I set up pfBlockerNG about a year ago by following Tom's tutorial. After making some other changes to my firewall setup recently I decided to re-run pfBlocker's wizard just so I could start with a fresh config. This tutorial is still as spot-on as it was when Tom first made it. So I'm giving another tip of my hat to Tom for his outstanding guidance and thorough explanation of this package.
@zsteinkamp 1 year ago
Just wanna say thanks for the great info! I know it's a massive effort to put together all these videos. They've been such a help for me as I've gotten started with pfSense and TrueNAS over the last couple of weeks.
It's almost 1.5 years that I have undoubtedly followed your tutorials for pfSense configuration; really good content and knowledge shared in its utmost form, thank you very much.
@joevining2603 2 years ago
Been using this for a couple years and forgot to donate. Just signed up for the Patreon and I encourage others who have the means to do so as well. It's these developers who continue to push pfSense to the top.
@ashleykingston1980 3 years ago
Thanks for the guide Tom. Upgraded from 2.5 to 3.0. Sound advice as always.
@LAWRENCESYSTEMS 3 years ago
Great to hear!
@matthewbarnett3461 2 years ago
Best pfSense content ever. Thank you, your stuff has been a big help!
@gh8447 4 years ago
Perfect timing! I installed this plug ages ago and was about to finally go and set it up.
@kennethwilson1140 4 years ago
Tom, thanks for another great update, it's much appreciated!
@RiggsTek 3 years ago
Thanks for this Tom, very complete and awesome explanations.
@gregwysocki8742 2 years ago
Always a great tutorial. Used it again after updating to a 4-port intel NIC from a 2-port...thanks!
@Ace-qw2cq 3 years ago
Great video and thanks for the help. If you have VPN setup do you select openvpn for both inbound and outbound interfaces during the setup?
@HijmenSchilperoort 4 years ago
One of the first things I do when setting up pfblocker-ng is add the (public) DNS servers I use to the IP whitelist. For example: some time ago 1.1.1.1 was put on a blacklist :( I had to spend some time figuring out why internet was "dead" on every device in the entire network 🤬
@HijmenSchilperoort 4 years ago
@S K that is exactly how I have my setup. However, if a pfblocker IP blacklist contains the IP of the DNS you use for the DNS resolver then the DNS resolver cannot contact that external DNS server and nothing in your network will be able to resolve external sites. I found this out the hard way :(
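An added example, not part of the comments above and not pfBlockerNG code: a small offline check for the failure mode just described, run over a downloaded IP feed before enabling it, to see whether any upstream DNS resolver is covered by a feed entry. The feed contents, the feed name `sample` and the resolver list are constructed for illustration.

```python
import ipaddress

# Constructed sample feed in the mixed formats IP blocklists commonly use:
# comment lines, single addresses, CIDR ranges, inline comments. Not a real feed.
SAMPLE_FEED = """\
# constructed sample, not a real feed
203.0.113.0/24   ; documentation range
198.51.100.7
1.1.1.0/24       # hypothetical entry that covers a public resolver
2001:db8::/32
not-an-ip-line
"""


def parse_feed(text):
    """Return (network, line_number) for every parseable entry in a feed."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Drop inline comments introduced by '#' or ';'.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        try:
            # A bare address parses as a /32 (or /128) network.
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # hostnames or junk lines are skipped, not fatal
        entries.append((net, lineno))
    return entries


def blocked_resolvers(resolvers, feeds):
    """Map each resolver IP to the (feed, network, line) entries covering it.

    feeds is a dict of feed name -> feed text. Resolvers that no entry
    covers are left out of the result.
    """
    parsed = {name: parse_feed(text) for name, text in feeds.items()}
    hits = {}
    for resolver in resolvers:
        addr = ipaddress.ip_address(resolver)
        for name, entries in parsed.items():
            for net, lineno in entries:
                if addr.version == net.version and addr in net:
                    hits.setdefault(resolver, []).append((name, str(net), lineno))
    return hits


if __name__ == "__main__":
    # Resolver list is an assumption; use the servers your DNS resolver forwards to.
    found = blocked_resolvers(["1.1.1.1", "9.9.9.9", "2001:db8::53"],
                              {"sample": SAMPLE_FEED})
    for resolver, entries in found.items():
        for feed, net, lineno in entries:
            print(f"{resolver} is covered by {net} ({feed}, line {lineno})")
```

Any resolver the check reports is a candidate for the IP whitelist before the feed is enabled.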
@PCTechHustle 3 years ago
Love it Tom! Always great detailed content for exactly what I am looking for, best PfSense tutorials on KZbin!
@LAWRENCESYSTEMS 3 years ago
Thank you
@geoff4009 3 years ago
It's important to note that pfBlockerNG won't work if you're running DNS Forwarder. I was getting address bind errors with unbound after running the setup wizard. To fix, I needed to disable DNS Forwarder and set up DNS Resolver instead. This might be obvious to many, but for a noob like me it took some time to work out the problem.
@andreavergani7414 4 years ago
Thanks Tom. It's been a while that I've wanted to start with pfBlocker. Hope your guides can help me. Ciao
@gerrymaddock9234 4 years ago
I see for North America you have it set for "Match Both". What does match both do?
@bikes-hikes-travels8814 2 years ago
Tom, excellent information here, so I added it to my cybercentric T-channel (FlynnInfoSec1). As a recent NG6100 owner, it is nice to have such a great resource!
@mishudanco2426 3 years ago
Great video. Small request: can you please zoom in when you show what you do on screen? It would be much easier to see on the phone the details you show. Thanks 👍
@freshness7114 3 years ago
Super helpful video, best one I've seen yet on pfBlocker. Many thanks!!
@ramoschico 4 years ago
Thank you very much for sharing knowledge. May God return you in much more ...
@krypton8784 3 years ago
Finally I find something to block Ads. Thanks
@darius55508 2 years ago
Thank you, as always very good information
@dereksinkro1961 3 years ago
Thank you for the thorough explanation!
@soheylsalehi3143 1 year ago
Thank you very much for the great Information. You are awesome.
@fritzchristoph8670 3 years ago
Thank you Tom, your videos are awesome and I have learned so much... love my netgate 5100!!! (got it cheap...)
@JuanLopez-db4cc 4 years ago
As always excellent content. Thank you.
@chrisumali9841 4 years ago
Thanks for the demo and info, have a great day
@aborsic 2 years ago
Thank you for sharing this video, which is super useful to anyone starting new to use pfSense / pfBlocker. I have a question: the GEO IP page suggests not blacklisting "the whole world" but to whitelist a few countries from which one is interested in receiving traffic. I believe the approach demonstrated in the video is the whole-world blacklisting. If you provided instructions, or a dedicated video, on how to whitelist a few countries, that would be super! (simply a suggestion for consideration)
@JonBrookes 2 years ago
top banana. Common sense approach. Sensible application. Thanks for posting this.
@krinzyjewaldo1697 1 year ago
Great, especially the custom list
@kamikazee2239 4 years ago
As always thanks for the video, your vids are always great!
@miketarbox1190 4 years ago
I was hoping that you would hit on Unbound mode, whether through Unbound mode or through the Unbound Python mode, and what, if any, changes need to be made. But good content as always Tom, and I thank you for putting this out.
@michaeljaques77 4 years ago
I was hoping for that as well, but I can understand if he doesn't as it's still listed as BETA. I just attempted changing to the "unbound python mode" and DNSBL broke in all sorts of ways so I just went back to "unbound mode" for now. Still works great!
@21language 3 years ago
Tom, I was watching your PfblockerNG video from 2019, and then I ran into the MaxMind error, then I searched for this video and bang, problem solved.
@jackv486 4 years ago
Thanks for this explanation. I would appreciate it if you would make a video explaining the lists you are using, and custom lists not found in the Feeds. Cheers
@TechMeOut5 4 years ago
Excellent stuff Lawrence!
@rogerjohnson8969 3 years ago
Thank you for making these videos!!
@Porcyln 1 year ago
Great tutorial! Thank you sir.
@CandieyestudioCoUkPhotographer 4 years ago
Thanks Tom for the update, can we get an update on connecting Truenas to PfSense in LACP, please? Pref with a Netgear managed switch!!! lol
@technomad900 3 years ago
Nice introduction to PFblocker. I deployed it yesterday following this video, hoping to block websites, however many are still getting through. http versions of sites are blocked but https versions are returning. Any advice? (Using Shallalist, already enabled TLD, force reloaded, rebooted)
@chacha7225 4 years ago
Best of the best as always.. thank you 🙏 for awesome videos!!
@nkerboute 4 years ago
Great video as always. Keep it up!
@verygoodbrother 2 years ago
Basically for newbies, leave settings as defaults which works for me.
@dimitristsoutsouras2712 4 years ago
Even with version 3 I am still getting
[DNSBL_Misc - hpHostsFSA] Download FAIL [12/11/20 11:10:22]
[DNSBL_Misc - BBCDGAAgr] Download FAIL [12/11/20 11:10:00]
Do I have to remove them?
@LAWRENCESYSTEMS 4 years ago
If they are failing temporarily then no, if they are always failing then yes.
@dimitristsoutsouras2712 4 years ago
@LAWRENCESYSTEMS Thank you for your quick reply!! Well yes, at least with ver 2 they kept failing with each update. I have had ver 3 running for a couple of hours and got the below also:
[ DNSBL_Misc - hpHostsFSA ] Download FAIL [ 12/11/20 12:01:09 ]
[ DNSBL_Misc - Quidsup ] Download FAIL [ 12/11/20 12:00:33 ]
[ DNSBL_Misc - hpHosts ] Download FAIL [ 12/11/20 12:00:29 ]
[ DNSBL_Misc - hpHostsFSA ] Download FAIL [ 12/11/20 11:10:22 ]
[ DNSBL_Misc - BBCDGAAgr ] Download FAIL [ 12/11/20 11:10:00 ]
[ DNSBL_Misc - Quidsup ] Download FAIL [ 12/11/20 11:09:59 ]
[ DNSBL_Misc - hpHosts ] Download FAIL [ 12/11/20 11:09:55 ]
So any info on the web UI path I follow to do this?
Also just registered with MaxMind in order to avoid extra fail messages (my eye tends to spot them and stare at them for a long time :) ). I just generated a key for ver 3.1.1 and newer and pasted it in the relevant field in pfSense in the IP tab. The MaxMind page, though, also has:
For Usage with GeoIP Update
We've generated a config file for you to use with GeoIP Update. See the Automatic Updates for GeoIP2 and GeoIP Legacy Databases page to learn how to use this config file to set up automatic updates.
Download Config button
Do I need this? Even if I downloaded it, I didn't figure out a way to import it inside pfSense. Thank you once more!!!!
PS Either you didn't leave it in your comments below as you mentioned or I am blind and can't see the previous video where you talk about the way to set up the GeoIP.
@Franchyze923 2 years ago
Very helpful! Thanks
@t0nkatsu 4 years ago
Hey Lawrence, I want to run pfSense but it has to be on a box with multiple 10GbE SFP+ slots. Know of any such commonly available hardware that can be used with pfSense?
@ToxicwasteProductions 1 year ago
Can I have lan1 non filtered via pf blocker and have lan2 or opt filtered by pf blocker?
@garretts9529 2 years ago
Thank you for all your videos! I really want to buy a couple of your shirts like the crimp hand one, but they are black and I work outdoors mostly in Texas :(
@neccron9956 4 years ago
Why in the GeoIP setting for North America, do you have it as Match Both vs Deny Inbound?
@cosminachim 3 years ago
This might be a dumb question. I apologize in advance but I still ask... So, I want to use pfSense to restrict my kids from accessing other domains that I want (those from school). Is that easily doable? Can you suggest anything?
@LAWRENCESYSTEMS 3 years ago
It does not do a great job of that, we usually recommend Untangle Firewalls for web site filtering.
@cosminachim 3 years ago
Untangle Firewalls has only paid option as far as I can see ... which for household looks expensive to me. Thank you for pointing me to the right direction.
@sy5tem 1 year ago
ty for all the great info, and any site that I found that "you must unblock us to view content" is a big okay bye bye for me. I don't need them. lol
@chrislowe8085 2 years ago
When do we think v3 of pfblockng will be stable and not dev? Thanks for all your pfsense videos, they really help.
@sufyankhanbest 3 years ago
How do I block all websites and allow only few websites to access from specific LAN IP's, and allow all websites on other IP's of LAN?
@rolson1011 4 years ago
I've been trying to allow a specific port forward to bypass the GeoIP lists. I can't seem to find a good resource for this latest version. Since you mentioned enabling floating rules, would I just add a new floating FW rule to the top of the list that allows that one port?
@BizAutomation 3 years ago
Wonder if there's a reason to run PFblocker together with the blacklist blocker on CloudFlare.
@ksodhi 2 years ago
How does this compare against the PiHole project on the RPi?
@LAWRENCESYSTEMS 2 years ago
I don't use PiHole but they are similar
@gajotres 1 year ago
If anyone is having problems with MaxMind licence being rejected, just update pfBlockerNg to version 3.2.0_4.
@fabiuzaum 4 years ago
Thank you. It helped a lot!
@pierrepaniagua 2 years ago
I know this video is a year or so old, but after I go through the wizard for pfblockerng-devel 3.0.. I am only seeing 1 dnsbl group? In the video it looks like there's 3? Is this some sort of recent update or did I mess something up?
@mrteausaable 3 years ago
Floating Rule and LAN rule in the firewall, which one is evaluated first?
Kind of off topic, but how did you get the selected check boxes in pfSense a different color? :-)
@arjayUU 2 years ago
It seems like with version 2.1.4_28 the wizard is gone. Also there is no Feed and IP tab. There is nothing set up for IPv4 as well as no lists in the Source Definitions. There are no DNSBL Groups and the EasyList is just blank. Is there a meaning to the Header/Label field for the URL of the list or can it be anything?
@subzzeroevil 3 years ago
Cool needed this but some of the default feeds gone. Does anyone have new feeds that will replace the ones we lost?
@gtag174 3 years ago
I can seem to find any rules in the Floating tab. What would be the reason?
@LAWRENCESYSTEMS 3 years ago
That is an option you have to enable under the IP settings.
@gtag174 3 years ago
@LAWRENCESYSTEMS Aren't they auto-generated when enabling 'Floating Rules'? How do I do them otherwise?
@vagtlsc4087 2 years ago
Hi, I have a question about pfBlockerNG. When I use Pi-hole as a DNS blocker, I have the opportunity to see an active here and now updated log file that shows in color what is blocked and what is not blocked. I use a Netgate 4100 which I am very happy with, but am considering using pfBlockerNG rather than Pi-hole. However, I really like the online log reading that is possible in Pi-hole. Is it somehow possible to get the same information from my Netgate?
@LAWRENCESYSTEMS 2 years ago
pihole has better reporting.
@dimitristsoutsouras2712 4 years ago
Please a quick elaboration on why in Firewall/pfBlockerNG/IP/GeoIP all rules have as action Deny inbound (so deny what comes from outside to the network according to my GeoIP rules, which seems right as a choice) whereas in Firewall/pfBlockerNG/IP/IPv4 for all block lists the action is Deny outbound. It's like our network is the malicious one and it prevents it from contaminating the net :) Am I missing something here? Shouldn't all actions in both GeoIP and blocklists be set to inbound rather than outbound? What purpose does the outbound serve? New edit: hmmm.... probably block lists are set to outbound in order to prevent the user/s from visiting already known malicious sites .. so this traffic is considered to be outbound, right?
@LAWRENCESYSTEMS 4 years ago
Yes, blocking outbound prevents internal systems from connecting to those IP's.
@TheJason13 3 years ago
Any thoughts as to why fb isn't loading videos or video thumbnails on my wall? "Sorry, we're having trouble playing this video"
@LAWRENCESYSTEMS 3 years ago
No idea, just watch it on KZbin.
@TheJason13 3 years ago
@LAWRENCESYSTEMS I wanted to make sure it wasn't indicative of another issue, or if the block list(s) were blocking just that portion of fb. It shows the video on my phone, but not on my computer. Weird.
@TheJason13 3 years ago
It seems to be working now. Default blocklists are enabled and "deny both" is selected...
@JP-ei2jz 6 months ago
Hello, regarding the DNSBL VIP Address, if you have 2 pfsense firewalls syncing via XMLRPC, should that IP be different for each firewall or that doesn't matter since it's virtual?
@jeffsadowski 2 years ago
Is there an easy way to tell if my clients IP is on one or more of the lists?
@jeffsadowski 2 years ago
I will just whitelist it for now but curious how to do this.
@CoMmAnDrX 1 year ago
pfb_dnsbl pfBlockerNG DNSBL service shows disabled and when I click enable it doesn't start the service. Looked around and cannot find the answer for this issue.
@RyouConcord 2 years ago
Thank you!!
@guidon.5413 2 years ago
I've looked at pfblockerng-devel a few times now and I just can't get it to not hog the CPU on my Netgate SG2100. The SG2100 normally sits at 95 to 98% idle in normal conditions on my home network, but with pfblockerng-devel enabled just after running through the Wizard and making no changes the router sits at 30 to 40% idle and gets a lot hotter to touch. I don't get it since there really isn't much going on in the network, the pihole does the same work using less than 1% CPU on a Raspberry Pi 4. I'd love to use pfblockerng, but given the strain it puts on the Netgate router, it's just not feasible. Am I doing something wrong there? Am I missing something?
@robertkennedy268 4 years ago
I've had issues with false positives using pfBlocker in the past. I ended up switching to pihole instead for its UI/ease of use as well. What are your thoughts on the two for a home user? Does it matter?
@LAWRENCESYSTEMS 4 years ago
You can use feeds from one in the other. I like having it all in my firewall without a separate device.
@mrteausaable 3 years ago
I tried to only allow my computer IP to access without blocking but it's not working. I put rules on the top at Floating, WAN and LAN interface, still not working. I use your examples blocking the UDP 53 (DNS). What did I do wrong?
@b2rtechnologies 2 years ago
Hi, can you please help with a query? Suppose we need to bypass a LAN side host for PFblockerNG, then how is it possible? Pls, suggest.
@LAWRENCESYSTEMS 2 years ago
Assign a different DNS server.
@Sneksz 3 years ago
How would you add a range of IPs (ie cloudflare) to the whitelist? I'm having issues with the cloudflare proxy (orange cloud) not responding due to pfblocker.
@perfect.stealth 3 years ago
ok so what exactly is the difference with _rep countries and non _rep countries?
@homeassistantiptv8068 3 years ago
Should the Action under PfBlockerNG\IP PRI1 be Deny Outbound or Deny Inbound?
@praveentadepalli1255 3 years ago
What type of support may I have if I purchase the Netgate device?
@LAWRENCESYSTEMS 3 years ago
www.netgate.com/support
@exploringearth3223 2 years ago
I still get youtube ads?
@LAWRENCESYSTEMS 2 years ago
Unless you pay for KZbin premium, you will get ads.
@TK-le8wd 2 years ago
What if I set up Nord VPN on pfSense? Would that be my WAN port even though I still have a "Wan" port listed? My external IP of course shows my true IP on the "WAN" interface.
@LAWRENCESYSTEMS 2 years ago
For outgoing blocking you would need to list all the gateways including NORD if you have it configured as such.
@TK-le8wd 2 years ago
@LAWRENCESYSTEMS Thank you sir!
@1981SPL 4 years ago
dang, something broke in the latest update of PFB for me...when I try to go into the reporting section, I time out no matter what browser/pc etc.
@kalbecharoliya6814 1 year ago
How can I customize the DNSBL blocking page on PfblockerNg3?
@SuperZeroon 2 years ago
Hello, I'm new to pfsense, and have pfBlockNG set up and working okay, but right now pfsense blocked Radarr for search or add new exiting movies. How can I whitelist Radarr?
@prashantbanthia2720 3 years ago
Hello, can we configure webfilter on user groups on pfsense? If yes, how?
@RidinWithMyLocsOn 3 years ago
What if you have a VPN? In Inbound/Outbound Firewall Rules - do I select WAN+VPN and LAN+VPN?
@LAWRENCESYSTEMS 3 years ago
LAN & VPN
@alk_dl 4 years ago
I was waiting for a mention of Unbound Python mode...the new of the 3 version
@Dankeller69 4 years ago
I am curious what the difference is between unbound and python mode...
@benhvienakhoatrungtamangia4373 3 years ago
Hello bro! I have range ip in route, so how to use pfblockng with range ip in static route?
@parl-88 4 years ago
Will it work on SG-1100 without any other plugins set, configured and enabled? I’m just concerned that the SG-1100 is too small to work with pfBlocker-NG. Can anyone confirm this please? Thanks.
@tekidiots6863 2 years ago
Can pfblocker be used as a WAF?
@LAWRENCESYSTEMS 2 years ago
no
@allgood4u 3 years ago
I'm confused. What if I already have 3 LAN Address with IP's of 192.168.0.0, 10.0.0.0 & 172.16.0.0, what VIP Address can/should I add?
@chunkworthersby9321 3 years ago
Hopefully you already figured this out, but it would depend on what your subnet mask is. If you are using 192.168.0.0/24, then setting a VIP of 192.168.1.1 (as would anything between 1 and 253 in that 3rd octet) would be fine because it's not part of that subnet. Same thing if you are using 10.0.0.0/24, 10.10.10.1 like in the example would be fine. Your subnets define how your internal traffic is routed, so any private IP that is on a different subnet than what's already in use would be fine. If there's a conflict, you wouldn't be able to get to the VIP because your router would send that traffic to the interface responsible for that subnet instead of hitting the VIP.
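An added example, not part of the reply above and not pfBlockerNG code: the subnet-mask dependence it describes, checked for the three LAN networks from the question with two constructed sets of masks (the question does not state them). The candidate list other than 10.10.10.1 is hypothetical.

```python
import ipaddress

# The three private IPv4 blocks (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vip_conflicts(vip, lan_subnets):
    """Return the in-use subnets that contain the candidate VIP.

    An empty list means the firewall would not route the VIP to one of
    its LAN interfaces.
    """
    addr = ipaddress.ip_address(vip)
    return [s for s in lan_subnets
            if addr in ipaddress.ip_network(s, strict=False)]


def is_private_v4(vip):
    """True if the address lies in one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(vip)
    return any(addr in block for block in RFC1918)


def suggest_vip(lan_subnets,
                candidates=("10.10.10.1", "172.31.255.1", "192.168.254.1")):
    """First candidate that is private and outside every in-use subnet.

    Returns None when every candidate collides, which is what happens if
    the LANs are configured with masks that span whole private blocks.
    """
    for candidate in candidates:
        if is_private_v4(candidate) and not vip_conflicts(candidate, lan_subnets):
            return candidate
    return None


# Constructed mask assumptions for the networks named in the question.
NARROW = ["192.168.0.0/24", "10.0.0.0/24", "172.16.0.0/24"]
WIDE = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]

if __name__ == "__main__":
    print("narrow masks:", suggest_vip(NARROW))
    print("wide masks:  ", suggest_vip(WIDE))
    print("10.10.10.1 vs wide:", vip_conflicts("10.10.10.1", WIDE))
```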
@kennethnicklowicz1030 3 years ago
I am from Michigan, same area :P
@matthewswan1873 2 years ago
If things look off, it's because you downloaded the wrong package.... took me a while of fighting to figure out what was going on.
@pjg7472 2 years ago
Hey everyone, I have set this up as per the video instructions and cannot for the life of me get it to work correctly. Ads still come through. Under rules, floating, the stats for the rule that pfBlocker created remain at 0/0 B, which appears to indicate that no traffic is flowing through/using this rule. I am at a bit of a loss what to do to rectify this, can anyone assist?
@itworks9445 3 years ago
I've tried mine working smoothly until I found out that it didn't work in https sites... The documentation says that it will also apply to https sites but it doesn't. Can you help me with my problem?
@TaylorSwifty69 3 years ago
thank you!
@MrJetlag34 2 years ago
Thx for great video. Although I think it's pretty confusing :D NFL Game Pass android app (on TV) is getting ad-blocked when I want to start streaming a game, and then black screen. But I can't find out how to find the specific host to whitelist. :S
@muhammadaamir566 2 years ago
Can we block IDM download on pfsense and how?
@aayendehrsol 4 years ago
Has anyone found a way to get amazon prime video apps on smart tv's to work? I cannot find a solution to this problem when running pfblocker.
@mattcero1 3 years ago
Just because a webpage says they're a data analytics company it doesn't mean that "clearly" they're a data analytics company. It's just a web page son. I have a bridge for sale. Interested? Fantastic video though. This makes me want to stay with PFSense. You've got one of the lowest thumbs down ratios I've ever seen. Keep up the good work. Thank you.