@BBcan177 I'm on 25.11.1 and noticed this issue resurfaced for me on 25 Feb 2026 after I fixed it last fall. I updated pfB to 3.2.14 and performed the uncheck-save-reload-check-save-reload but still have "Masterfile Count [ 87007 ] Deny folder Count [ 87006 ]". I update once/day so fortunately the logfile is still available. I have not yet checked the syntax in the earlier mentioned pfblockerng.sh and since I've updated to 3.2.14 I don't even know if the line #1232 is correct any longer.

@revengineer I recommend RAM disk to protect your SSD: https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#ram-disk-settings

@lakhdar said in DNSBL WEB SERVER NOT WORKING: default VIP 10.10.10.1:8081 8081 ? Try 10.10.10.1:80 (http mode) and try 10.10.10.1:443 (hhtps mode) Read this : https://forum.netgate.com/topic/200269/pfblocker-thrashing-ssd and discover that you actually don't want to use the pfBlockng fonctionality, as it's something of the past. Or do you need it ? May I ask why ? Most of your traffic is http ? Are you sure ?

@tsberry901 I think they're working on "quick" in pfB...there were changes in 25.11 in how quick works, too, which may affect behavior. If you click the little blue (i) icon pfB explains them but it does seem unclear. For instance "alias with dedupe and reputation" might be better than "alias deny." And I still don't know the difference between alias permit and match. I find the behavior of dedupe in pfB a little wonky (it works across lists/rules) so always use Native. There is a "DoH/DoT/DoQ Blocking" checkbox (and one must select hostnames to block) but it's on the SafeSearch tab, not the parent DNSBL tab. A pointer does seem helpful. Also for reference, https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html#dns-over-tls.

@robert1993 I doubt that.

Line is 3957 in package version 3.2.14, for anyone wanting to use System Patches to do the needful: --- /usr/local/pkg/pfblockerng/pfblockerng.inc +++ /usr/local/pkg/pfblockerng/pfblockerng.inc @@ -3957,6 +3957,6 @@ if (isset($pfb['rfc7231'][$http_status])) { if ($logtype < 3) { - pfb_logger(". {$pfb['rfc7231'][$http_status]}", 2); + pfb_logger(". {$pfb['rfc7231'][$http_status]}", $logtype); } else { pfb_logger(" {$file_dwn}\t\t{$pfb['rfc7231'][$http_status]}\n", $logtype); } Probably best to just wait for Netgate to publish a package update, since to-date, 11 other commits have been made since 3.2.14.

@SteveITS said in pfblockerNG firewall aliases: @ivica.glavocic Often a step that's missed is to edit that location/list, and select the desired countries: [image: 1770677161373-0170351c-d3fe-4a60-aef3-5f54aa6a7038-image.png] That. Now I have automatically created firewall URL aliases. Thanks.

@fperloff FYI, "Localhost" (i.e., interface lo0) is the system loopback interface. Just sharing a technicality. You can see this if you run the command ifconfig from a shell. You can also assign whatever address you like from the loopback reserved address block of 127.0.0.0/8. But 127.0.0.1 is perfectly fine.

@Gertjan So why one tunnel and not the other, but running from the same Virtual IP out of the same WAN link?

@areckethennu Do I need a VIP configured? Is DNSBL deprecated? It's needed for DNSBL to work. The Virtual IP (VIP) allows pfBlockerNG to run a small local website that it can use as a replacement for all those other websites you don't want your devices to connect to. I don't understand why VIP isn't configured automatically with the upgrade. It is on some systems, but not on all. It isn't configured automatically for some systems because of the nature of how upgrades work on them. And on those systems it's only an issue between the old and new version of pfBlockerNG. Now that you've configured the VIP on pfSense, it won't be removed with future upgrades. I don't understand what I'm doing nor why I'm doing it or even if I should be doing it. Imagine you have the privilege of a home with a second floor. There's a master lightswitch on the bottom floor to control the stairs light, so when the bottom one is off you can't toggle the light from the upstairs switch. You want to avoid accidentally tripping one day due to not being able to turn the light on so you get an electrician to wire it up so you can control the light from each switch individually. Except in this case you're also the electrician. That's a very bad analogy of what and why you're doing it... ChatGPT could probably give you a better example .