Netgate Discussion Forum

    Blocking specific websites with pfBlockerNG

    General pfSense Questions
      jkalber

      I support a company that has employees that are constantly streaming music via Spotify, YouTube, Pandora, etc., and I am wanting to block access to these sites because it is taking up bandwidth (we are on a 100 Mbps circuit). Every so often I have some employees that will stream movies on their lunch breaks via Hulu and/or Netflix; I'd like to block access to those as well. Can someone point me in the right direction on how to accomplish this or provide some type of documentation? I currently just installed pfBlockerNG. Any help would be greatly appreciated - cheers!

        bmeeks

        There is a sub-forum here specifically for pfBlockerNG and pfBlockerNG-devel users. Here is a direct link: https://forum.netgate.com/category/62/pfblockerng.

        You may get a quicker and more complete response posting directly there.

        The answer to your question is that it is possible to block most of this activity (but not always 100%). At the least you can make it so hit-or-miss for the users they will likely just give up. The problem is that services like those use giant third-party CDNs (content delivery networks) to stream their service. Those CDNs are also shared by many other things you might not want to block, so you have to tread carefully. The basic process is to create a pfBlockerNG-devel alias based on the network ASN of the providers you want to block. Another method some use is the DNSBL (DNS Blacklist) feature of pfBlockerNG-devel. Examples of what other users are doing can be found in the sub-forum I posted a link to.

        I do not use pfBlockerNG, so I'm not an expert in setting it up. I'm just familiar with the basics at a high level.

          SteveITS Galactic Empire @jkalber

          @jkalber Another quick and dirty way is to set up a domain or host override in the DNS Resolver. Then anything that wants to connect to (www.)spotify.com will get the address you put in, like 127.0.0.1 or whatever. Nowadays DNS over HTTP will bypass that, so you also need to disable DoH.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!
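
The override described in the post above, written as Unbound options for the pfSense DNS Resolver (an added example, not part of the original thread). The `spotify.com` and `127.0.0.1` values come from the post; the `use-application-dns.net` entry is Mozilla's DoH canary domain, which the thread does not mention and is included here as one way to signal Firefox to leave its default DoH off.

```conf
# Paste into Services > DNS Resolver > Custom options.
# pfSense hands these lines to Unbound; the block must start with "server:".
server:

# "redirect" answers the zone name and every name beneath it from the
# local-data record below, so www.spotify.com and other subdomains are
# covered by the single entry.
local-zone: "spotify.com." redirect
local-data: "spotify.com. 3600 IN A 127.0.0.1"

# Firefox checks this canary domain before enabling DoH by default.
# An NXDOMAIN answer tells it to keep using the network's resolver.
# It has no effect on a client where the user turned DoH on explicitly.
local-zone: "use-application-dns.net." always_nxdomain
```

These overrides only apply to clients that actually query the pfSense resolver; a client configured with DoH or a different DNS server never sees them.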

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.