Can we create a diagnostic sticky?

tagit446

Hello,

I was wondering if a quick reference sticky could be created covering the different methods for diagnosing various issues with pfBlockerNG.

For example, I am experiencing an issue now where it seems like pfBlockerNG is working since things are showing up in the alerts and I can ping 10.10.10.1. I can also browse to 10.10.10.1 and get the 1x1 pixel but at the same time I can browse to domains that are in the DNSBL block list and IP's in the IPv4 block list and not get the 1x1 pixel. To be clear, I can access sites by entering the exact IP or URL in the block list.

I think a sticky that covers steps to verify pfBlockerNG is working correctly or not and diagnosing common problems people run into would be very helpful and possibly cut down on the questions being asked here.

Jailer

Did you do a force update and force reload?

tagit446

@Jailer:

Did you do a force update and force reload?

Several times actually.

I am wondering if it may have something to do with my last reinstall of pfSense.

Before uninstalling pfSense I am pretty sure it was working. I also did a complete backup using the included backup feature in pfSense.

After reinstalling pfSense I also reinstalled the pfBlockerNG package then restored my backup config. After restoring the config I did have 2 pfSense alerts for pfBlockerNG. The alerts did not make sense to me so I marked them as read. Since then no other alerts.

I also had both pfSense and pfBlockerNG updated to the latest versions before saving the config that I restored from.  In other words there are no version differences between my backup config and the current versions I am using now.

I am wishing now that I had documented the 2 alerts I mentioned.

RonpfS

The logs should tell you something

tagit446

@RonpfS:

The logs should tell you something

I do see the following in my DNSBL.Log,

DNSBL Reject,Jan 01 14:31:03,10.10.10.1,192.168.10.10, | / | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/63.0.3239.108 Safari/537.36
DNSBL Reject HTTPS,Jan 01 14:31:03,10.10.10.1
DNSBL Reject,Jan 01 14:31:03,10.10.10.1,192.168.10.10,http://10.10.10.1/ | /favicon.ico | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/63.0.3239.108 Safari/537.36
DNSBL Reject,Jan 01 17:50:07,10.10.10.1,192.168.10.10, | / | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/63.0.3239.108 Safari/537.36

192.168.10.10 is the local address for the PC I am testing on. I am unsure if the above is from me browsing to 10.10.10.1 or the reason pfBlockerNG seems to not be working.

Other than the above I do not see anything I would consider suspicious in any of the other logs.

RonpfS

You are using pfsense DNS Resolver ?
And you PCs are using pfsense for DNS service ?
Maybe post the logs after a Force Reload DNSBL ?

tagit446

@RonpfS:

You are using pfsense DNS Resolver ?
And you PCs are using pfsense for DNS service ?
Maybe post the logs after a Force Reload DNSBL ?

If my settings are correct I should be using the DNS Resolver.

Most all of my connected device are setup with static settings. For each they use the pfSense's interface gateway address for the DNS address. For example, the PC I have been using for testing pfSense has an IP of 192.168.10.10, Gateway is 192.168.10.1 and the DNS is also 192.168.10.1.