Netgate Discussion Forum
    Lose ability to access internet with pfBlockerNG?

    Category: pfBlockerNG. 7 Posts, 3 Posters, 1.1k Views
    • bw0123

      I'm running pfSense 2.4.1 with pfBlockerNG version 2.1.2_1.  For some reason, after a little bit of use, I lose the ability to even get to the internet for a few minutes.  Then it comes back and works as it should.  After some time, the same thing happens again: I lose the ability to get to the internet.  Has anyone had these issues?  What am I doing wrong?

      I just started using pfSense a couple of weeks ago and decided to have pfBlockerNG take over the duties of my Pi-hole, but it seems it isn't stable.  If I disable pfBlockerNG and use my Pi-hole instead, I have no issues.

      When I say I lose the internet, I don't just lose blocked sites.  I can't even get to any site, blocked or not.  If I ping a known blocked site like doubleclick, it doesn't even get out for a response.

      • BBcan177 (Moderator)

        First step is to enable the DNS Resolver (Unbound) and ensure that it's working (in resolver mode or forwarder mode) without the package enabled.  Sometimes DNSSEC can cause issues if you're using forwarder mode, depending on what external DNS server you defined.  Not all external DNS servers support DNSSEC.

        Then make sure that all your LAN devices are pointing to pfSense only for their DNS settings.

        Then enable pfBlockerNG DNSBL.

        If you have a multi-segmented LAN (i.e., VLANs), enable the DNSBL permit firewall rule option so that all of the LAN subnets can access the DNSBL VIP address.  This option will create a floating permit rule for the applicable interfaces that you define in that option.

        So each LAN device should be able to:

        1. ping the DNSBL VIP address and get a reply
        2. Browse to the DNSBL VIP and get the 1x1 pix

        Hope that helps!

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        • bw0123

          I have 1 WAN, 1 LAN.  Nothing complicated.

          LAN device is only pointing to pfSense for DNS settings.

          pfBlockerNG DNSBL is enabled.

          When I ping the DNSBL VIP address, I do get a reply.  As noted before, it works just fine half the time.

          Pinging 10.10.10.1 with 32 bytes of data:
          Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

          When it's working, I can ping doubleclick.net too; that works and it is blocked.

          C:\Users\bw0123>ping 10.10.10.1
          Pinging doubleclick.net [10.10.10.1] with 32 bytes of data:
          Reply from 10.10.10.1: bytes=32 time<1ms TTL=64

          The issue I have is, after some time of browsing the web, everything about getting to the internet stops working, and when I ping anything, I just can't.

          C:\Users\bw0123>ping doubleclick.net
          Ping request could not find host doubleclick.net. Please check the name and try again.

          C:\Users\bw0123>ping google.com
          Ping request could not find host google.com. Please check the name and try again.

          If I wait a couple of minutes, everything returns to normal and pings/internet access work.

          After some more time, it doesn't work again.  Rinse, repeat, etc.

          • BBcan177 (Moderator)

            It looks like either an issue on the LAN side or the gateway… Can you test from a different LAN device?

            Do you have any clues in the pfSense system log or the resolver log?

            In the Resolver adv settings, increase the log verbosity to "3" to get more detailed resolver logs...

            And ipconfig /all lists the correct LAN interface settings?


            • bw0123

              Yes, when I run ipconfig /all, I get all the correct settings on my machine.  Whenever I make any changes on the router that I know might change DNS, I do an ipconfig /renew.  I don't have another Windows machine to try from, but the loss of internet also happens on my Android phones and tablets, which might be harder for me to figure things out on.

              I might add that when I can't get out anywhere, I can still ping the VIP and get a reply from 10.10.10.1.

              I will change some settings to get more logging.  Although this is my home network, the wife and kid aren't happy when I take the network down to play… lol.

              I appreciate you helping.  Thanks.  I'll post more logs when I can.

              • bw0123

                In the routing log, I get the below, which also shows up when things are working.  I think it might be an IPv6 thing.

                Nov 4 17:55:24  radvd 41975  sendmsg: Permission denied

                For the DNS resolver log, the below.

                
                Time	Process	PID	Message
                11/4/2017 17:53	unbound	68012:0	info: implicit transparent local-zone . TYPE0 IN
                11/4/2017 17:52	unbound	68012:0	info: lower(secs) upper(secs) recursions
                11/4/2017 17:52	unbound	68012:0	info: 0.131072 0.262144 3
                11/4/2017 17:52	unbound	68012:0	debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
                11/4/2017 17:52	unbound	68012:0	debug: close of port 21479
                11/4/2017 17:52	unbound	68012:0	debug: close fd 35
                11/4/2017 17:52	unbound	68012:0	debug: close of port 30368
                11/4/2017 17:52	unbound	68012:0	debug: close fd 30
                11/4/2017 17:52	unbound	68012:0	debug: close of port 15755
                11/4/2017 17:52	unbound	68012:0	debug: close fd 33
                11/4/2017 17:52	unbound	68012:0	debug: close of port 54868
                11/4/2017 17:52	unbound	68012:0	debug: close fd 53
                11/4/2017 17:52	unbound	68012:0	debug: close of port 18489
                11/4/2017 17:52	unbound	68012:0	debug: close fd 37
                11/4/2017 17:52	unbound	68012:0	debug: close of port 52789
                11/4/2017 17:52	unbound	68012:0	debug: close fd 63
                11/4/2017 17:52	unbound	68012:0	debug: close of port 56551
                11/4/2017 17:52	unbound	68012:0	debug: close fd 23
                11/4/2017 17:52	unbound	68012:0	debug: close of port 57953
                11/4/2017 17:52	unbound	68012:0	debug: close fd 42
                11/4/2017 17:52	unbound	68012:0	info: server stats for thread 3: 32 queries, 13 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
                11/4/2017 17:52	unbound	68012:0	info: server stats for thread 3: requestlist max 12 avg 7.05263 exceeded 0 jostled 0
                11/4/2017 17:52	unbound	68012:0	info: mesh has 14 recursion states (12 with reply, 0 detached), 16 waiting replies, 3 recursion replies sent, 0 replies dropped, 0 states jostled out
                11/4/2017 17:52	unbound	68012:0	info: average recursion processing time 0.181934 sec
                11/4/2017 17:52	unbound	68012:0	info: histogram of recursion processing times
                11/4/2017 17:52	unbound	68012:0	info: [25%]=0 median[50%]=0 [75%]=0
                11/4/2017 17:52	unbound	68012:0	info: lower(secs) upper(secs) recursions
                11/4/2017 17:52	unbound	68012:0	info: 0.131072 0.262144 3
                11/4/2017 17:52	unbound	68012:0	debug: cache memory msg=66072 rrset=66072 infra=5971 val=67620
                11/4/2017 17:52	unbound	68012:0	debug: close of port 65343
                11/4/2017 17:52	unbound	68012:0	debug: close fd 36
                11/4/2017 17:52	unbound	68012:0	debug: close of port 57340
                11/4/2017 17:52	unbound	68012:0	debug: close fd 39
                11/4/2017 17:52	unbound	68012:0	debug: close of port 14419
                11/4/2017 17:52	unbound	68012:0	debug: close fd 25
                11/4/2017 17:52	unbound	68012:0	debug: close of port 18073
                11/4/2017 17:52	unbound	68012:0	debug: close fd 31
                11/4/2017 17:52	unbound	68012:0	debug: close of port 28124
                11/4/2017 17:52	unbound	68012:0	debug: close fd 66
                11/4/2017 17:52	unbound	68012:0	debug: close of port 18404
                11/4/2017 17:52	unbound	68012:0	debug: close fd 24
                11/4/2017 17:52	unbound	68012:0	debug: close of port 14335
                11/4/2017 17:52	unbound	68012:0	debug: close fd 38
                11/4/2017 17:52	unbound	68012:0	debug: close of port 25933
                11/4/2017 17:52	unbound	68012:0	debug: close fd 52
                11/4/2017 17:52	unbound	68012:0	debug: close of port 18124
                11/4/2017 17:52	unbound	68012:0	debug: close fd 34
                11/4/2017 17:52	unbound	68012:0	debug: close of port 29341
                11/4/2017 17:52	unbound	68012:0	debug: close fd 44
                11/4/2017 17:52	unbound	68012:0	notice: Restart of unbound 1.6.6.
                
                

                Not sure what it all means.

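The resolver log above ends with "notice: Restart of unbound 1.6.6.", and that line deserves more attention than the debug noise around it: while Unbound is restarting it answers nothing, which from a LAN client looks exactly like the intermittent "could not find host" in the ping output earlier in the thread. pfBlockerNG reloads or restarts Unbound after it rebuilds the DNSBL lists, and pfSense also restarts Unbound on lease events when "Register DHCP leases in the DNS Resolver" is enabled, so the next check is to count the restart notices and line their timestamps up against the moments a client lost resolution. The script below is an added example written for this thread, not code from pfSense or pfBlockerNG. It parses the tab-separated Time/Process/PID/Message layout of the posted log; the sample it runs on is constructed in that layout (the 17:52 rows mirror the post, the 17:40 and 18:05 restarts are invented to show the interval calculation).

```python
import re
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %H:%M"   # timestamp layout of the log as posted
RESTART_RE = re.compile(r"notice: Restart of unbound (\S+)\.")
STATS_RE = re.compile(
    r"server stats for thread \d+: (\d+) queries, (\d+) answers from cache, (\d+) recursions"
)

# Constructed sample in the posted Time/Process/PID/Message layout. The
# 17:52 rows mirror the thread; the 17:40 and 18:05 restarts are invented.
SAMPLE_LOG = """\
Time\tProcess\tPID\tMessage
11/4/2017 17:40\tunbound\t68012:0\tnotice: Restart of unbound 1.6.6.
11/4/2017 17:52\tunbound\t68012:0\tinfo: server stats for thread 3: 32 queries, 13 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
11/4/2017 17:52\tunbound\t68012:0\tnotice: Restart of unbound 1.6.6.
11/4/2017 17:53\tunbound\t68012:0\tinfo: implicit transparent local-zone . TYPE0 IN
11/4/2017 18:05\tunbound\t68012:0\tnotice: Restart of unbound 1.6.6.
"""


def parse_line(line):
    """Split one tab-separated row into (time, process, pid, message).

    Returns None for the header row, blank rows or anything else that does
    not carry a parseable timestamp.
    """
    parts = line.strip().split("\t")
    if len(parts) != 4:
        return None
    try:
        when = datetime.strptime(parts[0].strip(), TIME_FMT)
    except ValueError:
        return None
    return when, parts[1].strip(), parts[2].strip(), parts[3].strip()


def find_restarts(log_text):
    """Timestamps of every 'Restart of unbound' notice, in log order."""
    restarts = []
    for line in log_text.splitlines():
        row = parse_line(line)
        if row and row[1] == "unbound" and RESTART_RE.search(row[3]):
            restarts.append(row[0])
    return restarts


def restart_intervals(restarts):
    """Minutes between consecutive restarts."""
    ordered = sorted(restarts)
    return [(b - a).total_seconds() / 60 for a, b in zip(ordered, ordered[1:])]


def restart_preceding(outage_at, restarts, window_minutes=5):
    """The latest restart within `window_minutes` before (or at) the moment
    a client reported losing resolution, formatted like the log, or None.

    `outage_at` is a string in the log's own timestamp format, e.g. the
    time of a failed 'ping doubleclick.net' noted on a LAN machine.
    """
    when = datetime.strptime(outage_at, TIME_FMT)
    window = timedelta(minutes=window_minutes)
    hits = [r for r in restarts if timedelta(0) <= when - r <= window]
    return max(hits).strftime(TIME_FMT) if hits else None


def query_totals(log_text):
    """Sum the per-thread 'server stats' counters so a reader can see how
    much of the load was served from cache versus recursed upstream."""
    totals = {"queries": 0, "from_cache": 0, "recursions": 0}
    for line in log_text.splitlines():
        row = parse_line(line)
        m = STATS_RE.search(row[3]) if row else None
        if m:
            totals["queries"] += int(m.group(1))
            totals["from_cache"] += int(m.group(2))
            totals["recursions"] += int(m.group(3))
    return totals


def summarize(log_text):
    restarts = find_restarts(log_text)
    return {
        "restart_count": len(restarts),
        "restart_times": [r.strftime(TIME_FMT) for r in restarts],
        "intervals_min": restart_intervals(restarts),
        "totals": query_totals(log_text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("outage at 17:53 preceded by restart:",
          restart_preceding("11/4/2017 17:53", find_restarts(SAMPLE_LOG)))
```

Feed it the full resolver log exported from Status > System Logs with verbosity raised as suggested above, and note the time of each client-side failure; a restart notice inside the few minutes before every outage points at whatever triggers the restart (DNSBL list updates on the pfBlockerNG cron schedule, or DHCP lease registration), whereas outages with no restart nearby point back at the LAN or gateway side.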
                • RonpfS

                  If you do

                  nslookup doubleclick.net
                  Serveur :   pfsense.somewhere
                  Address:  172.47.18.71
                  
                  Nom :    doubleclick.net
                  Address:  10.10.10.1
                  
                  

                  you should see your pfsense box replying.
                  If not, then either your pfSense configuration for the DNS service is incorrect, or your LAN device uses another DNS server for its answers.

                  Check your device DNS configuration; if you are using an Internet Security suite like AVG, maybe it overrides DNS resolution.  Have a look at
                  @BBcan177:

                  @xphiles:

                  so after much troubleshooting and trying things at the firewall level, i disabled my full avg protection and it works on the host(s) in question. so I have to granularly figure out which service in AVG is messing up my dns

                  I think this is what you were looking for:
                      https://help.avg.com/en/avg_free/17/securityantivirus_securedns.html

                  You can configure the pfSense DHCP server to provide the correct DNS/DNSBL server to devices.

                  2.4.5-RELEASE-p1 (amd64)
                  Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                  Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

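RonpfS's nslookup check and BBcan177's earlier checklist (every LAN device resolving through pfSense only, and a blocked name such as doubleclick.net answering with the DNSBL VIP) can be turned into a small classifier that also recognises the "could not find host" state from the ping output earlier in the thread. The script below is an added example, not code from the thread or from pfBlockerNG: it parses Windows nslookup output in either the English layout or the French one quoted above, takes the pfSense LAN address and the DNSBL VIP as parameters, and returns one of four verdicts. The transcripts it ships with are constructed; 192.168.1.1 stands in for the pfSense LAN address and 203.0.113.53 for some third-party resolver, while 10.10.10.1 is the VIP used in the thread.

```python
import re

# Windows nslookup localises its labels; the French forms are the ones in the
# transcript quoted in the thread, the English forms appear on en-US systems.
SERVER_LABELS = {"server", "serveur"}
NAME_LABELS = {"name", "nom"}
ADDRESS_LABELS = {"address", "addresses", "adresse", "adresses"}
# Phrases nslookup prints when the resolver gave no usable answer at all.
FAILURE_RE = re.compile(
    r"can't find|could not find|non-existent domain|server failed|request timed out",
    re.IGNORECASE,
)
# A bare continuation line under "Addresses:" (IPv4 or IPv6 literal only).
IP_LITERAL_RE = re.compile(r"^[0-9a-fA-F.:]+$")

# Constructed transcripts (not copied from the thread). 192.168.1.1 stands in
# for the pfSense LAN address, 203.0.113.53 for some other resolver, and
# 10.10.10.1 is the DNSBL VIP used in the thread.
SAMPLE_SINKHOLED = """\
Serveur :   pfsense.home
Address:  192.168.1.1

Nom :    doubleclick.net
Address:  10.10.10.1
"""
SAMPLE_WRONG_RESOLVER = """\
Server:  resolver.example.net
Address:  203.0.113.53

Non-authoritative answer:
Name:    doubleclick.net
Addresses:  203.0.113.5
          2001:db8::5
"""
SAMPLE_FAILED = """\
Server:  pfsense.home
Address:  192.168.1.1

*** pfsense.home can't find doubleclick.net: Server failed
"""


def parse_nslookup(output):
    """Return (server_ip, answer_ips) from an nslookup transcript.

    The first Address under Server/Serveur is the resolver that answered;
    every Address/Addresses value (and bare continuation line) under
    Name/Nom is an answer record.
    """
    server_ip = None
    answers = []
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, value = line.partition(":")
        key = label.strip().lower()
        if sep and key in SERVER_LABELS:
            section = "server"
            continue
        if sep and key in NAME_LABELS:
            section = "answer"
            continue
        if sep and key in ADDRESS_LABELS:
            ip = value.strip().split("#")[0]  # BIND-style nslookup appends "#53"
        elif IP_LITERAL_RE.match(line):
            ip = line                         # continuation line of "Addresses:"
        else:
            continue                          # e.g. "Non-authoritative answer:"
        if not ip:
            continue
        if section == "server" and server_ip is None:
            server_ip = ip
        elif section == "answer":
            answers.append(ip)
    return server_ip, answers


def check_dnsbl(output, pfsense_ip, dnsbl_vip):
    """Map one nslookup run onto the checklist from the thread.

    resolution-failed : no answer at all (the 'could not find host' state)
    wrong-resolver    : the client asked something other than pfSense
    sinkholed         : pfSense answered with the DNSBL VIP (blocked as intended)
    not-sinkholed     : pfSense answered, but with the real address
    """
    if FAILURE_RE.search(output):
        return "resolution-failed"
    server_ip, answers = parse_nslookup(output)
    if server_ip != pfsense_ip:
        return "wrong-resolver"
    if dnsbl_vip in answers:
        return "sinkholed"
    return "not-sinkholed"


if __name__ == "__main__":
    for name, sample in (("sinkholed", SAMPLE_SINKHOLED),
                         ("wrong resolver", SAMPLE_WRONG_RESOLVER),
                         ("failed", SAMPLE_FAILED)):
        print(f"{name:15s} -> {check_dnsbl(sample, '192.168.1.1', '10.10.10.1')}")
```

A "wrong-resolver" verdict is the AVG-style case RonpfS describes (something on the client answering instead of pfSense); "not-sinkholed" means pfSense answered but DNSBL did not rewrite the name, so the list or the Unbound integration is the thing to look at; "resolution-failed" captured during one of the outages, with the DNSBL VIP still pingable as bw0123 reports, says the resolver itself is not answering rather than the network path being down.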
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.