• 0 Votes
    12 Posts
    984 Views
    stephenw10S

    Yeah, I would use auto generated aliases in user created rules personally. That gives you complete control with all the benefits of auto updating.

  • pfBlockerng Stopped Packet Forwarding

    8
    0 Votes
    8 Posts
    490 Views
    J

    @Gertjan I specifically chose my list of public DNS servers because they do support DNSSEC, I've seen what DNS poisoning can do. I don't need to see a movie, I've lived it. Did I mention damned near 30 years in the business? BTW, doing just a root hint forward doesn't do DNSSEC, as root hint servers are not DNSSEC compliant yet.

    BTW, in the beginning of the post packet forwarding was being stopped, not just DNS being blocked when pfBlocker was enabled. Through a lot of reboots I was able to get the packet forwarding going again with pfBlocker going, but then found the DNS block.

    I did use ICMP from the firewall itself to validate the lack of packet forwarding. I wish the logs would indicate which rule has the "offending" match that caused the block, but it sounds like the process rolls all the lists up into a single firewall rule.

    I really don't want to tear down all of pfBlocker and start over, but it sounds like I will have to do that. Need to see if I can pull all the data out of a backup so that I have all my lists then can just recreate them as needed.

    I'm going to look more into what @BBcan177 mentioned, although I think I am already there since I have disabled all my lists, just not 100% sure.

  • Pfblocker blocks all WAN traffic

    10
    0 Votes
    10 Posts
    959 Views
    D

    @jlw52761 Yes, I followed the suggestions in the answers and started disabling the feeds one by one and found the culprit. I checked the logs and found which feeds were mentioning the DNS address ( there were about 8) then just disabled them one at a time and found the one blocking DNS traffic.

  • Custom Aliasses for pfB GEO IP ??

    3
    0 Votes
    3 Posts
    173 Views
    S

    @thuizt You can create them as Alias Native format (e.g. not Deny) and it only creates aliases, not rules.

  • PfBlockerNG/-devel - Normal/unnormal reboot - No Internet (DNS?)

    8
    0 Votes
    8 Posts
    750 Views
    A

    @jlw52761 Unfortunately I didn't find a solution with pfblocker(ng). My current solution is to have switched back to my pihole setup and not use pfblocker. It's still frustrating, because of my DNS force I don't have DNS in the LAN when my server is off, due to running pihole in a docker on the server.

  • Talos IP list download fail

    6
    0 Votes
    6 Posts
    3k Views
    S

    @fireodo Somehow this one escaped me.
    Didn't notice it until I updated to CE 2.8.
    Anyway, much appreciated.

  • Various d/l errors since March

    7
  • pfBlockerNG sync not working

    72
    1 Votes
    72 Posts
    20k Views
    S

    I think this thread's bug is the reason our backup router had so many extra config files...seems like at some point pfB was updated, removing the manual code change, so the cron jobs on the primary and backup were removing and adding a (defunct) list as they ran.

  • Add Domain [......] to DNSBL: Where is this list?

    3
    0 Votes
    3 Posts
    389 Views
    N

    @The-Party-of-Hell-No said in Add Domain [......] to DNSBL: Where is this list?:

    look for the group you created

    Afternoon, when I clicked on the + it did not ask to create anything, it just (I'm guessing) did something without telling me what it did, if anything at all. I checked all the existing groups and nothing was added to their DNSBL Custom_List.

    So assuming nothing happened, I hope, because I don't remember what domain it was. 😐 🤔

  • 1 Votes
    7 Posts
    3k Views
    G

    @The-Party-of-Hell-No
    Done, friend, it's fixed; what happened is that I had DNS servers assigned to the VLAN, and leaving the native one solved it.

  • I don't receive emails ONLY on Apple devices

    13
    0 Votes
    13 Posts
    2k Views
    dennypageD

    @Unoptanio said in I don't receive emails ONLY on Apple devices:

    Mail cannot function in IOS 18.2 if iCloud Private Relay is blocked at a network level

    https://discussions.apple.com/thread/255916395?sortBy=rank

    This reference is/was out of date. The linked discussion refers to a specific bug introduced in iOS 18.2 (December 11, 2024), which was corrected in iOS 18.3 (January 27, 2025). Apple stopped signing 18.2.X a week later, almost 2 months before this thread began.

