Would love to have an updated guide, good amount of changes with new release. Thanks for the video!

Tom, good job keeping the pfBlockerNG videos updated with the newer version! I will be setting this up for an Enterprise so this is right on time, thanks!

Wow, I've been using this for a while and totally missed the feeds tab. As always, thanks so much for the information!

Excellent video. My pfsense pfblockerng is definitely dialed in now. I finally have a solid understanding on how it works and how to configure.

Awesome, just updated pfBlockerNG after watching this.

Love the videos, stumbled on this video and a few other a short time ago and has saved me much time learning a new firewall and pfblockerng. Easiest firewall install/config Ive done yet, compared to iptables and others.

I'm really having a blast configuring my first pfsense firewall. Your vids are really helping me a lot. Cheers!

@LAWRENCESYSTEMS

3 жыл бұрын

Rock on!

2023 and this is so invaluable. Thank you!

great video, just setup pfblocker 2.4.5 on my Jetway NUC host. So far so good.

Got a sg1100 because of you. Glad this can work well with it and it should make the most of my terrible internet.

It took me 3 days to figure out how to install pfsense. Come to find out my router that deals with my static IP block was broken lol got it replaced by isp and put into bridge mode. Boom it worked. Thank you for showing me this to replace my pi-hole install! you're the king.

@LAWRENCESYSTEMS

9 ай бұрын

Glad it helped!

Superb video. Thanks Tom! Have set up my pfsense box by using this video!

Thank you for the very informative video, always look forward to your "how to" videos! 👍

Wow..Thank You For Making This New Video For pfsense/PfBlock I Was Hoping You Would ! Thank You ! I Have Ben Runing PfSense now for a cupple of years Now & I Love It But I Could/Would not have ever tried it if you hadnt made ure first video.Think You.. Mine Runs on a old HpZ210 With a quad core xeon & 4Gb of ecc ram & I Also Built a Big Dual Xeon FreeNas Server In Part Thanks To You & Youre Channel !

How do you know all of this? Your Videos are so informative and contain no BS. Much appreciated!

Thanks for this great video. The reason I am running pihole with pfsense just to block websites at DNS level is I do not get the report in pfblockerng about which hosts have visited which websites. Pi-hole does it well. Another point, If you are in active directory envionment you have to put pfblockerng/pihole between the Windows DNS server and client because if windows DNS server forwards the dns queries to pfblockerng/pihole, the latter shows all the dns requests are coming from windows DNS server. Though it seems like a bad practice to put pihole between windows dns server and client, it works perfectly. I have been administrating it for two months. Yes, I also use GeoIP feature of pfblockerng to block IP addresses of unwanted countries. pfblockerng is also a great product and does not replace pihole because of this single report.

Excellent tutorial! I will utilize it when I get it going on my unit.

u r a ROCKSTAR.....Lawrence...Be blessed n stay blessed..

Hello, thank you for these videos always very clear! It would be interesting to have Geoip functionality directly available in pfsense aliases without the addon to the way opnsense implemented it!

Thanks for the very informative video. The only thing I did differently is when I setup GeoIP blocking. I matched the countries that I wanted to allow (US only in my case), denied inbound, then inverted the match. This keeps my ACLs smaller and frees up some memory.

@timothywest6060

4 жыл бұрын

Was wondering about this. Thanks!

I didn't get a setup wizard... My overall interface is quite a bit different now in late 2020. Still helpful tho, so thanks! I also still set up aggressive country rules, since it's nice to at least see the logs, despite not having any open ports.

Another great video and extremely helpful with my journey learning pfSense. Would you be doing an update to for the pfBlocker? One thing missing is the registration for "MaxMind" to have the ability to edit the DNSBL groups. I was able to figure it out, so if I can, I'm sure most others will also...lol

keep up the good video`s.A"m learning alot about PFsense and all the Funstuff.

I'll place this over my raspberry pi pi hole as upstream, also this will be a router. Wow thanks for the info.

The last bit where you add your 'plug', there's a lot of hiss in the audio that I notice with headphones.

Great explanatory video. Cheers!

Just set this up today. Great video and everything was very clear! It looks like they added something or changed something. What is this MaxMind license key for GeoIP requirement? is this necessary? should I just ignore this? This is a home router not a business. I assume this license key isn't free. Just hoping someone knew what this was before I spent too much time looking into it.

