Only semi-related to the video, but through this I discovered most of my DNSbl entries weren't configured properly and had all ended up disabled for some reason, so thanks for giving me cause to poke around my router today.
Great video Tom! We need more content like this since pfBlockeNG's developer has very limited time to write any kind of technical documentation. Thanks!
You sir are awesome. My pfBlockerNG is up and running perfectly for what I need. Because of this and a few other videos of yours that I consumed, I am now a subscriber.
You Shall Pass!! Love it!! LOTR : ) Thanks for sharing your opinion on how to set PfBlockerNG, great that you update this how-to .
Thank you ! Thank you! Thank you! I was just looking at adding some TOR lists. Your video also brought out some other things that I did not know. I know these videos take some time, but brother I appreciate it. I always learn something.
Thanks to NetGate as well for maintaining such a great product.
Amazing, together with Crowdsec a strong starting point!
Excellent video, Tom! I've been needing to get this installed and configured on my 6100. That's done now, thanks to you!
just another bombastic video 💣 from master tom. thank you very much sir, as always! greetings from buenos aires
Glad you enjoyed it!
Another great video, I just wanted to say thank you for all your videos! One more request: sometimes it would be nice if you would speak a little slower, I would have a few milliseconds more time in my head to translate it into German :D Thanks for everything, greetings from Germany
Thank you, and you can slow down the video via the YouTube settings
@LAWRENCESYSTEMS 🤣 jepp 😂
🤣🤣, it's a habit thing. I'm Portuguese and I like the way he talks so clearly; I always watch him at 2x speed, sometimes even at 2.5 or more!
I've been using the Geo-blocking to block outbound connections to countries like Russia, China, and North Korea. Sure malware can easily get around that kind of block, but seeing as I never visit sites from those places, there's no harm in making it that little bit more complicated for them (as well as closing potential holes due to disguised malicious download links/scripts). :)
But you are totally OK with Google taking your information anyway. I haven't seen anyone get their money taken by Russia, China or North Korea, but I have seen the US kidnap foreigners from other countries that are based on any evidence, and then China had to retaliate of course because of your nation's stupidity.
No wonder there is over a million dead in the US
Thanks Tom... I have been trying to do DNS filtering but it mainly fails and breaks... Hope you can do a video on how to properly configure pfBlocker and Snort
Very cool video as usual Tom. I am still running pfSense on my Dell R210II with an old Xeon E3 1220 quad core & 8GB of ECC; it still seems to work well. Thinking about going to a Xeon E3 2675 v2, but I think I may at some point!
My problem is finding out which blocklist is blocking me from accessing a legitimate website. Lawrence's firewall loglist showed which rule caused the block. Is that a setting, do I need to upgrade to pfSense plus or what?
Thanks
I currently have GeoIP enabled to only allow U.S. IPs to a VPN port. I am looking to be able to restrict it further to just a single state within the US. And yes, I know the lists are not 100% accurate, but it is a start. Is there a good way to accomplish this without having to pay for the MaxMind City lists?
Great video as usual!
I'm now a couple months late, but would you consider doing a updated PF blocker? I've noticed the interface is quite different
I'm not sure whether I'm doing something wrong, but when I add the GeoIP blocks in pfBlocker, no rules are added to the firewall
merci beaucoup 🥰🥰
Thanks Tom
Another great vid on pfSense. Could you think about doing one on getting a SONOS system to work across the LAN and IoT networks with pfSense?
Put the devices that need to talk to Sonos on the same network as Sonos designed it to work
Interesting content as ever. Might have a look at Pfsense and this again, running XG Home atm. I have a spare Sophos XG230Rev2 that I’ll test with before maybe selling it.
I still like their web filtering offerings etc. easy to manage and works well when niece or nephew stay over…
Would you use Crowdsec over pfblocker now that crowdsec has submitted a pkg for approval
maybe also pay some attention to whitelisting?
I had, for example, once the IP addresses of the DNS servers I use being blocked after an IP list update. Took me quite some time to troubleshoot why my entire Internet was unavailable.
Now I put them in my whitelist by default, so even if they make it to a blacklist somehow my DNS will keep working.
(yes, even if it can't be DNS, it always turns out DNS is the issue 🤪)
How is PfBlockerNG compared to AdGuard Home?
Not sure, I never used AdGuard
@Lawrence Systems what about url shortener feeds? Looking to bolster our network security.
Omg Thank you so much
I noticed you don't have block private and bogon rules on your wan, but somewhere in my setup I have those checked. should I uncheck them?
I know this is an old question. What Tom shares here in the videos could be his sandpit environment, which he builds and rebuilds multiple times. He will not even be posting a photo of his production environment gear, due to security reasons. If you have any lab or test cases where you are emulating the WAN link within your private network, then we can uncheck those boxes.
If I have a personal server and only a few people within my country would even access it, I guess it would make sense to block geolocations other than my country
I tried this - but just adding 2 of /my/ "most problematic continents" from the geo list (only using IPv4) swallowed memory I could barely afford to lose
(my bare metal box only has 4gig...so yea...waiting on postman with 32 gig that is hopefully compatible and good and gives some breathing room)
Instead I am playing with only using my country as a pass list - thought process being less intensive on CPU, memory and disk space and less to keep updated
had some success with using fail2ban on the "server" to do dropping on its own firewall and also as a feed to another subscribe-able "blocklist" on the pfSense box - as my country also has dickheads and bots unfortunately... but no point in letting them past the router
downside is they have to do something bad on my server first to find themselves on that list ....so far been lucky, but I guess it is only a matter of time
I hate that after 20-odd years of relatively trouble-free "home hosting" I am thinking of having to turn my hobby hosting from being a worldwide accessible thing to having to restrict it to just serving this damp island... but the cat-and-mouse game it once was has changed to a herd of very hungry robotic zombie army bears and a fresh salmon with a big flashing sign above it
Not long come to pfSense, as my ISP-provided router was as dumb as it gets and I have been solely relying on the server's firewall and fail2ban and lots of watching of logs and blocking stuff as needed
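As an added example (not the commenter's own setup and not part of fail2ban or pfBlockerNG), here is one way to turn fail2ban's bans into the kind of subscribable feed described above: a cron job exports the currently banned addresses as a plain one-address-per-line file that pfBlockerNG can fetch as an IPv4 custom feed. The jail names, the output path and the presence of `fail2ban-client` on the host are assumptions.

```shell
#!/bin/sh
# Export fail2ban's currently banned IPv4 addresses as a plain-text list
# (one address per line) that pfBlockerNG can fetch as an IPv4 custom feed.
# Assumptions: fail2ban-client is on PATH, and OUT_FILE sits in a directory
# the host already serves over HTTP(S) so the firewall can download it.

JAILS="${JAILS:-sshd}"                              # jails to export (assumed)
OUT_FILE="${OUT_FILE:-/var/www/html/banned.txt}"    # served path (assumed)

# Read `fail2ban-client status <jail>` output on stdin and print each banned
# IPv4 address once. Only well-formed dotted quads (every octet 0-255) pass,
# so a garbled line can never push a bogus entry into the firewall's alias.
# IPv6 bans are dropped here: this feed is for an IPv4 alias.
parse_banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' |
    tr ' ' '\n' |
    awk -F. 'NF == 4 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) ok = 0
        if (ok) print
    }' |
    sort -u
}

# Collect the bans from every configured jail into one de-duplicated list.
build_feed() {
    for jail in $JAILS; do
        fail2ban-client status "$jail" | parse_banned_ips
    done | sort -u
}

# Write atomically: pfBlockerNG must never download a half-written file.
write_feed() {
    tmp="$(mktemp "${OUT_FILE}.XXXXXX")" || return 1
    if build_feed > "$tmp"; then
        mv -f "$tmp" "$OUT_FILE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run from cron, e.g. every 5 minutes:
#   */5 * * * * /usr/local/bin/f2b-feed.sh --run
if [ "${1:-}" = "--run" ]; then
    write_feed
fi
```

Point pfBlockerNG's custom IPv4 feed at the URL of that file and set the update frequency to match the cron interval; the firewall then drops the offenders before they reach the server again.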
Hello. How to use pfblockerng in conjunction with DoT? ADs blocking does not work.
thank you
You talked about looking at the Firewall System Log | Firewall to see a particular rule tracking ID, but then when you go to the firewall Rules how do you figure out which rule matches the ID?
Each rule shows the tracking ID at the bottom.
Hmm, the majority of lists apply only to IPv4.. so does it stand to reason that having an internet connection with IPv6 enabled makes this approach ineffective as there are way too many addresses to block?
Not sure, have not done any IPV6 blocking testing
Tom, can you use this tool to block remote access apps such as anydesk or TeamViewer from accessing your network? Im not able to find any effective way to restrict those apps in pfsense. Thank you
Get list of the IP addresses they connect to and block them.
Hey Lawrence, not sure if you'll see this message. I have pfBlocker working perfectly fine but I'm having one issue: in the DNSBL Configuration I have dnsbl_default.php selected as the block webpage, but when I visit a website in the blocklist, instead of seeing the pfBlocker block page, I'm seeing the normal message "your connection is not private, attackers might be trying to steal your info............". Is there a way to get the pfBlocker block page to display instead of that generic message? Thanks
I use Proton VPN with ad/malware-blocking DNS over WireGuard. How can I integrate this blocker? Normally I don't see traffic in the log with the VPN active
wtf? am i crazy or didn't it used to be packets were "accepted", "rejected", or "dropped"?
calling dropped packets "blocked" doesn't make any sense lol
do you recommend development version?
Always
is there a homepage where i can check if my pfBlocker NG is working fine?
Really good tutorial
Hi Lawrence, may I ask a question? I am looking for a VPN router: I heard there is a difference between a VPN router and configuring a VPN on the router.
Is pfSense a VPN router?
Not clear on your question but pfsense does offer VPN routing.
@LAWRENCESYSTEMS I watched Rob Braxman's video "Why you need a VPN router" and in the first comment he says "you need a VPN router, and not a VPN in a router"
@yeayea8334 That video is terrible and full of fear mongering that seems to be done so he can promote some magic device that will solve the fears he talks about. pfSense can connect to a privacy VPN, I do have videos on how to do it, but I don't make videos exaggerating the claims that it will solve privacy issues.
@LAWRENCESYSTEMS Don't worry, I will not buy his product 🤗 And anyway I live in Europe and his products are for US citizens. I only want to know because knowledge is power and I am studying by myself. It's the first time that I heard of the difference between a router VPN and a VPN on a router; in your opinion, is this distinction real?
It's true that some routers don't support VPN
With v2.1.4_28 there is no Feeds tab in pfBlockerNG for me. Any idea, if the Source url needs to be set for this?
Use the new pfblocker
16 October 22.
Installed pfBlockerNG, interface changed... I am lost... where has "Feeds" gone?
use the developer one
Is there a way to have a machine on the network bypass pfblocker?
Have that machine use a different DNS, such as Quad9
Thank you! Would I need to unblock Quad9 from pfBlocker? The two IPs I found for Quad9 I can't ping with devices on the network that have pfBlocker enabled
Sadly there is an odd bug with pfBlockerNG and the DNS server which causes DNS to crash. I had to write a PHP script using internal functions from the code to check if DNS is down and restart the service if pfBlockerNG isn't running, using cron. It's kind of a messy solution, but since this bug hasn't been fixed for years after being reported, I had to throw together my own solution.
That's why I switched to OPNsense. DNS in pfSense 2.4.5 was very stable and awesome. But, starting with 2.5, 2.6, and 22.05 it became unstable. Also, the m0n0wall creator recommends to use OPNsense which I didn't know. OPNsense + Adguard Home or PiHole is a good combination for managing DNS.
I use Service Watchdog (installed from the package manager) for it. When Unbound crashes, it starts Unbound and notifies me about it via e-mail.
@Arcao The reason I wouldn't use Service Watchdog for DNS is because pfBlockerNG creator bbcan117 suggests not to. It doesn't check if DNS being down is related to a reload/cron action, which can lead to odd behavior when both Service Watchdog and pfBlockerNG are attempting to restart DNS at the same time. It essentially won't be able to load the DNS blocklists properly. bbcan117 uses grep to check the running processes for pfBlockerNG with a cron/reload action, thus leading to jerry-rigging a band-aid to take that into account.
@AbhishekKumar-nt3in I considered switching over to OPNsense as well; the stability was pretty bad. The main thing holding me back is replicating the functionality of my particular setup. Also, I personally had trouble with Pi-hole last time I tried. I might spin up a virtual machine to test it again sometime and check out AdGuard.
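An added example, not the commenter's PHP script and not pfBlockerNG's or Service Watchdog's code, of the cron watchdog this thread describes: it restarts Unbound only when the resolver is down and no pfBlockerNG cron/reload run is in progress, so it never races the blocklist reload. It assumes the reload shows up in the process list as a command line containing `pfblockerng.php`, that Unbound still serves its built-in `localhost` record, and that pfSense's `pfSsh.php playback svc` is available to restart the service.

```shell
#!/bin/sh
# Cron watchdog for Unbound on pfSense that defers to pfBlockerNG: when the
# resolver is down while a pfBlockerNG cron/reload run is in progress it
# logs and waits for the next cron slot instead of restarting, because a
# restart at that moment would race pfBlockerNG's own restart and leave the
# DNSBL data half-loaded (the failure mode the thread above describes).
# Assumptions: the reload is visible as a process whose command line contains
# PFB_PATTERN, and pfSense's `pfSsh.php playback svc` restarts services.

PFB_PATTERN="${PFB_PATTERN:-pfblockerng.php}"   # assumed process pattern
LOG_TAG="unbound-watchdog"

# Is the resolver answering? A live query beats a bare process check because
# a wedged unbound still shows up in `ps`. "localhost" is served from
# unbound's built-in local zone, so the check needs no upstream reachability.
dns_is_up() {
    drill @127.0.0.1 localhost A >/dev/null 2>&1
}

# Is a pfBlockerNG cron/reload run in progress?
pfb_reloading() {
    pgrep -qf "$PFB_PATTERN"
}

# Pure decision logic, kept free of side effects so it can be tested without
# a firewall. Prints: ok (resolver fine), wait (down but pfBlockerNG busy),
# restart (down and pfBlockerNG idle).
decide() {
    case "$1/$2" in
        up/*)      echo ok ;;
        down/busy) echo wait ;;
        down/idle) echo restart ;;
        *)         echo "unknown state: $1/$2" >&2; return 1 ;;
    esac
}

restart_unbound() {
    logger -t "$LOG_TAG" "Unbound down, pfBlockerNG idle: restarting resolver"
    /usr/local/sbin/pfSsh.php playback svc restart unbound
}

main() {
    if dns_is_up; then dns=up; else dns=down; fi
    if pfb_reloading; then pfb=busy; else pfb=idle; fi
    case "$(decide "$dns" "$pfb")" in
        restart) restart_unbound ;;
        wait)    logger -t "$LOG_TAG" "Unbound down but pfBlockerNG reloading: deferring" ;;
    esac
}

# Example cron entry (every 2 minutes):
#   */2 * * * * /root/unbound-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Every deferral and restart is logged with the `unbound-watchdog` tag, so a resolver that keeps dying during reloads shows up in the system log as a pattern rather than as silent restarts.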
Can you run pfblocker and snort at the same time
yes
Is there a pi-hole equivalent (DNS blocking) in pfsense?
Yes, same plugin supports DNS feeds as well
Pi-hole is better for me, and works well with pfSense as DNS
I only use Pi-hole for the ad blocking. How do I replace Pi-hole with pfBlocker?
Install pfBlocker and use the settings under DNSBL to put the ad feeds in.
Why do we add TOR to the list?
Because from a threat perspective that is where a lot of bad things are coming from.
host a website to sell cookies, haahha.. Ace! - Thank you Tom
First
Or use opnsense with AdGuard Home running on it if you want to get up and running in minutes.
Agreed! That's why I switched to OPNsense. DNS in pfSense 2.4.5 was very stable and awesome. But, starting with 2.5, 2.6, and 22.05 it became unstable. Also, the m0n0wall creator recommends to use OPNsense which I didn't know. OPNsense + Adguard Home or PiHole is a good combination for managing DNS.
Hi, when I start the update for the first time after disabling or installing pfBlocker, this message appears in the log:
"Starting Unbound Resolver... Not completed. [ 11/9/22 23:11:57 ]
error: SSL handshake failed
1077432320:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-img-build/BUILD_NODE/aarch64/OS_MAJOR_VERSION/freebsd12/PLATFORM/aws/sources/FreeBSD-src-plus-RELENG_22_05/crypto/openssl/ssl/statem/statem_clnt.c:1916:"