@sweety i am here because I have similar problems. Mine is:

ug(Removed due to SafeSearch conflict)
uk(Removed due to SafeSearch conflict)unicom|university|uno|uol|ups|
uy(Removed due to SafeSearch conflict)
uz(Removed due to SafeSearch conflict)va|vacations|vana|vanguard|
vc(Removed due to SafeSearch conflict)

...so dumb. There's NO CONFLICT! What's that have to do with FireFox's dumb DNS lookup in the browser if it's to be blocked? FFS these browsers are getting aggressive. So my white lists aren't working either as a result of this feature.

TLD Whitelist - Missing data | mailchi.mp | No IP found! |

For you to use your Windows DNS servers you simply need to setup your network like this:

PC's = your windows DNS servers as their DNS servers
Servers = your PFSense as their DNS servers
PFSense = your outside DNS provider like OpenDNS, Google, Quad 9, etc, etc.

It's not terribly difficult.

Good luck!

@ronpfs said in pfBlockerNG-devel v3.0.0_9:

@fireodo I am with Unbound Python mode, so I can't verify the difference in file between mode.

But this may be normal,

Hmmm, if I deactivate the DNS over HTTPS/TLS Blocking the Whitelist is reduced to 3 (in the pfblocker Widget - and also in the pfbdnsblsuppression.txt)

@teamits said in If i use pfBlockerNG will that take first hit before Suricata?:

@cool_corona I reread your post and I understand your point. I guess I don't particularly care "who" is port scanning if they can't get in. I just assume "outside is bad." :) (also I missed that you weren't the OP, from the emailed notification)

As I understand you, uour usage case is that someone scanning 10000 ports would get blocked before they get to the one open port, vs. if there was only one port open the LAN instance of Suricata wouldn't detect that as a port scan. It would trigger only if they sent a packet that would be forwarded by the one open port and blocked by the LAN instance. In that case the LAN instance is double scanning the packets, so I'm not sure there is as much benefit of scanning there? The LAN alerts might still be more useful for finding the LAN IP of outgoing traffic.

Possibly, a way to reduce the double scanning would be to have only rules for port scanning enabled on WAN?

Exactly the way I am doing it :)

@tac57 https://www.reddit.com/r/pfBlockerNG/comments/ldzsh3/can_no_longer_whitelist_ips_bug_or_user_error/

@srig Hi! The only domain I whitelisted for the Ikea gateway to work was webhook.logentries.com.
But now I got rid of the Ikea gateway. I hate it when a device will not work when you block all the telemetry and "phone-home" domains.

So I have multiple subnets, as follows:

VLAN30 (10.27.200.0/24) - LAN (Servers, no DHCP)
VLAN202 (10.27.202.0/24) - IoT
VLAN204 (10.27.204.0/24) - DHCP (Clients, non-server devices)

All my devices that are not servers connect to VLAN204, except my AppleTV and any IoT devices (including IP Cameras), these are on VLAN202.

I have an ANY* rule from VLAN30 and VLAN204 to all other VLANS. VLAN202 can only talk out of the WAN interface and are blocked from communicating with VLAN30, but can talk to VLAN204, with the exception of DHCP, DNS, and mDNS, those can talk to VLAN30. I have pfBlocker Outbound rules set for VLAN30, 202, and 204, and Inbound for WAN. I have no NAT to the IoT network. I also don't use this firhol, which is most likely a huge difference.

So, one thing is that since my iPhone, on VLAN204 can talk to my Phillips Hue on VLAN202, and vice versa, and I have mDNS reflection enabled, I think that is the key. The Homekit hub is only needed when the client device (iPhone) cannot directly talk to the IoT device, it then routes through iCloud.

I'm not sure where you are applying the alias to, I will try to duplicate you setup if possible and see if I break things (the wife would be happy for sure).

@j24 I added a NAT rule that redirects the DNS requests from the VLAN to a known DNS e.g. 8.8.8.8. It's not the best solution I hope someone can help us separate pfBlocker from the other VLANs.

@chrisling said in pfblocker not working over OpenVPN:

I have the following setup:
ISP modem --> Netgear wifi router R7000 --> pfSense WAN --> LAN (homelab) | OPT1 (home wireless network)
The top layer R7000 is taking the (mostly static) public IP address assigned by my ISP, and then the pfSense WAN is on a RFC1918 compliance network space, i.e. 192.168.0.0/24, same local network with R7000.
I am running some web services demos from time to time on my homelab (pfSense LAN) so I do need to open some ports like 80, 8080, 443, etc. on LAN subnet.

You have a router after router set-up.
Tis means that NAT rules on pfSense have to be repeated on the upstream Netgate router.
Doing so will permit you to add as many routers as you want before your pfSense, but you have sync the NAT rules on all the routers.

I'm sure Lawrence (I'll ask) did said somewhere :
For home setups, by far, prefer a "something" as a modem device connected to your pfSense. Do not keep a router after router setup ** It works, but is tedious to maintain. And you have to understand that you have to build the chain of NAT rules in all your outer devices. Pretty ok if you want to amuse yourself. Not if you can't make these NAT rules "with your eyes closed".

Also : you have a router before your router, so incoming WAN traffic on pfSense can only be traffic that is using ports 80 and any port you've NATted on your upstream Netgear. if you don't want that "Asian" IP's visit your site, you could use the pfBlockerNG blocking rules on your WAN interface (or on the floating tab, and make them work on WAN).

In that case, put your web server NAT rules and your VPN rule after the WAN floating rules .... (but I don't know if floating rules take precedence here.... to be checked).

