Pfblockerng issue

I run pfsense at home and I am experiencing some strange issues seemingly to do with pfblockerng.

The issue I was seeing was my IoT & guest VLANs were not resolving certain websites. I didn’t really notice since I personally never use these… but strangely I am on vacation this weekend and am seeing this issue on 1 of my 2 WireGuard connections as well. On my laptop I have a full tunnel and a split tunnel config, same subnet on the pfSense side… only 1 has AllowedIPs of:

AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24

and the full tunnel is:

AllowedIPs = 0.0.0.0/0, ::/0

I am seeing the same issue I see on my local VLAN subnets across these two different WireGuard client configs.

I have been playing around with settings and it seems like if I disable pfBlockerNG and DNSBL, reset pfSense states, and bounce Unbound, things start to work as expected. I am testing this via trying to resolve cnn.com. When I am in the state of this issue, I can’t get it to load (it will eventually load… after minutes) on my split tunnel nor on a VM I spun up on my IoT network back at home. As soon as I take pfBlockerNG down, clear states and bounce Unbound, I can immediately get to cnn.com again.

Of note, which makes no sense to me, I don’t have this issue on my full tunnel with

AllowedIPs = 0.0.0.0/0, ::/0

Originally I thought this was a DNS issue, but even when I am in the state of not being able to load the website, I can ping cnn.com without issue. What the heck is going on? Any ideas how I fix this?

My IoT subnet rules are a little more involved, but seeing as I can replicate it on my WireGuard subnet… this is about as simple a ruleset as you could get…

WireGuard settings for the split tunnel:

[Interface]
PrivateKey = xxx
Address = 10.1.15.4/24
DNS = 10.70.5.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.1.15.0/24, 10.90.5.0/24, 10.80.5.0/24, 10.81.5.0/24, 10.70.5.0/24, 192.168.69.0/24
Endpoint = xxx

WireGuard settings for the full tunnel:

[Interface]
PrivateKey = xxx
Address = 10.1.15.4/24
DNS = 10.70.5.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxx

My guess is that pfBlocker is blocking a resource that the site needs to load. I stopped using pfBlocker for ad blocking and just use uBlock Origin so that it’s quicker to figure out why a site won’t load.

A quick look shows CNN makes 220 different HTTPS calls, and blocking some of those, such as doubleclick.net, may cause their site not to load.

It could very well be a list that is blocking cnn.com. I had to whitelist ‘cnn.com’ because it was being blocked by one of my adblock lists.

I used the extension AdamOne and these are the HTTPS calls that load when I go into cnn.com:

Considering I have very strict lists, I heavily rely on that extension to weed out what needs to be whitelisted.

Sucks but it’s something I don’t mind doing.

This is where my lack of understanding comes in, but why would some subnets work fine, and others not? And even more strange, why would a WireGuard tunnel have issues simply due to which IPs I’m allowing? If I edit my split tunnel client side to allow all IPs as my full tunnel does, it works fine.

Same question as above.

I just don’t quite understand this behavior.

This is where my networking knowledge runs dry… is there an application I should try to use to determine what is happening, or some tools/logs in pfSense? Or could this just be a weird quirk and I should just accept that it’s likely pfBlocker, since disabling it does appear to solve the issue?

Assuming it is indeed pfBlocker, should I just switch to Pi-hole? I can easily spin up a container on my homelab for it (I have in the past), but since I use HAProxy internally for domain resolution, my brain gets a bit confused how I’d be able to use pfSense and Pi-hole in tandem. I suppose I use pfSense as the DNS that gets handed out to clients via DHCP, and then I point pfSense to Pi-hole for its DNS? Does this not add extra latency since it’s adding an additional hop for anything not cached?
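One concrete way to answer "is there a tool to determine what is happening" is to ask the resolver directly and look at what it returns. The script below is an added example, not code from any poster in this thread or from the pfBlockerNG project: it sends a plain UDP A query to a chosen DNS server and classifies the answer as a normal resolution, an NXDOMAIN, or a DNSBL sinkhole answer. It assumes the resolver is 10.70.5.1 (the DNS line from the posted WireGuard configs) and that the DNSBL VIP is 10.10.10.1, which is pfBlockerNG's default but may be different on your firewall; adjust both constants. Run it from a client on the split tunnel and again on the full tunnel: if one path gets the VIP for cnn.com and the other gets a public address, the two paths are taking different DNS routes, which is a DNS question rather than a firewall-rule question. A sinkholed name still answers pings if the VIP does, so a successful ping on its own does not rule out DNSBL.

```python
"""Added diagnostic (not from the thread): resolve a name against a chosen
DNS server and report whether the answer is a pfBlockerNG DNSBL sinkhole."""
import random
import socket
import struct

# Assumptions: 10.70.5.1 is the DNS server from the posted WireGuard configs;
# 10.10.10.1 is pfBlockerNG's default DNSBL VIP and may differ on your firewall.
RESOLVER = "10.70.5.1"
SINKHOLE_VIPS = {"10.10.10.1"}


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS A query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def parse_a_records(buf: bytes):
    """Return (rcode, [A-record addresses]) from a DNS response."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(buf, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def classify(rcode: int, addrs, sinkholes=SINKHOLE_VIPS) -> str:
    """Label an answer so two DNS paths can be compared side by side."""
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return f"error-rcode-{rcode}"
    if not addrs:
        return "no-a-records"  # empty answer or CNAME chain without an A
    if set(addrs) <= set(sinkholes):
        return "sinkholed"     # every address returned is the DNSBL VIP
    return "resolved"


def query(name: str, server: str = RESOLVER, timeout: float = 2.0):
    """Send one UDP A query to `server` and parse the reply."""
    qid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack(">H", data[:2])[0] != qid:
        raise ValueError("response ID mismatch")
    return parse_a_records(data)


def constructed_response(name: str, addrs, rcode: int = 0) -> bytes:
    """Build a response packet the way a server would; constructed for offline testing."""
    qid = 0x1234
    header = struct.pack(">HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = build_query(name, qid)[12:]  # reuse the question section
    for ip in addrs:
        body += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + body


if __name__ == "__main__":
    for host in ("cnn.com", "www.cnn.com"):
        try:
            rcode, addrs = query(host)
            print(host, classify(rcode, addrs), addrs)
        except (OSError, ValueError) as exc:
            print(host, "query failed:", exc)
```

Running the same script with `server` pointed at an upstream resolver (for example the one Unbound forwards to) and comparing the two outputs shows whether the difference is introduced at pfSense; pfBlockerNG's own DNSBL log on the firewall should then show the matching entry for the sinkholed name.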

It’s likely the subnets that work are not using pfSense as the DNS, or the things you are testing are using DNS over HTTPS and bypassing pfBlocker.

Hmm, I don’t think so. I have pfBlocker applied to all VLANs, so why things work on some VLANs and not others doesn’t make much sense to me.

My current plan is just to switch to Pi-hole with pfSense being the upstream DNS (with pfBlocker disabled, or at least the internal-facing portion). A quick test in my VPN subnet and that does seem to fix things… so next will be to set it up across 2 VMs for an HA solution and have pfSense hand my Pi-hole IPs out over DHCP.

Would really like to understand why pfBlocker was causing this issue, but for my needs, if Pi-hole “fixes” the issue, that’s good enough for government work, as they say.

FWIW, after lots more testing, it does look to be pfBlockerNG just being… fucky. I don’t know what it’s even doing wrong, or how to explain why it’s doing what it’s doing, but I switched to Pi-hole and everything is fixed. So I spun up 2 Pi-hole VMs for a pseudo-HA solution with DHCP handing out each of their IPs in case one goes down. Things are happier for sure, and I am using Unbound on pfSense as their upstream DNS.

Curious if the DNS queries were ever reaching DNSBL. I’d toggle various levels of logging, but not sure if the tools in pfSense allow for every option. But in the end, your new setup is better the way it is.

Doesn’t Pi-hole do everything DNSBL does? If so, I’d just use it as a recursive resolver and be done with it. Also, I don’t bother with master/slave DNS servers at home; in all my years I have never had a BIND server even sputter. Just my $0.02


I’ve used Pi-hole before, but ever since I learned pfSense, what it can do, and that it also has ad-blocking capabilities, I switched.

I personally don’t like having two services that 1 service can handle plus more.

That being said, I believe it may have been the way pfBlockerNG was set up. The only thing I change on pfBlockerNG on a fresh install of pfSense (which I do almost every other month) is:

Unbound Python Mode, Python Control, IPv6 DNSBL, Global Logging /Blocking Mode: DNSBL WebServer/VIP. In DNSBL SafeSearch, I enable DoH/DoT/DoQ Blocking and select all Apple options (thanks iCloud Private Relay!). Everything else is default in DNSBL.

Any other settings I’m not familiar with, except Wildcard Blocking (TLD). WB (TLD) was blocking almost all the websites I would visit… not too sure why, but I turned it off for peace of mind.

This is how my DNSBL Group is set up:


I have 3,367,931 blocked domains, which my iPhones and laptops VPN into via WireGuard to block ads. Has been working great for the past year and a half.