• pfb_dnsnl (pfBlockerNG DNSBL) service won't start

    0 Votes · 25 Posts · 3k Views

    @jrey Turns out I also had to update, I feel so silly. Thx for the troubleshooting.

  • nixspam is history

    0 Votes · 1 Post · 128 Views · No one has replied
  • 0 Votes · 3 Posts · 201 Views

    @Gertjan Belated thank you. He'd probably just VPN around it anyway. Sigh...

  • Scheduling blocking on DNSBL

    0 Votes · 1 Post · 95 Views · No one has replied
  • pfblockerNG CA root certificate untrusted

    0 Votes · 1 Post · 133 Views · No one has replied
  • ip_block.log timestamp lagging behind

    0 Votes · 2 Posts · 112 Views · Gertjan

    @milonic

    Running processes, like syslog, don't keep their own time. They use a system call to get the exact time when needed.
    You can see that time on the command line; just type

    date

    That is the "time stamp" syslog uses when it writes a log line.

    The time is normally counted by a real time clock on the system motherboard. This chip, or the power (remember the famous BIOS RAM battery - it's the same ?)
    Added to that, pfSense runs an ntp = a real time service, so even if the local real time facilities are bad or worse, the system will get synced every minute or so, so it compensates for the loss (normally less than some nanoseconds).

    You have the ntp service activated, right? By default, it is.
    Just checking: Status > NTP:

    [screenshot: 3ac5ce55-f1a7-491f-b828-6768ee125630-image.png]

    The NTP is normally configured with a host or pool name - I use

    [screenshot: a9428efe-3b28-4b96-b6b7-8493eeaf70b3-image.png]

    and this host name points to a pool with mixed IPv4 and IPv6 IPs.
    One is chosen, and the others are backups.

    If you managed to find a pfBlockerng IP list that has these (time server) IPs on the list, and you use the list to block outgoing connections, then yeah, you've aligned the nearly impossible:
    Using a device with a bad real time clock - this happens more often than you think, stuff just dies .... that's normal.
    Adding extra software (pfBlockerng), and using it to block IPs that you actually need: the time server your NTP has selected... now the system time will derail.

    And yes, a good accurate time isn't that important for syslogging (that is, I would consider it a security issue), but becomes very important for simple DNS requests (DNSSEC) ... or just TLS, also used by pfSense itself.

    So: pfBlockerng: check the IP feeds you've chosen. You should always do this. Just think about it: what happens if you start to use that list that contains all the Windows update IPs of Microsoft - and you use this list for blocking outbound connections? Your PC will not receive any updates anymore, as it can't contact 'Microsoft' anymore. That's ... dunno, not great ?!
    Or you got the list that contains all the IPs of the servers that contain the lists of all the other IP lists and DNSBL (yes, that has been done already): pfBlocker can't download (update) the other lists anymore ... also great ...
    So, to make a long story short, sorry to say, but do not trust anything that comes from the internet. Use it, and check it. If in doubt, don't use it.

    With pfBlockerng taken care of, your NTP server should now sync up your real time.

  • Problem with update pfBlockerNG-devel 3.2.0_18 to 3.2.0_20

    0 Votes · 12 Posts · 797 Views · Gertjan

    @Seeking-Sense said in Problem with update pfBlockerNG-devel 3.2.0_18 to 3.2.0_20:

    if (is_array($dhcp['staticmap'])) {

    Ok, thanks.

    Still, for my own curiosity, I can't see why it failed.

    The line above states :

    // Collect static DHCP hostnames/IPs
    foreach (config_get_path('dhcpd', []) as $dhcp) {
        if (is_array($dhcp['staticmap'])) {

    The foreach asks for the list of array() in <dhcpd>.
    It should return a list with <staticmap> </staticmap>, as these are your static lease entries.

    So, no need to test inside the foreach loop if arrays exist, as if there were none, the inner loop couldn't be reached in the first place.

    My question : do you have an invalid entry somewhere inside the <dhcpd> .. </dhcpd> section ?

