@bbcan177
Thank you for your patience. I just could not imagine it being so hard to achieve this.

I have some experience with Squid, where URL blocking/whitelisting is relatively easy. But i want to migrate away from it and pfBlockerNG seemed like a good alternative.

@mods @CTMarsh @BBcan177 @bldnightowl

I wish there were some way for me to change the title of this topic. At the time I wrote the original post, pfBlocker seemed to be the culprit, but as we have all learned, it was the OS upgrade on the SG-3100.

I reverted to 2.4.5_p1 and am holding there until something positive happens with the new OS.

@yorke pfBlocker doesn't look at the contents of the packets, just the FQDNS and https packets will be encrypted.

So it's a no.

@gertjan said in CRON stall when reloading UNBOUND:

Live Sync means that pfBlockerNG3 loads unbound with flat DNSBL files.

When enabled, updates to the DNS Resolver DNSBL database will be performed Live without reloading the Resolver.

During Cron Updates, it will update Unbound with only changes using unbound-control, so no interruption and no memory shortage. However Unbound Restart/Reload will check the *.conf files then load all *.conf into it's db, draining memory.

@ronpfs said in Problem after pfBlockerNG-devel 3.0.0_16 update:

@chudak
From any GeoIP tab : Click here for IMPORTANT info --> What's new in GeoIP2

Cool, so far I don't see what's wrong. Do you ?

I had a chat with MaxMind support and one thing jumped at me "it looks like the "registered country" for that IP address range is Germany. I'm wondering if pfSense is looking at that instead of the "country""

That's interesting

It'd be good to have a NordVPN and GeoIP user here to confirm this....

@ronpfs said in Disable action does not work ?:

@chudak said in Disable action does not work ?:

How does permit outbound actually works ? (Need to think about it)

That may contain some answers : https://docs.netgate.com/

I am sure it does ! 😃

Is Permit Outbound default setting for white lists ?

@wolfsden3

See this thread https://forum.netgate.com/topic/162883/disable-action-does-not-work/16?_=1618355648005

Maybe helpful

@ronpfs This does it on the first search every time. I think 2.4.4 -> 2.4.5 might be a good guess as to the timeframe this started. I never get results, and this just returns blank results.

If you notice the page does come back but just no results, even though there would be matches.

Normally, I don't block TLD's as it needs 'huge' quantity of resources.
But ok, let's test :

I tried blocking the tld "today" :

dfaf9bb0-5f17-4176-bdad-c7b2b0fc5fcd-image.png

A test :

C:\Users\Gauche>nslookup 1618250475.site.goapp.today Serveur : pfsense.brit-hotel-fumel.net Address: 2001:470:1f13:5c0:2::1 Nom : 1618250475.site.goapp.today Address: 10.10.10.1

Which means :

1f43da52-b94a-4dfc-a72e-ca841ad3ed91-image.png

Btw : i's very rare to see this "black screen", as no one is (should not) using http:// any more.

@ronpfs
Disabling the package prior updating did the job.

@BBcan177
I had to do a clean install of pfSense to make python mode work. Not sure why. It was a two year old working configuration with multiple updates and never had an issue.

Now with python mode can I let go of unbound dns now or still need to use it? I have an internal well configured BIND dns which I would like to use instead of unbound.

Possible workaround after a brief off-thread conversation: I set GeoIP Top Spammers to Alias Native and then disabled it again. I then manually ran the cron entry "/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php dcc >> /var/log/pfblockerng/extras.log 2>&1" and it didn't log the alert into extras.log like the others. If I don't post back in a month it worked. :) Also there will be an update coming at some point, though we'd have to get current to update.

I can also (kind of) confirm this.

But just to be clear - a speed test will result in full speed.
But some web pages will open very slow, at first i thought my dns is very slow.
As when the page load it does at a normal speed, just very delayed.

As nearly every website is using sources(scripts, ad, tracker,...) from all over the place, its hard to pinpoint.
I think it might be slow if some parts of the page are blocked.

But I don't know if the browser is waiting for a timeout or a js script has trouble.

@bbcan177

Thank you for being so fast in fixing this and the great work you are doing with pfBlockerNG!

With the modifications all is working well :).

@rtw915 said in More frequent CRON interval options:

I am still stuck on this. Under the CRON jobs I tried to edit this from this:

0 * * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1

to this:

*/15 * * * * root /usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php cron >> /var/log/pfblockerng/pfblockerng.log 2>&1

However, the Updates tab in pfBlockerNG says that the CRON job is missing, and then deletes the job and creates a new one with the hourly update interval.

So this does not work

You should not change these cron entries.
They are set and maintained by the pfblockerng package.

@ertnec said in pfBlockerNG-devel v3.0.0_15 not clearing down tmp files, slowly fills /tmp up.:

@bbcan177 said in pfBlockerNG-devel v3.0.0_15 not clearing down tmp files, slowly fills /tmp up.:

@ertnec
Download an updated script for ASN processing and see how that goes.

curl -o /usr/local/pkg/pfblockerng/pfblockerng.sh "https://gist.githubusercontent.com/BBcan177/3aabea5edf7b40554d93085bff380b6f/raw"

Hi, I've replaced the file you suggested, however, it still seems to be leaving these files alone & /tmp is still filling up.

I can confirm this.
Update: Still present in v3.0.0_16
(I added a cron-job: rm /tmp/pfbt* )

Regards,
fireodo

@rk0
I'd just reinstall if you think you have the 'Save Settings' checkbox marked. You could always just build fresh and restore the config, too.

@tzvia Thank you! I should have thought about adding in-addr.arpa to domain overrides. I added one for each 24-bit subnet, and that did the job.

@cobra_phil
Redirecting the DNS traffic should work anyway.
Possibly unbound sends it's traffic to the ISPs DNS. Or you did something wrong. Since you don't provide your settings, it's hard to say.
You can sniff the packets to see, what's going on.

However, also not clear what the goal of the WAN-LAN bridge is indeed. If you only want your clients to pull network settings from the ISP you can enable the DHCP relay and configure the clients network accordingly.

@gertjan Downloads are instant.
Filtering through 1m takes most of the time.
And no, the pipes are not saturated @100Mbits

And dns doesn't suffer overall.
If I get the dreaded error in resolver logs, no resolution is possible.
Ping with ip works great.

I need to experiment a bit more, but since this is service affecting during normal hours