In the Firewall / pfBlockerNG / IP there is the Firewall 'Auto' Rule Order settings you can configure.

If the settings doesn't fit you needs, then you need to create your own rules.

All issues should be addressed in this PR:
https://github.com/pfsense/FreeBSD-ports/pull/567

Most of them were already in the PR, I just added one more commit tonight.

Hopefully the devs merge this soon before more people move to 2.4.4 RC :)

thanks for your prompt reply.

@bartkowski said in GeoIP policy based routing not working with pfBlockerNG-devel?:

@bbcan177 If I change my rule to Destination: ANY, my traffic is routed via NordVPN. Rule order is the same in this case. Wouldn't it imply something wrong with the alias list created by the package?

You are using Alias type rules, so you are creating your own rules. Either way, pfBlockerNG is just adding IPs to an Aliastable. There has to be something else in your setup that is causing your issue. Check the other rules/nat etc...

There is a Pull Request posted to fix these issues. Just waiting for the devs to approve and merge.

@bbcan177 Hi! I've tried doing this method but I'm still getting blocked on WorkPlace by Facebook. Too many sub domains to try and test by force reloading DNSBL. (I'm blocking them via Manual Custom List as I cant figure out via feed)

Is it probably I'm blocking the wrong subdomains or that's just how Workplace and Facebook works as they correlate?

Thanks!

I never use the vpn provider dns because they have none. Everything is done within DNS resolver. (forwarder is off).

I used DNS over TLS. But it is really surprising to me that devices not connected to openvpn Pfblockerng are blocking ads.

@nesense

Try the pfBlockerNG-devel package, as it now logs all HTTPs blocked domains which wasn't possible in the previous version.

Also review the Reports/Alerts tab for all blocked events. Whitelisting options are available using the "+" icons.

Really hard, if not impossible, to help you without seeing your firewall rules on WLAN.

But there is something to this. It is the combination of both the pass NAT rule and NAT reflection (which is also enabled on the port forward installed by the package).

# NAT Inbound Redirects rdr pass on re0 proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081 # Reflection redirect rdr pass on { re2 enc0 openvpn } proto tcp from any to 10.10.10.1 port 80 -> 127.0.0.1 port 8081 rdr pass on re0 proto tcp from any to 10.10.10.1 port 443 -> 127.0.0.1 port 8443 # Reflection redirect rdr pass on { re2 enc0 openvpn } proto tcp from any to 10.10.10.1 port 443 -> 127.0.0.1 port 8443

re0 is LAN, re2 is OPT1

OPT1 has no rules on it. Can access 10.10.10.1 on 80 and 443. Because the traffic is passed by the port forward.

The ruleset is just doing what it has been told to do.

This is not a NAT issue but a pfBlockerNG issue. Moving there.

Got yea so even if you change the listening interface under the tab dnsbl from Lan to one of the Vlans it doesn't matter because as long pfsense is resolving all DNS queries they will be filtered. Thanks for the info.

@BBcan177 Thanks for pointing that one out to me, I will give it a try. Maybe an idea (but of course it's all up to you) to add this one in feature releases. Thanks for your quick help and of course a great package!!

Cheers Qinn

Is there a compelling reason for you to use floating rules? I only ask because I have a similar configuration, but using interface-specific firewall rules instead of floating, and I don't experience any issue with the "log packets handled by this rule" option being enabled automatically. It sounds like your configuration should work, but if using interface-specific rules instead is an option, it may at least be worth trying.

@bbcan177 Yes I can see so many and I just have seen there is a government one too lol

I shall take a look at the link

Many thanks

@darkopopo said in DNSBL Certificate errors:

I have disable loggin for Facbook in DNSBL Feeads.
Now when I do nslookup www.facebook.com I get addres: 0.0.0.0 and the Firefox error that the page does not exist.
How can I redirect to block page (dnsbl_default.php) ?

You can't... when you null route to 0.0.0.0 it doesn't do any logging, and hence no certificate errors... Next versions will leverage the python integration of Unbound which will allow for more integration, such as improved logging for null routing and logging of all permitted DNS requests but that is a ways off...

Thanks for your reply :D
the last 2 days i am studying how pfblockerng works and it turns out it can block the ad sites and harmful sites perfectly! such a great package and i am glad that i can finish this project finally.

@randomvmteam said in pfblockerNG generating PHP errors:

would it be easier to submit issues I find directly to the github page? (assuming pfsense/pfsense-packages)

Forum would be better.

Hi,

Thanks for your reply. I restored a VM backup up to the time the logging stopped. When reconfiguring pfblocker I made a change to the VIP address to be anything other then ending in a .1 and changed the max lines per log to 1000 instead of 20000. This seems to have solved my problem. Logging works now with all packages I have installed.

@kom O thank you for your help
I just didn't want to mess anything up lol

Thank you very much.

@dgall said in PFBLOCKER DNSBL Shallalist not working when I click on google links:

BBcab177 do you have a recommended list for blocking social media ? Steves list unfortunately blocked many things that had nothing to do with social media.

I would think the Category Blacklist(s) would be the best for that. Either Shallalist or UT1. YMMV

There is Squid Blacklist that is an option, but it is a paid service. You will have to download the Category template seperately in order to configure it:

fetch -o /usr/local/pkg/pfblockerng/squidblacklist_global_usage "https://gist.githubusercontent.com/BBcan177/b91d3c25667d326411b6fc4eb5c1f080/raw"