• (SOLVED) Not enough double u's?

    4
    0 Votes
    4 Posts
    449 Views
    Raffi_R
    Yup, "test.com" was in one of my lists. That explains it! pfblocker was doing its job. Thanks!
  • Stuck on booting up on console

    2
    0 Votes
    2 Posts
    253 Views
    DerelictD
    Sure it's not the stuff listed about the console here? https://www.netgate.com/docs/pfsense/install/upgrade-guide.html?highlight=upgrading#upgrading-from-versions-older-than-pfsense-2-4-4
  • Checked "DNSBL Firewall Rules" however no floating rule added?

    3
    0 Votes
    3 Posts
    480 Views
    R
    Hi @BBcan177, Yes, I did. I also tried deselecting either one and disabling and re-enabling it. @reilos said in Checked "DNSBL Firewall Rules" however no floating rule added?: I have pfBlocker running on 2 interfaces, which I have selected in the list behind the checkbox.
  • 0 Votes
    5 Posts
    3k Views
    S
    Hi everybody, I found indeed a solution to my problem and would like to share it here. It is not perfect, but what in this world is?

    My solution does not directly use pfSense. pfSense is only used to ...
    a) configure a special DNS server address for selected DHCP clients (smart TVs and the like)
    b) block access to the (uncensored) DNS resolver running on pfSense from said clients using the firewall

    The special standalone DNS server (a Raspberry Pi in my case) runs the dnsmasq service. dnsmasq has two very handy configuration options. The magic incantations are the "server" directive and the "address" directive. (Note: One could also run dnsmasq on pfSense - but in my setup I already use unbound on pfSense and didn't want to risk messing with everybody else's DNS resolution just for this.)

    With the server directive one can specify an address which we want to be resolved by a certain DNS server. The trick here: '#' as the target resolver means "use your configured standard server to forward the request to". Meaning: resolve normally. In my case for Netflix I have:

        server=/netflix.com/#
        server=/netflix.ch/#
        server=/nflxext.com/#
        server=/nflximg.com/#
        server=/nflximg.net/#
        server=/nflxvideo.net/#
        server=/nflxso.net/#
        server=/netflix/#
        server=/cloudfront.net/#
        server=/d179kwmlpc4o47.cloudfront.net/#
        server=/d2s336w63pl2vv.cloudfront.net/#

    (the details seem to depend on geographic location - note I have a blanket "allow" for all of cloudfront.net here - the cloudfront host names are not necessarily stable)

    The "address" option can then be used to implement the "DNS black hole" functionality:

        address=/#/192.168.x.y

    OR

        address=/#/

    The first version makes dnsmasq return a fixed (fake) IP address for any DNS request not whitelisted using a server directive. The second returns NXDOMAIN instead of a wrong IP. I use the first. Look at the manpages of dnsmasq and dnsmasq.conf for details!

    For some of my "smart" devices to function, I need to allow additional domains. One Samsung TV for example needs access to the domain time.samsungcloudsolution.com (among others). Otherwise it will not believe that it has internet access and will simply refuse to start the Netflix app - stupid "smart" thing!!

    My solution kind of works, but adding a new "smart" device is always a hassle. And if you want to use another video streaming service, you have to find out the necessary domains to whitelist first.

    This is the solution I am using. I hope this will help someone.

    Andy
  • Is pfBlockerNG Devel stable?

    Moved
    23
    0 Votes
    23 Posts
    4k Views
    newyork10023N
    @bbcan177 The list with which I am familiar is pulled by uBlock Origin, but I cannot determine which exact list it is. I did find the following lists, and I expect one is the list pulled by uBO: https://www.zoso.ro/pages/rolist.txt https://www.zoso.ro/pages/rolist2.txt
  • Upgrade to newer pfblockerng have get error.

    2
    0 Votes
    2 Posts
    812 Views
    GrimsonG
    @akong77 said in Upgrade to newer pfblockerng have get error.:

        Hello, I upgrade latest pfblockerng have got error. I use some command fix php error.
        ,,,
        ssh to pfsense
        cd /usr/local/lib/php/
        ln -s 20170718/ 20131226

    That is not a fix, it just messes up things more. https://forum.netgate.com/topic/135895/package-update-triggers-only-half-2-4-4-update
  • pfBlockerNG-devel 2.2.5_17: IP Alerts list (Deny) not showing alerts

    7
    0 Votes
    7 Posts
    1k Views
    RonpfSR
    @aritus On my box I have selected WAN for Inbound, and LAN for Outbound.
  • pfBlockerNG-devel 2.2.5_17 + 2.4.4 (Uncaught Fatal Error)

    2
    0 Votes
    2 Posts
    332 Views
    A
    Ok, to anyone else running into this issue you need to ensure the "Keep Settings" is unchecked in the General Tab and then uninstall the package. Once that is done reinstall the package and it should work.
  • Is Hiding DNSBL Alerts without Whitlisting Possible?

