• Malloc crash seen with pfBlockerNG main branch, 2.1.4_22

    6
    0 Votes
    6 Posts
    1k Views
    kiokomanK

    there is nothing to worry about, just make a backup of your configuration from diagnostic / Backup and Restore just in case.
    uninstall pfblockerng and install pfblockerng-devel
    You probably only need to reconfigure it
    there are no particular precautions or particular problems to take into account
    the code is just more updated and stable, pfblockerng is old and will be removed in the future

  • Blocking these IP's

    17
    0 Votes
    17 Posts
    2k Views
    noplanN

    @AKEGEC

    i feel ya !

    the next step is to block the google crawler ip ranges ;)
    if you have an open webserver behind your pfS box ;)

  • Finally found the bug!

    3
    1 Votes
    3 Posts
    423 Views
    H

    @viktor_g said in Finally found the bug!:

    https://docs.netgate.com/pfsense/en/latest/development/bug-reports.html

    I can sure do that...

    Bug ID #10983

  • DNSBL DNS Wizard configuration on pfsense broken?

    8
    0 Votes
    8 Posts
    1k Views
    T

    @cayossarian
    Thanks! I was having the same issue. Things just weren't being resolved to the VIP. Ended up following your above post. Thanks!

  • Pfblocker Permit Inbound Confusion

    24
    0 Votes
    24 Posts
    4k Views
    johnpozJ

    @blackops786187 said in Pfblocker Permit Inbound Confusion:

    I've got the UK geoip whitelist working by using the alias native settings and choosing only the UK countries. I added that alias to the source of the OpenVPN rule and I've confirmed it's working as intended

    That is how I would do it.. I use geoIP lists in pfblocker to limit who can talk to my plex server for example.. And have the port different as well. To cut down on noise..

  • Bypass AdBlock Detection

    3
    0 Votes
    3 Posts
    983 Views
    S

    Thanks for feedback.

    I used site.com as an example. did not realize SF had purchased that domain :P

    I'm hesitant to start whitelisting sources of ads as that defeats the purpose of having an adblock list. What I ended up doing was blacklisting the source of the JS file that does the validation and puts up a modal disabling the user from using the website. Solves my problem, which was being able to use this website, with ad block, by a user who is on a phone and not technical.

    thank you for help!

  • pfBlockerNG DNSBL service not starting/stopped but DNSBL working fine?

    5
    0 Votes
    5 Posts
    732 Views
    I

    Yes - changing default values certainly can be a pitfall, but as they are default values at the same time they can/should be changed as default port values are ultimately a standard point of entry and is actually good practice in hardening security - n'est-ce pas? Granted that not all scenarios require this, it is still a suggested practice (and has demonstrated its validity in time). My bad here was not realizing there were 2 services using the same port as no major red flags were raised: what was surprising to me was the non-report of any errors when scrutinizing the default logs. Upon digging further I see I was not the only one in a similar situation as can be read in this post:
    https://forum.netgate.com/topic/133712/pfblockerng-devel-2-2-1-upgrade-fails-to-start-pfb_dnsbl-service

    While the issue here was an unexpected overlapping of IP ranges, the same anomaly was seen (unable to bind).

    The fact that there is nothing immediately reported in the logs is puzzling and only a manual restart from the shell can reveal this as shown; maybe this should be appearing in the standard log for quicker corrective actions (just my humble suggestion) keeping in mind that errare humanum est (sed perseverare diabolicum!).

  • Set up pfBlockerNG on the WAN?

    1
    0 Votes
    1 Posts
    86 Views
    No one has replied
  • Routing Issue SG3100

    1
    0 Votes
    1 Posts
    189 Views
    No one has replied
  • pfblockerNG Error

    3
    0 Votes
    3 Posts
    347 Views
    J

    @mass said in pfblockerNG Error:

    Increased Firewall Maximum States size to 500000

    I would leave Firewall Maximum States set to default, whatever was there before you changed it

    The entry that you need to change is: Firewall Maximum Table Entries to 2000000.

  • BBC_C2 added www.netgate.com / docs.netgate.com

    9
    3 Votes
    9 Posts
    1k Views
    C

    Right now I have the few pri1 I have enabled as permit/logged, I will be checking logs to see if any legit traffic from matched ip's.

  • Blocking UBUNTU/Raspberry Pi/Synology

    1
    0 Votes
    1 Posts
    122 Views
    No one has replied
  • How to see logs of sites blocked by pfBlockerNG?

    1
    0 Votes
    1 Posts
    162 Views
    No one has replied
  • pfBlockerNG Crashing due to memory error

    9
    0 Votes
    9 Posts
    569 Views
    kiokomanK

    201k is ok !

  • Occasional DNS lookup failures - how to troubleshoot?

    12
    0 Votes
    12 Posts
    1k Views
    johnpozJ

    Looking at your dhcp leases should help... Most devices register a name - that should help you identify them.. If it's something odd.. Looking up the mac address should tell you who made it, or at least the nic/wifi card it's using.

    If wired another way to figure out what a device is, if you have smart switch that will show you the mac address table is look up the mac to what port its on, and then just trace the wire.

    Many devices also list their mac on them, or can be found in info screen, etc. If trying to figure out which mac belongs to what - normally a reboot of said device will have it check its lease - so looking in your dhcp log for timestamp of what just asked as you rebooted it.

    another option - if all your devices answer ping, some iot devices don't.. Is do a ping sweep for what answers, then turn off some device you don't show in your list, and do your ping sweep again - what was the IP that answered before, and now doesn't ;) What device did you turn off ;)

  • Am I missing a whitelist somewhere? Can't block YouTube

    3
    0 Votes
    3 Posts
    1k Views
    S

    Thank you! I cannot believe I did not look at that setting. I've ensured safe search redirection, youtube restrictions and firefox DoH blocking are all disabled, which I think is the default.

    Problem solved. thank you very much.

  • Bug in ipv6 lists when updating

    13
    0 Votes
    13 Posts
    1k Views
    IsaacFLI

    I did the upgrade from .35 to .36 today and did not get this problem this time, so it could be that it is something unique to my configuration at the time.

  • IPv4 Custom list format

    5
    0 Votes
    5 Posts
    471 Views
    noplanN

    My tech guys
    Use the notepad++ & m$ excel combo
    Means creating 100 and more lines
    If /24 doesn't do the trick

    Another way round is set an alias in FW rules
    For /24 and before that rule allow your address range

  • pfBlockerNG DNSBL service will not start

    5
    0 Votes
    5 Posts
    857 Views
    M

    All is good now. Thank you for your time. Somehow "cat" command got the service started. I don't understand it, but will take it.

  • Firewall Help

    5
    0 Votes
    5 Posts
    578 Views
    I

    Thanks guys this appears to be working.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.