Sticking OPNsense on one of these [1] was probably the best LAN decision I've made, besides a Synology backup NAS.
It acts as a Pi-hole and a lot more (firewall, device VLAN isolation, VPN termination, etc.). I have these hosts files [2] loaded into its Dnsmasq config.