  • DNSBL not blocking URL

    6
    0 Votes
    6 Posts
    1k Views
    johnpozJ
    @oever pfblocker vs just blocking by resolving to say 0.0.0.0 likes to point to a block page - that says hey this site is blocked. But if you're looking for something specific loaded off that IP, 10.10.10.10 I think is default vip that is used.. But I think at some point there was recommendation to use something different.. Anywho - yeah block page is just hosted on pfsense off whatever the IP you use (vip on pfsense) to serve up the page to tell you hey that site is blocked. But if you try and load some specific resource off that httpd, like favicon.ico then sure yeah that could be loaded. Glad I could help you get some sleep ;)
  • 23.05.01 easylist not in dashboard widget [edit: not loading at all]

    7
    0 Votes
    7 Posts
    1k Views
    GertjanG
    @Cabledude I was using M0n0wall in the past, as it offered a 'captive portal' and I was looking for some answers. I've used my IRL first name to create an account here, just to ask some questions. I had my answers quickly, from what I recall, my questions were just "wrong", and I've installed pfSense. Still using it today. Edit: forgot about the most important one: I'm still learning.
  • pfBlockerNG custom block list

    4
    0 Votes
    4 Posts
    3k Views
    B
    @deveals Danny I'm also a newbie, and we're using pfBlockerNG with a custom list. Our custom list is derived and compiled from a combination of sources, including AbuseIP.com, local fail2ban, and others. The custom list contains about 100k addresses. pfSense gets list updates a few times each day by a cron task. The activity against this list is easily visible. There's a pfBlockerNG widget for the pfSense GUI dashboard that gives summary data. If you need more granular data using the GUI, go to Firewall, Rules, WAN, select and edit the custom rule, scroll to bottom of page and note the Tracking ID number. Also make sure logging is enabled for this rule. Log = tick. Then use Status, System logs, Firewall, Advanced Log filter (enabled in System, General Setup, Log Filtering), and enter the Tracking ID in the filtering criteria. Apply Filter. Now you see all the traffic actioned by your custom rule. If there's a better way to do this, I hope somebuddy with more experience will chime in with correction/s and/or suggestion/s. HTH
  • pfBlocker custom block page to redirect browser

    7
    0 Votes
    7 Posts
    2k Views
    K
    @jrey I don't even have the file anymore, I'm using what you provided and substituted my URL and it's been working perfectly. Thanks again for your help, really appreciate it!
  • pfBlockerNG and floating rules: To float or not to float?

    3
    0 Votes
    3 Posts
    861 Views
    D
    I have some pfBlocker generated rules as floating/quick. Some of which protect a few forwarded ports on the WAN interface. I have logging turned on for these rules and, whilst it works as expected, one thing puzzles me: The logged DST IP is sometimes the WAN interface and sometimes the internal forwarded-to IP. I don't understand why this variation occurs. Is it a consequence of 'floating' rules? Whilst the rules concerned are 'floating', they're assigned only to the WAN interface. It seems as if the rule can be evaluated before or after NAT occurs?
  • DNSBL doesn't seem to be working

    Moved
    6
    0 Votes
    6 Posts
    539 Views
    M
    I ended up deleting pfblocker, restarting, and re-installing it. It seems to be working now.
  • cert error

    8
    0 Votes
    8 Posts
    544 Views
    johnpozJ
    @reynold well that could be problematic - since when you forward a returned IP being rfc1918 would be a rebind.. So with your client be it nslookup or dig or host, whatever your fav dns client is from cmd line. Do a query to pfsense IP, do you get back local resources that your DNS is resolving? When you forward to some other NS, you prob want to allow for rebind from it, create a private-domain entry in your unbound config. See here https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html But if it was a rebind pfsense would not return an IP for some fqdn query, so how would you end up on pfsense IP? What is more likely is your browser is doing doh, and getting some public IP that is say pfsense wan, to how you're getting the pfblocker dnsbl cert.. But you should actually validate that is working.. But if you're running your own DNS, all your clients should really point directly to that IP for dns..
  • pfblocker in AD domain with local dns server

    9
    0 Votes
    9 Posts
    1k Views
    R
    @Cylosoft said in pfblocker in AD domain with local dns server: Then in the PF DNS Resolver settings we add domain overrides for the local domain. So "whatever.local" uses lookup server IP Address of the AD domain controller IP. I did it and yellow warning disappeared
  • adult content

    24
    0 Votes
    24 Posts
    3k Views
    provelsP
    @reynold NM, didn't see your last post.
  • secure VPN with GeoIP

    9
    0 Votes
    9 Posts
    1k Views
    R
    @NogBadTheBad thx I did it
  • Is it possible to load RPZ or RBL with FQDNs in pfBlockerNG?

