Cannot block dnsbl with OpenVPN

  • Hi all!

    Okay, so my problem is that I cannot block DNSBL list when using OpenVPN. And the thing is that I think I had this working before updating pfSense to 2.4.2 from 2.4.1  :-\

    I followed this guide to set up OpenVPN and this guide to setup pfBlockerNG

    I have two lists, Malware and Advertising. The packets column on dashboard doesn't increment. But the "Firehole_1" list seems to work, that column increments  ::)

  • Did you set up an interface for your OpenVPN? Did you select the OpenVPN in general settings on your pfBlockerNG? When you entered your lists in DNSBL did you select outbound on that page?

  • I think this issue is using the VPN's DNS servers. I have the same problem.

    But what other DNS servers would be safe to use that wouldn't leak your DNS?

    Just use Google's? Or is there another way around this?

  • A couple of things going on for both of you…

    A couple of thoughts:

    mricecool - Firehole_1 is a buggy list and I believe it has a tendency to not play well with pfBlocker; however it seems to be working for you. It has RFC1918 IPs that block traffic, not sure that's your problem. I am on 2.4.2 and blocking DNSBL (I am seeing alerts and no ads)

    Tom7755 - Your issue is likely your DNS settings, take a look at these links that helped me out:

    Also take a look at this link for my rules at one point in time:
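The point V3lcr0 raises about Firehole_1 carrying RFC1918 addresses is worth checking mechanically before a list is loaded, since an IPv4 block list that overlaps private, loopback or link-local space will cut off LAN traffic rather than threats. The following is an added example, not code from the thread, pfSense or pfBlockerNG; it assumes the list is plain text with one IP or CIDR per line and `#` comments, and the list contents are constructed sample data.

```python
import ipaddress

# Ranges a LAN firewall must never sink: overlapping them blocks local traffic.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "0.0.0.0/8",                                        # "this" network
    "255.255.255.255/32",                               # limited broadcast
)]

# Constructed sample list in the one-entry-per-line format assumed above.
SAMPLE_LIST = """\
# example block list (constructed)
203.0.113.0/24
192.168.0.0/16      # RFC1918 range that would knock out the LAN
10.8.0.5            # single host inside RFC1918 space
198.51.100.42
not-an-address      # malformed line, skipped
2001:db8::/32       # IPv6 entry, compared only against same-version ranges
"""

def parse_list(text):
    """Parse the list into ip_network objects; drop comments and bad lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip the malformed entry instead of rejecting the list
    return nets

def find_local_overlaps(nets):
    """Return (entry, local_range) pairs for entries that touch local space."""
    hits = []
    for n in nets:
        for r in LOCAL_RANGES:
            if n.version == r.version and n.overlaps(r):
                hits.append((str(n), str(r)))
    return hits

def sanitize(nets):
    """The mitigation: keep only entries that do not overlap local ranges."""
    flagged = {entry for entry, _ in find_local_overlaps(nets)}
    return [n for n in nets if str(n) not in flagged]

if __name__ == "__main__":
    parsed = parse_list(SAMPLE_LIST)
    for entry, local in find_local_overlaps(parsed):
        print(f"WARNING: {entry} overlaps local range {local}")
    print("safe to load:", [str(n) for n in sanitize(parsed)])
```

Run it against the real list before pointing pfBlockerNG at it; a single hit such as `192.168.0.0/16` explains exactly the "everything broke" symptom described later in this thread.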

  • V3lcr0,

    Thank you for your reply.

    First link: I couldn't find anything there related to DNS. Is that what you meant to send? I'm not sure how to use anything there to solve a DNS issue.

    Second link: I found the following steps:

    To do this I have set up my pfSense settings as follows:
    Services -> DNS Resolver -> General settings
    -Network Interfaces - I have only my internal interfaces selected (i.e. LAN and VLANs in my case)…you also need to select "Localhost"
    -Outgoing Network Interfaces - I only have my VPN interface selected

    System -> General Setup

    • DNS Server Override and Disable DNS Forwarder are NOT checked
    • No DNS Servers are selected

    Services -> DHCP Server -> LAN

    • No DNS Servers assigned

    That wiped out all DNS and I couldn't reach any site until I put and back, so I turned off the resolver. Unless that's only a snippet of a larger story, that doesn't seem to work for me. (I wasn't clear about "I only have my VPN interface selected" The closest possibility I had in that list was WAN, but I don't know if that is what was meant. I didn't have any choice related to OpenVPN.)

    Third link:
    I tried to create rules similar to yours, but I wasn't able to replicate those using the menu-driven comments. For example, I couldn't find anything that said IOT_Devices. Also, I wasn't sure which section in the firewall said rules would go as there are 4 possibilities:

  • I currently use OpenVPN through my provider ExpressVPN and also use pfBlockerNG so I assume your setup is similar to mine but with a different VPN provider.

    I still have a lot to learn about pfSense but I do have OpenVPN working with pfBlockerNG with no DNS leaks.

    Here are a couple of things that worked for me that you could check: (NOTE, I am assuming your VPN is properly setup and working)
    1. Enable the DNS resolver, Disable DNS Forwarder
    2. On DNS resolver page, for "Network Interfaces" choose all your Local Interfaces such as LAN and also choose Localhost, for "Outgoing Network Interfaces" choose just your VPN Interface.
    3. When you set up pfSense the install should have created an allow-to-anything rule on your LAN. Go to that rule and edit it, choose your VPN gateway in advanced options and save. Do this for each of your local LANs.
    4. Go to System -> General Setup and make sure "DNS Server Override" and "Disable DNS Forwarder" are unchecked.
    5. Go to pfBlockerNG -> General -> Interface/Rules Configuration. For "Inbound Firewall Rules" choose your WAN and VPN Interface. For "Outbound Firewall Rules" choose all your local interfaces such as LAN.

    With the above settings I can go to and do a DNS leak test with the test results saying I have no leaks. I can also browse to a DNSBL blocked address and get the 1x1 pixel so I know that's working. Again I have a lot to learn and these settings may not be ideal depending on your particular setup but they seem to work for me.

    If you change any of the settings I mentioned above but still have no joy, try rebooting your pfSense box after the changes.

  • Thanks. I'll give that a try over the weekend.

  • Tom7755,
    I did mean to send this link: I added this to my DNS (port 53) rule as a kind of "Kill Switch" for my DNS queries. I was noticing when my VPN went down queries were going out my WAN…not 100% sure it's needed but keep it anyway.

    Here are a few links that might help you out, some folks were super cool and very helpful when I got started:

    Good luck. DNS Resolver (a.k.a. Unbound) is pretty key to getting your network tight.

  • I think I've decided to give up trying to get the ad filter working. My house is full of tech (and not mostly computers and phones) and every time I fixed one thing, two other things broke. I couldn't play music on my Sonos yesterday as something broke that. My Echo dot couldn't turn off my lights. I was ready to jump off the balcony (kidding) but as soon as I pulled this thing off the main line (between router and WAN), everything worked again.

    So I finally decided to put it where I need it–between the weaker links (namely the TV streaming stuff that doesn't need an ad filter) and the router. I don't think it will cause me all of these headaches there.

    That's what I originally bought this for but after reading this site I thought it might be interesting to try this as a whole house filter, but that just isn't working out. I can run Adguard and local VPN when I need it, and I guess the silver lining here is that it is much more convenient to control those things locally from my menubar as I quickly learned.

    That said, thank you tagit446 and V3lcr0 for your assistance!

  • Don't give up! You're likely very close…

    Not to add additional complications but maybe set up a few separate VLAN networks...i.e. one for guest, 1 for IOT stuff, 1 for your privacy/security.

    Take a break and get back on the horse...don't let the IOT privacy thieves win!

  • Haha… I don't have the slightest idea how to do that. I can't even get it working on a single LAN.

  • Put it this way: I would–very literally--need a complete walkthrough to accomplish that, and I can't even find a basic one for setting up pfBlocker with OpenVPN let alone configuring three separate virtual LANS so that I can still communicate with--say--my thermostat and door locks when I'm in Asia.

    I can't even imagine how complicated that would become given how difficult just getting adblocking working is.

  • Tom7755,
    Not sure of your hardware but I would suggest you reset your box to factory settings and start again. I would get your LAN set up and then dive into VLANs later...start simple. The default settings of pfSense should work out the start...

    In terms of hardware, it sounds like you have a pfSense box but get a Unifi AP (+/-$100) to start...then when you decide to get into VLANs get a smart switch (As little as $40-$50).

    Start with GeoIP blocker, IPv4 lists and then dive into DNSBL (this is the trickiest):

    IPV4 lists:

    Use the Top 20 list to start (Biggest mistake I made and others is blocking too many countries)

    DNSBL list:

    Post up screenshots of your settings and I (and others) would be more than happy to help out...might ask for other settings later. But make sure you can at least start with basic connectivity to the net without pfBlockerNG.

    There are a lot of settings in pfSense which make it overwhelming but key ones to get to know are:
    DNS resolver
    Client Leases
    Firewall logs

    Start a new question in the other sections if you need help beyond pfBlockerNG.

  • The pfSense box is a mini pc as follows:
    CPU: Intel Braswell Processor J3160 quad-core 1.6 GHz, AES-NI
    2G DDR3 Ram 32G Msata SSD NO WIFI
    2 Gigabit LAN+2 HD Video Display+4 usb 3.0+2 usb 3.0

    I have this switch:
    TP-Link 8-Port Gigabit Ethernet Easy Smart Switch Managed Plus (TL-SG108E)


    Are you suggesting that I use the Unifi AP rather than my ASUS router in AP mode?

    What is the point of GeoIP blocking when hackers would typically use VPNs?

  • Not familiar with your hardware but if your Asus router can handle VLANs in AP mode you should be good. I am sure others have more experience with this…it's likely good for a single WLAN.

    You have a managed switch which can handle VLANs (although some have expressed concern with TP-Link...I am sure it is fine!)

    As mentioned it looks like your pfbox works...nice RAM (32G)!

    The Unifi AP is well regarded and super easy to setup for VLANs. Again find out if your ASUS supports VLANs before spending the $100.

    Not a huge value in GeoBlocking, I also share the same concern...TOR, VPN, hijacked PC are likely the hackers' route. I only suggested getting IPv4 and GeoBlocking as a way to get started with pfBlockerNG. The real prize, I found, is with DNSBL in the blocking of ads but it requires you to make sure your DNS Resolver is set specifically.

    Make sure you can navigate to the DNSBL Virtual IP...if not it won't work. Also go to the alerts tab and see if you get an alert after navigating to the DNSBL Virtual IP....
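Both tagit446's "browse to a DNSBL blocked address and get the 1x1 pixel" check and V3lcr0's "navigate to the DNSBL Virtual IP" check rely on the same mechanism: pfBlockerNG writes Unbound `local-zone`/`local-data` entries so a listed domain and everything beneath it resolve to the DNSBL virtual IP, and a small web server on that IP serves the pixel. If clients are handed the VPN provider's DNS instead of Unbound (the DHCP and Resolver settings discussed above), the name resolves to its real address and nothing is blocked. The script below is an added example, not code from the thread, pfSense or pfBlockerNG; the VIP value `10.10.10.1`, the list entries and the "observed" answers are constructed, and the whitelist-as-transparent-zone behaviour is an assumption about how the override is expressed in Unbound.

```python
# Constructed sample values: the VIP is assumed to be pfBlockerNG's default.
DNSBL_VIP = "10.10.10.1"
BLOCKED = ["ads.example", "tracker.example.net"]
WHITELIST = ["cdn.ads.example"]            # exception underneath a blocked zone
UPSTREAM = {                               # what the real internet answers
    "www.example.com": "203.0.113.10",
    "cdn.ads.example": "198.51.100.7",
    "img.ads.example": "198.51.100.8",
    "tracker.example.net": "203.0.113.55",
}

def normalize(name):
    """Lower-case and strip surrounding whitespace and the trailing dot."""
    return name.strip().lower().rstrip(".")

def build_zones(blocked, whitelisted=()):
    """{zone: type}: blocked zones 'redirect' to the VIP; whitelisted zones are
    'transparent', so a more specific exception overrides a broader block."""
    zones = {normalize(d): "redirect" for d in blocked if d.strip()}
    for d in whitelisted:
        zones[normalize(d)] = "transparent"
    return zones

def unbound_config(zones, vip=DNSBL_VIP):
    """Render the zones as the Unbound directives pfBlockerNG-style lists use."""
    lines = []
    for zone in sorted(zones):
        lines.append(f'local-zone: "{zone}" {zones[zone]}')
        if zones[zone] == "redirect":
            lines.append(f'local-data: "{zone} A {vip}"')
    return lines

def matching_zone(name, zones):
    """Longest-suffix match: Unbound applies the most specific local-zone."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, zones, upstream, vip=DNSBL_VIP):
    """Simulated lookup through Unbound: a redirect zone sinks the name to the
    VIP; a transparent zone or no zone falls through to the upstream answer."""
    zone = matching_zone(name, zones)
    if zone is not None and zones[zone] == "redirect":
        return vip, f"dnsbl:{zone}"
    return upstream.get(normalize(name)), "upstream"

def audit(observed, zones, vip=DNSBL_VIP):
    """observed: {name: ip the client actually received}. A listed name that did
    not come back as the VIP means the client is not using Unbound (the DNS
    leak the thread is chasing), so it is reported as 'bypassed'."""
    report = {}
    for name, ip in observed.items():
        zone = matching_zone(name, zones)
        should_block = zone is not None and zones[zone] == "redirect"
        if should_block and ip == vip:
            report[name] = "blocked"
        elif should_block:
            report[name] = "bypassed"
        else:
            report[name] = "allowed"
    return report

if __name__ == "__main__":
    zones = build_zones(BLOCKED, WHITELIST)
    print("\n".join(unbound_config(zones)))
    for n in ("img.ads.example", "cdn.ads.example", "www.example.com"):
        print(n, "->", resolve(n, zones, UPSTREAM))
    # Constructed "observed" answers: one client went straight to upstream DNS.
    print(audit({"img.ads.example": DNSBL_VIP,
                 "tracker.example.net": "203.0.113.55",
                 "www.example.com": "203.0.113.10"}, zones))
```

The `audit` step is the programmatic form of the check V3lcr0 describes: a listed name that answers with its real address instead of the VIP will never produce a DNSBL alert, and the thing to fix is which resolver the client is talking to, not the list.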
