Fixed the problem by creating a floating rule that allows outbound connection to 142.250.0.0/15, which is the block of IP addresses used by 1e100.net, the umbrella network for Google's servers. What appears to have happened is that Google changed the DNS entries in the Denver area to route traffic over their network. Several common pfBlockerNG blocklists contain 1e100.net, which I'm sure has plenty of servers that host malware. Although I allow the outbound connection, the inbound WAN rules are still in place, which should block the garbage. Fingers crossed. Thanks very much to the illustrious BBcan177 for his Saturday night patience and assistance!

The + button doesn't work at all for me. It asks me to choose a whitelist, but the only choice is to create a new one, and then I get an error message "Cannot create new IP Whitelist! Invalid data!"

@superbree https://www.reddit.com/r/pfBlockerNG/comments/11ax5qj/disabling_suppression_does_not_seem_to_work_in/

@jack37 pfBlocker uses the MaxMind database. There's probably a way to look it up via command line but I generally use a site like iplocation.net which returns values from several places...usually the same but occasionally wildly different. IP blocks do get bought and sold a lot now. I suppose you could try contacting MaxMind. Or just have pfBlocker process the lists as Alias Native, which only creates aliases. Then create your own rules to allow your range then block the desired countries.

@ciroque said in Blocking WeChat and TikTok: I have attempted to get this working, but going to tiktok.com still loads. Don't suppose your ISP gives you a dual stack IPv4 and IPv6 address range? The shots you show block IPv4, but wouldn't block any IPv6 TikTok addresses.

So in the end, I was able to get the device online, uninstall pfBlockerNG, the reinstall it and everything seems to be working just fine. It's now running as my production device. I will keep the other one (the one that had been my production unit before) on the shelf for two weeks just to be sure no hidden issues appear with the new one, then will reinstall and upgrade it too. Thanks for all the help on these forums, and to Netgate for a solid product .

@ncm-com said in pfBlockerNG / pfBlockerNG-devel v3.2.0_3 - pfSense 2.6 Only: @steveits so if I deny all locations on GeoIP and allow one country on IPv4 it will overrule? let's say I need to add only a few countries to the allowed list. On the Geo page use Alias Native and it will create an alias. You can then create your own rules in the order you wish.

I also alsp having the same issue as in post https://forum.netgate.com/topic/165131/service-watchdog-detected-service-dnsbl-stopped-restarting-dnsbl-pfblockerng-dnsbl-web-server after upgrading to pfBlockerNG version 3.2.0_3 just a few days ago. Email notification every minute, had to tell Service Watchdog to stop monitoring dnsbl. Went to the configuration page for dnsbl. Noticed that the box "Wildcard Blocking (TLD)" was unchecked. If I check the box and saved, but it will not save, instead I get this message at the top: The following input errors were detected: • Customlist suppression: Invalid Domain name entry: [ *.googleapis.com ] • Customlist suppression: Invalid Domain name entry: [ *.googleusercontent.com ] • Customlist suppression: Invalid Domain name entry: [ *.xn--9trs65b.com ] • Customlist suppression: Invalid Domain name entry: [ *.1e100.net ] • Customlist suppression: Invalid Domain name entry: [ *.facebook.com ] Seems dnsbl is telling me that the wildcard TLDs that seemingly blocked OK last week are now malformed? If I remembered where the file is located, I would ssh into the box and manually delete those TLDs and try again. I will hunt for it later, else does some one remember the file path? Thanks all.

@skogs yep, all sorted now!

@paul2019 make sure your doing a sniff on the lan side interface at the same time... You really need to see in/out at the same time to validate firewall is dropping something..

@thundergate Found the issue. Also had some issues with affinity checking it's servers. When I enable (check) System > Advanced > Firewall/NAT > 'Clear invalid DF bits instead of dropping the packets' everything is working fine. Don't know why - but it's working now.

@sashli In a quick look, pfB 3.1.0_6 on pfSense 2.6 seems to want a Network alias. In the past I've had to use single IPs in a Network alias and have just used a /32 mask to do so. Looks like we have one for Suricata's pass list set that way.

@katinatez Ah, 2.7 dev is the cutting edge. You probably can't until it's released for that version. @BBcan177 may have an ETA, but for now you'll have to disable the TLD setting.

@katinatez the feeds you supplied worked . Thanks

@helderingor So I'm getting the same problem since updating to 23.01-RELEASE. Any Ideas?

@seeking-sense "maybe"...floating rules are...different. https://docs.netgate.com/pfsense/en/latest/firewall/floating-rules.html#processing-order One issue I just thought of...at one point a pfB update changed the alias names...so we ended up with aliasname_v4_v4 now or something like that. IIRC the rules still existed but the aliases names were wrong so we needed to update the rules to use the "new" name. re: upgrade, it may be too late now but generally we follow Netgate's upgrade guide and uninstall pfBlocker, upgrade pfSense, and install pfBlocker. I run an update manually after installation but haven't had a problem with it creating rules. In many cases we use Alias Native which just creates the alias, and then create our own rules. That allows things like reordering the rules, say to allow an exception.

This is one of the main reasons I finally decided to setup vlans. Using Windows server DHCP, you can set the IOT and guest network to use PFSense for DNS, and hand your AD DNS server info to the domain joined clients. Then just forward to PFSense DNS from the domain DNS servers so that you get the benefit of PFBlocker and any other security settings you enabled in the router. You can even create NAT redirects to redirect the hard coded IOT DNS back to PFSense DNS, and not open port 53 to the internet. You can even use public DNS server lists with PFBlocker to block IOT from using whatever DNS they are hard coded to use even when using DOH (my kindles are hard coded for 8.8.8.8 which would skip PFBlocker if used). It took me a bit to put the pieces together and get it working but I can't stand these crap devices doing whatever they want.