Netgate Discussion Forum

pfBlockerNG and pfBlockerNG-devel v3.2.0_3

  • S
    SteveITS Galactic Empire @Draco
    last edited by Mar 2, 2023, 3:45 AM

    @draco No, pfBlockerNG doesn't proxy traffic. It either sets up firewall rules (via feeds) or blocks hosts via DNS (DNSBL). Is ping failing to connect or is it not resolving the hostname?

    Especially if the latter, most likely you're hitting one of the DNS problems in 23.01 that seem to affect people. If you have forwarding enabled in DNS Resolver, uncheck the option to use DNSSEC. I have also seen one person claim to have multiple routers that don't reliably provide DNS if DNS over TLS is enabled, though that hasn't been my experience. 23.01 seems way more sensitive to having DNSSEC enabled while forwarding.

    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
    Upvote 👍 helpful posts!

    • D
      Dobby_ @Draco
      last edited by Mar 2, 2023, 6:03 AM

      @draco

      I'm out of ideas. Any suggestions?

      I had to (or better, must) reboot 3 times after the upgrade to get everything loading automatically at start! These were the services:

      • unbound
      • snort
      • clamd

      If I only restart them manually, they will be running for a while and then they must be restarted again owing to the circumstance that the RAM usage was too high and they were stopping due to the low available RAM or high RAM usage. Applying a patch, restarting the services and rebooting gives me back automatically restarting services after a reboot (the three named above).

      #~. @Dobby

      Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
      PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
      PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

      • S
        SteveITS Galactic Empire @Dobby_
        last edited by Mar 2, 2023, 7:32 AM

        @dobby_ said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:

        RAM usage was too high

        There are a few memory threads for 23.01. One memory "issue" was, at the first 3:00 am after the upgrade, a cron task runs that apparently allocates a lot of ZFS ARC memory. ARC is supposed to be released as needed, but it looks "wrong." The cron is not needed in pfSense. Patch ff715efce5e6c65b3d49dc2da7e1bdc437ecbf12 disables it. That thread also discusses setting vfs.zfs.arc_max a.k.a. vfs.zfs.arc.max.

        • D
          Draco @SteveITS
          last edited by Mar 2, 2023, 11:05 PM

          @steveits said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:

          Is ping failing to connect or is it not resolving the hostname?

          Failing to resolve the host name. I do not have forwarding on.

          This has become more than inconvenient. My late-night backups are failing because the DNS names are bounced on the first try.

          • D
            Draco @Dobby_
            last edited by Mar 2, 2023, 11:12 PM

            @dobby_ said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:

            Applying a patch, restarting the services and rebooting gives me back automatically restarting services after a reboot (the three named above).

            What patch? And I do not have problems with Unbound shutting down, nor is my RAM usage high. Unbound is just a LOT slower at resolving queries that are not in its cache than it was before, or at least that is what this behavior seems like to me. I looked at the logs for DNS and Unbound is not shutting down, though it is restarting when pfBlocker's CRON job runs (not always, which is consistent with not restarting Unbound if the DNS lists are unchanged).

            • S
              SteveITS Galactic Empire @Draco
              last edited by Mar 2, 2023, 11:21 PM

              @draco said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:

              Failing to resolve the host name

              pfBlocker would either let it resolve and block the outbound connection, or if you have DNSBL and it was blocked, would resolve to the sinkhole IP (10.10.10.1?). So, probably not pfBlocker related.

              Did you see my suggestions above about DNSSEC and DNS over TLS?

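Added example, not part of the original thread: the triage question asked above (did the name fail to resolve, or did it resolve to the DNSBL sinkhole?) can be answered from the text that `dig <name>` prints. The sinkhole address 10.10.10.1 is taken from the post; the function name, the 1000 ms "slow" threshold and the sample outputs are assumptions constructed for illustration.

```python
import re

# Assumption: 10.10.10.1 is the DNSBL sinkhole address mentioned in the post.
SINKHOLE_IPS = {"10.10.10.1"}
SLOW_MS = 1000  # hypothetical threshold for a "laggy" uncached lookup

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
TIME_RE = re.compile(r"Query time:\s*(\d+)\s*msec")
A_RE = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)

def classify(dig_output):
    """Return a triage label for the text printed by `dig <name>`."""
    status = STATUS_RE.search(dig_output)
    if status is None:
        # No DNS header: the resolver never answered (timeout, service down).
        return "resolver-unreachable"
    if status.group(1) != "NOERROR":
        # e.g. SERVFAIL, which a validating resolver returns when DNSSEC
        # validation fails (among other causes).
        return "resolver-error:" + status.group(1)
    addrs = A_RE.findall(dig_output)
    if any(a in SINKHOLE_IPS for a in addrs):
        return "dnsbl-sinkhole"   # DNSBL answered on purpose; DNS itself works
    if not addrs:
        return "no-address"
    ms = TIME_RE.search(dig_output)
    if ms and int(ms.group(1)) >= SLOW_MS:
        return "resolved-slow"    # resolves, but recursion is slow
    return "resolved"             # any block would be a firewall rule, not DNS

# Constructed sample outputs (trimmed to the lines the parser reads).
SAMPLES = {
    "sinkhole": ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
                "ads.example. 60 IN A 10.10.10.1\n;; Query time: 0 msec\n",
    "servfail": ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2\n"
                ";; Query time: 4012 msec\n",
    "timeout":  ";; connection timed out; no servers could be reached\n",
    "slow":     ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3\n"
                "backup.example. 300 IN A 192.0.2.10\n;; Query time: 2875 msec\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify(text))
```

Only a `dnsbl-sinkhole` result points at pfBlockerNG's DNSBL; the `resolver-*` and `resolved-slow` results point at the resolver itself.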
              • D
                Draco @SteveITS
                last edited by Mar 2, 2023, 11:43 PM

                @steveits said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:

                Did you see my suggestions above about DNSSEC and DNS over TLS?

                Yes, but you said that, "23.01 seems way more sensitive to having DNSSEC enabled while forwarding". I do not have forwarding on. I do have DNSSEC on. I also have TLS on.

                I tried turning DNSSEC off and still get laggy behavior when opening a non-cached site. So I've turned it back on again.

                • D
                  Draco @Draco
                  last edited by Draco Mar 3, 2023, 7:24 PM Mar 3, 2023, 7:23 PM

                  As posted in the pfSense forum, I am still finding DNS flakey. No forwarding on. No recording of DHCP leases. I've run overnight with DNSSEC on and DNSSEC off. Still flakey.

                  I'm rolling back to 22.05 using the USB image I have with the config included. Maybe I will be able to upgrade to ZFS while I'm at it.

                  I did not expect a released version of pfSense to have so many problems with Unbound, but that's why I keep an image of my last good config...

                  • T
                    teranom
                    last edited by Apr 13, 2023, 4:53 PM

                    Hello, is there an update coming soon for the new MaxMind country IP licence number increase for the paid version for pfBlockerNG?

                    • G
                      Gertjan @teranom
                      last edited by Apr 13, 2023, 6:08 PM

                      @teranom

                      Euh, lol ?

                      See the pfBlockerNG forum, where you posted, and look at the very first non-pinned post called pfBlockerNG 3.2.0_4!

                      It's been out for several days now.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.