Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't get pfBlockerNG to block pornhub.com

    Scheduled Pinned Locked Moved pfBlockerNG
    56 Posts 13 Posters 25.7k Views 10 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JonathanLeeJ Offline
      JonathanLee @fullauto
      last edited by JonathanLee

      @fullauto

      Have you tried regular expressions for the URL?

      Screen Shot 2022-03-25 at 7.37.04 AM.png

      (Image: Most of my blocks are for learning purposes and for my research with my degree)

      I don't like prankdial, hotjar, rubygems, docker, and some other ones that seemed to cause me some issues. I am sure a lot of mine do not need to be blocked, but how can you learn if you don't test stuff out? Here is an example.

      I always have had issues with Doubleclick.net they caused me so many issues with devices and human interaction with mouse and keyboards, I found all my items work better with them blocked. Notice ^.URL.com.$ try that.

      Also check your Target rules if they are whitelisted it will override items by order like ACLs.

      Screen Shot 2022-03-25 at 7.39.50 AM.png

      Also enable encrypted DNS

      Screen Shot 2022-03-25 at 7.48.32 AM.png

      If the DNS is encrypted and using SSL it can't be hijacked, I would cry if they hijacked the update servers.

      Make sure to upvote

      JonathanLeeJ 1 Reply Last reply Reply Quote 0
      • JonathanLeeJ Offline
        JonathanLee @JonathanLee
        last edited by JonathanLee

        @jonathanlee

        Screen Shot 2022-03-25 at 7.51.58 AM.png

        You can see it blocking all the variations of doubleclick.net now, it does not matter what differences are in the URL if the main part is the same it blocks it forever.

        Make sure to upvote

        1 Reply Last reply Reply Quote 0
        • LPD7L Offline
          LPD7
          last edited by

          I have read through this thread but still unclear as to what the resolution would be. I too would like to block sites such as facebook, tik-tok, etc and thought I had it licked by creating a custom list in DNSBL but the sites are not getting blocked. I have squid installed but not running as I had some issues in the past where it locked up the system which I think were related to bad memory which I have resolved. I am new to this and still getting my feet wet so would like to get clarity on how to accomplish this. I am sure this has been talked about quite a bit so if there is a thread or instruction that covers the topic feel free to post the link and I will give it a shot. Thank you.

          Intelligence is not a substitute for common sense.
          Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
          Putting legacy equipment into service and out of landfills.

          S 1 Reply Last reply Reply Quote 1
          • S Offline
            SteveITS Galactic Empire @LPD7
            last edited by

            @lpd7 Can you provide details? nslookup results, etc. Are you blocking DoH? If not most browsers will bypass the configured DNS servers. Did you run an update in pfBlocker after changing settings?

            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
            Upvote 👍 helpful posts!

            LPD7L 1 Reply Last reply Reply Quote 0
            • LPD7L Offline
              LPD7 @SteveITS
              last edited by

              @steveits said in Can't get pfBlockerNG to block pornhub.com:

              @lpd7 Can you provide details? nslookup results, etc. Are you blocking DoH? If not most browsers will bypass the configured DNS servers. Did you run an update in pfBlocker after changing settings?

              New to pFS and pFB so bear with me as I track down the info and educate myself as well.

              Not sure which nslookup results you want to see so please elaborate, happy to provide.

              Yes blocking DoH
              2e10d220-ce71-424b-97d5-284d745c74e7-image.png

              and selected all options in the blocking list
              db7df275-d95b-45d7-85e2-3f1dc0811298-image.png

              I usually run Cron after making changes but ran the Update twice just to make sure.

              Intelligence is not a substitute for common sense.
              Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
              Putting legacy equipment into service and out of landfills.

              JonathanLeeJ S 3 Replies Last reply Reply Quote 0
              • JonathanLeeJ Offline
                JonathanLee @LPD7
                last edited by JonathanLee

                @lpd7

                I don't know if this helps, I use Squidguard as it is designed for use with Squid Proxy. Here is some photos of it in action.

                I feel this system should be simplified for parents and have scripts created to make this install with ease. You must have static addresses to make this work correctly. So it should have a quick install where you manually connect each device so it can auto populate the static addresses.

                After it should create your certificates for you and let you install them.

                After it should walk you threw how to set up WPAD this is a must for auto proxy use.

                https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-wpad.html

                Screen Shot 2022-06-02 at 1.19.05 PM.png

                Just edit a path to the file and save it. This is needed for use with windows and other devices to find the proxy automatically.

                Next you need your websites you want blocked. Example of how it works for me.

                Screen Shot 2022-06-02 at 1.06.30 PM.png

                (Image: Url Blocker working under Squidguard Table)

                Screen Shot 2022-06-02 at 1.06.45 PM.png

                (Image: Once package is installed use SquidGuard Proxy Filter)

                Screen Shot 2022-06-02 at 1.06.14 PM.png

                (Image: What happens when the URL is tested)

                Screen Shot 2022-06-02 at 1.07.28 PM.png

                (Image: Target Categories)

                Screen Shot 2022-06-02 at 1.08.01 PM.png

                (Make a Profile and attach the IP addresses of the system you want blocked for adult websites, you must also have a dummy profile for it to work that takes the place of position one)

                A nice how to guide I have found to get this system to work.

                Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard! (n.d.). Retrieved June 2, 2022, from https://forum.it-monkey.net/index.php?topic=23.0

                Make sure you let the loopback and local subnets use the proxy

                Screen Shot 2022-06-02 at 1.14.51 PM.png

                This all works with the HTTP get requests and headers. So no harm done. It is so simple however I worked in IT for over 15 combined years. Yes this needs to be simple for the average Parent and it can be done. There is some great guides for this version, and I for one use it and it blocks what you want blocked. You can even set up timers for no access in the middle of the night.

                Do not forget you must set up your access control lists. This is the packet filter that uses ports and IP addresses also.

                This is mine.

                Screen Shot 2022-06-02 at 1.22.25 PM.png

                Screen Shot 2022-06-02 at 1.23.34 PM.png
                (image: ACLS)

                Screen Shot 2022-06-02 at 1.24.18 PM.png
                (image: NAT Port Forwards for DNS and NTP so the firewall handles all requests)

                Make sure to upvote

                1 Reply Last reply Reply Quote 0
                • S Offline
                  SteveITS Galactic Empire @LPD7
                  last edited by

                  @lpd7 re: nslookup...

                  nslookup pornhub.com pfsense_lan_ip

                  Do you get the real IP there?

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                  Upvote 👍 helpful posts!

                  LPD7L 1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ Offline
                    JonathanLee @LPD7
                    last edited by

                    @lpd7

                    This is a great website it has everything for you and is pretty clear just follow the steps.

                    Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard! (n.d.). Retrieved June 2, 2022, from https://forum.it-monkey.net/index.php?topic=23.0

                    Make sure to upvote

                    LPD7L 1 Reply Last reply Reply Quote 0
                    • LPD7L Offline
                      LPD7 @SteveITS
                      last edited by

                      @steveits The ip for the server was the loopback for the pFS box, is this what you should see?

                      dd058454-a1ec-4a68-b9e4-1f263a6996bb-image.png

                      Intelligence is not a substitute for common sense.
                      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                      Putting legacy equipment into service and out of landfills.

                      S 1 Reply Last reply Reply Quote 0
                      • LPD7L Offline
                        LPD7 @JonathanLee
                        last edited by

                        @jonathanlee Wow great info, much appreciated for the effort. I am going to look this over and see if I cant get it working. Thanks again.

                        Intelligence is not a substitute for common sense.
                        Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                        Putting legacy equipment into service and out of landfills.

                        JonathanLeeJ 1 Reply Last reply Reply Quote 1
                        • JonathanLeeJ Offline
                          JonathanLee @LPD7
                          last edited by JonathanLee

                          @lpd7

                          No problem that pfSense configuration website I sent is my favorite.

                          I tested my firewalls DNS, it will still see that address however, it is blocked on the USER side from accessing it on any browser that is included in the Squidguard blocks USER configured IP addresses to static MAC mappings.

                          Screen Shot 2022-06-02 at 1.40.40 PM.png

                          (Image: Firewall Sees the IP address)

                          Screen Shot 2022-06-02 at 1.42.57 PM.png
                          (Image: End users can not get to it)

                          Keep in mind this is SSL based if I use a HTTP request I have a custom webpage.

                          Screen Shot 2022-06-02 at 1.44.31 PM.png
                          (Image: HTTP site blocked)

                          One more detail you must also block out the IP addresses in the URL to make this fully work this way no one can use dig or use nslookup and grab that IP and plug it in and access the site still. Also block major network atomizers that bypass proxies online.

                          Screen Shot 2022-06-02 at 1.48.03 PM.png

                          (Image: IP block for URL access)

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • S Offline
                            SteveITS Galactic Empire @LPD7
                            last edited by

                            @lpd7 said in Can't get pfBlockerNG to block pornhub.com:

                            ip for the server was the loopback for the pFS box

                            ...which means it's working. :) Ensure your PC isn't caching the old DNS...in Windows run "ipconfig /flushdns" to empty the cache, and close your browser.

                            Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                            When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
                            Upvote 👍 helpful posts!

                            1 Reply Last reply Reply Quote 1
                            • LPD7L Offline
                              LPD7
                              last edited by

                              @jonathanlee I have been looking over the instructions both from what you provided and from the link that goes step by step all of which is good stuff.

                              I attempted to start working on it but pulled back as I dont want to foul up my active box and am waiting for a new case so I can get a second box up and running which is what I will use for this build. The question that I have is about vlans....are they a necessity and if so can I use the LAN interface for that purpose?

                              My setup is configured with the WAN coming into one port on the FW and the LAN going out another port to a managed switch which connects various APs and other non managed switches and hard wired computers.

                              The instructions in the link (https://forum.it-monkey.net/index.php?topic=23.0) doesnt seem to mention vlans so just want to verify this can be done without the use of vlans.

