Setup Guide / Tutorial for pfBlockerNG 2.2.5 on pfsense with DNSBL & GeoIP Blocking

Would love to have an updated guide, good amount of changes with new release. Thanks for the video!

Tom, good job keeping the pfBlockerNG videos updated with the newer version! I will be setting this up for an Enterprise so this is right on time, thanks!

Awesome, just updated pfBlockerNG after watching this.

Love the videos, stumbled on this video and a few other a short time ago and has saved me much time learning a new firewall and pfblockerng. Easiest firewall install/config Ive done yet, compared to iptables and others.

Wow, I've been using this for a while and totally missed the feeds tab. As always, thanks so much for the information!

Excellent video. My pfsense pfblockerng is definitely dialed in now. I finally have a solid understanding on how it works and how to configure.

Thank you for the very informative video, always look forward to your "how to" videos! 👍

Superb video. Thanks Tom! Have set up my pfsense box by using this video!

It took me 3 days to figure out how to install pfsense. Come to find out my router that deals with my static IP block was broken lol got it replaced by isp and put into bridge mode. Boom it worked. Thank you for showing me this to replace my pi-hole install! you're the king.

I'm really having a blast configuring my first pfsense firewall. Your vids are really helping me a lot. Cheers!

Excellent tutorial! I will utilize it when I get it going on my unit.

2023 and this is so invaluable. Thank you!

great video, just setup pfblocker 2.4.5 on my Jetway NUC host. So far so good.

Got a sg1100 because of you. Glad this can work well with it and it should make the most of my terrible internet.

u r a ROCKSTAR.....Lawrence...Be blessed n stay blessed..

Great explanatory video. Cheers!

Thanks Tom! Great video

Cool thanks a bunch and keep smiling :-)

I love your info helps me allot. you are my pfsense god

Wow..Thank You For Making This New Video For pfsense/PfBlock I Was Hoping You Would ! Thank You ! I Have Ben Runing PfSense now for a cupple of years Now & I Love It But I Could/Would not have ever tried it if you hadnt made ure first video.Think You.. Mine Runs on a old HpZ210 With a quad core xeon & 4Gb of ecc ram & I Also Built a Big Dual Xeon FreeNas Server In Part Thanks To You & Youre Channel !

keep up the good video`s.A"m learning alot about PFsense and all the Funstuff.

thank you for another great tutorial.

Once again, great content. :)

Thanks for the very informative video. The only thing I did differently is when I setup GeoIP blocking. I matched the countries that I wanted to allow (US only in my case), denied inbound, then inverted the match. This keeps my ACLs smaller and frees up some memory.

Thank you Thank you Thank you Thank you Thank you. Awesome how to!

Thanks for this great video. The reason I am running pihole with pfsense just to block websites at DNS level is I do not get the report in pfblockerng about which hosts have visited which websites. Pi-hole does it well. Another point, If you are in active directory envionment you have to put pfblockerng/pihole between the Windows DNS server and client because if windows DNS server forwards the dns queries to pfblockerng/pihole, the latter shows all the dns requests are coming from windows DNS server. Though it seems like a bad practice to put pihole between windows dns server and client, it works perfectly. I have been administrating it for two months. Yes, I also use GeoIP feature of pfblockerng to block IP addresses of unwanted countries. pfblockerng is also a great product and does not replace pihole because of this single report.

How do you know all of this? Your Videos are so informative and contain no BS. Much appreciated!

I'll place this over my raspberry pi pi hole as upstream, also this will be a router. Wow thanks for the info.

Another great video and extremely helpful with my journey learning pfSense. Would you be doing an update to for the pfBlocker? One thing missing is the registration for "MaxMind" to have the ability to edit the DNSBL groups. I was able to figure it out, so if I can, I'm sure most others will also...lol

great video!

Hello, thank you for these videos always very clear!
It would be interesting to have Geoip functionality directly available in pfsense aliases without the addon to the way opnsense implemented it!

I didn't get a setup wizard... My overall interface is quite a bit different now in late 2020. Still helpful tho, so thanks!
I also still set up aggressive country rules, since it's nice to at least see the logs, despite not having any open ports.

Hi Tom, pretty great video, very well explained as always.
Would you consider doing a video talking about some of the pros and cons of pfBlocker and Pi Hole? I think many people would be interested in learning more about the differences between the two similar open source filtering systems

It's good that you pay the $10, but in your case you could argue that they should be paying you for bringing more people to their project. Love your channel.

Tom great video. Do you know a way to bypass the pfblocker for local ips, but not changing the DNS in the hosts

Just set this up today. Great video and everything was very clear! It looks like they added something or changed something. What is this MaxMind license key for GeoIP requirement? is this necessary? should I just ignore this? This is a home router not a business. I assume this license key isn't free. Just hoping someone knew what this was before I spent too much time looking into it.

How do you feel about having a default deny outbound IP rule then permitting GeoIP locations you want and also enabling IP > Reputation? There seems to be a tipping point where that might make more sense than adding too many rules or blocklists.

