Hi,

Look at the pfBlockerNG-devel Reports page. Look at the Alerts and DNSBL lists. Look for the IP your device us using, and then a destination that should have a relation with this "sagepay " (whatever that is).

Note : Feeds used by pfBlockerNG are created by humans like you and me - most often 'just for fun and to help the community'. They could be useful for some one, contain IP's that shouldn't be blocked for others. It's NOT an exact science.

@jot thanks for the info. You are right. Though I do not understand why to force whitelist google and yandex subdomains which are used for ads - ads.google.com|adservices.google.com. I just can not block ads if I enable safesearch option

Resolved.
Just an update on the issue if someone ever face the same problem.
I reinstalled PFSense, then PFBlockerNG-DEV.
I didn't create any auto-rules and only uses native aliases. Maybe it's something obvious, but in my case they didn't play well together. I installed ntopng to find out all the required ASN, there are a few more than just netflix/youtube for the APPs. However, I got a second problem from time to time I wouldn't get an IP from the WAN and many dpinger send-to error 65. The problem was my onboard NIC is a RealTek and not Intel. Moving the WAN to an Intel port seem to fix the issue for me. I understand the recommendation is to use Intel.

Thank you John for your time and help!

In the end I disabled tld blocking since it led to many issues allowing certain sites with their own subdomains. I am maintaining a blocklist of individual sites. This is more effort but more reliable for use.

@johnpoz Well, honestly ... I would love to use the pfBlocker, as this seems to me 'easier' solution as it is already implemented and working. The shallalist is available there as well ... the only thing I am not sure is how I split the filtering for:
parents -> DNSBL, Ads, IP
kids -> all the above + categories
But let's see, maybe someone else comes with some other views.
Thank you.

@johnpoz
Actually when some other agency or corporation gets MinMind customer database plus the ISP databases that nowadays you can bet are automatically available... yes then someone could have a complete picture... it amazes me how people don't care about privacy and don't seem to understand that no privacy means no democracy... Do we still value democracy over money or convenience?
You don't know what actually MinMind is... so I suggest updating pfblockerng to use another geolocation database and prepare it to accept more easily other options. There's always the possibility of a fork.

I am having this same Errors. Did you ever get yours fixed? @Ronpfs Just Because you do not use some thing, Does not means he should not ? THATS pretty backwards thinking!

DoH feature disable is absolutely great

Turns out it is the semicolon causing the issue.
In this post, BBcan177 says there is no parser for the semicolon.

@jeffvogelsang
Well, on PFBLOCKERNG/DNSBL page, there is the TOP 1M WHITELIST. You can choose the Cisco or Alexa list and then choose how many down the list from the top you want to whitelist. Then choose what is to be included in TLD whitelist. I see it as a safety net to catch popular domains that could end up as a false positive in the blacklists. I set mine to the top 2k.

A real pre-packaged 'whitelist' like the blacklists would be very hard to maintain and would obviously need to be very large to really be useful. Consider that for it to have value, you would have to decide what to do with sites that are not on the whitelist. Do you block them? If you don't then what is the point of the whitelist? Thinking someone can figure out, for all the blacklists out there, what the false positives are and then making a whitelist for them and keeping it up to date would be about as daunting. Think about the maintenance involved, ouch.

I rarely have issues where I have to add anything to the whitelist anymore, my list is about 45 domains and some TLD exclusions that have been added over the last couple of years. If I test out a a list and see a large amount of false positives I dump it and use something else.

@maba
Thank you. Makes sense. Just found the button to clear out the counters and reset them!

Screen Shot 2020-05-01 at 7.06.00 PM.png

ok i figure it out ...
for some obscure reason , the line

server:include: /var/unbound/pfb_dnsbl.*conf

in dnsresolver was append at the end of my custom options ... it need to be at the top before them...

The update of pfblocker have broken that.

Hope it stay as it is.

edit: and a better solution : my options just miss one line ...

My "options" begin with:

local-zone: "x.X.X.X.X.X.ip6.arpa" typetransparent

i had to add "server:" just before "local-zone" ... so no more crash , "server:include..." can be at the bottom or at top ... it's working. ;)

So maybe the bug, one more time, was between the chair and the keyboard ;)))

@Jobee Please wait for package update: https://redmine.pfsense.org/issues/9874#note-8