                              I know what vlans are but have no experience with them so am trying to keep a handle on the learning curve, once I master one function then move onto another.

                              Once I get the other box up and running (hopefully by july 4 weekend) I will use that in isolation with a single pc to test the rules/blocking once it all seems to be working I will do the switch over.

                              Thank you.

                              Intelligence is not a substitute for common sense.
                              Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                              Putting legacy equipment into service and out of landfills.

                              M JonathanLeeJ 2 Replies Last reply Reply Quote 0
                              • M Offline
                                michmoor LAYER 8 Rebel Alliance @LPD7
                                last edited by

                                @lpd7 If you are using the pfsense as a dns resolver cant you also just set up a host override pointing to 127.0.0.1 ?
                                That blocks it for sure.

                                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                                Routing: Juniper, Arista, Cisco
                                Switching: Juniper, Arista, Cisco
                                Wireless: Unifi, Aruba IAP
                                JNCIP,CCNP Enterprise

                                LPD7L 1 Reply Last reply Reply Quote 0
                                • LPD7L Offline
                                  LPD7 @michmoor
                                  last edited by LPD7

                                  @michmoor I am using dns resolver but am unfamiliar with the remedy you suggest. Based on what I have seen and been told it appears the resolution is a bit more in depth but I can be wrong as there seems to be many schools of thought on this topic.

                                  So to restate:
                                  I want to control/limit access by local devices/clients to web sites of my choosing. I do not want to have to configure each device individually but rather have the FW do the work. This is particularly important for those web sites whose URLs are encrypted (DoT, DoH).

                                  So would the solution proposed by jonathanlee within this thread be the correct path and if so I have a question about vlans.

                                  or

                                  Are the instructions listed at https://forum.it-monkey.net/index.php?topic=23.0 the solution I am seeking.

                                  Appreciate the feedback.

                                  Intelligence is not a substitute for common sense.
                                  Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                                  Putting legacy equipment into service and out of landfills.

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • johnpozJ Online
                                    johnpoz LAYER 8 Global Moderator @LPD7
                                    last edited by

                                    @lpd7 said in Can't get pfBlockerNG to block pornhub.com:

                                    web sites whose URLs are encrypted (DoT, DoH).

                                    Just to correct a misnomer here - the website is not encrypted via dot or doh, your browser is bypassing your dns and looking up the IP of the website via dns through the dot or doh server.

                                    You can still setup an host alias for pornhub.com so that pfsense looks up that fqdn and blocks the IP it finds. This should be the same no matter where its looked up from. While pfblocker can do that, its also just a simple native host alias in pfsense.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                    LPD7L 1 Reply Last reply Reply Quote 0
                                    • LPD7L Offline
                                      LPD7 @johnpoz
                                      last edited by

                                      @johnpoz The browsers are using the PFBox for DNS resolution, I have already confirmed that using nslookup within the PF command line. Why is this topic so confusing to get a straight answer to and why do there seem to be so many supposed ways to accomplish this? Seems to me this is something that is core to the system and not something that should be so obscure to accomplish.

                                      Intelligence is not a substitute for common sense.
                                      Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                                      Putting legacy equipment into service and out of landfills.

                                      johnpozJ 1 Reply Last reply Reply Quote 0
                                      • JonathanLeeJ Offline
                                        JonathanLee @LPD7
                                        last edited by

                                        @lpd7 if you are using VLANs you would need to add each of those subnets into the access control list on the Squid Proxy as well as create Access control Lists on the firewall for them. That would be the only difference as they are still going into the firewall. I am not running VLANs as it's just used in my home.

                                        Make sure to upvote

                                        LPD7L 1 Reply Last reply Reply Quote 0
                                        • johnpozJ Online
                                          johnpoz LAYER 8 Global Moderator @LPD7
                                          last edited by

                                          @lpd7 not sure where you going with that statement - its not even your thread. And to be honest I haven't paid to much attention to this whole thread because I agree with you - not being able to get pfblocker to block a domain is clear user error that is for sure.

                                          My point was urls are not encrypted via dot or doh - that is encryption for a dns lookup not the site, etc

                                          If your browser is using dot or doh - you can not block anything via dns, which would be what pfblocker normally does, etc.. Sure it could block via an IP in a rule, just like you can do with an alias.. But if your just telling the browser via a dns look up that some fqdn is 127.0.0.1 or 10.10.10.10 a browser via doh is going to circumvent that.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                          LPD7L 1 Reply Last reply Reply Quote 0
                                          • LPD7L Offline
                                            LPD7 @JonathanLee
                                            last edited by LPD7

                                            @jonathanlee Thank you for that info it makes things a bit clearer and probably simpler to implement. My new case was just delivered so I am going to put together a second box from which to work on this and hopefully with the help from kind souls such as yourself I can get it running as needed. Thanks again and Happy 4th weekend.

                                            Intelligence is not a substitute for common sense.
                                            Intel i5-3427 * 1.80GHz * 8GB Memory * 100GB HDD
                                            Putting legacy equipment into service and out of landfills.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.