PfBlockerNG/DNSBL can't get it to work on multiple interfaces.



  • Just set pfBlockerNG/DNSBL up the other night to block ads. It's working perfectly and I absolutely love it. Problem is I can get it to work on the primary internal interface (LAN) but can't get it to work on the secondary interface (OPT1).  By default the outbound firewall rules were only set to LAN. I added OPT1 as you can see in the screenshot, which hasn't had any effect. Any help would be appreciated.

    Edit: also found a setting called "DNSBL Firewall Rule" and tried enabling it and selecting both interfaces there too. That didn't work either.
    ![Screen Shot 2017-05-15 at 7.32.18 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-15 at 7.32.18 PM.png)


  • Moderator

    The General Tab Interface settings are only used for the IP portion of the package (IPv4/6/GeoIP/DNSBL_IP).

    You need to add the "DNSBL Firewall Rule" to allow other interfaces to be able to access the DNSBL VIP.

    You should be able to ping (receive a response) and Browse to the DNSBL VIP Address (1x1 pixel).

    Check your NAT and/or Limiters (if you have limiters)…

    Recent Thread about Limiters:
    https://forum.pfsense.org/index.php?topic=129653.0



  • @BBcan177:

    The General Tab Interface settings are only used for the IP portion of the package (IPv4/6/GeoIP/DNSBL_IP).

    You need to add the "DNSBL Firewall Rule" to allow other interfaces to be able to access the DNSBL VIP.

    You should be able to ping (receive a response) and Browse to the DNSBL VIP Address (1x1 pixel).

    Check your NAT and/or Limiters (if you have limiters)…

    Recent Thread about Limiters:
    https://forum.pfsense.org/index.php?topic=129653.0

    I appreciate the reply and it helped me quite a bit, but I'm still not quite there. Sorry if I ask a lot of questions, but I'm sure my networking knowledge is limited compared to yours. I had no idea what limiters were (I'm sure I'll look into them later), but unless something else added them I was pretty sure I had none, and I checked and there are none. I had some of the issues that you discussed. If I connected to the guest network where adblocking isn't working I could not ping 10.10.10.1 (the VIP address for DNSBL). The reason being is because I blocked all traffic from the guest network from accessing "This Firewall (self)", which after my testing confirmed blocked me from pinging the VIP address. I don't understand why, but for now I've disabled the rule until I get this all figured out.

    I then noticed DNSBL created two firewall NAT rules and I essentially copied them for my OPT1 interface (I've attached a screenshot).

    I noticed the outbound NAT rules that were automatically created point from 10.10.10.1 to 192.168.1.0/24, but I don't see rules for the OPT1 network (attached screenshot).

    ![Screen Shot 2017-05-25 at 9.15.03 PM.png](/public/imported_attachments/1/Screen Shot 2017-05-25 at 9.15.03 PM.png)


  • Moderator

    Did you enable the "DNSBL Permit Rule" option?  If not, enable that and select all of the LAN Subnets in the select box that need to access the DNSBL VIP. This will create a floating permit rule which will allow those other subnets.

    Floating rules are processed first, followed by the other Interface Rules. Rules are also processed Top to Bottom.

    You don't need those two other NAT Port forward rules.
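    To illustrate the rule ordering the moderator describes (floating rules first, then the interface tab, top to bottom), here is a small rule-evaluation model. It is an added example, not pfSense or pfBlockerNG code; it assumes first-match ("quick") semantics, a constructed OPT1 guest subnet of 10.10.20.0/24, and the 10.10.10.1 DNSBL VIP and 192.168.1.0/24 LAN from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses the firewall itself answers on ("This Firewall (self)" in the pfSense GUI).
# 10.10.10.1 is the DNSBL VIP from the thread; the LAN/OPT1 gateway addresses are constructed.
FIREWALL_SELF = ["192.168.1.1/32", "10.10.20.1/32", "10.10.10.1/32"]

@dataclass
class Rule:
    name: str
    action: str            # "pass" or "block"
    iface: Optional[str]   # None = floating rule (applies on every interface)
    src: str               # source CIDR
    dst: str               # destination CIDR, "self" for the firewall's own addresses, or 0.0.0.0/0

def rule_matches(rule: Rule, iface: str, src_ip: str, dst_ip: str) -> bool:
    if rule.iface is not None and rule.iface != iface:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    dsts = FIREWALL_SELF if rule.dst == "self" else [rule.dst]
    return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(d) for d in dsts)

def evaluate(floating: List[Rule], iface_rules: Dict[str, List[Rule]],
             iface: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """Floating rules first, then the interface tab top to bottom; the first match decides
    (first-match/quick semantics are assumed here)."""
    for rule in floating + iface_rules.get(iface, []):
        if rule_matches(rule, iface, src_ip, dst_ip):
            return rule.action, rule.name
    return "block", "default deny"

# OPT1 (guest) tab as described in the thread: block to the firewall itself, then allow out.
OPT1_RULES = {"opt1": [
    Rule("Block guest to This Firewall (self)", "block", "opt1", "10.10.20.0/24", "self"),
    Rule("Allow guest out", "pass", "opt1", "10.10.20.0/24", "0.0.0.0/0"),
]}
# What the "DNSBL Permit Rule" option adds: a floating pass rule from the selected subnets to the VIP.
DNSBL_PERMIT = [Rule("pfB_DNSBL_Permit", "pass", None, "10.10.20.0/24", "10.10.10.1/32")]

if __name__ == "__main__":
    for floating in ([], DNSBL_PERMIT):
        label = "with permit rule" if floating else "without permit rule"
        print(label, evaluate(floating, OPT1_RULES, "opt1", "10.10.20.5", "10.10.10.1"))
```

    With the floating permit rule present, a guest host reaches the VIP while the block to the firewall's other addresses still holds.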