pfBlockerNG 3.2.13 - DNSBL disabled: no VIP configured

bigsy

NG5100 running pfSense Plus 25.11

Upgraded from pfBlockerNG 3.2.9 to 3.2.13.

DNSBL doesn't restart and the pfblockerNG log has multiple entries for:

DNSBL disabled: no VIP configured

Removal and reinstallation of the package and reboot doesn't help.

These are the relevant VIPs in a backup older config.xml but they have disappeared following this upgrade:

                <vip>
			<interface>lo0</interface>
			<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
			<type>single</type>
			<subnet_bits>32</subnet_bits>
			<subnet>10.99.99.1</subnet>
			<mode>ipalias</mode>
		</vip>
		<vip>
			<interface>lo0</interface>
			<descr><![CDATA[pfB DNSBL - DO NOT EDIT]]></descr>
			<type>single</type>
			<subnet_bits>128</subnet_bits>
			<subnet>::10.99.99.1</subnet>
			<mode>ipalias</mode>
		</vip>

aivxtla

@bigsy the wizard since the 0.13 update now prompts you to manually setup up VIPs in the Firewall -> VIP section but yeah odd that it’s clearing your prior VIP addressees.

bigsy

@aivxtla Thanks, I've manually recreated the VIPs, assigned them in DNSBL Webserver Configuration, and DNSBL appears to be running OK again.

Cylosoft

I just upgraded our first firewall. Ran into the same thing. It lost the VIP IP. Had to go create one and assign it and set things up.

marcosm

Was the config already in place during the upgrade, or did you restore the config after the upgrade? The migration code only runs on upgrade or when installing the package (IIRC not reinstall).

bigsy

@marcosm I upgraded an existing running installation so the config was in place.

marcosm

I just tried an upgrade (ZFS, both with pfBlockerNG and pfBlockerNG-devel) from 25.07.1 to 25.11 and the VIP was migrated correctly. Are you running UFS instead of ZFS?

bigsy

@marcosm This is on ZFS. I had already successfully upgraded from 25.07 to 25.11 last week and the version of pfBlockerNG at this point was 3.2.9 (I think) and was running fine.

This issue occurred this morning with the package upgrade to pfBlockerNG 3.2.13.

Carnivore 0

Not intended to be read as piling on, but yes i see the same issue on my instalation after upgrading this morning.

btspce

Im having the same issue after upgrade from 3.2.9 to 3.2.13. Lots of DNSBL disabled: no VIP configured spamming the update log below:
Issue 2: Table Usage Count went from around 400000 before to 738 after the update !?

** Starting firewall filter daemon **

DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured
**Saving configuration**

DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured

** Starting firewall filter daemon **

DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured
DNSBL disabled: no VIP configured CRON  PROCESS  START [ v3.2.13 ] [ 12/16/25 17:30:00 ]

btspce

Im not and have never used DNSBL on this firewall.

marcosm

When updating pfBlockerNG or when upgrading with UFS the package is uninstalled fist which removes the VIP config. Since the new package version code doesn't configure VIPs and there's no longer a VIP config to migrate, DNSBL fails to start. I'm not sure there's any practical solution here given that VIP configuration has been removed from the package and is instead left to the base system. However we can trigger an alert/notice in this case once the new package gets installed to make it more obvious that the VIP needs to be configured.

SteveITS

@marcosm Had it always removed the VIP? Historically, settings have survived reboot so this would be a change (e.g. for anyone the upgrade guide to remove packages):

marcosm

@SteveITS Yes. It used to re-add the VIP on package install too but the package no longer creates/deletes/modifies any VIPs.

Carnivore 0

I re-ran the wizard thinking it would auto create the VIP, but it asked for the VIP to be created during the reinstall. So, its a good learning experience to go through the setup again. Too bad, i had it running really well to!

Mission-Ghost

What is the value-added to removing the necessary vip setup functionality?

SteveITS

@marcosm I see. Having done this a long time I basically don't use the wizards so agree there should be some notice to add it manually.

@Mission-Ghost

What is the value-added to removing the necessary vip setup functionality?

I read it as "pfBlocker intentionally doesn't handle this anymore," so while removing it is normal, as of now not-adding-it-back-again is normal. In the big picture I could see how leaving behind an IP on package removal could be confusing down the road. I would think a "DNSBL VIP needs to be configured" banner would be helpful, with instructions, if DNSBL is enabled.

btspce

@marcosm Why is it warning about "DNSBL disabled: no VIP configured" multiple times when we don't use DNSBL (never have) and it is disabled ? What are we suppose to do when we don't want to use it ?

Cylosoft

@marcosm I've done a couple of upgrades now. It deletes the existing VIP. It just doesn't create. Maybe you mean going forward it won't delete any VIPs.

marcosm

@btspce There's no need to do anything since the log is harmless. Edit: fixed in latest version.

@Mission-Ghost It fixes some issues and avoids the need to maintain a separate implementation of the VIP handling code.