Well I am not running your version of pfblockerNG
So concentrate on the infoblock under your table.

Under IPv4 Source Definitions you can use local files. Clic on the infoblock to get more info.

However the files need to be present when pfblockerNG run Update.

Thanks for the advise, everything is working now@RonpfS:

Looks at the Alerts tab to figure out what to whitelist. Do a Force Reload DNSBL once you have enuf whitelist done.

Press F12 in your browser to determine what's not loading as well.

Don't know about the syslog option, but I am emailing the dnsbl.log using the mailreport package.  Once installed choose Status-Email Reports-Add New Report.  Name it, save it, then edit and add this command:
cat /var/log/pfblockerng/dnsbl.log

This is assuming email is already working, configured on the system-advanced-notifications page.

You might get more sense if you filter the wire shark capture on port 53 (dns).

That will tell you what addresses it is trying to look up.

Also pfBlocker has a tab where you can see blocked traffic, it’s worth a look.

@tagit446:

I was getting the same errors with those list so I gave up.

I did however get this one to work:
https://raw.githubusercontent.com/CHEF-KOCH/NSABlocklist/master/HOSTS

Thank you Tagit446…that worked.

I work with firewalls all day long and every other major brand out there (CheckPoint, Fortinet, Palo Alto) implements geo-blocking as a separate process outside of firewall rules, otherwise you get the things I complained about.

But with pfSense, I guess I'll have to re-order and manipulate things to get what I want.  Obviously it works fine with blacklisting, but with whitelisting, allowing North America does nothing to block Russia.

Then change it to a rule that blocks everything except your work IP.

I didn't need to do that before I implemented GeoIP blocking.  It was already assumed by my original rule.  Now I need to add a bunch more.

That's one way, the nice way.  Another way is to simply put in a firewall block on port 53 except for pfSense and let your kids figure out why they can't get anywhere.

Try going into pfBlocker - updates - force reload both IP & DNSBL.

Can you access those lists from a client on the network?

You'll need to look at all the domains the page loads and see what they are.

The comments are blocked on mine too, and I took a quick look and saw requests go from one article to subdomains of:-
optimizely.com
googleapis.com
googletagservices.com
twitter.com
tiqcdn.com
typekit.net
addthis.net

That list may not be exhaustive, but if you use the debug tools of your browser (I happen to be using MS Edge for this, use the F12 dev tools -> Network, then open the page) you should be able to see what sites requests are going to and can work through them one by one.

I have mailed BBCAN177 and asked about whitelisting list domains automatically and his response was whitelisting them would be unexpected behaviour for end users and I agree that it would be a bad thing.

He did suggest that theoretically as the whitelisting can now be done instantly that code to temporarily whitelist domains and then revert them afterwards could be possible at some point in the future.

Without knowledge of what blocking you have in place it's difficult to say what you could do reliably.  If you're ok with web-based proxies then that is one option.  That way pfBlocker would only see the request to the proxy domain, not the blocked domain which is either part of the URL or encrypted/obfuscated entirely.

For example I put a list I use into one proxy site and got this URL back…

https ://www.sitenameredacted.com/browse.php/jFq3YZ2gvRvXF3vBTEqKxhzEqhrhb9TNwIVIO6BD649KAQxY7W0fRByEs2TrB8Z5uRyDQTRJxht5weSttltrT64_3D/b29/fnorefer/

..so long as the proxy site is not blocked then your lists will be accessible to pfBlocker.  Obviously you have to trust that proxy not to MITM your traffic or otherwise break stuff, which is why I've not included the name here.

@BBcan177:

I don't think this has anything to do with pfBlockerNG….  Try to post in the "Installation/Upgrade" forum and I'm sure someone will be able to help there...

The latest version should be fine now for DNSBL and 2.4...

There is a PR which will increase the memory for PHP which seems to fix the issues for some...

This was merged today...

https://github.com/pfsense/pfsense/pull/3881

Hope this helps!

It's work thanks :)

For now, the only automatic whitelisting option is with TOP1M.

To automate DNSBL whitelisting, more code would need to be added.

So for now, you will have to update the DNS Whitelist when the ebates-cash-back-shopping.txt list change.

Thanks, Grimson, I missed that on the first page.

I will give that a try.

Not familiar with your hardware but if your Asus router can handle VLANs in AP mode you should be good. I am sure others have more experience with this…its likely good for a single WLAN.

You have a Managed switch which can handle VLANs (although some have expressed concern with TPlink...I am sure it is fine!)

As mentioned it looks like your pfbox works...nice RAM(32G)!

The Unifi AP is well regarded and super easy to setup for VLANs. Again find out if your ASUS supports VLANs before spending the $100.

Not a huge value in GeoBlocking I also share the same concern...TOR, VPN, hijacked PC are likely the hackers route. I only suggested getting IPv4 and GeoBlocking as a way to get started with pfBlockerNG. The real prize, I found is with DNSBL in the blocking of ads but it requires you to make sure your DNS Resolver is set specifically.

Make sure you can navigate to the DNSBL Virtual IP...if not it won't work. Also go to the alerts tab and see if you get an alert after navigating to the DNSBL Virtual IP....

OK, I think I have it.  I had to disable all of the other GeoIP rules and only chose the two United States rules.  I then did a "Deny Inbound", and then chose the "Inverse" in the advanced options.  This seems to be working now.

This might be a stupid question, but is your DNSBL working?

I see this behavior since DNSBL doesn't work for me because I'm also using OpenVPN.

So far I can't find a way to make them work together in a secure way.