Thanks Tom! Great video

Cool thanks a bunch and keep smiling :-)

Tom great video. Do you know a way to bypass the pfblocker for local ips, but not changing the DNS in the hosts

I love your info helps me allot. you are my pfsense god

Nice video,thanks, but i have a question, how do i block unifi telemetry in pfblocker ?

How do you feel about having a default deny outbound IP rule then permitting GeoIP locations you want and also enabling IP > Reputation? There seems to be a tipping point where that might make more sense than adding too many rules or blocklists.

Thanks Tom, after seeing another channel video on the new UBNT home-junk that indicates once again that UBNT are not developing "Enterprise" stuff and focusing on home stuff, another reason to drop the USG's as they simply lack even the basics of PFSense, only to happy to move back to the light.

@charlescc1000

4 жыл бұрын

Agreed! I am just a hobbyist but after watching Tom's videos, I'm looking forward to replacing my EdgeRouter with a pfSense appliance. I tried pfSense once before and found that it didn't work very well but that was because I was using some seriously old hardware (10+ years old). This go around, I think I'll pickup a HP thin client which I've read are great for pfSense and can be found under $100 used.

@sitte24

4 жыл бұрын

@@charlescc1000 or you just buy an sg1100 and have brand new hardware that will work flawlessly and won't consume much energy at all

@charlescc1000

4 жыл бұрын

sitte Yes I’m debating between a thin client Dell or HP system or an SG-3100. The SG-1100 would not suffice for a gigabit WAN connection. I like the fact that buying a netgate appliance supports the development of pfSense!

It's good that you pay the $10, but in your case you could argue that they should be paying you for bringing more people to their project. Love your channel.

Hey Tom, thanks for the updated video I had two issues the first was getting notifications about rules not being able to be loaded and after some research was able to identify tue fix which was to increase the State tables size. The other issue I am having is when I set the IPv4 Top spammers list to deny both and check the alerts I get quad9:853 being blocked when my Wan address and OpenVpn client interface to PIA tries to access it. I have other dns servers in pfsense that are listed that are not getting the issue quadone for instance. My Question is should the PIA interface and openvpn remote interface be selected iN Pfblockerng and if so which section Lan or Wan or both? Thanks

thank you for another great tutorial.

Explain things in detail please: The difference between BLOCK and REJECT is simple if you know TCP: Block would simply drop the packet and the sender would time out at some point. Reject would send a reset back to the sender, notifying IMMEDIATELY that the connection did not succeed. Reject is better for outgoing rules so the app doesn’t need to wait for the timeout.

Thank you Thank you Thank you Thank you Thank you. Awesome how to!

Once again, great content. :)

Hi Tom, pretty great video, very well explained as always. Would you consider doing a video talking about some of the pros and cons of pfBlocker and Pi Hole? I think many people would be interested in learning more about the differences between the two similar open source filtering systems

@x240strongx

4 жыл бұрын

As someone who find a pizero in my storage and just set a pihole up on it with his pfsense, I would like to know this as well!

@NetITGeeks

4 жыл бұрын

​@@x240strongx I have pi Hole at the moment because my pfSense is still in my lab environment. But I think there is no need to run a second VM to hold pi hole if you already have a pfSense VM or a box setup. I like the pi Hole interface and easy to use, set it and forget it nature. As far as I can see, pi hole cannot do IP based blocking.

@x240strongx

4 жыл бұрын

@@NetITGeeks I had pihole running on a pi zero I had in storage. I ended up changing my DNS servers from it however, as it ended dup locking me out of the internet on the whole network. Never figured out what it did, but I ended up moving to pfblockerng on pfsense. I agree with you though. The pihole UI and everything just looks nest and is alot more user friendly to those less network savy.

I have registered for maxmind license and added that in the ip section. i do not see the edit icon in the geo ip. kindly help

So, is pfblockerng able to filter/block KZread ads on devices like iPad or SmartTV?

Do you have a setup guide for using pfBlocker with Active Directory for DNS blocking? Specifically when you have a LAN that has AD hosts and a guest LAN where the hosts are not a member of AD

Hi Tom, I have pfSense installed in my home lab and I am about to deploy it to the entire house. But can pfBlockerNG log all DNS requests from all clients on the LAN? (I think I found as you mentioned: at 24:46 , but I think it only logs blocked DNS not allowed once) Also, because pfBlockerNG cannot do regex, how do you block custom websites? Do I have to create my own text file on a webserver and loaded as a list to pfBlockerNG? Thank you so much for thee videos.

