• Floating rules missing from 21.05.1 to 22.01-dev

    1
    0 Votes
    1 Posts
    231 Views
    No one has replied
  • pfBlockerNG devel GeoIP Problems

    10
    1 Votes
    10 Posts
    3k Views
    Bob.DigB

    Don't use floating I guess. It is not the default anyways.

  • Reports tab no longer showing some blocked IP's

    1
    0 Votes
    1 Posts
    240 Views
    No one has replied
  • Should I be using Unbound Python mode? Is it stable?

    55
    0 Votes
    55 Posts
    16k Views
    keyserK

    @mcury Those numbers also look fine. There’s no massive writing anymore. So you are in the clear :-)

  • Default action setting?

    3
    0 Votes
    3 Posts
    765 Views
    S

    @peterlecki I am not sure I understand completely but when you create a geo list the default is Disabled, it says so next to the List Action dropdown.

    The point of the comment is that instead of creating IP tables in memory to block 95% of the world, make a default block rule and only allow 5% of the world.

    Often what I do is make the list Alias Native which only creates an alias. Then I can use that alias in whatever NAT rule or firewall rule I want.

  • pfblockerng dnsbl whitelist 127.0.0.1?

    1
    0 Votes
    1 Posts
    290 Views
    No one has replied
  • Clam AV Subscriptions and IP Reputation

    1
    0 Votes
    1 Posts
    265 Views
    No one has replied
  • Unified Reports all from Firewall

    1
    0 Votes
    1 Posts
    218 Views
    No one has replied
  • What is the current status of pfBlockerNG-devel?

    21
    0 Votes
    21 Posts
    3k Views
    keyserK

    @keyser So far so good :-)

    After the 3.1.0 upgrade my problems have all been addressed:

    1: My disk space is no longer permanently dwindling until I’m forced to stop/start pfBlockerNG or reboot my firewall. My disk space seems stable. Every time the Cron job runs the “lost” space during the day is returned, and it seems fine.

    2: My widget is once again reflecting hits on both DNSBL and IP lists - including HTTPS hits to the DNSBL VIP

    So it seems this version is the golden standard going forward.

    Hope it makes it to release/stable version soon.
    Would be nice to run this version on production hardware and more speculative/beta like features once again can make it into the -devel version.

  • pfBlockerNG-devel DNSBL not working after 21.05 upgrade

    Moved
    10
    6 Votes
    10 Posts
    2k Views
    W

    Fixed in pfBlockerNG-devel v3.1.0_0

    CHANGELOG: ... Fix Unbound Mode logging of HTTPS domains (lighttpd regression)
  • Pfblocker not working after upgrading to Pfsense 21.05.1-RELEASE (arm)

    11
    0 Votes
    11 Posts
    1k Views
    S

    @mikej47 said in Pfblocker not working after upgrading to Pfsense 21.05.1-RELEASE (arm):

    Should I delete my old pfB_Africa_v4, pfB_xxx, aliases now

    If you're not using them I would, otherwise (I assume) they would use memory.

  • Feature Request: Export/Copy IP List

    12
    0 Votes
    12 Posts
    1k Views
    MMapplebeckM

    @bbcan177 hmm... might work... Things are complicated by the fact that I have a mix of standalone boxes (satellite offices) and HA pairs (main office and multiple data centers). I might be able to figure a way to make it work, it would be helpful if the "Disable General/IP/DNSBL tab settings sync" button were available per target if using the "Sync to host(s) defined below" option.

    What are your thoughts on:
    I might be able to do a "full" sync from Main Office #1 to Main Office #2 (HA paired with Main Office #1), then use "Disable General/IP/DNSBL tab settings sync" to sync from Main Office #2 to DC1 #1, DC2 #1, DC3 #1, and Satellite 1, 2, 3, 4, 5, 6. I could then do "full" sync from DC1 #1 to DC1 #2, DC2 #1 to DC2 #2, DC3 #1 to DC3 #2 and so forth. Does that sound right?

    Also, can I get some clarification on the "Disable General/IP/DNSBL tab settings sync" button, am I correct in assuming that the following will/will not sync?

    Will not sync:
    /pfblockerng/pfblockerng_general.php
    /pfblockerng/pfblockerng_ip.php
    /pfblockerng/pfblockerng_dnsbl.php

    Will sync:
    /pfblockerng/pfblockerng_category.php?type=ipv4
    /pfblockerng/pfblockerng_category.php?type=ipv6
    /pfblockerng/pfblockerng_category.php?type=geoip
    /pfblockerng/pfblockerng_reputation.php
    /pfblockerng/pfblockerng_category.php?type=dnsbl
    /pfblockerng/pfblockerng_blacklist.php
    /pfblockerng/pfblockerng_safesearch.php

    If the above assumptions are correct, I may be able to make my life even easier, with even less work than my feature request would make.

