Lose ability to access internet with pfBlockerNG?



  • I'm running pfSense 2.4.1 with pfBlockerNG version 2.1.2_1.  For some reason, after a little bit of use, I lose the ability to even get to the internet for a few minutes.  Then it comes back and works as it should.  After some time, again.  Same thing.  I lose the ability to get to the internet.  Has anyone had these issues?  What am I doing wrong?

    I just started using pfSense a couple of weeks ago and decided to have pfBlockerNG take over the duties of my pi-hole, but it seems it isn't stable.  If I disable pfBlockerNG and use my pi-hole instead, I have no issues.

    When I say I lose the internet, I don't just lose blocked sites.  I can't even get to any site, blocked or not.  If I ping a known blocked site like doubleclick, it doesn't even get out for a response.


  • Moderator

    First step is to enable the DNS Resolver (Unbound) and ensure that it's working (in Resolver mode or Forwarder mode) without the package enabled. Sometimes DNSSEC can cause issues if you're using Forwarder mode, depending on what external DNS server you defined. Not all external DNS servers support DNSSEC.

    Then make sure that all your LAN devices are pointing to pfSense only for its DNS settings.

    Then enable pfBlockerNG DNSBL.

    If you have a multi-segmented LAN (ie: VLANs), enable the DNSBL permit firewall rule option so that all of the LAN subnets can access the DNSBL VIP address. This option will create a Floating Permit rule for the applicable interfaces that you define in that option.

    So each LAN device should be able to:

    1. ping the DNSBL VIP address and get a reply
    2. Browse to the DNSBL VIP and get the 1x1 pix

    Hope that helps!



  • I have 1 WAN, 1 LAN.  Nothing complicated.

    LAN device is only pointing to pfSense for DNS settings.

    pfBlockerNG DNSBL is enabled.

    When I ping the DNSBL VIP address, I do get a reply.  As noted before, it works just fine half the time.

    Pinging 10.10.10.1 with 32 bytes of data:
    Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

    When working, I can ping doubleclick.net and that works too and is blocked.

    C:\Users\bw0123>ping 10.10.10.1
    Pinging doubleclick.net [10.10.10.1] with 32 bytes of data:
    Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

    The issue I have is, after some time of browsing the web, everything about getting to the internet stops working, and when I ping anything, I just can't do it.

    C:\Users\bw0123>ping doubleclick.net
    Ping request could not find host doubleclick.net. Please check the name and try again.

    C:\Users\bw0123>ping google.com
    Ping request could not find host google.com. Please check the name and try again.

    If I wait a couple of minutes, everything returns to normal and pings/internet access work.

    After some more time, it doesn't work again.  Rinse, repeat, etc.


  • Moderator

    It looks like either an issue on the LAN side or the gateway… Can you test from a different LAN device?

    Do you have any clues in the pfSense system log or the resolver log?

    In the Resolver adv settings, increase the log verbosity to "3" to get more detailed resolver logs...

    And "ipconfig /all" lists the correct LAN interface settings?



  • Yes, when I run ipconfig /all, I get all the correct settings on my machine.  Whenever I make any changes on the router that I know might change DNS, I do an ipconfig /renew.  I don't have another Windows machine to try from, but the loss of internet also happens on my Android phones and tablets, which might be harder for me to figure things out on.

    I might add that when I can't get out anywhere, I can still ping the VIP and get a reply from 10.10.10.1.

    I will change some settings to get more logging.  Although this is my home network, the wife and kid aren't happy when I take the network down to play…lol.

    I appreciate you helping.  Thanks.  I'll post more logs when I can.



  • In the routing log, I get the below, which also shows up when things are working.  I think it might be an IPv6 thing.

    Nov 4 17:55:24  radvd 41975  sendmsg: Permission denied

    For the DNS resolver log, the below.

    Time	Process	PID	Message
    11/4/2017 17:53	unbound	68012:0	info: implicit transparent local-zone . TYPE0 IN
    11/4/2017 17:52	unbound	68012:0	info: lower(secs) upper(secs) recursions
    11/4/2017 17:52	unbound	68012:0	info: 0.131072 0.262144 3
    11/4/2017 17:52	unbound	68012:0	debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
    11/4/2017 17:52	unbound	68012:0	debug: close of port 21479
    11/4/2017 17:52	unbound	68012:0	debug: close fd 35
    11/4/2017 17:52	unbound	68012:0	debug: close of port 30368
    11/4/2017 17:52	unbound	68012:0	debug: close fd 30
    11/4/2017 17:52	unbound	68012:0	debug: close of port 15755
    11/4/2017 17:52	unbound	68012:0	debug: close fd 33
    11/4/2017 17:52	unbound	68012:0	debug: close of port 54868
    11/4/2017 17:52	unbound	68012:0	debug: close fd 53
    11/4/2017 17:52	unbound	68012:0	debug: close of port 18489
    11/4/2017 17:52	unbound	68012:0	debug: close fd 37
    11/4/2017 17:52	unbound	68012:0	debug: close of port 52789
    11/4/2017 17:52	unbound	68012:0	debug: close fd 63
    11/4/2017 17:52	unbound	68012:0	debug: close of port 56551
    11/4/2017 17:52	unbound	68012:0	debug: close fd 23
    11/4/2017 17:52	unbound	68012:0	debug: close of port 57953
    11/4/2017 17:52	unbound	68012:0	debug: close fd 42
    11/4/2017 17:52	unbound	68012:0	info: server stats for thread 3: 32 queries, 13 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
    11/4/2017 17:52	unbound	68012:0	info: server stats for thread 3: requestlist max 12 avg 7.05263 exceeded 0 jostled 0
    11/4/2017 17:52	unbound	68012:0	info: mesh has 14 recursion states (12 with reply, 0 detached), 16 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
    11/4/2017 17:52	unbound	68012:0	info: average recursion processing time 0.181934 sec
    11/4/2017 17:52	unbound	68012:0	info: histogram of recursion processing times
    11/4/2017 17:52	unbound	68012:0	info: [25%]=0 median[50%]=0 [75%]=0
    11/4/2017 17:52	unbound	68012:0	info: lower(secs) upper(secs) recursions
    11/4/2017 17:52	unbound	68012:0	info: 0.131072 0.262144 3
    11/4/2017 17:52	unbound	68012:0	debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
    11/4/2017 17:52	unbound	68012:0	debug: close of port 65343
    11/4/2017 17:52	unbound	68012:0	debug: close fd 36
    11/4/2017 17:52	unbound	68012:0	debug: close of port 57340
    11/4/2017 17:52	unbound	68012:0	debug: close fd 39
    11/4/2017 17:52	unbound	68012:0	debug: close of port 14419
    11/4/2017 17:52	unbound	68012:0	debug: close fd 25
    11/4/2017 17:52	unbound	68012:0	debug: close of port 18073
    11/4/2017 17:52	unbound	68012:0	debug: close fd 31
    11/4/2017 17:52	unbound	68012:0	debug: close of port 28124
    11/4/2017 17:52	unbound	68012:0	debug: close fd 66
    11/4/2017 17:52	unbound	68012:0	debug: close of port 18404
    11/4/2017 17:52	unbound	68012:0	debug: close fd 24
    11/4/2017 17:52	unbound	68012:0	debug: close of port 14335
    11/4/2017 17:52	unbound	68012:0	debug: close fd 38
    11/4/2017 17:52	unbound	68012:0	debug: close of port 25933
    11/4/2017 17:52	unbound	68012:0	debug: close fd 52
    11/4/2017 17:52	unbound	68012:0	debug: close of port 18124
    11/4/2017 17:52	unbound	68012:0	debug: close fd 34
    11/4/2017 17:52	unbound	68012:0	debug: close of port 29341
    11/4/2017 17:52	unbound	68012:0	debug: close fd 44
    11/4/2017 17:52	unbound	68012:0	notice: Restart of unbound 1.6.6.

    Not sure what it all means.
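The resolver log above ends with a "notice: Restart of unbound 1.6.6." line, and the PID column (pid:thread) changes whenever the process is replaced. As an added example, not code from this thread, from pfSense or from pfBlockerNG, the Python script below parses the tab-separated Time/Process/PID/Message layout of that log export, lists the restart notices and the PIDs seen, and pulls the per-thread query counters and the "waiting replies" figure out of the periodic stats lines, so the restart times can be lined up against the minutes when clients report "could not find host". The embedded sample log is constructed: three rows are copied from the post above, the rows with PID 55100 and the 17:40/17:30 timestamps are made up, and the column layout and minute-resolution timestamps are assumed to match what the pfSense log viewer exports.

```python
"""Summarise a pfSense DNS Resolver (Unbound) log export: restarts, PIDs,
per-thread cache statistics and outstanding ('waiting') replies."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample (assumption: same tab-separated layout as the thread's
# export, newest line first). Rows with PID 55100 and the 17:40/17:30 times
# are invented; the other unbound rows are taken from the post.
SAMPLE_LOG = """\
Time\tProcess\tPID\tMessage
11/4/2017 17:53\tunbound\t68012:0\tinfo: implicit transparent local-zone . TYPE0 IN
11/4/2017 17:52\tunbound\t68012:0\tinfo: server stats for thread 3: 32 queries, 13 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
11/4/2017 17:52\tunbound\t68012:0\tinfo: mesh has 14 recursion states (12 with reply, 0 detached), 16 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
11/4/2017 17:52\tunbound\t68012:0\tnotice: Restart of unbound 1.6.6.
11/4/2017 17:40\tunbound\t55100:0\tinfo: server stats for thread 0: 10 queries, 9 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting
11/4/2017 17:40\tunbound\t55100:0\tnotice: Restart of unbound 1.6.6.
11/4/2017 17:30\tradvd\t41975\tsendmsg: Permission denied
"""

HEADER = "Time\tProcess\tPID\tMessage"
STATS_RE = re.compile(r"server stats for thread (\d+): (\d+) queries, "
                      r"(\d+) answers from cache, (\d+) recursions")
MESH_RE = re.compile(r"mesh has (\d+) recursion states.*?, (\d+) waiting replies")


@dataclass
class Event:
    time: datetime
    pid: int        # unbound process id (part before ':' in the PID column)
    thread: int     # worker thread (part after ':')
    level: str      # info / debug / notice / ...
    text: str       # message with the level prefix removed


def parse_unbound_log(export: str) -> list:
    """Parse the export into Events, oldest first, keeping only unbound rows."""
    events = []
    for raw in export.splitlines():
        line = raw.strip()
        if not line or line == HEADER:
            continue
        parts = line.split("\t")
        if len(parts) != 4 or parts[1] != "unbound":
            continue  # other processes (e.g. radvd) or malformed rows
        ts, _, pid_field, msg = parts
        pid_s, _, thread_s = pid_field.partition(":")
        level, _, text = msg.partition(": ")
        events.append(Event(datetime.strptime(ts, "%m/%d/%Y %H:%M"),
                            int(pid_s), int(thread_s or 0), level, text))
    events.sort(key=lambda e: e.time)  # export is newest first; work oldest first
    return events


def restart_events(events: list) -> tuple:
    """Times of 'Restart of unbound' notices and the distinct PIDs observed.
    A new PID means a new unbound process even if the notice was not logged."""
    notices = [e.time for e in events
               if e.level == "notice" and e.text.startswith("Restart of unbound")]
    return notices, sorted({e.pid for e in events})


def thread_stats(events: list) -> dict:
    """Latest per-thread counters from the periodic 'server stats' lines."""
    stats = {}
    for e in events:
        m = STATS_RE.search(e.text)
        if m:
            thread, queries, cached, recursions = map(int, m.groups())
            stats[thread] = {"queries": queries, "from_cache": cached,
                             "recursions": recursions,
                             "hit_ratio": round(cached / queries, 3) if queries else 0.0}
    return stats


def max_waiting_replies(events: list) -> int:
    """Largest 'waiting replies' count seen in the mesh statistics lines."""
    counts = [int(m.group(2)) for e in events
              for m in [MESH_RE.search(e.text)] if m]
    return max(counts, default=0)


def summarize(export: str) -> dict:
    events = parse_unbound_log(export)
    restarts, pids = restart_events(events)
    return {
        "events": len(events),
        "restarts": len(restarts),
        "restart_times": [t.strftime("%H:%M") for t in restarts],
        "pids": pids,
        "threads": thread_stats(events),
        "max_waiting_replies": max_waiting_replies(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run it as a script to print the summary as JSON, or call summarize() on the text of an export saved from the pfSense log viewer. Several restart times or PIDs within a short window are the thing to compare with the minutes the clients could not resolve anything; the per-thread hit ratio and the waiting-replies count show whether the resolver was otherwise busy at the time.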



  • If you do

    nslookup doubleclick.net
    Serveur :   pfsense.somewhere
    Address:  172.47.18.71
    
    Nom :    doubleclick.net
    Address:  10.10.10.1
    
    

    you should see your pfSense box replying.
    If not, then either your pfSense configuration for the DNS service is incorrect, or your LAN device uses another DNS server for answers.

    Check your device DNS configuration; if you are using Internet Security like AVG, maybe they override DNS resolution. Have a look at
    @BBcan177:

    @xphiles:

    So after much troubleshooting and trying things at the firewall level, I disabled my full AVG protection and it works on the host(s) in question. So I have to granularly figure out which service in AVG is messing up my DNS

    I think this is what you were looking for:
        https://help.avg.com/en/avg_free/17/securityantivirus_securedns.html

    You can configure the pfSense DHCP server to provide the correct DNS/DNSBL server for devices

