@iTestAndroid said in i7 4GHz CPU + 128GB RAM, still slow when I load a large list in DNSBL:

@tman222

Yes. Actually, with pfBlocker and list of around 400-500k, it works flawlessly, its super fast and blocks most ads. When I turn on all lists I have, the total count adds up to ~1.4M and that's when things start to go south. Otherwise both DNS resolver and pfBlocker works fine. So when 1.4M entry is added to pfBlocker, things get slow and some DNS requests hangs.

DNS Query Forwarding -> Enabled
Use SSL/TLS for outgoing DNS queries -> Enabled
Custom Options:
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853

server:include: /var/unbound/pfb_dnsbl.*conf

These are the DNS server addresses listed there
1.1.1.1
1.0.0.1
9.9.9.9

I have gigabit internet, RTT is acceptable:
ping cloudflare.net
PING cloudflare.net (104.16.208.90) 56(84) bytes of data.
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=1 ttl=57 time=2.73 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=2 ttl=57 time=2.60 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=3 ttl=57 time=2.43 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=4 ttl=57 time=2.37 ms
64 bytes from 104.16.208.90 (104.16.208.90): icmp_seq=5 ttl=57 time=2.53 ms

@provels
Yes, I have both enabled and each of them have size of 4096MB (4GB)

Hi @iTestAndroid - do you see any difference if you take out 9.9.9.9 and just use Cloudflare's 1.1.1.1 and 1.0.0.1 servers? Do you have DNSSEC checked or unchecked? I'm still not quite convinced this is a pfBlockerNG issue -- 1.4M is really not that big and you have got some pretty powerful hardware too.

Hope this helps.

@RonpfS said in Embeeded youtube clips won't work. Firefox detected a potential security threat and did not continue to www.youtube-nocookie.com:

Remove your Whitelisting of the domain, Force Reload All, then whitelist it using the Alert Tabs to see what pfblockerNG will whitelist. www.youtube-nocookie.com is a CNAME : youtube-ui.l.google.com that need to be whitelisted as well.

Thank you now it works! It added the following to the whitelist:

.www.youtube-nocookie.com .youtube-ui.l.google.com # CNAME for (www.youtube-nocookie.com)

pfBlockerNG-devel already has ASN support in the IP State setting. Also Radb registry isn't very accurate. The package is using bppview.io instead.

https://api.bgpview.io/ip/<IP>

Your local device could have had the entry cached. Normally I will also disconnect my device from the network, and back on to force the device to flush local cache. Sometime a /flushdns on windows helps too.

@NasKar said in Access to my VPN and Plex Server while abroad:

I would like to access my VPN to make changes to my firewall just in case and my Plex Server.

Trust me, it's not a good idea to change your firewall through VPN. Make the changes before you go.

@Koent said in curl error 7 on all downloads:

analyse the FW daily

Me neither.
But I do check 'basic' operations when changing 'major' things like interfaces that deal with outgoing traffic.
In this case : because the NIC called WAN (actually : PPPoE) now faces the Internet directly. Before, pfSense was probably hidden behind another router (no standard, but normal for a DHCP client mode). Now, it's time to re check and double check your WAN rules : typically none should be there exception NAT rules.

I tried to add

/usr/local/bin/php /usr/local/www/pfblockerng/pfblockerng.php update >> /var/log/pfblockerng/pfblockerng.log

as a shellcmd, but it still ran too early. I don't know how to make it sleep for a couple minutes.

Thank you both for sharing...I learned about Shodan for the first time.

So their servers or cluster at each pop can handle 65k users - yeah find that unlikely ;) This just a perfect example of how misuse of ipv4 space ran us into a shortage of ipv4 way before it should of ever happened..

Network space should be assigned appropriately for the amount of devices that will be using that space.. Even when inside rfc1918 space (which has limits as well) Sure you allow for growth and such.. But come on their 8 core 10ge box could handle anywhere close to even 8k users? That would leave you at most 1.25mbps each user ;) Let alone 64k users ;)

@provels They can be used as whitelists instead

Those are the default settings now... If none of those Auto rule settings work for your needs, you can always use "Alias Type" Action settings and manually create the firewall rules to suit. Click on the blue infoblock icon for the Action setting for more details.

Perhaps @BBcan177 can add them to the feed list in one of the next sub-versions?

Yeah if your MS shop using AD, its prob best to let MS be your dhcp and dns... Then just have your AD dns use pfsense/pfblocker for your dns to external domains.

You can put in a domain override in pfsense so it can resolve your PTRs for networks and the like.

Hi,

He (@BBcan177 ) already spoke about it here (the DNS forum).

Thanks for the reply. I found a way to get it to work...

At the bottom of the Custom Address List, there is a drop-down menu with the option "Update Custom List" -- selecting that item and then forcing an update fixed the issue and the address was correctly blocked.

What's odd is that I've never had to select that before. I've always just added the address, forced an update and literally watched as no more targeted traffic made it through the firewall.

I'm not sure what changed, but at least I was able to get it working.

Thanks again!
-Michael

@skilledinept said in What does "SFS_Toxic_BD" mean? – Is Zoho bad?:

Just to be clear, I'm not blaming anyone or anything, it's only curiosity and, I did install the developer version. The whole UI change threw me for a loop so I followed the little walkthrough just enough to get filtered DNS and left the rest for later.

Those in the know install the developer version ☺

https://www.reddit.com/r/pfBlockerNG/comments/chsajn/cant_get_geoip_to_block_foreign_countries/

@Koent
When you run a "Reload" it uses the previously downloaded feed if it was previously downloaded.
Goto the Log Tab, view the file in the "dnsbl" folder, and delete it, then run a Force Reload/Update