PfBlocker with openvpn



  • Hi

    Having previously set up client OpenVPN I am attempting to run pfBlocker 2.1.1_8 on pfSense 2.3.4.

    However nothing appears to be being blocked.
    In the Pfblocker widget packets remain at zero.

    In Firewall/pfBlockerNG/General - Interface Rules - Inbound and Outbound Firewall Rules, I was expecting to be able to select OpenVPN but it does not appear as an option.

    If I look at Firewall/Rules/OpenVPN then there are no rules defined for this interface.

    Help please as I am very much a novice at this and guess I have missed something in the setup.

    Thanks


  • Moderator

    Did you check the "OpenVPN" checkbox in the General Tab?



  • Hi

    I have checked the OpenVPN Interface box since OpenVPN did not appear in the 2 boxes immediately above
    (Inbound/Outbound Firewall Rules)


  • Moderator

    What are you attempting to block with the package? GeoIP and/or IPv4 lists?  Maybe you didn't enable the "action" settings in the GeoIP/IPv4/6 tabs?



  • Hi

    All I am trying to do is to block adverts (not geo-locations).
    To this end I have (attempted to) load EasyList w/o Elements and EasyPrivacy.
    I can see an alias (if this is the right term) for each of these in the pfblocker widget with a green up arrow (rules defined??).

    A problem I have here is that I have no idea what I should be able to see (or not see) both in terms of firewall rules or other settings, reports of ads being blocked, and reduction in adverts being displayed.

    Is it possible that it is working all along, but is unable to block the ads on the sites I go to - maybe different block list required.
    I notice that one of the aliases has an entry of 60 under the heading of packets - is that the number of packets it has blocked?
    If so is that number reasonable? I would have expected something much larger.

    Anyway thank you for your assistance - and your sig is most apt.
    Unfortunately my experience is zero.



  • I was having a similar issue. This post helped me troubleshoot the PFBNG setup to make sure it was correct: https://www.reddit.com/r/PFSENSE/comments/3x6e7v/pfblockerng_203_not_working_at_all/

    Even after verifying everything was set up correctly I was still having issues and fixed it by applying the following settings:

    1. In "Services/DHCP Leases/LAN/Server" make sure there are no DNS servers listed.
    2. In "System/General Setup/DNS Server Settings" enter the IP addresses of the DNS servers you want to use.


  • Moderator

    @DaveB:

    Hi

    All I am trying to do is to block adverts (not geo-locations).
    To this end I have (attempted to) load EasyList w/o Elements and EasyPrivacy.
    I can see an alias (if this is the right term) for each of these in the pfblocker widget with a green up arrow (rules defined??).

    A problem I have here is that I have no idea what I should be able to see (or not see) both in terms of firewall rules or other settings, reports of ads being blocked, and reduction in adverts being displayed.

    Is it possible that it is working all along, but is unable to block the ads on the sites I go to - maybe different block list required.
    I notice that one of the aliases has an entry of 60 under the heading of packets - is that the number of packets it has blocked?
    If so is that number reasonable? I would have expected something much larger.

    Anyway thank you for your assistance - and your sig is most apt.
    Unfortunately my experience is zero.

    Hi DaveB,

    Take a look at the reply and link that dma_df posted… and read my comments there as it applies to your question...  Let me know if you're still having issues after reading that...



  • Hi

    This is what I have tried so far:-
    (1) Removed the DNS Server settings that I had under Server/DHCP Server/LAN/Servers
          The Servers I wish to use were already entered under System/General Setup/DNS Server Settings

    (2) Removed the DNS servers I was using on my Win7 PC and changed setting to obtain address automatically

    (3) Followed the instructions at "Here are some basic instructions to get started with DNSBL."
        This added another Alias - DNSBL_Ads to the pfBlocker widget
        Ensured Enable DNSBL was checked and that DNSBL Firewall Rule was checked with LAN and Open VPN

    (4) Went to www.aol.com - adverts not blocked - no entries appeared under Firewall/pfBlockerNG/Alerts
        No update to packages count in pfblocker widget.

    So - no luck so far.


  • Moderator

    You need to ensure that the Lan devices have their DNS setting set to the pfSense box address.

    You also need to ensure that the Lan devices can ping the DNSBL IP address. And that the Lan devices can browse to the DNSBL address.

    For any domain that is listed in DNSBL you can test the DNS response with the following command.

    host -t A example.com

    And it should reply as the DNSBL IP address.
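
Added example, not part of the moderator's post: a small shell helper that runs the `host -t A` check described above and classifies the answer against the DNSBL virtual IP. The `DNSBL_VIP` default of 192.0.2.1, the function names and the sample outputs are assumptions constructed for illustration; substitute the virtual IP configured in pfBlockerNG.

```shell
#!/bin/sh
# DNSBL_VIP is an assumption (documentation address); set it to the DNSBL
# virtual IP configured in pfBlockerNG before running a live check.
DNSBL_VIP="${DNSBL_VIP:-192.0.2.1}"

# classify_answer VIP   (reads the output of `host -t A <domain>` on stdin)
# Prints one of: sinkholed | passed | nxdomain | noanswer
classify_answer() {
    awk -v vip="$1" '
        / has address / { seen = 1; if ($NF == vip) hit = 1 }
        /NXDOMAIN/      { nx = 1 }
        END {
            if (hit)       print "sinkholed"   # answer is the DNSBL VIP
            else if (seen) print "passed"      # real address came back
            else if (nx)   print "nxdomain"
            else           print "noanswer"    # timeout, refused, etc.
        }'
}

# check_domain DOMAIN [RESOLVER]
# Live query. Without RESOLVER the client uses whatever DNS server it is
# currently configured with, which is the setting under test.
check_domain() {
    host -t A "$1" ${2:+"$2"} 2>&1 | classify_answer "$DNSBL_VIP"
}

# Constructed sample outputs in the format printed by `host`.
sample_blocked='ads.example.com has address 192.0.2.1'
sample_passed='ads.example.com has address 203.0.113.10'
sample_nx='Host ads.example.com not found: 3(NXDOMAIN)'
sample_timeout=';; connection timed out; no servers could be reached'
```

Run `check_domain` for a listed domain once with no resolver argument and once with the pfSense LAN address as the second argument. If only the second call reports `sinkholed`, the client is still sending its queries to a different DNS server.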



  • By George I do believe I have got it !!!

    I believe I have finally got the DNS settings right for my pc.
    The long version for anyone else struggling as I did is:-

    Control Panel / Network and Sharing / Change adapter settings / Local Area Connection / Properties /Internet Protocol Ver4

    Click Use the following IP address

    IP address is that of your PC
    Subnet Mask 255.255.255.0
    Default Gateway is IP for pfsense

    Click Use the following DNS Server Addresses
    Preferred DNS Server 10.10.10.1

    I am highly highly grateful for the assistance received.

    One final silly question.
    While following a guide for setting up pfblocker I have created an alias pfB_DNSBLIP.
    I have no idea what it is but it has the black down arrow indicating there are no rules for the alias.
    Can anyone shed any light on this?

    Anyway thanks again



  • Glad to hear you got it up and running!

    @DaveB:

    One final silly question.
    While following a guide for setting up pfblocker I have created an alias pfB_DNSBLIP.
    I have no idea what it is but it has the black down arrow indicating there are no rules for the alias.
    Can anyone shed any light on this?

    The DNSBL service is used to block domain names only (www.example.com) and not IP addresses (xxx.xxx.xxx.xxx). Sometimes the DNSBL feeds that you set up may contain IP addresses. The pfB_DNSBLIP alias filters out the IP addresses that are in the DNSBL feeds, thereby creating an alias which can be used by the firewall to act on the IP addresses that show up in the DNSBL feeds. You still need to apply the firewall rules that will use the pfB_DNSBLIP alias. You can create those rules in pfSense at "Firewall/pfBlockerNG/DNSBL/DNSBL IP Firewall Rule Settings"

    If you go to the pfB_DNSBLIP alias rule and then hover over the alias you should not see any IP addresses in the list that pops up. The black down arrow indicates that the alias currently does not contain any IP addresses and there is nothing for the rule to act against. This will most likely change as you add additional DNSBL feeds.
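
Added illustration, not part of the post above and not pfBlockerNG's own code: a shell sketch of the separation the reply describes, where domain entries in a feed go to the DNS blocklist and IPv4 entries go to a firewall alias. The function names and the sample feed are constructed for this example.

```shell
#!/bin/sh
# split_feed: feed text on stdin, one "ip <addr>" or "domain <name>" per entry.
split_feed() {
    awk '
        function is_ipv4(s,    n, o, i) {
            n = split(s, o, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/\r$/, ""); sub(/[ \t]*#.*$/, "") }   # drop CR and comments
        NF == 0 { next }                             # skip empty lines
        {
            entry = $NF        # hosts-format lines ("0.0.0.0 name") keep the name
            if (is_ipv4(entry)) print "ip " entry
            else                print "domain " tolower(entry)
        }'
}

# Entries a DNS sinkhole cannot act on; these belong in a firewall alias.
ip_entries()     { split_feed | awk '$1 == "ip"     { print $2 }'; }

# Entries the DNS blocklist can answer for.
domain_entries() { split_feed | awk '$1 == "domain" { print $2 }'; }

# Constructed sample feed (documentation addresses and example domains only).
sample_feed='# constructed feed
ads.example.com
0.0.0.0 tracker.example.net
203.0.113.7
Metrics.Example.org   # inline comment'
```

With the sample feed, `ip_entries` yields the single address and `domain_entries` yields the three names. A feed with no IP entries gives an empty address list, which matches the empty alias described in the post.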