Running pfSense 2.4.4-RELEASE (amd64) and latest pfBlockerNG devel and can confirm this same issue.

Example: "192.168.10.10 - blops3 udp port" which appears to be one of my NAT port forward descriptions.

Thanks, didn't know Feodo lists were hosted by abuse.ch, too. Bit sad to read, that a simple dist-upgrade causes multi-day failures... our customers would kill us for that ;)

@rico said in How to install pfBlockerNG if you don't want to upgrade to pfSense v2.4.4:

Shrew Soft is obsolete, there is not even some official Windows 10 Client.
5 year old VPN client is allowed by IT restrictions but no top of the line and free OpenVPN? Weird company...

-Rico

Had the same restriction with an financial sector customer (SAP consultants) and told them the same things. ShrewSoft is allowed for some IPSec dial-ins (with chosen cipher suites that are equally old as the software, 3DES and such) or - even worse - guys that stubbornly told me, that they used PPTP(!) to "VPN into that bank customer" - sometimes reality is more satirical as any magazine/show/internet blog you can imagine ;)

chrome dns page is blank ☹

@johnpoz

Yup

Upgrade looks like it went really smooth!

Disable service. Keep config ticked. Uninstall package. Reinstall package.

Config was retained and looks like it's fully working (even the locally cron downloaded shallalist-lists are still working). To be modified is the custom feeds, migration to a selection from the predefined list now available.
And lots of new features to spend some time with a see as a padawan! 😊

brgs,

Ah, that explains it!

Quick feedback about that:

In a cluster setup I see that as bit of a problem, as you will setup the standby node with all things you have to setup there at first, then activate sync and then hope you have to never touch it again ;)
In pfBNG terms that would mean you have to not only install the package but also configure it the first time the same time as the primary node because otherwise the standby will throw errors because it can't find the aliases the primary uses in its ruleset (e.g. pri1...). That's something that perhaps you should keep in mind. I'd suggest a slightly different approach: In the wizard screen ask if it is installed on a CARP cluster. If so, tell them to install the package on the standby node first but to NOT run the installer, just let it rest. Then proceed with the installer, let them create the DNSBL IP as Alias on a CARP address they created themself so you don't have to deal with CARP at all and then after the setup do the initial update and sync it to slave. :)

With that the first time pfBNG runs its update, all lists are updated, created etc. and you can then sync all to the standby node. Perhaps than trigger a force update there via XMLRPC so the standby node also gets the IP/DNS lists correctly. After that the cron update is set to - an hour per default? - so that it should be somewhat safe to leave it alone and have it sync only every hour. But I'd go like the freeradius package for example and just push the configs to the slave every time you save it on the primary and only let the cron do the list updating on both, not the syncing. But that would be my opinion only :)

upgrading to the dev version seems to have fixed the problem.

Thank you.

@talaverde said in pfBlocker and High Availability CARP working?:

@jegr Gotcha. So, should I configure both nodes, each pointing to each other? With the main pfSense XMLRPC Sync, only the primary node is configured. Would this be the same with the pfB 'sync' tab? Or, as initially mentioned in this message, should I have both nodes configured to sync to each other? (I hope that makes sense). thanks.

Aye, pfSense Sync is always Master to Standby not the other way round. There's only one case I'm aware (the top part of the HA sync - pfsync settings) that actually speaks with each other rather than master to standby. So configure pfBNG to replicate from master to standby node (use sync settings would be easiest) and the standby node should receive the configuration for the package :)

@rmalla said in pfblockerNG - Do not Block on specific specific Interface:

@bbcan177 Dear BB, first of all, thanks for creating this great package. I've been playing with it for a couple of days but can't seem to find the correct config for me.

I have a kind of specific situation. I have my WAN (which fails regularly), so I have setup a USB Drive from my local cellphone company (which is very reliable, but I only have 5 GB per month quota). I have them setup as a Failover Wan, meaning, when WAN goes offline the USB goes online automatically.

The problem I've had the last couple of months is that my WAN goes offline (we don't even notice when its offline) and my family keeps on using the internet as usual (youtube, netflix, facebook etc etc) so the USB drive runs out in a matter of days.

So I would like to only block all the high bandwith services on the USB Drive (opt1 inteface), so when my wan is offline, everybody is able to use the internet, but not use the high bandwith services.

Is this possible with the current version of Pfblocker?

My bottom line is that I would like to apply the PFBlocker to the opt1, but not to the WAN interface.

Hello All,

Any news on this?

@bbrendon said in Best use of pfBlocker:

@stewart Yea, this is the way I do it. I create an alias in pfblocker and then make rules using it. Basically I say "if packet is not in goodcountries then block". This was the only way to do it a year or so ago and there might be new ways, but I haven't tried.

With pfBlockerNG-devel, you don't need to link the the GeoIP files anymore... it will still work, but you can now change the State field to the new GeoIP option :)

You can also use Auto-Rules and configure the Advanced In/Outbound Rule options to configure more settings for the Firewall Rules.

@tagit446 said in Question about included Feeds:

I could not even imagine all of the effort put into choosing certain feeds to be included. I know there are alot out there and its hard \

I started a new sub-Reddit for pfBlockerNG and started a Thread for Feed Feedback!
https://www.reddit.com/r/pfBlockerNG/comments/9t1w6o/pfblockerngdevel_feed_feedback/

Thank you for all of your hard work, pfBlockerNG is just absolutely brilliant!

Thanks!

@bbcan177
Thank you, that worked great!

@talaverde

Anything that is blocked will be logged to the Reports/Alerts tab. You can also use the Alerts Filter to refine searches. You can also increase the Alert Settings to increase the number of displayed events.

In Chrome, you can use this URL:

chrome://net-internals/#dns

To see the DNS events. Anything blocked by DNSBL will be seen as blocked domains resolve to the DNSBL VIP Address.

@talaverde

I would think you issues might be that IPs/Domains are being blocked. Review the Alerts Tab for more details. You have sufficient hardware to handle pfBlockerNG.

You can also increase the pfSense DNS Resolver Log Verbosity to 2 and review the resolver.log for additional clues to see if there are other issues.

I, also, have been trying to make my DNS as secure as possible while using CARP, pfBlockerNG (devel) and PIA VPN. I tried configuring the Quad9 DNS, but ended up with a large list of DNS responses in dnsleaktest.com. According to the PIA KB / support, they say that as long as you use their DNS servers (209.222.18.222 & 209.222.18.218), your DNS is running inside their encrypted VPN tunnel anyway, so SSL/TLS isn't necessary. That logic seems sound. When properly configured, dnsleaktest.com responses with only one (PIA) DNS server. This is the only configuration I've found to do so. At this point, I've given up on Quad9.

I might be wrong. Having 12 Quad9 DNS servers respond to my DNS test may be better than one PIA VPN DNS server responding. I just don't trust seeing 12+ as I can't keep track of them all and don't like that many servers logging my data, even if they are (supposedly) anonymous.

Further, I've found PIA VPN to be the only one with their own DNS servers. I spent a lot of time testing out ExpressVPN. It's supposedly faster, but I did not find that to be true. Best guess, that is just based on some 'paid for' reviews.