Lose ability to access internet with pfBlockerNG?
-
I'm running pfSense 2.4.1 with pfBlockerNG version 2.1.2_1. For some reason, after a little bit of use, I lose the ability to even get to the internet for a few minutes. Then it comes back and works as it should. After some time, the same thing again: I lose the ability to get to the internet. Has anyone had these issues? What am I doing wrong?
I just started using pfSense a couple of weeks ago and decided to have pfBlockerNG take over the duties of my Pi-hole, but it seems it isn't stable. If I disable pfBlockerNG and use my Pi-hole instead, I have no issues.
When I say I lose the internet, I don't just lose blocked sites. I can't even get to any site, blocked or not. If I ping a known blocked site like doubleclick, it doesn't even get out for a response.
-
First step is to enable the DNS Resolver (Unbound) and ensure that it's working (in resolver mode or forwarder mode) without the package enabled. Sometimes DNSSEC can cause issues if you're using forwarder mode, depending on what external DNS server you defined. Not all external DNS servers support DNSSEC.
Then make sure that all your LAN devices are pointing to pfSense only for their DNS settings.
Then enable pfBlockerNG DNSBL.
If you have a multi-segmented LAN (i.e. VLANs), enable the DNSBL permit firewall rule option so that all of the LAN subnets can access the DNSBL VIP address. This option will create a floating permit rule for the applicable interfaces that you define in that option.
So each LAN device should be able to:
- ping the DNSBL VIP address and get a reply
- Browse to the DNSBL VIP and get the 1x1 pixel
Hope that helps!
-
I have 1 WAN, 1 LAN. Nothing complicated.
LAN device is only pointing to pfSense for DNS settings.
pfBlockerNG DNSBL is enabled.
When I ping the DNSBL VIP address, I do get a reply. As noted before, it works just fine half the time.

C:\Users\bw0123>ping 10.10.10.1
Pinging 10.10.10.1 with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

When working, I can also ping doubleclick.net, and that works too and is blocked:

C:\Users\bw0123>ping doubleclick.net
Pinging doubleclick.net [10.10.10.1] with 32 bytes of data:
Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

The issue I have is, after some time of browsing the web, everything about getting to the internet stops working, and when I ping anything, I just can't:

C:\Users\bw0123>ping doubleclick.net
Ping request could not find host doubleclick.net. Please check the name and try again.

C:\Users\bw0123>ping google.com
Ping request could not find host google.com. Please check the name and try again.

If I wait a couple of minutes, everything returns to normal and pings/internet access work.
After some more time, it doesn't work again. Rinse, repeat, etc.
-
It looks like either an issue on the LAN side or the gateway… Can you test from a different lan device?
Do you have any clues in the pfSense system log or the resolver log?
In the Resolver adv settings, increase the log verbosity to "3" to get more detailed resolver logs...
And does ipconfig /all list the correct LAN interface settings?
-
Yes, when I run ipconfig /all, I get all the correct settings on my machine. Whenever I make any changes on the router that I know might change DNS, I do an ipconfig /renew. I don't have another Windows machine to try from, but the loss of internet also happens on my Android phones and tablets, where it might be harder for me to figure things out.
I might add that when I can't get out anywhere, I can still ping the VIP and get a reply from 10.10.10.1.
I will change some settings to get more logging. Although this is my home network, the wife and kid aren't happy when I take the network down to play…lol.
I appreciate you helping. Thanks. I'll post more logs when I can.
-
In the routing log, I get the below, which also shows up when things are working. I think it might be an IPv6 thing.
Nov 4 17:55:24 radvd 41975 sendmsg: Permission denied
For the DNS resolver log, the below.
Time Process PID Message
11/4/2017 17:53 unbound 68012:0 info: implicit transparent local-zone . TYPE0 IN
11/4/2017 17:52 unbound 68012:0 info: lower(secs) upper(secs) recursions
11/4/2017 17:52 unbound 68012:0 info: 0.131072 0.262144 3
11/4/2017 17:52 unbound 68012:0 debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
11/4/2017 17:52 unbound 68012:0 debug: close of port 21479
11/4/2017 17:52 unbound 68012:0 debug: close fd 35
11/4/2017 17:52 unbound 68012:0 debug: close of port 30368
11/4/2017 17:52 unbound 68012:0 debug: close fd 30
11/4/2017 17:52 unbound 68012:0 debug: close of port 15755
11/4/2017 17:52 unbound 68012:0 debug: close fd 33
11/4/2017 17:52 unbound 68012:0 debug: close of port 54868
11/4/2017 17:52 unbound 68012:0 debug: close fd 53
11/4/2017 17:52 unbound 68012:0 debug: close of port 18489
11/4/2017 17:52 unbound 68012:0 debug: close fd 37
11/4/2017 17:52 unbound 68012:0 debug: close of port 52789
11/4/2017 17:52 unbound 68012:0 debug: close fd 63
11/4/2017 17:52 unbound 68012:0 debug: close of port 56551
11/4/2017 17:52 unbound 68012:0 debug: close fd 23
11/4/2017 17:52 unbound 68012:0 debug: close of port 57953
11/4/2017 17:52 unbound 68012:0 debug: close fd 42
11/4/2017 17:52 unbound 68012:0 info: server stats for thread 3: 32 queries, 13 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
11/4/2017 17:52 unbound 68012:0 info: server stats for thread 3: requestlist max 12 avg 7.05263 exceeded 0 jostled 0
11/4/2017 17:52 unbound 68012:0 info: mesh has 14 recursion states (12 with reply, 0 detached), 16 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
11/4/2017 17:52 unbound 68012:0 info: average recursion processing time 0.181934 sec
11/4/2017 17:52 unbound 68012:0 info: histogram of recursion processing times
11/4/2017 17:52 unbound 68012:0 info: [25%]=0 median[50%]=0 [75%]=0
11/4/2017 17:52 unbound 68012:0 info: lower(secs) upper(secs) recursions
11/4/2017 17:52 unbound 68012:0 info: 0.131072 0.262144 3
11/4/2017 17:52 unbound 68012:0 debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
11/4/2017 17:52 unbound 68012:0 debug: close of port 65343
11/4/2017 17:52 unbound 68012:0 debug: close fd 36
11/4/2017 17:52 unbound 68012:0 debug: close of port 57340
11/4/2017 17:52 unbound 68012:0 debug: close fd 39
11/4/2017 17:52 unbound 68012:0 debug: close of port 14419
11/4/2017 17:52 unbound 68012:0 debug: close fd 25
11/4/2017 17:52 unbound 68012:0 debug: close of port 18073
11/4/2017 17:52 unbound 68012:0 debug: close fd 31
11/4/2017 17:52 unbound 68012:0 debug: close of port 28124
11/4/2017 17:52 unbound 68012:0 debug: close fd 66
11/4/2017 17:52 unbound 68012:0 debug: close of port 18404
11/4/2017 17:52 unbound 68012:0 debug: close fd 24
11/4/2017 17:52 unbound 68012:0 debug: close of port 14335
11/4/2017 17:52 unbound 68012:0 debug: close fd 38
11/4/2017 17:52 unbound 68012:0 debug: close of port 25933
11/4/2017 17:52 unbound 68012:0 debug: close fd 52
11/4/2017 17:52 unbound 68012:0 debug: close of port 18124
11/4/2017 17:52 unbound 68012:0 debug: close fd 34
11/4/2017 17:52 unbound 68012:0 debug: close of port 29341
11/4/2017 17:52 unbound 68012:0 debug: close fd 44
11/4/2017 17:52 unbound 68012:0 notice: Restart of unbound 1.6.6.
Not sure what it all means.
-
If you do
nslookup doubleclick.net
Server: pfsense.somewhere
Address: 172.47.18.71
Name: doubleclick.net
Address: 10.10.10.1
you should see your pfsense box replying.
If not, then either your pfSense configuration for the DNS service is incorrect, or your LAN device uses another DNS server for its answers. Check your device's DNS configuration; if you are using an Internet Security suite like AVG, it may override DNS resolution. Have a look at
@BBcan177: So after much troubleshooting and trying things at the firewall level, I disabled my full AVG protection and it works on the host(s) in question. So I have to granularly figure out which service in AVG is messing up my DNS.
I think this is what you were looking for:
https://help.avg.com/en/avg_free/17/securityantivirus_securedns.html
You can configure the pfSense DHCP server to provide the correct DNS/DNSBL server for devices.
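The check this thread converges on, scripted (an added example, not code from pfBlockerNG, pfSense or anyone posting here): send an A query straight to the pfSense resolver for a name the DNSBL should block, confirm the answer is the DNSBL VIP, then ask the OS resolver for the same name, which is the path a product like AVG Secure DNS can take over. If the direct answer is the VIP but the OS resolver gives a real address, NXDOMAIN or nothing, the problem is on the host, not the firewall. The VIP 10.10.10.1 and resolver address 172.47.18.71 are the values visible in the thread's own output and are assumptions for any other network; build_a_response() constructs a fake reply so the parsing can be exercised without a network.

```python
# Added example (not pfBlockerNG/pfSense code): a scripted version of the thread's
# "nslookup doubleclick.net should come back as the DNSBL VIP" check.
# The two addresses are the ones shown in the thread; they are assumptions elsewhere.
import random
import socket
import struct
import sys

DNSBL_VIP = "10.10.10.1"       # DNSBL virtual IP from the thread's ping output
PFSENSE_DNS = "172.47.18.71"   # pfSense resolver from the thread's nslookup output


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid=None):
    """Plain A/IN query with RD set and no EDNS, much like nslookup sends."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)      # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):
    """Offset just past a name, handling RFC 1035 compression pointers."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        off += 1 + length

def parse_a_records(resp, expected_id):
    """Return (rcode, [IPv4 strings]) from a response, rejecting a mismatched ID."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("response ID %04x does not match query ID %04x" % (qid, expected_id))
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4            # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return rcode, ips

def classify(rcode, ips, vip=DNSBL_VIP):
    """VIP only = DNSBL blocked it; NXDOMAIN = the "could not find host" the OP saw."""
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error-rcode-%d" % rcode
    if not ips:
        return "no-a-records"
    if set(ips) == {vip}:
        return "blocked-by-dnsbl"
    return "not-blocked"

def query_a(name, server, timeout=2.0):
    """Send the query straight to `server` on UDP/53, bypassing the OS resolver."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp, qid)

def system_resolve(name):
    """What the host really uses; a mismatch with query_a() means something local answers."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def build_a_response(query, ips, rcode=0):
    """Constructed response for offline use: echo the question, add A records at pointer 0xC00C."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + answers


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "doubleclick.net"
    server = sys.argv[2] if len(sys.argv) > 2 else PFSENSE_DNS
    try:
        rcode, direct = query_a(name, server)
        print("direct to %s: %s %s" % (server, classify(rcode, direct), direct))
    except socket.timeout:
        print("direct to %s: no reply (is pfSense reachable on UDP/53?)" % server)
    print("via OS resolver: %s" % system_resolve(name))
```

Run it from a LAN client with the blocked name and the pfSense address as arguments. The direct query is the equivalent of pointing nslookup at the firewall; the OS resolver line is what browsers and ping actually get, so a "blocked-by-dnsbl" direct answer next to a real address or an empty list from the OS resolver is the AVG-style override this thread ended on.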