• 0 Votes
    5 Posts
    1k Views
    @thebear said in [23.01-RELEASE] pfBlockerNG v3.2.0_1 not ready for DHCP registration with Python mode?: a the text on the pfSense website confuses me Yep I agree. The documentation got ahead of the fix. It's causing confusion. It should be removed until the fix is merged and available for download, imo.
  • pfBlockerNG-devel PHP Error Message When Upgrading pfSense +

    1
    1 Votes
    1 Posts
    386 Views
    No one has replied
  • System Patches 2.1 & pfblockerNG

    1
    0 Votes
    1 Posts
    214 Views
    No one has replied
  • DNSBL Python mode errors after 23.01 upgrade

    1
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • 23.01 pfBlockerNG-devel error

    Moved
    5
    0 Votes
    5 Posts
    1k Views
    @SteveITS Fixed. For future readers: This is what I did, I do not know if every step was necessary. I am using pfBlockerNG-devel 3.2.0_1 In pfB logs page, I deleted py_error.log and the error.log I then deleted the pfB widget from the dashboard and saved new dashboard. Did a force update of pfB dnsbl. Then reinstalled the pfB widget and it is ok so far.
  • need help: pfBlockerNG with L3 switch with multiple subnets on LAN

    5
    0 Votes
    5 Posts
    631 Views
    johnpoz
    @mzeid said in need help: pfBlockerNG with L3 switch with multiple subnets on LAN: everything was working fine, but pfBlockerNG is only working with LAN subnet Glad you got it sorted, but this points to a design problem to be honest. You should not connect a downstream router via "lan" if there are other devices on the lan. Downstream routers should be connected via a transit network (no hosts) or you can run into an issue with asymmetrical traffic flow. Unless you do host routing on the devices on the lan network. Or your downstream router is natting, etc. Unless none of the devices on the lan never talk to downstream devices. [image: 1676544824693-as.jpg] Downstream sends Syn to client on the lan network, the device sends its syn,ack to its default gateway because it has no route to this network. Pfsense never saw the syn, so there is no state.. And traffic is denied. This is a better setup when you have a downstream router [image: 1676545013221-setup.jpg] Maybe devices on lan and your downstream never talk to each other? But whenever you connect routers together, it should be a transit network (no hosts on it only routers) or you can have issues, especially when a stateful firewall is doing the routing.
  • 0 Votes
    1 Posts
    334 Views
    No one has replied
  • pfBlockerNG Crashes

    2
    2 Votes
    2 Posts
    447 Views
    I am having the same error after the 23.01 upgrade. The pfBlockerNG is not visible in the Firewall tab.
  • Pfbkockerng-dev high CPU load

    3
    0 Votes
    3 Posts
    688 Views
    @steveits I use 22.05 with 3.1.0_11. The cron process is not stuck but the pfbkockerng.php comes up randomly. I can kill it via console and later it's back on again - before the cron time. I removed my MaxMind key. For now I haven't experienced cpu spikes.
  • URL blocking by keyword

    9
    0 Votes
    9 Posts
    1k Views
    @gertjan oh wow, awesome, that's exactly what I wanted! Works perfectly! Thank you!
  • pfBlockerNG-devel DNSBL Event Timeline - increase dnsbl log size

    3
    1
    0 Votes
    3 Posts
    343 Views
    @keyser oh thank you very much for helping! now I feel really dumb, I swear I've looked at that page a dozen times!
  • v3.2.0 python module missing

    6
    0 Votes
    6 Posts
    1k Views
    Ended up working in this thread https://forum.netgate.com/topic/177212/pfblockerng-devel-v3-1-0_19-10/76 to get resolution, and there was a hung upgrade between 23.01 Beta and 23.01 RC that held back the unbound version, which kept me on the old python version. Running pkg upgrade via shell and rebooting fixed all of my issues.
  • Blocking custom urls(different website sections).....not domains

    3
    1
    0 Votes
    3 Posts
    359 Views
    @johnpoz Thank you for the quick response, understood. OK, can squid transparent proxy and pfblocker coexist? Would you advise using squid guard or just regular squid? I've never installed the packages before but will try to get them to co-exist.
  • Geoblocking the world except for home

    geolocation rules dnsbl geoblocking
    11
    0 Votes
    11 Posts
    3k Views
    NogBadTheBad
    @steveits said in Geoblocking the world except for home: @nogbadthebad Since you showed "alias permit" just be aware that reportedly de-dupes across other permit or deny lists. There was a thread last year sometime where someone pointed out IPs were being removed. Alias Native will leave the lists unchanged. Cheers I've changed them :)
  • V3.2.0 + RC23.01

    1
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • Can't turn off DNSBL feeds

    1
    0 Votes
    1 Posts
    399 Views
    No one has replied
  • v3.1.0_11: Unable to download the MaxMind GeoLite2 DB

    3
    0 Votes
    3 Posts
    522 Views
    @freph533 I think I figured it out after reading some other posts. I was using a "real" domain name in System>General Setup and that was somehow causing this issue. I set it back to "home.apra" and it works fine now. I'm not sure how to get a "real" domain to work. Maybe I need a "Domain Override" or something in the DNS Resolver to get a real domain to work? Anyways, for now, setting back to something like arpa, localdomain, etc worked to resolve this issue. [image: 1675218804211-screenshot.jpg] Hope that helps!
  • pfBlockerNG-devel v3.1.0_11 UT1 Header Field cannot be empty

    ut1
    1
    0 Votes
    1 Posts
    259 Views
    No one has replied
  • Error messages from pfb_unbound.py in resolver log

    1
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • GeoIP database missing US ISP IP range

    6
    0 Votes
    6 Posts
    872 Views
    johnpoz
    @lk777 That IP is in there. But that is not your isp space.. that is owned by rackspace NetRange: 69.20.0.0 - 69.20.127.255 CIDR: 69.20.0.0/17 NetName: RSPC-NET-4 NetHandle: NET-69-20-0-0-1 Parent: NET69 (NET-69-0-0-0-0) NetType: Direct Allocation OriginAS: AS10532, AS33070, AS19994, AS27357 Organization: Rackspace Hosting (RACKS-8) Your isp owns this space for example NetRange: 69.112.0.0 - 69.127.255.255 CIDR: 69.112.0.0/12 NetName: NETBLK-OOL-6BLK NetHandle: NET-69-112-0-0-1 Parent: NET69 (NET-69-0-0-0-0) NetType: Direct Allocation OriginAS: AS6148 Organization: Optimum Online (OPTO) Your IP that you talk to the forum is in that space - it's not in a 69.20/16 And both of those ranges are in the geoip db that pfblocker downloads for US space.. [image: 1674913729538-ranges.jpg] You understand it condenses down the ranges so it might not always be an exact cidr match, but your isp space in that range is included in that 69.112/12 (69.112.0.0 - 69.127.255.255) and that other US space you mention that is not your isp, is also included.. As to it being 100% accurate - you understand IP space moves around right.. Global companies, IP space is rented and sold, transferred to other companies... There is no freaking way it's 100% https://support.maxmind.com/hc/en-us/articles/4407630607131-Geolocation-Accuracy It is not possible for us to guarantee 100% geolocation accuracy.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.