Hey Tom, thanks for the updated video I had two issues the first was getting notifications about rules not being able to be loaded and after some research was able to identify tue fix which was to increase the State tables size. The other issue I am having is when I set the IPv4 Top spammers list to deny both and check the alerts I get quad9:853 being blocked when my Wan address and OpenVpn client interface to PIA tries to access it. I have other dns servers in pfsense that are listed that are not getting the issue quadone for instance. My Question is should the PIA interface and openvpn remote interface be selected iN Pfblockerng and if so which section Lan or Wan or both? Thanks

The last bit where you add your 'plug', there's a lot of hiss in the audio that I notice with headphones.

Nice video,thanks, but i have a question, how do i block unifi telemetry in pfblocker ?

Thanks Tom, after seeing another channel video on the new UBNT home-junk that indicates once again that UBNT are not developing "Enterprise" stuff and focusing on home stuff, another reason to drop the USG's as they simply lack even the basics of PFSense, only to happy to move back to the light.

Thanks for the timely video. Should I configure the client primary DNS server to the IP address of the pfSense box?

Thank you for the very informative video. I currently have pfBlockerNG, Suricata and Snort w/Subscription installed. I was wondering since pfBlockerNG checks both IP addresses and FQDN’s why do I need Snort or Suricata, they only filter on IP addresses. I understand that each of the installed programs have different rules sets, I assume pfBlockerNG would have a larger rule set then both Snort and Suricata combined, so pfBlockerNG makes Snort and Suricata redundant? Thoughts, comments?

Do you have a setup guide for using pfBlocker with Active Directory for DNS blocking? Specifically when you have a LAN that has AD hosts and a guest LAN where the hosts are not a member of AD

Explain things in detail please:
The difference between BLOCK and REJECT is simple if you know TCP:
Block would simply drop the packet and the sender would time out at some point.
Reject would send a reset back to the sender, notifying IMMEDIATELY that the connection did not succeed.
Reject is better for outgoing rules so the app doesn’t need to wait for the timeout.

Great video!!
Would you mind to share your blocklists? :D

Hi Tom, Could you re-visit this video now on August 2020. I have an SG-1100 and followed this video to the letter, however when I enable pfBlockerNG 2.2.5_33 my CPU goes to 100% and the SG-1100 becomes unusable and comes to a halt until I switch it off and on again and quickly disable pfBlockerNG. Thanks for sharing your knowledge with us.

Lawrence what feeds do you use to block the ads? For your personal use

So, is pfblockerng able to filter/block TH-cam ads on devices like iPad or SmartTV?

We have a redundant 2 nodes PfSense configuration. I just installed pfBlockerNG on both nodes and planning to start the configuration wizard. Do you have any recommendations about the configuration steps?
Best Regards,
Bela Vajda

Another super video. When I started geo-blocking, PfSense seemed to say that everything was blocked anyway and there was no necessity to block from pfBlockerNG. That's a bit confusing. What's your take.

Can you please make a video guide how to get this working through openvpn? So my employees when they connect to my company network have filtered connection trough pfblocker?

Quick question. Will PfBlocker port 8443 interfere with the unifi controller port?

I have registered for maxmind license and added that in the ip section. i do not see the edit icon in the geo ip. kindly help

Hi Tom, I have pfSense installed in my home lab and I am about to deploy it to the entire house. But can pfBlockerNG log all DNS requests from all clients on the LAN? (I think I found as you mentioned: at 24:46 , but I think it only logs blocked DNS not allowed once) Also, because pfBlockerNG cannot do regex, how do you block custom websites? Do I have to create my own text file on a webserver and loaded as a list to pfBlockerNG? Thank you so much for thee videos.

There are caveats regarding what you do if you, like we do, backhaul all your traffic to a colo from your office using an ipsec link and are using VTI routing to do that - there are some modifications you need to make to what gateway to use and where the rules need to go since your 'exit interface' isnt 'the wan'.

I didn't get the wizard... I did update to pfSense 2.4.5 before installing though.. likely to make a difference?

Nice video. So now my ISP can't "see" the DNS i am on, only the ip? Can they read f.eks "192.168.10.10/info/importentstuffthatissecret"? or do they just see "192.168.10.10"?

Hi Tom in the past you said about GeoIP yourself: Don't lock out the world, but rather permit the connections you want/need
Especially for Inbound connections
Did you change your mind on that?
Thanks

I have a configuration like this: ISP router > PFsense > Linksys Velop Mesh, but the issue I have i that the PFsense only can see the Linksys velop ip and then everything is reported as if where the lynsys, ¿how can i configure so the pfsense can report the sources ip for each device thru the Linsys?

There a more updated video on pfBlocker?

Been playing with pfBlockerNG for the last year on two systems but on both cannot get DNSBL to work on VLANS. No amount of googling has gotten me an answer to this. Guest networks set up on Unifi Access Points connected to PFSense by VLAN. Sites are blocked on the LAN on both wired and wireless but not on the VLANS. All interfaces have been selected in the settings but no matter what I do I cannot get it to work.

When on the road and using my "roadwarrior" vpn, pfblocker won't block anything. When at home it blocks everything. How do I configure pfblocker to also work on my vpn?