    This is what I have (I removed some info):

    <dhcpd>
      <lan>
        <range>
          <from>192.168.1.70</from>
          <to>192.168.1.200</to>
        </range>
        <defaultleasetime>21600</defaultleasetime>
        <!-- ..... babla -->
        <numberoptions></numberoptions>
        <staticmap>
          <mac>00:4e:01:ac:ca:9c</mac>
          <cid>bureau2</cid>
          <ipaddr>192.168.1.2</ipaddr>
          <hostname>bureau2</hostname>
          <!-- .... more blabla -->
          <uefihttpboot></uefihttpboot>
          <numberoptions></numberoptions>
        </staticmap>
        <staticmap>
          <mac>ac:15:a2:02:d0:0b</mac>
          <cid>TL-SG108E</cid>
          <ipaddr>192.168.1.3</ipaddr>
          <hostname>TL-SG108E</hostname>
          <!-- .... bla goes on -->
          <nextserver></nextserver>
          <filename32></filename32>
          <filename64></filename64>
          <filename32arm></filename32arm>
          <filename64arm></filename64arm>
          <uefihttpboot></uefihttpboot>
          <numberoptions></numberoptions>
        </staticmap>
        <mac_allow></mac_allow>
        <mac_deny></mac_deny>
        <nextserver></nextserver>
        <ddnsdomainprimary></ddnsdomainprimary>
        <ddnsdomainkeyname></ddnsdomainkeyname>
        <!-- .. more dhcp general settings -->
        <ddnsdomainsecondaryport></ddnsdomainsecondaryport>
        <dnsregpolicy>default</dnsregpolicy>
        <earlydnsregpolicy>default</earlydnsregpolicy>
        <ntpserver>192.168.1.1</ntpserver>
      </lan>
      <opt1>
        <!-- .... and here we go again, for the second interface (if it exists) ..... -->
      </opt1>
    </dhcpd>

    Btw: I now also see that the original issue, some error in the dhcpd IPv4 list of static leases, was not the same as I had.
    My errors came from the <dhcpdv6> section, which comes just after line 5347.
    The array list with static lease info was correct, but the individual IPv6 addresses were plain wrong, like "::c6" instead of a complete, real IPv6. Example:

    <staticmap>
      <duid>00:01:00:01:1e:6a:44:de:64:00:6a:8b:f1:b3</duid>
      <ipaddrv6>::c9</ipaddrv6>
      <hostname>bureau</hostname>
      <descr><![CDATA[Bureau]]></descr>
      <filename></filename>
      <rootpath></rootpath>
    </staticmap>

  • Error on pfblockerng.inc:5310 pfBlockerNG-devel 3.2.0_5

    0 Votes · 25 Posts · 3k Views

    @jazzl0ver Thanks. That seemed to fix it for me as well.

    Current System

    2.7.2-RELEASE (amd64)
    built on Wed Dec 6 15:10:00 EST 2023
    FreeBSD 14.0-CURRENT
    pfBlockerNG-devel 3.2.0_20

    Wondering if this is an error / issue found when running pfBlockerNG?

  • pfblockerNG Question(s)

    0 Votes · 26 Posts · 1k Views

    I recently added the ISC_Miner list and looks like it may be dead too.

  • allow fb messenger but

    0 Votes · 2 Posts · 176 Views · Gertjan

    @publictoiletbowl said in allow fb messenger but:

    but no luck. because in pihole it works

    No luck because it works? 😊 Isn't it the other way around?
    It works with pi-hole, so ... can you discover why it works for pi-hole?

    Btw: what is 'facebook'?
    You mean their web site?
    Whatsapp ?
    Messenger ?
    Other ?
    And also :
    From a web browser ?
    From an app on a pad or phone ?

    The nasty thing about facebook : (and Google, Apple, Microsoft, Amazon and this list is very long)
    They use (own) thousands of IP addresses. These addresses change all the time.
    A fact is that a browser access will use destination port 443 as it is https only.
    Apps can use any port they want.

    The good news is: they own their own networks, or AS, and pfBlockerng can block these, but that means nothing will work anymore, not even the web browser access.

    So, I'm curious, how does pi-hole do it?

  • pfBlocker still not working even in 24.11 version

    0 Votes · 13 Posts · 520 Views · Gertjan

    Hummm.

    @Gertjan said in pfBlocker still not working even in 24.11 version:

    Copy paste the Log that will show up (it's text, so copy text please).

