pfBlockerNG

Successful -devel update to 3.2.14_1 on 2.8.1

tinfoilmatt — Sat, 02 May 2026 14:52:57 GMT

Had been putting this package upgrade off for a bit given that I anticipated needing to take the entire LAN 'offline' due to the recent DNSBL webserver VIP changes, which caused the DNSBL service to initially fail to start until the VIPs were manually created and assigned—and a post-upgrade force-reload to ensure DNSBL DB integrity which, with 25+ million domains, ended up running for ~4 hours).

All went smooth and I'm feeling relieved. Big thanks to @BBcan177 and @marcosm!

DNS Cache Flushed during Cron

Nitsuj19 — Fri, 01 May 2026 01:58:42 GMT

@Gertjan I disabled this to get live sync. [image: 1777933054786-2c053751-2894-49ad-9608-9e1515b352c4-image.png] I have not switched back to DNSBL python mode yet. Basically, you are saying the numbers from the command below are not accurate after cron and the cache is somewhere else? Sorry, just trying to understand how python mode works unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num

GUI alias and rule changes are not applied to the running PF ruleset ( pfctl -sr / pfctl -t unchanged), causing new firewall rules to not work, likely due to pfBlockerNG overriding tables.

SteveITS — Tue, 28 Apr 2026 18:09:49 GMT

@jacob.simon Just to add on, the issue isn't memory usage overall, it's "I ran out of slots to store things." (table entries) Also since you mentioned geo IP, if you "block the world" that creates much larger aliases than "allow my country." Long ago I'd read, if using pfBlocker, start table entries at 2 million and increase as necessary. YMMV

pfBlockerNG-devel is blocking traffic from an unmonitored NIC

deleted — Wed, 22 Apr 2026 15:25:21 GMT

It works. Thank you all. Those who can read really have an advantage.

Enabling DNSBL in pfBlockerNG with logging turned on breaks DNS resolution

smacdoug1 — Tue, 14 Apr 2026 12:29:14 GMT

@Gertjan I followed an earlier suggestion to reinstall with 'keep settings' disabled. Although I had tried that already, for some reason this time it worked. DNSBL is functioning correctly now.

pfBlockerNG - The DNSBL VIP needs to be configured manually @ 2026-04-07 20:09:33

Waqar.UK — Wed, 08 Apr 2026 17:49:27 GMT

@SteveITS Thanks to all I will try all your solutions. Update: error message has gone away.

Upgrade to 3_2_14_1 causes pfb_dnsbl service to not start

tinfoilmatt — Mon, 06 Apr 2026 15:00:02 GMT

Several changes were made since November 2025 ('-devel' package version 3.2.12; see this GitHub commit) as a response to this bug report—which essentially eliminated automatic DNSBL VIP creation. One must now manually create the VIP and then manually 'assign' it to pfBlockerNG. This has caused a package upgrade issue where the DNSBL service will fail to start if configured with a nonexistent VIP. Since '-devel' package version 3.2.13_1, a warning is thrown during initial package install to account for this change, following this GitHub commit.

How to delete DNSBL feeds?

valnar — Fri, 03 Apr 2026 21:05:42 GMT

@tinfoilmatt There it is! thanks

Feeds from Threatview

fireodo — Fri, 03 Apr 2026 16:00:07 GMT

Hi,

if someone of you is using feeds from threatview.io - their ssl certificate is expired so it generates errors in pfblockerNG. This can be circumvent (until they correct it) by setting the feed to "Flex" (the data is still there).
Edit (05.04.2026): Back to normal :-)
Have a fine time,
fireodo

pfblocker 3.2.14 pf 25.11.1

publictoiletbowl — Tue, 31 Mar 2026 00:45:07 GMT

hi there please ignore my previous port it running now i did reinstall and it works thanks

State of IPv6 DNSBL in 2026?

SteveITS — Tue, 24 Mar 2026 17:33:02 GMT

@tibere86 You may also need to block DoT/DoH: https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html pfB also has a "DoH/DoT/DoQ Blocking" checkbox on the Safesearch tab. Note to select some/all of the DNS servers listed.

pfblockerng_devel on 25.11.1 instability

stephenw10 — Mon, 16 Mar 2026 14:52:25 GMT

The new version is available to all 26.03 installs now.

"unbound mode" vs "unbound python mode"

keyser — Fri, 13 Mar 2026 17:54:39 GMT

@netboy I understand. A good guess since your websites (internetaccess) no longer works is that DNS stops working. That in turn suggests that Unbound (pfSense’s built in DNS server stopped working when attempting to start with the pfBlockerNG integration engaged. Try and check that Unbound have the python integration llisted in its config: [image: 1773438454507-706e4866-9e8e-4e8d-b9e3-55bb35f219bf-image.png] Next thing would be to look into the STATUS -> SYSTEM LOGS -> GENERAL/RESOLVER log and see if Unbound is spitting some usefull info into there

GeoIP classification using registered_country instead of country (GeoLite2-Country)

jeanalain.rodriguez — Tue, 03 Mar 2026 12:28:10 GMT

Hi,

We are observing GeoIP classification behavior that does not match the country field from the GeoLite2-Country database.

