pfSense is a very powerful open-source firewall/router solution. Based on FreeBSD, pfSense has a strong focus on security. Even in a “vanilla” configuration, pfSense will be much more secure than any off-the-shelf router you can buy.
Out of the box, pfSense gives you many tools to customize your secured network setup. But on top of its default tools, pfSense also hosts a repository of add-on packages that you can install to enhance your setup further.
In this post, we’re going to be looking at pfBlockerNG. pfBlockerNG is an optional package available for pfSense. What pfBlockerNG does is essentially extend pfSense’s firewall functionality by giving you the ability to finely tune inbound and outbound connections using IP and DNS blocklists.
pfBlockerNG has two core uses:
Inbound & outbound traffic filtering
pfBlockerNG can filter inbound and outbound traffic against IP lists and apply GeoIP restrictions by allowing or denying traffic to/from specific countries. The latter functionality can be very useful if you open ports on your WAN.
Blocking ads and malicious sites through DNS blackholing
pfBlockerNG can block ads and access to malicious sites through DNS filtering. As you browse the web, your DNS requests are checked against a blocklist. If there’s a match, the request is blocked. It’s a great way to block ads without using a proxy server.
We’re going to look at both use cases and will go into more detail as we tackle each one.
This guide assumes that you have already set up pfSense with functional WAN and LAN interfaces.
Let’s get started.
The first thing we need to do is install pfBlockerNG.
Now that pfBlockerNG-devel is installed, we need to configure our package. And we’re going to start with IP and GeoIP filtering.
We’ll be configuring pfBlockerNG section by section. Any settings that are not mentioned should be left at their default values.
As I mentioned above, the GeoIP feature of pfBlockerNG enables you to filter traffic to and from entire countries or continents. To do this, pfBlocker uses the MaxMind GeoIP database, which requires a license key. There is a link in the MaxMind License Key field description that takes you to the MaxMind registration page. The MaxMind license key is free.
Fill out the registration form to obtain your license key. Once you have your license key, insert it in the MaxMind License Key field.
This section determines to which inbound and outbound interface(s) pfBlockerNG’s IPv4, IPv6, and GeoIP filtering are applied.
It’s now time to add some blocklists to pfBlockerNG. While you’re free to add your own custom feeds, pfBlockerNG has some built-in feeds that we can enable (the terms list and feed are interchangeable in this context).
This is very practical because hunting down blocklists on the internet is time-consuming, and many simply do not work or are no longer maintained. The feeds within pfBlocker are live lists that are regularly updated, so we’re going to use those.
The name of the feeds collection is populated along with its description. All of the feed URLs included in the collection and their associated descriptions are also populated. However, all of our feeds are set to OFF by default. We need to enable them.
But before we do that, we need to delete one of the feeds from the PRI1 collection. Pulsedive, the 7th feed from the top, is a premium list that requires a paid API key. We’re not going to get the API key for this tutorial. Click the Delete button.
You can repeat the same steps for IPv6 if your ISP assigns both an IPv4 and an IPv6 IP address to your WAN. Most of us are still on IPv4-only networks.
Before we configure GeoIP filtering, we first need to force an update of pfBlockerNG. pfBlocker automatically updates itself at fixed intervals. But to configure GeoIP filtering, pfBlocker first needs to pull the MaxMind database, and a forced update will do just that.
The GeoIP Summary consists of IP address feeds organized by continent, with two extra categories: Top Spammers and Proxy and Satellite. Top Spammers is a list of countries known to be a frequent source of online attacks. And Proxy and Satellite are known anonymous proxy and satellite providers.
You can choose to filter traffic to/from an entire continent, or you can fine-tune the feed by selecting only the countries you want to filter.
Now, there are certain things to consider here. If you’re looking to block outbound connections to a country or continent, go right ahead. However, if you’re thinking of blocking inbound connections from a country or continent, consider that pfSense blocks all unsolicited inbound traffic on the WAN by default.
That means that unless you have open ports on your WAN, blocking countries or continents is absolutely useless and will only consume memory for nothing. If you have open ports on your WAN, make sure you don’t block connections from countries you want to allow to connect to your open port(s).
However, there is a way to create custom aliases from the MaxMind GeoIP database within pfBlockerNG that can then be used directly as the source in your port forwarding firewall rules. Aliases are IP address lists in themselves that are native to pfSense. Using aliases, you can allow only the specific countries you selected to access your open ports.
Because pfSense automatically blocks any traffic that isn’t explicitly allowed in the firewall rules, we want to create an alias of the countries we will allow through the firewall. pfSense will block the rest by default.
If you do have open ports but just want to keep it simple, you can block inbound connections from Top Spammers and Proxy and Satellite without creating a custom alias. Remember that this is only useful if you have open ports on your WAN.
If you do not have any open ports on your WAN, only block outbound traffic or leave GeoIP filtering disabled.
To make sure that our traffic is being filtered. We can try to connect to a known IP address in the blocklist. If I try to access 220.127.116.11 (an IP contained in my pfBlockerNG IPv4 feeds) in my browser, the IP address does not get translated to a domain name, and I cannot connect. That’s what we want.
Let’s move on to configuring pfBlocker’s DNSBL.
Alright. We’ve configured IPv4 filtering and GeoIP filtering, and aliases. It’s now time to move on to using pfBlockerNG for ad-blocking. Ad-blocking in pfBlockerNG is achieved through DNS blackholing. This references your DNS requests against a list of known ad networks and trackers and blocks them at the DNS-level, whenever there’s a match, resulting in an ad-free internet. Hooray.
In order to use the DNSBL feature in pfBlockerNG, you must be using the DNS Resolver in pfSense for your DNS resolution. That means you can’t assign your hosts’ DNS via DHCP or use the DNS Forwarder (dnsmasq) if you want to use the DNSBL feature.
By default, pfSense uses the DNS Resolver on all interfaces. So if you didn’t make any changes to the DNS Resolver settings, you’re fine. If you did make changes, make sure to configure the Resolver to bind to your LAN (outgoing) and your WAN (incoming). And select any other LAN-type (OPT interfaces) and WAN-type (multi-WAN setup, VPN gateways) interfaces you want the DNSBL to filter.
We now need to add some DNSBL feeds.
We now need to force an update of pfBlockerNG, as we did above.
Once the update is complete, we can see that our DNSBL feeds have been updated.
To ensure that DNSBL filtering is working, we will try to connect to the domain I added to DNSBL Custom_List: vungle.com. If I try to access vungle.com in my browser, the DNSBL block page is displayed with some bits of helpful information.
Note: pfBlocker’s DNSBL includes a mini web server that can serve this block page. IPv4, IPv6, and GeoIP filtering extend the existing functionality of the pfSense firewall and simply block or allow IP addresses without displaying a block page.
So there you have it. You’ve successfully installed and configured pfBlockerNG-devel in pfSense. We configured IPv4 filtering, GeoIP filtering, as well as DNSBL filtering. All three of these make your network more secure and private without slowing down your connection.
As your network grows, you may need to open certain ports on your WAN if you want to run a VPN server or if you want to host a web server that’s accessible from the internet. When you do that, pfBlockerNG will be a nice tool in your security toolkit to help you lock down your network and granularly control access from the outside.