Netgate Discussion Forum
    pfblockerNG- tuning needed or do i have an error in config?

    pfBlockerNG · 5 Posts · 2 Posters · 714 Views
    • chris1284 (last edited by chris1284)

      I have installed pfblockerng-devel and enabled many IP and DNSBL lists. I am testing the config with this page https://d3ward.github.io/toolz/adblock.html from a client. With Pi-hole in its default config I can reach over 70% blocking; with pfBlockerNG and many lists active I get only 40%, and this does not change (most of the difference is in Analytics and Social Trackers). If my search was correct, Pi-hole only uses StevenBlack (StevenBlack_ADs in pfBlocker).

      How can I check why the blocking is not working?

      (screenshot) Same for IP/DNSBL.

      I had installed pfBlockerNG first, then uninstalled it and installed pfblockerng-devel.
      What I discovered is that there are no rules added after the pfblockerng-devel config.
      (screenshots)

      The update log (for me) does not look as if it loads all the lists I have added (force option: Reload All):

       UPDATE PROCESS START [ v3.1.0_6 ] [ 11/16/22 21:34:04 ]
      
      ===[  DNSBL Process  ]================================================
      
       Loading DNSBL Statistics... completed
       Loading DNSBL SafeSearch...  disabled
       Loading DNSBL Whitelist... completed
      
      Clearing all DNSBL Feeds
      Stopping Unbound Resolver.
      Unbound stopped in 2 sec.
      Starting Unbound Resolver... completed [ 11/16/22 21:34:05 ]
      DNSBL update [ 0 | PASSED  ]... completed
      ------------------------------------------------------------------------
      
      ===[  GeoIP Process  ]============================================
      
      
      ===[  IPv4 Process  ]=================================================
      
      [ WindowsSpyBlockerIP_v4 ]	 Reload . completed ..
        ------------------------------
        Original Master     Final     
        ------------------------------
        167      167        167         [ Pass ] 
        -----------------------------------------------------------------
      
      [ fireholLevel3_v4 ]		 Reload . completed ..
        ------------------------------
        Original Master     Final     
        ------------------------------
        17334    17334      17334       [ Pass ] 
        -----------------------------------------------------------------
      
      [ DNSBLIP_v4 ]			 Reload . completed ..
      [ pfB_DNSBLIP_v4 DNSBLIP_v4 ] No IPs found! Ensure only IP based Feeds are used! ]
      
      
      ===[  Aliastables / Rules  ]==========================================
      
      No changes to Firewall rules, skipping Filter Reload
      
       Updating: pfB_WindowsSpyBlockerIP_v4
      no changes.
       Updating: pfB_fireholLevel3_v4
      no changes.
      
      ===[  Kill States  ]==================================================
      
      No matching states found
      
      ======================================================================
      
      ===[ FINAL Processing ]=====================================
      
         [ Original IP count   ]  [ 17502 ]
      
         [ Final IP Count  ]  [ 17501 ]
      
      
      ===[ Deny List IP Counts ]===========================
      
         17501 total
         17334 /var/db/pfblockerng/deny/fireholLevel3_v4.txt
           167 /var/db/pfblockerng/deny/WindowsSpyBlockerIP_v4.txt
      
      ====================[ IPv4/6 Last Updated List Summary ]==============
      
      Nov 16	21:03	WindowsSpyBlockerIP_v4
      Nov 16	21:03	fireholLevel3_v4
      Nov 16	21:03	DNSBLIP_v4
      
      ====================[ DNSBL Last Updated List Summary ]==============
      
      Nov 15	23:33	EasyPrivacy
      Nov 16	15:36	StevenBlack
      ===============================================================
      
      Database Sanity check [  PASSED  ]
      ------------------------
      Masterfile/Deny folder uniq check
      Deny folder/Masterfile uniq check
      
      Sync check (Pass=No IPs reported)
      ----------
      
      Alias table IP Counts
      -----------------------------
         17501 total
         17334 /var/db/aliastables/pfB_fireholLevel3_v4.txt
           167 /var/db/aliastables/pfB_WindowsSpyBlockerIP_v4.txt
      
      pfSense Table Stats
      -------------------
      table-entries hard limit   400000
      Table Usage Count         17516
      
       UPDATE PROCESS ENDED [ 11/16/22 21:34:06 ]
      
      

      The lists (every list is checked):
      (screenshots)

      Thanks, Christian

      • chris1284 @chris1284

        News: after starting the wizard and doing the config (same feeds), the state on the test page is not better, but the update looks better; the old rules are removed and a new rule was added on WAN.
        (screenshots)

        • chris1284 @chris1284

          I think I have found the error:

          Via DHCP I delivered these DNS servers:
          192.168.2.1 (LAN on pfSense)
          1.1.1.1 (Cloudflare DNS)
          8.8.8.8 (Google DNS)

          The reason for DNS 2 and 3 was as a backup if 1 is not working. So my client used the others, since pfBlocker blocked the content from the test page. After setting DHCP to only 192.168.2.1 I am reaching 77% (more than Pi-hole). It was a config error.

          • SteveITS (Galactic Empire) @chris1284

            @chris1284 The DNSBL feature doesn't add block rules; it answers DNS queries with incorrect info to block the connection. Using other DNS can bypass it, particularly on Windows, which uses the "last known good" DNS and does not use an order. Also, DNS caching on the PC can come into play.

            There is also DNS over HTTPS or DNS over TLS which bypasses local DNS servers altogether. :)

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • chris1284 @SteveITS
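A check an admin could run from a Unix-like LAN client to confirm the point above: query a domain the DNSBL should sinkhole against every resolver the client was handed by DHCP and see which ones still return the real address. This is an added example, not code from the thread or from pfBlockerNG; it assumes pfBlockerNG's default DNSBL VIP 10.10.10.1, the LAN resolver 192.168.2.1 from the thread, and that dig is installed.

```shell
#!/bin/sh
# Added example: report which of the client's resolvers bypass the pfBlockerNG DNSBL.
DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"        # assumed pfBlockerNG default DNSBL virtual IP
LAN_RESOLVER="${LAN_RESOLVER:-192.168.2.1}"  # pfSense LAN address from the thread

# classify_answer ANSWER -> prints one of: sinkholed | bypass | noanswer
# ANSWER is the first A record returned by a resolver (empty when nothing came back).
classify_answer() {
    answer="$1"
    if [ -z "$answer" ]; then
        echo "noanswer"     # unreachable/refused: the client will simply try the next resolver
    elif [ "$answer" = "$DNSBL_VIP" ] || [ "$answer" = "0.0.0.0" ]; then
        echo "sinkholed"    # DNSBL VIP or null-block answer: the block holds via this resolver
    else
        echo "bypass"       # real address returned: this resolver sidesteps the DNSBL
    fi
}

# resolvers_from_conf FILE -> prints nameserver IPs from a resolv.conf-style file, in order
resolvers_from_conf() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_domain DOMAIN RESOLVER... -> one report line per resolver; returns 1 if any bypasses
check_domain() {
    domain="$1"; shift; rc=0
    for r in "$@"; do
        # +short may print CNAME targets first, so keep only the first dotted-quad line
        ans=$(dig +short +time=2 +tries=1 @"$r" "$domain" A 2>/dev/null \
              | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
        verdict=$(classify_answer "$ans")
        printf '%-16s %-10s %s\n' "$r" "$verdict" "${ans:--}"
        [ "$verdict" = "bypass" ] && rc=1
    done
    return $rc
}

# Usage: ./dnsbl_bypass_check.sh blocked-domain.example [resolver ...]
# With no resolvers given, the ones in /etc/resolv.conf (what DHCP handed out) are tested.
if [ -n "${1:-}" ]; then
    d="$1"; shift
    if [ $# -eq 0 ]; then set -- $(resolvers_from_conf /etc/resolv.conf); fi
    check_domain "$d" "$@"
fi
```

A "bypass" verdict for any resolver other than the LAN address means that resolver, not pfBlockerNG, is answering for the client, which is exactly the DHCP misconfiguration diagnosed earlier in the thread.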

              @steveits said in pfblockerNG- tuning needed or do i have an error in config?:

              There is also DNS over HTTPS or DNS over TLS which bypasses local DNS servers altogether. :)

              I think this could be blocked through the IP feeds for DoH ("IPv4 DoH_IP the Great Wall", for example) and by blocking port 853 for DNS over TLS (DoT), as long as I don't use it.
