Tutorial: pfsense and pfBlockerNG Version 3

I set up pfBlockerNG about a year ago by following Tom's tutorial. After making some other changes to my firewall setup recently I decided to re-run pfBlocker's wizard just so I could start with a fresh config. This tutorial is still as spot-on as it was when Tom first made it. So I'm giving another tip of my hat to Tom for his outstanding guidance and thorough explanation of this package.

Tom, thanks for another great update it's much appreciated!

Perfect timing! I installed this plug ages ago and was about to finally going and set it up.

Thanks for this Tom, very complete and awesome explanations.

Super helpful video, best one I've seen yet on pfBlocker. Many thanks!!

Always a great tutorial. Used it again after updating to a 4-port intel NIC from a 2-port...thanks!

it almost 1.5 years that I undoubtedly follow your tutorials for pfsense configuration, really good content and knowledge shared at it upmost form, thank you very much.

Best pfSense content ever. Thankyou your stuff has been a big help!

Thanks for the demo and info, have a great day

Thank you for the thorough explanation!

As always excellent content. Thank you.

Just wanna say thanks for the great info! I know it's a massive effort to put together all these videos. They've been such a help for me as I've gotten started with pfSense and TrueNAS over the last couple of weeks.

As always thanks for the video, your vids are always great!

Best of the best as always.. thank you 🙏 for awesome videos!!

Thanks Tom. Its a lil of time that i want to start a pfblocker. Hope your guides can help me. Ciao

Thanks for the guide Tom. Upgraded from 2.5 to 3.0. Sound advice as always.

Been using this for a couple years and forgot to donate. Just signed up for the Patreon and I encourage others who have the means to do so as well. It's these developers who continue to push pfSense to the top.

Thank you for making these videos!!

Thank you Tom, your videos are awsome and i have learned so much... love my netgate 5100!!! (got it cheap...)

Great video as always. Keep it up!

Love it Tom! Always great detailed content for exactly what I am looking for, best PfSense tutorials on TH-cam!

Excellent stuff Lawrence!

Thank you very much for sharing knowledge. may God return you in much more ...

Thank you, as always very good information

Thank you very much for the great Information. You are awesome.

Great tutorial! Thank you sir.

Great, especially the custom list

Great video. Small request: can you please zoom in when you show what you do on screen? It would be much easier to see on the phone the details you show
Thanks👍

Thank you. It helped a lot!

Thanks Tom for the update, can we get an update on connecting Truenas to PfSense in LACP, please? Pref with a Netgear managed switch!!! lol

Patreon Link for the pfblocker creator
www.patreon.com/pfBlockerNG
pfblocker reddit
www.reddit.com/r/pfBlockerNG/
Maxmind GEOIP Registration www.maxmind.com/en/geolite2/signup
⏱️ Timestamps ⏱️
0:00 pfblocker patreon
2:02 pfblocker reddit posts and changelog
3:36 installing pfblocker
4:10 pfblocker wizard
7:20 Customizing pfblocker
8:20 Floating Rules
10:18 Maxmind Licence Key
11:06 IP Block Lists
13:20 adding feeds
15:16 GeoIP Configuration
17:40 Alerts and Reporting
19:31 DNSBL Configuration
21:47 Threat Lookups
25:05 DNSBL Whitelisting

Finally I find something to block Ads. Thanks

top banana. Common sense approach. Sensible application. Thanks for posting this.

Thank you for sharing this video which is super useful to anyone starting new to use pfSense / pfBloker. I have a question:: the GEO IP page suggests not blacklisting "the whole world" but to whitelist a few countries from which one is interested in receiving traffic. I believe the approach demonstrated in the video the whole world blacklisting. If you provided instructions, or a dedicated video, on how to whitelist a few countries, that would be super ! (simply a suggestion for consideration)

It help me a lot! Thanks!

Very helpful! Thanks

Great video and thanks for the help. If you have VPN setup do you select openvpn for both inbound and outbound interfaces during the setup.

It's important to note that pfBlockerNG won't work if you're running DNS Forwarder. I was getting address bind errors with unbound after running the setup wizard. To fix, I needed to disable DNS Forwarder and set up DNS Resolver instead. This might be obvious to many, but for a noob like me it took some time to work out the problem.

Thanks, for this explanation. I would appreciate that you would make a video explaining the lists you are using, and custom lists not found in the Feeds . Cheers

One of the first things I do when setting up pfblocker-ng is add the (public) DNS servers I use to the IP whitelist.
For example; Some time ago the 1.1.1.1 was put on a blacklist :(
I had to spend some time figuring out why internet was "dead" on every device in the entire network 🤬

Thank you!!

thank you!

