PfblockerNG not working

Mr. Jingles

@RonpfS:

and you have to leave the DNS Server blank in General / Setup.

Thanks Ron, new to me  :P

Especially since in setup/general it says:

When using multiple WAN connections there should be at least one unique DNS server per gateway

I have dual WAN so I can't leave it blank (?)

RonpfS

@Mr.:

@RonpfS:

and you have to leave the DNS Server blank in General / Setup.

Thanks Ron, new to me  :P

Especially since in setup/general it says:

When using multiple WAN connections there should be at least one unique DNS server per gateway

I have dual WAN so I can't leave it blank (?)

I don't have multiple WAN connections at the moment, so I might be wrong.

But with DNSBL everything has to go to the Resolver for DNSBL to function.

In this case there is only one WAN as on my system. By leaving it blank, pfsense will use 127.0.0.1 if the Disable DNS Forwarder  isn't check

By default localhost (127.0.0.1) will be used as the first DNS server where the DNS Forwarder or DNS Resolver is enabled and set to listen on Localhost, so system can use the local DNS service to perform lookups.

Diagnostics / DNS Lookup on the FW will use the Resolver and will redirect to the VIP when a Domain is blocked by pfBlockerNG DNSBL.

If DNS servers are used in the General Setup, the FW bypass the resolver and DNSBL. But clients pointing to the DNS resolver will still have DNSBL blocking.
In this situation you can't use the Diagnostics / DNS Lookup on the FW for debugging DNSBL. You then need to do DNS Lookup on clients that point to the Resolver.

However if the DNS Resolver is configured in "Forwarder mode", the everyone including pfSense will use the DNS settings and bypass the Resolver and DNSBL.

RonpfS

@Mr.:

When using multiple WAN connections there should be at least one unique DNS server per gateway

The recommandation probably comes from pfSense version previous to 2.2, when DNS Forwarder was the default. With the DNS Forwarder, it was good practice to have a DNS server per WAN gateway to provide for redundancy in the event of a gateway going down.

Since 2.2 the default changed to DNS Resolver, so I don't think there is a need to put any DNS Server in General Setup with Enable Forwarding Mode disabled. Unbound will contact the Root Servers and provide name service on it's own.

stan-qaz

I'd like to run pfBlocker with the DNSBLS enabled for one of my LANs but not the rest of them. The reason for that is I have Android tablets and Chromebooks that are nearly unusable for web browsing without external ad-blocking but for my PCs and laptops I want to use blocking software on each machine that is a bit more flexible and simple for the users to work with.

I have the firewall rule system of pfBlocker running on the WiFi LAN that the tablets and chromebooks connect to and it is quite nice. I have experimented with the DNSBL system and it breaks a lot of websites that the PC/laptop software doesn't but it really helps the tablet/chromebook systems. If I could run it just for the problemsystems I'd do that. I could set the PCs and laptops to not use pfSense for DNS but that would make local name resolution a lot more work.

I'm new at this sort of thing but I hope to figure out something that will work for me that won't eat a lot of hours or require a lot of hand-holding for users that hit glitches.

BBcan177

@stan-qaz:

I have experimented with the DNSBL system and it breaks a lot of websites that the PC/laptop software doesn't but it really helps the tablet/chromebook systems.

Review the Alerts Tab and Whitelist the Domains that are causing issues…. You can also F12 in the Browser to load Dev Mode, and goto "Console" to see what's being blocked...  Once you weed out the FPs, you should be fine...

tushar

I would say pfblockerNG working now as it looks to me. blocking ADs mostly and DNS Lookup also working for blocked lists on 127.0.0.1.

here some screenshot for config i did please correct me where ever im wrong.  :)

BBcan177

You only enabled the one Easylist Feed in the EasyList Tab… click the "Add" button to add the second hardcoded EasyList Feed...  (EasyList and EasyPrivacy)

EasyList Feeds are not 100% compatible with DNSBL.... DNSBL requires the Domain to be able to block the DNS request.... ADBlock can manipulate the HTML on a webpage and remove ADverts that way.... So this is why I have only hardcoded the two EasyList Feeds.... I may add some of the other Language specific EasyList feeds in future as time permits.... But the fanboy feed is not compatible at all.... Just open that Feed in your browser and you will see what I mean....

BBcan177

Click the blue Infoblock Icon in the DNSBL Feeds Tab when editing a "Group"….

The "DNSBL Settings" infoblock has this text:

Note:  AdBlock Easylists cannot be used in this Tab.

tushar

BBCan177,

Ok. you mean i have to add both listing EasyList w/o Elements and Easylist privacy.

yes you are correct Fanboy Feed wont work way it coded…

https://easylist-downloads.adblockplus.org/fanboy-social.txt

-box-facebook_
-box-twitter_
-btn-facebook.
-btn-fb-
-btn-instagram.
-btn-pinteres.

tushar

@BBcan177:

Click the blue Infoblock Icon in the DNSBL Feeds Tab when editing a "Group"….

The "DNSBL Settings" infoblock has this text:

Note:  AdBlock Easylists cannot be used in this Tab.

Yes yes im not using ADBlock EasyList… also as you said mentioned there Easylist cannot be used