• Building a useful and up to date IPv4 list for everybody

    2 Posts, 709 Views

    #################
    IPv4 lists
    #################

    ------------------------------------------------------------------------------
    Alias Name: Deny_Both, Action: Deny_Both, Frequency: ??
    Alias Name: Deny_Inbound, Action: Deny_Inbound, Frequency: ??
    Alias Name: Deny_Outbound, Action: Deny_Outbound, Frequency: ??
    Alias Name: Whitelist, Action: Permit_Both, Frequency: ??
  • EasyList tutorial?

    16 Posts, 13k Views

    Ok, so you do live with ADs ;D

  • PfBlockerNG DNSBL VIP arp error in system log

    2 Posts, 466 Views (BBcan177)

    Which DNSBL Listening interface did you assign in the DNSBL Tab?
    Do you use HA/CARP?

  • Traveling Users Blocked

    2 Posts, 479 Views (BBcan177)

    You would need to create rules to allow those GeoIPs to access the services… When people are traveling, you can just re-enable those permit rules to let them in...

  • Checked "DNSBL Firewall Rules" however no floating rule added?

    3 Posts, 1k Views

    Thanks BBCAN…love the functionality! I managed to get it working! Keep up the great work...

  • How to fix this dead list?

    5 Posts, 900 Views (mtarbox)

    Thank you BB!
    I've often wondered what lists you specifically use, and perhaps why those specific lists.
    Thank you!

  • 10.10.10.1 trying to delete error

    3 Posts, 1k Views

    Thanks! I'm also having WAN drop issues since upgrading to 2.3.4-p1, so I might just re-install with 2.4 and try that out as well.

    It's just a home firewall so not like I have massive rules/etc set :)

  • Feature Request: | pfB_Pass/Match | pfB_Block/Reject | All other Rules

    2 Posts, 545 Views (BBcan177)

    When you are interleaving your rules like that, it's very difficult to auto-generate the order… I would recommend using "Alias type" rules and then manually creating the rules as required. Click on the blue infoblock icon in the IPv4 tab to get more details....

  • Updated lists and just discovered firehol

    3 Posts, 1k Views (BBcan177)

    It's not recommended to use the LVL1 feed to block Outbound since it contains Bogons. Also, IBlock doesn't seem to be maintained very well… I'd not recommend using Feeds that are not maintained.

  • PfBlockerNG DNSBL Latency?

    3 Posts, 2k Views (BBcan177)

    @killmasta93:

    Hi,
    I was wondering if someone else has had this issue before? Recently users have been complaining about slow internet speeds. Right now it's configured so the Windows Server DNS root is pointed to pfSense, and the DNS on pfSense is 8.8.8.8. So I'm guessing it might be a DNS issue for the request. I checked the unbound DNS cache and it seems to be all right. What I've also been noticing at times is that Chrome shows that the page connection is not private, but if I reload it again it shows the website normally. My question is, is there a way to troubleshoot the issue by checking DNS speed from pfBlockerNG to the roots of the Windows server?

    Thank you

    If browsing is slow it could be one of two things generally…

    Your LAN segments cannot access the DNSBL VIP address... To test, try to ping the DNSBL VIP address, and try to browse to the DNSBL VIP address from each of your LAN Segments. If that doesn't work, then ensure that you have selected the DNSBL Permit option to allow those subnets to access the DNSBL VIP address... You can also check your NAT/Limiter rules to see if something is interfering with the access...

    When a LAN segment cannot access the DNSBL VIP, the browser will time out as it's still looking to access the blocked domain.

    One of the blocked domains is causing the browser to time out...

    Your LAN devices should have their DNS settings set to your MS AD/DNS Server only. Then the AD/DNS should have its Forwarders set to pfSense, which will then be filtered via DNSBL.

    Another thing to keep in mind is that when you try to open a web page that is blocked via DNSBL over HTTPS, the browser will show a certificate error, since the browser sees that the DNSBL certificate does not match the Domain that was blocked.... It's safe to ignore...

  • IPV4 White list before Geo IP

    2 Posts, 582 Views (BBcan177)

    Check the Firewall rule order… To overcome a GeoIP blocklist, you need to have the Permit rules above the Block rules. The Rule order setting is in the General tab.

  • 2.3.4-p1 Breaks PFBlockerNG broke one VLAN, rest ok

    3 Posts, 612 Views (BBcan177)

    To confirm, can you ping 10.10.10.1 from each VLAN, and can you browse to 10.10.10.1 and get the 1x1 pix from each VLAN?

  • PfBlockerNG for OpenVPN Client Configuration

    5 Posts, 3k Views (Xentrk)

    @David127:

    Hi Xentrk.

