• pfBlockerNG-devel (2.2.5_23) - Unknow reason

    2
    0 Votes
    2 Posts
    401 Views
    A

    Whatever list you added your domain to, make it primary in the settings, so it will be applied first.
    And maybe you can post this on reddit r/pfBlockerNG;
    bbcan will reply pretty fast.

  • Pfblocker DSNBL causing some sites to not resolve

    15
    0 Votes
    15 Posts
    2k Views
    T

    @BBcan177 @RonpfS I was able to trace it down to an open source firmware (gargoyle router firmware) on my wireless router that was not playing nice with my pfsense box. I do not know exactly how, or why, but the domain information that is used to get the blocks on the report page was not being forwarded correctly (or something else equally weird) to the pfsense box. When I reverted to the stock firmware on the router, it immediately began to report the domain blocks on the reports tab in pfblocker. Was strange, and unexpected.

    I have to thank BBcan177 so much for taking time out of his busy schedule to teamviewer with me today to continue to troubleshoot this issue. Thank you RonpfS as well for helping me in this matter.

  • PfBlockerNG Not Blocking Porn

    24
    0 Votes
    24 Posts
    29k Views
    Y

    @BBcan177 said in PfBlockerNG Not Blocking Porn:

    Blocking porn is really difficult with DNSBL… There are millions of domains ....

    This you can do:

    Enable the TLD option, and add "xxx" to the TLD Blacklist customlist.... Then it will block any domain in the "xxx" TLD...

    In EasyList, there are Adult Popups that are blocked, but that just removes the Adult AD popups, and not the Adult sites themselves...

    A Proxy will be the best option to filter that type of content... SquidBlacklist/UT1 have some Adult categories which list quite a few Adult domains... It's not foolproof either.... Just be careful about MITM SSL issues...

    I would recommend OpenDNS. By the way, on Google you can do this: http://www.google.com/preferences.

  • Updated to pfBlockerNG-devel 2.2.5_23

    3
    0 Votes
    3 Posts
    781 Views
    S

    @RonpfS Thanks for that. Looking good!

  • pfblockerng not blocking https sites

    2
    0 Votes
    2 Posts
    433 Views
    G

    Forgot to mention I'm using the devel release and I have TLD enabled. Found another thread that mentioned pinging the site should return the DNSBL VIP address. When I ping www.pornhub.com I get back their actual address. When I ping pornhub.com I get back 0.0.0.0. This is not the DNSBL VIP address.

    Any help would be great. Thanks.

  • Page works but refresh or “next page” hits DNSBL - only on iPad

    9
    0 Votes
    9 Posts
    537 Views
    keyserK

    Well yes, of course it works if I disable DNSBL, and it also works if I whitelist e1151.e12.akamaiedge.net (which is my current workaround).
    I know pfb_dnsbl.conf is created at update time, but currently the akamai entry is included in the config because it is present in the SBL_ADs feed (hence my need to whitelist it).
    So I still don’t quite get what you are referring to - as far as I can tell it is an Apple issue because iOS the second time around decides to look up the original A record (akamai) for which www.anandtech.com is a CNAME. It seems my PC continues to look up www.anandtech.com.

  • DNSBL as content filter on a single NIC pfSense?

    7
    0 Votes
    7 Posts
    1k Views
    J

    @BBcan177 thanks for your reply.

    I solved the resolving of clients myself: when the pfSense appliance is not inline (e.g. router/firewall), you have to specifically allow access to the DNS Resolver to allow for DNS requests from outside (menu: Services \ DNS Resolver \ Access Lists).

    You might be right for the redirection page (I am on 2.4.4-p3), it does not show a page. The client web browser just hangs. As @zonda describes, the reporting of DNSBL stats does not work either.

    So there is still some work to do. Anyone got reporting to work on a pfSense appliance that is not inline, but installed locally on the network with one interface (LAN) only?

  • Allowing AWS inbound using IPV4 Alias

    5
    0 Votes
    5 Posts
    574 Views
    A

    @BBcan177 Fantastic thank you!

  • pfblockerng blocking chase.com shopping redirects... how to fix?

    9
    0 Votes
    9 Posts
    1k Views
    BBcan177B

    Anything that is blocked is visible in the Alerts Tab. You will need to view the reports tab while browsing to see what is getting blocked. You can whitelist from the Reports Tab. Also in pfBlockerNG-devel there is a lock/unlock icon that you can use to temporarily whitelist a domain to help determine if that domain is causing your issue. Keep in mind that you might need to clear the OS/Browser cache to remove any existing blocked domains.

  • IP Block Firewall Rules?

    5
    0 Votes
    5 Posts
    590 Views
    BBcan177B

    @fvultee When you created PRI2-4 Alias, did you enable the individual Feeds and set the "Action" setting?

