• Maxmind Netherlands GeoIP Missing?

    0 Votes
    3 Posts
    309 Views
    planedrop
    @johnpoz LOL no I am just blind, I'm not sure how since I read through the entire list like 5 times, maybe I am just tired. I was looking for "Netherlands" instead of "The Netherlands" and was only looking at things I hadn't selected already, so I guess I skipped it when reading. Anyway, it is there, apologies for creating a post for something so silly lol. Much appreciated!
  • pfBlocker update Log viewer odd SSL entry

    0 Votes
    14 Posts
    1k Views
    @reberhar I played with pfBlocker and watched the updates for CARP from that window. BBcan is very deliberate about making sure that the CARP VIPs are configured with the /32 mask. I think I understand why. When I fudged it to /24, of course it worked. But when the night updates happen it is set back to /32. CARP then failed on that node. I set it back to /24 and the process repeated itself. But even with the mask at /32 the next day CARP is again down on that node. I will keep trying. Tonight I will clear the state tables.
  • Configuration History - Full of pfBlockerNG: saving DNSBL changes

    0 Votes
    1 Posts
    313 Views
    No one has replied
  • High Wire Memory Usage After pfBlockerNG Reload

    0 Votes
    1 Posts
    156 Views
    No one has replied
  • Unresolvable Alias of premade filters on backup node

    0 Votes
    3 Posts
    327 Views
    @KKIT Is it when a pfBlocker update happens?
  • 0 Votes
    6 Posts
    957 Views
    I agree it is bad as well. I had to reinstall again and restore my config. I'm going to run it on ufs this time instead of ZFS and see if that has any impact on it.
  • Update Frequency of GeoIP

    0 Votes
    1 Posts
    243 Views
    No one has replied
  • 0 Votes
    4 Posts
    547 Views
    Gertjan
    @floppypen Ok, nice, so it's more than probable that Firefox uses the resolver to resolve stuff. Did you test? I'll give an example. My settings: [image: 1719392588086-ffb980da-263d-4148-926f-5d593404e7da-image.png] This is the dnsbl file: [image: 1719392645930-cf9a1ef2-64be-4163-8a94-aa8ae2f482d6-image.png] Let's pick one: [image: 1719392684613-0f71f2fd-819c-44cc-a2b8-08a08cf9a599-image.png]

    So, I set up a tailer (SSH or console mode - No (never) GUI command line please):

    [24.03-RELEASE][root@pfSense.bhf.tld]/root: tail -f /var/unbound/var/log/pfblockerng/dns_reply.log | grep 'americanskinheads.com'

    This command 'tails' the main dns_reply.log log file: every DNS request that was parsed by pfBlockerng (the python (!) mode parser). Now I visit this site - and no surprise: [image: 1719392918639-67b0a7d9-ef70-4604-93ed-38b2be236c62-image.png] and the log shows me:

    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,2a01:cb19:907:dead::c7,ServFail,unk
    DNS-reply,Jun 26 11:00:00,servfail,AAAA,AAAA,Unk,americanskinheads.com,192.168.1.6,ServFail,unk

    Btw: 192.168.1.6 and 2a01:cb19:907:dead::c7 are the IPs my PC with the web browser is using.

    Recap: I wanted to visit a site using a host name. The local PC DNS cache didn't have that hostname / IP in its cache, so it asked unbound (pfSense). Unbound filters everything through the pfBlockerng python loop, which uses a big DNSBL database: it found a match (no surprise) and unbound answered back to my PC, my browser, the IP that stands for "don't know that IP so here you have 10.10.10.1", which points to the pfBlockerng web server that showed me in turn: the domain you wanted to visit is blocked.
  • Aliases

    0 Votes
    8 Posts
    670 Views
    @Bob-Dig Got it, THX, I tried for IPv6 always de_rep, but I had to choose only de. Now it works, it was a little bit confusing, but it works now, exactly as I want. THX for the tip and photo!
  • can't update DNSBL Whitelist

    0 Votes
    2 Posts
    264 Views
    tinfoilmatt
    @jc1976 running Snort or Suricata by chance?
  • 0 Votes
    6 Posts
    622 Views
    @Gertjan yeah.... but I'm 57 now and my late nights of coding or sysadmin work are behind me. (former 4.2BSD user, 4.3BSD... SunOS 3.2... BSD/OS..... FreeBSD-3.2 and onwards) :)
  • 0 Votes
    3 Posts
    633 Views
    Gertjan
    @roveer said in pfBlockerNG v3.2.0.8 giving This Connection Is Not Private on all apple devices, but not PC's: Is there a solution to this? There never will be, as it's not a problem.

    For example: your browser found a host called "ad.doubleclick.net" on a web page and this host name was 'blocked' by pfBlockerng. What happened is: your browser asks the local DNS (pfSense): what is the IP address of ad.doubleclick.net? And your local DNS, the resolver, will use pfBlockerng to test every DNS request. pfBlockerng will compare the requested host name "ad.doubleclick.net" with a list of 'forbidden' host names, the DNSBL feeds you've installed into pfBlockerng. And guess what: there was a match! 'ad.doubleclick.net' was present on some DNSBL list, so the resolver stops doing its work (resolving 'ad.doubleclick.net') and it will return to the browser the IP (pfBlockerng default) "10.10.10.1". Ok, the browser is happy, now it will connect to that IP, and show the user what it has to 'say'.

