@Gertjan
I wasn't sure if I could upgrade pfsense to 24 on my Netgate 5100. Has anyone else done this upgrade on Netgate's 5100 appliance? Would appreciate if I knew that someone has succeeded in upgrading a 5100 to the latest pfsense version. Any do's and don't's appreciated.

@Albertopfsense

pfSense (pfBlocker) fails ...
What happens when you use the URL in a web browser ?
Same test, from another WAN IP ?

And yes, it happens, there are moments that server have issues, or are in maintenance mode, etc.

@jrey I've finally managed to roll back to 24.3 after 2 days of messing around and re-install pfb 3.2.0_10 from scratch. Now all is dandy again with much more lists active than under 24.11.

@FrostElara Activate the TLD in pfblockerng and add it to the blocklist. pubgmobile.com I solved it by adding the address. Of course, it works by blocking external DNSs.

@smolka_J said in Different block list for different users:

… pfSense instance once the project migrates over to the Linux kernel as announced at the beginning of the year

I think that was a 1 April inspired post

@Gertjan Just a friendly poke -- I took your post as "funny, as it is meant to be" - others it appears, assumed you were serious about avoiding it because it is "free". I'm a "paid free" user as well, with real netgate gear, but that wasn't the point. The person raising the question has a configuration (or other issue) it has nothing to do with it being product or list being "free" or "spam".

@chrcoluk

Yep.
Is known : Problem with Python Group Policy - Cached Domains

Hit the same issue myself, everything ran fine for years, but two things happened.

Letting neighbour use my network currently, as they got no broadband, and they have a TV that is absolutely unreal in terms of DNS traffic, hence recently all me doing stuff on pfblockerng.

Decided to change pfblockerng cron from hourly to daily as I had nothing updating more often than daily anyway.

This combination seems to have unsettled the pfblockerng web server, I wouldnt personally call this a sinkhole as its a webserver responding to requests, a sinkhole is a null route like replying with 0.0.0.0.

Obvious solution is to stop using the VIP filtering, if that keeps all the dnsbl logging then no issue, but I read in the thread VIP, stats only accrue from VIP traffic.

I see a ton of states in fin wait, so looking to see if the time outs can be reduced, seeing also if the web server is actually caching content or fetching its index from storage every time.

I see its configured with 4096 bit keys, over kill for this sort of thing and also a top end EC.

The index.php seems to be deliberatly configured to not cache, but I can see why, as its used for logging stuff, which would break if cached by the client, I think I will just move some stuff of the web server.

I have made an observation with the speedtest android app, it looks like it does sneaky DoH queries to bypass your network's DNS, after I added a DoH blocklist, the app will report connectivity issues with the go button a red colour, however any tests still run fine, so it does fall back to system DNS.

@UncleBilly Ah, right! Apologies for the unproofed reply. The infoblocks are always key wherever they appear.

@Bob-Dig Super; thank you for taking the time to help. This has been driving me bananas.

@Antibiotic
I assume, you're talking about a VPN service provider to access the internet. So yes, then you have to select your LAN.

pfBlockerNG adds rules for outbound traffic to the internal interface, e.g. LAN, likewise as you manually can restrict the outbound traffic by rules.

@tinfoilmatt @Yoe777
Update from what I found on my end, FTP site is down again at least for me saying connection refused when it was working fine over the past week, likely meaning my IP is blacklisted temporarily from doing too many updates/reloads in too short of time period as I was throwing together a replacement for Shallalist I may try to get up on GitHub. I got my UT1 downloading and processing again by changing the feed URL for UT1 in two files:

/usr/local/pkg/pfblockerng/ut1_global_usage ``` as well as in ``` /usr/local/www/pfblockerng/pfblockerng.php

changed both to the https URL

https://dsi.ut-capitole.fr/blacklists/download/blacklists.tar.gz

followed with then going to the DNSBL Category tab to save settings so that it updates the config.xml. Then run a force reload all. On update/re-install of pfBlockerNG those two files will need updated again because they will be overwritten

@Antibiotic Oh, sorry finally found this option. Can close this question))

@ephedan
In short, pfsense is not a content filtering device. pfblocker is very limited in this regards in that there are not per interface dnsbl rules. Any vlan that uses pfsense for DNS is subject to the same content policy on pfblockerng.
If this is a home situation, my advice would be to use Adguard or Pihole which has greater functionality.

@aivxtla Here you are:

s3.amazonaws.com s3-1.amazonaws.com # CNAME for (s3.amazonaws.com) .github.com .githubusercontent.com github.map.fastly.net # CNAME for (raw.githubusercontent.com) .gitlab.com .sourceforge.net .fls-na.amazon.com # alexa .control.kochava.com # alexa 2 .device-metrics-us-2.amazon.com # alexa 3 .amazon-adsystem.com # amazon app ads .px.moatads.com # amazon app 2 .wildcard.moatads.com.edgekey.net # CNAME for (px.moatads.com) .e13136.g.akamaiedge.net # CNAME for (px.moatads.com) .secure-gl.imrworldwide.com # amazon app 3 .pixel.adsafeprotected.com # amazon app 4 .anycast.pixel.adsafeprotected.com # CNAME for (pixel.adsafeprotected.com) .bs.serving-sys.com # amazon app 5 .bs.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com) .bsla.eyeblaster.akadns.net # CNAME for (bs.serving-sys.com) .adsafeprotected.com # amazon app 6 .anycast.static.adsafeprotected.com # CNAME for (static.adsafeprotected.com) google.com www.google.com youtube.com www.youtube.com youtube-ui.l.google.com # CNAME for (youtube.com) stackoverflow.com www.stackoverflow.com dropbox.com www.dropbox.com www.dropbox-dns.com # CNAME for (dropbox.com) .adsafeprotected.com control.kochava.com secure-gl.imrworldwide.com pbs.twimg.com # twitter images www.pbs.twimg.com # twitter images cs196.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com) cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com) cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) cs2-wac.apr-8315.edgecastdns.net # CNAME for (pbs.twimg.com) cs2-wac-us.8315.ecdns.net # CNAME for (pbs.twimg.com) cs45.wac.edgecastcdn.net # CNAME for (pbs.twimg.com) .pfsense.org .netgate.com