Sooooooooooooooo, I figured it out. The problem was (is) me.  pfBlocker was working as it should. The problem was that I have a few NAT / Firewall rules that pick off DNS requests from certain hosts on my LAN. These DNS requests are to be sent to a different DNS server…  a service that I use (GetFlix).  I know that I can use domain overrides within DNS Resolver, but I never could figure out how to send an entire hosts DNS requests using Resolver... so instead, I just use NAT rules to redirect them before they reach resolver. I usually only have my AppleTV and a few other streaming devices in an alias that this rule applies to... however, the desktop I was doing all this testing on (posts above) was in this alias as well. I was doing some testing the other day with the DNS requests being redirected aaaaaaaaaand forgot to take my desktop out of this alias. So I just took it out... retested... bam.  Works like a charm. Thanks for your help, much appreciated.

If you restored a config from a different box, maybe the interfaces are different in this hardware. Check the interface assignments in pfSense, as the package reads those pfSense settings.

And that's where I went wrong.  I thought that by enabling it on the General Tab that enabled everything.  I should have checked the DNSBL tab since, you know, that's the service that wasn't running.  I guess it's because in my previous build it didn't have the extra options.  Am I correct in seeing that pfBlockerNG General is IP and Region blocking and that the DNSBL blocks based on DNS categories like Advertising?  I guess it's changed a lot since my last setup!  I don't usually do the updates since things tend to break when I do but then I get thrown when there are extra things I'm not expecting.  Good Job!

Seemed to work.  Thanks for your speedy reply.

Thanks so much! The more I read the more I realize how little I know.  I'll be doing a gob of reading over the next month.

check these threads, have tons of lists https://forum.pfsense.org/index.php?topic=102470.0 https://forum.pfsense.org/index.php?topic=86212.0

@BBcan177: Is your OpenVPN a "Server" or "Client" configuration?  Do you want both "Inbound" and "Outbound" auto-rules to be created? I have a fix that will add "Outbound" auto-rules for a OpenVPN "Server" config, and add both "In/Outbound" auto-rules for a "Client" configuration…. Typically, with OpenVPN, you assign an interface in the Interface tab, and it will show in the pfBlockerNG In/Outbound Interface options. The checkbox option, is for some corner-cases where there is no interface assigned and there is no Interface listed in the drop-down menu. My OpenVPN is a server configuration (think "road warrior" setup with mobile clients connecting).  So my use case is that I want to apply the same PFBlockerNG outbound rules I use for local clients to road warrior clients connected through the VPN for ad-blocking and content blocking purposes.  So it sounds like your fix would address my problem.

Sent you a PM …

Looks good on today's snapshot. Thanks Chris!

I have been working on some new features, so I will most likely submit it all at once… So it probably won't be for atleast a few more weeks... Been really busy lately...

I chose the first rule. I also created an alias (pfsense, not pfbng) to allow the particular IP's I want and put that as the first rule. Everything works like a charm for an hour, then the CRON job resorts to the Rule Order. Looks like I can accomplish the same thing through pfbng's alias system.  Wasn't aware that's what the ipv4 and ipv6 tabs were for. btw, the help link on the ipv4 tab is broken (https://<url to="" pfsense="">/help.php?page=/pfblockerng/pfblockerng_v4lists.xml) Thanks for your help - I'll tinker from here until I get it.</url>

Confirmed that the DNSBL VIP will not be accessible when Pfsense is in bridge mode even when the Bridge logical interface is used for DNSBL listening. It works fine in Layer 3 mode and DNSBL alerts are visible.

Thank you cmb - you're right it just needed a package list update. Here's to hoping Chinese port scanners never bother me again!

Solved, it's a bug, just upgrade to latest version.

Thanks BBcan177.. That was it. I changed it to: |pfSense Pass/Match | pfB_Pass/Match | pfB_Block/Reject| And it works fine now. I'll look at creating aliases within pfB for my overrides. Thanks again for your help and for your work on this package! Regards, Nate D.

:)  I thought I fixed that… Dok mentioned it to me like over a year ago ... Will get that fixed in the next version...

Once I re-enable it I will report back as to whether or not the service restarts under those conditions. So I got around to enabling DNSBL, and I think I have it working.  ;D  The DNSBL service does indeed remain running now after a CRON or forced update. I did have to add a rule to pass traffic to the DNSBL VIP as you instructed… THANK YOU for that. I do have a question: what should I see in my browser if I navigate to the VIP? All I see is a blank page, but the title bar tells me it is resolved... is that normal? See attached. I would like you to take a look at a sample of the top of my firewall rules (I am a default block guy), and tell me if you see any issues. I wan't sure about my NAT redirect for DNS (as I asked above), so I left it. I also have one VLAN interface where I have the NAT redirect pointing to opendns (my kid's clients), and that seems to still work as well. I am very happy with the adblocking that I see now, and I will be adding to the DNSBL lists as you discussed here: https://forum.pfsense.org/index.php?topic=102470.msg573159#msg573159 Please review the attached sample rule set and let me know if you see any problems with the DNS redirect or otherwise. Thank you so much for your work on this package, and for your help! -Bill [image: 1x1.JPG] [image: 1x1.JPG_thumb] [image: Rules2.JPG] [image: Rules2.JPG_thumb]

I should mention that my VPN is setup as TUN, but all client traffic is forced through the tunnel. Hopefully this will help

Thanks.  That would seem the sensible way to go, particularly as someone has very kindly already done a pull request for it. I couldn't see an option for the RAM disk backup/restore in pfBlockerNG itself, so I'm assuming it's always enabled.  If you have the time, I could see a benefit to implementing the DNSBL backup too if only because it seems anomalous to have some of the settings backed up but not all. Thanks for developing pfBlockerNG by the way - it really is a useful and well-used package for pfSense.