There are caveats regarding what you do if you, like we do, backhaul all your traffic to a colo from your office using an ipsec link and are using VTI routing to do that - there are some modifications you need to make to what gateway to use and where the rules need to go since your 'exit interface' isnt 'the wan'.

Been playing with pfBlockerNG for the last year on two systems but on both cannot get DNSBL to work on VLANS. No amount of googling has gotten me an answer to this. Guest networks set up on Unifi Access Points connected to PFSense by VLAN. Sites are blocked on the LAN on both wired and wireless but not on the VLANS. All interfaces have been selected in the settings but no matter what I do I cannot get it to work.

I have a configuration like this: ISP router > PFsense > Linksys Velop Mesh, but the issue I have i that the PFsense only can see the Linksys velop ip and then everything is reported as if where the lynsys, ¿how can i configure so the pfsense can report the sources ip for each device thru the Linsys?

Can you please make a video guide how to get this working through openvpn? So my employees when they connect to my company network have filtered connection trough pfblocker?

Hi Tom, Could you re-visit this video now on August 2020. I have an SG-1100 and followed this video to the letter, however when I enable pfBlockerNG 2.2.5_33 my CPU goes to 100% and the SG-1100 becomes unusable and comes to a halt until I switch it off and on again and quickly disable pfBlockerNG. Thanks for sharing your knowledge with us.

I did these settings to enable on all my interfaces, but all interfaces other than LAN do not have pfblocker working correctly, Why? The rules show up in floating rules.

I didn't get the wizard... I did update to pfSense 2.4.5 before installing though.. likely to make a difference?

Quick question. Will PfBlocker port 8443 interfere with the unifi controller port?

When on the road and using my "roadwarrior" vpn, pfblocker won't block anything. When at home it blocks everything. How do I configure pfblocker to also work on my vpn?

Thank you for the very informative video. I currently have pfBlockerNG, Suricata and Snort w/Subscription installed. I was wondering since pfBlockerNG checks both IP addresses and FQDN’s why do I need Snort or Suricata, they only filter on IP addresses. I understand that each of the installed programs have different rules sets, I assume pfBlockerNG would have a larger rule set then both Snort and Suricata combined, so pfBlockerNG makes Snort and Suricata redundant? Thoughts, comments?

We have a redundant 2 nodes PfSense configuration. I just installed pfBlockerNG on both nodes and planning to start the configuration wizard. Do you have any recommendations about the configuration steps? Best Regards, Bela Vajda

Lawrence what feeds do you use to block the ads? For your personal use

Nice video. So now my ISP can't "see" the DNS i am on, only the ip? Can they read f.eks "192.168.10.10/info/importentstuffthatissecret"? or do they just see "192.168.10.10"?

Another super video. When I started geo-blocking, PfSense seemed to say that everything was blocked anyway and there was no necessity to block from pfBlockerNG. That's a bit confusing. What's your take.

Thanks for the timely video. Should I configure the client primary DNS server to the IP address of the pfSense box?

@sitte24

4 жыл бұрын

Normally you would just hand over that DNS IP automatically over DHCP, if however you are not using DHCP or have set DNS on the clients manually, you should put that IP address in there in order to work as expected. Edit: As with pihole, you should only have a single DNS address configured in the clients settings. Otherwise the client could use the alternative DNS server which would result in bypassing all blocking configured in your pfsense box

I will not be needing uMatrix, Adblock Plus, Privacy Badger, uBlock Origin, Forget Me Not add-ons anymore for my Firefox correct?

great video!

I just install it and run the wizard and then can't connect to any websites...

If I have networks handing out 1.1.1.3 DNS to devices to block porn does that mean the DNS portion of pfblocker will be bypassed but the IP protection will still apply? Do you recommend this?

There a more updated video on pfBlocker?

Odd I have no edit pen under GeoIP...

well it looks like if you play overwatch the geo drops connections after a while.

Great video!! Would you mind to share your blocklists? :D

This blocking helps for folks using preinstalled browsers (IE, Safari), but using a browser with builtin ad-blocking (Brave is a good one) gets you over the line.

lol I consider myself to be a fairly savy pfsense user but I've tried many times, followed this guide many times and am unable to get pfblocker to dnsbl to filter at all. I'm sure I'm doing something wrong...