  • 0 Votes
    4 Posts
    549 Views
    N

    UPDATE: I found the problem, I created the file on my local system instead of pfSense. 😊

    Thanks for your feedback!....

  • pfBlockerNG alerts - IPv6 hostnames missing

    Moved
    2
    0 Votes
    2 Posts
    282 Views
    GertjanG

    @purleigh

    Your post is 'lost' 😊
    It's a question about the pfSense GUI package pfBlockerng :

    21726789-53e4-4943-9485-c5df3e3207d4-image.png

    Better : The answer can be found somewhere in that forum 😊
    And yes, it's probably a little shortcoming, aka bug.

    I posted about this a while ago, and proposed a workaround.
    So, I've a patch :

    Open /usr/local/pkg/pfblockerng/pfblockerng.inc
    and find

    // Collect static DHCPv6 hostnames/IPs

    Convert it into comments :

        // // Collect static DHCPv6 hostnames/IPs
        // foreach (config_get_path('dhcpdv6', []) as $dhcpv6) {
        //     if (is_array($dhcpv6['staticmap'])) {
        //         foreach ($dhcpv6['staticmap'] as $smap) {
        //             $local_hosts[$smap['ipaddrv6']] = strtolower("{$smap['hostname']}");
        //         }
        //     }
        // }

    and then paste just behind it :

        // Collect static DHCPv6 hostnames/IPs ## 2024-11-25 Gertjan
        foreach (config_get_path('dhcpdv6', []) as $ipv6_interface => $dhcpv6) {
            if (is_array($dhcpv6['staticmap'])) {
                foreach ($dhcpv6['staticmap'] as $smap) {
                    // Reset per static mapping, so a full (non-shortened) address
                    // never gets the prefix of a previous entry prepended
                    $pdsubnet = '';
                    // A shortened '::xx' address only makes sense with prefix tracking:
                    // take the tracked prefix of this interface and prepend it
                    if (strpos($smap['ipaddrv6'], '::', 0) !== false) {
                        $track6ip = get_interface_track6ip($ipv6_interface);
                        if ($track6ip) {
                            $pdsubnet = gen_subnetv6($track6ip[0], $track6ip[1]);
                            // remove '::' from prefix $pdsubnet
                            $pdsubnet = substr($pdsubnet, 0, strpos($pdsubnet, '::'));
                        }
                    }
                    $local_hosts[$pdsubnet . $smap['ipaddrv6']] = strtolower("{$smap['hostname']}");
                }
            }
        }

    The issue is : you probably use 'IPv6 Prefix tracking', like me.
    In that case, static DHCPv6 leases are configured like :

    5375144e-1ce3-454b-bf69-db16fe98cd82-image.png

    and that shortened IPv6 notation isn't the real IPv6.
    Now, pfBlockerng uses the IPv6 SRC IP to reverse find host names. And that will fail.

    The patch shown above tests for the shortened ::xx IPv6, and if it finds one, it prepends the prefix of that LAN interface.

    Afaik, the issue isn't listed here.

  • Custom DNSBL group list errors

    3
    0 Votes
    3 Posts
    429 Views
    GertjanG

    @SJKS said in Custom DNSBL group list errors:

    custom group: vpn_ip

    Group ?
    I see 3 files that look like valid lists.
    The first one, adguard.txt with a line format like

    ||cdnexpress.art^ ||openips.cc^ ||pointed.cc^ ||rounds.cc^ ||should-licence.cc^ ...

    doesn't seem right. I said seem, as I, as a human, don't parse files ^^
    So yes, you're right, it should be pre-parsed.

    Only that "adguard.txt" has an issue ? All 3 of them ?

    ip.txt is an IP list, not a DNSBL list.

    edit :
    What is the URL you use to download the hostname.txt file ?
    This one - the raw one - works for me :
    https://raw.githubusercontent.com/az0/vpn_ip/refs/heads/main/data/output/hostname.txt
    any other URL probably downloads the web page and yeah, that will fail.
    Check here : /var/db/pfblockerng/dnsblorig/* where you can see what pfBlockerng actually downloaded.

    4d90ca54-d6e8-46b6-939a-8e770ed0db09-image.png
    The green marked lines are the IP and DNSBL list. They loaded just fine.

  • Custom Whitelist Feed

    2
    0 Votes
    2 Posts
    352 Views
    tinfoilmattT

    @m2av This would massively improve pfB's DNSBL functionality—the ability to utilize a feed as a whitelist.