  • Let's Encrypt and pfBlockerNG

    1
    2 Votes
    1 Posts
    572 Views
    No one has replied
  • pfblockerng whitelisting help

    1
    0 Votes
    1 Posts
    372 Views
    No one has replied
  • 0 Votes
    41 Posts
    4k Views
    C

    @gertjan said in Can someone help me understand why is unbound resolving foreign domains (e.g. China)? Is this normal?:

    Ask it !

    Wow seriously thank you once more! Learned something new once again.

    Btw: Having unbound return "10.10.10.1", the (VIP) IP, the pfBlockerNG web server that will try to tell you that the domain is blocked, is close to completely useless.

    Thanks again. I was unsure about it, so I left it as the default. Your explanation definitely cleared that up.

  • Bypassing openvpn for Prime video on Android TV device

    10
    0 Votes
    10 Posts
    1k Views
    G

    @gertjan said in Bypassing openvpn for Prime video on Android TV device:

    @meridium said in Bypassing openvpn for Prime video on Android TV device:

    I am using pfSense 2.4.5-RELEASE-p1 with pfBlockerNG-devel 3.0.0_5.

    You saw : pfBlockerNG v3.0.0_6 update ?

    If you want pfBlockerNG to 'work' for some IP's, and not others, then this:

    (future update) Add preliminary DNSBL Group Policy configuration that will globally bypass DNSBL for the defined LA
    tells me that pfBlockerNG can't do what you want - for now.

    Policy routing 'some IP's' to have them using the WAN interface, and other using the OpenVPN cinema hd apk download interface is done without using pfBlockerNG.
    I've the impression this policy routing isn't set up correctly.

    Thanks buddy for the great information. It really helped me!!

  • Pfblocker Gaming Feed?

    3
    0 Votes
    3 Posts
    805 Views
    ?

    @viktor_g thanks, I enabled & updated.

    It works better for other categories than my custom feeds. However this does not block your traditional triple AAA games and major platforms.

    I am eager for a good custom list. thank you.

  • Could not open ISO

    3
    0 Votes
    3 Posts
    862 Views
    A

    @steveits We created the new key with your instructions. We also changed after the key, the field: MaxMind CSV Updates. Cleared: Check to disable MaxMind CSV updates. And after updating, the download directory /usr/local/share/GeoIP/cc/ populated with files and can select the countries. Problem solved, thank you Steve!

  • MaxMind configuration to update list GeoIP

    11
    0 Votes
    11 Posts
    4k Views
    S

    @johnpoz said in MaxMind configuration to update list GeoIP:

    create the alias with the feeds you want to use

    John is correct, just wanted to note for you that this is accomplished via "Alias Native" which creates an alias without a deny rule.

  • pfBlocker not logging after 2.5.2 pfSense upgrade

    53
    6 Votes
    53 Posts
    11k Views
    GertjanG

    @MG85

    Here is my regex.
    It's more test-of-proof sample for me. I remember finding it somewhere on Reddit.

    ^(.+[_.-])?adse?rv(er?|ice)?s?[0-9]*[_.-] #Regex RGX1
    ^(.+[_.-])?telemetry[_.-] #Regex RGX2
    ^ad([sxv]?[0-9]*|system)[_.-]([^.[:space:]]+\.){1,}|[_.-]ad([sxv]?[0-9]*|system)[_.-] #test RGX3
    ^adim(age|g)s?[0-9]*[_.-] #Regex RGX4
    ^adtrack(er|ing)?[0-9]*[_.-] #Regex RGX5
    ^advert(s|is(ing|ements?))?[0-9]*[_.-] #Regex RGX6
    ^aff(iliat(es?|ion))?[_.-] #Regex RGX7
    ^analytics?[_.-] #Regex RGX8
    ^banners?[_.-] #Regex RGX9
    ^beacons?[0-9]*[_.-] #Regex RGX10
    ^count(ers?)?[0-9]*[_.-] #Regex RGX11
    ^mads\. #Regex RGX12
    ^pixels?[-.] #Regex RGX13
    ^stat(s|istics)?[0-9]*[_.-] #Regex RGX14

    Keep in mind : the ending
    "Space # text string" needs to be unique.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.