Netgate Discussion Forum
    PfBlocker and Paramount +

    Category: pfBlockerNG
    cburbs:

      Besides excluding a Roku/Shield from pfBlocker, has anyone been able to define all the whitelist items needed for playback to work properly?

    Gertjan (replying to cburbs):

        @cburbs

        By excluding, you mean adding the IP of the device here:

        [screenshot]

        ?
        Beware that adding a policy like that has side effects.
        Like: when the device asks for a host name to be resolved, like an ad server, this host name will now be available ... for all your LAN devices, as it's now part of the resolver's cache.

        If a whitelist existed, I would turn it into a blacklist ^^
        The thing is: Paramount employees read this forum as well, so the list wouldn't age very well / would become useless in a short time.

        If DNSBL blocks "too much", use the device, track all the blocked requests from the device, and use the black round + button to whitelist them.

        [screenshot]

        Once a host name is whitelisted, it is whitelisted for all your LAN network devices.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

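The "track the blocked requests from the device, then whitelist them" workflow above, as an added example that is not code from the thread, pfSense or pfBlockerNG. It filters a block log down to one client IP, de-duplicates the names, and prints them busiest-first as whitelist candidates. The log layout it parses (timestamp, client IP, domain, action, comma-separated) and the sample lines are constructed for illustration; the real pfBlockerNG dnsbl.log has more columns, so the column indexes are assumptions to adjust.

```python
"""Triage a device's DNSBL block log into whitelist candidates.

Added example for this thread, not code from pfBlockerNG or the posters.
The log format parsed here is a constructed, comma-separated layout
(timestamp, client IP, queried domain, action) assumed for illustration;
the real pfBlockerNG dnsbl.log has more columns, so adjust the field
indexes below to match the file on your box.
"""
import csv
import io
from collections import Counter
from typing import List

# Constructed sample log (not real traffic).  192.168.1.50 plays the role
# of the streaming box; 192.168.1.23 is another LAN client.
SAMPLE_LOG = """\
2025-11-17 07:01:02,192.168.1.50,ads.example-tracker.com,block
2025-11-17 07:01:02,192.168.1.50,CDN.Example-Stream.net.,block
2025-11-17 07:01:03,192.168.1.23,ads.example-tracker.com,block
2025-11-17 07:01:05,192.168.1.50,ads.example-tracker.com,block
2025-11-17 07:01:09,192.168.1.50,beacon.example-stream.net,block
2025-11-17 07:02:00,192.168.1.50,www.example-stream.net,pass
garbage line without enough fields
"""

# Column positions in the assumed layout.
COL_CLIENT, COL_DOMAIN, COL_ACTION = 1, 2, 3


def normalise(domain: str) -> str:
    """Lower-case and strip the trailing dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")


def blocked_by_device(log_text: str, device_ip: str) -> Counter:
    """Count how often each domain was blocked for one client IP.

    Rows for other clients, 'pass' rows and malformed rows are ignored.
    """
    hits: Counter = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= COL_ACTION:
            continue  # malformed / truncated line
        if row[COL_CLIENT].strip() != device_ip:
            continue
        if row[COL_ACTION].strip().lower() != "block":
            continue
        hits[normalise(row[COL_DOMAIN])] += 1
    return hits


def render_whitelist(hits: Counter, device_ip: str) -> List[str]:
    """One 'domain  # reason' line per blocked name, busiest first.

    The 'domain  # comment' shape is an assumption about what the DNSBL
    whitelist box accepts; verify against your pfBlockerNG version.
    """
    return [
        f"{domain}  # blocked {count}x for {device_ip}"
        for domain, count in hits.most_common()
    ]


if __name__ == "__main__":
    device = "192.168.1.50"
    for line in render_whitelist(blocked_by_device(SAMPLE_LOG, device), device):
        print(line)
```

Review the list before pasting anything in: as the post above says, a DNSBL whitelist entry is global, so every name you add for the streaming box is also un-blocked for every other client on the LAN.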
        cburbs (replying to Gertjan):

          @Gertjan

          Correct on excluding the IP, as the only place I know to do it is in the Python Group Policy.

          Can you expand on: "Like: when the device asks for a host name to be resolved, like an ad server, this host name will now be available ... for all your LAN devices, as it's now part of the resolver's cache."?

          "Once a host name is whitelisted, it is whitelisted for all your LAN network devices." Correct, and this is why I wish I knew of a way to just do exclusions for a single device.

            DirtyRat:

              Not sure what you're struggling with, but I was having Disney+ issues at my home. Could not visit the website, no devices would connect. If I used cell data, I could log in to their website, but from home I'd get a "Try again later" message.

            I called Disney tech support, explained what was happening. He asked for my WAN IP and zip code, once I provided that, all my problems disappeared. They had some sort of locational block on my account for some reason.

            SteveITS (replying to cburbs):

              @cburbs said in PfBlocker and Paramount +:

              exclusions for a single device

              Unbound has "views", but I've generally used them to block access for one device, to override DNS. In that case, in Custom Options in unbound/DNS Resolver settings, one would put:

              server:
              # send queries from this one client through the "blockyoutube" view
              access-control-view: 10.1.1.4/32 blockyoutube
              
              view:
              name: "blockyoutube"
              # answer from the view's local data before the normal resolve path
              view-first: yes
              local-data: "youtube.com. 900 IN A 127.0.0.2"
              local-data: "www.youtube.com. 900 IN A 127.0.0.2"
              

              Perhaps you can find a way to forward or resolve correctly for the specified IP.

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
              Upvote 👍 helpful posts!

                Gertjan (replying to cburbs):

                Edit: I found this post, created hours ago but not posted. So I finished it up and posted.
                Basically, what @SteveITS said above ^^

                @cburbs said in PfBlocker and Paramount +:

                Like: when the device asks for a host name to be resolved, like an ad server, this host name will now be available ... for all your LAN devices, as it's now part of the resolver's cache.

                Once a host name is whitelisted, it is whitelisted for all your LAN network devices.

                The "use the pfBlockerNG Python Group Policy" function (list with requesting IPs) will short-circuit the DNSBL handling.
                Example:
                A device wants to resolve "horrible-ad-server.com", so it sends a request to the upstream DNS, pfSense = unbound.
                Unbound receives the request and checks its local cache to see whether it was already resolved = locally known. If it is, the answer is returned straight away to the requesting LAN device. Take note: no DNS resolving was needed, a cache hit returns the answer directly.

                If the host name "horrible-ad-server.com" isn't available locally, the resolve process kicks in.
                It's this process that first calls a local unbound plugin = our pfBlockerNG script. The plugin interface doesn't use shell, PHP, Lua, or a binary; no, it uses Python, hence the name 'Python mode'.
                This Python script starts by checking if the requester is listed under "Python Group Policy", and if it is, "Ok" is returned right away: resolving starts and the answer is returned to the requesting device.
                Take note: the answer is placed in the local unbound cache.

                Now you understand that a device whitelisted in the "Python Group Policy" that requests "horrible-ad-server.com" will make the resolved result available to all LAN networks.

                ... and this is why I wish I knew of a way to just do exclusions for a single device.

                I think there is.
                It's called "views".

                Go here: Services > DNS Resolver > General Settings and look at this page from top to bottom.
                (Have a look at the Advanced Settings page.)

                The good news is the bad news. Read this ....
                And now you know there are more possibilities - waaaay more possibilities.
                Probably most of them are accessible with this:

                [screenshot]

                Like the good old days: you have to create your own 'extended unbound config', and you'll need the manual.
                You'll discover that 'views' exist, so you can use these to have unbound work differently on a network (LAN) level and even on a device level - never tested this myself, though, but others did.
                Some examples are present here on this forum.

                So, you want special things 'just for you': that's ok, but you have to go outside of what the pfSense (and pfBlockerNG) GUI can do for you. A GUI can only offer a small percentage of all the available possibilities (of unbound).


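The "write your own extended unbound config" step above, as an added example that is neither the thread's code nor anything shipped by pfSense, pfBlockerNG or unbound. It generalises the one-device `view:` snippet posted earlier: a small policy table (view name, client IPs or CIDRs, zones to deny) is rendered into the `server:` / `view:` text that goes into the DNS Resolver custom options box. Instead of enumerating host names with `local-data`, each view denies whole zones with `local-zone: "<zone>" always_nxdomain`, which also covers every subdomain. The policy table and its addresses are constructed for illustration; the view names, client ranges and zone lists are assumptions.

```python
"""Render unbound 'server:' / 'view:' custom options from a policy table.

Added example, not code from the thread, pfSense, pfBlockerNG or unbound.
One view per client group; each view denies whole zones with
'local-zone ... always_nxdomain' (covers all subdomains) rather than
listing hosts with local-data.  The policy table below is constructed.
"""
import ipaddress
import re
from typing import Dict, List

_VIEW_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def fqdn(name: str) -> str:
    """Canonical zone name with exactly one trailing dot; rejects empty labels."""
    name = name.strip().lower().rstrip(".")
    if not name or "" in name.split("."):
        raise ValueError(f"invalid zone name: {name!r}")
    return name + "."


def render_unbound_views(policies: Dict[str, Dict[str, List[str]]]) -> str:
    """policies = {view_name: {"clients": [ip_or_cidr, ...], "zones": [domain, ...]}}

    Returns text for the DNS Resolver 'Custom options' box:
    access-control-view lines under server:, then one view: stanza each.
    """
    access_lines: List[str] = []
    views: List[str] = []
    for view_name, policy in policies.items():
        if not _VIEW_NAME.match(view_name):
            raise ValueError(f"invalid view name: {view_name!r}")
        for client in policy["clients"]:
            # strict=False lets '10.1.1.4' become '10.1.1.4/32' and clears
            # host bits in '10.1.2.7/24' -> '10.1.2.0/24'.
            net = ipaddress.ip_network(client, strict=False)
            access_lines.append(
                f"access-control-view: {net.with_prefixlen} {view_name}"
            )
        # Normalise and de-duplicate zones so 'YouTube.COM.' and
        # 'youtube.com' produce a single local-zone line.
        zones = list(dict.fromkeys(fqdn(z) for z in policy["zones"]))
        stanza = ["view:", f'name: "{view_name}"', "view-first: yes"]
        stanza += [f'local-zone: "{z}" always_nxdomain' for z in zones]
        views.append("\n".join(stanza))
    return (
        "\n".join(["server:", *access_lines])
        + "\n\n"
        + "\n\n".join(views)
        + "\n"
    )


# Constructed policy table (assumed names and ranges, not real hosts).
EXAMPLE_POLICIES = {
    "blockyoutube": {
        "clients": ["10.1.1.4"],
        "zones": ["youtube.com", "YouTube.COM."],
    },
    "kidsnet": {
        "clients": ["10.1.2.0/24"],
        "zones": ["example-tracker.com", "ads.example.net"],
    },
}

if __name__ == "__main__":
    print(render_unbound_views(EXAMPLE_POLICIES), end="")
```

Run the output through `unbound-checkconf` on a copy of the full config before saving it in the GUI; a syntax error in the custom options box stops the resolver from starting. Views are plain unbound: the order in which the pfBlockerNG python module and a view's local zones see a query on your install is something to confirm on the box before relying on a view to change DNSBL behaviour.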
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.