@purleigh

Your post is 'lost' 😊
It's a question about the pfSense GUI package pfBlockerng :

21726789-53e4-4943-9485-c5df3e3207d4-image.png

Better : The answer can be found somewhere in that forum 😊
And yes, it's probably a little short-coming, aka bug.

I posted about this a while ago, and proposed a work around.
So, I've a patch :

Open /usr/local/pkg/pfblockerng/pfblockerng.inc
and find

// Collect static DHCPv6 hostnames/IPs

Convert it into comments :

// // Collect static DHCPv6 hostnames/IPs // foreach (config_get_path('dhcpdv6', []) as $dhcpv6) { // if (is_array($dhcpv6['staticmap'])) { // foreach ($dhcpv6['staticmap'] as $smap) { // $local_hosts[$smap['ipaddrv6']] = strtolower("{$smap['hostname']}"); // } // } // }

and then paste just behind it :

// Collect static DHCPv6 hostnames/IPs ## 2024-11-25 Gertjan foreach (config_get_path('dhcpdv6', []) as $ipv6_interface =>$dhcpv6) { if (is_array($dhcpv6['staticmap'])) { $pdsubnet = ''; foreach ($dhcpv6['staticmap'] as $smap) { if (strpos($smap['ipaddrv6'],'::',0) !== false) { if (get_interface_track6ip($ipv6_interface)) { $track6ip = get_interface_track6ip($ipv6_interface); $pdsubnet = gen_subnetv6($track6ip[0], $track6ip[1]); // remove '::' from prefix $pdsubnet $pdsubnet = substr($pdsubnet,0,strpos($pdsubnet,'::')); } } $local_hosts[$pdsubnet.$smap['ipaddrv6']] = strtolower("{$smap['hostname']}"); } } }

This issue is : you use probably 'IPv6 Prefix tracking", like me.
In that case, static FHCPv6 lease are configured like :

5375144e-1ce3-454b-bf69-db16fe98cd82-image.png

and that shorted IPv6 notation isn't the real IPv6.
Or, pfBlockerng uses the IPv6 SRC IP to reverse find host names. And that will fail.

The path shown above test for the shortened ::xx IPv6, and if it finds wone, it prepends the prefix of that LAN interface.

Afaik, the issue isn't listed here.

@SJKS said in Custom DNSBL group list errors:

custom group: vpn_ip

Group ?
I see 3 files that look like valid lists.
The first one, adguard.txt with a line format like

||cdnexpress.art^ ||openips.cc^ ||pointed.cc^ ||rounds.cc^ ||should-licence.cc^ ...

doesn't seem right. I said seem, as I, as a human, don't parse files ^^
So yes, your right, it should be pre parsed.

Only that "adguard.txt" has an issue ? All 3 of them ?

ip.txt is an IP list, not a DNSBL list.

edit :
What is the URL you use to download the hostname.txt file ?
This one - the raw one - works for me :
https://raw.githubusercontent.com/az0/vpn_ip/refs/heads/main/data/output/hostname.txt
any other URL probably downlaod the web page and yeah, taht will fail.
Check here : /var/db/pfblockerng/dnsblorig/* where you can see what pfBlockerng actually downloaded.

4d90ca54-d6e8-46b6-939a-8e770ed0db09-image.png
The green marked lines are the IP and DNSBL list. The loaded just fine.

@m2av This would massively improve pfB's DNSBL functionality—the ability to utilize a feed as a whitelist.

Hi there,

pinging from the FW itself works all. No matter if domain or IP.
pinging from devices behind the FW: nothing works.

unfortunately changing the dnssec to disabled does also not change the problem.

Restarting the DNS Resolver is also not changing anything if stuck in the situation.

