    PfBlockerNG/-devel - Normal/unnormal reboot - No Internet (DNS?)
Apache135

Hello all, and first of all please excuse me if I repost an already solved problem.

I have looked through a lot of posts, asked at least two of my preferred LLMs and also spent a couple of hours on Google, but I could not find a valid solution.

      The Problem:

I have installed pfBlockerNG (same story with -devel) and enabled DNSBL and GeoIP.
Now when restarting the pfSense, no matter if a normal reboot from the GUI or a power cycle by unplugging the system, I get the error of having no internet connection available for my network devices.

Pinging Google from the pfSense itself is working.

      What i have tried:

Turning off only DNSBL or GeoIP with a following update of pfBlockerNG does not recover the connection.
Only turning off the whole pfBlockerNG by unchecking the "Enable" checkbox in the GUI brings back the connection. After that I can re-enable it and everything works fine again.

      What i want to cover:

Sometimes when I'm away on a business trip or on vacation we get power outages. I want my pfSense to come online again after the power is back and then be able to log in through WireGuard. Unfortunately pfBlockerNG (bug?, or hopefully just misconfiguration) breaks this setup for me.

      Thank you for your patience and for your help.

      Regards :-)

PS: If you need any logs or screenshots/descriptions of any configs, let me know.

Edit: All LLMs suggested it is highly likely a boot order issue, caused by some pfBlockerNG config being loaded before DNS or the ISP IP is ready. But I could not figure out the commands or scripts to disable the whole service like from the GUI with the checkbox. Disabling only the services from the CLI did not make any difference.

SteveITS @Apache135

@Apache135 I'd start by determining if it is a DNS issue or not. Can you ping 8.8.8.8?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote 👍 helpful posts!

Gertjan @Apache135

          @Apache135

When pfBlockerNG or -devel is installed and activated, by default it does nothing.

pfBlockerNG isn't a system process that runs in the background "doing things".

What pfBlocker does, as per your instructions:
It will download files that contain IP addresses, reformat them, and then place firewall rules on the floating pane or the interface you choose. From then on, these IP addresses are "blocked".
It will download "DNSBL" files (files with host names), parse them, and create one big file; this file is used by unbound to "shortcut" the DNS resolution, like a DNS override. So it's actually unbound doing the work.

These two processes (PHP scripts, actually) constantly parse the firewall logs and DNSBL logs, so nice stats can be created from them.

It is possible that you've created a setup where it seems that pfBlockerNG blocks your internet connection.
For example, if you use an IP list that lists all the Internet IPv4 addresses, from 0.0.0.0 to 255.255.255.255, then yeah, your command will be granted ^^
Or a much smaller list that contains all the DNS root servers: Internet access will be fine, but the resolver (unbound) can't work anymore, and this looks like "Internet is broken".
Or you don't resolve, but forward to, for example, 1.1.1.1, and this 1.1.1.1 is on one of the IP feeds you use: same result.

Short and fast solution: never ever just click and pray, but actually have a look at the files you use.

DNSBL: same thing: there will be host names like "microsoft.com" that get listed in a DNSBL you use. Suddenly you can't update your PCs anymore. After checking pfBlocker's master alerts page you'll see what happens, and you need to whitelist this "microsoft.com", or just don't use the DNSBL feed anymore that listed "microsoft.com".

          @Apache135 said in PfBlockerNG/-devel - Normal/unnormal reboot - No Internet (DNS?):

          from the gui or a power cycle through unplugging the system

That's like stopping your car by throwing an iron stick into the transmission box.
It will stop for sure. Chances are that it will never boot again, as the file system got corrupted.
(DO NOT!) try this with your phone: remove the battery while it is on, and you'll kill it. That's why today's phones don't have user-accessible batteries anymore. Same thing for your laptop: remove the power cord, and then remove the battery. Chances are that you 'killed' your PC's file system.

Solution? Easy: UPS.
The UPS will shut down your pfSense in a controlled manner, and power it back on when the power that came back is good.

          No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

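As an added example (not from this thread or the pfBlockerNG project), a small Python check of the kind Gertjan recommends: it parses a constructed IP feed and a constructed hosts-style DNSBL list and reports whether they would cover the resolver's own forwarders (9.9.9.9 and 1.1.1.1 are the ones named in this thread), a root server, or a name the LAN needs. The feed formats and the assumption that a DNSBL entry also covers its subdomains are mine, not verified pfBlockerNG behaviour.

```python
import ipaddress

# Constructed sample feeds (not real pfBlockerNG downloads): an IP feed
# in plain-IP/CIDR form and a hosts-style DNSBL list.
IP_FEED = "# comment\n0.0.0.0/8\n1.1.1.0/24\n198.41.0.4\n203.0.113.0/24\n"
DNSBL_FEED = "# hosts-style list\n0.0.0.0 ads.example\n0.0.0.0 microsoft.com\ntracker.example\n"

# What the resolver depends on: the forwarders named in this thread and one
# root server (a.root-servers.net is 198.41.0.4), plus names the LAN needs.
DNS_DEPENDENCIES = {"forwarder 9.9.9.9": "9.9.9.9",
                    "forwarder 1.1.1.1": "1.1.1.1",
                    "a.root-servers.net": "198.41.0.4"}
REQUIRED_DOMAINS = ["update.microsoft.com", "www.example.org"]

def _entries(text):
    """Yield non-empty, comment-stripped lines of a feed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def parse_ip_feed(text):
    # strict=False accepts host bits set, e.g. "10.0.0.1/24"
    return [ipaddress.ip_network(e, strict=False) for e in _entries(text)]

def parse_dnsbl(text):
    # hosts-style lines are "0.0.0.0 name"; bare lines are just "name"
    return {e.split()[-1].lower().rstrip(".") for e in _entries(text)}

def ip_feed_hits(nets, deps):
    """Map each dependency label to the first feed network that contains it."""
    hits = {}
    for label, addr in deps.items():
        ip = ipaddress.ip_address(addr)
        match = next((n for n in nets if ip in n), None)
        if match is not None:
            hits[label] = str(match)
    return hits

def dnsbl_hits(hosts, domains):
    """Map each needed name to the DNSBL entry covering it (assumed: entries act like an unbound redirect zone, so subdomains are covered too)."""
    hits = {}
    for d in domains:
        labels = d.lower().split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in hosts:
                hits[d] = ".".join(labels[i:])
                break
    return hits
```

Any hit in `ip_feed_hits` means the feed would firewall an address unbound needs, and any hit in `dnsbl_hits` means a name the LAN relies on would be redirected to the DNSBL VIP; both reproduce the "Internet is broken" symptom without the Internet being broken.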
Apache135

Thank you all for the quick replies.

I have been using PiHole running in a docker container for a couple of years now. So I'm already trained in not turning on everything I can block just because I think this might be more secure.

I am already using a UPS, but the problem as described is also appearing on a normal reboot, or shutdown and restart.

What really confuses me is the thing of disabling services and not getting results.
I also tried restarting unbound right after the reboot when the problem appears, but the problem does not go away.
Like I said, the only thing resolving the problem is disabling and re-enabling pfBlockerNG from the UI.
The problem is also only appearing after a reboot of any sort, not after an update or during the normal run of pfBlockerNG.

A little more about my setup:

I have set DNS 9.9.9.9 in pfSense as the default DNS.
All my network devices get DNS 192.168.178.1 (pfSense) pushed via DHCP.
Also I have a NAT rule in place to force DNS resolving over pfSense (screenshot omitted).

My virtual IP address for DNSBL is set to: 10.10.10.1

And my placeholder IP address for the IP config of pfBlockerNG to: 127.1.7.7

About connections:
From the FW itself everything seems to be fine. I can ping any DNS server or any website. Only my network devices seem to have issues with resolving anything.
Pinging from a network device (while the error exists), I cannot ping anything: not any available DNS server or any website.

SteveITS @Apache135

              @Apache135 Can you answer:

              Can you ping 8.8.8.8?

If you can ping a number and not a hostname, then it's not a networking problem, it's a DNS problem. If that's the case, I would guess that disabling/enabling pfBlocker is restarting your DNS Resolver service.

Are you forwarding to Quad9? If so then disable DNSSEC; that can cause problems if forwarding, and you already trust your forwarders.


Apache135

                Hi there,

Pinging from the FW itself works for everything, no matter if domain or IP.
Pinging from devices behind the FW: nothing works.

Unfortunately, changing DNSSEC to disabled also does not change the problem.

Restarting the DNS Resolver also does not change anything when stuck in the situation.

                Thank you :)

jlw52761 @Apache135

@Apache135 Looks like we're having some of the same issues; mine just started a month later. Can't say I have any idea what's going on though, outside of pfBlocker having lost its damned mind.

Apache135 @jlw52761

@jlw52761 Unfortunately I didn't find a solution with pfBlocker(NG). My current solution is to have switched back to my PiHole setup and not use pfBlocker. It's still frustrating, because with my DNS forcing I don't have DNS in the LAN when my server is off, due to running PiHole in a docker on the server.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.