Wrt lan deny all for the fam, it’s mostly hard on gamers cuz games tend to use wide port ranges and outbound IPs are potentially home isp networks not the game servers. But yeah it takes some time and research to really lock it down.

Most stuff is running through web protocols though. So right off the bat you create allow rules for any LAN device to hit ports: 80, 8080, 443, 8443 which are your common http and https ports. That’s gonna get most ppl what they need.

I do ASN based allows for certain applications like Google, Facebook, etc.

For consoles they’re pretty locked down so just give them full allow to the Internet. I don’t do that actually but it’s probably the better way.

IOT devices get only the ports they need to the IPs they need.

when you said you are using unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right?

No I mean my unbound resolves DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the com nameservers, then asks the com nameservers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or quad 9 or whatever. At least the former two are sure to be aggregating this data.

Additionally I do not allow devices on my network to reach out to external port 53, or 853 to circumvent lookups on my unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT’d to the unbound server. You can’t redirect TLS attempts so those get hard blocked.

Curious to your IDS solution

Securicata is what opnsense uses. Pretty easy to set up.