Example IP: 149.71.96.0

Running mmdblookup against the same GeoLite2-Country.mmdb used by pfBlocker:

mmdblookup --file GeoLite2-Country.mmdb --ip 149.71.96.0

Returns:

country.iso_code = ES
registered_country.iso_code = US

However, pfBlocker places this IP range under the US alias (pfB_US_v4) and blocks it when US is blocked.

It does not appear under the ES alias.

This behavior is consistent across different pfSense and pfBlocker versions (CE and Plus, 2.x and 3.x).

GeoIP database is up to date and tables have been rebuilt.

Questions:

Is pfBlocker generating GeoIP country aliases based on registered_country instead of country?
If so, is this expected behavior?
In cloud/CDN environments, many IP blocks are:
- Physically located in one country (country)
- Registered in another (registered_country, often US)
This causes legitimate EU traffic to be classified as US when blocking by country.
Could you clarify which MMDB field is used internally when building GeoIP country lists?

Thanks.

DNSBL WEB SERVER NOT WORKING

Gertjan — Mon, 02 Mar 2026 13:22:28 GMT

@lakhdar said in DNSBL WEB SERVER NOT WORKING: default VIP 10.10.10.1:8081 8081 ? Try 10.10.10.1:80 (http mode) and try 10.10.10.1:443 (hhtps mode) Read this : https://forum.netgate.com/topic/200269/pfblocker-thrashing-ssd and discover that you actually don't want to use the pfBlockng fonctionality, as it's something of the past. Or do you need it ? May I ask why ? Most of your traffic is http ? Are you sure ?

pfBlocker thrashing SSD

slu — Mon, 02 Mar 2026 03:16:39 GMT

@tibere86 said in pfBlocker thrashing SSD: Any issues running pfBlockerNG with RAMdisk enabled? No issues so far. Maybe you need a reload after reboot pfSense, good point I will have an eye on it next reboot.

pfBlocker GEOIP Failure to Block Suggestion

SteveITS — Fri, 20 Feb 2026 18:00:10 GMT

@tsberry901 I think they're working on "quick" in pfB...there were changes in 25.11 in how quick works, too, which may affect behavior. If you click the little blue (i) icon pfB explains them but it does seem unclear. For instance "alias with dedupe and reputation" might be better than "alias deny." And I still don't know the difference between alias permit and match. I find the behavior of dedupe in pfB a little wonky (it works across lists/rules) so always use Native. There is a "DoH/DoT/DoQ Blocking" checkbox (and one must select hostnames to block) but it's on the SafeSearch tab, not the parent DNSBL tab. A pointer does seem helpful. Also for reference, https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html#dns-over-tls.

New Feeds

fireodo — Sat, 14 Feb 2026 16:02:50 GMT

Hi,

(maybe you already know) IpFire has launched a Bunch of free Feeds that can be integrated in pfblockerNG - I have tried a few (Ads and Phishing).

Feel free to test:
IpFire-Blocklists

Have a nice Weekend,
fireodo

Experiences with Q-Feeds blocklist?

tinfoilmatt — Tue, 10 Feb 2026 17:28:40 GMT

@robert1993 I doubt that.

pfblockerNG firewall aliases

ivica.glavocic — Mon, 09 Feb 2026 15:57:55 GMT

@SteveITS said in pfblockerNG firewall aliases: @ivica.glavocic Often a step that's missed is to edit that location/list, and select the desired countries: [image: 1770677161373-0170351c-d3fe-4a60-aef3-5f54aa6a7038-image.png] That. Now I have automatically created firewall URL aliases. Thanks.

Loopback Interface not available when creating Virtual IP for pfBlockerNG

tinfoilmatt — Sun, 08 Feb 2026 18:32:58 GMT

@fperloff FYI, "Localhost" (i.e., interface lo0) is the system loopback interface. Just sharing a technicality. You can see this if you run the command ifconfig from a shell. You can also assign whatever address you like from the loopback reserved address block of 127.0.0.0/8. But 127.0.0.1 is perfectly fine.

NAT-T IPSec connections fail when pfBlockerNG performs a reload

C-Amie — Sun, 01 Feb 2026 18:08:52 GMT

@Gertjan So why one tunnel and not the other, but running from the same Virtual IP out of the same WAN link?

DNSBL unbound not working - Probably DNS server on Windows?

SteveITS — Thu, 29 Jan 2026 17:51:21 GMT

@dalmirnogueira Windows Server by default uses root servers, unless you set up forwarding in its settings. Which, you can forward to pfSense. Note browsers may bypass local DNS using DoT/Doh, see https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html. If using an AD domain I suggest making a domain override in pfSense pointing to the AD DNS server. I find that helps if IPv6 is provided by pfSense, or something queries it. Or else you can set a DNS server in IPv6 settings.

Failed PF Blocker install due to PHP (SOLVED)

Uglybrian — Tue, 27 Jan 2026 19:08:05 GMT

@SteveITS said in Failed PF Blocker install due to PHP: pkg-static upgrade -fy pfSense-upgrade Thank you Steve, that upgrade solved my problem.