Netgate Discussion Forum

    New pfblockerNG install Database Sanity check Failed

      slu @BBcan177

      @BBcan177 so next step is a new package for pfSense?

      pfSense Gold subscription

        marchand.guy @Maltz

        @Maltz said in New pfblockerNG install Database Sanity check Failed:

        @marchand-guy I manually made the change to the shell script that BBcan177 described.

        Ok, done as well.
        Thanks

          tinfoilmatt

          Thanks, @BBcan177.

          Some clear confusion ITT re pfSense system version and pfBlockerNG package version numbers. For posterity:

          pfSense 2.7.2 CE - Database Sanity check issue not present, because pfBlockerNG and pfBlockerNG-devel packages are both on "RELENG_2_7_2" branch of pfSense / FreeBSD-Ports

          pfSense 2.8 CE - Database Sanity check regression, possibly because branch updated to "devel" for both packages?

          (RELENG_2_7_2 branch: pfBlockerNG/pfBlockerNG-devel)
          (devel branch: pfBlockerNG/pfBlockerNG-devel)

          I think that's what's happened. Maybe someone can give me a sanity check. 😜

          The package version numbers appear to have been realigned in pfSense 2.8 CE however. The last package versions of pfBlockerNG and pfBlockerNG-devel on pfSense 2.7.2 CE were 3.2.8 and 3.2.0_20 respectively.

          But under 2.8 CE, both packages are now currently on version 3.2.8 (pfBlockerNG and pfBlockerNG-devel).

          Will both packages continue to be maintained separately and we should expect version numbers to potentially diverge again?

            madmaxpr @tinfoilmatt

            @tinfoilmatt Is there a fix or patch being published for this? Still waiting.

              tinfoilmatt @madmaxpr

              @madmaxpr I'm sure there will be, but @BBcan177's manual patch can be applied in the meantime.

              File to edit is /usr/local/pkg/pfblockerng/pfblockerng.sh, Line 1232 on my 2.8 CE/package version 3.2.8 system.

                Maltz @marchand.guy

                @tinfoilmatt There are a few things that are not quite right in there... but the short version is that this has always been broken, it seems, but the check doesn't actually do anything apart from display the alert anyway.

                In pfSense 2.7.2, pfBlockerNG and devel were at versions 3.2.0_8 and 3.2.0_20, respectively. In pfSense 2.8.0, they are both at v3.2.8.

                Note that 3.2.0_8 ≠ 3.2.8

                Versions 3.2.0_8 (and 3.2.0_20?) had two issues with the Database Sanity check. The first one broke the check entirely and it always showed PASSED no matter what. The second one was that the check was checking against "masterfile" instead of "mastercat"

                The first problem was fixed in v3.2.8, which exposed the second problem. The second problem is fixed by the change BBcan177 described above.

                And for those worrying about a patch - Since BBcan177 created the fix himself, I assume it'll be fixed in the next release. Also, this issue is strictly cosmetic, so there's not an urgent need for a new release to fix it. But if your OCD can't let it go (and I can relate lol) then just apply BBcan177's fix manually while we wait.

                  tinfoilmatt @Maltz

                  @Maltz said in New pfblockerNG install Database Sanity check Failed:

                  Versions 3.2.0_8 (and 3.2.0_20?) had two issues with the Database Sanity check. The first one broke the check entirely and it always showed PASSED no matter what. The second one was that the check was checking against "masterfile" instead of "mastercat"

                  The first problem was fixed in v3.2.8, which exposed the second problem. The second problem is fixed by the change BBcan177 described above.

                  Solid recap. So when all is said and patched, two relevant lines of /usr/local/pkg/pfblockerng/pfblockerng.sh should read...

                  Line 1232 (needs manual change until patch released):

                  s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"
                  

                  Line 1281 (should already be present in package version 3.2.8):

                  if [ "${s1}" == "${s2}" ]; then
                  
                    MidGe48 @tinfoilmatt

                    @tinfoilmatt

                    here: running pfSense 2.8.0-RELEASE and pfBlockerNG 3.2.8-dev

                    Made the suggested change to line 1232.

                    Still same issue showing DNSBL (unbound mode) out of sync.

                    Should I revert the change to ensure that the patch, when available, works correctly?

                    Thanks for any help.

                      Laxarus @MidGe48

                      @MidGe48

                      I had the same issue

                      make the suggested change on line 1232

                      then go to general
                      uncheck

                      • pfBlockerNG Enable
                      • Keep Settings Enable

                      save
                      wait for it to save

                      then

                      check

                      • pfBlockerNG Enable
                      • Keep Settings Enable

                      save
                      wait for it to save

                      then

                      force reload all

                        MidGe48 @Laxarus

                        @Laxarus

                        Thank you Laxarus,

                        It seems to have worked.

                          mull0r @Laxarus

                          @Laxarus This worked for me as well. Though I had to search the web how to edit the file (the easiest way).

                          Therefore:

                          Addition for anyone struggling to find where to edit files on your pfsense system.

                          Go to Diagnostics --> Edit File --> insert the location of the file:

                          /usr/local/pkg/pfblockerng/pfblockerng.sh
                          

                          Go to line number 1232 by filling it in the Go to line field.

                          That line should read:

                          s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"
                          

                          replace only (leave the rest intact):

                          masterfile
                          

                          to

                          mastercat
                          

                          Then follow the above instructions from @Laxarus https://forum.netgate.com/post/1219635

                            tman222

                            Ran into this issue today as well running on 25.07.1 with pfblockerNG-devel 3.2.7. Followed the steps outlined in this thread to edit the pfblockerng.sh file, then deleted/force reloaded all the lists, and all was well again. Thank you everyone in this thread for your help and great instructions.

                              slu @BBcan177

                              @BBcan177 said in New pfblockerNG install Database Sanity check Failed:

                              From:
                              s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

                              To:
                              s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"

                              Is it possible to update the pfSense package with a bug fix version?

                              pfSense Gold subscription

                                Gradius @slu

                                FYI, this bug is still present on pfSense v2.8.1-RC and pfBlockerNG-devel v3.2.8

                                  mcury Rebel Alliance @Gradius

                                  Same issue on 25.07.1
                                  pfBlockerNG-devel 3.2.7

                                  Database Sanity check [  FAILED  ] ** These two counts should match! **
                                  ------------
                                  Masterfile Count    [ 26379 ]
                                  Deny folder Count   [ 26378 ]
                                  

                                  dead on arrival, nowhere to be found.

                                    TommyMoo

                                    Thank you BIG time! I had the same problem with the pfBlocker database mismatch message, and it's now fixed... Again, thanks! 👍

                                      TommyMoo

                                      pfBlocker has been updated tonight; now the Sanity Check passes without need of patching!

                                      Thanks to the developer, GREAT! Also other bug fixes have been applied with the update! 👍 👍 👍

                                        borgotech

                                        Hi everyone, I have the same issue:
                                        pfBlockerNG-devel 3.2.10
                                        Version 25.07.1-RELEASE (amd64)
                                        built on Wed Aug 20 15:17:00 EEST 2025
                                        FreeBSD 15.0-CURRENT

                                        ===============================================================
                                        
                                        Database Sanity check [  FAILED  ] ** These two counts should match! **
                                        ------------
                                        Masterfile Count    [ 60322 ]
                                        Deny folder Count   [ 60323 ]
                                        
                                        Duplication sanity check (Pass=No IPs reported)
                                        ------------------------
                                        Masterfile/Deny folder uniq check
                                        Deny folder/Masterfile uniq check
                                        
                                        Sync check (Pass=No IPs reported)
                                        ----------	
                                        

                                        I tried to enable/disable ... uninstall/install but the error is there :(. Can anybody give me some advice? Thank you.

                                          TommyMoo @borgotech

                                          @borgotech Hello, the bug has been fixed with the latest update of pfBlocker. Please check if you have the latest version. In the menu System -> Package Manager, see if it's the latest version (appears then highlighted in orange in the Package Manager) if an update is available.

                                          If all this doesn't help, you can still patch it manually. Please read the post above by mull0r, who replies to Laxarus; he describes how to patch. In short, you have to log in to your pfSense via SSH, and then:

                                          sudo nano /usr/local/pkg/pfblockerng/pfblockerng.sh

                                          then look for the line that contains the following (use Ctrl+W for the nano editor search, and paste it in):

                                          s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

                                          and change that line to:

                                          s1="$(grep -cv ^${ip_placeholder2}$ ${mastercat})"

                                          then save it with Ctrl+O and leave nano, then just restart pfBlocker, and the problem should be gone (worked for me before the last update was released, approx. a week ago).

                                          That's it. Now, it should be fixed in the new update of pfBlocker; the trick/patch is only necessary if you have an outdated pfBlocker installed on your system.

                                          Good Luck!

                                          B 1 Reply Last reply Reply Quote 0
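
The manual edit described by mull0r and TommyMoo above, written as a repeatable step. This is an added example, not part of the original posts and not pfBlockerNG code; the function name `patch_sanity_check`, its status words and the `.orig` backup suffix are this example's own. It finds the line by content rather than by number, since the line number was only reported for one system.

```shell
#!/bin/sh
# Added example, not pfBlockerNG code: apply the thread's one-word change
# (masterfile -> mastercat) to the sanity-check line of pfblockerng.sh.
# The line is located by content because its number can vary between versions.
# Function name, status words and the ".orig" suffix are this example's own.

patch_sanity_check() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }

    # BRE prefix matching only the s1= assignment that runs "grep -cv".
    pre='^[[:space:]]*s1="\$(grep -cv .*'
    if ! grep -q "${pre}"'\${masterfile}' "$f"; then
        if grep -q "${pre}"'\${mastercat}' "$f"; then
            echo "already-patched"; return 0
        fi
        echo "sanity-check line not found in $f" >&2; return 1
    fi

    # Keep one untouched copy so the edit can be reverted.
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig" || return 2

    tmp="$(mktemp "${TMPDIR:-/tmp}/pfb.XXXXXX")" || return 2
    # \1 keeps everything up to the variable; other ${masterfile} uses stay as-is.
    # Writing back with cat preserves the file's owner and mode.
    if sed 's/^\([[:space:]]*s1="\$(grep -cv .*\)\${masterfile}/\1${mastercat}/' \
            "$f" > "$tmp" && cat "$tmp" > "$f"; then
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 2
    fi
    echo "patched"
}

# Usage: sh this-script /usr/local/pkg/pfblockerng/pfblockerng.sh
if [ "$#" -gt 0 ]; then
    patch_sanity_check "$1"
fi
```

After the edit, the remaining steps from the thread still apply: disable and re-enable pfBlockerNG, then force reload all.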
                                            borgotech @TommyMoo

                                            @TommyMoo
                                            Thank you very much for the answer, as I mentioned above I am on the latest version of PfblockerNG devel pfBlockerNG-devel 3.2.10 and the latest stable version of PfSense+ Version 25.07.1-RELEASE (amd64). The patch in your post and the previous ones do not work because the changes have already been made to the latest version.
                                            pfblocker_error.jpg
                                            Anyway, thanks again..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.