Custom Client Lists in pfBlockerNG

engkirk

Hello:
Is there a method to ,as the title suggests, create different blocking groups within pfsense so that I may:

1. Have a group with a client list which blocks everything by default?
2. Have a second group with blocking as in 1. above but with certain exceptions or whitelists to allow some clients access to specific sites?

Thanks.

michmoor

@engkirk
Nope, pfblockerNG is an all or nothing DNSBL system.
The best you can do is to either..
1)Not use pfsense as your DNS and instead use something like pihole or adguard where you can apply different blocklists per subnet

2)Continue to use pfsense for DNS and pfblockerNG for sinkholing but enable python mode. In that mode you can whitelist IPs that will not have any DNS filtering applied. IMO, this is quite useless if you are using malware blocking but if your intention is content filtering then this may work for you. YMMV

engkirk

@michmoor
Right thanks. I thought I had read somewhere that the functionality I wanted would be coming in a future release of pfblocker.
I have Pihole currently doing what I want but had wanted to simplify or consolidate the functionality in a single device.
Thanks for your feedback again.

smolka_J

@engkirk If you're using pfSense in virtual machines you can accomplish this down to one device. I run my main pfSense instance bare metal as my head router then have a second box with a few virtual machines running pfSense on it, instead of Pihole/Adguard, as additional DNS server/pfBlockerNG DNBL configurations so each VLAN/subnet/or ALIAS group of IPs gets their own DNS.

Following along on this blog by n8henrie and his follow-up post if you have enough ports and RAM available it may be possible to get a few additional pfSense instances or even Pihole/Adguard installed in VMs inside of pfSense using FreeBSD's bhyve hypervisor on top of a bare-metal pfSense setup, bhyve is already installed in pfSense. Haven't tried this route myself, I'm waiting for pfSense's move to the Linux kernel that's coming down the road soon before consolidating down to this approach since it would mean changing to a different hypervisor and likely needing to rebuild VMs. Will be easier once things like Proxmox can be installed native inside of pfSense to manage VMs instead of just by command-line.

engkirk

@smolka_J
Thanks.
For now I have resorted to using PiHole to accomplish what I want. The implementation is simpler.
Also I wanted to use my work computer on its own VLAN while still using Pihole as the DNS server while Pihole was on a separate VLAN without allowing responses from more than 1 hop away.
Anyway I got it working so until pfsense allows similar functionality I’ll just stay with PiHole.

nimrod

@smolka_J said in Custom Client Lists in pfBlockerNG:

I'm waiting for pfSense's move to the Linux kernel that's coming down the road ...

Im sorry, what ?