• 2.3.4-p1 Breaks PFBlockerNG broke one VLAN, rest ok

    0 Votes, 3 Posts, 610 Views
    BBcan177

    To confirm, can you ping 10.10.10.1 from each VLAN, and can you browse to 10.10.10.1 and get the 1x1 pix from each VLAN?

  • PfBlockerNG for OpenVPN Client Configuration

    0 Votes, 5 Posts, 3k Views
    Xentrk

    @David127:

    Hi Xentrk.

    Can you make a screenshot of all general settings and post it here?
    That would be helpful.

    What did you choose in DNSBL under DNSBL Listening Interface?

    Thank you.

    No problem. Let me know if I can be of further assistance. I recall the days of reading every post in the pfBlockerNG forum before trying to set it up and struggling with getting it working. Hang in there!

    Regards, Xen

    pfBlockerNG-General.PNG
    pfBlockerNG-DNSBL.PNG

  • Blocked website help

    0 Votes, 2 Posts, 605 Views

    From the general tab of pfBlockerNG what is the 'Firewall auto rule order'

    You can ping the domain and get a response, but does nslookup return the expected address?

    What does the alerts tab of pfBlockerNG show once you try to visit the website?

  • Data location: Custom Domain Whitelist

    0 Votes, 3 Posts, 946 Views

    Thanks!

    I realized that too after mucking around and READING lol.  Thanks for the link…I'll figure out how to decode it with a script too if I need it.  It's a minor issue.

  • Rule reordering needs better customization - possibly solved - see reply #8

    0 Votes, 10 Posts, 1k Views

    I'll chime in here.  For me & what I do is:

    1 - Have all my BL's on a web server
    2 - Make a "whitelist.txt" BL
    3 - Add all the IPs and networks I want to whitelist to whitelist.txt
    4 - Add the URL and allow it in the IPv4 tab + get it once per hour + move it to the top of the list, although I don't think moving it to the top does anything :P
    5 - Cron reload

    Done…now I just manage the single whitelist.txt file and sometime within an hour it gets updated.  I have a substantial list of networks and IP's in that white list now.

    I believe this even overrules any geo IP / country block in place...it allows it out.

  • DNSBL and mobile apps

    0 Votes, 2 Posts, 1k Views
    a-a-ron

    So… I've run into this issue a few times. The only solution is to whitelist the ad sites that Amazon uses, and unfortunately it's not just Amazon domains. I will generally tail the log and grep only on the device I'm monitoring. Try these to start...

    fls-na.amazon.com # amazon app
    watson.telemetry.microsoft.com # amazon app
    modern.watson.data.microsoft.com.akadns.net # CNAME for (watson.telemetry.microsoft.com)

    But basically yeah, what you're doing is the only way...

  • 2.3.4-p1 Breaks PFBlockerNG

    0 Votes, 6 Posts, 1k Views

    Just to confirm that I had the same problem, I disabled PFBlockerNG and did a force reload as RonpfS suggested then enabled it again and all OK now.

  • How to make rules order persistent?

    0 Votes, 4 Posts, 2k Views

    Solution - (worked for me, anyway, needs to be adapted for your situation)

    I recently had and solved the same problem. I had false positives on a block list. The iblocklist blocked Akamai as a hijacked site. Hulu was stopped out for me as a result. pfBlockerNG sorted my alias pass list into the wrong place when only using the drop box with the sort orders.

    After going back and forth on the forum, I devised my own solution which appears to work well. I put it in another posting in this area, but here's a cut and paste of the relevant part.

    The key is to move pfBlockerNG into the floating rules section. This causes the LAN and WAN rules to be ignored when pfBlockerNG sorts them out according to the drop box. The only sorting occurs in the floating rules section.

    Anyway it works for me. You may need to adapt the following a little to match your own situation.

    1 - Put false positive IP addresses in an alias list
    2 - Add the alias to floating rules as a pass, choose the proper interface and direction, check the apply immediate box
    3 - Tell pfBlockerNG to apply all rules as floating rules by checking the box on the general tab
    4 - Use the dropdown box to tell pfBlockerNG to sort rules with pfSense pass rules first
    5 - Reload your rules just to see if they sort out correctly on ALL rule tabs
    6 - Test

    Apparently, since pfBlockerNG is told to put everything on floating rules, the rules reordering ignores the LAN and WAN rules. According to pfSense documentation, floating rules execute first.

    Edit: Removed many iblocklists from pfBlockerNG. No Bluetack lists are updated any longer and hijacked sites was one of them.

    FireHOL offers several lists. It appears to be a list aggregator. They seem to take pride in staying current. I added a few fireHOL lists.

    fireHOL also blocks some LAN multicast / broadcast addresses. I used the above technique to put them on a false positive list. I prefer it over pfBlockerNG custom lists because they are immediate. No forced updates required.

    So - in summary - the hijacked sites list was bad because it was outdated. The problem it created forced me to develop a technique to block false positives. It also, indirectly, prompted me to find better block lists. This technique can be adapted to probably any need for persistent lists to bypass pfBlockerNG reordering that may cause firewall problems.

