pfBlockerNG and pfBlockerNG-devel v3.2.0_3
-
I was running _devel version [edit: 3.2.0_33.1.0_11] on pfSense 22.05. Just upgraded to 23.01 on my SG-5100. I did not disable pfBlocker before the update. The only side effect I saw was the pfBlocker Reports were not showing the feeds (or rather had them crossed out), which I was able to fix by forcing an update. Everything else looks good so far.
Thanks @BBcan177 for another solid release!
-
I spoke too soon. My DNS resolution is really slow when a website is either first loaded or when the DNS cache ages it out. When I tried a PING or DNS Query from Windows 10 (I've written my own DNS Query app), it either fails or takes a long time. Same thing when FireFox or Chrome load web pages (sometimes I need to reload 2+ times). But when having PING problems, if I PING from within the pfSense Diagnostics / Ping GUI page, no problems.
Does the pfSense Ping go through pfBlocker? I would guess it does, but...
I've gone through the DNS and pfBlocker logs and not seen anything amiss. I tried restarting Unbound and that seems to help... but only for a short while.
I'm out of ideas. Any suggestions?
-
@draco No, pfBlockerNG doesn't proxy traffic. It either sets up firewall rules (via feeds) or blocks hosts via DNS (DNSBL). Is ping failing to connect or is it not resolving the hostname?
Especially if the latter, most likely you're hitting one of the DNS problems in 23.01 that seem to affect people. If you have forwarding enabled in DNS Resolver, uncheck the option to use DNSSEC. I have also seen one person claim to have multiple routers that don't reliably provide DNS if DNS over TLS is enabled, though that hasn't been my experience. 23.01 seems way more sensitive to having DNSSEC enabled while forwarding.
-
I'm out of ideas. Any suggestions?
I had to, or rather was forced to, reboot 3 times after the upgrade to get everything loading automatically at startup! These were the services:
- unbound
- snort
- clamd
If I only restart them manually, they will run for a while and then must be restarted again, owing to the circumstance that the RAM usage was too high and they were stopping due to the low available RAM or high RAM usage. Applying a patch, restarting the services and rebooting gives me back automatically restarting services after a reboot (the three named above).
-
@dobby_ said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:
RAM usage was to high
There are a few memory threads for 23.01. One memory "issue" was, at the first 3:00 am after the upgrade, a cron task runs that apparently allocates a lot of ZFS ARC memory. ARC is supposed to be released as needed, but it looks "wrong." The cron is not needed in pfSense. Patch ff715efce5e6c65b3d49dc2da7e1bdc437ecbf12 disables it. That thread also discusses setting vfs.zfs.arc_max a.k.a. vfs.zfs.arc.max.
-
@steveits said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:
Is ping failing to connect or is it not resolving the hostname?
Failing to resolve the host name. I do not have forwarding on.
This has become more than inconvenient. My late-night backups are failing because the DNS names are bounced on the first try.
-
@dobby_ said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:
Applying a patch, restart the services and reboot
gives me back automatic restarting services after a reboot (that three named above.)
What patch? And I do not have problems with Unbound shutting down, nor is my RAM usage high. Unbound is just a LOT slower at resolving queries that are not in its cache than it was before, or at least that is what this behavior seems like to me. I looked at the logs for DNS and Unbound is not shutting down, though it is restarting when pfBlocker's CRON job runs (not always, which is consistent with not restarting Unbound if the DNS lists are unchanged).
-
@draco said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:
Failing to resolve the host name
pfBlocker would either let it resolve and block the outbound connection, or if you have DNSBL and it was blocked, would resolve to the sinkhole IP (10.10.10.1?). So, probably not pfBlocker related.
Did you see my suggestions above about DNSSEC and DNS over TLS?
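The posts above describe three outcomes that look alike from a client ("the name didn't come up") but point at different causes: pfBlockerNG's DNSBL answering with its sinkhole VIP, the resolver failing or timing out, and Unbound being slow only on uncached names. The script below is an added example by the editor, not code from any poster or from the pfBlockerNG project. It uses only the Python standard library so it can run on a Windows or Linux client behind the firewall, times a lookup twice (first answer likely uncached, second served from Unbound's cache), and classifies each result. The sinkhole address 10.10.10.1 is taken from the guess in the thread and is an assumption; the `slow_ms` threshold and the hostnames in the usage block are constructed values.

```python
import socket
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumed pfBlockerNG DNSBL virtual IP (the thread guesses 10.10.10.1). Replace it with the
# VIP configured under Firewall > pfBlockerNG > DNSBL on your own firewall.
SINKHOLE_IPS = frozenset({"10.10.10.1"})


@dataclass
class LookupResult:
    name: str
    addresses: Tuple[str, ...]   # de-duplicated, sorted A/AAAA answers
    elapsed_ms: float
    error: Optional[str] = None  # resolver error text, None on success


def time_lookup(name: str) -> LookupResult:
    """Resolve `name` through the OS resolver and measure wall-clock time.

    How long a *failed* lookup takes is governed by the OS resolver's own
    timeout and retry settings, not by this function.
    """
    start = time.perf_counter()
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
        addrs = tuple(sorted({info[4][0] for info in infos}))
        return LookupResult(name, addrs, (time.perf_counter() - start) * 1000.0)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return LookupResult(name, (), (time.perf_counter() - start) * 1000.0, str(exc))


def classify(result: LookupResult,
             sinkhole_ips: Iterable[str] = SINKHOLE_IPS,
             slow_ms: float = 500.0) -> str:
    """Map one lookup to the cause a defender should investigate first."""
    if result.error is not None or not result.addresses:
        # NXDOMAIN / SERVFAIL / timeout: look at Unbound and its upstreams, not at pfBlocker rules.
        return "RESOLVER_FAILURE"
    if set(result.addresses) <= set(sinkhole_ips):
        # Every answer is the DNSBL VIP: pfBlockerNG blocked the name on purpose.
        return "DNSBL_BLOCK"
    if result.elapsed_ms > slow_ms:
        # Correct answer, but slow: typical of an uncached query to a sluggish upstream.
        return "SLOW"
    return "OK"


def cached_vs_uncached(name: str) -> Tuple[LookupResult, LookupResult]:
    """Look a name up twice; the second answer should come from Unbound's cache."""
    return time_lookup(name), time_lookup(name)


def summarize(results: Iterable[LookupResult], **kwargs) -> Dict[str, int]:
    """Count results per category so a batch run over many names is easy to read."""
    counts: Dict[str, int] = {}
    for res in results:
        cat = classify(res, **kwargs)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed usage: the hostnames are placeholders, pick ones you actually use.
    for host in ("example.com", "example.net"):
        first, second = cached_vs_uncached(host)
        print(f"{host}: first {first.elapsed_ms:.0f} ms [{classify(first)}], "
              f"second {second.elapsed_ms:.0f} ms [{classify(second)}] -> {first.addresses}")
```

A large gap between the first and second timing for many names, with the first still classified OK, matches the "slow only when uncached" symptom described in the thread; a steady stream of RESOLVER_FAILURE results instead points at the resolver itself. Run it from the same client that shows the problem, since the pfSense Diagnostics > Ping page uses the firewall's own resolver path and can hide a client-side difference.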
-
@steveits said in pfBlockerNG and pfBlockerNG-devel v3.2.0_3:
Did you see my suggestions above about DNSSEC and DNS over TLS?
Yes, but you said that, "23.01 seems way more sensitive to having DNSSEC enabled while forwarding". I do not have forwarding on. I do have DNSSEC on. I also have TLS on.
I tried turning DNSSEC off and still get laggy behavior when opening a non-cached site. So I've turned it back on again.
-
As posted in the pfSense forum, I am still finding DNS flakey. No forwarding on. No recording of DHCP leases. I've run overnight with DNSSEC on and DNSSEC off. Still flakey.
I'm rolling back to 22.05 using the USB image I have with the config included. Maybe I will be able to upgrade to ZFS while I'm at it.
I did not expect a released version of pfSense to have so many problems with Unbound, but that's why I keep an image of my last good config...
-
Hello, is there an update coming soon for the new MaxMind country IP licence number increase for the paid version of pfBlockerNG?
-
Euh, lol ?
See the pfBlockerNG forum, where you posted, and look at the very first non-pinned post called pfBlockerNG 3.2.0_4!
It's been out for several days now.
-