Hi Tom, I found your video after discovering my webgui was exposed to the WAN after configuring geo blocking. In each configuration page it says "it's NOT recommended to block the 'world', instead consider rules to permit traffic from selected countries only". So that's what I did - I permitted the select few countries I required inbound for, but in doing this it also automatically permitted port 80 to our pfsense. I even tried creating a block rule at the top of both the floating and wan pages (source: any, destination: wan address, port: 80) and reloaded the rules. Port 80 was still accessible on the WAN! I tried changing the destination from 'wan address' to 'this firewall' but this made no difference. Any ideas why the block rule was being ignored? I've temporarily had to turn off geo blocking all together to hide port 80. Should I be ignoring the recommendation to not block the world, and instead deny inbound just as you have?

where can I find a DNSBL list to block Bigo Live?

DNSBL Feeds List has a lot of change Malwarebytes & hphost has delete

Is there any similar way for Edgerouter? I use just a Pi-hole there now.

@LAWRENCESYSTEMS

4 жыл бұрын

Nope

I just got this up and running but if a client manually sets their dns server to a public server (not the pfsense dns) dnsbl does not work as intended. Any suggestions? I followed the "Redirecting all DNS Requests to pfSense" guide on their website.

@mal798

8 ай бұрын

2 years late, but you just need a firewall rule to deny outbound traffic from LAN to destination port 53. This forces the use of an internal DNS server, be it pfblocker, unbound, pihole or some other service.

What's the best way before updating to devel to ensure ALL pfblockerng settings are DELETED (not preserved) when uninstalling. I read do a force update but unclear if that means after uninstalling or after the devel release is installed.

@LAWRENCESYSTEMS

4 жыл бұрын

uncheck the "Keep Settings" box or just run the Wizard again.

Hi Tom, if LAN Have a public IP can we filter the sites on that Lan or not if yes, then instruct me how ? thanks in advance it's an issue that I faced with it please help me

@LAWRENCESYSTEMS

2 жыл бұрын

docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-transparent.html

This job files eyes which?

Tom, how can I whitelist a port for inbound when GoeIP is enabled?

@occrash5616

4 жыл бұрын

Put it above the other rules and make sure to select "apply immediately"

Currently am using Untangle (Home pro) , am I loosing something if am not using pfSense ? Or is it better than UT

@aldi3556

4 жыл бұрын

Hi I second to that, also I’m using Pi-Hole on a separate VM, it would be good to know if Untangle has something similar.

didnt work to edit GeoIP. Maybe i need I licence, but still after getting trial licence nothing showed up

@darkdelta

3 жыл бұрын

Same thing here, the edit option is not there. And no replies to your comment.

Hi Tom in the past you said about GeoIP yourself: Don't lock out the world, but rather permit the connections you want/need Especially for Inbound connections Did you change your mind on that? Thanks

@LAWRENCESYSTEMS

4 жыл бұрын

We have inbound GeoIP blocked for countries we don't interact with.

@JasonLeaman

4 жыл бұрын

@@LAWRENCESYSTEMS I block all inbound of China & other country that hammer on my site !

@ZerED73

4 жыл бұрын

@@LAWRENCESYSTEMS But by default, everything is blocked what is not allowed. Isn’t it easier/better to create pfBlocker GeoIP alias of permitted countries (i.e. List Action: Alias Permit) and use this alias as source address in existing firewall rule(s) for opened port(s)?

Working through this you now need a licence for max mind if you don't do that no option to update feeds in geoIP

@LAWRENCESYSTEMS

3 жыл бұрын

yup kzread.info/dash/bejne/ZoB1ptSjncnFoqQ.html

Please confirm that a Pi-hole on a network with pfBlockerNG should be disabled or removed.

@LAWRENCESYSTEMS

4 жыл бұрын

Pfblocker replacees the pihole

@aldi3556

4 жыл бұрын

Hi Tom, Thanks for the informative video, do you know if Untangle has something similar to Pfblocker on their side?

Hi I am having issues with it, does not want to update data base. its Only updating GEO. UPDATE PROCESS START [ 05/31/20 11:45:10 ] ===[ DNSBL Process ]================================================ Clearing all DNSBL Feeds... completed Validating database... completed Reloading Unbound.... completed DNSBL update [ 0 | PASSED ]... completed [ 05/31/20 11:45:11 ] ------------------------------------------

23:33 my town, sad story.

