@ronpfs The Master is running 2.5.1 and all the child boxes were running 2.4.5. I upgraded the child pfsense that's failing to the same version as the master, but I'm still getting the

/usr/local/www/pfblockerng/pfblockerng.php: New alert found: A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section:

error when I force a reload on the master.

@pfosten

btw, I mixed up the version numbers when writing this, headline must be:

"Removal of pfblockerNG 2.1.4 and installation of 3.0.0_16 + config via wizard leaves me with crippled DNSBL"

and inside text it must be:

"I was following the proposal by Lawrence Systems and simply

disabled the pfblockerNG old version 2.1.4 removed 2.1.4 package"

Sorry for the confusion.

I was also looking for a new guide for 2021 and I found this guide, and has lots of pictures and talks about the steven blacklist. This one worked for me.
How to Block Ads on pfsense with pfblockerng

Thanks for the quick reply :)

I don't know if IoT is the exact category, it's older home automation hardware from 10 years ago, that isn't that clever. It did cost a few pennies, so upgrading it won't be an option for a while.

I will use your solution for now, and maybe contact the manufacturer (or by asking on their forum) if there is a better/safer option to be able to control it from the outside.

@nollipfsense I saved and reloaded the changes. Im getting the correct 10.10.10.1 address when I attempt dns lookups. Thanks though.

@westlos said in pfBlocker and VPN Client:

I wanted to check if pfBlocker functions when one uses a VPN Client where all traffic is directed to the VPN Client.

Hi,

This cannot be a question, because the answer is yes 😉

pfBlocker-NG does, what you tell it to do
(The settings in the pictures are not real, I took them out on purpose, blue highlight bar - this is a clear starting point)

0afb6574-ec48-49ac-8b42-7990bda361e8-image.png

and f.e.:

1c8863db-3dba-414d-87e8-ed72d5809549-image.png

DNSBL:

9c09869c-6056-45a8-93e6-796f4657d7e5-image.png

@rogermct Please see below:

https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html

https://forum.netgate.com/topic/88575/pfblockerng-how-to-sync-ipv4-filterlists-between-carp-boxes

I was seeing odd behavior after the upgrade so I just started over with a clean config for pfBlockerNG-devel things are working again.

I suspect that there's "config rot" over time which requires occasional need to flush the config and start over.

Not only for packages, I've had to reset standard base config settings after the upgrade to get things to work.

Since then, things have been running smoothly with low CPU and memory usage.

@petrt3522 said in PfBlockerNG Alerts tab stalls - Any Arguments:

Is 18 seconds in norm for a search. My SG4860 has a msata 120GB drive.

The time will depend on the size of log files. Some search will timeout with a 504 error after 5 minutes. However the search is still running on the pfSense for up to 20 minutes, so use with caution.

@90ninety If your looking to block adult domain names, you can also add one of the Chad Mayfield lists. They're under Firewall > pfBlockerNG > Feeds > Firebog_Other (all the way at the bottom of the feeds list). There are two you can choose from.

Thinking about it logically, most using pfBlocker's DNSBL feature are probably using the actual DNS blocklists, so I bet the widget is looking for those items and they don't exist if only the SafeSearch feature is being used. Hence the error/warning.

To think out loud for the forum, we could use the feed and do something like either:

set Windows DNS to forward to pfSense set pfSense to forward to desired DNS (e.g. Quad9) set Deny Outbound rule to block using DoH feed

or

set Windows DNS to forward to desired DNS create rule to allow Windows DNS to query desired DNS create rule to deny to DoH feed (using Alias Native, so one can set an order with a custom rule)

Most of our clients use Windows AD; the smaller ones just query the pfSense directly, so we can just block DoH using the feed.

Edit: the Windows AD domain of course can be listed as a domain override pointing back to those servers on LAN.

@runevn I use only two DNS that is openDNS. What Tzvia suggested should help.

@bbcan177
Thank you for your patience. I just could not imagine it being so hard to achieve this.

I have some experience with Squid, where URL blocking/whitelisting is relatively easy. But i want to migrate away from it and pfBlockerNG seemed like a good alternative.

@mods @CTMarsh @BBcan177 @bldnightowl

I wish there were some way for me to change the title of this topic. At the time I wrote the original post, pfBlocker seemed to be the culprit, but as we have all learned, it was the OS upgrade on the SG-3100.

I reverted to 2.4.5_p1 and am holding there until something positive happens with the new OS.