pfBlockerNG Guide - zenarmor.com (2024)

pfBlockerNG is a free and open source package for pfSense® software that provides advertisement blocking, malicious content blocking and geo-blocking capabilities.

By installing pfBlockerNG you can block not only ads but also web trackers, malware and ransomware domains, gaining extra security and privacy for your entire network. It does this through a feature known as DNSBL (short for Domain Name System-based Blackhole List). pfBlockerNG also lets you block traffic to and from specific IP addresses. These addresses may belong to specific countries and regions, which is useful for protecting your network from hosts attempting to gain access to it.

BEST PRACTICE

The biggest problem for pfSense software administrators who are considering switching to OPNsense is that most of them trust pfBlockerNG with their network security. This is the biggest hurdle they need to clear before making their choice. How can they keep their networks safe from attackers without the pfBlockerNG package on OPNsense? This is the first and most important question they need to answer when planning a migration from pfSense to OPNsense. On the OPNsense firewall, Zenarmor is the best pfBlockerNG alternative.

If you want to add Next Generation Firewall capabilities to your open source firewall, check out Zenarmor. Zenarmor is a plug-in that upgrades your open source firewall to a NGFW in a matter of seconds.

Some of the available features are: Application/User based blocking, Web/Content Filtering, Enterprise-grade Network Analytics, Policy-based filtering, Ad Blocking, Real-time Cloud Threat Intelligence, Active Directory Integration, Cloud-managed central policies and many more.

You can install and start to use Zenarmor Free Edition forever on your pfSense® software firewall.

In this guide, we will briefly explain how to set up the pfBlockerNG package and complete the pfBlockerNG configuration by following these main steps:

  1. Install pfBlockerNG package
  2. Complete initial configuration of pfBlockerNG
  3. Complete general settings of pfBlockerNG
  4. Enable IP Filtering
  5. Enable GeoIP Blocking
  6. Enable DNS Blocking
  7. Enable DNS over HTTPS/TLS Blocking
  8. Enable SafeSearch and YouTube Restrictions
  9. Enable Whitelisting

We will describe each pfBlockerNG configuration step in detail and cover the following topics:

  • What is pfBlockerNG?
  • History of pfBlockerNG
  • Features of the pfBlockerNG
  • Differences Between pfBlockerNG and pfBlockerNG-devel
  • Differences Between pfSense Ad Blocking and Pihole

What is pfBlockerNG?

pfBlockerNG is a pfSense® software package created by BBcan177 and used for IP/DNS-based filtering. It is based on the previous work of Marcello Coutinho and Tom Schaefer. The project's goal was to extend pfSense's core firewall functionality by allowing users to control and manage inbound and outbound access through the firewall using IP and DNS control lists.

pfBlockerNG gives pfSense® software the ability to make allow/deny decisions based on items like the geolocation of an IP address, the domain name of a resource, or the Alexa Top 1M ranking of a website.

Many pfSense® software users consider pfBlockerNG an essential package and regard a pfSense® installation as incomplete without it.

History of pfBlockerNG

Since 2014, pfBlockerNG has been protecting assets behind pfSense® software in consumer and corporate networks. The desire for a unified solution to manage IP and domain feeds with rich customization and management features drove its development. BBcan177, an independent developer, designed and developed pfBlockerNG and still supports and maintains it.

Before pfBlockerNG existed, pf-blocker, developed by Marcello Coutinho, was widely used in the pfSense® community. pf-blocker was the successor of Country Block, developed by Tom Schaefer; Country Block was discontinued on Oct 27, 2011 and pf-blocker took over. The package was designed to keep a mail server from being flooded with spam. However, pf-blocker was unable to process the required feeds and crashed when large IP feeds were added. BBcan177 offered to help the developer add functionality but received no response. As a result, pf-blocker's life was short: the last commit to its GitHub repository was on Jun 20, 2014. pfBlockerNG was released on Nov 30, 2014, and pf-blocker was retired.

BBcan177 takes responsibility for thoroughly testing pfBlockerNG before each release and for resolving reported issues as quickly as possible.

It's worth noting that BBcan177 has a Patreon campaign where you can donate a few dollars to help him keep up with and improve the package. We strongly encourage you to donate if you use pfBlockerNG in a production environment.

At the time of writing this article, the latest version of pfBlockerNG-devel package is v3.0.0_16 released on April 8th of 2021.

Features of the pfBlockerNG

pfBlockerNG includes a wide variety of features such as country blocking, IP/DNS blocklisting, and IP reputation blocking to protect your network from unwanted traffic. The pfBlockerNG features are covered briefly below.

IP Blocking

pfBlockerNG allows you to create firewall rules based on IPv4 and IPv6 address lists, so you can control both incoming and outgoing traffic on one or more interfaces. You can also restrict traffic by the geolocation of an IP address. Geolocation is the identification or estimation of an IP address's real-world geographic location. MaxMind, an industry leader in IP geolocation accuracy, provides and maintains the GeoLite2 databases that pfBlockerNG uses. Websites host content and media on servers all over the world, so be cautious about blocking too much: inadvertently blocking some of these addresses may result in broken websites or unavailable downloads.

DNS Blocking

pfBlockerNG can control DNS Resolver responses to prevent access to unwanted and malicious websites such as advertisement, tracking and malware domains. DNS filtering is an effective way to filter tracking domains, malicious domains, and advertisements. Your DNS requests are checked against a blocklist as you browse the internet; if a match is found, the request is not resolved to the real address, so the connection never leaves your network. It's an excellent way to block ads without using a proxy server.

Domain names gathered from various blocklist sources or entered manually are used to generate optimized DNS Resolver blocklists. You can subscribe to popular user-maintained blocklists as well as use prebuilt EasyLists.

info

The EasyList filter lists are sets of rules originally designed for Adblock that automatically remove unwanted content from the internet, such as irritating advertisements, bothersome banners, and inconvenient tracking. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.

BEST PRACTICE

DNS filtering has well-known weaknesses: it can be evaded (for example by clients that use their own DNS over HTTPS/TLS resolver or connect to hard-coded IP addresses), it offers limited manageability, portability, flexibility, reporting and analytics, and it cannot see attacks delivered through a website that is not on any list.

Therefore, DNS filtering solutions don't provide complete network security on their own; they should be used together with next-generation firewalls as an additional layer of defense, in line with the defense-in-depth approach. They should never be viewed as the primary security mechanism.

Inbound traffic filtering

pfSense® software blocks all inbound traffic on the WAN by default, so there is no need to apply an inbound rule for additional protection unless you have opened ports on your firewall. However, you may have a number of ports open, exposing a VPN endpoint and several self-hosted services. If this is the case, use the custom IP list and GeoIP restriction features of pfBlockerNG to limit who can reach them.

Outbound traffic filtering

Outbound blocking is available in pfBlockerNG to prevent users from accidentally visiting malicious websites. When combined with logging, this is a useful method for identifying potentially compromised devices.

Policy-based routing

pfBlockerNG can also create policy-based routing firewall rules that steer traffic matching a list toward, or away from, specific gateways or gateway groups.

Malicious DNS Blocking and advert limiting

pfBlockerNG supports DNS blocking for networks served by the DNS Resolver to prevent access to tracking and/or malicious sites. Be aware of the possibility of introducing false positives.

Spam Filtering

If you have a mail server on your network, pfBlockerNG is an excellent package to use. You can prevent spam from reaching your server by including a spam blocklist, such as Spamhaus.

Whitelists

If you want a domain not to be blocked, pfBlockerNG allows you to add it to the whitelist.

SafeSearch

SafeSearch can be enforced for the most popular search engines. pfBlockerNG can also block Firefox's built-in DNS over HTTPS (so that the browser keeps using the firewall's resolver) and apply YouTube restrictions.

How to Install and Configure pfBlockerNG

You can easily set up and configure the pfBlockerNG package on your pfSense® software firewall by following these steps:

  1. pfBlockerNG package installation

  2. pfBlockerNG initial configuration

pfBlockerNG package installation

To install the pfBlockerNG package, you may follow the instructions given below.

  1. Access your pfSense® software WebGUI.

Figure 1. pfSense® Software CE GUI sign-in page

info

The default username and password for pfSense® software are admin and pfsense. It is strongly recommended that you change the default password to a strong one immediately.

  2. Navigate to System -> Package Manager -> Available Packages.

Figure 2. Accessing Package Manager on pfSense® Software CE GUI

Figure 3. Accessing Available Packages on pfSense® Software CE GUI

  3. Type pfblockerng into the search field and then click Search.

  4. Click Install on the entry whose name ends in -devel (pfBlockerNG-devel), which is the actively developed branch of the package.

Figure 4. Search and install pfBlockerNG-devel package

  5. Click Confirm to let the package install. This will take some time because it needs to download several files and databases.

Figure 5. Confirmation for installing pfBlockerNG-devel package

  6. Once the installation is complete, after a few minutes, you should see a success message.

Figure 6. pfBlockerNG-devel package installation completed successfully

pfBlockerNG initial configuration

  1. Click on the Firewall drop-down menu on your pfSense® software GUI.

  2. Click on pfBlockerNG to start the configuration wizard.

Figure 7. Accessing pfBlocker menu on pfSense® software GUI

  3. Click Next to continue.

Figure 8. pfBlockerNG setup wizard

  4. Click Next to proceed to the configuration. If you have previously configured pfBlockerNG, this will remove all existing settings. The wizard installs the following components:
  • IP: Firewall rules will be defined for the WAN interface to block the worst-known attackers.

  • DNSBL: DNS resolver will be utilized so that advertising and other known malicious domains are blocked.

Figure 9. pfBlockerNG component installation notice

  5. Select WAN for Inbound Firewall Interface and LAN for Outbound Firewall Interface to complete the IP Component Configuration. If you have more than one internal interface, you may select all the ones you wish to set up pfBlockerNG for.

Figure 10. pfBlockerNG IP Component Configuration

  6. Click Next to proceed to the configuration.

  7. Enter an IP address that is not used anywhere in your networks as the VIP address and leave the port and SSL port at their defaults. pfBlockerNG's DNSBL web server will listen on this address, so it must not overlap any subnet in use. If your LAN is 10.1.1.0/24, the VIP address must not be in that range. In our example we leave the address at 10.10.10.1. You may also enable the IPv6 DNSBL and DNSBL Whitelist options.

Figure 11. pfBlockerNG DNSBL Component Configuration

  8. Click Finish to complete the wizard. The setup is now complete.

Figure 12. pfBlockerNG initial configuration finalize

  9. The pfBlockerNG Update page then appears, and all activated blocklists are automatically downloaded and activated. You may also select the Cron option to schedule regular updates.

Figure 13. pfBlockerNG update settings

Congratulations! You now have a basic pfSense® web filter running with pfBlockerNG.

Figure 14. pfBlockerNG installation is complete

General Settings of pfBlockerNG

To view or change the general settings of pfBlockerNG, navigate to Firewall > pfBlockerNG > General.

Make sure that pfBlockerNG is enabled on your pfSense® software firewall. You may leave the other settings on this page at their default values.

Figure 15. General Settings of pfBlockerNG

IP Filtering

Even if the firewall has no open internet-facing ports, local users may inadvertently initiate connections to malicious servers, which is a high security risk for your network. To reduce the likelihood of this happening, you should restrict access to known sources of ransomware, malware, botnets, and Command & Control (C&C) servers. Through the bundled PRI1 feed, pfBlockerNG provides regularly updated blocklists.

In this section, we'll explain how to enable the IP feeds (PRI1-PRI5 groups) on pfBlockerNG and set up firewall rules that prevent outbound traffic from reaching any address in those groups.

IP Configuration

Navigate to Firewall -> pfBlockerNG -> IP and check the following settings on the IP Configuration pane.

  1. Enable De-Duplication. This reduces list size by detecting and removing entries that appear in more than one enabled list.

  2. Enable CIDR aggregation. This merges adjacent and overlapping networks into the smallest set of CIDR blocks. Because CIDR aggregation is processor intensive, you may need to disable it if your firewall hardware is not powerful enough.

  3. Enable Suppression. When enabled, RFC1918 and loopback addresses are removed from the lists, which makes sure that your local subnets are never blocked. pfBlockerNG also removes any deny-list entries that match the Suppression list, which can be populated manually or from the pfBlockerNG Alerts tab.

  4. You may leave the other settings at their defaults, but make sure that the Placeholder IP address is not used in your network. You may also enable ASN reporting; when it is enabled, the Alerts and Statistics tabs report the ASN for Block/Reject/Permit/Match IP entries. ASN details are retrieved from BGPview.io and cached for one week (configurable to 24, 12, 4 or 1 hour).

Figure 16. IP Configuration pane of pfBlockerNG

  5. Click the Save IP Settings button at the bottom of the page.

MaxMind GeoIP configuration

With pfBlockerNG's GeoIP feature, you can filter traffic to and from entire countries or continents. pfBlockerNG accomplishes this by using the MaxMind GeoLite2 database, which requires a license key. The license key is free. The MaxMind License Key field description includes a link to the MaxMind registration page.

To obtain your license key, fill out the registration form on the MaxMind sign-up page.

Figure 17. MaxMind GeoLite2 Sign Up page

Figure 18. MaxMind Managing license keys

After generating a license key, enter it in the MaxMind License Key field in pfBlockerNG.

You may select the MaxMind localized language as you wish. The following languages are available:

  • English

  • French

  • Brazilian Portuguese

  • Spanish

  • German

  • Japanese

  • Simplified Chinese

You may also disable the monthly cron job that refreshes the MaxMind CSV GeoIP database, although leaving it enabled keeps the country data current.

Figure 19. MaxMind GeoIP configuration

IPv4 Suppression List

pfBlockerNG allows you to add IP addresses that should never be blocked to the suppression list (only /32 and /24 entries are accepted). Add one entry per line. After manually adding an entry to this list, you must run Force Reload-IP for the change to take effect.

Figure 20. IPv4 Suppression list
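To make the De-Duplication, CIDR aggregation and Suppression options concrete, here is an added Python example (not pfBlockerNG's own code, which is written in PHP) that applies the three steps to a constructed IPv4 feed and suppression list. The feed contents, the suppression entries and the placeholder address are assumptions for illustration, and the way a suppressed /32 is carved out of a larger listed block is a simplified model of the behaviour rather than pfBlockerNG's exact algorithm.

```python
import ipaddress

# Constructed sample feed (not a real blocklist): duplicates, overlapping and
# adjacent CIDRs, an RFC1918 host, a loopback address and a comment line.
SAMPLE_FEED = """\
# constructed sample feed
1.0.221.21
1.0.221.21
1.0.221.0/24
203.0.113.0/25
203.0.113.128/25
192.168.1.50
127.0.0.1
198.51.100.7
198.51.100.0/24
"""

# Constructed suppression list: pfBlockerNG accepts only /32 and /24 entries here.
SAMPLE_SUPPRESSION = """\
198.51.100.7
1.0.221.0/24
"""

# Assumed placeholder used when a list would otherwise be empty (pf aliases
# cannot be empty); pfBlockerNG exposes this as "Placeholder IP address".
PLACEHOLDER_IP = "127.1.7.7"

LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_feed(text):
    """One entry per line; blank lines and '#' comments are skipped and bare
    addresses become /32 networks. IPv4 only in this example."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def dedup_and_aggregate(nets):
    """De-Duplication and CIDR aggregation in one pass: collapse_addresses drops
    duplicates, removes networks already covered by a larger one and merges
    adjacent blocks (203.0.113.0/25 + 203.0.113.128/25 -> 203.0.113.0/24)."""
    return list(ipaddress.collapse_addresses(nets))


def suppress(nets, suppression_text):
    """Suppression: drop RFC1918/loopback entries and anything matching the
    suppression list. A suppressed /32 inside a larger listed block is carved
    out so the rest of the block stays blocked (simplified model)."""
    suppressed = parse_feed(suppression_text)
    for s in suppressed:
        if s.prefixlen not in (24, 32):
            raise ValueError(f"suppression list accepts only /32 or /24, got {s}")
    kept = []
    for net in nets:
        if any(local.version == net.version and net.subnet_of(local)
               for local in LOCAL_NETS):
            continue
        pieces = [net]
        for s in suppressed:
            remaining = []
            for piece in pieces:
                if s.version != piece.version:
                    remaining.append(piece)
                elif piece.subnet_of(s):
                    continue                      # wholly suppressed
                elif s.subnet_of(piece):
                    remaining.extend(piece.address_exclude(s))
                else:
                    remaining.append(piece)
            pieces = remaining
        kept.extend(pieces)
    return list(ipaddress.collapse_addresses(kept))


def build_alias(feed_text, suppression_text):
    """Full pipeline: parse -> de-dup/aggregate -> suppress -> alias content."""
    nets = suppress(dedup_and_aggregate(parse_feed(feed_text)), suppression_text)
    return [str(n) for n in nets] or [PLACEHOLDER_IP]


def alias_covers(alias, ip):
    """True if any entry of the alias contains ip (what pf would match on)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry) for entry in alias)


if __name__ == "__main__":
    for entry in build_alias(SAMPLE_FEED, SAMPLE_SUPPRESSION):
        print(entry)
```

Running it shows why Suppression matters: the duplicate 1.0.221.21 entries and the 1.0.221.0/24 block disappear because that /24 is on the suppression list, the two /25 halves become one /24, the RFC1918 and loopback entries are dropped, and 198.51.100.0/24 is kept as eight smaller blocks with the single suppressed host left out.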

IP Interface/Rules Configuration

pfBlockerNG defines firewall rules automatically according to the settings in the IP Interface/Rules Configuration pane. In this pane you specify which inbound and outbound interface(s) pfBlockerNG's IPv4, IPv6 and GeoIP filtering applies to. To set the inbound and outbound interfaces, follow these instructions.

  1. Select WAN for Inbound Firewall Rules to apply auto rules to the inbound interface.

  2. Select LAN for Outbound Firewall Rules to apply auto rules to the outbound interface.

  3. Enabling the Floating Rules option is useful if you have more than one outbound interface. Floating rules are evaluated before the per-interface rules, and pfBlockerNG creates them with the quick option, so matching traffic is blocked as soon as it enters the firewall regardless of the interface rules behind them. pfBlockerNG generates these floating rules for you.

  4. Enable Kill States. IP blocklists are updated several times per day, so allow pfBlockerNG to immediately terminate any existing connection to an IP address that has just been added to a blocklist.

  5. You may leave other options as default.

  6. Click on the Save IP Settings button at the bottom of the page.

Figure 21. IP Interface/Rules Configuration on pfBlockerNG

Enabling IPv4 Filtering

On pfBlockerNG the PRI1 feed is enabled by default. Feeds are publicly available blocklists that pfBlockerNG synchronizes with on a regular schedule. To view the list of enabled IPv4 feeds, navigate to Firewall -> pfBlockerNG -> IP -> IPv4.

Figure 22. Enabled IPv4 feed on pfBlockerNG

The PRI1 feed has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional IPv4 feeds in pfBlockerNG. To view the list of available feeds, navigate to Firewall -> pfBlockerNG -> Feeds.

Figure 23. IPv4 Category feeds(PRI1-5)

At the time of writing, the number of available feeds per category type is given below:

Category   Number of Feeds
IPv4       92
IPv6       14
DNSBL      140

Table 1. Number of Feeds per Category Type

IPv4 category feeds are divided into five groups (PRI1-PRI5). They cover known ransomware, malware, botnet and Command & Control (C&C) servers, bots, web scripts, phishing and compromised servers, IPs found attacking SSH, SMTP, IMAP, TELNET and FTP endpoints, and other known originators of malicious behavior. In general, the lower the group number, the harder pfBlockerNG tries to avoid false positives, so be prepared for some websites to become unexpectedly unreachable if you enable the more aggressive lists (PRI3 and above). In such cases, some troubleshooting and whitelisting of false positives will be required. There are also feed groups aimed at specific types of malicious or undesirable traffic, such as:

  • Scanner (Internet Storm Center)

  • Mail (Known sources of spam; useful for protecting mail servers)

  • Forum Spam

  • Tor nodes (known Tor exit points; not inherently dangerous, but you may want to isolate users who anonymize their traffic)

  • Internic (Contains root name servers needed to initialize the cache of Internet domain name servers)

  • Proxy IP

  • Torrent IP

  • Public DNS

  • DoH (DNS over HTTPS)

  • VPN

  • BlocklistDE

Figure 24. Other IPv4 Category feed groups

You may enable the IPv4 category PRI3 group feeds in pfBlockerNG by following these steps.

  1. Scroll down to the PRI3 group header and click the + icon next to the group name. This redirects you to the settings page for the new group.

Figure 25. Adding IPv4 category PRI3 group feeds

  2. You may set the name and description, or leave them at their defaults.

  3. Select ON in the State drop-down menu for each feed in the IPv4 Source Definitions pane that you want to use. Select HOLD if you wish to download a list once but exclude it from automatic updates. We will not enable the BBC_C2 feed, as it requires an API key.

  4. Alternatively, click the Enable All button at the bottom of the IPv4 Source Definitions pane to enable all feeds in the group.

Figure 26. IPv4 source definitions for PRI3 group

  5. Scroll down to the Settings pane and choose the Action to take when an IP address is matched.

  6. Select Deny Both in the Action drop-down menu to apply the rule to both inbound and outbound connections.

Figure 27. IPv4 category settings to add PRI3 feeds on pfBlockerNG

  7. Leave the other settings at their defaults.

  8. Click the Save IPv4 Settings button.

  9. Congratulations! You have successfully enabled the IPv4 category PRI3 feeds in pfBlockerNG to protect your network.

  10. You can change the action later from the IPv4 Summary pane: select Deny Both in the Action drop-down menu and click Save.

Figure 28. IPv4 category settings

You can follow similar steps to enable the other PRI groups and the IPv6 and DNS blocklists: add the alias group, select the lists you want to enable, and choose the action to take when an item is matched. Be aware, however, that each enabled list costs memory and processing time, and too many lists may overload your hardware.

Verifying IPv4 Filtering

You can verify IPv4 filtering in pfBlockerNG by following the steps below. Before testing, make sure the pfBlockerNG lists have been updated. If they have not, force an update: on the Update tab, under Update Settings, choose Update for the Force option and click Run.

  1. Navigate to Firewall -> Rules -> Floating (if you did not enable the Floating Rules option, check the WAN and LAN tabs instead).

  2. Ensure that the firewall rules blocking the IPv4 category PRI3 group have been added.

Figure 29. Firewall floating rules on pfSense® software for blocking IPv4 category PRI3 groups

  3. Hover your mouse over the source alias pfB_PRI3_v4 to view the blocked IP addresses.

Figure 30. Viewing IPv4 PRI3 alias details

  4. Note one of the IP addresses from the list to use for testing IPv4 filtering. We will use 1.0.221.21 for testing.

  5. Open your browser and enter the selected IP address in the address bar, or ping the IP address from a command prompt. You should see that the IP address is not reachable.

Figure 31. PRI3 ip address is not reachable

  6. To confirm that the IP address was blocked by pfBlockerNG, open the related firewall logs by clicking the Related log entries icon at the top right corner of the page.

  7. Search for the IP address you tried to reach, such as 1.0.221.21. You should see log entries showing that the PRI3 IP address was blocked by pfBlockerNG, as in the figure below.

Figure 32. Firewall log showing PRI3 ip address is blocked by pfBlockerNG

GeoIP Blocking

The GeoIP feature of pfBlockerNG can be useful for restricting access from specific regions. It is not useful in all circumstances, because traffic is not malicious simply because of where it originates. However, if all of your expected traffic comes from a specific geographic region, allowing traffic from other regions exposes you to additional risk for no real benefit. In most cases you will only need to block inbound access based on GeoIP data. This allows your local users to reach websites all over the world while blocking inbound access from regions where you don't expect traffic.

To enable GeoIP blocking in pfBlockerNG:

  1. Navigate to Firewall -> pfBlockerNG -> IP -> GeoIP.

  2. Select Deny Inbound in the Action drop-down menu for Top Spammers (a list of countries identified as frequent sources of online attacks) and for Proxy and Satellite (well-known anonymous proxy and satellite providers).

  3. You may also select any continent from which you never expect legitimate traffic to originate.

Figure 33. GeoIP blocking on pfBlockerNG

  4. Click the Save button.

Instead of blocking a whole region, you may block specific countries. To block a country within a region:

  1. Click on the pencil icon next to the region.

  2. Select the countries that you wish to block.

  3. Enable List Action and Logging

  4. Click on Save.

Figure 34. Blocking countries using GeoIP on pfBlockerNG
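To show where the GeoIP groups come from, here is an added Python example (not pfBlockerNG's code) that reads the two GeoLite2-Country CSV files pfBlockerNG downloads with your MaxMind key, builds a deny alias for selected countries or continents plus a separate alias for networks MaxMind flags as anonymous proxy or satellite provider, and then answers whether a given client address would be blocked. The CSV rows are constructed from documentation address ranges using MaxMind's real column names and the geoname IDs for the United States, Germany and Japan; the alias names are assumptions. It also shows why longest-prefix matching matters: MaxMind publishes more specific rows that override a country's larger block.

```python
import csv
import io
import ipaddress

# Constructed rows in the GeoLite2-Country CSV layout. Column names are MaxMind's;
# the networks are documentation ranges, so nothing here describes real hosts.
BLOCKS_CSV = """\
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
192.0.2.0/24,6252001,6252001,,0,0
198.51.100.0/24,2921044,2921044,,0,0
198.51.100.128/25,2921044,2921044,,1,0
203.0.113.0/24,1861060,1861060,,0,0
203.0.113.200/29,,1861060,,0,1
"""

LOCATIONS_CSV = """\
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
6252001,en,NA,North America,US,United States,0
2921044,en,EU,Europe,DE,Germany,1
1861060,en,AS,Asia,JP,Japan,0
"""


def load_geoip(blocks_csv=BLOCKS_CSV, locations_csv=LOCATIONS_CSV):
    """Join the blocks file to the locations file. A block row may carry an
    empty geoname_id; fall back to the registered country in that case."""
    locations = {row["geoname_id"]: row
                 for row in csv.DictReader(io.StringIO(locations_csv))}
    entries = []
    for row in csv.DictReader(io.StringIO(blocks_csv)):
        gid = row["geoname_id"] or row["registered_country_geoname_id"]
        loc = locations.get(gid, {})
        entries.append({
            "network": ipaddress.ip_network(row["network"]),
            "country": loc.get("country_iso_code"),
            "continent": loc.get("continent_code"),
            "proxy": row["is_anonymous_proxy"] == "1",
            "satellite": row["is_satellite_provider"] == "1",
        })
    return entries


def lookup(ip, entries):
    """Longest-prefix match: a more specific row overrides its parent block."""
    addr = ipaddress.ip_address(ip)
    hits = [e for e in entries if addr in e["network"]]
    return max(hits, key=lambda e: e["network"].prefixlen) if hits else None


def build_geoip_aliases(entries, deny_countries=(), deny_continents=(),
                        deny_proxy_satellite=True):
    """Materialise the selection as alias contents (aggregated CIDR lists), the
    way pfBlockerNG turns a GeoIP selection into a pf alias. Names are assumed."""
    proxysat, geo = [], []
    for e in entries:
        if deny_proxy_satellite and (e["proxy"] or e["satellite"]):
            proxysat.append(e["network"])
        elif e["country"] in deny_countries or e["continent"] in deny_continents:
            geo.append(e["network"])
    aliases = {}
    if proxysat:
        aliases["pfB_ProxySat_v4"] = [str(n) for n in ipaddress.collapse_addresses(proxysat)]
    if geo:
        aliases["pfB_GeoIP_Deny_v4"] = [str(n) for n in ipaddress.collapse_addresses(geo)]
    return aliases


def blocking_alias(ip, aliases):
    """Name of the first alias whose contents contain ip, or None (permitted)."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in aliases.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None


if __name__ == "__main__":
    data = load_geoip()
    aliases = build_geoip_aliases(data, deny_countries={"JP"})
    for ip in ("192.0.2.10", "198.51.100.200", "203.0.113.5", "203.0.113.201"):
        print(ip, lookup(ip, data)["country"], blocking_alias(ip, aliases))
```

The constructed data deliberately places a proxy /25 inside the German /24 and a satellite /29 inside the Japanese /24; selecting Deny Inbound for Proxy and Satellite catches those two sub-blocks even when the parent countries are not denied, which is why that group is worth enabling on its own.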

DNS Blocking

pfBlockerNG's DNS blackholing capability lets you block advertisements and unwanted or malicious sites (malware, porn, gambling and so on). When you enable the DNSBL feature, DNS requests for domains on the enabled lists of ad networks, trackers and malicious sites are answered with the sinkhole address instead of the real one, so they are blocked at the DNS level for your whole network.

To use the DNS blocking feature of pfBlockerNG, your client devices must use the pfSense® software firewall as their DNS server. With a standard pfSense® software configuration this is set automatically. If you have configured an alternative DNS server, such as a Pi-hole, check the DNS configuration on pfSense® software and point the client devices back at the firewall; otherwise the DNSBL is bypassed.

  1. Navigate to Services -> DNS Resolver -> General Settings and check that the DNS resolver is enabled.

Figure 35. Enabling DNS resolver on pfSense® software

  2. Navigate to System -> General Setup and check the DNS Servers list. If the DNS Resolver runs in its default recursive mode, Unbound contacts the root servers directly and no upstream server is required. If you have enabled DNS Query Forwarding in the resolver, the servers listed here (for example Google's 8.8.8.8) are used to answer the queries that are not blocked. Click Save after making changes.

Figure 36. Adding DNS server on pfSense® software

  3. Navigate to Services -> DHCP Server, select each interface for which you want to enable blocking, and ensure that nothing is listed under DNS servers. If clients have static DNS settings, set them to your pfSense® software firewall's IP address.

  4. Navigate to Firewall -> pfBlockerNG -> DNSBL.

  5. Enable DNSBL.

  6. Select Unbound python mode for the DNSBL Mode setting.

tip

Unbound python mode requires substantially less memory than Unbound mode and also allows some advanced options.

  7. Ensure that the following options are enabled:
  • Wildcard Blocking TLD: blocks every subdomain of a listed domain, not just the exact name.
  • DNS Reply Logging: logs the DNS queries answered by Unbound so they appear in the reports.
  • DNSBL Blocking
  • HSTS mode
  • CNAME Validation: must be enabled so that an ad domain cannot bypass DNSBL by being reached through a CNAME that points at a different name.

Figure 37. DNSBL settings on pfBlockerNG

  8. Scroll down to the DNSBL Webserver Configuration pane. Make sure that the Virtual IP address is correct and is not already used in your network. You may leave the other settings at their defaults.

Figure 38. DNSBL webserver configuration on pfBlockerNG

  9. Scroll down to the DNSBL Configuration pane.

  10. Enable Permit Firewall Rules and select the LAN interface. This creates floating rules in your firewall that let the selected networks (LAN) reach the DNSBL VIP.

  11. Select DNSBL Webserver/VIP for Global Logging/Blocking Mode, so that blocked domains are sinkholed to the DNSBL VIP and logged by the DNSBL web server. You may leave the other settings at their defaults.

Figure 39. DNSBL configuration on pfBlockerNG

  12. Click the Save DNSBL Settings button at the bottom of the page.
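To show what the settings above do to a query, here is an added Python model (example code, not pfBlockerNG's or Unbound's own) of DNSBL sinkholing: names on a constructed blocklist, and every subdomain of them (Wildcard Blocking), resolve to the DNSBL VIP 10.10.10.1 from the wizard; a more specific whitelist entry punches a hole; and with CNAME Validation a clean name that CNAMEs into a blocked domain is sinkholed as well. The blocklist, whitelist and DNS records are constructed, and the `local-zone`/`local-data` lines the model emits use Unbound's documented syntax; pfBlockerNG's python mode applies equivalent logic inside Unbound rather than writing such lines, so treat the emitted lines as illustrative.

```python
# Constructed data for the model (none of these are real feed entries).
VIP = "10.10.10.1"                                    # DNSBL VIP from the wizard
BLOCKLIST = ["dnsbltest.com", "ads.example.net", "tracker.example.org"]
WHITELIST = ["cdn.ads.example.net"]                   # keep the CDN usable
RECORDS = {                                           # toy upstream DNS data
    "www.news.example.com": ("A", "203.0.113.10"),
    "metrics.news.example.com": ("CNAME", "collect.tracker.example.org"),
    "collect.tracker.example.org": ("A", "198.51.100.20"),
    "cdn.ads.example.net": ("A", "203.0.113.55"),
}


def normalize(name):
    return name.lower().rstrip(".")


def matching_zone(name, zones):
    """Longest-suffix match: a zone covers itself and every subdomain
    (Wildcard Blocking), and the most specific matching zone wins."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def is_blocked(name, blocklist=BLOCKLIST, whitelist=WHITELIST):
    """Blocked unless a whitelist zone at least as specific as the blocking zone
    covers the name (Unbound local-zone precedence, used here as the model)."""
    block = matching_zone(name, set(map(normalize, blocklist)))
    if block is None:
        return False
    allow = matching_zone(name, set(map(normalize, whitelist)))
    return allow is None or len(allow) < len(block)


def unbound_local_zones(blocklist=BLOCKLIST, whitelist=WHITELIST, vip=VIP):
    """Emit Unbound local-zone/local-data lines: blocked zones become 'redirect'
    zones answering with the VIP, and whitelisted names under a blocked zone get
    a more specific 'transparent' zone so they resolve normally."""
    blocked = set(map(normalize, blocklist))
    lines = []
    for zone in sorted(blocked):
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. A {vip}"')
    for name in sorted(set(map(normalize, whitelist))):
        if matching_zone(name, blocked):
            lines.append(f'local-zone: "{name}." transparent')
    return lines


def resolve(name, records=RECORDS, cname_validation=True, vip=VIP):
    """Return (answer, reason). With CNAME Validation on, a chain that lands in
    a blocked domain is sinkholed even though the queried name itself is clean;
    with it off, the model trusts the upstream chain as returned."""
    if is_blocked(name):
        return vip, "sinkholed: " + matching_zone(name, set(map(normalize, BLOCKLIST)))
    current, seen = normalize(name), set()
    while current not in seen:
        seen.add(current)
        rr = records.get(current)
        if rr is None:
            return None, "NXDOMAIN"
        rtype, value = rr
        if rtype == "A":
            return value, "resolved"
        if cname_validation and is_blocked(value):
            return vip, f"sinkholed via CNAME {current} -> {value}"
        current = normalize(value)
    return None, "CNAME loop"


if __name__ == "__main__":
    print("\n".join(unbound_local_zones()))
    for q in ("dnsbltest.com", "www.dnsbltest.com", "cdn.ads.example.net",
              "metrics.news.example.com", "www.news.example.com"):
        print(q, "->", resolve(q))
```

The metrics.news.example.com case is the one CNAME Validation exists for: the queried name is on no list, but its CNAME target is under tracker.example.org, so with validation on the client receives the VIP and with validation off it would reach the tracker.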

Enable some DNSBL feeds

On pfBlockerNG the ADS_Basic group is enabled by default. To view the list of enabled DNSBL feeds, navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups.

Figure 40. Enabled DNSBL Group feed on pfBlockerNG

The ADS_Basic feed, also known as StevenBlack_ADs, has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional DNSBL feeds in pfBlockerNG. To view the list of available feeds, navigate to Firewall -> pfBlockerNG -> Feeds.

Figure 41. DNSBL Category feeds

At the time of writing, there are 140 DNSBL category feeds available. pfBlockerNG organizes them into feed groups aimed at specific types of malicious or undesirable traffic, such as:

  • EasyList

  • ADs

  • Email

  • Malicious

  • Phishing

  • BBCAN177

  • STUN

  • DoH

  • Torrent

  • BBC

  • Malicious2

  • Cryptojackers

  • Compilation

  • Firebog_Suspicious

  • Firebog_Advertising

  • Firebog_Trackers

  • Firebog_Malicious

  • Firebog_Other

You may enable any DNSBL feeds you wish in pfBlockerNG by following the next steps. Here we will enable the EasyList group feeds as an example. We also recommend adding the Steven Black feed, one of the best-maintained blocklists on the internet.

info

EasyList is the primary filter list that removes the majority of advertisements from international webpages, as well as unwanted frames, images, and objects. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.

warning

The more feeds you enable, the more likely it is that you will disrupt internet access for users on your network, and you will then have to whitelist specific domain names.

  1. Scroll down to the EasyList group header and click the + icon next to the group name. This redirects you to the settings page for the new group.

Figure 42. Adding DNSBL category EasyList group feeds

  2. You may set the name and description, or leave them at their defaults.

Figure 43. Setting name and description for newly added DNSBL feed

  3. You may click the Enable All button at the bottom of the DNSBL Source Definitions pane to enable all feeds. Here we enable only some of them: EasyList, EasyList_Adware, EasyList_Spanish, EasyList_Turkish and EasyPrivacy. Select ON in the State drop-down menu for each of these feeds in the DNSBL Source Definitions pane. Select HOLD if you wish to download a list once but exclude it from automatic updates.

Figure 44. DNSBL source definitions for EasyList group

  4. Scroll down to the Settings pane and choose the Action to take when a domain name is matched.

  5. Select Unbound in the Action drop-down menu.

Figure 45. DNSBL category settings to add EasyList feeds on pfBlockerNG

  6. Leave the other settings at their defaults.

  7. You may add your own list of domain names to block by clicking the + icon in the Custom DNSBL list.

pfBlockerNG Guide - zenarmor.com (46)

Figure 46. Custom DNSBL list on pfBlockerNG

  1. Enter domain name to be blocked. We will add dnsbltest.com domain for verification of DNSBL blocking on our pfBlockerNG.

  2. Click on the Save DNSBL Settings button.

  3. Congratulations! You have successfully enabled DNSBL category EasyList feeds on your pfBlockerNG to protect your network.

pfBlockerNG Guide - zenarmor.com (47)

Figure 47. DNSBL Groups summary on pfBlockerNG

You can follow similar steps to enable more DNSBL groups: add the alias group, select the lists you want to enable and choose the action to be taken when an item is matched. However, be aware that each enabled list adds memory and processing load, and you may overload your hardware.

Forcing a Reload of the DNSBL on pfBlockerNG

You may need to force a reload of the DNSBL list. To activate the newly enabled DNSBL settings, follow these steps:

  1. Navigate to Firewall -> pfBlockerNG -> Update.

  2. Select Reload in the Force option.

  3. Select DNSBL in the Reload option.

  4. Click Run.

Figure 48. Forcing a reload of the DNSBL list on pfBlockerNG

Verifying the DNSBL Blocking on pfBlockerNG

You may verify your DNSBL blocking settings on pfBlockerNG by following the steps below.

  1. Open your favorite browser and enter the domain name that you added to the Custom DNSBL list. It is dnsbltest.com in our example.

  2. You should see the default blocking landing page of pfBlockerNG shown below.

Figure 49. DNSBL blocking landing page of pfBlockerNG

  3. You should also see the related blocks in the pfBlockerNG alerts. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.

  4. Search for dnsbltest.com in the DNSBL Python pane.

Figure 50. DNSBL alerts in pfBlockerNG

  5. Another verification method for DNSBL is viewing the DNSBL Block Stats page under the Reports tab of pfBlockerNG. You may see the related blocks in Top Blocked Domain or Top Blocked Evaluated Domain if the blocked domain is among the top blocked domains on your firewall.

Figure 51. Top Blocked Domain and Top Blocked Evaluated Domain

info

You may add your custom pfBlockerNG block web pages to /usr/local/www/pfblockerng/www/ on your pfSense® software. Then activate it in the Blocked Webpage option of the DNSBL Configuration pane.

  6. Lastly, you may check the result of the DNS query for the dnsbltest.com domain in your network. Your pfSense® software DNS resolver should return the Virtual IP address (10.10.10.1 by default) of the DNSBL web server as the result.

Figure 52. nslookup for dnsbltest.com returns VIP of DNSBL server on pfBlockerNG
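The last check above is the one worth scripting, because it tells you whether clients actually receive the DNSBL answer rather than a real address. The following script is an added example, not code from the zenarmor guide or the pfBlockerNG project: it resolves a list of domains through the resolver you name and reports whether each answer is the DNSBL VIP. The resolver address, the domain list, the domain:expected syntax and the use of dig or host are assumptions of the example; the VIP defaults to the 10.10.10.1 that the guide states.

```shell
#!/bin/sh
# Added example, not code from the zenarmor guide or the pfBlockerNG project.
# Resolves domains through a chosen resolver and reports whether each answer
# is the pfBlockerNG DNSBL virtual IP (10.10.10.1 by default, as the guide
# states). Assumptions: the resolver address is supplied by the caller and
# either dig or host is on PATH (pfSense/FreeBSD ships host, most Linux
# clients ship dig).

DNSBL_VIP="${DNSBL_VIP:-10.10.10.1}"   # override with DNSBL_VIP=... if you changed the VIP

# Decision logic only (no network): compare the A-record answer(s), one per
# line, with the DNSBL VIP. Prints blocked, allowed or no-answer.
dnsbl_verdict() {
    vip="$1"
    answer="$2"
    if [ -z "$answer" ]; then
        echo "no-answer"
    elif printf '%s\n' "$answer" | grep -Fqx "$vip"; then
        echo "blocked"
    else
        echo "allowed"
    fi
}

# Resolve the A records of a domain via the given resolver, one IPv4 per line.
resolve_a() {
    resolver="$1"
    domain="$2"
    if command -v dig >/dev/null 2>&1; then
        dig +short +time=3 +tries=1 @"$resolver" "$domain" A 2>/dev/null \
            | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
    else
        host -t A "$domain" "$resolver" 2>/dev/null \
            | awk '/has address/ {print $NF}' || true
    fi
}

# Check "domain:expected" pairs (expected is blocked, allowed or no-answer)
# against a resolver; print one line per domain and return 1 on any mismatch.
check_domains() {
    resolver="$1"
    shift
    rc=0
    for spec in "$@"; do
        domain="${spec%%:*}"
        expect="${spec#*:}"
        answer="$(resolve_a "$resolver" "$domain")"
        verdict="$(dnsbl_verdict "$DNSBL_VIP" "$answer")"
        printf '%-32s %-10s expected=%s\n' "$domain" "$verdict" "$expect"
        [ "$verdict" = "$expect" ] || rc=1
    done
    return "$rc"
}

# Usage: sh dnsbl-check.sh <pfsense-resolver-ip> dnsbltest.com:blocked example.com:allowed
if [ "$#" -gt 0 ]; then
    check_domains "$@"
fi
```

Run it from a LAN client with the pfSense LAN address as the resolver to confirm that the client's path to the resolver is filtered; a non-zero exit means at least one domain did not behave as expected, which is handy in a cron job after list updates. The exact-match comparison matters: a VIP of 10.10.10.1 must not be confused with a real address such as 10.10.10.10.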

Ad-Blocking Verification

To verify the ad-blocking feature of pfBlockerNG, you may connect to the yahoo.com website in your favorite browser. You should see empty spaces in place of the advertisements on the page, as shown below.

Figure 53. yahoo.com page with ad-blocking (ads in the red rectangles are blocked)

Figure 54. yahoo.com page without ad-blocking

DNS over HTTPS/TLS Blocking

pfBlockerNG allows you to block DNS over HTTPS/TLS packets on your network. It includes a comprehensive list of known public DNS servers that support DNS over HTTPS. Since unmanaged DNS over HTTPS is a serious privacy and security risk, you should enable the DoH/DoT (DNS over HTTPS/DNS over TLS) blocking feature on your pfBlockerNG. Otherwise, some users on your network may bypass pfBlockerNG's ad blocking and the pfSense DNS server.

To enable DoH/DoT Blocking, you may follow the steps listed below.

  1. Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.

  2. Select Enable for DoH/DoT Blocking in the DNS over HTTPS/TLS Blocking pane.

  3. Select all the DNS servers from the DoH/DoT Blocking List that you want to block.

  4. Click the Save button at the bottom of the page.

Figure 55. Enabling DoH/DoT on pfBlockerNG
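Once DoH/DoT blocking is on, the useful follow-up question is which clients are still trying to reach encrypted resolvers, because those are the devices with hard-coded DNS settings that will keep bypassing the pfSense resolver wherever they can. The script below is an added example, not code from the zenarmor guide or the pfBlockerNG project: it summarises, per client, blocked attempts to tcp/853 (DoT), udp/853 (DoQ), tcp/443 to a known DoH resolver and plain udp/53 to the same resolvers, read from pfSense filterlog records. The filterlog field positions, the resolver subset and the sample records are assumptions of this example (the records are constructed, not a real capture).

```shell
#!/bin/sh
# Added example, not code from the zenarmor guide or the pfBlockerNG project.
# Summarises which LAN clients tried to reach DoT/DoQ (port 853) or known DoH
# resolvers (tcp/443 to a listed address), or sent plain DNS to those
# resolvers, from pfSense filterlog records. Assumptions: the filterlog CSV
# layout for IPv4 TCP/UDP records (awk fields: 7=action, 9=ip-version,
# 17=protocol, 19=source, 20=destination, 22=destination-port), and that any
# syslog prefix in front of the CSV contains no commas.

# Illustrative subset of public resolvers offering DoH/DoT; extend it to the
# servers you ticked in the DoH/DoT Blocking List.
DOH_RESOLVERS="1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 9.9.9.9 149.112.112.112"

# Constructed sample records (not a real capture) in the filterlog layout.
SAMPLE_LOG='5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,51234,443,0,S,11111,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,51235,853,0,S,22222,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.31,9.9.9.9,40000,853,0,S,33333,,65535,,mss
7,,,1000000104,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.31,93.184.216.34,40001,443,0,S,44444,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,60,192.168.1.20,1.1.1.1,51236,53,40'

# Read filterlog lines on stdin; print "client destination port kind" for
# every blocked record that looks like encrypted DNS or resolver bypass.
doh_dot_attempts() {
    awk -F',' -v list="$DOH_RESOLVERS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) doh[a[i]] = 1 }
        $9 == "4" && $7 == "block" && ($17 == "tcp" || $17 == "udp") {
            if ($22 == "853")                      print $19, $20, $22, ($17 == "tcp" ? "dot" : "doq")
            else if ($22 == "443" && ($20 in doh)) print $19, $20, $22, "doh"
            else if ($22 == "53"  && ($20 in doh)) print $19, $20, $22, "plain-dns"
        }'
}

# Count attempts per client so repeat offenders stand out.
doh_dot_summary() {
    doh_dot_attempts | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

# Usage: sh doh-check.sh /var/log/filter.log ; with no argument the sample runs.
if [ "$#" -gt 0 ]; then
    doh_dot_summary < "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | doh_dot_summary
fi
```

Passed records are ignored on purpose: the script reports bypass attempts the firewall stopped, so a client that appears repeatedly is one whose DNS settings should be corrected (or whose application has DoH enabled on its own) rather than one that got through. On the sample, 192.168.1.20 shows three attempts and 192.168.1.31 one.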

Enabling SafeSearch and YouTube Restrictions

pfBlockerNG has a SafeSearch feature which will force Search sites to utilize the "Safe Search" algorithms. At the time of writing, SafeSearch is supported by Google, Yandex, DuckDuckGo, Bing and Pixabay.

pfBlockerNG allows you to use YouTube Restrictions on your network. YouTube Restricted Mode filters out potentially mature videos while leaving a large number of videos available. You may use the following settings for YouTube restrictions on your pfBlockerNG:

  • Strict: This setting is the most restrictive. Strict Mode does not block all videos, but works as a filter to screen out many videos based on an automated system, while leaving some videos still available for viewing.

  • Moderate: This setting is similar to Strict Mode but makes a much larger collection of videos available.

To enable SafeSearch and YouTube Restrictions you may follow the steps listed below.

  1. Navigate to the Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.

  2. Select Enable for SafeSearch Redirection in the SafeSearch settings pane.

  3. You may select Moderate or Strict to enable YouTube Restrictions.

  4. Click the Save button at the bottom of the page.


Figure 56. SafeSearch settings on pfBlockerNG

Whitelisting

While you shouldn't have too many problems as long as you don't get too aggressive with your blocklists, legitimate services may be blocked in some cases. This may be a genuine false positive, but it can also be an indication that a legitimate site has been compromised and is now serving malicious traffic, so always be careful before whitelisting. Because the blocklists are updated frequently, these issues are often temporary.

When you need to whitelist something on pfBlockerNG, you can follow the steps below:

  1. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.

  2. Look through the list of recent blocks and add the offending item to the whitelist by clicking the + icon next to it. For example, we will add the dnsbltest.com domain that we use for DNSBL testing to the whitelist. This pops up a confirmation message.

Figure 57. Domain Whitelisting on pfBlockerNG

  3. Click OK.

  4. It will ask you whether you want to whitelist this domain only or add a wildcard for the domain. Select as you wish.

Figure 58. Domain Whitelisting on pfBlockerNG-2

  5. Then you will have the option to add a description. To enter a description, click Yes and then type the description.

Figure 59. Enter a description for whitelist

  6. pfBlockerNG will no longer block the whitelisted domain.

Figure 60. Whitelisting completed successfully

pfBlockerNG vs pfBlockerNG-devel

The pfBlockerNG package is quite useful and reliable, while the pfBlockerNG-devel package has been under continuous development for years. The primary distinction between the two packages is that pfBlockerNG-devel carries the most recent developments and features. As pfBlockerNG-devel is officially supported, administrators may use the DEVEL version with full peace of mind. pfBlockerNG and pfBlockerNG-devel v3.2.0_3 are available for pfSense CE and pfSense+ at the time of writing this article.

What is the Difference Between pfSense Ad Blocking and Pihole?

Pi-hole is a network-wide DNS ad-blocking solution that functions as an external DNS server. That simply means that Pi-hole becomes the DNS server that you hand out to network clients. Pi-hole then either permits or "sinkholes" DNS queries that correspond to domain names on its blocklists. It creates a "black hole" that refuses DNS queries from clients for FQDNs found on the blocklists loaded on the Pi-hole server. Pi-hole lacks routing and other firewalling capabilities. It can operate on numerous platforms, including Raspberry Pi devices, hence the "Pi" in the name. The system incorporates a DHCP server that can provide IP address information to network clients.

pfSense pfBlockerNG and Pi-hole are both used to protect residential and other networks from unwanted traffic, such as malicious traffic, advertisements, and tracking. Both have a major impact on your network's traffic security. But each has advantages and disadvantages as a solution, and your choice depends on your own preferences, requirements, and use cases. The advantages of pfSense pfBlockerNG over Pi-hole are listed below:

  • Free and open source
  • Includes DNS feeds and IP filtering from lists and geolocation capabilities
  • Blocks IP addresses, providing genuine L3 firewall capabilities and functionality, whereas Pi-hole cannot.
  • Blocks categories of sites as opposed to standard blocklists, which Pi-hole cannot
  • Permits using free Internet-accessible block lists that are compatible with Pi-hole.
  • Does not need a standalone box to operate
  • Integrates with your current pfSense firewall device
  • Integrates well with the pfSense UI and "feels" natural to pfSense.
  • Achieves category blocking without customized feed lists that block only a single category.
  • pfSense, on which pfBlockerNG operates, supports high availability (HA).
  • Commercially available pfSense hardware devices from Netgate are fully supported.

The main disadvantages of pfBlockerNG are listed below:

  • If you do not presently use pfSense as your firewall, you must install it in order to use pfBlockerNG.
  • That is a little more involved than Pi-hole, particularly given that you must install pfSense to use it.
  • If you just want to set up a simple DNS solution in tandem with your firewall, Pi-hole is a superior option.
  • pfBlockerNG's UI is not as intuitive as Pi-hole's.
  • Some individuals dislike the reporting portion of pfBlockerNG since it is part of the general system logging and is more difficult to locate entries than Pi-hole.

The benefits of Pi-hole over pfSense pfBlockerNG are listed below:

  • Free and open-source
  • Operates independently of your current router and firewall.
  • Permits the use of DNS sinkholing, which is a very effective network-wide technique for removing advertisements, malware, and other undesirable traffic.
  • Excellent reporting
  • Elegant, user-friendly UI
  • Compatible with low-power Raspberry Pi and other ARM devices.
  • Simple to set up
  • Routes particular domain queries to another internal DNS server, such as AD DNS, using conditional forwarding.

The primary drawbacks of Pi-hole are listed below:

  • Needs a separate router/firewall in addition to the Pi-hole device.
  • Just DNS sinkholing, DHCP, and a few additional functionalities are supported.
  • Not possible to ban websites based on IP addresses
  • As a default feature, categories of websites cannot be blocked simply.
  • Requires pointing your clients' DNS settings at the Pi-hole's IP address.
  • Lacks a native technique for achieving high availability. While programs such as GravitySync are available, they are not native solutions and involve moving data back and forth.
  • As opposed to Netgate's pfSense appliance, there is no commercially available supported hardware that can be purchased with Pi-hole installed and operating.

Adding pfBlockerNG makes perfect sense if you are already using pfSense, and if you are currently running pfSense, you are likely already running pfBlockerNG. For setups that do not use pfSense as the firewall, adding Pi-hole to conduct DNS sinkholing for clients makes a great deal of sense. You may run pfSense and Pi-hole together for a hybrid method that combines the best of both. Keep in mind, however, that this setup is more complex and makes locating blocks and other troubleshooting tasks more complicated.
