Netgate Discussion Forum

    PfBlocker with openvpn

      DaveB

      Hi

      Having previously setup client openvpn I am attempting to run pfblocker 2.1.1_8 on pfsense 2.3.4.

      However nothing appears to be being blocked.
      In the Pfblocker widget packets remain at zero.

      In Firewall/ pfBlockerNG/ General  - Interface Rules - Inbound and Outbound Firewall Rules , I was expecting to be able to select OpenVPN but it does not appear as an option.

      If I look at Firewall/Rules/OpenVPN then there are no rules defined for this interface.

      Help please as I am very much a novice at this and guess I have missed something in the setup.

      Thanks

        BBcan177 Moderator

        Did you check the "OpenVPN" checkbox in the General Tab?

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          DaveB

          Hi

          I have checked the OpenVPN Interface box since OpenVPN did not appear in the 2 boxes immediately above
          (Inbound/Outbound Firewall Rules)

            BBcan177 Moderator

            What are you attempting to block with the package? GeoIP and/or IPv4 lists?  Maybe you didn't enable the "action" settings in the GeoIP/IPv4/6 tabs?

              DaveB

              Hi

              All I am trying to do is to block adverts (not geo-locations).
              To this end I have (attempted to) load EasyList w/o Elements and EasyPrivacy.
              I can see an alias (if this is the right term) for each of these in the pfblocker widget with a green up arrow (rules defined??).

              A problem I have here is that I have no idea what I should be able to see (or not see) both in terms firewall rules or other settings, reports of ads being blocked, and reduction in adverts being displayed.

              Is it possible that it is working all along, but is unable to block the ads on the sites I go to - maybe different block list required.
              I notice that one of the aliases has an entry of 60 under the heading of packets - is that the number of packets it has blocked?
              If so is that number reasonable? I would have expected something much larger.

              Anyway thank you for your assistance - and your sig is most apt.
              Unfortunately my experience is zero.

                dma_pf

                I was having a similar issue. This post helped me troubleshoot the PFBNG setup to make sure it was correct: https://www.reddit.com/r/PFSENSE/comments/3x6e7v/pfblockerng_203_not_working_at_all/

                Even after verifying everything was set up correctly I was still having issues and fixed it by applying the following settings:

                1. In "Services/DHCP Leases/LAN/Server" make sure there are no DNS servers listed.
                2. In "System/General Setup/DNS Server Settings" enter the IP addresses of the DNS servers you want to use.

                  BBcan177 Moderator

                  Hi DaveB,

                  Take a look at the reply and link that dma_pf posted… and read my comments there as it applies to your question... Let me know if you're still having issues after reading that...

                    DaveB

                    Hi

                    This is what I have tried so far:-
                    (1) Removed the DNS Server settings that I had under Server/DHCP Server/LAN/Servers
                          The Servers I wish to use were already entered under System/General Setup/DNS Server Settings

                    (2) Removed the DNS servers I was using on my Win7 PC and changed setting to obtain address automatically

                    (3) Followed the instructions at "Here are some basic instructions to get started with DNSBL."
                        This added another Alias - DNSBL_Ads to the pfBlocker widget
                        Ensured Enable DNSBL was checked and that DNSBL Firewall Rule was checked with LAN and Open VPN

                    (4) Went to www.aol.com - adverts not blocked - no entries appeared under Firewall/pfBlockerNG/Alerts
                        No update to packages count in pfblocker widget.

                    So - no luck so far.

                      BBcan177 Moderator

                      You need to ensure that the LAN devices have their DNS setting set to the pfSense box address.

                      You also need to ensure that the LAN devices can ping the DNSBL IP address. And that the LAN devices can browse to the DNSBL address.

                      For any domain that is listed in DNSBL you can test the DNS response with the following command.

                      host -t A example.com

                      And it should reply as the DNSBL IP address.

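The checks BBcan177 describes above, as an added example that is not part of the original thread: a POSIX shell script for a Unix-like LAN client that confirms the client resolves only through pfSense and classifies "host -t A" replies against the DNSBL address. PFSENSE_IP and DNSBL_VIP are placeholders (documentation addresses) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify DNSBL from a LAN client (not pfBlockerNG code).
# PFSENSE_IP and DNSBL_VIP are placeholders; set them to your own values.
PFSENSE_IP="${PFSENSE_IP:-192.0.2.1}"
DNSBL_VIP="${DNSBL_VIP:-192.0.2.53}"

# Succeeds only if every nameserver in resolv.conf-style text (stdin) is the
# pfSense box ($1); a second, external resolver lets lookups bypass DNSBL.
only_pfsense_dns() {
    awk -v want="$1" '
        $1 == "nameserver" { n++; if ($2 != want) bad++ }
        END { exit !(n > 0 && bad == 0) }'
}

# Classify `host -t A` output (stdin) against the DNSBL address ($1).
# Prints BLOCKED, NOT_BLOCKED or NO_ANSWER.
classify_host_output() {
    awk -v vip="$1" '
        / has address / { n++; if ($NF == vip) hit++ }
        END {
            if (n == 0)        print "NO_ANSWER"
            else if (hit == n) print "BLOCKED"
            else               print "NOT_BLOCKED"
        }'
}

# Ask the pfSense resolver directly about one domain ($1) and classify the reply.
check_domain() {
    host -t A "$1" "$PFSENSE_IP" 2>/dev/null | classify_host_output "$DNSBL_VIP"
}

# Live run: pass domains from your DNSBL feeds as arguments
# (needs the `host` utility and access to the pfSense resolver).
if [ "$#" -gt 0 ] && ! only_pfsense_dns "$PFSENSE_IP" < /etc/resolv.conf; then
    echo "warning: /etc/resolv.conf lists a resolver other than $PFSENSE_IP" >&2
fi
for d in "$@"; do
    printf '%s\t%s\n' "$d" "$(check_domain "$d")"
done
```

A NOT_BLOCKED result for a domain that is in an enabled feed points at the resolver path (the client is not asking pfSense, or DNSBL is not enabled) rather than at the firewall rules.
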
                        DaveB

                        By George I do believe I have got it !!!

                        I believe I have finally got the DNS settings right for my pc.
                        The long version for anyone else struggling as I did is:-

                        Control Panel / Network and Sharing / Change adapter settings / Local Area Connection / Properties /Internet Protocol Ver4

                        Click Use the following IP address

                        IP address is that of your PC
                        Subnet Mask 255.255.255.0
                        Default Gateway is IP for pfsense

                        Click Use the following DNS Server Addresses
                        Preferred DNS Server 10.10.10.1

                        I am highly highly grateful for the assistance received.

                        One final silly question.
                        While following a guide for setting up pfblocker I have created an alias pfB_DNSBLIP.
                        I have no idea what it is but it has the black down arrow indicating there are no rules for the alias.
                        Can anyone shed any light on this?

                        Anyway thanks again

                          dma_pf

                          Glad to hear you got it up and running!

                          @DaveB:

                          One final silly question.
                          While following a guide for setting up pfblocker I have created an alias pfB_DNSBLIP.
                          I have no idea what it is but it has the black down arrow indicating there are no rules for the alias.
                          Can anyone shed any light on this?

                          The DNSBL service is used to block domain names only (www.example.com) and not IP addresses (xxx.xxx.xxx.xxx). Sometimes the DNSBL feeds that you set up may contain IP addresses. The pfB_DNSBLIP alias filters out the IP addresses that are in the DNSBL feeds, thereby creating an alias which can be used by the firewall to act on the IP addresses that show up in the DNSBL feeds. You still need to apply the firewall rules that will use the pfB_DNSBLIP alias. You can create those rules in pfSense at "Firewall/pfBlockerNG/DNSBL/DNSBL IP Firewall Rule Settings"

                          If you go to the pfB_DNSBLIP alias rule and then hover over the alias you should not see any IP addresses in the list that pops up. The black down arrow indicates that the alias currently does not contain any IP addresses and there is nothing for the rule to act against. This will most likely change as you add additional DNSBL feeds.

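The split dma_pf describes, as an added example that is not part of the original thread and not pfBlockerNG's own parser: it separates bare IPv4 entries (the kind that would land in an alias such as pfB_DNSBLIP) from domain entries in a constructed feed. The hosts-file handling and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not pfBlockerNG code): separate the bare IP entries in a
# DNSBL-style feed from the domain entries.

# Tag each feed entry on stdin as "IP <addr>" or "DOMAIN <name>".
tag_feed() {
    awk '
        function is_ipv4(s,   p, i, n) {
            n = split(s, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        { sub(/\r$/, ""); sub(/[ \t]*#.*/, "") }   # drop CRs and comments
        NF == 0 { next }
        {
            # Assumption: hosts-file lines ("0.0.0.0 name") carry the target
            # in field 2; the leading sink address is not itself an entry.
            e = (NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1")) ? $2 : $1
            if (is_ipv4(e)) print "IP", e
            else            print "DOMAIN", tolower(e)
        }'
}

# Entries a firewall alias can act on, and entries DNS blocking can act on.
feed_ips()     { tag_feed | awk '$1 == "IP"     { print $2 }' | sort -u; }
feed_domains() { tag_feed | awk '$1 == "DOMAIN" { print $2 }' | sort -u; }

# Constructed sample feed mixing the entry kinds.
sample_feed() {
    cat <<'EOF'
# constructed sample, not a real feed
0.0.0.0 ads.example
127.0.0.1 Tracker.Example   # hosts-file style
metrics.example
203.0.113.45
198.51.100.7
EOF
}
```

Running "sample_feed | feed_ips" lists the two addresses that DNS-based blocking cannot act on; an empty result corresponds to the empty alias described above.
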