PFblocker blocks countries it should not block



  • After many years of using m0n0wall I started using pfSense 2.1. I built a new system for pfSense with a Supermicro X7SPA-H board, 4 GB RAM, SSD drive etc., a really nice system. Why pfSense 2.1 and not 2.0? Because 2.0 did not see my USB DVD-ROM drive; 2.1 did see the USB DVD drive.

    I'm considering downgrading to pfSense 2.0 because of too many problems with 2.1. For example, there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

    pfBlocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

    Are there more people with those problems or am I doing something wrong? I really like pfSense 2.1; I don't know pfSense 2.0. Should I downgrade to 2.0 or not? I have never run pfSense 2.0 so I don't know if it's more or less like 2.1 without the problems. Since I have to set up everything again from the start when downgrading, I want to know beforehand if it's smart, or whether to just keep going with 2.1 till it's stable.

    What are the big differences between 2.0 and 2.1?



  • @Gerard64:

    there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

    What build are you running? There was a long-standing bug where the captive portal didn't start, but it was corrected maybe a couple of months ago.

    @Gerard64:

    pfBlocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

    What evidence do you have that access is blocked by pfblocker?

    From which system are you attempting to access pfsense.org and about.com: pfSense or a downstream system? On that system, what do you see if you nslookup pfsense.org and then whois the IP address returned by nslookup? For example, on a Linux system downstream of my pfSense box I see

    $ nslookup pfsense.org
    Server:		127.0.0.1
    Address:	127.0.0.1#53
    
    Non-authoritative answer:
    Name:	pfsense.org
    Address: 69.64.6.21
    
    $ whois 69.64.6.21
    #
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=69.64.6.21?showDetails=true&showARIN=false&ext=netref2
    #
    
    # start
    
    NetRange:       69.64.0.0 - 69.64.15.255
    CIDR:           69.64.0.0/20
    OriginAS:       
    NetName:        BLUEGRASSNET
    NetHandle:      NET-69-64-0-0-1
    Parent:         NET-69-0-0-0-0
    NetType:        Direct Allocation
    RegDate:        2003-07-29
    Updated:        2012-03-02
    Ref:            http://whois.arin.net/rest/net/NET-69-64-0-0-1
    
    OrgName:        BLUEGRASS.NET
    OrgId:          BRAS
    Address:        321 E Breckinridge ST.
    City:           Louisville
    StateProv:      KY
    PostalCode:     40203
    Country:        US
    RegDate:        2001-09-28
    Updated:        2011-06-02
    Ref:            http://whois.arin.net/rest/org/BRAS
    
    OrgAbuseHandle: TG41-ARIN
    OrgAbuseName:   Galla, Thomas P.
    OrgAbusePhone:  +1-502-515-1760 
    OrgAbuseEmail:  sysadmin@bluegrass.net
    OrgAbuseRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    OrgTechHandle: TG41-ARIN
    OrgTechName:   Galla, Thomas P.
    OrgTechPhone:  +1-502-515-1760 
    OrgTechEmail:  sysadmin@bluegrass.net
    OrgTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    OrgNOCHandle: TG41-ARIN
    OrgNOCName:   Galla, Thomas P.
    OrgNOCPhone:  +1-502-515-1760 
    OrgNOCEmail:  sysadmin@bluegrass.net
    OrgNOCRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    RTechHandle: TG41-ARIN
    RTechName:   Galla, Thomas P.
    RTechPhone:  +1-502-515-1760 
    RTechEmail:  sysadmin@bluegrass.net
    RTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    # end
    
    # start
    
    NetRange:       69.64.6.0 - 69.64.6.255
    CIDR:           69.64.6.0/24
    OriginAS:       AS4261
    NetName:        BGN-VOICE
    NetHandle:      NET-69-64-6-0-1
    Parent:         NET-69-64-0-0-1
    NetType:        Reassigned
    RegDate:        2010-09-28
    Updated:        2010-09-28
    Ref:            http://whois.arin.net/rest/net/NET-69-64-6-0-1
    
    CustName:       bgn-heyburn
    Address:        321 e breckinridge st
    City:           louisville
    StateProv:      KY
    PostalCode:     40203
    Country:        US
    RegDate:        2010-09-28
    Updated:        2011-03-19
    Ref:            http://whois.arin.net/rest/customer/C02595726
    
    OrgAbuseHandle: TG41-ARIN
    OrgAbuseName:   Galla, Thomas P.
    OrgAbusePhone:  +1-502-515-1760 
    OrgAbuseEmail:  sysadmin@bluegrass.net
    OrgAbuseRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    OrgTechHandle: TG41-ARIN
    OrgTechName:   Galla, Thomas P.
    OrgTechPhone:  +1-502-515-1760 
    OrgTechEmail:  sysadmin@bluegrass.net
    OrgTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    OrgNOCHandle: TG41-ARIN
    OrgNOCName:   Galla, Thomas P.
    OrgNOCPhone:  +1-502-515-1760 
    OrgNOCEmail:  sysadmin@bluegrass.net
    OrgNOCRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    RTechHandle: TG41-ARIN
    RTechName:   Galla, Thomas P.
    RTechPhone:  +1-502-515-1760 
    RTechEmail:  sysadmin@bluegrass.net
    RTechRef:    http://whois.arin.net/rest/poc/TG41-ARIN
    
    # end
    
    #
    # ARIN WHOIS data and services are subject to the Terms of Use
    # available at: https://www.arin.net/whois_tou.html
    #
    
    $ 
    
    


  • @wallabybob:

    @Gerard64:

    there are always problems with the captive portal I have on one of the VLANs; most of the time the captive portal just doesn't work and my WLAN is open for everybody :S

    What build are you running? There was a long-standing bug where the captive portal didn't start, but it was corrected maybe a couple of months ago.

    The build I use is "2.1-BETA1 (i386)
    built on Wed Dec 19 15:46:20 EST 2012"

    @wallabybob:

    @Gerard64:

    pfBlocker blocks countries it shouldn't block. It even blocks pfsense.org and about.com, which are located in North America, which I didn't block of course.

    What evidence do you have that access is blocked by pfblocker?

    When I disable pfBlocker and wait a moment, I can visit the previously blocked sites again without any problem; then I can visit the pages normally.

    @wallabybob:

    From which system are you attempting to access pfsense.org and about.com: pfSense or a downstream system? On that system, what do you see if you nslookup pfsense.org and then whois the IP address returned by nslookup? For example, on a Linux system downstream of my pfSense box I see


    I use a workstation on the LAN subnet. When I try to nslookup pfsense.org it can't be found. If I disable pfBlocker, nslookup pfsense.org works normally.

    Server:  wlan2-router.mydomain.tld
    Address:  10.10.10.65

    Niet-bindend antwoord:
    Naam:    pfsense.org
    Addresses:  2605:8000:d:1::167
             69.64.6.21

    I did not enable North America, Europe and Oceania; the rest is set to deny both.



  • I installed the latest build of December 26 just now for testing. Captive portal does not work. I restarted the service over and over again. Then I restored the build of December 19. Now captive portal is working, kind of. Allowed IPs are not allowed.

    pfBlocker is not blocking pfsense but about.com can't be reached.
    When I nslookup about.com:
    Server:  wlan2-router.mydomain.tld
    Address:  10.10.10.65

    Niet-bindend antwoord:
    Naam:    about.com
    Address:  207.241.148.80

    When I disable pfBlocker, about.com can be reached normally. The IP of about.com is located in the US. I did not block North America in pfBlocker.



  • What device is running DHCP & DNS on that captive portal network?



  • I use the DHCP service of pfSense. I run the Bind9 DNS service on a Linux machine in the DMZ subnet. I use the DNS forwarder on pfSense; because of that all systems connect to pfSense for DNS resolution.



  • Captive portal requires that DNS is run on pfSense, at least on that interface, if I'm not remembering it all wrong.



  • I set it up the same way I always did on m0n0wall, which worked very well for many years. If the pfSense captive portal works the same way as m0n0wall, it should work. Besides that, with the build of December 19 it does work, except that the allowed IPs are not allowed through. If I use the build of December 26 the captive portal is not working at all.



  • About pfBlocker. I have to disable pfBlocker to be able to post here in the pfSense forums. With pfBlocker enabled I can't reach pfsense.org and can't access about.com.



  • Gé,

    pfBlocker lists are based on the ipblocklist continent IP addresses. Now this service is paid; what we have is a few months old database.
    I'm not sure IP addresses move between countries, but you can edit the pfBlocker CIDR txt files in the /usr/local/pkg dir and/or apply a whitelist for IPs you do not want to block.

    att,
    Marcello Coutinho
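The two checks this thread walks through (resolve the name, then see which block entry an address falls into) can be combined into one script. The following is an added example, not pfBlocker's own code: it takes text in the one-CIDR-per-line layout of the files Marcello mentions under /usr/local/pkg, reports every list entry that contains a given IPv4 or IPv6 address, and applies a whitelist on the assumption that whitelist entries override list hits. The file names, list contents and whitelist are constructed for the example; the addresses in the demo are the ones quoted earlier in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample lists in the one-CIDR-per-line layout of the pfBlocker
# country files (file names and contents made up, not real list data).
# The 69.64.0.0/20 entry in the "Africa" list is deliberately wrong: it
# shows how a stale list entry can catch a US subnet such as pfsense.org's.
BLOCKLISTS: Dict[str, str] = {
    "Asia_cidr.txt": "1.0.0.0/8\n2405:2000::/32\n",
    "Africa_cidr.txt": "# comment line\n41.0.0.0/8\n69.64.0.0/20\nbad entry\n",
}
# Constructed whitelist; assumed (not verified against pfBlocker) to win
# over any block-list hit.
WHITELIST = "69.64.6.21/32\n"


def parse_cidr_file(text: str) -> list:
    """Parse one-CIDR-per-line text, skipping blanks, comments and junk."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the whole check
    return nets


def find_matches(addr: str, lists: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (list name, CIDR) pairs whose CIDR contains addr (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return [(name, str(net)) for name, text in lists.items()
            for net in parse_cidr_file(text) if ip in net]


def verdict(addr: str, lists: Dict[str, str], whitelist: str) -> dict:
    """Combine list hits and the whitelist into a would-be-blocked decision."""
    ip = ipaddress.ip_address(addr)
    hits = find_matches(addr, lists)
    allowed = any(ip in net for net in parse_cidr_file(whitelist))
    return {"address": addr, "matches": hits, "whitelisted": allowed,
            "blocked": bool(hits) and not allowed}


if __name__ == "__main__":
    # Addresses from the thread: pfsense.org (A and AAAA), about.com, and the
    # LAN DNS server; resolver addresses are worth checking too, because the
    # later symptom reported is that lookups via the local server fail.
    for a in ("69.64.6.21", "2605:8000:d:1::167", "207.241.148.80", "10.10.10.65"):
        print(verdict(a, BLOCKLISTS, WHITELIST))
```

On a real box, replace the constructed dictionary with the contents of the actual CIDR files and run the script over every address a failing lookup or connection touches, including the DNS server the client uses.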



  • Thank you Marcello for this information; I did not know all that about the ipblocklist. To be honest I don't like to tinker under the hood with pfSense. I like the web-based GUI. I could also build a router with iptables and set up all the services I need. I chose pfSense because of the convenience of the web-based router pfSense. Before, I used m0n0wall for years without ever any problems. That's why I asked in the start post whether maybe it's better for me to downgrade to pfSense 2.0. And when I adjust the ipblocklist and update pfSense, I have to fix all those things again and again.

    When pfBlocker blocks a site I just switch it off. I posted the troubles I have with the pfSense beta here in the hope someone would fix it, because this web GUI looks really nice with many, many packages and options, but some of them just don't work yet.

    I looked up the IP of pfsense.org on dnsstuff.com:
    DNSstuff first created a snapshot for 69.64.6.21 (ip of pfsense.org) on Thursday, November 17th, 2011, 1:19:45 PM. We have not seen any changes to the records since that date.

    As you can see, the IP of pfsense.org has been in use and connected to pfsense.org for at least one year and is located in the US, and since I didn't block North America in the pfBlocker GUI it proves it just doesn't work, sadly enough. Does pfSense 2.0 also have those packages like pfBlocker, RADIUS and so on? Because I really like RADIUS, certificate manager, captive portal and pfBlocker, if it works that is.

    I have never seen the GUI of pfSense 2.0 so I'm in doubt whether I'm going to downgrade from the beta to the stable.

    Another strange thing is when I "nslookup pfsense.org ns.mydomain.tld" it can't be found, but when I use "nslookup pfsense.org 8.8.8.8" (DNS server of Google) it does find the IP. When I switch off pfBlocker I can use my own DNS server again in the nslookup.



  • @Gé:

    Are there more people with those problems or am I doing something wrong?

    I'm using pfSense 2.0.2 with the pfBlocker package. I have it set to deny incoming for all countries and am not having any problems reaching this or any other site. Both pfBlocker and 2.0.2 have been working flawlessly for me. From my FreeBSD box:

    $ nslookup pfsense.org
    Server:        192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:
    Name:  pfsense.org
    Address: 69.64.6.21

    $ nslookup about.com
    Server:        192.168.1.1
    Address:        192.168.1.1#53

    Non-authoritative answer:
    Name:  about.com
    Address: 207.241.148.80

    I have set up additional CIDR lists with data acquired from countryipblocks.net as well.

    https://www.countryipblocks.net/country_selection.php



  • Great, thank you.
    Good to know pfSense also has the package system like the beta version and also has the pfBlocker package available.