  • List of problems/bugs in HA/CARP setups

    8
    0 Votes
    8 Posts
    1k Views
    JeGrJ

    @btspce I'd add another bullet point to it, as it seems very much pfBlocker related:

    it seems that the multiple changes pfBlocker triggers in the audit log (see #1) is also the culprit in breaking the audit mechanism of managing the max amount of config.xml copies to archive. We have both nodes of our DC cluster set to 100 steps back to still have a chance to get a real user config.xml besides the pfBlocker non-changes. We now had multiple occasions of admins checking the audit logs (Config History) and having to wait for 10+min for the site to load. As we were investigating, it was shown that the /backup dir had around 14000 versions of config.xml instead of the configured 100. After finally loading the page and checking again via

    # ls -1 /conf/backup | wc -l

    it was down to 102 again. Currently I have a lab machine that wasn't touched at all for months! that reports:

    [24.03-RELEASE][admin@pfs-plus-2403.lab.test]/root: ls -1 /conf/backup/ | wc -l
    5637

    The only thing that one has running continuously is pfBlockerNG updating the blocklists. So no logins or config changes whatsoever, but still accumulated configs without pfSense itself managing the backup count and rotating/deleting the old ones.

    That seems to very much point at pfBlockerNG as it's the only package currently, that creates that much audit logs on the side.

    Not wanting to post any blame here! Don't get me wrong. Just wanted to get as much details and infos out so we can squash those bugs :)

    Cheers :)

  • 0 Votes
    25 Posts
    5k Views
    GertjanG

    @cryptonym said in Not seeing IP blocks in Alerts area of reports tab. DNSBL shows up properly.:

    DNSBL was working, resolving them to 10.10.10.1 but no logs.

    What was missing was I left "DNSBL Mode" on Unbound (default) rather than setting it to "Unbound Python mode". That one checkbox and a reload and logging is working perfectly.

    Good news - and bad news :

    I switched from Python to unbound mode :

    dd4b7379-bd2d-4636-80a6-ed2ae7b9fc05-image.png

    I tested with a listed DNSBL host entry (StevenBlack's list) 010sec.com

    Sure enough : using http, not https ....

    9ea39967-c05e-4e26-922c-cdeea4422c9a-image.png

    and sure enough :

    a33a4113-d3bc-423f-b8fe-ef28f369605b-image.png

    So Python mode isn't mandatory to make this work.

    Btw : I really thought everybody had abandoned "unbound mode" by now .... as Python mode is way better/faster/much cooler ^^

    That said : imho, you can safely forget about that pfB black web server page that shows up when a visitor visits a site that is blocked. It's something that worked well in the past, when all sites were http based. Because : it needs http sites to actually work - not https.
    You know this already : https can't be intercepted / redirected - not by me, not by the CIA, not by the NSA, so probably you can't either ^^
    Nobody is visiting http sites anymore .... Google hasn't indexed them for years now.
    So : the perfect DNSBL setting these days is :

    9a91c0b8-e856-4c34-af1a-273f49e945a8-image.png

    If you find people on your network still using "http" sites, go have a talk with them, before you throw them off your network. I get it, this is a bit harsh, but these days this should be common knowledge of any Internet user. Like : when you drive your car on the road you stay on the 'right' side of the road.

  • pfBlockerNG with RAM Disk on 25.03 beta

    7
    0 Votes
    7 Posts
    639 Views
    tinfoilmattT

    @netblues And you didn't even need to waste your time with this thread. Good job.

  • description box keeps changing to System Administrator

    8
    0 Votes
    8 Posts
    732 Views
    A

    Thanks everyone for this. I was having this problem too. It was getting quite frustrating and a search came up with this thread right away. My appreciation for those who take time to publicly ask questions and share answers.

  • 0 Votes
    6 Posts
    2k Views
    T

    @posix @Gertjan

    Replying to this old thread to say thank you. I encountered this same "pfB_PRI1_v4 Cannot allocate memory" error on my 2100 and it was solved by increasing System/Advanced/Firewall & NAT/Firewall Maximum Table Entries from 400000 to 600000.

    The 2100 had been running without issue for many months and the last reboot was for the 24.11 upgrade. What caused me to check the 2100 was I had become unable to screen share when connecting via IPsec VPN from the outside. The IPsec connection was successful but vnc attempts to connect to a machine on the network timed out. After changing the Table Entries setting it immediately started working again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.