@skogs yep, all sorted now! 👍

@paul2019 make sure your doing a sniff on the lan side interface at the same time... You really need to see in/out at the same time to validate firewall is dropping something..

@thundergate Found the issue.

Also had some issues with affinity checking it's servers.

When I enable (check) System > Advanced > Firewall/NAT > 'Clear invalid DF bits instead of dropping the packets' everything is working fine.

Don't know why - but it's working now.

@sashli In a quick look, pfB 3.1.0_6 on pfSense 2.6 seems to want a Network alias.

In the past I've had to use single IPs in a Network alias and have just used a /32 mask to do so. Looks like we have one for Suricata's pass list set that way.

@katinatez Ah, 2.7 dev is the cutting edge. You probably can't until it's released for that version. @BBcan177 may have an ETA, but for now you'll have to disable the TLD setting.

@katinatez the feeds you supplied worked 👏🏾👏🏾👏🏾. Thanks

@helderingor So I'm getting the same problem since updating to 23.01-RELEASE.

Any Ideas?

@seeking-sense "maybe"...floating rules are...different.

https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#processing-order

One issue I just thought of...at one point a pfB update changed the alias names...so we ended up with aliasname_v4_v4 now or something like that. IIRC the rules still existed but the aliases names were wrong so we needed to update the rules to use the "new" name.

re: upgrade, it may be too late now but generally we follow Netgate's upgrade guide and uninstall pfBlocker, upgrade pfSense, and install pfBlocker. I run an update manually after installation but haven't had a problem with it creating rules.

In many cases we use Alias Native which just creates the alias, and then create our own rules. That allows things like reordering the rules, say to allow an exception.

This is one of the main reasons I finally decided to setup vlans. Using Windows server DHCP, you can set the IOT and guest network to use PFSense for DNS, and hand your AD DNS server info to the domain joined clients. Then just forward to PFSense DNS from the domain DNS servers so that you get the benefit of PFBlocker and any other security settings you enabled in the router. You can even create NAT redirects to redirect the hard coded IOT DNS back to PFSense DNS, and not open port 53 to the internet. You can even use public DNS server lists with PFBlocker to block IOT from using whatever DNS they are hard coded to use even when using DOH (my kindles are hard coded for 8.8.8.8 which would skip PFBlocker if used). It took me a bit to put the pieces together and get it working but I can't stand these crap devices doing whatever they want.

@gertjan said in First run pfBlockerNG - false positive?:

But you, as the admin, have added dnsbl feeds (or IP feeds) to pfBlockerng.
Hostnames (or IP's) in these feeds will get blocked.
Did you have a look at these lists ? ;)

Thank you for a nice and informative answer! I will try with the address you suggest, and no... I have not looked at the lists in detail, but looks like a good idea to get a better understandning of this... :)

Thank you for the answer. I should have thought to check there instead of just looking at the normal backup / restore. Appreciate your help.

@jrey I think that’s the “uniq[ue] check.”

Note if using Alias Deny pfB will dedupe across the deny lists, even if used for different rules. Might be what you’re seeing given the label. Alias Native does not.

@steveits said in Cannot access dns resolver settings:

Looks to me like it was restarted on request...settings change? DHCP lease registration?

I have all of my clients are using pfSense for DNS although there are a few on my network where google is programed into the firmware.

There was no manual restart (I did do a manual restart of unbound today but not at that time) nor were any changes to client dhcp being done at that time. That said, I'll use my 7th decade age as an excuse and therefor I'll pay more attention in the future.

You are correct, I'm not using forwarding resolver and I am aware of the DNSSEC requirement to not be used.

These frequent periods of no response (hanging?) were not experienced in 22.04 and pfBlockerNG-devel.

I checked and mine is not using a forwarder but is set to use DNSSEC.

Right now I have a cron job set to simply restart unbound at 02:00 every day. If not seen a recurrence of this issue since doing that.

The overlay for selecting a Alias out of the already created ones does not appear and leave empty. Just entering a "known" alias and try to save lead in a empty field of the "Custom Destination"

@bmeeks Got it. Thanks a lot

@efriedman Snort would see things before pfBlockerNG, I believe...

Update, I just moved from 3.2.0.1 to pfBlockerNG 3.2.0_3, no issues so far. Network throughput, memory and CPU usage all within normal parameters.

Thank you @BBcan177 for all your work on this excellent package!