This blocking helps for folks using preinstalled browsers (IE, Safari), but using a browser with builtin ad-blocking (Brave is a good one) gets you over the line.

I did these settings to enable on all my interfaces, but all interfaces other than LAN do not have pfblocker working correctly, Why? The rules show up in floating rules.

If I have networks handing out 1.1.1.3 DNS to devices to block porn does that mean the DNS portion of pfblocker will be bypassed but the IP protection will still apply? Do you recommend this?

I will not be needing uMatrix, Adblock Plus, Privacy Badger, uBlock Origin, Forget Me Not add-ons anymore for my Firefox correct?

Please confirm that a Pi-hole on a network with pfBlockerNG should be disabled or removed.

Hi Tom, I found your video after discovering my webgui was exposed to the WAN after configuring geo blocking.
In each configuration page it says "it's NOT recommended to block the 'world', instead consider rules to permit traffic from selected countries only".
So that's what I did - I permitted the select few countries I required inbound for, but in doing this it also automatically permitted port 80 to our pfsense.
I even tried creating a block rule at the top of both the floating and wan pages (source: any, destination: wan address, port: 80) and reloaded the rules.
Port 80 was still accessible on the WAN! I tried changing the destination from 'wan address' to 'this firewall' but this made no difference.
Any ideas why the block rule was being ignored? I've temporarily had to turn off geo blocking all together to hide port 80.
Should I be ignoring the recommendation to not block the world, and instead deny inbound just as you have?

Currently am using Untangle (Home pro) , am I loosing something if am not using pfSense ?
Or is it better than UT

Is there any similar way for Edgerouter? I use just a Pi-hole there now.

where can I find a DNSBL list to block Bigo Live?

What's the best way before updating to devel to ensure ALL pfblockerng settings are DELETED (not preserved) when uninstalling. I read do a force update but unclear if that means after uninstalling or after the devel release is installed.

well it looks like if you play overwatch the geo drops connections after a while.

23:33 my town, sad story.

Tom, how can I whitelist a port for inbound when GoeIP is enabled?

In your experience, would you run pfBlocker over piehole? Benifits?

Odd I have no edit pen under GeoIP...

Working through this you now need a licence for max mind if you don't do that no option to update feeds in geoIP

I just got this up and running but if a client manually sets their dns server to a public server (not the pfsense dns) dnsbl does not work as intended. Any suggestions? I followed the "Redirecting all DNS Requests to pfSense" guide on their website.

DNSBL Feeds List has a lot of change Malwarebytes & hphost has delete

Hi Tom, if LAN Have a public IP can we filter the sites on that Lan or not if yes, then instruct me how ?
thanks in advance
it's an issue that I faced with it please help me

very intresting vid.
but got a question, i was gonna order Raspberry pi for Pi Hole, jut few hours ago and fell to sleep, woke up and watched your vid. 😉,
btw question is, can i black list domains i dont like? like Pi Hole? is there a report of domains that are beeing resolved with a click in front of them? so i can just black list thoes?
im sorry if thats something i missed in the vid but my english is not my native language.

didnt work to edit GeoIP. Maybe i need I licence, but still after getting trial licence nothing showed up

lol I consider myself to be a fairly savy pfsense user but I've tried many times, followed this guide many times and am unable to get pfblocker to dnsbl to filter at all. I'm sure I'm doing something wrong...

I just install it and run the wizard and then can't connect to any websites...

great tutorial! tnx. Do you use static route in this tut? Have you tried OSPF? im running ospf and pfblocker VIP ip breaks OSPF negotiation. Have any ide how to fix even?

This job files eyes which?

can pfblocker and snort live together in the same pfsense box?

It seems that GeoIP setting has changed since the make of this video: It looks like it requires a license key in order to be configured?

How do we stop Android devices from getting around pfblocker?

Can pfBlockerNg block specific url? Like I want to block some youtube channel, but not the entire youtube

Using this and pi hole.

Hi I am having issues with it, does not want to update data base. its Only updating GEO.
UPDATE PROCESS START [ 05/31/20 11:45:10 ]
===[ DNSBL Process ]================================================
Clearing all DNSBL Feeds... completed
Validating database... completed
Reloading Unbound.... completed
DNSBL update [ 0 | PASSED ]... completed [ 05/31/20 11:45:11 ]
------------------------------------------

The pfBlockerNG wizard did not run for me. There is no "IP" tab under pfBlockerNG. Published November 10 and it's already so out of date that it's useless to follow along.

You still shall not block the world like the developer have said so many times. You should only allow from specific countries to protect your ports. Not block the whole world except a few countries.

looks like the pfBlockerNG changed a bit recently, some settings are mixed and GeoIP needs a licence *NEVERMIND* i'm a dumbass and installed the wrong thing...

Hi lourence, may you consider talk a litle more slowly, for that guys like me that mother language isnt english, pelase. I realy like your vídeos but some times i cant undertand. TKS and congrats for ur TH-cam channel!

Every tech nerd knows what getting blocked and rejected are - from stalking women online

i got jipped.. i never got no dam wizard lol..