Netgate Discussion Forum

PFBlockerNG not working.

19 Posts 2 Posters 4.0k Views
cyberlocc

Hey guys, I have been trying for days to get pfBlockerNG working with no success. I have tried numerous guides and such; nothing, it won't block anything.

I scrapped the whole OS, updated to 2.4, and still no go. This time I get this error:

"There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block log quick on { igb4 } inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule"
@ 2017-09-03 10:17:38"

Any ideas how to fix this?

Oh, igb4 is WAN btw.

Edit: got the error again, this time more detailed.

There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block in log quick on $WAN reply-to ( igb4 8.8.8.8 ) inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule"
@ 2017-09-03 10:32:34

(Changed my actual DNS to Google DNS for the readout)
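A quick consistency check for the "macro 'pfB_BlackList' not defined" error quoted above, added here as an example and not code from the thread or from pfSense: it reads a rules file in the same top-to-bottom order pfctl does and reports every `$macro` used without an earlier definition, plus any `<table>` referenced without a declaration. The SAMPLE_RULES text, including the `table <...>` and `name = "..."` definition lines, is a constructed assumption about how pfSense emits aliases into rules.debug.

```python
import re
import sys

# Constructed sample modelled on the rules.debug line quoted in the thread.
# pfB_BlackList is deliberately left undefined to reproduce the reported error;
# the alias/table definition lines are assumptions, not copied from pfSense.
SAMPLE_RULES = """\
# aliases (constructed)
table <pfB_Top_v4> persist file "/var/db/aliastables/pfB_Top_v4.txt"
pfB_Top_v4 = "<pfB_Top_v4>"
WAN = "{ igb4 }"
# rules (constructed)
block log quick on { igb4 } inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule"
block in log quick on $WAN inet from $pfB_Top_v4 to any tracker 1770008547 label "USER_RULE: pfB_Top_v4 auto rule"
pass in on $LAN inet from $LAN_net to any
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*\S')
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TABLE_DEF = re.compile(r'^\s*table\s+<([A-Za-z0-9_]+)>')
TABLE_REF = re.compile(r'<([A-Za-z0-9_]+)>')


def find_undefined(rules_text):
    """Return [(line_no, kind, name)] for each $macro used before it is defined
    and each <table> referenced without a table declaration.

    pfctl processes the file sequentially, so a macro definition must sit on an
    earlier line than the first rule that expands it."""
    macros, tables, problems = set(), set(), []
    for line_no, raw in enumerate(rules_text.splitlines(), start=1):
        line = raw.split('#', 1)[0]          # drop trailing comments
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
        t = TABLE_DEF.match(line)
        if t:
            tables.add(t.group(1))
        # a definition line can itself reference other names, so always scan it
        for name in MACRO_REF.findall(line):
            if name not in macros:
                problems.append((line_no, 'macro', name))
        for name in TABLE_REF.findall(line):
            if name not in tables:
                problems.append((line_no, 'table', name))
    return problems


def check_file(path):
    """Scan a rules file such as /tmp/rules.debug and return its problems."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return find_undefined(fh.read())


if __name__ == '__main__':
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, kind, name in find_undefined(text):
        print(f"line {line_no}: {kind} '{name}' not defined")
```

Run it against /tmp/rules.debug on the firewall to see which alias the generated ruleset expects but never defines; in the thread the fix was a Force Reload that regenerated the missing alias.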
RonpfS

You may have to do a Force Reload All to rebuild the aliases.

2.4.5-RELEASE-p1 (amd64)
Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5
cyberlocc

@RonpfS:

You may have to do a Force Reload All to rebuild the aliases.

Will do.

EDIT:

Done that, the error seems to have gone away.

However, it is still not working lol. I have cross-referenced about 6 guides and all my settings are the same as theirs, and it just doesn't work :(.

This is what my error logs look like.

[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : PiHole ]
[ DNSBL FAIL ] [ Skipping : AdBlockList_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
[ DNSBL FAIL ] [ Skipping : Ads ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]

Update: Tried a different list, and…..

[ DNSBL FAIL ] [ Skipping : yoyo ]
[ DNSBL FAIL ] [ Skipping : Blocks_custom ]
RonpfS

You have to use DNS Resolver, not DNS Forwarder.
cyberlocc

@RonpfS:

You have to use DNS Resolver, not DNS Forwarder.

I am using DNS Resolver, not Forwarder.

Also, I just went to the firewall GUI to check for that and make absolutely sure. The error message from the OP is there again, 3 more times, since I force reloaded. DNS Forwarder is disabled and DNS Resolver is enabled.

All of my devices are using pfSense for DNS, afaik from their IP configs.

The guides all had me set up my resolver as needed (pretty much default), and even trying to remove pfBlocker with the script also fails, which I tried 6 times, deleting and rewriting the config.

Either I am missing something or pfBlocker doesn't work with 2.4.
RonpfS

@cyberlocc:

The error message from the OP is there again, 3 more times, since I force reloaded.

Which OP?

@cyberlocc:

and even trying to remove pfBlocker with the script also fails, which I tried 6 times, deleting and rewriting the config.

Which script? If you want to remove pfBlockerNG, go to System / Package Manager.

Did you also run a Force Update?
cyberlocc

@RonpfS:

@cyberlocc:

The error message from the OP is there again, 3 more times, since I force reloaded.

Which OP?

This OP.

I did a Force Update when you said to do that. And then later, coming back to the GUI, I had a bunch of

"There were error(s) loading the rules: /tmp/rules.debug:183: macro 'pfB_BlackList' not defined - The line in question reads [183]: block log quick on { igb4 } inet from $pfB_BlackList to any tracker 1770008546 label "USER_RULE: pfB_BlackList auto rule" @ 2017-09-03 10:17:38"

messages again.

@RonpfS:

@cyberlocc:

and even trying to remove pfBlocker with the script also fails, which I tried 6 times, deleting and rewriting the config.

Which script? If you want to remove pfBlockerNG, go to System / Package Manager.

The script from BBcan177. When you uninstall pfBlocker, it doesn't remove it: all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, and again the script doesn't work; the thread is old, maybe it no longer applies.

@RonpfS:

Did you also run a Force Update?

Yep, immediately after your post suggesting it; since then the errors have returned and the service hasn't worked.

Here are all the settings I think matter, maybe you can catch something I am not.

[Attached screenshots: services.PNG, DNS.PNG, DNS fowarder.PNG, DNS Resolver.PNG, PFblobker1.PNG, PFblock2.PNG, DSNBL1.PNG, DSNBL2.PNG]
RonpfS

@cyberlocc:

The script from BBcan177. When you uninstall pfBlocker, it doesn't remove it: all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, and again the script doesn't work; the thread is old, maybe it no longer applies.

This is a very old script; pfBlockerNG has changed since then.

So if you go to Package Manager you cannot uninstall pfBlockerNG? Can you reinstall it?
I guess you will have to edit the config.xml and fix any leftover from pfBlockerNG.
Then try to reinstall again.

Force Update is to update any change made to pfBlockerNG configuration or feeds.
Force Reload is to rebuild the table and database.
cyberlocc

@RonpfS:

@cyberlocc:

The script from BBcan177. When you uninstall pfBlocker, it doesn't remove it: all the files stay, you just remove the package and reset some config if you check the option, but a lot remains, from what I read, and there was a script to fully remove it. That script doesn't work.

So I tried that, https://forum.pfsense.org/index.php?topic=88443.0, and again the script doesn't work; the thread is old, maybe it no longer applies.

This is a very old script; pfBlockerNG has changed since then.

So if you go to Package Manager you cannot uninstall pfBlockerNG? Can you reinstall it?
I guess you will have to edit the config.xml and fix any leftover from pfBlockerNG.
Then try to reinstall again.

Force Update is to update any change made to pfBlockerNG configuration or feeds.
Force Reload is to rebuild the table and database.

I have uninstalled it, and just did so 1 more time :). Following yet another different guide, I will report back. (This one is very, very new.)
RonpfS

Also, your DNSBL Virtual IP is 100.10.100.1; maybe you meant 10.10.100.1.
RonpfS

And you should uncheck DNS Server Override and DHCP Registration.

DHCP Registration will trigger a reload of Unbound, and if it takes 30 sec to reload, you will get constant DNS service disruption.

You could probably keep Static DHCP, as it will only trigger an Unbound reload when you add a host, not something that happens often.

On the IP side, maybe you should check De-Duplication, CIDR Aggregation, Suppression.
cyberlocc

@RonpfS:

And you should uncheck DNS Server Override and DHCP Registration.

DHCP Registration will trigger a reload of Unbound, and if it takes 30 sec to reload, you will get constant DNS service disruption.

You could probably keep Static DHCP, as it will only trigger an Unbound reload when you add a host, not something that happens often.

On the IP side, maybe you should check De-Duplication, CIDR Aggregation, Suppression.

Okay, so a reinstall seemed to fix it. However, now I got more issues and questions lol. It is working now though, more on that in a second.

I can turn off DNS Server Override (it turned that on, not me :P).

I need DNS Server Registration; I will have 12 servers behind this thing when it's all working the way I want, and some of those need local access with hostnames. Or are you saying just use the static? I guess that could work. (EDIT: ya, that works, so I disabled the Registration.)

Did the rest, was trying to leave as much off as I could to get it working :).

Now maybe you can help me. As I stated, I have quite a few servers, and a guest LAN, that this blocker needs to leave be (well, preferably it would allow different setups for).

I got it working, like I said; the issue is it's working too well. It's working on interfaces it is not set to be working on, how can I resolve that? And also resolve the incoming issues. I only have 1 WAN; however, on that WAN are 5 VIPs. The guest LAN uses a different public IP than the main LAN, as do the servers. The main LAN uses the WAN's IP.

Oh, and yep, I was trying to use 10.10.100.1, I fixed that in the new install :).
RonpfS

Any DNS request to pfSense is filtered by DNSBL when enabled. It replaces the "right" IP of a domain name with the VIP.

There is a Permit Firewall Rules option; if you click the blue "i", the infoblock should display something similar to:

This will create 'Floating' Firewall rules to allow traffic from the Selected Interface(s) to access
the DNSBL VIP on the DNSBL Listening interface. (ICMP and Webserver ports only). This is only required for networks with multiple LAN Segments.
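The two DNSBL points made in this thread, the VIP address (100.10.100.1 versus 10.10.100.1) and the resolver answering blocked names with the VIP instead of the real address, as an added example that is not code from the thread or from pfBlockerNG. It validates a proposed VIP against the LAN segments it must not collide with, emits the Unbound local-zone/local-data lines that sinkhole a zone and everything beneath it, and simulates the resulting answers; the Unbound line format is plain Unbound syntax, and whether pfBlockerNG writes exactly that form is an assumption, as are the sample domains and addresses.

```python
import ipaddress


def check_dnsbl_vip(vip, lan_subnets):
    """Return a list of problems with a proposed DNSBL virtual IP.

    Sinkholed clients connect to this address, so it must be a private (RFC 1918)
    address that no real host uses: a public address would send that traffic out
    the WAN, and an address inside a LAN segment would collide with that segment."""
    problems = []
    addr = ipaddress.ip_address(vip)
    if not addr.is_private:
        problems.append(f"{vip} is a public address")
    for net in lan_subnets:
        if addr in ipaddress.ip_network(net, strict=False):
            problems.append(f"{vip} lies inside LAN segment {net}")
    return problems


def build_unbound_config(blocked_zones, vip, ttl=60):
    """Unbound local-zone/local-data lines that answer a blocked zone, and through
    'redirect' every name beneath it, with the VIP instead of the real address.
    Plain Unbound syntax (assumption: pfBlockerNG's generated file may differ)."""
    lines = []
    for zone in blocked_zones:
        fqdn = zone.strip('.') + '.'
        lines.append(f'local-zone: "{fqdn}" redirect')
        lines.append(f'local-data: "{fqdn} {ttl} IN A {vip}"')
    return lines


def sinkhole_lookup(name, blocked_zones, vip, upstream):
    """Simulate the resolver: the VIP when the name or any parent domain is a
    blocked zone, otherwise the upstream answer. `upstream` is a constructed
    name -> real IP map standing in for recursion."""
    labels = name.strip('.').lower().split('.')
    blocked = {z.strip('.').lower() for z in blocked_zones}
    for i in range(len(labels)):
        if '.'.join(labels[i:]) in blocked:
            return vip
    return upstream.get('.'.join(labels))


if __name__ == '__main__':
    lans = ["192.168.1.0/24", "10.10.200.0/24"]       # constructed LAN segments
    for candidate in ("100.10.100.1", "10.10.100.1"):  # the two VIPs from the thread
        print(candidate, check_dnsbl_vip(candidate, lans) or "ok")
    print("\n".join(build_unbound_config(["ads.example"], "10.10.100.1")))
```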
cyberlocc

@RonpfS:

Any DNS request to pfSense is filtered by DNSBL when enabled. It replaces the "right" IP of a domain name with the VIP.

There is a Permit Firewall Rules option; if you click the blue "i", the infoblock should display something similar to:

This will create 'Floating' Firewall rules to allow traffic from the Selected Interface(s) to access
the DNSBL VIP on the DNSBL Listening interface. (ICMP and Webserver ports only). This is only required for networks with multiple LAN Segments.

Well, the VIPs I was talking about are handled by NAT. I get what you are saying though.

So I read that firewall rules option differently; I thought that was the ability to enable on a per-LAN basis.

The way you put it does make sense though.

Edit:

Ya, that doesn't work. If I apply the firewall rules to other interfaces, it doesn't care, still blocking it.

I did notice something though: on the first install there were visible rules on the test interface, now there aren't. When I enable the rules to allow others, they don't show up in Floating either.
RonpfS

If you don't enable the rules, the devices won't be able to reach the DNSBL service at the VIP.

For devices that don't need DNSBL blocking, configure their name service resolution to use another DNS server than the one with pfBlockerNG.
cyberlocc

@RonpfS:

If you don't enable the rules, the devices won't be able to reach the DNSBL service at the VIP.

For devices that don't need DNSBL blocking, configure their name service resolution to use another DNS server than the one with pfBlockerNG.

Okay, the way I am interpreting that is to set the device to use Google's DNS etc.?

That is not doable. I do not have control of the guests' devices, and this is hotel WiFi first and foremost. And it would eliminate the ability for 90% of businesses with the same issue to use this package; there has to be another way.

I need multiple LANs like all businesses. Blocking Facebook on the employee network is needed, but on guest it isn't and can't be. That is what this was designed to do, right? So there has to be a way to do that. In my case I do not need to disable Facebook, just block malicious sites and such and ads, and maybe more for my kids' network. However, I cannot block guest users' access to anything.
RonpfS

If the devices get their IP with DHCP, you can configure different DNS servers for the guest network.
cyberlocc

@RonpfS:

If the devices get their IP with DHCP, you can configure different DNS servers for the guest network.

But I am still only limited to 1 blocking instance?

That's what I am saying: I need guest to have no blocking instance. However, I need servers to have different sets of blocking instances. Blocking ads on the LAN is cool, but that isn't the point of this package as I was led to believe, and using this to shorten my Suricata workload is more of a goal. As well as blocking all ad sites when I need access to those ad sites on servers, but need to block other things, isn't going to work.

So what I am trying to do is have hosts files A, B, C. I need A to apply to the local LAN only, B applies to servers only, C applies to guest only.

This isn't a strange configuration; as I said, pretty much every business I ever worked for had similar if not more complex DNS blocking. Without it this is a glorified ad blocker, which I do not think was its design intent. No offense to home users that want ad blocks, but this is a business product first, right?
cyberlocc

Welp, said screw it, and went to do your suggestion and just worry about guests, and figure something else out for the servers.

Nope lol, doesn't work. Well, it does work, when I disable the guest captive portal :(. So do I have any other options? I have to have captive portal and I cannot filter their network.
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.