Thank you very much for teaching us how to configure pfblocker DNSBL on pfsense. I have followed your instructions and everything is working perfectly. Best Regards from Catalonia (Spain)
How did you get the black list? Is it possible to use squidguard blacklist in pfblockerng?
by far the best explained and easy to understand tutorial. subbed.
Hi sir. I've watched your video about how to block this whole thing using pfblocker. It seems I like it very much, and it's a very informative video. This is what I was looking for. I am new to pfsense and I found out that your videos are very resourceful. Keep up the good work sir. God bless
Today my neighbor gave me an "old" motherboard and I grabbed some ram and my old SSD and installed pfSense right away, and temporarily replaced my Mikrotik (RB750r2) with it.. I just finished setting pfBlockerNG up, and man.. that's simply amazing.. it even looks like I never turned off my AdBlocker on Chrome! Thank you so much for this tutorial ;)
Just got my Netgate 1100 up and running and this was the first config video I went to! Thanks for the info, now those ads are going away...
i got mine as well around the same time. great fw
4:08 Thank you for also stressing that best practice is to block external DNS request and force the network to go through pfSense. Thank you also for demonstrating how to properly and easily apply the Firewall Rule. This is an overall fantastic tutorial.
great video! BTW you can whitelist some sites in the DNSBL. You can go to alerts and whitelist the site that is being blocked.
"not gonna talk about this feature"
the only one I cared for
Your explanation and thoroughness of this is fantastic. Love your pacing with it all as well. Thanks for the great video!
Thank you so much for making this video. You have no idea what a headache you have relieved!!
Great video Tom. Suggestion: Use NAT for DNS; set up NAT rule on LAN that forwards all UDP port 53 traffic to the localhost IP (pfsense). This way, pfsense has all dns traffic and nothing breaks if dns is manually set.
Great idea!
Yes I added those 2 rules into my pfsense for DNS and it worked, but broke my ability to browse my share on my freenas box with my linux file manager. I could still get to it in ssh and my mounts worked, but for some reason my Dolphin file manager failed to connect \\10.x.x.x it would just time out. I turned off the 2 rules and it worked fine.
I do that and works great! Thanks.
Clever!
Sorry, I'm a bit confused. Am I setting the rule to pass or deny the UDP packets as per what you recommended?
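Added example, not part of any comment here and not from the video: a small Python check, run from a LAN client, that reports whether DNS sent to an outside resolver is dropped (block rule), answered by pfSense in its place (NAT redirect), or still gets out. The resolver address, the test domain and the 10.10.10.1 sinkhole address are assumptions; substitute the values from your own setup.

```python
"""Check from a LAN client how the firewall treats DNS sent to an outside resolver."""
import socket
import struct
import sys

SINKHOLE_IP = "10.10.10.1"  # assumption: the DNSBL virtual IP; use your own


def build_query(name, txid=0x1234):
    """Encode a recursive DNS query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_first_a(msg):
    """Return (rcode, first IPv4 answer or None) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return flags & 0x000F, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return flags & 0x000F, None


def sample_response(name, addr, txid=0x1234):
    """Constructed reply (not captured traffic) answering `name` with `addr`."""
    question = build_query(name, txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(addr)
    return header + question + answer


def classify(reply, sinkhole=SINKHOLE_IP):
    """Interpret what came back from a query aimed at an outside resolver."""
    if reply is None:
        return "blocked"        # no answer: outbound DNS is dropped or rejected
    try:
        _rcode, addr = parse_first_a(reply)
    except (struct.error, IndexError, OSError):
        return "inconclusive"   # truncated or malformed reply
    if addr == sinkhole:
        return "redirected"     # pfSense answered in the outside resolver's place
    if addr is not None:
        return "bypass"         # outside resolver reachable, DNSBL can be skipped
    return "inconclusive"       # NXDOMAIN or empty answer: test another domain


def probe(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver`; return raw reply bytes or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (resolver, 53))
            reply, _ = sock.recvfrom(4096)
            return reply
        except OSError:  # includes timeouts and ICMP rejections
            return None


if __name__ == "__main__":
    # usage: python dnscheck.py <outside resolver IP> <domain on your blocklist>
    resolver, domain = sys.argv[1], sys.argv[2]
    print(resolver, domain, classify(probe(resolver, domain)))
```

The domain passed in must be one you know is on your DNSBL, otherwise a redirected query and a bypassing query both return an ordinary address and cannot be told apart.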
Thank you so much. I was specifically looking for the "Pi-Hole lists" part.
Is the list for pi-hole still available? I can't seem to go to the github page as it doesn't exist.
Got this up and running in about 10 minutes, took about 5 hours with manual unbound/pihole config on my old setup.
Love your videos, especially pfSense. I've got my home VMware hosts all up and running and pfSense thanks to you. I just need to setup a cluster now for pfSense, I'm sure you already have a video on that.
It's the oddest thing - the first time I tried this about 6 months ago, it wasn't working properly - oh it worked but DNS resolution was so slow it was unworkable. Now after seeing your other tutorial on running PFSense on XCP-ng where you state to disable checksum offloading, I turned PFBlocker back on without disabling the CO and it works normally. Weird or what? Thanks for making these videos BTW. They are great.
I had it disabled, was not working before, now working and will continue to use it
Thanks Tom for the great Tutorial! Please consider the pihole on raspi and pfsense tutorial you mentioned at 11:11 in the video. I currently use a pihole running on raspi at home and want to get that working with my new pfsense box.
Not needed ua-cam.com/video/OJ8HHwpGxHw/v-deo.html
Hate to chime in...but well done. Thank you for *all* the instructional videos and reviews that you've done.
Wonderful video, thank you!! I had tried to configure this before without fully understanding some of the essential options. You covered them all with explanations to boot. Really great material to operate a safer home network.
Do you have a video showing how to edit softs????
aah, i just got into making soft rn and this is so helpful and your voice is so soothing btw! thanks for this tutorial
Very nice video, I need to ask 2 questions. I am running this schema: internet, Pfsense, USG, Un-switch 8port 150w. I tried to block gambling, bets etc. but nothing with pfBlockerNG-devel. Also I can't see the IP lease from Pfsense, only the USG. Is this correct? Any suggestions?
very well explained, thank you, is there any way to block streaming websites especially youtube using pfblockerNG?
is it possible to allow using a MAC address or binding an IP address to a MAC address and allowing that IP/MAC address ??
Should the Action under PfBlockerNG\IP PRI1 be Deny Outbound or Deny Inbound?
Thanks so much for the great video! I am confused on your LANnet DNS rules beginning at 4:48 in the video. What are you specifying for DNS servers for these rules? On your dashboard, DNS Servers listed are: 127.0.0.7; 192.168.3.1 (maybe pfsense box?); 208.67.222.222 (OpenDNS server) and 8.8.4.4 (google).
Can you please explain or direct me to a previous video that specifies what DNS servers you are using and how they tie into the LAN net Rules?
Hi!
I have the same question, were you able to figure out how to set the DNS server?
I was able to use squid to filter ssl traffic but this is much easier! Thanks Tom!
Very nice and easy to follow. Nice job Sir !
DUDE, I got so frustrated 'cause of that problem, thanks a lot!
excellent video once again. It is just what I was looking for. Thanks
Thanks for the great tutorial, but can i use a custom html web page including a message to be directed to instead of the (1x1) single Pixel? :)
Great explanations man! Keep up the amazing work man!
Thanks a lot for making this video.
Could you also make a video on how to add a custom domain not on the list to be blocked?
Great tutorial!!! But what if I want to add a specific website to block? Where can I enter the URL? Thanks man.
Thx good video! Do you think that services like PS Vue won't have troubles with this approach?
This is a very handy pfsense video. Thanks for sharing.
Your tutorial has been a great help setting up my pfsense box.
But now I feel like I am knocking my head against a brick wall. I have 2 interfaces bridged and the second one (without an IP) can't talk to the pfsense DNS server despite allowing using rules. Anyone had the same problem, any clues on solution. As a temporary fix I have set up a NAS to an external DNS server.
very informative and easy to implement. thanks bro, you did great job.
What firewall setup would you use on a small broadcast studio (TV)?
Love your videos on pfSense. Is there any way you can zoom to the sections where you're typing when you're typing? Even when you said let me zoom in, when you were doing NS lookup, it was still so far out. Thanks again for all your pfSense videos...
Very informative tutorial, always enjoy your videos! Thank you.
great video, to the point, important information. many many thanks
is it possible to create different policies for different users like hardware firewall
Hi Lawrence, please, I need your help in updating my PFsense so that I can install the packages on my firewall
This did not work for me /
I am in an internal network, also I didn't add the dns rules because they ended up blocking everything, and I use a public dns, plus dns over tls, I think that might be stopping me from blocking via dns
Hello. thanks for the tutorial. After setting the firewall rules for DNS 52 UDP port, it also blocks the Google services, like GoogleDrive, and so on. It also stops Windows applications like Microsoft Teams. Does this have a solution? I want to allow Google products to run on my Lan.
I am using pfsense 2.6.0
How can I set it to only allow my smartphone to access a server in my neighborhood from outside it?
Is it possible to create a custom redirect page with a message? instead of using the single pixel for those websites
Thanks for the Video, I have implemented but how would I block say netflix? just one site in addition? Or maybe streaming websites, but not like youtube.
DNS over TLS uses port 853, would I need to also set up the same firewall rules along with the ones for port 53 if I’m using pfSense DNS Resolver to do DNS over TLS? Or just rules for 853?
Thanks in advance.
thanks for the tutorial tom!!!! I just configured it in my pfsense, I just have an error that the hostnet is not updating, but maybe it is a server error. greetings from mexico
Why do you need the first "allow" rule for port 53? Source=any, destination=lan net. The rule is inbound on lan port. If host there wanted to get to dns server on the lan, it wouldn't be routing thru pfsense it would go direct. So the rule is not needed.
Hey... Thanks for the tutorial, just have one question... wouldn't the exception rule included at the end be invalid if the machine is allocated another ip address at boot up from your pfsense system? I believe it would be more effective if the machine was to be assigned a static IP possibly outside the defined range. Cheers.
Just one question: is it necessary to use squid and pfblock at the same time under pfsense?
i want to create for particular ip group and some sites blocks in this group. its possible in this.
Is there a way to customize the web server so that you would get your own "block screen" instead of just a black screen?
Can opnsense do this as effectively and easily? I was going to go with opnsense but this looks like a good feature.
This package is not available in OPNsense.
At the very least, LTS deserve an extra couple of zeros on the amount of subscribers they currently have.
My pass IP rule does not work. Do I have to restart something? I am still blocked. (19:25= -> )
Hi! I got curious about if you use a screen capture software, or a streaming software and capturing the output. Which is it?
Whatever he uses he's extraordinarily adept at presenting to a technical audience.
+Scott Smith ;) OBS makes it easy
Cool! Thanks for confirming ;)
I'm a newbie soft soft (20.9) user, and I'm on Mac 10.14. Would you please help about how to select
Hi, Lawrence, very good video. Could you please tell how to put a blocking webpage instead of the pixel?
When a page is blocked you get the pixel
Hi, What if i want to Block all then whitelist few websites. What would be the best way to do it ? Thanks
Maybe you can guide me, I can block the pages but when I put www. ahead it lets me enter the page. What would be the problem?
Hi, very good tutorial, so how can I unblock a site in the list?
I don't know if there is any way to prevent pfsense from solving dns pollution and poisoning and reset the connection
Is it possible to specify a list of IP to this rule? Not only for the whole network? How? Thanks in advance.
# ZeuS Tracker has been discontinued on Jul 8th, 2019
Not seeing the DNSBL/Feed in 3.0. Did they move it somewhere?
did they ever find a work around for android chrome?
Tom, Some of the Pi-Hole list entries don't work anymore namely Zeustracker and Hosts file. Can you show us the lists you currently use or point us to the links that we can use?
I am probably asking you a difficult question - I have two different interfaces, I want to block Ad + Social on one and on other I want to block only Ad. I was hoping to get custom alias built by pfblockerng and then use it in firewall rules. Right now I found some IP addresses and then added to the rule - though this is hard to maintain - what is your take?
Thanks in advance :)
Thanks Tom - very insightful. Do you know if this site-blocking technique is also available in the UBNT Edgerouter-X?
+Steve Oechsle to my knowledge there is not any easy way to do it. I'm not sure if they will be updating that in future versions though. But because this is almost pfblockerng her to my knowledge there is no version of that for UniFi or the edge router products
I haven’t created a single project on there. On my iPhone and iPad on the other hand, I’ve created multiple s and soft in just one
If I have a multiple vlan setup, should I create the same rules which you created for LAN in all the vlans?
Yes
Hi there I hope you can answer a question how would this apply when you would want to block only one user from accessing Facebook for example?
Not how this works, blocking individual users requires more complex firewall rules that would have a list of all facebook addresses and then the IP of the device you want to block.
@LAWRENCESYSTEMS Thanks will look into the rules for the pfsense
Quick question, I'm new to pfsense. Does openDNS already do this? Or is configuring pfblocker better?
Great video. funny that 3yrs later mainly Steve's list remains undisturbed 😅😅
thank you lawrence you are my super hero :D
Hi Tom, how do you perform blocking for a custom domain list? Thank you.
You could build the list as an alias.
I'm just clear n more understanding to making up my own pfsense blocked sites 😘
Thank you very much, another great video! Been following your tutorials for quite some time. Anyways a bit out of topic, can you please help me on how to block psiphon application or how to even track it on the network, it's been causing me some problems. Any help would be greatly appreciated
I watched this tutorial to the end, porn sites etc. don't get blocked with a message or even a pixel but it gets listed on firewall/pfblockerng/alerts and then tab report. It's like it sees that I am wanting to access it but no block? Even at nslookup I still get the IP address of porn site, gamble etc. Rules are set on the firewall/rules/lan, what am I missing here?
is there a good way to change the pixel to display an image of your choosing? all I could find on the forum is that it's a selectable feature coming in the next update of dns or blocker, if there is a manual way I'd love to know.
thx
Hi Sir! Is there a way that I can whitelist an IP on DNSBL? example. I want 10.10.30.2 to access facebook only. Can I whitelist the said IP?
Thanks, works great! Replaced my RasPI.
Superb tutorial. Do you know if there is a way to block youtube ads { those that appear before a video }? Also are you planning on doing a tutorial on pfsense Snort setup - which rules to enable for home setup? That would be great! Big fan! Greetings from the UK.
you can use ablocker plus (chrome extension), i can say i get zero ads in youtube when using Chrome*
jinksy31337 yeah. But I would like to do this on router level.
There is a comment in the reddit thread about it. It seems to work for them, even on mobile and consoles. I really want to check it out after I get the hang of the basics.
Tomasz Nowicki It unfortunately cannot be done on router level, because ads on YouTube are just videos from YouTube itself. So the router doesn't see the difference between an ad video and a normal video, the browser however can spot the difference, that's why browser extensions are able to filter out the youtube ads!
With all due respect to free software, pfBlockerNG needs to address some surprisingly absent features to address issues it creates. For instance, it needs to allow the input of DNS txt lists without a server like with IP lists. It's only a txt list so why can't you easily add custom designed DNS txt lists that don't rely on large foreign web lists. Otherwise, you need to be able to edit the accumulated list as well as view it for easy assessment. It also needs to allow changing the 1 pixel to a graphic which shows pfblocker as the blocker to know what it affects vs other restrictors. These simple limitations cause way more effort and complexity than necessary in deployment of an otherwise great concept and in troubleshooting web issues.
How to block all traffic, except selected web sites? (can you white-list DnsBlocker?)
Do i have to use different DNS server than PFSense for this to work?
One thing I still have not figured out is how to block the PI hole sites for all. But block X for a set of people and allow X for others. Yet keep PI hole blocked
Is there a way to do this using a USG?
10:37 - Can you use that Xen fork hypervisor to run pfsense virtually on a box ?
pfsense can be run in a hypervisor. I have tested it with both VirtualBox and XEN. I am sure it works in many others.
Works in Hyper-V as well. May fall back on that but virtualizing your router\firewall has its own issues no matter how you do it. Mainly, rebooting the hypervisor shuts your internet off.
+Scott Smith guess that's why the auto start is necessary
Any problem using NAT to redirect external DNS to 127.0.0.1? Does that happen before or after the firewall rules?
Hello my friend, how are you? What are you using to block files download? I know that you can accomplish that with squid proxy filter using regex, but I do not know any other way to do the same thing. Do you have any suggestion? Thanks.
Very informative, thank you for a great video!
but isn't mim /ssl filtering needed to have clam av scan anything now or else av in squid isn't doing shit????
So I find by adding a single host as the Destination Ip of pfsense it works as well. No block rule either.
when using Browsec extension we can bypass these rules so is there any solution for that with pfsense?? I speak about proxy extension or apps