Just becasue a webpage says they're a data analytics company it doesn't mean that "clearly" they're a data analytics company. It's just a web page son. I have a bridge for sale. Interested? Fantastic video though. This makes me want to stay with PFSense. You've got one of the lowest thumbs down ratios I've ever seen. Keep up the good work. Thank you.

Thank you for all your videos! I really want to buy a couple of your shirts like the crimp hand one, but they are black and I work outdoors mostly in texas :(

I see for North America you have it set for "Match Both". What does match both do?

Basically for newbies, leave settings as defaults which works for me.

Tom, I was watching your PfblockerNG video from 2019, and then i ran into the MaxMind error, then i searched for this video and bang, problem solved

I've been trying to allow a specific port forward to bypass the GeoIP lists. I can't seem to find a good resource for this latest version. Since you mentioned enabling floating rules, would I just add a new floating FW rule to the top of the list that allows that one port?

Nice introduction to PFblocker. I deployed it yesterday following this video , hoping to block websites , however many are still getting through . http versions of sites are blocked but https versions are returning . Any advise ? ( Using Shallalist , Already enabled TLD , Force reloaded , rebooted )

If anyone is having problems with MaxMind licence being rejected, just update pfBlockerNg to version 3.2.0_4.

ty for all the great info, and any site taht i found taht "you must unblock us to view content" is a big okay bye bye for me. i don't need them. lol

I am from michigan same area :P

I was hoping that you would hit on Unbound mode, whether through Unbound mode or through the Unbound Python mode, and what, if any changes need to be made. But good content as always Tom, and I thank you for putting this out.

Hey Lawrence, I want to run pfSense but it has to be on a box with multiple 10GbE SFP+ slots. Know of any such commonly available hardware that can be used with pfSense?

👍👍

Can I have lan1 non filtered via pf blocker and. Having lan2 or opt filtered by pf blocker?

When do we think v3 of pfblockng will be stable and not dev? thanks for all your pfsense video's they really help.

Kind of off topic, but how did you get the selected check boxes in pfSense a different color? :-)

Why in the GeoIP setting for North America, do you have it as Match Both vs Deny Inbound?

Wonder if there's a reason to run PFblocker together with the blacklist blocker on CloudFlare.

Cool needed this but some of the default feeds gone. Does anyone have new feeds that will replace the ones we lost?

Thx for great video. Although I think its pretty confusing :D NFL Game Pass android app(on tv), is getting ad-blocked when I want to start streaming a game, and then black screen. But I cant find out how find the specific host to whitelist. :S

Should the Action under PfBlockerNG\IP PRI1 be Deny Outbound or Deny Inbounnd?

dang, something broke in the latest update of PFB for me...when I try to go into the reporting section, I time out no matter what browser/pc etc.

How would you add a range of IPs (ie cloudflare) to the whitelist? I'm having issues with the cloudflare proxy (orange cloud) not responding due to pfblocker.

How do I block all websites and allow only few websites to access from specific LAN IP's, and allow all websites on other IP's of LAN

Please a quick elaboration on why in
Firewall/pfBlockerNG/IP/GeoIP all rules have as action Deny inbound (so deny what comes from outside to the network according to my GeoIP rules which seems right as a choice) where in
Firewall/pfBlockerNG/IP/IPv4 for all block lists the action is Deny outbound. Its like our network is the malicious one and prevents it from contaminated net :) Am I missing something here>
Shouldnt all actions in both GeoIp and Blocklists set to Inbound than outbound?????
What purpose serves the outbound?
New Edit: hmmm.... probably block lists set to outbound in order to prevent the user/s to visit already known malicious sites .. so this traffic is considered to be outbound right?

It seems like with version 2.1.4_28 the wizard is gone. Also there is no Feed and IP tab.
Tthere is nothing set up for IPv4 as well as no lists in the Source Definitions. There are no DNSBL Groups and the EasyList is just blank. Is there a meaning to the Header/Label field for the URL of the list or can it be anything?

Will it work on SG-1100 without any other plugins set, configured and enabled? I’m just concerned that the SG-1100 is too small to work with pfBlocker-NG. Can anyone confirm this please? Thanks.