    Meanwhile, the way browsers connect to web servers has changed since the last century. Enter TLS, or what is "https"? https is http, with an s added to it. It's the http protocol, encrypted (secured) with TLS. Before: the browser would connect to the server IP, and ask on port '80': "gimme the page" - and done. These days: the same thing but over a secured communication link. This means that the browser gets a certificate from the web server first. Let's take the example of the certificate of this web site 'forum.netgate.com': embedded in the certificate (check for yourself) you can find: [image: 1718192520333-ce574356-2a73-4988-824a-8e4f47bec1da-image.png] Your browser, before accepting the connection with 'forum.netgate.com', will compare what it found in the certificate from the forum.netgate.com web server with what it tries to contact: does 'forum.netgate.com' match '*.netgate.com'? And it does!! So the connection has a padlock, and the browser is happy. All is well. Many children, bright future, etc.

    Now, wind back to our 'ad.doubleclick.net' and 10.10.10.1 answering. Will '10.10.10.1' be able to produce a certificate to the browser that says "I am 'ad.doubleclick.net'"? Of course not. Now your browser will yell at you .... as it wants to connect to a server called 'ad.doubleclick.net' and it got an answer back from another server called (I don't know, but not 'ad.doubleclick.net') ... that is bad! Massive errors will show up. Users are panicking. "Internet is broken again"

    To make the long story short: @dave14305 is right, forget about the pfBlockerng built-in web server that will show the user a pfBlockerng web page if he's trying to visit a web site that is blocked. It is impossible to redirect https traffic - period. The pfBlockerng web server was nice to have when web sites were 'http' only (last century). And that doesn't exist anymore. Set up the "Null Block (no logging)" option, and be done with it. Some day, our browser will make the 'error' shown more 'clear' to the end user. Maybe ....

    Btw: I've a load of "apple products ipad & iphone" in use here, I'm even using one right now to write this post. I didn't see any "This Connection is not private" issues. That is, it is still complaining that my Wifi isn't encrypted but I don't care ???!! Everything (mostly) is already flowing over the Wifi (radio waves) using TLS so what is the risk? I could of course activate WPA2 for my wifi (and now I have to deal with the passwords). I could, as soon as the wifi is activated, fire up a VPN. And now I have a secured connection in a secured connection in a secured connection. Now I buy safely my new tin foil hat.
  • IPv4 using ASN returns SSL certificate problem: self-signed certificate

    0 Votes
    6 Posts
    505 Views
    @johnpoz I'm running pfblockerNG 3.2.0_10 on pfsense 24.03. I have been doing the updates through a vpn, which has been working without a problem. I changed it to force the update out the wan, which worked. Taking a look at the vpn logs, it has started showing some udp write errors, although the vpn channel would come up and appear to function properly. Since it works through the WAN, it must be the vpn causing the problem. Will have to take a closer look at that. I appreciate your help! I wouldn't have suspected the vpn, if you hadn't asked the question.
  • pfBlocker locked me out of my pfSense web-managment !!!

    1 Votes
    13 Posts
    2k Views
    @JeGr said in pfBlocker locked me out of my pfSense web-managment !!!: I'm more in agreement when it comes to DNSBL - that feature set I can easily see being cloned by Pihole or Adguard. But the IP stuff is way more useful than many realize. Although I generally agree, having pfBlocker be granular enough to DNSBL based on networks is way more useful than the way it's implemented today. Deploy pfSense in a SOHO or school that doesn't want to purchase a separate DNS server but wants filtering; you need granularity which pfBlocker doesn't support. So that would be a use case for the extensibility.
  • Easylist update fails. Expired Cert

    1 Votes
    43 Posts
    23k Views
    Gertjan
    @Vatreni Just thinking out loud: what about getting an ISO from 'whatever' open source project? FreeBSD or Debian etc. Copy what you find under /etc/ssl/. edit: forgot about the most obvious one: get the latest pfSense!!!!! (as you need it even when you don't install it!!) and get the latest ca-root certs out of it. Btw: having troubles with expired certs is the tip of the iceberg (problem).
  • NAT GUI slow when using PfBlockerNG Alias

    0 Votes
    2 Posts
    331 Views
    @mattch it downloads the alias for each rule I think. Or at least processes it. There's one trick we found, at least for our purposes: instead of using the alias as a NAT source, allow any and control the access using one firewall rule for all applicable ports. So, disable the automatic rule creation and create your own. That way the alias is not on the NAT tab and is listed once on the interface tab.
  • This topic is deleted!

    0 Votes
    1 Posts
    11 Views
    No one has replied
  • DNSBL crash report

    0 Votes
    1 Posts
    161 Views
    No one has replied
  • Matched packages (widget) - no filter result

    0 Votes
    1 Posts
    165 Views
    No one has replied
  • Talos_BL_v4 Fails to Update

    1 Votes
    6 Posts
    4k Views
    @Gertjan I get "pfB_PRI1_v4 - Talos_BL_v4 ] Download FAIL", but this started to take place only recently.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.