    5
    0 Votes
    5 Posts
    898 Views
    Z
    Oh, I see what you mean now! Thanks again.
  • pfBlockerNG and 1.1.1.1 - possible solution.

    8
    0 Votes
    8 Posts
    1k Views
    dragoangelD
    @BBcan177 P.S. after your post I launch update to devel version, and all goes smooth like a charm - need only to launch cron update from pfBlockerNG menu (I'm not use easylists), new menus, autocomplete for GeoIP, ASNs and other functions is awesome!
  • PRIX

    1
    0 Votes
    1 Posts
    433 Views
    No one has replied
  • pfBlockerNG - 2.2.5_16 pfb_filter

    17
    0 Votes
    17 Posts
    3k Views
    SnowaksS
    Thanks
  • Whitelisting From Alerts Page Not Working

    15
    0 Votes
    15 Posts
    1k Views
    M
    Thanks, works perfectly now.
  • DNS over TLS - 2.4.3 to 2.4.4

    4
    0 Votes
    4 Posts
    2k Views
    jimpJ
    No, you do not.
  • DNSBL (DEV) Stopped working after 2.4.4 upgrade

    5
    0 Votes
    5 Posts
    1k Views
    V
    I was able to get DNS resolver errors above corrected with this post https://forum.netgate.com/topic/106011/solved-pfblockerng-reloading-unbound-fails/11 After the above, resetting Resolver settings (just clearing all settings then adding back the same settings) and a reboot it appears to be working again. Thanks for the help!
  • GeoIP and NAT

    8
    0 Votes
    8 Posts
    1k Views
    GrimsonG
    @cgeo said in GeoIP and NAT: But my point remains. Shouldn't this be visible in the firewall logs? You have the source IP alias already in the NAT rule, so it will not process the port redirect from IPs not covered in that alias. As such the firewall simply sees a connection from your LAN to your WAN address, this is allowed by the default LAN-to-any rule (if it still exists in your config), and so it won't be logged. With this config you simply try to connect to pfSense on a port that is likely not in use.
  • 2.4.4 upgrade messed pfBNG (beta)?!

    4
    0 Votes
    4 Posts
    905 Views
    boukeB
    @bbcan177 Thanks BBcan177. This fixed it for me
  • maxmind.com blocked by QuidSup Trackers

    3
    0 Votes
    3 Posts
    581 Views
    PuchoP
    Great, thanks! Completely overlooked it. I'll have a look at threat look up thing. I won't hesitate in the future to open a GitHub issue with the maintainers if after some investigation it turns out to be a false positive.
  • 0 Votes
    4 Posts
    723 Views
    BBcan177B
    With all the changes in PHP7, a commit was added to the installer code that created some empty XML tags.

        <config></config>

    This will be fixed in the next version which should be out soon. However, you can follow these steps below to fix this issue now:

    First make a backup of the config.xml from the:
    pfSense Diagnostics > Backup & Restore Tab:

    Then paste the following PHP code which will clean up the empty XML tags into:
    pfSense > Diagnostics > Command Prompt > Execute PHP Commands:

        // pfBlockerNG package sections that may hold an empty <config></config> tag
        $upgrade_type = array('pfblockernglistsv4', 'pfblockernglistsv6', 'pfblockerngdnsblsettings',
                              'pfblockerngafrica', 'pfblockerngantarctica', 'pfblockerngasia',
                              'pfblockerngeurope', 'pfblockerngnorthamerica', 'pfblockerngoceania',
                              'pfblockerngsouthamerica', 'pfblockerngtopspammers',
                              'pfblockerngproxyandsatellite');

        foreach ($upgrade_type as $type) {
            if (is_array($config['installedpackages'][$type]['config'])) {
                // Drop the first entry only when it is empty
                if (empty($config['installedpackages'][$type]['config'][0])) {
                    unset($config['installedpackages'][$type]['config'][0]);
                    print "\n| Removed | {$type} | Empty XML Tag";
                }
            }
        }
        // Save the cleaned configuration
        write_config('pfBlockerNG - Fix empty XML tags');

    Then hit the Execute button for the code to run.
  • pfBlockerNG-devel TLD

    3
    0 Votes
    3 Posts
    1k Views
    R
    @BBcan177 so I have "Mem: 5293M Active, 734M Inact, 3236K Laundry, 1055M Wired, 742M Buf, 764M Free Swap: 3881M Total, 94M Used, 3787M Free, 2% Inuse" This is a Qotom mini pc with one SO-DIMM memory slot. 8 gig was the max I could get. It seems to idle around 81%, not sure if that will go up as more users are on my network. I am just wondering if it hits 100% for some periods of time if this will cause issues. I removed squid as well and it went down to about 71% but I like squid for the built in virus scanner. I don't really need the proxy as I have a fast fiber internet connection but it's part of the package... If it stays at near 100% I will need to try what you suggested with TLDs cn or ru... etc Thanks for the tips
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.