    1
    0 Votes
    1 Posts
    221 Views
    No one has replied
  • pfBlockerNG-devel pfsense 23.05.1

    27
    0 Votes
    27 Posts
    4k Views
    J
    @Summer quoted in pfBlockerNG-devel pfsense 23.05.1: when you install and start pfSense the first time, and your ISP used IPv4 and DHCP Not true in "every" case. Your connection could have been a static IP and DHCP would not be in play in that case. (don't really recall you saying ISP or connection type until the question was asked) The line of questioning was more to lead on the path of thinking about how things work in your specific case. (Learning) Without getting into the details of how or why, my DNS for example, is all local (internal, behind the wall), fully isolated from the internet. Blazing fast DNS response times. I currently have 40-50 devices behind the 2100 - and it doesn't even have to work hard. It's all about how you approach things, with a specific goal in mind. Plan it out. I would like, if you don't mind, to cycle back on what was perceived to be a long download time for you and the file. (because yes that ~30min time for you showed does seem excessive) What kind of speed is your WAN? I, for example, typically download this file in 1-2 seconds max - even on a "congested" day it might take 4 seconds (yes, the file only downloads when needed, but still ) (start) Thu 24 Aug 2023 11:26:38 EDT % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6671k 100 6671k 0 0 17.0M 0 --:--:-- --:--:-- --:--:-- 17.3M (end) Thu 24 Aug 2023 11:26:38 EDT
  • GeoIP "GB_rep_v4.txt" list contains my domain ISP

    35
    0 Votes
    35 Posts
    4k Views
    C
    Hi all, I really learned some nice things today so thanks to you all, I really appreciate it.
  • [solved] IP-blocking: Huge discrepancy between Original and Master

    2
    0 Votes
    2 Posts
    538 Views
    Bob.DigB
    Because no one answered I guess now that it must be de-duplication. So I mark this solved.
  • Netgate ip address blocked by PF BlockerNG

    Moved
    6
    0 Votes
    6 Posts
    788 Views
    GertjanG
    @Stellir You mean: you have a pfSense LAN using some IP range - most surely RFC1918, and this RFC1918 is in the list you have selected? Plan A: most straightforward solution: ditch this list - it was a wrong pick. Plan B: whitelist the IP or even entire networks. Still, the question is a bit strange: to allow my IP into the router? You control pfSense, right? So you control who accesses your LAN (into pfSense), or whatever interface. Please add more details to the question.
  • No ASN shown in reports any longer

    asn
    6
    0 Votes
    6 Posts
    909 Views
    M
    @jrey I applied the original patch and started getting ASN entries in the report. So some advance. Guess will have to wait for the dev to completely fix this.
  • What is the difference between these two lists?

    3
    0 Votes
    3 Posts
    331 Views
    S
    @keyser ah got it I understand it now. Thank you!
  • pfblockerng dnsbl not blocking my OpenVPN Clients devices

    5
    0 Votes
    5 Posts
    805 Views
    V
    Hi, your screenshot is for pfBlockerNG IP settings, you have to check in Firewall/pfBlockerNG/DNSBL if OpenVpn interface is included in Permit Firewall Rules. In auto create firewall rule for DNSBL see if all desired interfaces are present. Also in order for pfBlockerNG to work for your OpenVPN clients you have to push all client's internet traffic /OpenVpn server settings Redirect IPv4 Gateway and DNS Server enable have to be enabled/.
  • pfBlocker updater blocked by itself

    4
    0 Votes
    4 Posts
    684 Views
    Bob.DigB
    @SteveITS said in pfBlocker updater blocked by itself: There are no floating rules being generated? I have some match rules in floating but to me it seems pfBlocker is checking on all blocked IPs and then is refusing updates from them, which is not good, especially for geoblocks.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.