Netgate Discussion Forum

    PFblocker blocks countries it should not block

      Gerard64

      After many years of using m0n0wall I started using pfSense 2.1. I built a new system for pfSense with a Supermicro X7SPA-H board, 4 GB RAM, SSD drive etc.; a really nice system. Why pfSense 2.1 and not 2.0? Because 2.0 did not see my USB DVD-ROM drive; 2.1 did see the USB DVD drive.

      I'm considering downgrading to pfSense 2.0 because of too many problems with 2.1. For example, there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

      PFblocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

      Are there more people with those problems or am I doing something wrong? I really like pfSense 2.1; I don't know pfSense 2.0. Should I downgrade to 2.0 or not? I have never run pfSense 2.0 so I don't know if it's more or less like 2.1 without the problems. Since I have to set up everything again from the start when downgrading, I want to know beforehand if it's smart or if I should just keep going with 2.1 till it's stable.

      What are the big differences between 2.0 and 2.1?

        wallabybob

        @Gerard64:

        there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

        What build are you running? There was a long-standing bug where captive portal didn't start, but it was corrected maybe a couple of months ago.

        @Gerard64:

        PFblocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

        What evidence do you have that access is blocked by pfblocker?

        From which system are you attempting to access pfsense.org and about.com: pfSense or a downstream system? On that system, what do you see if you nslookup pfsense.org and then whois the IP address returned by nslookup? For example, on a Linux system downstream of my pfSense box I see

        $ nslookup pfsense.org
        Server:		127.0.0.1
        Address:	127.0.0.1#53
        
        Non-authoritative answer:
        Name:	pfsense.org
        Address: 69.64.6.21
        
        $ whois 69.64.6.21
        #
        # The following results may also be obtained via:
        # http://whois.arin.net/rest/nets;q=69.64.6.21?showDetails=true&showARIN=false&ext=netref2
        #
        
        # start
        
        NetRange:       69.64.0.0 - 69.64.15.255
        CIDR:           69.64.0.0/20
        OriginAS:       
        NetName:        BLUEGRASSNET
        NetHandle:      NET-69-64-0-0-1
        Parent:         NET-69-0-0-0-0
        NetType:        Direct Allocation
        RegDate:        2003-07-29
        Updated:        2012-03-02
        Ref:            http://whois.arin.net/rest/net/NET-69-64-0-0-1
        
        OrgName:        BLUEGRASS.NET
        OrgId:          BRAS
        Address:        321 E Breckinridge ST.
        City:           Louisville
        StateProv:      KY
        PostalCode:     40203
        Country:        US
        RegDate:        2001-09-28
        Updated:        2011-06-02
        Ref:            http://whois.arin.net/rest/org/BRAS
        
        OrgAbuseHandle: TG41-ARIN
        OrgAbuseName:   Galla, Thomas P.
        OrgAbusePhone:  +1-502-515-1760 
        OrgAbuseEmail:  sysadmin@bluegrass.net
        OrgAbuseRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        OrgTechHandle: TG41-ARIN
        OrgTechName:   Galla, Thomas P.
        OrgTechPhone:  +1-502-515-1760 
        OrgTechEmail:  sysadmin@bluegrass.net
        OrgTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        OrgNOCHandle: TG41-ARIN
        OrgNOCName:   Galla, Thomas P.
        OrgNOCPhone:  +1-502-515-1760 
        OrgNOCEmail:  sysadmin@bluegrass.net
        OrgNOCRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        RTechHandle: TG41-ARIN
        RTechName:   Galla, Thomas P.
        RTechPhone:  +1-502-515-1760 
        RTechEmail:  sysadmin@bluegrass.net
        RTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        # end
        
        # start
        
        NetRange:       69.64.6.0 - 69.64.6.255
        CIDR:           69.64.6.0/24
        OriginAS:       AS4261
        NetName:        BGN-VOICE
        NetHandle:      NET-69-64-6-0-1
        Parent:         NET-69-64-0-0-1
        NetType:        Reassigned
        RegDate:        2010-09-28
        Updated:        2010-09-28
        Ref:            http://whois.arin.net/rest/net/NET-69-64-6-0-1
        
        CustName:       bgn-heyburn
        Address:        321 e breckinridge st
        City:           louisville
        StateProv:      KY
        PostalCode:     40203
        Country:        US
        RegDate:        2010-09-28
        Updated:        2011-03-19
        Ref:            http://whois.arin.net/rest/customer/C02595726
        
        OrgAbuseHandle: TG41-ARIN
        OrgAbuseName:   Galla, Thomas P.
        OrgAbusePhone:  +1-502-515-1760 
        OrgAbuseEmail:  sysadmin@bluegrass.net
        OrgAbuseRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        OrgTechHandle: TG41-ARIN
        OrgTechName:   Galla, Thomas P.
        OrgTechPhone:  +1-502-515-1760 
        OrgTechEmail:  sysadmin@bluegrass.net
        OrgTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        OrgNOCHandle: TG41-ARIN
        OrgNOCName:   Galla, Thomas P.
        OrgNOCPhone:  +1-502-515-1760 
        OrgNOCEmail:  sysadmin@bluegrass.net
        OrgNOCRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        RTechHandle: TG41-ARIN
        RTechName:   Galla, Thomas P.
        RTechPhone:  +1-502-515-1760 
        RTechEmail:  sysadmin@bluegrass.net
        RTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
        
        # end
        
        #
        # ARIN WHOIS data and services are subject to the Terms of Use
        # available at: https://www.arin.net/whois_tou.html
        #
        
        $ 
        
        
          Gerard64

          @wallabybob:

          @Gerard64:

          there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

          What build are you running? There was a long-standing bug where captive portal didn't start, but it was corrected maybe a couple of months ago.

          The build I use is "2.1-BETA1 (i386)
          built on Wed Dec 19 15:46:20 EST 2012"

          @wallabybob:

          @Gerard64:

          PFblocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

          What evidence do you have that access is blocked by pfblocker?

          When I disable pfblocker and wait a moment, I visit the previously blocked sites again with no problem; then I can visit the pages normally.

          @wallabybob:

          From which system are you attempting to access pfsense.org and about.com: pfSense or a downstream system? On that system, what do you see if you nslookup pfsense.org and then whois the IP address returned by nslookup? For example, on a Linux system downstream of my pfSense box I see


          I use a workstation on the LAN subnet. When I try to nslookup pfsense.org it can't be found. If I disable pfblocker, nslookup pfsense.org works normally.

          Server:  wlan2-router.mydomain.tld
          Address:  10.10.10.65

          Niet-bindend antwoord:
          Naam:    pfsense.org
          Addresses:  2605:8000:d:1::167
                   69.64.6.21

          I did not enable North America, Europe and Oceania; the rest is set to deny both.

            Gerard64

            I installed the latest build of December 26 just now for testing. Captive portal does not work. I restarted the service over and over again. Then I restored the build of December 19. Now captive portal is working, kind of. Allowed IPs are not allowed.

            Pfblocker is not blocking pfsense but about.com can't be reached.
            When I nslookup about.com
            Server:  wlan2-router.mydomain.tld
            Address:  10.10.10.65

            Niet-bindend antwoord:
            Naam:    about.com
            Address:  207.241.148.80

            When I disable pfblocker, about.com can be reached normally. The IP of about.com is located in the US. I did not block North America in pfblocker.

              Metu69salemi

              What device is running DHCP & DNS on that Captiveportal network?

                Gerard64

                I use the DHCP service of pfSense. I run a Bind9 DNS service on a Linux machine in the DMZ subnet. I use the DNS forwarder on pfSense; because of that, all systems connect to pfSense for DNS resolution.

                  Metu69salemi

                  Captive portal requires that DNS is run on pfSense, at least on that interface, if I'm not remembering it all wrong.

                    Gerard64

                    I set it up the same way I always did on m0n0wall, which worked very well for many years. If the pfSense captive portal works the same way as m0n0wall, it should work. Besides that, with the build of December 19 it does work, except that the allowed IPs are not allowed through. If I use the build of December 26, the captive portal is not working at all.

                      Gerard64

                      About pfblocker. I have to disable pfblocker to be able to post here in the pfSense forums. With pfblocker enabled I can't reach pfsense.org and can't access about.com.

                        marcelloc

                        Gé,

                        Pfblocker lists are based on ipblocklist continent IP addresses. Now this service is paid; what we have is a database that is a few months old.
                        I'm not sure IP addresses move between countries, but you can edit the pfblocker CIDR txt files in the /usr/local/pkg dir and/or apply a whitelist for IPs you do not want to block.

                        Regards,
                        Marcello Coutinho

                        Treinamentos de Elite: http://sys-squad.com

                        Help a community developer! ;D
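A way to narrow down which list is responsible before editing a CIDR file or adding a whitelist entry, as suggested in the post above. This is an added example, not pfBlocker code: the list names, the one-CIDR-per-line format and all ranges in the sample data are assumptions constructed for illustration; only the three looked-up addresses come from this thread.

```python
import ipaddress

def parse_cidr_list(text):
    """Parse one-CIDR-per-line text (assumed format); skip blanks, '#' comments, bad lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # malformed entry: ignore it rather than abort the whole check
    return nets

def _covers(nets, addr):
    """Networks in nets that contain addr (same IP version only)."""
    return [n for n in nets if n.version == addr.version and addr in n]

def matching_lists(ip, deny_lists):
    """Map each deny-list name to the CIDR entries that cover ip."""
    addr = ipaddress.ip_address(ip)
    hits = {}
    for name, nets in deny_lists.items():
        found = [str(n) for n in _covers(nets, addr)]
        if found:
            hits[name] = found
    return hits

def verdict(ip, deny_lists, whitelist):
    """Whitelist wins; otherwise block if any deny list covers the address."""
    if _covers(whitelist, ipaddress.ip_address(ip)):
        return ("pass", {})
    hits = matching_lists(ip, deny_lists)
    return ("block", hits) if hits else ("pass", {})

# Constructed sample data: hypothetical stale entries, NOT real pfBlocker list contents.
DENY_LISTS = {
    "Asia": parse_cidr_list("# stale entry (constructed)\n207.241.144.0/20\n203.0.113.0/24\n"),
    "South_America": parse_cidr_list("69.64.0.0/20\nnot-a-cidr\n198.51.100.0/24\n"),
}
WHITELIST = parse_cidr_list("69.64.6.0/24  # keep pfsense.org reachable\n")

if __name__ == "__main__":
    # Addresses returned by the nslookup runs quoted in this thread.
    for ip in ("69.64.6.21", "207.241.148.80", "2605:8000:d:1::167"):
        print(ip, verdict(ip, DENY_LISTS, WHITELIST))
```

Run the same check against the addresses of the DNS servers the firewall or resolver queries, since a blocked name server shows up as a failed nslookup rather than as a blocked web site.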

                          Gerard64

                          Thank you Marcello for this information; I did not know all that about the ipblocklist. To be honest, I don't like to tinker under the hood with pfSense. I like the web-based GUI. I could also build a router with iptables and set up all the services I need. I chose pfSense because of the convenience of a web-based router. Before, I used m0n0wall for years with never any problems. That's why I asked in the start post whether maybe it's better for me to downgrade to pfSense 2.0. And when I adjust the ipblocklist and update pfSense, I have to fix all those things again and again.

                          When pfblocker blocks a site I just switch it off. I posted the troubles I have with the pfSense beta here in the hope someone would fix it, because this web GUI looks really nice and has many, many packages and options, but some of them just don't work yet.

                          I looked up the IP of pfsense.org on dnsstuff.com:
                          DNSstuff first created a snapshot for 69.64.6.21 (ip of pfsense.org) on Thursday, November 17th, 2011, 1:19:45 PM. We have not seen any changes to the records since that date.

                          As you can see, the IP of pfsense.org has been in use for at least one year, connected to pfsense.org and located in the US, and since I didn't block North America in the pfblocker GUI, it proves it just doesn't work, sadly enough. Does pfSense 2.0 also have those packages like pfblocker, radius and so on? Because I really like radius, certificate manager, captive portal and pfblocker, if it works that is.

                          I have never seen the GUI of pfSense 2.0, so I'm in doubt whether I'm going to downgrade from the beta to the stable.

                          Another strange thing is that when I "nslookup pfsense.org ns.mydomain.tld" it can't be found, but when I use "nslookup pfsense.org 8.8.8.8" (DNS server of Google) it does find the IP. When I switch off pfblocker I can use my own DNS server again in the nslookup.

                            mr_bobo

                            @Gé:

                            Are there more people with those problems or am I doing something wrong?

                            I'm using pfSense 2.0.2 with the pfBlocker package. I have it set to deny incoming for all countries and am not having any problems reaching this or any other site. Both pfBlocker and 2.0.2 have been working flawlessly for me. From my FreeBSD box:

                            $ nslookup pfsense.org
                            Server:        192.168.1.1
                            Address:        192.168.1.1#53

                            Non-authoritative answer:
                            Name:  pfsense.org
                            Address: 69.64.6.21

                            $ nslookup about.com
                            Server:        192.168.1.1
                            Address:        192.168.1.1#53

                            Non-authoritative answer:
                            Name:  about.com
                            Address: 207.241.148.80

                            I have set up additional CIDR lists with data acquired from countryipblocks.net as well.

                            https://www.countryipblocks.net/country_selection.php

                              Gerard64

                              Great thank you.
                              Good to know PFsense also has the packages system like the beta version and has also pfblocker package available.