@chrisling said in pfblocker not working over OpenVPN:

I don't know much about how effective GeoIP is these days, as I'm also new to the game and just trying things out.

I won't say its worthless. it might work.
False positives might exist. Can't tell.

I have a dedicated server somewhere in France, in a big data centre.
It's a simple setup : a power cord, a mother board with the usal stuff, a hard disk, and a Ethernet connector. No screen, no keyboard - I never saw my own server as I don't have physical access to it (you pay but have no visit rights ...).
I use a classic OS : Debian. A classic web server : Apache2. 6 IPv4 and a couple of domains. Some web sites (company and private). A mail server for my domains. The classic DNS domain name server bind. As said : as vanilla as it gets.
No firewall.
Everybody on planet earth can visit my server.
This works just fine since last century (21 years now ...).

Important to know is that my server is being (physically) maintained, 24/24 and 7/7.
And the data centre owner, one of the biggest in the world, uses special routers that can detect and negate DDOS hassle. Something you can never do @home. Worse ; you host a server @home and you get DOSSsed ? Your ISP pulls the plug - or throws YOU out.

My dedicated web server has a 1 Gbyte / sec connection guaranteed, so for a couple of simple Wordpress sites it's doing close to nothing. If needed, it can do much more.
And it's protected for the - what i think - the real dangers.
"Asian" IP's are not the real danger (IMHO). I tend to say :"they" made you believe that.
Russian ? => lol. They are not interested in me. I've no valuable data on my server, like loads of mail addresses, or credit card info, or forums loaded with Kevins and other trolools.
Start Youtube, and do some, as they call it now : fact checking. Take an afternoon to see who hacks who with what, and what the hacker did to the victim when he found out - the hacker was using what ? Never use one Youtube video as the truth : see it as a person's opinion. Add them all up, divide by the number of them and try to found the common central point. Now you're aligned to a point that might be true. Now apply the what if phase, and keep this phase up until the end (take this literally).
Stay away from the adds. They make you think you can buy security. You can't. You have to make it yourself. Its more a state of mind, I guess.

Example :
You and I are today capable of writing a FY letter, and put it in an envelop, addresses it, put a stamp on it and send it by old fashioned mail to some guy.
The guy receives your letter and can not see where it came from.
Even if he calls in a boat load of laboratories and experts. It's as simple as that.
So : yes, Europeans and Amercans will say that the hackers are Russian, Chinese or Tjech. They - the last 3 - are saying its us. And later - if you find out - that is was the son of the jealous neighbour with some stupid hack-script (the kid learned how to type 'make').
Remember the movie from the eighties where the kid typed : "can you play a game" on a terminal ?
Years later, the reality was worse. NORAD wasn't playing - it was a 'ordinary' training simulation. But the missile launch facility agents (in the US) went into isolation mode, opened their red books, and prepared themselves for the final phase.
Because some one (at NORAD ?) forgot to shut down the simulation.

What I want to say, in short : It's the human factor. Its the fault of everybody,start by me (you, etc).

@chrisling said in pfblocker not working over OpenVPN:

i.e. unchecking the floating rules, so that they will be on both my LAN and OPT1 networks such that I can block all and just have the top and bottom line rules on WAN?

Yep. This will populate more rules pfB over all your interfaces, but helps you somewhat to get a nice overview. You can see what happens where when. As soon as everything is set up and tested on your pfSense, you can take advantage of the real strong point of pfSense : let it running by itself so you can do other things ;)
(but keep in mind : pfSense is a giant baby : keep an eye on it, as it is maintained by this stupid guy, like me - and now you ^^).

edit : .... wow, sorry, being to the point doesn't always work out for me.
But hey, I'm only human ;)

@elmnts Yes, I'll certainly re-install when the next version appears, or soon after, probably on a day when I'm at home by myself, and I've got a few hours to do some testing without danger of upsetting my partner's television viewing or internet use!

As I said, it isn't really urgent because I'm not running an environment where there is a particularly high risk of a user going somewhere they shouldn't or being hijacked, but it is nice to know the protection is there, particularly when life gets back to normal and we have visits from the younger family members who are all over social media!

@bbcan177
That was the reason, I had System > Advanced > Protocol set to HTTPs on the first system and to HTTP on the second.

I changed to HTTPs on the second system, ran a PfBlockerNG update and aliases URLs changed to HTTPs too ;-)

Many thanks !

@bbcan177 I get that it's a complicated process, but what is being taxed? Is it all loaded in RAM and it's the RAM speed limiting it? I have the same problem with Quickbooks in every install we've done. It's runs slow but nothing we see is being overly taxed. If I were to build a new system and upgrade from the APU2 units, what would need to be sped up to alleviate the issue?

@viktor_g thanks, but no , that was not it, it was a post that handle cases where maxmind did not work,
it include edit some conf file on pfsense + running some PHP files, to rebuild the DB

@johnpoz done and seems to be working.... thanks

@bbcan177 said in pfBlockerNG & Squid transparent proxy:

localhost

It was already in localhost. pfBlockerNG works with both pfBlockerNG & Squid running. However, Squid 'transparent' proxy is not working. If I can configure proxy settings in my browser then I can see Squid proxy is getting the URL request & virus scanner running. I suspect transparent proxy is conflicting with pbBlockerNG

@talaverde
HA is a complex animal, some interfaces use CARP VIPs and packages use the XMLRPC to sync. XMLRPC has issues where you can use a dedicated user and some vendors(Snort/Cisco) did not think you could do that so they force you to use root/admin to sync your data.