  • Private Block lists …

    0 Votes, 8 Posts, 1k Views

    https://forum.pfsense.org/index.php?topic=133609.0

    I had a similar problem recently and this topic describes it and a possible solution. I'm still testing the fix but it seems to work.

    The fix for your problem is a simple adaptation of my solution. Good luck.

  • Alert question

    0 Votes, 3 Posts, 825 Views

    @BBcan177:

    Click on the "i" icon in the Alerts tab to do some research on that domain. Can also Google for "who <domain name>".

    The blocks from Russia and China are ok according to IPVOID, but in my permit alert there are entries from the US coming in that are blacklisted.  I have outgoing Russia and China blocked and allow US incoming.  Guess I'll have to fine-tune the incoming.  If you have any links for further reading on that topic I would appreciate it.

  • PfBlockerNG Count reset on Widget

    0 Votes, 4 Posts, 1k Views
    BBcan177

    There should be a trashcan icon beside the Packets Title.

  • Good sites for finding IP, DNS, and adblock formatted lists

    0 Votes, 2 Posts, 1k Views

    Thanks for the suggestion. I tried these out, but the level1 list blocks 192.168.0.0/16, which prevents local traffic.

    Edit: God, and the webserver one blocked 8.8.8.8, which is Google DNS…

  • Baby Steps to Implement pfBlockerNG

    0 Votes, 11 Posts, 3k Views

    A good source for IP blocklists is http://iplists.firehol.org/

    Personally, I use their merged lists since they merge a lot of the actively maintained lists out there:

    DENY BOTH

    firehol_level1
    firehol_level2
    firehol_level3
    firehol_proxies
    firehol_anonymous

    firehol_level4 (sometimes I've changed this one to be just DENY INBOUND, but whatever.)

  • Inbound Port Rule above DNSBL

    0 Votes, 6 Posts, 946 Views

    I believe I got it by adding my server's IP address and doing "Inverse" on the rule.

    Thanks for helping out this newb! :)

  • Blocking TLD's

    0 Votes, 4 Posts, 2k Views

    I'd like to chime in here.  I think the TLD blocking is primarily for "outbound" traffic not inbound.  It's used with unbound DNS resolve.

    So if you setup your systems like this you can screen nasty TLD's from your end users like this:  (Block TLD:  .top, .party, .ms <– which blocks skype auth, etc)...

    PC DNS points to DNS server > DNS server DNS forwarder points to PFSense which uses Unbound, checks the TLD and decides > PFSense's DNS looks to your ISP or some other DNS provider like OpenDNS, Comodo, etc.

    It's meant to protect internal LAN assets, not block external ones.

    NOW...if you want to block external TLD's from your mail server, what type of mail server do you have?

    You can block junk TLD's by parsing your log files or sometimes spam filters like mail cleaner let you just put the TLD's in there.  For POSTFIX you can do it like this:  https://whackersforhackers.com/2017/03/08/tld-blocking-in-postfix-mta/

    There are more ways to TLD block BUT I'd suggest not using PFSense and TLD blocking in PFBlocker to do it because that's not what PFBlocker is trying to do here (I don't think with respect to TLD's and how DNSBL works).

    Good luck!

  • What's up with the whitelist not working on DNSBL?

    0 Votes, 13 Posts, 7k Views

    Remove all those Whitelist entries that you manually added. Then browse to www.icloud.com, then whitelist it from the Alerts tab and see how that goes…

    Perfect, that did it!

  • Feature Request: why is 'x' blocked?

    0 Votes, 1 Post, 424 Views
    No one has replied

  • DNSBL vs IPV4

    0 Votes, 2 Posts, 1k Views
    BBcan177

    There are feeds that have a list of malicious IPs and there are feeds that have a list of ADvert domains and/or Malicious domains…

    So with IP blocking, you will block the whole IP address.
    With DNSBL, you will block the DNS request to those domains but this could be circumvented by accessing the literal IP address (unless those IPs are blocked in an IP block list).

    Sometimes an IP can host several domains (sometimes hundreds..), so with an IP block it would block access to all the domains on that IP.... But blocking via Domain name, you are limiting the blocking to the known Domains only.

    There are pluses and minuses for both.... I find it best to block and deal with the false positives as they appear. You can suppress a blocked IP and/or create a Permit rule to allow a blocked IP before a block rule takes effect. With DNSBL you can whitelist a domain.

    YMMV

  • Alert log?

    0 Votes, 5 Posts, 1k Views

    Thanks for the reply. As for the filter log, I have it maxed out at 2000, and in /var/log/filter.log
    I only get around 3.1k lines, which holds around 2 hours of firewall logs.

    Thank you

  • [SOLVED] Have to disable pfBlockerNG to be able to use Paypal

    0 Votes, 11 Posts, 4k Views

    Still had to report back that it was solved. Thank you BB  ;D

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.