Can pfBlockerNg block specific url? Like I want to block some youtube channel, but not the entire youtube

@LAWRENCESYSTEMS

3 жыл бұрын

no

can pfblocker and snort live together in the same pfsense box?

@LAWRENCESYSTEMS

4 жыл бұрын

Yes, they are both plugins that can work together

The pfBlockerNG wizard did not run for me. There is no "IP" tab under pfBlockerNG. Published November 10 and it's already so out of date that it's useless to follow along.

@gordonsoukoreff4309

4 жыл бұрын

Same issue with version 2.1.4_20 ie. no wizard and no IP tab.

very intresting vid. but got a question, i was gonna order Raspberry pi for Pi Hole, jut few hours ago and fell to sleep, woke up and watched your vid. 😉, btw question is, can i black list domains i dont like? like Pi Hole? is there a report of domains that are beeing resolved with a click in front of them? so i can just black list thoes? im sorry if thats something i missed in the vid but my english is not my native language.

@LAWRENCESYSTEMS

4 жыл бұрын

You would use this instead of the pihole

@skipad4306

4 жыл бұрын

@@LAWRENCESYSTEMS yes Thanks. but is there an Blacklist button on resolved domains for future block? Pi Hole has a button in front of all resolved ones to add it to the black list. that would be easier then editing or adding each domain manualy. i mean im sure there is or there must be, but cant test it yet as tomorrow i will get my pfsense machine( been using Pfsense and PiHole in vm till a month ago)

@sitte24

4 жыл бұрын

@@skipad4306 short answer: yes there is

@skipad4306

4 жыл бұрын

@@sitte24 thankyou. lol immodding a chinese mini pc right now. adding pcie 4x nics. preapring it for pfsense

It seems that GeoIP setting has changed since the make of this video: It looks like it requires a license key in order to be configured?

@LAWRENCESYSTEMS

3 жыл бұрын

Yes

@GeorgeTJ

3 жыл бұрын

@@LAWRENCESYSTEMS I figured that the license key is free of charge but you have to have a business company in order to legally obtain one. From what i understand it's illegal for home users. Therefore, after reading the terms I had to step back... Thanks for another excellent video anyway!

How do we stop Android devices from getting around pfblocker?

@LAWRENCESYSTEMS

4 жыл бұрын

you don't

@thezfunk

4 жыл бұрын

@@LAWRENCESYSTEMS but seriously, rooting the device? How is this impossible. I have not found a good explaination.

great tutorial! tnx. Do you use static route in this tut? Have you tried OSPF? im running ospf and pfblocker VIP ip breaks OSPF negotiation. Have any ide how to fix even?

looks like the pfBlockerNG changed a bit recently, some settings are mixed and GeoIP needs a licence *NEVERMIND* i'm a dumbass and installed the wrong thing...

In your experience, would you run pfBlocker over piehole? Benifits?

@Ayymoss

4 жыл бұрын

I switched from PiHole just because it's now all in one instead of another device/VM to run PiHole.

@stuartwilson2277

4 жыл бұрын

@@Ayymoss do you like it better or is essentially the same? Any features missing that you would like to see the piehole has that pfBlocker doesn't?

@LAWRENCESYSTEMS

4 жыл бұрын

It's better than a pihole because I don't have to run a separate system

@michaelandersson6088

4 жыл бұрын

Pi-hole is DNS only, pfBlocker can do DNS aswell as ipv4 and ipv6 blocking.

@Ayymoss

4 жыл бұрын

@@michaelandersson6088 What Michael said. Good shit. :)

You still shall not block the world like the developer have said so many times. You should only allow from specific countries to protect your ports. Not block the whole world except a few countries.

Using this and pi hole.

@sitte24

4 жыл бұрын

Why both? Pfblocker does everything pihole can

@Phil-D83

4 жыл бұрын

@@sitte24 fun. Lol

Hi lourence, may you consider talk a litle more slowly, for that guys like me that mother language isnt english, pelase. I realy like your vídeos but some times i cant undertand. TKS and congrats for ur KZread channel!

@stephendetomasi1701

4 жыл бұрын

You should be able to change the speed of the video

@robertoadriano7390

4 жыл бұрын

@@stephendetomasi1701 ok, TKS i realy didnt know! Kkk

i got jipped.. i never got no dam wizard lol..

Every tech nerd knows what getting blocked and rejected are - from stalking women online