Netgate Discussion Forum
    pfBlockerNG IPV4 problem

    18 Posts 4 Posters 1.1k Views
rtkluttz

I'm having an issue with the IPv4 custom lists in pfBlockerNG. I have 2 lists, a whitelist that allows good sites in even if they show up in the GeoIP section, and a blacklist that denies all inbound. For some reason the whitelist policy gets a firewall rule created with the proper IPs in it. The blacklist rule always only has 1.1.1.1 despite quite a few more IPs and IP ranges in the ruleset. The only difference I can find between the blacklist and whitelist rule is the action: Deny_inbound vs Permit_inbound.

      For instance.. my IPv4 alias is "BlacklistIPRanges" and it has the following in it:
      45.150.206.0/24
      77.40.2.0/24
      77.40.3.0/24
      141.98.80.79/32

      When I force an update and go look at the rule that gets generated under firewall, the only IP in the rule is 1.1.1.1

      Again, the whitelist rule works perfectly and updates properly.

stephenw10 (Netgate Administrator)

        I assume it does actually have 1.1.1.1 in it?

        Is that just as a test because that's an odd IP to block inbound?

        Steve

rtkluttz @stephenw10

          @stephenw10

          Sorry for the long delay on the answer.

Yes and no. The IPs in that list are blocked in both directions, not just inbound. So 1.1.1.1 is in there blocked OUTBOUND so that nothing on my network uses DoH. But just to be sure, I took 1.1.1.1 out of the list and ran an update, and the rule that gets created still has ONLY 1.1.1.1 in it.

stephenw10 (Netgate Administrator)

            So the alias is populated correctly but the rule is not generated correctly against the alias?

            Can we see a screenshot showing that?

            How do you have the pfBlocker rule creation configured?

            Steve

rtkluttz @stephenw10

              @stephenw10
              Yes. The alias seems to be correct, but the rule only gets generated with 1.1.1.1 even when I have removed 1.1.1.1 from the custom IPV4 list.

Whoops, looked at the wrong place. I have created a MANUAL alias that does what I need until I get this working. The alias created by the custom IPv4 rule is a URL pointing to a file on the pfSense box. What is the location of that file so I can check it manually?

rtkluttz @stephenw10

                @stephenw10

Here are the screenshots you requested.

[screenshots: Screenshot_2020-12-07_15-10-59.png, Selection_105.png, Selection_106.png]

stephenw10 (Netgate Administrator)

You can look in Diag > Tables to see how that URL alias has been populated, but it should be the same as the mouse-over, which implies it's not populating.

                  You can see the files in /var/db/aliastables/.

                  Run a manual update in pfBlocker and check the logs.

                  Steve

rtkluttz @stephenw10
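The check Steve describes above (Diag > Tables and the files under /var/db/aliastables/) can be done by script instead of by mouse-over. The following is an added example, not code from the thread, from Netgate or from pfBlockerNG: it compares the networks you configured in a custom IPv4 list with what the firewall actually loaded, and fails when anything is missing, which is exactly the situation in this thread (alias looks right, live table holds only 1.1.1.1). The pf table name and file path in the comments are assumptions; take the exact alias name from Diag > Tables on your own box. The sample data at the bottom is constructed from the poster's list.

```shell
#!/bin/sh
# Added example; not code from the thread, from Netgate or from pfBlockerNG.
# Checks that the table pfSense actually loaded contains every network
# configured in a pfBlockerNG custom IPv4 list.
#
# On a real pfSense box the two inputs come from (alias name assumed; take
# the exact name from Diag > Tables on your system):
#   pfctl -t pfB_BlacklistIPRanges -T show            > /tmp/loaded.txt
#   cat /var/db/aliastables/pfB_BlacklistIPRanges.txt  # file behind the URL alias
# and the configured list is whatever you pasted into the custom list box.

# Normalise a list: drop comments, blank lines and whitespace, and strip a
# redundant /32 so "141.98.80.79/32" (config) equals "141.98.80.79" (pfctl).
normalize_list() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e 's#/32$##' | sort -u
}

# Print every configured entry that is absent from the loaded table.
# Usage: missing_entries <configured-file> <loaded-file>
missing_entries() {
    c_tmp=$(mktemp) && l_tmp=$(mktemp) || return 2
    normalize_list < "$1" > "$c_tmp"
    normalize_list < "$2" > "$l_tmp"
    comm -23 "$c_tmp" "$l_tmp"      # lines present only in the configured list
    rm -f "$c_tmp" "$l_tmp"
}

# Return 0 when the whole list is loaded, 1 (listing the gaps on stderr) otherwise.
verify_table() {
    gaps=$(missing_entries "$1" "$2") || return 2
    if [ -n "$gaps" ]; then
        printf 'configured but NOT loaded into the table:\n%s\n' "$gaps" >&2
        return 1
    fi
    return 0
}

# Constructed sample input mirroring the thread: the four networks the poster
# configured, and the single address the generated rule actually contained.
CONFIGURED_SAMPLE='45.150.206.0/24
77.40.2.0/24
77.40.3.0/24
141.98.80.79/32'
LOADED_SAMPLE='1.1.1.1'

# Write the constructed sample to temp files and run the check on them.
demo() {
    c=$(mktemp) && l=$(mktemp) || return 2
    printf '%s\n' "$CONFIGURED_SAMPLE" > "$c"
    printf '%s\n' "$LOADED_SAMPLE" > "$l"
    verify_table "$c" "$l"
    status=$?
    rm -f "$c" "$l"
    return $status
}

# With the sample data this reports all four networks as missing and fails.
demo || echo "table check failed (exit $?)" >&2
```

Run it after "Force Update" and again after "Force Reload": a list that is only correct after the reload, as in this thread, is a sign the cron update is not regenerating the table, and the stderr output names exactly which networks your deny rule is not covering in the meantime.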

                    @stephenw10

                    Tables does show only 1.1.1.1. I also ran manual update again... still showing 1.1.1.1. Log is below.

                    Manual update log

                     UPDATE PROCESS START [ 12/07/20 16:14:22 ]
                    
                    Clearing all DNSBL Feeds... 
                    ** DNSBL Disabled **
                    
                    
                    ===[  Continent Process  ]============================================
                    
                    [ pfB_Africa_v4 ]	 exists.
                    [ pfB_Africa_v6 ]	 exists.
                    [ pfB_Asia_v4 ]		 exists. [ 12/07/20 16:14:23 ]
                    [ pfB_Asia_v6 ]		 exists.
                    [ pfB_Europe_v4 ]	 exists.
                    [ pfB_Europe_v6 ]	 exists.
                    [ pfB_NAmerica_v4 ]	 exists.
                    [ pfB_NAmerica_v6 ]	 exists.
                    [ pfB_Oceania_v4 ]	 exists.
                    [ pfB_Oceania_v6 ]	 exists.
                    [ pfB_SAmerica_v4 ]	 exists.
                    [ pfB_SAmerica_v6 ]	 exists.
                    
                    ===[  IPv4 Process  ]=================================================
                    
                    [ WhitelistIPRanges_custom ] exists.
                    [ WhitelistDomainName_custom ] exists.
                    [ BlacklistIPRanges_custom ] exists.
                    ===[  Aliastables / Rules  ]================================
                    
                    Firewall rule changes found, applying Filter Reload
                    
                     UPDATE PROCESS ENDED [ 12/07/20 16:14:24 ]
                    
                    
stephenw10 (Netgate Administrator)

Sorry, try running a full reload there, not an update.

rtkluttz @stephenw10

                        @stephenw10

                        Aha, that got it! I still don't know why the cron task ORIGINALLY was not updating the full list. But once I started using my manual disable list, I turned cron off because it kept changing my rule order. I will turn cron back on and make a change to the list then report tomorrow if it updates properly on its own.

RonpfS @rtkluttz

                          @rtkluttz said in pfBlockerNG IPV4 problem:

                          it kept changing my rule order.

                          If Auto Rules doesn't fit your setup, use Action : Alias and create your own FW Rules with these aliases.

                          2.4.5-RELEASE-p1 (amd64)
                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

rtkluttz @rtkluttz

                            @rtkluttz

Ok, the cron ran, but it is not picking up changes to my IPv4 blacklist. I have the blacklist set to an update frequency of once per day, and the overall cron setting on the general tab is set to once per day. But if I make any change to the custom IPv4 deny list, the changes don't show up unless I do the force with the complete reload option ticked. Is this correct? I don't mind having to do that every time, but it makes me wonder if it is never truly picking up changes from MaxMind either unless I hit the reload option.

stephenw10 (Netgate Administrator) @rtkluttz

                              What Cronjob is it running? It certainly should be updating that.

rtkluttz @stephenw10

                                @stephenw10

The one that gets enabled by the cron settings on the general tab, and the one in the list itself, is the only way I know how to answer you.

[screenshots: Selection_107.png, Selection_108.png]

stephenw10 (Netgate Administrator)

                                  Ok so try setting the update interval to something less than the reload interval. Like it says there: 'within the Cron Interval'.

                                  Steve

rtkluttz @stephenw10

                                    @stephenw10

Ok, to get a faster picture of whether it was working, I set the general tab's schedule to once every 2 hours and set the blacklist custom list update time to 1 hour. After making those changes and saving them, I edited the custom list and then left it for 3 hours or so. It still did not update on its own.

stephenw10 (Netgate Administrator)

                                      Hmm, check the crontab. You can use the Cron package to do that via the GUI.

BBcan177 (Moderator) @rtkluttz

                                        @rtkluttz said in pfBlockerNG IPV4 problem:

                                        Upgrade to pfBlockerNG-devel.

                                        "Experience is something you don't get until just after you need it."

                                        Website: http://pfBlockerNG.com
                                        Twitter: @BBcan177  #pfBlockerNG
                                        Reddit: https://www.reddit.com/r/pfBlockerNG/new/
