Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfblocker not working

    Scheduled Pinned Locked Moved General pfSense Questions
    3 Posts 3 Posters 74 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T Offline
      TomvDCS
      last edited by

      We've recently setup pfBlockerNG on a firewall of countries with traffic we're not expecting via a blacklist alias and blacklist rule:
      f3f6db5d-830e-482c-b3c9-ddf538590d50-image.png
      (Setup using MaxMind's GeoIP service)
      8636be64-5164-496f-94ba-ef72e27581ea-image.png

      However we are still seeing traffic coming through from some countries that are in the rule:af89ff4f-8d58-415c-9886-a25ee3240fdc-feb13781-836d-4680-ac6f-66bb341f7571.png

      Pretty new to this so wanted to ask if there's anything to check that might catch me out?

      Thanks!

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG Offline
        Gertjan @TomvDCS
        last edited by Gertjan

        @TomvDCS

        Important info is missing.
        The first image : the firewall rules : do we have to presume it is your WAN interface ? Another interface ?
        Let's presume its WAN.

        When you hover the mouse over the third firewall rule, the one with the Source "pfB_Blacklistv4", do you see (the top of) a big list filled with IPs ?
        If so, and all is well, this list should be the list with Geo IPs you want to block.

        If you want to check the "pfB_Blacklistv4" list yourself, you can (I think) find it in this folder : /var/db/pfblockerng/deny/ and then you can check if 102.90.101.220 (the 102.90.108.0/22 network) is in there.
        This rule is actually blocking traffic : the "States" column mentions packets ... (hover the mouse over it).

        Btw : Don't try to block 'the entire Planet', as this would produce a list so big that it can't into the firewall's (the firewall kernel process) working memory anymore. Remember : there are a lot of IPs/networks. And we haven't talked about IPv6 yet.
        Exemple : I created a list with all the IPs of my country, and used that list to allow incoming VPN connection only from my country

        20c37a85-971e-4eea-b17c-495934a9b157-image.png

        What about this solution : create a selection of IPs (countries) that are allowed to connect to your pfSense ?
        And be ware : start blocking the "US" first, as that's the most dangerous country ^^

        If needed, visit : Diagnostics > States > Reset States and reset the current firewall states.

        This one :

        83afe031-4ad2-4b30-8caf-1d1aa779904a-image.png

        needs some thoughts.
        500+ MBytes of incoming traffic using IPs that do not / can not exist ??
        Call your ISP and ask them if all is well ? Your ISP shouldn't even route BS traffic to you ...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • stephenw10S Offline
          stephenw10 Netgate Administrator
          last edited by

          Yes geoip blocking is never 100% accurate.

          Check the alias table in Diag > Tables. Make sure it actually contains the subnets you're trying to block.

          It's often better to pass traffic based on an alias rather than trying to block alias. But that really depends on what traffic you need to serve there.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.