That actually seems like a better approach as long as you are using your router for DNS resolving. Thanks for the tip, I wasn’t aware of that option in the unbound tab

can you use the website links list he shows in the video? to block those in the link list using unbound in opnsense?

@@Jorvs Yes you can, custom lists for unbound can be added in advanced settings (click "advanced mode" option in unbound blocklist section, and you'll be able to add any URL containing blocklists to it)

@@Jorvs oh forgot to mention that unbound doesn't support IP addresses in plain text format. You have to use DNS lists (lists like there are for BIND). Now just be mindful what you add and what you don't, lists like these can contain things like steam and other services, which will prevent them from working. Afterall this kind of filters are used mostly on school, library and enterprise networks

Is it OUT on the LAN or in? Surely if the WAN is protected on the IN your devices on your LAN are effectively protected from incoming bad IPs, if however you've got a virus, malware, IOT device or something that's managed to make its way on to a device on your LAN device via a USB stick or something trying to call home, surely you would want the LAN rule to be protected going outbound to the WAN to break connection and stop it no? Plus if its outbound on the LAN rule wouldn't it be easier to identify the exact device which is trying to dial OUT?

@@ecotts I believe Opnsense firewall treats "IN" as anything going to the firewall to another network (E.g. WAN or another Local VLAN). Thus what Wiz dude was saying is correct, use IN on the Lan side as well. Opnsense is also apparently more efficient processing "IN" rules. This is something about processing double packets on the OUT rule.

​@@kyleg3433 For LAN, you need to block IN traffic in most cases. You would have to use out, if you want to for example block uploading files cloud but still be able to download them and/or just browse cloud shares or video streams etc.

Good remark, opnsense is a bit strange in its terminology sometimes. Coming from openwrt, things like block and reject are ambiguous, i think the netfilter/iptables terminology is more clear: you either DROP the packet or you REJECT it. Opnsense had to call it block and reject instead (why stick with reject but make the other option "block"?). Your remark on the "source interface" is another example, looking at openwrt again; no interfaces but rather zones (logical collections of interfaces). interfaces are optional. When talking about openwrt, interfaces and direction of traffic it is the way you describe (and more clear imho). I have to admit that is all rather confusing and when i moved from openwrt to opensense recently i found i needed to prevent myself from getting a false sense of security by implementing rules with unclear/ambiguous terminology. I didn't even bother spending much time figuring that out, instead i went straight to floating rules which make things more clear (imho): as an (related, similar) example: setup an alias to include any local network, e.g. "locally_managed_networks". Put all the local "__lan_network", "__openvpn_network" (pre-defined local networks) etc in there. The floating rule will just be: incoming on any interface, source: "locally_managed_networks" (the network group alias we just created), destination interface: any, destination address: the blocklist alias, action: reject. Why reject? Because that will make troubleshooting easier in the future and i trust my local hosts to a degree that i am ok with them getting "destination denied"-like response from the gateway, instead of being silent and blocking (dropping!) the traffic. If you go a step further and mirror the rule you will want to block(drop) the traffic, because we obviously do not trust any of the hosts on that blocklist alias, we don't want them to get any response when trying to reach out to us.

came here to say this

yes, the Unbound DNS blocklist feature

The answer is yes in case anyone is reading this.

You're welcome