I've looked at pfblockerng-devel a few times now and I just can't get it to not hog the CPU on my Netgate SG2100. The SG2100 normally sits at 95 to 98% idle in normal conditions on my home network, but with pfblockerng-devel enabled just after running through the Wizard and making no changes the router sits at 30 to 40% idle and gets a lot hotter to touch. I don't get it since there really isn't much going on in the network, the pihole does the same work using less than 1% CPU on a Raspberry Pi 4. I'd love to use pfblockerng, but given the strain it puts on the Netgate router, it's just not feasible.
Am I doing something wrong there? Am I missing something?

I've had issues with false positives using pfBlocker in the past. I ended up switching to pihole instead for its UI/ease of use as well. What are your thoughts on the two for a home user? Does it matter?

I know this video is a year or so old, but after I go through the wizard for pfblockerng-devel 3.0.. i am only seeing 1 dnsbl group? In the video it looks like there's 3? Is this some sort of recent update or did I mess something up?

hello bro! I have range ip in route , so how to use pfblockng with range ip in static route

pfb_dnsbl pfBlockerNG DNSBL service shows disabled and when I click enable it doesn't start the service. Looked around and cannot find the answer for this issue.

How can I customize DSNBL blocking page on PfblockerNg3,

I tried to only allow my computer IP to access without blocking but no working. I put rules on the top at Floating, WAN and LAN interface, still not working. I use your examples blocking the UDP 53(DNS). What I did wrong?

Tom, excellent information here, so I added it to my cybercentric T-channel (FlynnInfoSec1). As a recent NG6100 owner, it is nice to have such a great resource!

Hello, can we configure webfilter on user groups on pfsense? if yes how?

Hi
I have a question about PfblokkerNG.
When I use Pi-Hole as a DNS blocker, I have the opportunity to see an active here and now updated log file that shows in color what is blocked and what is not blocked.
I use a Nategate 4100 which I am very happy with, but am considering using PfblockingNG rather than Pi-hole. However, I really like the online log reading that is possible in Pi.Hole.
Is it somehow possible to get the same information from my Nategate?

If things look off, its because you downloaded the wrong package.... took me a while of fighting to figure out what was going on.

Hey everyone, I have setup this as per the video instructions and cannot for the life of me get it to work correctly. I ads still come through.. Under rules, floating, the stats for the rule that pfBlocker created remain at 0/0 B Which appears to indicates that no traffic is flowing through/using this rule. I am at a bit of a loss what to do to rectify this, can anyone assist?

I installed it and it works great except for some reason it is blocking Amazon app. Is there a way to fix this?

i was waiting a mention to Unbound Python mode...the new of the 3 version

Floating Rule and LAN rule in the firewall, which one is evaluate first?

Hello , i’m new to pfsense , and have pfBlockNG setup and working okay , but right now pfsense blocked Radarr for search or add new exiting movies.
How can i whitelist Radarr ?

What if you have a VPN? In Inbound/Outbound Firewall Rules - do I select WAN+VPN and LAN+VPN?

I like your minimalist approach to the DNSBL. I'm going to turn them all off for now. Have you or anyone found a list to block ads when browsing on mobile devices? 🤔

Can't believe you are still setting up ipv4-only firewall not a dual stack one, especially in USA

Time for an update... no more Wizard tab ;)

in fact you may lough, but Penguins do most of atacks, ;) Linux ?

How does this compare against the PiHole project on the RPi?

I've tried mine working smoothly until I found out that it didn't work in https sites... The documentation says that it will also apply to https sites but it doesn't. Can you help me with my problem?

Hi, Can you please help with a query. Suppose we need to bypass a LAN side host for PFblockerNG then how it is possible. Pls, suggest.

This might be a dumb question. I apology in advance but I still ask... So, I want to use pfSense to restrict my kids from accessing other domains that I want (those from school). Is that easy doable? Can you suggest anything?

What if I setup Nord VPN on pfSense? Would that be my WAN port even though I still have a "Wan" port listed? My external Ip of cours shows my true IP on the "WAN" interface.

Is there an easy way to tell if my clients IP is on one or more of the lists?

ok so what exactly is the difference with _rep countries and non _rep countries?

Even with version 3 I am still getting
[DNSBL_Misc - hpHostsFSA] Download FAIL [12/11/20 11:10:22] 
[DNSBL_Misc - BBCDGAAgr] Download FAIL [12/11/20 11:10:00]
Do I have to remove them ?

just run the wizard and it just works for a base config lol no it does not and spent 2 hrs trying to get it to work and nothing (pfb_dnsbl pfBlockerNG DNSBL service wont start)

What type of support i may have if I purchase the Netgate device?