Netgate Discussion Forum

    Custom Client Lists in pfBlockerNG

    6 Posts 4 Posters 671 Views
    • engkirk

      Hello:
      Is there a method to, as the title suggests, create different blocking groups within pfSense so that I may:

      1. Have a group with a client list which blocks everything by default?
      2. Have a second group with blocking as in 1. above but with certain exceptions or whitelists to allow some clients access to specific sites?

      Thanks.

      • michmoor @engkirk

        @engkirk
        Nope, pfBlockerNG is an all-or-nothing DNSBL system.
        The best you can do is to either:
        1) Not use pfSense as your DNS and instead use something like Pi-hole or AdGuard, where you can apply different blocklists per subnet.

        2) Continue to use pfSense for DNS and pfBlockerNG for sinkholing, but enable Python mode. In that mode you can whitelist IPs that will not have any DNS filtering applied. IMO, this is quite useless if you are using malware blocking, but if your intention is content filtering then this may work for you. YMMV.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • engkirk @michmoor

          @michmoor
          Right thanks. I thought I had read somewhere that the functionality I wanted would be coming in a future release of pfblocker.
          I have Pihole currently doing what I want but had wanted to simplify or consolidate the functionality in a single device.
          Thanks for your feedback again.

          • smolka_J @engkirk

            @engkirk If you're using pfSense in virtual machines you can accomplish this down to one device. I run my main pfSense instance bare metal as my head router, then have a second box with a few virtual machines running pfSense on it, instead of Pi-hole/AdGuard, as additional DNS server/pfBlockerNG DNSBL configurations, so each VLAN/subnet/or ALIAS group of IPs gets their own DNS.

            Following along on this blog by n8henrie and his follow-up post, if you have enough ports and RAM available it may be possible to get a few additional pfSense instances or even Pi-hole/AdGuard installed in VMs inside of pfSense using FreeBSD's bhyve hypervisor on top of a bare-metal pfSense setup; bhyve is already installed in pfSense. Haven't tried this route myself. I'm waiting for pfSense's move to the Linux kernel that's coming down the road soon before consolidating down to this approach, since it would mean changing to a different hypervisor and likely needing to rebuild VMs. Will be easier once things like Proxmox can be installed natively inside of pfSense to manage VMs instead of just by command line.

            • engkirk @smolka_J

              @smolka_J
              Thanks.
              For now I have resorted to using PiHole to accomplish what I want. The implementation is simpler.
              Also I wanted to use my work computer on its own VLAN while still using Pihole as the DNS server while Pihole was on a separate VLAN without allowing responses from more than 1 hop away.
              Anyway I got it working so until pfsense allows similar functionality I’ll just stay with PiHole.

              • nimrod @smolka_J

                @smolka_J said in Custom Client Lists in pfBlockerNG:

                I'm waiting for pfSense's move to the Linux kernel that's coming down the road ...

                I'm sorry, what?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.