    Can you make a screenshot of all general settings and post it here?
    That would be helpful.

    What did you choose in DNSBL under DNSBL Listening Interface?

    Thank you.

    No problem. Let me know if I can be of further assistance. I recall the days of reading every post in the pfBlockerNG forum before trying to set it up and struggling with getting it working. Hang in there!

    Regards, Xen

    Attachments: pfBlockerNG-General.PNG, pfBlockerNG-DNSBL.PNG

  • Blocked website help

    2 Posts, 608 Views

    From the general tab of pfBlockerNG, what is the 'Firewall auto rule order'?

    You can ping the domain and get a response; does nslookup return the expected address?

    What does the alerts tab of pfBlockerNG show once you try to visit the website?

  • Data location: Custom Domain Whitelist

    3 Posts, 948 Views

    Thanks!

    I realized that too after mucking around and READING lol. Thanks for the link… I'll figure out how to decode it with a script too if I need it. It's a minor issue.

  • Rule reordering needs better customization - possibly solved - see reply #8

    10 Posts, 1k Views

    I'll chime in here. For me, what I do is:

    1 - Have all my BLs on a web server
    2 - Make a "whitelist.txt" BL
    3 - Add all the IPs and networks I want to whitelist to it
    4 - Add the URL and allow it in the IPv4 tab + get it once per hour + move it to the top of the list, although I don't think moving it to the top does anything :P
    5 - Cron reload

    Done… Now I just manage the single whitelist.txt file and sometime within an hour it gets updated. I have a substantial list of networks and IPs in that white list now.

    I believe this even overrules any geo IP / country block in place...it allows it out.

  • DNSBL and mobile apps

    2 Posts, 1k Views (a-a-ron)

    So… I've run into this issue a few times. The only solution is to white list the ad sites that Amazon uses, and unfortunately it's not just Amazon domains. I will generally tail the log and grep only on the device I'm monitoring. Try these to start...

    fls-na.amazon.com # amazon app
    watson.telemetry.microsoft.com # amazon app
    modern.watson.data.microsoft.com.akadns.net # CNAME for (watson.telemetry.microsoft.com)

    But basically yeah, what you're doing is the only way...

  • 2.3.4-p1 Breaks PFBlockerNG

    6 Posts, 1k Views

    Just to confirm that I had the same problem: I disabled PFBlockerNG and did a force reload as RonpfS suggested, then enabled it again, and all is OK now.

  • How to make rules order persistent?

    4 Posts, 2k Views

    Solution - (worked for me, anyway, needs to be adapted for your situation)

    I recently had and solved the same problem. I had false positives on a block list. The iblocklist blocked Akamai as a hijacked site. Hulu was stopped out for me as a result. pfBlockerNG sorted my alias pass list into the wrong place by only using the drop box with the sort orders.

    After going back and forth on the forum, I devised my own solution which appears to work well. I put it in another posting in this area, but here's a cut and paste of the relevant part.

    The key is to move pfBlockerNG into the floating rules section. This causes the LAN and WAN rules to be ignored when pfBlockerNG sorts them out according to the drop box. The only sorting occurs in the floating rules section.

    Anyway it works for me. You may need to adapt the following a little to match your own situation.

    1. Put false positive IP addresses in an alias list
    2. Add alias to floating rules as a pass, choose proper interface and direction, check apply immediate box
    3. Tell pfBlockerNG to apply all rules as floating rules by checking the box on the general tab
    4. Use the dropdown box to tell pfBlockerNG to sort rules with pfSense pass rules first
    5. Reload your rules just to see if they sort out correctly on ALL rule tabs
    6. Test

    Apparently, since pfBlockerNG is told to put everything on floating rules, the rules reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.

    Edit: Removed many iblocklists from pfBlockerNG. No Bluetack lists are updated any longer and hijacked sites was one of them.

    FireHOL offers several lists. It appears to be a list aggregator. They seem to take pride in staying current. I added a few fireHOL lists.

    fireHOL also blocks some LAN multicast / broadcast addresses. I used the above technique to put them on a false positive list. I prefer it over pfBlockerNG custom lists because they are immediate. No forced updates required.

    So - in summary - the hijacked sites list was bad because it was outdated. The problem it created forced me to develop a technique to block false positives. It also, indirectly, prompted me to find better block lists. This technique can be adapted to probably any need for persistent lists to bypass pfBlockerNG reordering that may cause firewall problems.

  • Private Block lists …

    8 Posts, 1k Views

    https://forum.pfsense.org/index.php?topic=133609.0

    I had a similar problem recently and this topic describes it and a possible solution. I'm still testing the fix but it seems to work.

    The fix for your problem is a simple adaptation of my solution. Good luck.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.