pfblockerng ASN alias rule doesn't seem to work



  • Hello,

    pfsense :: 2.4.5
    pfblockerng :: 2.1.4_22

    I am trying to use ASN to block access to certain websites during a period of time but somehow I don't think I configured ASN properly. I set ASN as alias native so I can use it as a rule on my LAN interface. My rule is fairly simple:

    source host: one IP is blocked to dest my ASN alias, which is Netflix as a test; however, I don't see any hit on the rule. If I invert it everything is blocked. I did check the forum for the past week to see if I could find an answer but I didn't see anything close to my problem. I am not sure how to troubleshoot this. It's almost like the ASN is not working for me somehow.

    Thank you for looking into this post and any feedback you have to provide,



  • @ahtos First thing you should do is update to pfblockerng_devel. I know it says devel but that is just a by-product of the development cycle moving to 2.5. It's as solid as any release version.

    edited to add: make sure you have your System->Update repositories set correctly for the version of pfsense you have installed. You can end up in a bit of mess otherwise.

    Then you could do something like this:

    [Four screenshots attached: Screen Shot 2020-04-19 at 09.47.07.png, 09.47.19.png, 09.47.42.png and 09.51.01.png]

    You can then use those resulting rules in a schedule as you require.



  • @jwj Thank you for your response. I will try it out. As for the devel version, I tried it a few times and ended up with a 502 nginx gateway error each time after a cron update. I didn't flag it as I can never get back to pfsense to see any logs... I just reinstall pfsense again...

    Thank you again for your input.



  • Using deny outbound seems to work for the browser but not for the app. Is there a different ASN for the app? I tried to search for it but it seems to all redirect to 2906.

    Thank you again for your help!



  • @ahtos I'm not sure if they use different servers for browsers and their apps. You could have a peek by doing a packet capture and seeing what's what.

    You could also try the same setup but just blocking by domain, netflix.com, and seeing what happens.

    I have limited netflix access for the kids' devices, but since we are an all-Apple family I used screentime. Gave up on the tech approach and just asked them to limit netflix and the like to certain hours. So far so good. I'm lucky!



  • @jwj Thank you again for your input, it doesn't seem to make any difference with domain or ASN. I will try packet capture and see what's up with it. I wish I could give up on the tech approach, a teenage girl doesn't listen well in a lockdown situation. We asked a few times and that did not work at all. The idea is to block everything at 2300 and allow her to use Spotify, Netflix and YouTube only as she complains she can't go to sleep without music or something. Anyhow, I think I regress here. Much appreciate that you took the time to respond and point me in the right direction! I hope you and your family/entourage are safe in this unusual situation.



  • @ahtos It's difficult times for everyone. I wish I could say that I did such a great parenting job and that's why things are easy. Not so. My daughter has always been easy. She's 10. She's going to high school next year, whenever the next school year starts ;) She just has something in her, must have gotten it from her mom. I know I haven't earned enough karma to account for this good luck.

    I'll fire up Netflix in both the app and browser and have a look at what's going on and report back. We'll compare notes and come up with something...

    John



  • @ahtos I blocked these AS numbers which I learned from here:
    https://bgp.he.net/search?search[search]=netflix&commit=Search

    2906 #Netflix
    55095 #Netflix
    40027 #Netflix
    394406 #Netflix
    136292 #Netflix

    The app on iOS loads, I can browse around but it doesn't stream anything. It's also a no-go in the browser.

    I haven't tested using that as a pass rule followed by a block any to any to allow only netflix and the others based on AS number.

    Packet capture shows connections on the 45.57.0.0/17 and the 198.38.96.0/19 blocks. Probably changes with location.



  • @jwj Again, I much appreciate the time you take to help me out. I tried the ASN you gave me and it seems to be hit and miss. I believe the app keeps changing its destination. During two captures I saw the destination IP change, once to an Apple ASN and the second time to AWS. I think I will have to go a different road. Could you tell me if screentime can block specific apps for a period of time? I am on their website but I don't really see any information in regards to period block. It seems like you can either block or allow it.

    Thank you and sorry for the late reply, I am still learning how to use pfsense.
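A way to check the two observations above (the prefixes seen in jwj's capture, and the destinations drifting to other ASNs in ahtos's) is to run the captured destination IPs against the prefixes the alias actually contains. This is an added example, not code from the thread or from pfBlockerNG; the capture lines are constructed, the Apple and AWS addresses are stand-ins, and attributing the two prefixes to AS2906 is an assumption.

```python
import ipaddress
import re

# Prefixes quoted from the packet capture in the thread. Mapping them to
# AS2906 is an assumption for this example; a real check would load the
# prefixes from the pfBlockerNG alias table for the ASN.
ALIAS_PREFIXES = {
    "AS2906": ["45.57.0.0/17", "198.38.96.0/19"],
}

# Constructed tcpdump-style lines standing in for a pfSense packet capture.
# The last two destinations are stand-ins for the Apple and AWS hosts the
# app drifted to; they are not addresses taken from the thread.
CAPTURE = """\
10:12:01.100 IP 192.168.1.50.51234 > 45.57.10.20.443: Flags [S], length 0
10:12:01.300 IP 192.168.1.50.51235 > 198.38.100.7.443: Flags [S], length 0
10:12:02.900 IP 192.168.1.50.51236 > 17.253.144.10.443: Flags [S], length 0
10:12:03.400 IP 192.168.1.50.51237 > 52.94.236.248.443: Flags [S], length 0
"""

# Destination host.port after " > " in tcpdump output.
DST_RE = re.compile(r" > (\d{1,3}(?:\.\d{1,3}){3})\.\d+:")


def build_networks(alias):
    """Flatten {asn: [prefix, ...]} into a list of (asn, ip_network)."""
    return [(asn, ipaddress.ip_network(p)) for asn, pl in alias.items() for p in pl]


def destinations(capture_text):
    """Extract destination IPs from tcpdump-style capture lines."""
    return [m.group(1) for line in capture_text.splitlines()
            if (m := DST_RE.search(line))]


def classify(capture_text, alias=ALIAS_PREFIXES):
    """Map each destination IP to the ASN whose prefix covers it, or None."""
    nets = build_networks(alias)
    result = {}
    for ip in destinations(capture_text):
        addr = ipaddress.ip_address(ip)
        result[ip] = next((asn for asn, net in nets if addr in net), None)
    return result


def uncovered(capture_text, alias=ALIAS_PREFIXES):
    """Destinations the alias would never match: the 'hit and miss' traffic."""
    return sorted(ip for ip, asn in classify(capture_text, alias).items()
                  if asn is None)
```

Destinations listed by `uncovered()` are the ones a rule built on the ASN alias cannot see, so they explain a rule that matches only sometimes.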



  • @ahtos

    It can't. It's all or nothing on a schedule. That's what Apple calls downtime. App limits set a time limit for each day. Say only 30 minutes a day using an app.

    You can have downtime mixed with always available apps, so nothing after 11pm except those that are always available...

    I always felt that screentime was a blunt weapon. Too punitive.



  • Maybe @BBcan177 has some insight beyond what I know?



  • @jwj Could you tell me which version of pfsense you are on? Maybe if I set mine the same as yours then I might be able to use pfblockerng-devel. I might have to use an app similar to screentime but which seems to be less restrictive, called FamiSafe. I was hoping to use a single tool instead of a combination. Oh well, I got to learn new things and got troubleshooting insight from you.



  • @ahtos I'm currently on 2.4.5. Yes, it has issues with pfctl and filter reloads but I was working with the Netgate support folks to replicate the issue. I may go back to 2.4.4-p3 if I can find a moment to take everyone at home offline. pfblockerng-devel has been good for me for a long time now. You can share your pfblockerng-devel error here and see what the package developer @BBcan177 has to say. He's a good guy, super helpful.



  • @jwj The only problem is when I get the error, I can't reach the pfsense anymore... so no logs to look at...



  • @ahtos What hardware are you using? Do you have a physical console? I know it is necessary to uninstall the old pfblockerng before installing the devel version. It's not an update/upgrade thing.



  • @jwj I do have a physical box but I don't have access to a console cable. I ordered one but it will take some time with the current situation. I did a backup of the config before I installed the pfblockerng package.



  • @ahtos I'm not sure what to say about updating pfblocker other than you do want to get to the devel version.

    Also out of technology suggestions about your other issue. If you're at the end of your rope you could just shut off access entirely other than during "school" hours. As I have said I am a much bigger proponent of the carrot than the stick, but sometimes needs demand... :(



  • @jwj At this point, we have no choice but to shut it down. We do need to work the next day even if it is remotely. If we were not in this unique situation, I don't think we would have the discussion. Just trying to make the best out of an unpleasant time. Like you, I don't want to impose austerity and would rather have a dialogue and understanding. I recall someone told me this once: "Children are the most beautiful things in the world until they learn to talk back to you". I thought it was funny at the time, but there is definitely truth in it :-)

    I think, I will put the old router back and set the pfsense on the side so I can work with it. I will try to see if I can get any logs to share.



  • @ahtos Sounds like the best choice. For you and your family's sanity all things considered. Though I hated it when I was young there is some truth to "my roof, my rules".

    When time allows you can think through how you want to setup tiered access. I have a full access network, filtered access, and no access. The no access for the naughty IoT devices.



  • @jwj It doesn't look like I can downgrade pfsense. I will remove the old pfblockerng and add pfblockerng-devel. I was googling the issue and I see a few people seem to have the same issue. I will leave pfblockerng as is and see if after a cronjob I lose any connection. I will also remove all other packages I have installed.



  • Resolved.
    Just an update on the issue if someone ever faces the same problem.
    I reinstalled pfSense, then pfBlockerNG-devel.
    I didn't create any auto-rules and only used native aliases. Maybe it's something obvious, but in my case they didn't play well together. I installed ntopng to find out all the required ASNs; there are a few more than just netflix/youtube for the apps. However, I got a second problem: from time to time I wouldn't get an IP from the WAN and many dpinger send-to error 65. The problem was my onboard NIC is a Realtek and not Intel. Moving the WAN to an Intel port seems to have fixed the issue for me. I understand the recommendation is to use Intel.

    Thank you John for your time and help!

