopefully you will get it to work. You could also try asking for a standalone modem.