pfBlockerNG
pfBlockerNG is a free and open source package for pfSense® software that provides advertisement blocking, malicious content blocking and geo-blocking. By installing pfBlockerNG you can block not only ads but also web tracking, malware and ransomware domains, gaining extra security and privacy for your entire network. It does this with a feature known as DNSBL (short for Domain Name System-based Blackhole List). pfBlockerNG also lets you block internet traffic to and from specific IP addresses and ranges, including those registered to particular countries and regions, which is useful for cutting down the unsolicited connection attempts that every internet-facing network receives.
BEST PRACTICE
The biggest problem for pfSense software administrators who are considering a switch to OPNsense is that most of them rely on pfBlockerNG for their network security. This is the biggest hurdle they need to clear before making their choice. How can they keep their networks safe from attackers without the pfBlockerNG package on OPNsense? This is the first and most important question to answer when planning a migration from pfSense to OPNsense. On the OPNsense firewall, Zenarmor is the best pfBlockerNG alternative.
If you want to add Next Generation Firewall capabilities to your open source firewall, check out Zenarmor. Zenarmor is a plug-in that upgrades your open source firewall to an NGFW in a matter of seconds.
Some of the available features are: application/user based blocking, web/content filtering, enterprise-grade network analytics, policy-based filtering, ad blocking, real-time cloud threat intelligence, Active Directory integration, cloud-managed central policies and many more.
You can install and use Zenarmor Free Edition on your pfSense® software firewall for free, forever.
In this guide, we will briefly explain how to set up the pfBlockerNG package and complete its configuration by following these main steps:
- Install pfBlockerNG package
- Complete initial configuration of pfBlockerNG
- Complete general settings of pfBlockerNG
- Enable IP Filtering
- Enable GeoIP Blocking
- Enable DNS Blocking
- Enable DNS over HTTPS/TLS Blocking
- Enable SafeSearch and YouTube Restrictions
- Enable Whitelisting
We will describe each pfBlockerNG configuration step in detail and cover the following topics:
- What is pfBlockerNG?
- History of pfBlockerNG
- Features of the pfBlockerNG
- Differences Between pfBlockerNG and pfBlockerNG-devel
- Differences Between pfSense Ad Blocking and Pihole
What is pfBlockerNG?
pfBlockerNG is a pfSense® software package created by BBCan177 and used for IP/DNS-based filtering. It is based on the previous work of Marcello Coutinho and Tom Schaefer. The project's goal was to extend pfSense's core firewall functionality by allowing users to control and manage inbound and outbound access through the firewall using IP and DNS control lists.
pfBlockerNG gives pfSense® software the ability to make allow/deny decisions based on items like the geolocation of an IP address, the domain name of a resource, or the Alexa ratings of specific websites.
Many pfSense® software users consider pfBlockerNG an essential package and regard a pfSense® installation without it as incomplete.
History of pfBlockerNG
Since 2014, pfBlockerNG has been protecting assets behind pfSense® software in consumer and corporate networks. The desire for a unified solution to manage IP and domain feeds with rich customization and management features drove its development. BBcan177, an independent developer, created, designed and developed pfBlockerNG, and still supports and maintains it.
Before pfBlockerNG was born, pf-blocker, developed by Marcello Coutinho, was widespread in the pfSense® community. pf-blocker was the successor of Country Block, developed by Tom Schaefer. On Oct 27, 2011, Country Block ended and pf-blocker took over. The package was designed to keep a mail server from being flooded with spam. However, pf-blocker was unable to process the required feeds, and when large IP feeds were added it crashed. BBcan177 had offered to assist the developer in adding some additional functionality, but the offer went nowhere. As a result, pf-blocker's life was short: the last commit to the pf-blocker GitHub repository was on Jun 20, 2014. pfBlockerNG was released on Nov 30, 2014, and pf-blocker ended.
BBcan177 takes responsibility for developing pfBlockerNG, making sure that it is thoroughly tested before release and that any issues are resolved as soon as possible.
It's worth noting that BBCan177 has a Patreon campaign where you can easily donate a few dollars to ensure he keeps up with and improves the package. We strongly encourage you to donate if you are using pfBlockerNG in a production environment.
At the time of writing this article, the latest version of pfBlockerNG-devel package is v3.0.0_16 released on April 8th of 2021.
Features of the pfBlockerNG
pfBlockerNG includes a wide variety of features such as country blocking, IP/DNS blacklisting and IP reputation blocking to protect your network from unwanted traffic. The pfBlockerNG features are covered briefly below.
IP Blocking
pfBlockerNG allows you to create firewall rules based on IPv4 and IPv6 address spaces, so that you can control both incoming and outgoing traffic on single or multiple interfaces. You can also restrict addresses according to geolocation, the identification or estimation of an IP address's real-world geographic location. MaxMind, an industry leader in the accuracy of IP geolocation, provides and maintains the lists used by pfBlockerNG. Websites host content and media on servers all over the world, so be cautious about blocking too much: inadvertently blocking some of these addresses may result in broken websites or unavailable downloads.
DNS Blocking
pfBlockerNG can control DNS Resolver access to prevent access to unwanted or malicious destinations such as advertisements, threats and malware. DNS filtering is an effective method to filter tracking domains, malicious domains and advertisements. Your DNS requests are checked against a blocklist as you browse the internet; if a match is found, the request is denied. It's an excellent way to block ads without using a proxy server.
Domain names gathered from various blacklist sources or manually entered are used to generate optimized DNS Resolver blocklists. You can subscribe to popular user-maintained blocklists as well as use prebuilt EasyLists.
info
The EasyList filter lists are sets of rules originally designed for Adblock that automatically remove unwanted content from the internet, such as irritating advertisements, bothersome banners and inconvenient tracking. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.
BEST PRACTICE
DNS filtering has well-known weaknesses: it can be evaded (encrypted DNS, hard-coded resolvers, direct-to-IP connections), it offers poor manageability, portability, flexibility, reporting and analytics, and it does nothing against attacks delivered through a legitimate, unlisted website.
Therefore DNS filtering solutions don't provide complete network security on their own; they should be used in concert with next-generation firewalls as an additional layer of defense, in accordance with the defense-in-depth approach, and never be viewed as a high-level security mechanism.
Inbound traffic filtering
pfSense® software blocks all inbound traffic by default, so there is no need to apply a rule to inbound traffic for additional protection unless there are open ports on your firewall. However, you may have a number of ports open, exposing a VPN endpoint and several self-hosted services. If this is the case, it is advisable to use the custom IP list and GeoIP restriction features of pfBlockerNG to limit who can reach them.
Outbound traffic filtering
Outbound blocking is available in pfBlockerNG to prevent users from accidentally visiting malicious websites. When combined with logging, this is a useful method for identifying potentially compromised devices.
Policy-based routing
pfBlockerNG allows you to create policy-based routing firewall rules that direct traffic away from specific gateways or gateway groups.
Malicious DNS Blocking and advert limiting
DNS blocking to networks served by the DNS Resolver is supported in pfBlockerNG to prevent access to tracking and/or malicious sites. Be cautious of the possibility of introducing false positives.
Spam Filtering
If you have a mail server on your network, pfBlockerNG is an excellent package to use. You can prevent spam from reaching your server by including a spam blacklist, such as Spamhaus.
Whitelists
If you want a domain not to be blocked, pfBlockerNG allows you to add it to the whitelist.
SafeSearch
SafeSearch can be configured for the most popular search engines. You can also block DNS over HTTPS (including Firefox's DoH canary domain) and set YouTube restrictions.
How to Install and Configure pfBlockerNG
You can easily set up and configure the pfBlockerNG package on your pfSense® software firewall by following these steps:
pfBlockerNG package installation
pfBlockerNG initial configuration
pfBlockerNG package installation
To install the pfBlockerNG package, you may follow the instructions given below.
- Access your pfSense® software WebGUI.
Figure 1. pfSense® Software CE GUI sign-in page
info
The default username and password for pfSense® software are admin and pfsense. It is strongly recommended that you change the password to a strong one.
- Navigate to System -> Package Manager -> Available Packages.
Figure 2. Accessing Package Manager on pfSense® Software CE GUI
Figure 3. Accessing Available Packages on pfSense® Software CE GUI
- Type pfblockerng into the search field and click Search. Click Install on the version with -devel at the end of the package name.
Figure 4. Search and install pfBlockerNG-devel package
- Click Confirm to let the package install. This will take some time because it needs to download several files and databases.
Figure 5. Confirmation for installing pfBlockerNG-devel package
- Once the installation is complete, you should see Success after a few minutes.
Figure 6. pfBlockerNG-devel package installation completed successfully
pfBlockerNG initial configuration
- Click on the Firewall drop-down menu on your pfSense® software GUI, then click on pfBlockerNG to start the configuration wizard.
Figure 7. Accessing pfBlocker menu on pfSense® software GUI
- Click Next to continue.
Figure 8. pfBlockerNG setup wizard
- Click Next to proceed to the configuration. This will remove all settings if you have previously configured pfBlockerNG and install the following components:
- IP: Firewall rules will be defined for the WAN interface to block the worst-known attackers.
- DNSBL: The DNS Resolver will be used so that advertising and other known malicious domains are blocked.
Figure 9. pfBlockerNG component installation notice
- Select WAN for Inbound Firewall Interface and LAN for Outbound Firewall Interface to complete the IP Component Configuration. If you have more than one internal interface, you may select all the ones you wish to set up pfBlockerNG for.
Figure 10. pfBlockerNG IP Component Configuration
- Click on Next to proceed to the configuration. Enter an IP address that is not used in your networks for VIP address and leave the port and ssl port at their defaults. The pfBlockerNG DNSBL web server will listen on this address and these ports. If your LAN is 10.1.1.0/24, the VIP address should not be in that range. In our example we leave the address at 10.10.10.1. You may also enable the IPv6 DNSBL and DNSBL Whitelist options.
Figure 11. pfBlockerNG DNSBL Component Configuration
- Click on Finish to finish the wizard. The setup is now complete.
Figure 12. pfBlockerNG initial configuration finalize
- The pfBlockerNG Update page then appears, and all activated blocklists are automatically downloaded and activated. You may also select the Cron option for regular updates.
Figure 13. pfBlockerNG update settings
Congratulations! You now have a basic pfSense® web filter running with pfBlockerNG!
Figure 14. pfBlockerNG installation is complete
General Settings of pfBlockerNG
To view or change the general settings of pfBlockerNG, navigate to Firewall > pfBlockerNG > General.
Make sure that pfBlockerNG is enabled on your pfSense® software firewall. You may leave the settings on this page at their default values.
Figure 15. General Settings of pfBlockerNG
IP Filtering
Even if the firewall has no open internet-facing ports, local users may inadvertently initiate connections to malicious servers, which is a high security risk for your network. To reduce the likelihood of this happening, you should restrict access to known sources of ransomware, malware, botnets and Command & Control (C&C) servers. Through the bundled PRI1 feed, pfBlockerNG provides regularly updated blocklists.
In this section, we'll explain how to enable the IP feeds (PRI1-PRI5 groups) on pfBlockerNG and set up a firewall rule to prevent outbound traffic from reaching any address in those groups.
IP Configuration
Navigate to Firewall -> pfBlockerNG -> IP and ensure the following settings in the IP Configuration pane:
- Enable De-Duplication. This option reduces the list size by detecting and removing duplicate entries.
- Enable CIDR aggregation. This option optimizes CIDRs by merging adjacent and overlapping prefixes. Because CIDR aggregation is processor intensive, you may need to disable it if your firewall does not have enough power.
- Enable Suppression. When enabled, RFC1918 and loopback addresses are filtered out of the lists, which makes sure that your local subnets are never blocked. pfBlockerNG also removes any deny-list entries that match those in the Suppression list, which can be populated manually or automatically from the pfBlockerNG Alerts tab.
You may leave the other settings at their defaults, but ensure that the Placeholder IP address is not used in your network. You may also enable ASN reporting; when it is enabled, the Alerts and Statistics tabs report the ASN for Block/Reject/Permit/Match IP entries. The ASN details are collected from BGPview.io and cached for one week (configurable to 24, 12, 4 or 1 hour).
Figure 16. IP Configuration pane of pfBlockerNG
- Click the Save IP Settings button at the end of the page.
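To make the three list-processing options above concrete, here is an added Python example (written for this article, not pfBlockerNG's own code) that runs a constructed feed through de-duplication, CIDR aggregation and suppression in that order, using only the standard library. The feed contents, the suppression entry 198.51.100.7/32 and the function names are this article's constructions; documentation ranges (TEST-NET) stand in for real blocklist entries.

```python
"""Emulation of pfBlockerNG's IP list post-processing (de-duplication,
CIDR aggregation, suppression) on a constructed feed. Added example for
this article; it is not pfBlockerNG's own code."""
import ipaddress

# Constructed sample feed (documentation ranges, not a real blocklist):
# a comment, a duplicate, a host already covered by a listed prefix,
# two halves of one /24, RFC1918/loopback noise and a malformed line.
SAMPLE_FEED = """\
# constructed feed
203.0.113.10
203.0.113.10
203.0.113.0/25
203.0.113.128/25
198.51.100.7
198.51.100.0/24
192.168.1.50
127.0.0.1
10.0.0.0/8
not-an-address
"""

# Constructed suppression list; pfBlockerNG accepts /32 or /24 only.
SUPPRESSION = ["198.51.100.7/32"]

# What the Suppression option strips unconditionally: RFC1918 and loopback.
RFC1918_AND_LOOPBACK = [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_feed(text):
    """Feed lines -> IPv4Network objects; comments and junk are dropped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: skip it rather than abort the update
        if net.version == 4:
            nets.append(net)
    return nets


def deduplicate(nets):
    """De-Duplication: drop exact repeats, keeping the first occurrence."""
    seen, out = set(), []
    for n in nets:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def aggregate(nets):
    """CIDR aggregation: merge overlapping/adjacent prefixes into the
    smallest covering set, e.g. two /25 halves become one /24."""
    return list(ipaddress.collapse_addresses(nets))


def suppress(nets, suppression):
    """Remove RFC1918/loopback entries, then carve suppression-list
    entries out of whatever covers them (a /32 punches one host out of
    a /24 instead of dropping the whole /24)."""
    supp = [ipaddress.ip_network(s, strict=False) for s in suppression]
    for s in supp:
        if s.prefixlen not in (24, 32):
            raise ValueError("suppression entries must be /32 or /24: %s" % s)
    out = []
    for n in nets:
        if any(n.subnet_of(p) for p in RFC1918_AND_LOOPBACK):
            continue
        remaining = [n]
        for s in supp:
            nxt = []
            for r in remaining:
                if r == s or r.subnet_of(s):
                    continue                          # wholly suppressed
                if s.subnet_of(r):
                    nxt.extend(r.address_exclude(s))  # carve the hole
                else:
                    nxt.append(r)
            remaining = nxt
        out.extend(remaining)
    return sorted(out)


def build_table(feed_text, suppression=SUPPRESSION):
    """Full pipeline, returned as strings ready for a pf table."""
    nets = suppress(aggregate(deduplicate(parse_feed(feed_text))), suppression)
    return [str(n) for n in nets]


def covers(table, ip):
    """True if 'ip' would be matched by the resulting alias table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in table)


if __name__ == "__main__":
    for entry in build_table(SAMPLE_FEED):
        print(entry)
```

Note what the suppression step does with a /32 that sits inside a listed /24: it does not drop the /24, it punches a hole, so the aggregated 198.51.100.0/24 comes back as eight prefixes covering everything except .7. That is why a single suppression entry is safe to use for a false positive, while the RFC1918 and loopback entries are removed wholesale.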
MaxMind GeoIP configuration
With pfBlockerNG's GeoIP feature, you can filter traffic to and from entire countries or continents. pfBlockerNG accomplishes this by utilizing the MaxMind GeoIP database, which requires a license key. This license key is completely free. The MaxMind License Key field description includes a link to the MaxMind registration page.
To obtain your license key, fill out the registration form on the MaxMind sign-up page.
Figure 17. MaxMind GeoLite2 Sign Up page
Figure 18. MaxMind Managing license keys
After generating a license key, enter it in the MaxMind License Key field in pfBlockerNG.
You may select MaxMind localized language as you wish. The following languages are available:
English
French
Brazilian Portuguese
Spanish
German
Japanese
Simplified Chinese
You may disable the MaxMind monthly CSV GeoIP database cron update.
Figure 19. MaxMind GeoIP configuration
IPv4 Suppression List
pfBlockerNG allows you to add IP addresses (only as /32 or /24) that should never be blocked to the suppression list, one entry per line. You must run Force Reload-IP after manually adding an entry to this list for the change to take effect.
Figure 20. IPv4 Suppression list
IP Interface/Rules Configuration
According to the settings in the IP Interface/Rules Configuration pane, pfBlockerNG defines firewall rules automatically. In this pane you specify which inbound and outbound interface(s) pfBlockerNG's IPv4, IPv6 and GeoIP filtering apply to. To set the inbound and outbound interfaces, follow these instructions.
- Select WAN for Inbound Firewall Rules to apply the auto rules to the inbound interface.
- Select LAN for Outbound Firewall Rules to apply the auto rules to the outbound interface. Enabling the Floating Rules option may be useful if you have more than one outbound interface. Floating rules are special firewall rules that are evaluated before the regular per-interface rules, so pfBlockerNG begins filtering traffic as soon as it enters the firewall, and pfBlockerNG generates the floating rules for you.
- Enable Kill states. IP blocklists are updated several times per day, and this lets pfBlockerNG immediately terminate any existing connection to an address that has just been added to a blocklist. You may leave the other options at their defaults.
- Click on the Save IP Settings button at the bottom of the page.
Figure 21. IP Interface/Rules Configuration on pfBlockerNG
Enabling IPv4 Filtering
On pfBlockerNG the PRI1 feed is enabled by default. Feeds are publicly available blocklists that pfBlockerNG synchronizes with on a regular basis. To view the list of enabled IPv4 feeds, navigate to Firewall -> pfBlockerNG -> IP -> IPv4.
Figure 22. Enabled IPv4 feed on pfBlockerNG
The PRI1 feed has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional IPv4 feeds. To view the list of available feeds on pfBlockerNG, navigate to Firewall -> pfBlockerNG -> Feeds.
Figure 23. IPv4 Category feeds(PRI1-5)
At the time of writing, the available number of feeds per category type is given below:

| Category | Number of Feeds |
|---|---|
| IPv4 | 92 |
| IPv6 | 14 |
| DNSBL | 140 |

Table 1. Number of Feeds per Category Type
IPv4 category feeds are divided into five groups (PRI1-5). These PRI groups cover known ransomware, malware, botnet and Command & Control (C&C) servers, bots, web scripts, phishing and compromised servers, IPs found attacking SSH, SMTP, IMAP, TELNET and FTP endpoints, and other known originators of malicious behavior. In general, the lower the number, the harder the group tries to avoid false positives, so be prepared for some websites to become unexpectedly unreachable if you enable the more aggressive lists (PRI3 and above). In such cases some troubleshooting, and possibly whitelisting of false positives, will be required. There are also feed groups aimed at specific types of malicious or undesirable traffic, such as:
Scanner (Internet Storm Center)
Mail (known sources of spam; useful for protecting mail servers)
Forum Spam
Tor nodes (known Tor exit points; not inherently dangerous, but you may want to isolate users anonymizing their traffic)
Internic (contains the root name servers needed to initialize the cache of Internet domain name servers)
Proxy IP
Torrent IP
Public DNS
DoH (DNS over HTTPS)
VPN
BlocklistDE
Figure 24. Other IPv4 Category feed groups
You may enable IPv4 category PRI3 group feeds on your pfBlockerNG by following the next steps.
- Scroll down to the PRI3 group header and click the + icon next to the group name. This will redirect you to the settings page to add the rule.
Figure 25. Adding IPv4 category PRI3 group feeds
- You may set the name and description, or leave them as default.
- Select ON in the State drop-down menu for all feeds in the IPv4 Source Definitions pane. You may select HOLD if you wish to download a list once but exclude it from automatic updates. We will not enable the BBC_C2 feed as it requires an API key. You may click the Enable All button at the bottom of the IPv4 Source Definitions pane to enable all feeds.
Figure 26. IPv4 source definitions for PRI3 group
- Scroll down to the Settings pane and select the Action you wish to take when an IP address is matched. Select Deny Both in the Action drop-down menu to apply the rule to both inbound and outbound connections.
Figure 27. IPv4 category settings to add PRI3 feeds on pfBlockerNG
- Leave other settings as default.
- Click on the Save IPv4 Settings button. Congratulations! You have successfully enabled the IPv4 category PRI3 feeds on your pfBlockerNG to protect your network.
You may also change the action of an existing PRI feed to Deny Both by selecting it in the Action drop-down menu and clicking the Save button on the IPv4 Summary pane.
Figure 28. IPv4 category settings
You can follow the similar steps given above for enabling other PRI groups, IPv6 and DNS blocklists, just add the alias group, select the lists you want to enable, and choose the action to be taken when an item is matched. However, be aware that there is a memory and processing impact with each list enabled and you may overload your hardware.
Verifying IPv4 Filtering
By following the steps below you can verify IPv4 filtering on your pfBlockerNG. Before testing, ensure that the pfBlockerNG lists are up to date; if not, force an update by clicking the Run button in the Update Settings pane under the Update tab of pfBlockerNG.
- Navigate to Firewall -> Rules -> Floating and ensure that the firewall rules for blocking the IPv4 category PRI3 groups have been added.
Figure 29. Firewall floating rules on pfSense® software for blocking IPv4 category PRI3 groups
- Hover your mouse over the source pfB_PRI3_v4 to view the blocked IP list.
Figure 30. Viewing IPv4 PRI3 alias details
- Note one of the IP addresses from the list to use for testing; we will use 1.0.221.21. Enter the address in your browser's address bar or ping it from a CLI prompt. It should be unreachable. Bear in mind that a failed ping only proves a block if the host would otherwise have answered; the firewall log, checked next, is the authoritative evidence.
Figure 31. PRI3 ip address is not reachable
- To confirm that the address is blocked by pfBlockerNG, check the related firewall logs by clicking the Related log entries icon at the top right corner of the page and searching for the address you tried to reach, such as 1.0.221.21. You should see log entries showing the PRI3 address being blocked by pfBlockerNG, as in the figure below.
Figure 32. Firewall log showing PRI3 ip address is blocked by pfBlockerNG
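As an added check beyond the GUI (example code written for this article, not pfSense's or pfBlockerNG's own), the following Python script does offline what you would otherwise do by hand on the firewall shell: it loads an alias table in the layout printed by pfctl -t pfB_PRI3_v4 -T show, tests addresses against it (the equivalent of pfctl -t pfB_PRI3_v4 -T test <ip> on the firewall), and scans filter log lines in pfSense's raw filterlog CSV layout for blocks whose peer address is in the table, checking the destination of outbound packets and the source of inbound ones, which is what Deny Both means in practice. The alias contents, the log lines and the tracker ID 1770009999 are constructed for the example.

```python
"""Checking that blocked packets correspond to a pfBlockerNG alias table,
against constructed data. Added example for this article; not pfSense's
or pfBlockerNG's own code."""
import ipaddress
import re

# Constructed alias contents in the layout printed by
# 'pfctl -t pfB_PRI3_v4 -T show' (documentation ranges, not the real feed).
PFB_PRI3_V4 = """\
   198.51.100.0/24
   203.0.113.10
   203.0.113.128/26
"""

# Constructed log lines in pfSense's raw filterlog CSV layout:
# rule,subrule,anchor,tracker,iface,reason,action,direction,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,<per-protocol>
# The tracker ID 1770009999 is a placeholder for the pfBlockerNG rule's ID.
SAMPLE_LOG = """\
Mar  1 10:00:01 fw filterlog[1234]: 5,,,1770009999,igb1,match,block,out,4,0x0,,64,31337,0,DF,1,icmp,84,10.1.1.20,203.0.113.10,request,1,1
Mar  1 10:00:02 fw filterlog[1234]: 5,,,1770009999,igb1,match,block,out,4,0x0,,64,31338,0,DF,6,tcp,60,10.1.1.20,198.51.100.7,51000,443,0,S,1,,65535,,mss
Mar  1 10:00:03 fw filterlog[1234]: 7,,,1000000103,igb1,match,pass,out,4,0x0,,64,31339,0,DF,6,tcp,60,10.1.1.20,203.0.113.200,51001,443,0,S,1,,65535,,mss
Mar  1 10:00:04 fw filterlog[1234]: 2,,,1770009999,igb0,match,block,in,4,0x0,,52,31340,0,none,6,tcp,40,203.0.113.130,192.0.2.10,4444,22,0,S,1,,1024,,
"""

COMMON = ("rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver")
IPV4 = ("tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
        "length", "src", "dst")


def load_alias(show_output):
    """Parse 'pfctl -T show' output into networks (bare hosts become /32)."""
    nets = []
    for line in show_output.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_alias(nets, ip):
    """Equivalent of 'pfctl -t <table> -T test <ip>' for the loaded table."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_filterlog(line):
    """Split one raw filterlog line into a dict; IPv4 records only."""
    m = re.search(r"filterlog\[\d+\]:\s*(.*)$", line)
    fields = (m.group(1) if m else line.strip()).split(",")
    if len(fields) < len(COMMON) + len(IPV4):
        return None
    rec = dict(zip(COMMON + IPV4, fields))
    if rec["ipver"] != "4":
        return None  # the IPv6 layout differs and is not handled here
    rest = fields[len(COMMON) + len(IPV4):]
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    return rec


def pfb_blocks(log_text, nets):
    """Blocked records whose peer address is in the alias: for outbound
    packets the destination must match, for inbound the source (this is
    what 'Deny Both' amounts to)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block":
            continue
        peer = rec["dst"] if rec["direction"] == "out" else rec["src"]
        if in_alias(nets, peer):
            rec["peer"] = peer
            hits.append(rec)
    return hits


if __name__ == "__main__":
    table = load_alias(PFB_PRI3_V4)
    for h in pfb_blocks(SAMPLE_LOG, table):
        print(h["direction"], h["proto"], h["src"], "->", h["dst"],
              "tracker", h["tracker"])
```

On a real firewall you would feed the script the output of pfctl -t pfB_PRI3_v4 -T show and the relevant lines of /var/log/filter.log instead of the constructed strings; the passed connection to 203.0.113.200 in the sample shows why the table check matters, since an address merely near a listed range is not blocked.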
GeoIP Blocking
The GeoIP feature of pfBlockerNG can be useful for restricting access to or from specific regions. It will not be useful in all circumstances, because a region is not malicious in itself. However, if all of your expected traffic comes from a specific geographic region, allowing traffic from other regions is pointless: it exposes you to additional risk for no real benefit. In most cases you will only need to block inbound access based on GeoIP data. This lets your local users reach websites all over the world while blocking inbound access from regions where you don't expect traffic.
To enable GeoIP blocking on your pfBlockerNG:
- Navigate to Firewall -> pfBlockerNG -> IP -> GeoIP.
- Select Deny Inbound in the Action drop-down menu for Top Spammers (a list of countries identified as frequent sources of online attacks) and Proxy and Satellite (well-known anonymous proxy and satellite providers). You may also select any continent from which you never expect legitimate traffic.
Figure 33. GeoIP blocking on pfBlockerNG
- Click the Save button.
Instead of blocking a whole region, you may block specific countries. To block a country in a region:
- Click on the pencil icon next to the region.
- Select the countries that you wish to block.
- Enable List Action and Logging.
- Click on Save.
Figure 34. Blocking countries using GeoIP on pfBlockerNG
DNS Blocking
You may block advertisements and some malicious or unwanted sites (malware, pornography, gambling, etc.) with pfBlockerNG's DNS blackholing capability. When you enable the DNSBL feature, DNS requests that match a list of known ad networks, trackers and malicious domains are answered with the DNSBL sinkhole address instead of the real one, so the blocking happens at the DNS level for every device that uses the firewall as its resolver.
To be able to use the DNS Blocking feature of the pfBlockerNG, you should make sure that your client devices are configured to use the pfSense® software firewall as their DNS server. If you are using a standard pfSense® software configuration, this will be set automatically. However, if you have configured an alternative DNS server, such as a Pi-hole, you should check the DNS configuration on pfSense® software and configure client devices to use it.
- Navigate to Services -> DNS Resolver -> General Settings and check that the DNS Resolver is enabled.
Figure 35. Enabling DNS resolver on pfSense® software
- Navigate to System -> General Setup and check that external DNS servers are configured, as these are needed to forward DNS requests that aren't blocked when the DNS Resolver runs in forwarding mode (in its default resolving mode Unbound queries the root servers directly and does not use them). You may add Google's DNS server, 8.8.8.8, as an external DNS server and click the Save button.
Figure 36. Adding DNS server on pfSense® software
- Navigate to Services -> DHCP Server, select every interface on which you want to enable blocking and ensure that nothing is listed under DNS servers. If you have configured static DNS servers, set them to your pfSense® software firewall's IP address.
- Navigate to Firewall -> pfBlockerNG -> DNSBL.
- Enable DNSBL.
- Select Unbound python mode for the DNSBL Mode setting.
tip
Unbound python mode requires substantially less memory than Unbound mode, and it allows some advanced options too.
- Ensure that the following options are enabled:
- Wildcard Blocking TLD: blocks a listed domain together with all of its subdomains.
- DNS Reply Logging: shows you all the DNS queries answered by Unbound.
- DNSBL Blocking
- HSTS mode
- CNAME Validation: this option must be enabled to make sure that a listed ad domain cannot bypass DNSBL by being reached through an unlisted name that CNAMEs to it; with it enabled, every name in the CNAME chain is checked against the lists.
Figure 37. DNSBL settings on pfBlockerNG
- Scroll down to the DNSBL Webserver Configuration pane. Make sure that the virtual IP address is correct and not already used in your network. You may leave the other settings at their defaults.
Figure 38. DNSBL webserver configuration on pfBlockerNG
- Scroll down to the DNSBL Configuration pane.
- Enable Permit Firewall Rules and select the LAN interface. This creates floating rules in your firewall and enables pfBlockerNG for the selected network(s).
- Select DNSBL Webserver/VIP for Global Logging/Blocking Mode, so that blocked domains are sinkholed to the DNSBL VIP and logged via the DNSBL web server. You may leave the other settings at their defaults.
Figure 39. DNSBL configuration on pfBlockerNG
- Click the Save DNSBL Settings button at the bottom of the page.
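The options above are easier to reason about as code. The following added Python example (written for this article; it is not pfBlockerNG's Unbound python module) models the DNSBL decision path on constructed zone data: a queried name is checked against exact and wildcard entries with a whitelist taking precedence, each CNAME target in the chain is re-checked when CNAME validation is on, and a match is answered with the DNSBL VIP (10.10.10.1, as used in this guide) instead of the real address. The block lists, the whitelist, the upstream records and the 192.0.2.77 address for dnsbltest.com are all constructed.

```python
"""Emulation of the DNSBL decision path: exact and wildcard (TLD-style)
blocking, whitelist precedence, CNAME validation and sinkholing to the
DNSBL VIP. Added example for this article; it is not pfBlockerNG's
Unbound python module and uses constructed zone data."""

DNSBL_VIP = "10.10.10.1"   # the DNSBL virtual IP used in this guide

# Constructed lists. Exact entries block one name; wildcard entries block
# the name and everything beneath it (what 'Wildcard Blocking TLD' does).
BLOCK_EXACT = {"ads.example.net", "dnsbltest.com"}
BLOCK_WILDCARD = {"tracker-cdn.example", "adnet.example"}
WHITELIST = {"cdn.adnet.example"}

# Constructed upstream answers: name -> ("A", address) or ("CNAME", target).
UPSTREAM = {
    "www.example.com": ("A", "198.51.100.10"),
    "metrics.example.com": ("CNAME", "collector.tracker-cdn.example"),
    "collector.tracker-cdn.example": ("A", "203.0.113.50"),
    "cdn.adnet.example": ("A", "198.51.100.20"),
    "img.adnet.example": ("A", "198.51.100.21"),
    "dnsbltest.com": ("A", "192.0.2.77"),
}


def listed_entry(name):
    """Return the list entry covering 'name', or None. A whitelist hit
    wins outright; otherwise exact entries are checked, then every
    parent suffix of the name against the wildcard entries."""
    name = name.rstrip(".").lower()
    if name in WHITELIST:
        return None
    if name in BLOCK_EXACT:
        return name
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in BLOCK_WILDCARD:
            return suffix
    return None


def resolve(qname, cname_validation=True, max_hops=8):
    """Answer a query the way the resolver would with DNSBL in front of it.
    Without CNAME validation only the queried name is checked, so a clean
    name that CNAMEs to a listed one slips through; with it, every name
    in the chain is checked and a match sinkholes the original query."""
    chain, name = [qname], qname
    for _ in range(max_hops):
        hit = listed_entry(name)
        if hit and (cname_validation or name == qname):
            return {"qname": qname, "status": "sinkhole", "answer": DNSBL_VIP,
                    "matched": hit, "chain": chain}
        rr = UPSTREAM.get(name.rstrip(".").lower())
        if rr is None:
            return {"qname": qname, "status": "nxdomain", "answer": None,
                    "matched": None, "chain": chain}
        rtype, value = rr
        if rtype == "A":
            return {"qname": qname, "status": "ok", "answer": value,
                    "matched": None, "chain": chain}
        name = value            # CNAME: follow the chain
        chain.append(name)
    return {"qname": qname, "status": "servfail", "answer": None,
            "matched": None, "chain": chain}


if __name__ == "__main__":
    for q in ("www.example.com", "dnsbltest.com", "metrics.example.com",
              "img.adnet.example", "cdn.adnet.example"):
        r = resolve(q)
        print(f"{q:32} {r['status']:9} {r['answer']}  matched={r['matched']}")
```

Run resolve("metrics.example.com", cname_validation=False) and the name resolves to the tracker's real address even though its CNAME target is listed; that is exactly the bypass the CNAME Validation option closes. The whitelist check also shows why whitelisting is exact: cdn.adnet.example resolves normally while its sibling img.adnet.example is still caught by the wildcard entry for adnet.example.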
Enable some DNSBL feeds
The ADS_Basic feed is enabled by default on pfBlockerNG. To view the list of enabled DNSBL feeds, navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups.
Figure 40. Enabled DNSBL Group feed on pfBlockerNG
The ADS_Basic feed, also known as StevenBlack_ADs, has fairly broad coverage but is designed to avoid false positives, so there is a greater chance that it will miss genuine threats. To harden your network, you should enable additional DNSBL feeds. To view the list of available feeds on pfBlockerNG, navigate to Firewall -> pfBlockerNG -> Feeds.
Figure 41. DNSBL Category feeds
At the time of writing, there are 140 DNSBL Category Feeds available. There are a variety of feed groups on pfBlockerNG aimed at blocking specific types of malicious or undesirable traffic such as:
EasyList
ADs
Email
Malicious
Phishing
BBCAN177
STUN
DoH
Torrent
BBC
Malicious2
Cryptojackers
Compilation
Firebog_Suspicious
Firebog_Advertising
Firebog_Trackers
Firebog_Malicious
Firebog_Other
You may enable any DNSBL feeds you wish on your pfBlockerNG by following the next steps. Here, we will enable the EasyList group feeds on our pfBlockerNG as an example. We also recommend adding the Steven Black feed, one of the best-maintained blacklists on the internet.
info
EasyList is the primary filter list that removes the majority of advertisements from international webpages, as well as unwanted frames, images and objects. It is the most commonly used list by many ad blockers and serves as the foundation for over a dozen combination and supplementary filter lists.
warning
The more feeds you enable, the more likely it is that you will disrupt internet access for users on your network, and you will then have to whitelist specific domain names.
- Scroll down to the EasyList group header and click the + icon next to the group name. This will redirect you to the settings page to add the rule.
Figure 42. Adding DNSBL category EasyList group feeds
- You may set the name and description, or leave them as default.
Figure 43. Setting name and description for newly added DNSBL feed
- You may click the Enable All button at the bottom of the DNSBL Source Definitions pane to enable all feeds. We will enable only some of the feeds: EasyList, EasyList_Adware, EasyList_Spanish, EasyList_Turkish and EasyPrivacy. Select ON in the State drop-down menu for those feeds in the DNSBL Source Definitions pane. You may select HOLD if you wish to download a list once but exclude it from automatic updates.
Figure 44. DNSBL source definitions for EasyList group
- Scroll down to the Settings pane and select the Action you wish to take when a domain name is matched. Select Unbound in the Action drop-down menu.
Figure 45. DNSBL category settings to add EasyList feeds on pfBlockerNG
Leave other settings as default.
- You may add your own list of domain names to block by clicking on the + icon.
Figure 46. Custom DNSBL list on pfBlockerNG
- Enter the domain name to be blocked. We will add dnsbltest.com for verifying DNSBL blocking on our pfBlockerNG.
- Click on the Save DNSBL Settings button. Congratulations! You have successfully enabled the DNSBL category EasyList feeds on your pfBlockerNG to protect your network.
Figure 47. DNSBL Groups summary on pfBlockerNG
You can follow the similar steps given above for enabling more DNSBL groups, just add the alias group, select the lists you want to enable and choose the action to be taken when an item is matched. However, be aware that there is a memory and processing impact with each list enabled and you may overload your hardware.
Forcing a reload of the DNSBL on pfBlockerNG
Newly enabled DNSBL settings do not take effect until the lists are reloaded. To force a reload, follow these steps:
- Navigate to Firewall -> pfBlockerNG -> Update.
- Select Reload in the Force option.
- Select DNSBL in the Reload option.
- Click on Run.
Figure 48. Forcing to reload the DNSBL list on pfblockerNG
Verifying the DNSBL Blocking on pfBlockerNG
You may verify your DNSBL Blocking settings on pfBlockerNG by following the next steps easily.
- Open your favorite browser and enter the domain name that you added to the custom DNSBL list, dnsbltest.com in our example. You should see pfBlockerNG's default blocking landing page, shown below. Note that for a site requested over HTTPS the browser shows a certificate warning instead of the landing page, because the DNSBL web server cannot present a valid certificate for the sinkholed name; the query is still blocked.
Figure 49. DNSBL blocking landing page of pfBlockerNG
- You should also see the corresponding blocks in the pfBlockerNG alerts. Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts and search for dnsbltest.com in the DNSBL Python pane.
Figure 50. DNSBL alerts in pfBlockerNG
- Another verification method for DNSBL is the DNSBL Block Stats page under the Reports tab of pfBlockerNG. You will see the related blocks under Top Blocked Domain or Top Blocked Evaluated Domain if the blocked domain is among the most blocked on your firewall.
Figure 51. Top Blocked Domain and Top Blocked Evaluated Domain
info
You may add custom pfBlockerNG block web pages to /usr/local/www/pfblockerng/www/ on your pfSense® software and then activate them with the Blocked Webpage option in the DNSBL Configuration pane.
- Lastly, you may check the result of a DNS query for dnsbltest.com from a client in your network with nslookup or dig. Your pfSense® software DNS Resolver should return the virtual IP address of the DNSBL web server (10.10.10.1 in this guide) as the answer.
Figure 52. nslookup for dnsbltest.com returns VIP of DNSBL server on pfBlockerNG
Ad-Blocking Verification
To verify the ad-blocking feature of pfBlockerNG, you may open the yahoo.com website in your favorite browser. You should see empty spaces in place of the advertisements on the page, as shown below.
Figure 53. yahoo.com page with ad-blocking (ads in the red rectangles are blocked)
Figure 54. yahoo.com page without ad-blocking
DNS over HTTPS/TLS Blocking
pfBlockerNG allows you to block DNS over HTTPS/TLS traffic on your network. It includes a comprehensive list of known public DNS servers that support DNS over HTTPS. Because DoH/DoT lets a client resolve names without ever asking your resolver, it is a serious privacy and security risk for a network that relies on DNS filtering, so you should enable the DoH/DoT (DNS over HTTPS/DNS over TLS) blocking feature on your pfBlockerNG. Otherwise, some users on your network may bypass pfBlockerNG's ad blocking and pfSense's DNS server.
To enable DoH/DoT Blocking, you may follow the steps listed below.
- Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
- Select Enable for DoH/DoT Blocking in the DNS over HTTPS/TLS Blocking pane.
- Select all the DNS servers from the DoH/DoT Blocking List that you want to block.
- Click the Save button at the bottom of the page.
Figure 55. Enabling DoH/DoT Blocking on pfBlockerNG
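The reason pfBlockerNG ships a hostname list rather than a port rule is visible in the traffic: DoT uses its own port (853), but DoH rides on ordinary HTTPS (443) and can only be recognised by the server it talks to. The classifier below is an added example (not from the guide or the pfBlockerNG project) that applies those two rules, plus the simpler case of plain DNS sent straight to an outside resolver, to a handful of constructed flow records such as a monitoring sensor might export. The Flow record format, the helper names, the LAN address of the resolver and the sample flows are my assumptions; the hostnames are well-known public encrypted-DNS endpoints used only as a small sample, with pfBlockerNG's own DoH/DoT Blocking List being the one to actually block.

```python
"""Flag DNS traffic that bypasses the pfSense resolver (added example).

Assumptions (not from the page): the Flow record layout, helper names,
PFSENSE_RESOLVER address and SAMPLE_FLOWS are constructed for this
example. KNOWN_DOH_DOT_HOSTS is a small sample of public encrypted-DNS
endpoints; the DoH/DoT Blocking List in pfBlockerNG is the real list.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of public DoH/DoT endpoints, as seen in the TLS SNI.
KNOWN_DOH_DOT_HOSTS: Set[str] = {
    "dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com",
}
DOT_PORT = 853                      # DNS over TLS (RFC 7858) has a dedicated port
DOH_PORT = 443                      # DNS over HTTPS (RFC 8484) hides in normal HTTPS
PLAIN_DNS_PORT = 53
PFSENSE_RESOLVER = "192.168.1.1"    # constructed LAN address of the pfSense resolver


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    sni: Optional[str] = None   # TLS server name, when the sensor recorded it


def classify_flow(flow: Flow) -> Optional[str]:
    """Return 'dot', 'doh', 'plain-dns-bypass', or None for an ordinary flow."""
    if flow.dport == DOT_PORT:
        return "dot"                        # the port alone identifies DoT
    if flow.dport == DOH_PORT and flow.sni in KNOWN_DOH_DOT_HOSTS:
        return "doh"                        # 443 needs the hostname to tell DoH apart
    if flow.dport == PLAIN_DNS_PORT and flow.dst != PFSENSE_RESOLVER:
        return "plain-dns-bypass"           # client asking an outside resolver directly
    return None


def find_bypass(flows: Iterable[Flow]) -> List[Tuple[str, str, str]]:
    """List (src, dst, kind) for every flow that evades the pfSense resolver."""
    findings: List[Tuple[str, str, str]] = []
    for f in flows:
        kind = classify_flow(f)
        if kind:
            findings.append((f.src, f.dst, kind))
    return findings


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "192.168.1.1", "udp", 53),                        # normal: pfSense resolver
    Flow("192.168.1.20", "1.1.1.1", "tcp", 853),                           # DoT to a public resolver
    Flow("192.168.1.21", "8.8.8.8", "tcp", 443, sni="dns.google"),         # DoH
    Flow("192.168.1.21", "203.0.113.7", "tcp", 443, sni="www.example.com"),# ordinary HTTPS
    Flow("192.168.1.22", "9.9.9.9", "udp", 53),                            # plain DNS to outside
]


if __name__ == "__main__":
    for src, dst, kind in find_bypass(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {kind}")
```

The limitation is the same for the script and for pfBlockerNG: a DoH client pointed at an endpoint that is not on the list looks like any other HTTPS session, which is why the DoH/DoT Blocking List must be kept complete and updated, and why a firewall rule that only allows port 53 to the pfSense resolver is a useful companion to it.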
Enabling SafeSearch and YouTube Restrictions
pfBlockerNG has a SafeSearch feature which forces search sites to use their "Safe Search" modes. At the time of writing, SafeSearch is supported for Google, Yandex, DuckDuckGo, Bing and Pixabay.
pfBlockerNG also allows you to apply YouTube Restrictions on your network. YouTube Restricted Mode filters out potentially mature videos while leaving a large number of videos available. You may use the following settings for YouTube restrictions on your pfBlockerNG:
Strict: This setting is the most restrictive. Strict Mode does not block all videos, but works as a filter to screen out many videos based on an automated system, while leaving some videos available for viewing.
Moderate: This setting is similar to Strict Mode but makes a much larger collection of videos available.
To enable SafeSearch and YouTube Restrictions, you may follow the steps listed below.
- Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL SafeSearch.
- Select Enable for SafeSearch Redirection in the SafeSearch settings pane.
- Optionally select Moderate or Strict to enable YouTube Restrictions.
- Click the Save button at the bottom of the page.
Figure 56. SafeSearch settings on pfBlockerNG
Whitelisting
While you shouldn't have many problems as long as you don't get too creative with your blocklists, legitimate services may be blocked in some cases. This may be a genuine false positive, but it can also be a sign that a legitimate site has been compromised and is now serving malicious traffic, so always investigate before whitelisting. Because the blocklists are updated frequently, these issues are often temporary.
When you need to whitelist something on pfBlockerNG, you can follow the steps below:
- Navigate to Firewall -> pfBlockerNG -> Reports -> Alerts.
- Look through the list of recent blocks and add the offending item to the whitelist by clicking the + icon next to it. For example, we will add the dnsbltest.com domain that we use for DNSBL testing to the whitelist. This will pop up a confirmation message.
Figure 57. Domain Whitelisting on pfBlockerNG
- Click OK. It will ask you whether you want to whitelist this domain only or add a wildcard for the domain. Select as you wish.
Figure 58. Domain Whitelisting on pfBlockerNG-2
- Then, you will have the option to add a description. To enter a description, click on Yes and then enter a description.
Figure 59. Enter a description for whitelist
- pfBlockerNG will no longer block the whitelisted domain.
Figure 60. Whitelisting completed successfully
pfBlockerNG vs pfBlockerNG-devel
The pfBlockerNG package is quite useful and reliable, but the pfBlockerNG-devel package has been in active development for years. The primary distinction between the two packages is that pfBlockerNG-devel has the most recent developments and features. As pfBlockerNG-devel is officially supported, administrators may use the DEVEL version with full peace of mind. pfBlockerNG and pfBlockerNG-devel v3.2.0_3 are available for pfSense CE and pfSense+ at the time of writing this article.
What is the Difference Between pfSense Ad Blocking and Pi-hole?
Pi-hole is a network-wide DNS ad-blocking solution that functions as an external DNS server. That simply means that Pi-hole becomes the DNS server you hand out to network clients. Pi-hole then either permits or "sinkholes" DNS queries that match domain names on its blocklists: it creates a "black hole" that refuses client DNS queries for FQDNs found in the blocklists loaded on the Pi-hole server. Pi-hole lacks routing and other firewalling capabilities. It can run on numerous platforms, including Raspberry Pi devices, hence the name "Pi-hole". The system includes a DHCP server that can provide IP address information to network clients.
pfSense pfBlockerNG and Pi-hole are both used to protect home and other networks from unwanted traffic, such as malicious traffic, advertisements, and tracking. Both projects have a major impact on the security of your network's traffic. But each has advantages and disadvantages as a solution, and your choice depends on your own preferences, requirements, and use cases. The advantages of pfSense pfBlockerNG over Pi-hole are listed below:
- Free and open source
- Includes DNS feeds, IP filtering from lists, and geolocation capabilities
- Blocks IP addresses, providing genuine L3 firewall capabilities and functionality, whereas Pi-hole cannot.
- Blocks categories of sites, as opposed to standard blocklists, which Pi-hole cannot
- Permits the use of free Internet-accessible block lists that are compatible with Pi-hole.
- Does not need a standalone box to operate
- Integrates with your current pfSense firewall device
- Integrates well with the pfSense UI and "feels" native to pfSense.
- Can block a category without needing a customized feed list that targets only that category.
- pfSense, on which pfBlockerNG runs, supports high availability (HA) configurations.
- Commercially available pfSense hardware appliances from Netgate are fully supported.
The main disadvantages of pfBlockerNG are listed below:
- If you do not currently use pfSense as your firewall, you must install it in order to use pfBlockerNG.
- That is a little more involved than Pi-hole, particularly given that you must install pfSense to use it.
- If you just want to set up a simple DNS solution alongside your existing firewall, Pi-hole is a better option.
- pfBlockerNG's UI is not as intuitive as Pi-hole's.
- Some people dislike the reporting side of pfBlockerNG, since it is part of the general system logging and entries are harder to locate than in Pi-hole.
The benefits of Pi-hole over pfSense pfBlockerNG are listed below:
- Free and open source
- Operates independently of your current router and firewall.
- Permits the use of DNS sinkholing, which is a very effective network-wide technique for removing advertisements, malware, and other undesirable traffic.
- Elegant, user-friendly UI
- Excellent reporting
- Compatible with low-power Raspberry Pi and other ARM devices.
- Simple to set up
- Routes particular domain queries to another internal DNS server, such as AD DNS, using conditional forwarding.
The primary drawbacks of Pi-hole are listed below:
- Needs a separate router/firewall in addition to the Pi-hole device.
- Only DNS sinkholing, DHCP, and a few additional functions are supported.
- Cannot block websites based on IP addresses
- Categories of websites cannot be blocked simply as a default feature.
- Requires changing your DNS setup to point at the Pi-hole's IP address
- Lacks a native technique for achieving high availability. While programs such as GravitySync are available, they are not native solutions and involve moving data back and forth.
- Unlike Netgate's pfSense appliances, there is no commercially available supported hardware that can be purchased with Pi-hole installed and running.
Adding pfBlockerNG makes perfect sense if you are already using pfSense, and if you are currently running pfSense, you are likely already running pfBlockerNG. For setups that do not use pfSense as the firewall, adding Pi-hole to perform DNS sinkholing for clients makes a great deal of sense. You may run pfSense and Pi-hole together for a hybrid approach that combines the best of both. Keep in mind, however, that this setup is more complex and makes locating blocks and other troubleshooting tasks more complicated.