• Best pfBlockerNG settings for best performance.

    0 Votes
    2 Posts
    854 Views
    Not sure of a "perfect setting"? But I suspect the "faster" your hardware and the more RAM, the quicker it will run… you don't need software as it is a pfSense package. What I have discovered is that what can make pfBlocker the best is the quality of your lists, be they IPv4 or DNSBL lists.
  • pfBlockerNG Edit error page

    0 Votes
    4 Posts
    939 Views
    RonpfS
    https://forum.pfsense.org/index.php?topic=125996.0
    https://forum.pfsense.org/index.php?topic=120253.0
  • VLANs being blocked

    0 Votes
    3 Posts
    883 Views
    OK, I got it… thanks for clarifying that for me.
  • Turning off (or on) pfBlocker seems to then block all inbound traffic

    0 Votes
    2 Posts
    353 Views
    RonpfS
    What do Status / System Logs / System / General, Status / System Logs / System / DNS Resolver, and Status / System Logs / Firewall show?
  • Whitelist not working

    0 Votes
    7 Posts
    1k Views
    @BBcan177: Anything that is blocked is reported to the Alerts tab… So that is where I saw it being blocked by an IBlock ADs feed... You might not have that feed enabled? But it could be in another feed.... The "Auto" rules won't work for everyone.... There are some common boilerplate options, and if they don't fit your network design, then you need to use "Alias Type" rules and manually create the rules as required. Click on the blue infoblock icons in the IPv4 tab on how to do that... Suppressing the IPs (only for /32 or /24 blocks) is the best choice.... so that you don't need the permit rule. But if you require the Permit whitelist, then you need to find a rule order option that puts the permit above the block... or use Alias type rules... There is a trick where you can edit all the pre-defined pfBlockerNG rule "descriptions", and change the prefix to "pfb_" lowercase. Then disable the package. Edit all of the IPv4/6/GeoIP aliases to be "Alias type", then re-enable the package… This way the rules are created by the package initially so that you don't need to manually create them all... Any rules that start with "pfB_" are managed by the package on each cron or Force command.
    Thanks, I did as you said, replacing all the pfB_ with pfb_ in the descriptions. However, when I went to re-enable DNSBL, I don't see rules for it (including the floating one). I might have forgotten to lowercase the rules associated with DNSBL… How would I get back the rules for DNSBL, including the floating rule for the VIP? Enabling/disabling DNSBL has no effect. Also, after this modification, when I disable pfB I get tons of notifications; am I doing something wrong here?
  • [SOLVED] Deny inbound but only log for open ports, possible?

    0 Votes
    8 Posts
    679 Views
    iorx
    Follow up: Works like a charm! For the lists: Deny on both inbound and outbound, and logging enabled. Advanced inbound: UDP/TCP and a port definition alias which contains my open WAN ports. Also added the most common ports and ranges which UPnP opens for devices on the inside. Result is a very tidy firewall and alert log, with logging kept for all outbound traffic trying to connect to nasty stuff and logging for anything trying to reach my open WAN ports. So, mission complete. Brgs,
  • Different blocklists for different hosts on the LAN?

    0 Votes
    2 Posts
    355 Views
    BBcan177
    You can create "Alias type" aliases which will just create the IP table of IPs… Then you can manually create your firewall rules associating the applicable alias table. You could also try to use the "Adv. In/Out" settings to fine-tune the rules.
  • Whois domains sometimes not parsing [Resolved]

    0 Votes
    7 Posts
    734 Views
    dragoangel
    Thank you for the clear answer. About the feeds not being the same: yes, it was only a copy-paste mistake; this list was not Alias Native, but I asked about Alias Native in the clarifying question. :)
  • pfBlocker list import problem ….

    0 Votes
    13 Posts
    3k Views
    Thank you. I'll give that a try and post back if there are other issues. Thanks again.
  • Deny Outbound for IPv4, DNSBL and GeoIP?