    I missed that.
    In that log there can be info related to any issues. Issues you're looking for.

    Also - probably not related:
    [screenshot: b1d657a2-1801-4468-8747-b577b8cca361-image.png]

    so delete for the moment:

    [screenshot: 7819b6d2-a93d-464e-9ab8-4067b18b0cea-image.png]

    and then delete the error message with:

    [screenshot: 8b37e6df-6238-4480-a903-547af1730cdc-image.png]

    edit:

    Did you conclude that you didn't lose any Internet access while reloading?

  • pfBlockerNG not blocking ADs

    0 Votes · 16 Posts · 1k Views

    @Gertjan
    Looks like the issue is resolved, changing from "fall back to remote" to "ignore remote". I also made sure that there were NO other references to external DNS servers.

    I've also been working on making sure that all of the downloads are working. I have found that some have changed policies or paths.

    THANK YOU!

  • 0 Votes · 10 Posts · 517 Views

    @reberhar SUCCESS

    After the latest upgrade for pfBlocker I started to have the same problems all over again and none of my other methods fixed it.

    I finally got onsite and have learned some useful things.

    First, I have 2 Netgear GS108PEs, and one worked properly in this situation and the other did not. After thinking about it I realized that the one that functioned had 802.1q VLAN enabled. So I enabled 802.1q VLAN on the one that was not functioning correctly and the problem disappeared. No, I didn't make any VLANs on the second unit, although the first unit I mentioned does have them. I just enabled 802.1q VLAN.

    I reasoned that perhaps multicast was somehow involved in this. (duh) So I worked through enabling multicast on my Ubiquiti 24 port smart switch that had failed with this challenge earlier. It actually involved the Cloud Key as well.

    This I did just on the two ports I am using for HA, not the entire switch.

    That worked too and is still working.

    😊

    Yes I know, multicast is mentioned in the HA diagnostics write up. I guess I was just not following through. Actually, I was just a little unsure how to proceed. I have other very smart switches that have been testy in this pfBlockerng / HA environment. I am excited to try this approach with them.

  • pfBlocker configuration for MaxMind GeoIP

    0 Votes · 2 Posts · 294 Views · Gertjan

    @Jabiru

    Be aware that this exists: Update Frequency of GeoIP, so you can't update their lists every xx hours; you will be punished (== blocked). As most lists don't even change each week, a weekly update is more than enough.

    Also, visit https://www.maxmind.com/en/account/sign-in and check your account. Didn't they change something last year, so you had to 'redo' (?) your registration (get new codes etc - can't recall)

    edit: this:

    @Jabiru said in pfBlocker configuration for MaxMind GeoIP:

    401 Unauthorized

    smells like an account problem.

  • pfBlocker message error and DNSBL not working

    0 Votes · 5 Posts · 164 Views

    @Gertjan This is Noted, and Thank you

  • [Solved] pfBlockerNG-devel Not Downloading ASN Information

    0 Votes · 24 Posts · 2k Views · GPz1100

    @jrey Thank you for clarifying.

    The asn is downloading (I did have to do the above shell command to force it first time), but the expectation was it would download immediately upon a first save or update that included asn.

    Once primed, once per day is more than enough. After all, how often do asn assignments actually get changed?

  • PfBlockerNG duplicating WAN rules on update/reboot

    0 Votes · 2 Posts · 637 Views

    @JClayton
    I'm having the same issue with pfSense 2.6 and the last pfblockerng package.
    Did you find any solution?
    Thanks

  • Troublesome IP getting though pfBlocker

    0 Votes · 16 Posts · 511 Views

    @johnpoz Got it. Many thanks.

  • Is pfBlockerNG 3.2.0_16 functioning ok on 24.11?

    0 Votes · 4 Posts · 314 Views

    @Gertjan My main point is that 24.11 is not able to run the same setup that 24.3 had no issues with on an SG1100. I have rolled back to 24.3 and all is fine. 24.11 isn't able to run even a fraction of the feeds that 24.3 is able to. If you're on a small SG1100 I'd stay away from 24.11 for now.

  • whitelisting pictures in bsky.app ?

    0 Votes · 11 Posts · 360 Views

    @Gertjan Yeah, I'm aware.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.