• pfblocker alias empty on secondary node

    0 Votes
    2 Posts
    200 Views
    @michmoor There was a thread several months back… I think it boiled down to the update running (by schedule) on the secondary while the sync was still happening. But I don't think there's a way around that because the schedule setting is synced. We see it every couple of months. I eventually set the pfB update to be a bit more frequent so it would fix itself.
  • Problem with Feed Unknown

    0 Votes
    12 Posts
    982 Views
    There it is, so as I expected: that reboot is causing these 'Unknown' records to be added to the ip_cache database. When the system is starting up the filter starts blocking (as it should), but the "lists" that pfB would be using are not available (I think this is primarily where tmpfs is memory based - I need to test this on a virtual using disk not ram disk someday - lol), so when the process goes to look it up, of course they are Unknown. The problem is the "Unknown" entries are being written to the cache, and then subsequent hits from the same IP look it up in the cache and find Unknown. Even if the underlying list might now be available, it will read the "Unknown" from cache and use that. That's the problem.

    There is a better way, pondering, but for now the simple solution is don't cache "Unknown":

        $stmt->execute();

    becomes this:

        if ($pfb_query[0] != 'Unknown') { $stmt->execute(); }

    Now the records won't be cached (still blocked and reported that way during the startup process), but as soon as the underlying data is correct the records start caching with IP address again. Confirmed by doing...

    I'm ok with a couple of hundred block records saying Unknown during the boot process, but then using the cached "Unknown"... not so good.

    Now it occurs to me as well that the ip_cache appears to only get flushed on a reboot, but the underlying lists used by pfBlocker could change. An IP that was listed and therefore blocked yesterday may have been removed from a list and therefore should not be cached against the previous list, i.e. a) it is not on a list anymore (not blocked) and/or b) it is on a different list and should not be listed against the old one (or both). I'm thinking that when you see this:

        408 addresses added. 337 addresses deleted.

    you don't need to worry about the "added" ones - they will cache if/when used - but the deleted ones (337 in this case) should be removed from the cache if they are there.

    The quick solution here might be simply flush the entire cache and just let it start over, like on a reboot. I'm not seeing that it currently does either (a seek and delete or a flush). If you reboot often the cache is flushed every time you do, but if you typically run for weeks (like here) the cache will become bloated with IPs that may or may not be what they currently are. The mechanism to remove stale ones and "update" existing ones with fresher info doesn't seem to be there/work IMHO. Pondering continues...

    Still need to look at the reports, but I don't believe they use the cache and likely shouldn't; you want to report on what happened at that time (from the record), not what happened from a stale or incorrect cache. etc etc. Cheers
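The cache behaviour described in the post above, as an added Python model (this is not pfBlockerNG's PHP and not code from the poster): an in-memory SQLite ip_cache, a lookup path that either stores Unknown (the original behaviour) or refuses to (the posted fix), and an update step that evicts only the addresses a feed update deleted. The feed names, sample addresses and the exact-string (non-CIDR) matching are constructed for the demonstration.

```python
"""Added model of a per-IP block-list lookup cache; not pfBlockerNG's code.

Two problems from the post are reproduced and fixed:
  1. 'Unknown' answers produced while the lists are still unavailable (boot)
     get cached and then shadow the real answer once the lists are loaded.
  2. Entries are never evicted when a later feed update removes an address,
     so the cache reports the list the address *used* to be on.
"""
import sqlite3
from typing import Dict, Iterable, Set

UNKNOWN = "Unknown"
# Feed name -> set of plain address strings. Real feeds hold CIDR ranges;
# exact-match strings keep the example short (constructed simplification).
Feeds = Dict[str, Set[str]]


def resolve(ip: str, feeds: Feeds) -> str:
    """Slow path: scan the loaded feeds. Empty feeds (during boot) give Unknown."""
    for name, addrs in feeds.items():
        if ip in addrs:
            return name
    return UNKNOWN


class IpCache:
    """ip_cache table: ip -> feed the address was last resolved against."""

    def __init__(self, cache_unknown: bool = False) -> None:
        self.cache_unknown = cache_unknown  # True reproduces the original behaviour
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE ip_cache (ip TEXT PRIMARY KEY, feed TEXT NOT NULL)")

    def lookup(self, ip: str, feeds: Feeds) -> str:
        row = self.conn.execute("SELECT feed FROM ip_cache WHERE ip = ?", (ip,)).fetchone()
        if row is not None:
            return row[0]  # cache hit: the feeds are not consulted at all
        feed = resolve(ip, feeds)
        # The posted fix: an Unknown answer is still returned (and would still be
        # logged/blocked) but is not stored, so the next hit re-resolves it.
        if feed != UNKNOWN or self.cache_unknown:
            self.conn.execute("INSERT INTO ip_cache VALUES (?, ?)", (ip, feed))
            self.conn.commit()
        return feed

    def purge(self, ips: Iterable[str]) -> int:
        """Evict specific addresses; returns the number of rows removed."""
        before = self.size()
        self.conn.executemany("DELETE FROM ip_cache WHERE ip = ?", [(ip,) for ip in ips])
        self.conn.commit()
        return before - self.size()

    def flush(self) -> None:
        """The blunt alternative the post mentions: start over as on a reboot."""
        self.conn.execute("DELETE FROM ip_cache")
        self.conn.commit()

    def size(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM ip_cache").fetchone()[0]


def deleted_addresses(old: Feeds, new: Feeds) -> Set[str]:
    """Addresses removed from any feed by an update (the 'N addresses deleted' set).
    An address that moved from one feed to another counts: it left the old feed."""
    removed: Set[str] = set()
    for name, addrs in old.items():
        removed |= addrs - new.get(name, set())
    return removed


def apply_update(cache: IpCache, old: Feeds, new: Feeds) -> int:
    """Evict only the deleted addresses; added ones populate the cache on first use."""
    return cache.purge(deleted_addresses(old, new))


def demo() -> dict:
    """Walk through boot, list load and a feed update; returns what each lookup saw."""
    ip = "198.51.100.7"  # constructed sample address (TEST-NET-2)
    boot: Feeds = {}  # lists not available yet
    loaded: Feeds = {"Feed_A": {ip, "203.0.113.9"}}
    updated: Feeds = {"Feed_A": {"203.0.113.9"}, "Feed_B": {ip}}  # ip moved to Feed_B

    buggy = IpCache(cache_unknown=True)
    buggy.lookup(ip, boot)  # Unknown is written to the cache ...
    buggy_after_load = buggy.lookup(ip, loaded)  # ... and shadows Feed_A from now on

    fixed = IpCache()
    fixed_at_boot = fixed.lookup(ip, boot)
    fixed_cached_at_boot = fixed.size()  # nothing stored
    fixed_after_load = fixed.lookup(ip, loaded)  # Feed_A, now cached
    before_purge = fixed.lookup(ip, updated)  # stale Feed_A: cache hit, lists ignored
    evicted = apply_update(fixed, loaded, updated)
    after_purge = fixed.lookup(ip, updated)  # re-resolved against the current lists
    return {
        "buggy_after_load": buggy_after_load,
        "fixed_at_boot": fixed_at_boot,
        "fixed_cached_at_boot": fixed_cached_at_boot,
        "fixed_after_load": fixed_after_load,
        "before_purge": before_purge,
        "evicted": evicted,
        "after_purge": after_purge,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the buggy cache still answering Unknown after the lists load, the fixed cache answering Feed_A, and the same fixed cache answering Feed_A for one more lookup after the feed update until the deleted addresses are purged, after which it re-resolves to Feed_B. Purging only the deleted set is cheaper than a full flush, but a full flush after every update is the safe fallback when the added/deleted diff is not available.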
  • pfBlocker v3.2.0_8_devel DNSBL VIP - Connection refused

    0 Votes
    6 Posts
    636 Views
    @Gertjan Thanks for all the info :) I'll likely follow up with the point of just blocking all http traffic and call it a night. The curious side of me just keeps on... Wireshark isn't doing much here and results are inconsistent, making it hard to pin down.

    I have limited the scope while troubleshooting and stayed on the default ports. I have selected only my LAN VLAN 192.168.10.x for the Web Server Interface, along with only allowing LAN for the permit/ping IP floating rules. I can see they are created and are in the right order. There are 2 scenarios that play out here:

    -- After changing Web Server Interface from localhost to LAN, but before Update>Reload>DNSBL --
    The VIP page will display with the correct evaluated domain/feed and remains accessible, after I have changed the Web Server Interface from localhost (80/443) to LAN (80/443), browsing both 10.10.10.1 and http://ib.3lift.com/ (StevenBlack_ADs).
    The VIP page will not display on 127.0.0.1.
    I cannot ping 10.10.10.1.
    I cannot curl 10.10.10.1 - terminal hangs.
    I can ping 127.0.0.1.
    I can curl 127.0.0.1 - output as working previously attached.

    -- After changing Web Server Interface from localhost to LAN, after Update>Reload>DNSBL --
    The VIP page no longer displays browsing both 10.10.10.1 and http://ib.3lift.com/ (StevenBlack_ADs).
    The VIP page will not display on 127.0.0.1.
    I can ping 10.10.10.1.
    I can curl 10.10.10.1 - output as working previously attached.
    I can ping 127.0.0.1.
    I can curl 127.0.0.1 - output as working previously attached.

    The change seems to happen around the time that the log shows TLD finalize on the reload task (attached).
    [image: 1724846208168-reload.jpg]
    [image: 1724846208220-lan-only-before-dnsbl-reload-resized.jpg]
    [image: 1724846208308-lan-only-config.jpg]
  • Remote Log DNS Reply

    0 Votes
    20 Posts
    2k Views
    @jrey can you share how you are sending DNS data to Graylog? I've been trying to accomplish that without any success.
  • Bypass Google SafeSearch and YouTube Restrictions for Certain IPs

    0 Votes
    1 Posts
    179 Views
    No one has replied
  • 0 Votes
    6 Posts
    667 Views
    BBcan177
    @pfsense4me1 there is something wrong with the base pfSense install. Take a backup config, install. Do a fresh install and restore the backup config file.
  • unified.log referencing a deleted custom feed

    0 Votes
    4 Posts
    511 Views
    tinfoilmatt
    Hey @BBcan177, thanks for the reply. No, I mean the feed is long since completely deleted from the pfB instance, doesn't appear anywhere under the Feeds tab, but its name is somehow still being referenced by current logging. That's why I'm trying to determine from where/what that specific field of the unified.log is referencing. Where I've indicated "[DELETED CUSTOM FEED NAME]" is where the completely deleted custom feed's old name is printed (i.e., the 17th value/field of the unified.log line).
  • pfblockerNG ASN bgpview trouble

    2 Votes
    35 Posts
    3k Views
    Came across the same issue on one of our boxes. For the time being, have disabled the ASN download and copied over the relevant original files to reload into the affected system.
  • Sustained Unbound write I/O

    0 Votes
    44 Posts
    7k Views
    Bob.Dig
    @mcury Much Ado About Nothing from me, I should have looked in the rules before, everything works right away. Regular cron is rebuilding the files in "log". So Shellcmd does nothing in this regard and is not needed anyways.
  • Porn is not blocked on iphone

    0 Votes
    5 Posts
    504 Views
    and/or turn off Apple's Private Relay in the Wi-Fi settings.
  • Empty file, Adding '127.1.7.7' to avoid download failure

    0 Votes
    2 Posts
    335 Views
    @janithahn https://forum.netgate.com/topic/189651/pfblockerng-asn-bgpview-trouble/34 TL;DR: As of now blocking ASNs doesn't work. Hopefully a fix is coming but no update yet. As a workaround, you could see what IP blocks Netflix has and manually create your list.
  • Pfblockerng DNSBL not going to the block page

    0 Votes
    6 Posts
    675 Views
    Gertjan
    @Dennis0612 said in Pfblockerng DNSBL not going to the block page:
        “libssl.so.30" not found, required by "pkg" so I did some googling and upgraded to 2.7.2 from 2.7.0 and this fixed the issue”
    Classic. You've installed and/or upgraded pfSense packages without updating / upgrading pfSense first. That breaks things. As soon as you decide to stay behind with pfSense, like keeping 2.7.0 while 2.7.2 is out, you can't / shouldn't update, install or upgrade packages anymore.
  • pfBlockerNG 3.2.0_13

    0 Votes
    1 Posts
    170 Views
    No one has replied
  • Bug: pfBlockerNG-devel 3.2.0_8 not updating blocklist

    0 Votes
    3 Posts
    336 Views
    BBcan177
    @muvaminon The Frequency setting is all that applies to updating a feed. The other is a base pfSense setting that is redundant, as pfB does the update as needed. Also keep in mind that the Update checks the URL timestamp and, if unchanged, will skip the download.
  • Error loading rules

    0 Votes
    6 Posts
    530 Views
    telserv
    @telserv Hi Bob.Dig So that was the solution. I would never have found it, because I have only configured about six countries in Europe, and four in North America. However, I never argue with things that work. Thanks again!
  • PfBlockerNG Custom Source Aliasproblem

    0 Votes
    10 Posts
    796 Views
    @rvoosterhout I found the problem: when you create the Alias, change the type to NETWORK.
  • RCE exploit

    0 Votes
    7 Posts
    1k Views
    johnpoz
    @stephenw10 this seems to be popping up everywhere - not sure if that post I linked to was the original or a copy from elsewhere - but I'm seeing the exact article pop up on other security sites. And not one I have seen has bothered to clarify anything, like: hey, this is interesting, but it's years old and not to worry. But a good reminder to keep your software updated. And btw you shouldn't have your GUI exposed in the first damn place, etc.
  • Ponmocup DNSBL feed

    0 Votes
    7 Posts
    683 Views
    @fireodo thanks
  • Remove IP from Whitelist

    0 Votes
    2 Posts
    179 Views
    Never mind. Something must have been wrong with the whitelist. I deleted the entire whitelist and readded. Now I can remove IPs as expected.
  • Not updating dnsbl list

    0 Votes
    16 Posts
    2k Views
    Hi @Gertjan, thanks for your willingness to help me! Here are my settings:
    [image: 1722870086133-d4a72d4e-4fd3-4588-9b01-1cec1b230933-image.png]
    Phishing group is defined here:
    [image: 1722870543063-195a7bb4-7c8c-455c-86bd-7b0211d252af-image.png]
    [image: 1722870207995-4656cfd9-15f2-4ad8-854c-d01aa86eb585-image.png]
    Nothing is selected under Shallalist and UT1.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.