Netgate Discussion Forum

    When computer giving a static ipaddress bfblocker doesnt work

    pfBlockerNG
      dgall

      On my network of about 10 computers, some of them I have to give a static IP address for security accessing servers and NAS and for logging in from home. But when I give them a static IP address it also makes me put in a DNS server, and when I do that pfBlocker stops blocking anything from those computers. I'm guessing it's something in the way I set up the DHCP server or DNS resolver (on the 3 attached pictures). pfBlocker works like a champ on "Obtain DNS server automatically", which I can't do with a set IP address. What the heck am I doing wrong?

      (Attachments: IPv4 confergured.jpg, only dns configured.jpg, not configured.jpg)

        dgall

        Can someone else try to give their computer a static IP address and see if pfBlocker still works for them? I am stumped.

          bmeeks

          @dgall: you simply need to give the static IP address computers the IP address of your pfSense firewall's LAN interface as the DNS server. When you run the DNSBL ad blocking stuff, then the firewall's unbound DNS resolver should be the DNS server for all of your network devices.

          So for your static IP machines, set the DNS server to be 192.168.1.1 (the same as their gateway).

            dgall

            My Windows 10 computers will not accept 192.168.1.1 as that gateway and DNS server, and attached are my settings in pfSense. I read up and watched about 10 YouTube videos on configuring this, and from what I see I have done everything by the book. Go ahead and test pfBlocker with a static IP address and see if you have the same results.

            (Attachments: DNS RESOLVER.jpg, DHCP LAN SERVER.jpg)

              Gertjan @dgall

              @dgall said in When computer giving a static ipaddress bfblocker doesnt work:

              My Windows 10 computers will not accept 192.168.1.1 as that gateway

              That's strange.
              I'm using that one for several decades now. And probably half the planet with me.

              If you want to use pfBlockerNG, it should receive the DNS requests - so it can 'see' the host name, and act upon it (execute the DNS request, or return 'nothing' if it needs to get blocked).
              Yet, you tell your LAN clients to use another DNS, somewhere on the Internet - this totally short-circuits pfBlockerNG:

              [image]

              I advise you to leave all LAN clients on their default DHCP set up.
              If some of them need a 'fixed' IP, use the DHCP static lease option.

              No need to do this :

              [image]

              as it is the default.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                dgall

                Got it. Where I got confused was on the preferred and alternate DNS server. I tried putting in 192.168.1.1 as both and it would not accept it. I put in preferred 192.168.1.1 and alternate 192.168.1.0 and now porn and bad websites are blocked again.

                (Attachment: DNS SERVER.jpg)

                  dgall @dgall

                  @dgall Worked for two minutes, then everything bypassed the firewall. I am up for suggestions.

                    Gertjan

                    This :

                    [image]

                    is a non-existing IP address. If you really have a device with this IP, please choose another one.
                    No dot 0 and no dot 255, as they are special.
                    It's normal and OK if you fill in only one, the 192.168.1.1.

                    And again: stay away from static IP assignment. It's error prone and only exists for very temporary situations where no DHCP server is available.

                      dgall @Gertjan

                      @Gertjan I left the alternative DNS blank and it's still not blocking. I like having my network mapped with dedicated addresses: when a suspicious IP address is hooked up to the net or someone is hogging the bandwidth, I know exactly what computer it is. I have several employees working from home and their IP addresses must stay the same for them to log in, and for some reason I have had the IP address of the computers change before, and I can't have that happen, so that is why I want static IP addresses.

                        bmeeks @dgall

                        @dgall said in When computer giving a static ipaddress bfblocker doesnt work:

                        @Gertjan I left the alternative DNS blank and it's still not blocking. I like having my network mapped with dedicated addresses: when a suspicious IP address is hooked up to the net or someone is hogging the bandwidth, I know exactly what computer it is. I have several employees working from home and their IP addresses must stay the same for them to log in, and for some reason I have had the IP address of the computers change before, and I can't have that happen, so that is why I want static IP addresses.

                        @dgall:

                        Don't confuse the DNS setting on the pfSense General Setup page with the DNS Server setting on your clients. We are saying you must put the 192.168.1.1 IP address as the only DNS server for all of your clients (including the static IP ones). When you use DHCP, pfSense is automatically giving your clients the correct DNS server to use and thus ad blocking is working. From your original screen shots, when you configured some clients with a static IP you were giving them other DNS servers out on the Internet, thus they were bypassing pfSense and pfBlockerNG-devel (thus ads were not blocked).

                        Do you know what DNS caching is? Your Windows client, if not rebooted, will cache a previous DNS response for an amount of time called the TTL (time to live). Each DNS entry will come back with a TTL from its authoritative domain server. So that tells the client how long that name-to-IP lookup is good for, and thus the client does not need to repeat a lookup on that same domain name if it encounters it again (at least it does not need to repeat the lookup until the TTL has expired). So your Windows clients, if not rebooted or if their DNS cache is not flushed, may very well be using cached entries in some cases.

                        The correct way to configure this is what we have told you. All of your clients, whether using a static IP address or DHCP, must use your pfSense firewall and its unbound DNS Resolver for DNS in order for pfBlockerNG-devel and DNSBL to work and block ads for you. If any client on your network has a DNS server specified other than your firewall, then pfBlockerNG-devel and DNSBL ad blocking cannot work for that client.

                          dgall @bmeeks

                          @bmeeks I think I did have it right. pfBlocker is blocking everything in my lists; the only thing not working is Shallalist, and naturally to test it I was clicking on porn sites only listed in Shallalist. But when I click on websites in the malicious website lists it blocks them perfectly.

                          (Attachment: shallalist.jpg)

                            bmeeks @dgall

                            @dgall said in When computer giving a static ipaddress bfblocker doesnt work:

                            @bmeeks I think I did have it right. pfBlocker is blocking everything in my lists; the only thing not working is Shallalist, and naturally to test it I was clicking on porn sites only listed in Shallalist. But when I click on websites in the malicious website lists it blocks them perfectly. (Attachment: shallalist.jpg)

                            In your earlier posts it was not clear that only certain pfBlockerNG-devel lists were not working. It sounded like you were saying no pfBlockerNG-devel DNSBL lists were working. The most common use here for DNSBL seems to be ad blocking of one sort or another, so I assumed that's what you were doing.

                            If you are having issues with a single list, you need to investigate the IP addresses that are bypassing the list and see why (highly likely they are not covered by the IP list). The most common problem with lists that try to block popular things is that the popular services (be they porn, Netflix or even a large news web site) use diverse CDNs (content delivery networks) that use IP address pools and servers from all over the world. So it is possible for a new CDN IP address block to not yet be on an IP block list. Conversely, it is also possible for an IP block that once served say "less legitimate" traffic to now be 100% legit. The result in that latter case is something you want to let in is instead blocked by the IP list. So it cuts both ways.

                            The very first post in this thread where you showed the static IP clients being assigned the 208.67.220.222 and 208.67.222.220 addresses was incorrect insofar as pfBlockerNG-devel setup goes. Those IPs are OpenDNS servers, and while they do have the ability to filter some objectionable content if you have the proper account with them, it would not have anything to do with pfBlockerNG-devel. When you use those DNS servers on a client, then pfBlockerNG-devel is 100% out of the loop for those clients.

                              dgall

                              Last bug worked out. I had a Firefox browser bypassing pfBlocker, and DoH (DNS over HTTPS) was checked. As soon as I unchecked that, pfBlocker also blocked Firefox.

                              (Attachment: FIREFOX dns over HTTPS.jpg)

                                bmeeks

                                Thanks for reporting back. It's a pain in the butt when your browser goes behind your back and chooses its own DNS server. That will undermine a lot that you try to do on the controlling side.

                                So it sounds like you had two issues. The first one was the DNS server misconfiguration on the static IP clients (the screenshots in your first post), and the other issue was Firefox doing its own DNS lookups over HTTPS (via DoH).

                                  Gertjan @dgall

                                  @dgall said in When computer giving a static ipaddress bfblocker doesnt work:

                                  (DNS over HTTPS)

                                  See the very first post in the DHCP and DNS forum.
                                  Normally, this mode isn't activated by default in Firefox .....

                                    dgall @Gertjan

                                    @Gertjan Yes, you were correct, but the way I had it configured all my browsers bypassed pfBlocker. Then after I put in 192.168.1.1 as my preferred DNS, only my Firefox was bypassing pfBlocker.

                                      dgall @bmeeks

                                      @bmeeks Thank you, bmeeks. I am somewhat tech savvy, but other times I am a paint-by-number type guy. I watched about 6 different videos on how to set up pfBlocker and not one of them had anything about putting in the settings for a preferred DNS when doing a static IP address on a computer, and out of habit I put in the OpenDNS server IP.
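
Added example, not part of the thread and not pfBlockerNG code: a Python check for the two bypasses the thread ends up identifying, a client DNS server other than the firewall's resolver and Firefox DoH. The `ipconfig /all` text and the `prefs.js` line are constructed samples; the /24 LAN and all function names are assumptions, and only an explicit `network.trr.mode` setting is detected.

```python
import ipaddress
import re

RESOLVER = ipaddress.ip_address("192.168.1.1")  # pfSense LAN IP named in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumption: a /24 LAN
# Constructed sample of `ipconfig /all` output from a static-IP Windows client.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       192.168.1.0
                                       208.67.220.222
"""
# Constructed sample line from a Firefox profile's prefs.js.
SAMPLE_PREFS = 'user_pref("network.trr.mode", 2);'

def dns_servers(ipconfig_text):
    """Return every DNS server listed, including continuation lines."""
    servers, in_dns = [], False
    for line in map(str.rstrip, ipconfig_text.splitlines()):
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            servers.append(first.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f.:%]+", line):
            servers.append(line.strip())  # extra servers sit on their own lines
        else:
            in_dns = False
    return servers

def audit(ipconfig_text):
    """Classify each configured DNS server against the firewall resolver."""
    verdicts = {}
    for server in dns_servers(ipconfig_text):
        ip = ipaddress.ip_address(server)
        if ip == RESOLVER:
            verdicts[server] = "ok: queries reach the firewall resolver"
        elif ip in (LAN.network_address, LAN.broadcast_address):
            verdicts[server] = "invalid: network or broadcast address"
        else:
            verdicts[server] = "bypass: DNSBL never sees these queries"
    return verdicts

def firefox_doh_on(prefs_js):
    """True when network.trr.mode is 2 (DoH first) or 3 (DoH only)."""
    m = re.search(r'user_pref\("network\.trr\.mode",\s*(\d+)\)', prefs_js)
    return bool(m) and m.group(1) in ("2", "3")

if __name__ == "__main__":
    print(audit(SAMPLE_IPCONFIG), firefox_doh_on(SAMPLE_PREFS))
```

After changing a client's DNS server, flush its DNS cache or reboot before re-testing, since cached answers can outlive the change until their TTL expires.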

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.