Thank you :)

@btspce I'd add another bullet point to it, as it seems very much pfBlocker related:

it seems that the multiple changes pfBlocker triggers in the audit log (see #1) is also the culprit in breaking the audit mechanism of managing the max amount of config.xml copies to archive. We have both nodes of our DC cluster set to 100 steps back to still have a change to get a real user config.xml besides the pfBlocker non-changes. We now had multiple occasions of admins checking the audit logs (Config History) and having to wait for 10+min for the site to load. As we were investigating it was shown, that the /backup dir had around 14000 versions of config.xml instead of the configured 100. After finally loading the page and checking again via

# ls -1 /conf/backup | wc -l

it was down to 102 again. Currently I have a lab machine that wasn't touched at all for months! that reports:

[24.03-RELEASE][admin@pfs-plus-2403.lab.test]/root: ls -1 /conf/backup/ | wc -l 5637

The only thing that one has running continously is pfBlockerNG updating the blocklists. So no logins or config changes whatsoever but still accumulated configs without pfSense itself managing the backup count and rotating/deleting the old ones.

That seems to very much point at pfBlockerNG as it's the only package currently, that creates that much audit logs on the side.

Not wanting to post any blame here! Don't get me wrong. Just wanted to get as much details and infos out so we can squash those bugs :)

Cheers :)

@cryptonym said in Not seeing IP blocks in Alerts area of reports tab. DNSBL shows up properly.:

DNSBL was working, resolving them to 10.10.10.1 but no logs.

What was missing was I left "BNSBL Mode" on Unbound (default) rather than setting it to "Unbound Python mode". That one checkbox and a reload and logging is working perfectly.

God news - and bad news :

I switched from Python to unbound mode :

dd4b7379-bd2d-4636-80a6-ed2ae7b9fc05-image.png

I tested with a listed DNDBL host entry (StevenBlack's list) 010sec.com

Sure enough : using http, not https ....

9ea39967-c05e-4e26-922c-cdeea4422c9a-image.png

and sure enough :

a33a4113-d3bc-423f-b8fe-ef28f369605b-image.png

So Python mode isn't mandatory to make this work.

Btw : I really though everybody had abandoned "unbound mode" by now .... as Python mode is way better/faster/much cooler ^^

That said : imho, you can safely forget about that pFb black web server page that shows up when a visitor visits a site that is blocked.It's something that worked well in the past, when all sites were http based. Because : it needs http sites to actually work - not https.
You know this already : https can't be intercept / redirected - not by me, not by the CIA, not by the NSA, so probably you can't neither ^^
No body is visiting http sites anymore .... Google doesn't index them anymore for years now.
So : the perfect DNSBL setting these days is :

9a91c0b8-e856-4c34-af1a-273f49e945a8-image.png

If you find people on your network still using "http" sites, go have a talk with them, before you throw them off your network. I get it, this is a bit harsh, but these days thsi should be common knowledge of any Internet user. Like : when you drive your car on the road you stay on the 'right' side of the road.

@netblues And you didn't even need to waste your time with this thread. Good job.

Thanks everyone for this. I was having this problem too. It was getting quite frustrating and a search came up with this thread right away. My appreciation for those who take time to publicly ask questions and share answers.

@posix @Gertjan

Replying to this old thread to say thank you. I encountered this same "pfB_PRI1_v4 Cannot allocate memory" errors on my 2100 and it was solved by increasing System/Advanced/Firewall & NAT/Firewall Maximum Table Entries from 400000 to 600000.

The 2100 had been running without issue for many months and the last reboot was for the 24.11 upgrade. What caused me to check the 2100 was I had become unable to screen share when connecting via IPsec VPN from the outside. The IPsec connection was successful but vnc attempts to connect to a machine on the network timed out. After changing the Table Entries setting it immediately started working again.

@manval said in pfBlockerNG blocks Greek IPs from StarLink as IP located in North America:

I disabled cron in pfBlogerNG and it is still running !

The cron task handles also the max log file sizes :

8a399f8d-98e1-4e53-9c3b-1249432f5ceb-image.png

so, imho, if set to disabled, it will still keep care of these files by rotating them.
Not doing so will fill up the disk.