PFBlockerNG not working.



  • Hey guys I have been trying for days to get PFblocker NG working with no success. I have tried numerous guides and such, nothing, it won't block anything.

    I scrapped the whole OS, updated to 2.4 and still no go. This time I get this error

    "There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block log quick on { igb4 } inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule"
    @ 2017-09-03 10:17:38"

    Any ideas how to fix this?

    Oh igb4 is Wan btw.

    Edit: got the error again, this time more detailed.

    There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block in log quick on $WAN reply-to ( igb4 8.8.8.8 ) inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule"
    @ 2017-09-03 10:32:34

    (Changed my actual DNS to google DNS for the readout)
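As an added illustration (not from the thread, pfSense or pfBlockerNG), here is a small Python checker that scans a pf ruleset the way the quoted error implies pf does: it walks the file in order and flags any `$macro` reference that no earlier `name = ...` line defined. The sample ruleset, its `WAN` and `lan_net` macros and the `report()` helper are constructed for the example; the `pfB_BlackList` reference mirrors the quoted error line.

```python
"""Flag pf macro references ($name) that are never defined earlier in the ruleset.

Added example, not pfSense or pfBlockerNG code. pf requires a macro to be
defined (name = "...") before it is used, so a single ordered pass is enough.
"""
import re

# Constructed sample ruleset: WAN and lan_net are defined, pfB_BlackList is not,
# which mirrors the "macro 'pfB_BlackList' not defined" error quoted above.
SAMPLE_RULES = """\
# macros
WAN = "igb4"
lan_net = "{ 10.10.0.0/24 }"
pass in quick on $WAN inet proto tcp from any to $lan_net port 443
block log quick on { igb4 } inet from $pfB_BlackList to any label "USER_RULE: pfB_BlackList auto rule"
"""

MACRO_DEF_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=')
MACRO_REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def find_undefined_macros(ruleset):
    """Return [(line_number, macro_name), ...] for each $macro used before or
    without a definition. Comments are stripped at the first '#', a
    simplification: a '#' inside a quoted label would be mis-parsed."""
    defined = set()
    problems = []
    for number, raw in enumerate(ruleset.splitlines(), start=1):
        line = raw.split('#', 1)[0]
        definition = MACRO_DEF_RE.match(line)
        if definition:
            defined.add(definition.group(1))
        for name in MACRO_REF_RE.findall(line):
            if name not in defined:
                problems.append((number, name))
    return problems


def report(ruleset, path="/tmp/rules.debug"):
    """Render findings in the same shape as pf's own load error (path assumed)."""
    lines = ruleset.splitlines()
    return [
        f"{path}:{n}: macro '{m}' not defined - The line in question reads [{n}]: "
        f"{lines[n - 1].strip()}"
        for n, m in find_undefined_macros(ruleset)
    ]


if __name__ == "__main__":
    for message in report(SAMPLE_RULES):
        print(message)
```

On the constructed ruleset this reports one finding, for line 5. Run against a real /tmp/rules.debug, a hit names the alias the package referenced but never wrote out, which is the thing a rule rebuild has to regenerate.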



  • You may have to do a Force Reload all to rebuild the aliases



  • @RonpfS:

    You may have to do a Force Reload all to rebuild the aliases

    Will do,

    EDIT:

    Done that, the error seems to have gone away.

    However it is still not working lol, I have cross referenced about 6 guides and all my settings are the same as theirs and it just doesn't work :(.

    This is what my error logs look like.

    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : PiHole ]
    [ DNSBL FAIL ] [ Skipping : AdBlockList_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]
    [ DNSBL FAIL ] [ Skipping : Ads ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]

    Update: Tried a different list, and…..

    [ DNSBL FAIL ] [ Skipping : yoyo ]
    [ DNSBL FAIL ] [ Skipping : Blocks_custom ]


  • You have to use DNS Resolver not DNS Forwarder



  • @RonpfS:

    You have to use DNS Resolver not DNS Forwarder

    I am using DNS resolver, not forwarder.

    Also I just went to the firewall GUI to check for that and make absolutely sure. The error message from the OP is there again, 3 more times, since I force reloaded. DNS forwarder is disabled and DNS resolver is enabled.

    All of my devices are using pfSense for DNS afaik from their IPConfigs.

    The guides all had me set up my resolver as needed ( pretty much default) and even trying to remove PFblocker with the script also fails. Which I tried 6 times, deleting and rewriting the config.

    Either I am missing something or PFblocker doesn't work with 2.4.



  • @cyberlocc:

    The error message from the OP is there again, 3 More times, since I forced reloaded.

    Which OP ?

    @cyberlocc:

    and even trying to remove PFblocker with the script also fails. Which I tried 6 times, deleting and rewriting the config.

    Which script ? If you want to remove pfblockerNG, go to System / Package manager

    Did you also run a Force Update ?



  • @RonpfS:

    @cyberlocc:

    The error message from the OP is there again, 3 More times, since I forced reloaded.

    Which OP ?

    This OP.

    I did a force update, when you said to do that. And then later coming back to the GUI, I had a bunch of

    "There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block log quick on { igb4 } inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule" @ 2017-09-03 10:17:38"

    messages again.

    @RonpfS:

    @cyberlocc:

    and even trying to remove PFblocker with the script also fails. Which I tried 6 times, deleting and rewriting the config.

    Which script ? If you want to remove pfblockerNG, go to System / Package manager

    The script from BBcan177. When you uninstall PFblocker, it doesn't remove it, all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

    So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, again the script doesn't work, thread is old, maybe no longer applies.

    @RonpfS:

    Did you also run a Force Update ?

    Yep immediately after your post suggesting it, since then the errors have returned and service hasn't worked.

    Here are all the settings I think matter, maybe you can catch something I am not.


    ![DNS fowarder.PNG](/public/imported_attachments/1/DNS fowarder.PNG)
    ![DNS Resolver.PNG](/public/imported_attachments/1/DNS Resolver.PNG)

  • @cyberlocc:

    The script from BBcan177. When you uninstall PFblocker, it doesn't remove it, all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

    So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, again the script doesn't work, thread is old, maybe no longer applies.

    This is a very old script, pfblockerNG changed since then.

    So if you goto package manager you can not uninstall pfblockerNG? Can you reinstall it ?
    I guess you will have to edit the config.xml and fix any leftover from pfblockerNG.
    Then try to reinstall again.

    Force update is to update any change made to pfblockerng configuration or feeds.
    Force reload is to rebuild the table and database.



  • @RonpfS:

    @cyberlocc:

    The script from BBcan177. When you uninstall PFblocker, it doesn't remove it, all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

    So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, again the script doesn't work, thread is old, maybe no longer applies.

    This is a very old script, pfblockerNG changed since then.

    So if you goto package manager you can not uninstall pfblockerNG? Can you reinstall it ?
    I guess you will have to edit the config.xml and fix any leftover from pfblockerNG.
    Then try to reinstall again.

    Force update is to update any change made to pfblockerng configuration or feeds.
    Force reload is to rebuild the table and database.

    I have uninstalled it, and just did so 1 more time :). Following yet another different guide I will report back. (this one is very very new)



  • Also your DNSBL Virtual IP is 100.10.100.1, maybe you meant 10.10.100.1.



  • And you should uncheck DNS Server Override and DHCP Registration

    DHCP registration will trigger a reload of Unbound and if it takes 30 sec to reload, you will get constant DNS service disruption.

    You could probably keep Static DHCP as it will only trigger unbound reload when you add a host, not something that happen often.

    On the IP side, maybe you should check De-Duplication, CIDR Aggregation, Suppression.



  • @RonpfS:

    And you should uncheck DNS Server Override and DHCP Registration

    DHCP registration will trigger a reload of Unbound and if it takes 30 sec to reload, you will get constant DNS service disruption.

    You could probably keep Static DHCP as it will only trigger unbound reload when you add a host, not something that happen often.

    On the IP side, maybe you should check De-Duplication, CIDR Aggregation, Suppression.

    Okay so a reinstall seemed to fix it. However now I got more issues and questions lol. It is working now though, more on that in a second.

    I can turn off DNS server override (it turned that on not me :P.)

    I need DNS Server Registration, I will have 12 servers behind this thing when it's all working the way I want, some of those need local access with hostnames. Or are you saying just use the static, I guess that could work. (EDIT: ya that works, so I disabled the Registration.)

    Did the rest, was trying to leave as much off as I could to get it working :).

    Now maybe you can help me, as I stated I have quite a few servers, and a guest lan, that this blocker needs to leave be (well preferably it would allow different setups for).

    I got it working, like I said, the issue is it's working too well. It's working on interfaces it is not set to be working on, how can I resolve that? And also resolve the incoming issues. I only have 1 WAN, however on that WAN are 5 VIPs, the guest LAN uses a different public IP than the main LAN, as do the servers. The main LAN uses the WAN's IP.

    oh and Yep was trying to use 10.10.100.1, I fixed that in the new install :).



  • Any DNS request to pfsense is filtered by DNSBL when enabled. It replaces the "right" IP of a Domain Name with the VIP.

    There is a Permit Firewall Rules option, if you click the blue "i" infoblock should display something similar to :

    This will create 'Floating' Firewall rules to allow traffic from the Selected Interface(s) to access
    the DNSBL VIP on the DNSBL Listening interface. (ICMP and Webserver ports only). This is only required for networks with multiple LAN Segments.
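    To make the DNSBL mechanism described above concrete, here is an added Python simulation (not pfBlockerNG's or Unbound's code): it parses Unbound-style `local-zone`/`local-data` sinkhole lines, answers queries the way a redirect zone would, and checks that the configured VIP is a private address, which is the point behind the 100.10.100.1 versus 10.10.100.1 remark earlier in the thread. The sample records, the `upstream_stub` function and the simplified zone semantics are constructed for the example; the exact file pfBlockerNG writes for Unbound is not reproduced.

```python
"""Simulate DNSBL sinkholing with Unbound-style local-zone / local-data records.

Added example, not pfBlockerNG or Unbound code. A client that uses the firewall
for DNS receives the DNSBL virtual IP (VIP) for a listed name instead of the
real address; the VIP's web server then logs the hit.
"""
import ipaddress
import re

# Intended DNSBL VIP from the thread (100.10.100.1 was noted as a likely typo).
DNSBL_VIP = "10.10.100.1"

# Constructed sample directives; not the file pfBlockerNG itself writes.
SAMPLE_LOCAL_DATA = f'''\
local-zone: "ads.example." redirect
local-data: "ads.example. A {DNSBL_VIP}"
local-data: "tracker.example. A {DNSBL_VIP}"
'''

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*"([^"\s]+)"\s+(\w+)')
LOCAL_DATA_RE = re.compile(r'^\s*local-data:\s*"([^"\s]+)\s+(?:IN\s+)?A\s+(\S+)"')


def _norm(name):
    return name.rstrip('.').lower()


def parse_sinkhole(text):
    """Return (records, zones): name -> A address, and zone name -> zone type."""
    records, zones = {}, {}
    for line in text.splitlines():
        zone = LOCAL_ZONE_RE.match(line)
        if zone:
            zones[_norm(zone.group(1))] = zone.group(2)
            continue
        data = LOCAL_DATA_RE.match(line)
        if data:
            records[_norm(data.group(1))] = data.group(2)
    return records, zones


def upstream_stub(name):
    """Stand-in for a real recursive lookup; returns a documentation address."""
    return "203.0.113.7"


def resolve(name, records, zones, upstream=upstream_stub):
    """Simplified Unbound behaviour: an exact local-data match answers directly;
    a 'redirect' zone answers for every name beneath it with the zone's own
    record; anything else goes upstream. Returns (address, sinkholed)."""
    labels = _norm(name).split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in records and (i == 0 or zones.get(candidate) == 'redirect'):
            return records[candidate], True
    return upstream(_norm(name)), False


def vip_is_private(vip):
    """The DNSBL VIP should be an address only the firewall answers for."""
    return ipaddress.ip_address(vip).is_private


if __name__ == "__main__":
    recs, zns = parse_sinkhole(SAMPLE_LOCAL_DATA)
    for q in ("ads.example", "cdn.ads.example", "www.tracker.example", "good.example"):
        print(q, "->", resolve(q, recs, zns))
    for vip in ("100.10.100.1", DNSBL_VIP):
        print(vip, "private:", vip_is_private(vip))
```

    Note the difference between the two listed names: `ads.example` sits under a `redirect` zone, so every subdomain is sinkholed too, while `tracker.example` has only an exact record, so `www.tracker.example` still goes upstream. The VIP check is what the earlier remark about 100.10.100.1 amounts to: that address is publicly routable, so answers pointing at it would leave the network instead of hitting the DNSBL web server.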



  • @RonpfS:

    Any DNS request to pfsense is filtered by DNSBL when enabled. It replaces the "right" IP of a Domain Name with the VIP.

    There is a Permit Firewall Rules option, if you click the blue "i" infoblock should display something similar to :

    This will create 'Floating' Firewall rules to allow traffic from the Selected Interface(s) to access
    the DNSBL VIP on the DNSBL Listening interface. (ICMP and Webserver ports only). This is only required for networks with multiple LAN Segments.

    Well the VIPs I was talking about are handled by NAT, I get what you are saying though.

    So I read that firewall rules differently, I thought that was the ability to enable on a per Lan basis.

    The way you put it does make sense though.

    Edit:

    Ya that doesn't work, if I apply the firewall rules to other interfaces, it doesn't care, still blocking it.

    I did notice something though, the first install there were visible rules on the Test interface, now there aren't. When I enable the rules to allow others, they don't show up in floating either.



  • If you don't enable the rules, the devices won't be able to reach DNSBL service at VIP.

    For devices that don't need DNSBL blocking, configure their name service resolution to use another DNS server than the one with pfblockerNG.



  • @RonpfS:

    If you don't enable the rules, the devices won't be able to reach DNSBL service at VIP.

    For devices that don't need DNSBL blocking, configure their name service resolution to use another DNS server than the one with pfblockerNG.

    Okay the way I am interpreting that, is to set the device to use Google's DNS ect?

    That is not doable. I do not have control of the guests' devices and this is hotel WiFi first and foremost. And it would eliminate the ability for 90% of businesses with the same issue to use this package, there has to be another way.

    I need multiple LANs like all businesses. Blocking Facebook on the employee network is needed, but on guest it isn't and can't be. That is what this was designed to do right? So there has to be a way to do that. In my case I do not need to disable Facebook, just block malicious sites and such and ads, and maybe more for my kids' network. However I cannot block guest users' access to anything.



  • If the devices get their IP with DHCP, you can configure different DNS servers for guest network.



  • @RonpfS:

    If the devices get their IP with DHCP, you can configure different DNS servers for guest network.

    But I am still only limited to 1 blocking instance?

    That's what I am saying I need guest to have no blocking instance. However I need servers to have different sets of blocking instances. Blocking ads on the Lan is cool, but that isn't the point of this package as I was led to believe, and using this to shorten my Suricata workload is more a goal. As well as blocking all ad sites, when I need access to those ad sites on servers, but need to block other things, isn't going to work.

    So what I am trying to do is have hosts file A, B, C. I need A to apply to the local LAN only, B applies to servers only, C applies to guest only.

    This isn't a strange configuration, as I said pretty much every business I ever worked for had similar if not more complex DNS blocking, without it this is a glorified ad blocker, which I do not think was its design intent. No offense to home users that want ad blocks, but this is a business product first right?



  • Welp said screw it, and went to do your suggestion and just worry about guests, and figure something else for the servers.

    Nope lol, doesn't work, well it does work, when I disable the guest captive portal :(. So do I have any other options? I have to have captive portal and I cannot filter their Network.

