pfBlocker DNSBL blocking and config with two pfBlocker instances



  • Hello everyone. I'm trying to implement content filtering and force safe search on part of my network and I'm not having mixed results. I know I can segment with VLANs and serve OpenDNS IPs over DHCP, but I want to also incorporate the Google and YouTube DNS restrictions as well as include some of the pfBlocker filtering.


    Current setup

    primary pfSense (pf01.local.lan) running:
    multi-WAN
    multi-LAN (IP Camera, AdminLAN, GuestLAN, DMZ with webserver)
    pfBlocker to block malicious sites/crypto mining, non-domestic IPs, etc.
    WiFi serving VLANs to support Admin and Guest LAN via Unifi APs


    New requirement

    Add more restrictions to GuestLAN
    Additional DNS entries to force restricted YouTube and force Google Safe Search
    Additional pfBlocker to block Shallalist groups (porn, warez, etc.)


    Attempted but not working

    Installed a second pfSense box (pf02.local.lan) on the Admin LAN (no WAN connected)
    Set up an instance of pfBlocker with Shallalist groups, DNS Resolver with Safe Search
    On the primary pfSense server (pf01.local.lan) set GuestLAN DHCP to give out the IP of pf02 as DNS
    Set pf02.local.lan's DNS (System - Admin - DNS Server Settings) to use pf01.local.lan


    Observations

    YouTube restrictions and Safe Search are working in attempted configuration.
    The pfBlocker content filtering on pf02.local.lan is not working as expected.
    An nslookup from a host connected to the GuestLAN will report the expected pfBlocker DNSBL response IP (10.10.10.1), but when attempting to visit the blocked site from the same host the blocked site is not blocked.

    I'm sure there is something simple I've overlooked here, but it's not coming to me at the moment. Has anyone run across this?



  • With a little more troubleshooting I found the issue. I neglected adding in a firewall rule to allow the client access to the DNSBL VIP over ports 443 and 80.
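
The fix above hinges on two separate hops: the blocklisted domain must resolve to the DNSBL sink VIP, and the client must then be allowed to reach that VIP on tcp/80 and tcp/443 so the block page is served instead of the real site. The following script is an added example, not code from the thread or from pfBlockerNG; it is meant to be run from a host on the GuestLAN and checks both hops so a failure can be attributed to the resolver or to the firewall rule. It assumes the sink VIP is 10.10.10.1 (the value observed in the post), that `dig` and `nc` are installed, and that you supply a domain you know is on the list (`blocked.example` below is a placeholder, not a real entry).

```shell
#!/bin/sh
# Added diagnostic for a pfBlockerNG DNSBL deployment (not from the thread).
# Assumptions: DNSBL sink VIP is 10.10.10.1; dig and nc are available;
# the domain passed on the command line is known to be on the blocklist.

SINK_IP="${SINK_IP:-10.10.10.1}"

# Pure classifier: maps observed values to a diagnosis and exit code.
# Usage: diagnose <expected_sink> <resolved_ip> <tcp80:open|closed> <tcp443:open|closed>
# Exit codes: 0 = chain works, 1 = DNS hop broken, 2 = firewall hop broken.
diagnose() {
  expected="$1"; resolved="$2"; p80="$3"; p443="$4"
  if [ "$resolved" != "$expected" ]; then
    echo "DNS: domain did not resolve to sink $expected (got '$resolved'); the client is not using the DNSBL resolver or the domain is not on the list"
    return 1
  fi
  if [ "$p80" != "open" ] || [ "$p443" != "open" ]; then
    echo "FIREWALL: sink $expected resolved correctly but tcp/80=$p80 tcp/443=$p443; add a pass rule from the client subnet to the DNSBL VIP on ports 80 and 443"
    return 2
  fi
  echo "OK: DNSBL chain works end to end (resolver -> sink -> block page)"
  return 0
}

# Resolve a domain through the host's configured resolver; prints the first
# IPv4 A record, or nothing if there is no answer.
resolve_a() {
  dig +short A "$1" 2>/dev/null \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# TCP reachability of host:port from this client; prints "open" or "closed".
port_state() {
  if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo open; else echo closed; fi
}

# Full check: DNS hop, then the two firewall hops to the sink VIP.
check_dnsbl_chain() {
  domain="$1"
  resolved="$(resolve_a "$domain")"
  diagnose "$SINK_IP" "$resolved" \
    "$(port_state "$SINK_IP" 80)" "$(port_state "$SINK_IP" 443)"
}

# Run from a GuestLAN host:  sh dnsbl_check.sh blocked.example
# (blocked.example is a placeholder for a domain actually on your list)
if [ -n "$1" ]; then
  check_dnsbl_chain "$1"
fi
```

Exit code 1 points at the resolver side (the client is not asking pf02, or the list does not contain the domain), while exit code 2 reproduces the situation in the thread: the sink address comes back correctly but the client cannot reach it, which is what the missing pass rule to the DNSBL VIP on 80/443 looks like from the client.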