  • pfBlockerNG HTTPS Error

    2
    0 Votes
    2 Posts
    655 Views
    BBcan177B

    @mark-mora See this thread:
    https://www.reddit.com/r/pfBlockerNG/comments/azwpu2/dnsbl_webserver_https/

  • DNSBL not working, even with Resolver active

    5
    1 Votes
    5 Posts
    2k Views
    E

    I did some troubleshooting and I honestly don't know exactly what the issue was but here is a list of steps I took to get it working again:

    General Setup
      - Set loopback address on top followed by DNS IP(s) or leave everything blank if only using Unbound
      - DNS Server Override unchecked
      - Disable DNS Forwarder unchecked
    DNS Resolver
      - Network Interfaces > only select local ints including LAN.
      - DNS Query Forwarding unchecked
      - DHCP Registration checked
      - Static DHCP checked
    DHCP Server
      - set your DNS Server to the LAN's IP int
    On each of your DHCP Clients
      - Renew lease or perform a network reset
    On each of your Static Clients
      - Use the IP int as DNS address

  • Devel Version GeoIP Tutorial

    8
    0 Votes
    8 Posts
    906 Views
    JeGrJ

    @provels said in Devel Version GeoIP Tutorial:

    If I deny a country but the traffic is blocked by default anyway, either way the FW has to make a call. Same/same?

    That was what I was writing. It makes no sense to "double block". On the other hand I see no sense - for example - in allowing only certain countries access to an OpenVPN port. If that is configured properly there shouldn't be that many more hits or traffic or connection attempts than normal port probing anyway.

    @provels said in Devel Version GeoIP Tutorial:

    I find the ad blocking extraordinary as well as the default outbound blocks to suspect hosts/IPs

    I agree, that's two use cases I see pfBNG perform very well. Also logging those requests against suspect IPs is a good start in finding out if a box is just noisy or perhaps compromised. A client of ours was "protected" (aka lucky) to have it as one user got himself a crypto-trojan and it couldn't contact the control server so stayed dormant. Not a huge protection bonus but more like a "small additional line of defense". :)

  • Default Website Blocked Message not showing

    13
    0 Votes
    13 Posts
    4k Views
    X

    @RonpfS I asked BBcan177 on reddit if he recommends this instead, as the next fix I believe will not be out for a while. Maybe BBcan177 could chime in on this thread?

    Regardless, thanks for the fix!

    EDIT: per BBcan177: I have a PR to fix this and it's waiting on the pfSense devs to approve and merge. So either way will work until the next version is available.

  • DNSBL Blocked Webpage not show

    9
    0 Votes
    9 Posts
    1k Views
    M

    I had reset the configuration and I think it was the one to remove the modification made; however, now it works as before. I thank everyone.

  • Do I need to specify a dest add in rules & nat?

    2
    0 Votes
    2 Posts
    304 Views
    DerelictD

    NAT happens before firewall rules are applied so if you are port forwarding, say, WAN address:80 to 192.168.1.100:80 you need to pass traffic to 192.168.1.100:80 on WAN.

    The automatically-generated rules on a port forward will always do the right thing.

  • Added Domain to DNSBL Whitelist, still refuses to resolve

    19
    0 Votes
    19 Posts
    2k Views
    johnpozJ

    If you're resolving and having problems - you need to figure out where you're having problems following down from roots..

    Do a dig +trace to find out where your problem is.. That returns a cname, which then would have to be resolved as well

    $ dig feeds.megaphone.fm

    ; <<>> DiG 9.14.1 <<>> feeds.megaphone.fm
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8931
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;feeds.megaphone.fm.            IN      A

    ;; ANSWER SECTION:
    feeds.megaphone.fm.     3599    IN      CNAME   cds.f3d9q2w8.hwcdn.net.
    cds.f3d9q2w8.hwcdn.net. 3600    IN      A       69.16.175.42
    cds.f3d9q2w8.hwcdn.net. 3600    IN      A       69.16.175.10

    ;; Query time: 513 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Sun May 19 20:50:02 Central Daylight Time 2019
    ;; MSG SIZE rcvd: 115

  • Should pfBlockerNG show up on Services Drop Down?

    2
    0 Votes
    2 Posts
    177 Views
    provelsP

    @HansSolo Configuration is listed under Firewall\pfBlockerNG. Status is listed under Status\Services. I'm using the Devel version which is much more plug/play than the Release version.

  • pfBlockerNG blocking Insteon Hub - advice requested

    21
    0 Votes
    21 Posts
    2k Views
    johnpozJ

    @NogBadTheBad

    Yeah I can promise you for sure that people that run tor exit sites might also be members of the ntp pool.. NTP doesn't limit who can join - your IP just needs to provide stable time.. Which is checked and if your score drops below 10 then your IP is removed from the pool until its score goes above 10, etc..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.