    0 Votes
    2 Posts
    2k Views
    BBcan177
    Yes, pfSense is a stateful firewall and the WAN is default deny…. When a device on the LAN makes a request outbound, it creates a firewall state, and this state allows the IP to come back through the WAN to your LAN (IPv4).... So protect the Outbound... and if you open specific ports on the WAN, then you can add rules for those open ports only... If you add Deny Both or Deny Inbound, and there are no open ports, then all you're doing is logging all the traffic that is hitting your WAN interface, but it is already being blocked by the default WAN block rule... So all you're doing is filling your widget and firewall/alert logs with entries.... Best to actually review what is getting blocked without all the noise... The DNSBL IP is used when DNSBL feeds contain IPs... It collects them and puts them into a firewall rule, as Unbound cannot block on an IP; it blocks via a domain name. So follow the same philosophy as above for this also.
  • [RESOLVED] Getting constant alerts/blocks for 255.255.255.255

    0 Votes
    7 Posts
    4k Views
    BBcan177
    See here: https://forum.pfsense.org/index.php?topic=135257.msg764291#msg764291
  • DNSBL - Certificate error when accessing github.com

    0 Votes
    5 Posts
    2k Views
    @BBcan177: What does this command report: host -t A github.com
    You can also check if there are any subdomains being blocked: grep "github.com" /var/unbound/pfb_dnsbl.conf
    If there are other subdomains listed, you can prepend a "." to the domain in the whitelist and follow that with a Force Reload DNSBL.
    I got the same problem. This fixed the problem with github. Thanks!
  • iOS app blocked due to custom rule, forgot why I needed the rule?

    0 Votes
    4 Posts
    452 Views
    @frankvh: Looks a lot like this: https://forum.pfsense.org/index.php?topic=124945.0
    Reviewing that thread, it definitely seems like I input it for that reason. I modified the rule to specifically have destination 127.0.0.1 and my app works again. That seemed less harsh than modifying the code. Plus, I created the code modification (w/o updating the destination in the rule) and it wouldn't let the app function. However, it seems to be working fine now, thanks again!
  • Question on pfBlockerNG, IPv4 Alias

    0 Votes
    3 Posts
    1k Views
    Thanks for your help BBcan177. That explains it! Sorry for taking so long to respond.
  • Source of IP block

    0 Votes
    3 Posts
    612 Views
    Using the command line, you can search for the domain in pfBlockerNG's DNSBL config: grep "SEARCH STRING HERE" /var/unbound/pfb_dnsbl.conf
    For IP, I imagine the same would work for whatever *.conf file holds that.
  • [SOLVED] exception for 192.168.0.0 addresses

    0 Votes
    8 Posts
    2k Views
    BBcan177
    The feeds which are included in lvl1: A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet-facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw) So instead of using lvl1, find those original feed URLs and add those to a new IPv4 alias. The lvl1 feed includes bogons, which should not be used to block outbound traffic.
  • Lose ability to access internet with pfBlockerNG?

    0 Votes
    7 Posts
    1k Views
    RonpfS
    If you do nslookup doubleclick.net

        Serveur :  pfsense.somewhere
        Address:  172.47.18.71

        Nom :    doubleclick.net
        Address:  10.10.10.1

    you should see your pfSense box replying. If not, then either your pfSense configuration for the DNS service is incorrect, or your LAN device uses another DNS server for the answer. Check your device DNS configuration; if you are using Internet Security like AVG, maybe they override DNS resolution. Have a look at @BBcan177: @xphiles: so after much troubleshooting and trying things at the firewall level, I disabled my full AVG protection and it works on the host(s) in question. So I have to granularly figure out which service in AVG is messing up my DNS. I think this is what you were looking for: https://help.avg.com/en/avg_free/17/securityantivirus_securedns.html
    You can configure the pfSense DHCP server to provide the correct DNS/DNSBL server for devices.
  • pfBlockerNG DNSBL issue

    0 Votes
    7 Posts
    1k Views
    I know it is a pain, but I periodically have gotten pfBlockerNG DNSBL issues. I have resolved it by: making sure "Keep settings" is not checked, then saving, running a cron "Force" reload and then rebooting the firewall. I then uninstall pfBlockerNG and then reinstall…. it then works. A little harsh, but seems to work... I am running DNSBL with pfBlockerNG and 2.4.1 and all is working...
  • GeoIP restricted access to OpenVPN

    0 Votes
    4 Posts
    1k Views
    I have a very similar setup to yours and it works for me. Not really sure. I'd say double-check everything again. Have you tried rebooting the system after making those changes?
  • Losing pfBlockerNG created firewall rules after cron run

    0 Votes
    1 Posts
    480 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.