[Guide] pfblockerNG Setup (pfSense Adblocking)

Introduction

This guide will get you started with blocking ads on your pfsense router using a package (plugin) called pfblockerNG. This package is functionally similar to the popular standalone tool ‘pihole,’ with the added bonus of integrating directly with your pfsense router. It’s a much more robust solution than just using adblocking extensions in your browser (though we will cover that, along with added benefits of combining the two, later on).

With pfblockerNG you can ensure that ads will be blocked across your entire home network. You can use prebuilt ‘EasyLists’ and also subscribe to popular user maintained blocklists. We will cover setting up both. pfblockerNG is also smart enough to handle the overlap from duplicate entries in the routing table, so don’t worry if your selected lists might have matching entries.


0 - Prerequisites

Before we get started, we will need to edit the firewall to handle the increased amount of Firewall Table Entries for these lists. Without increasing this value, DNS queries take much longer, causing webpages to load very slowly.

  • Navigate to System / Advanced / Firewall & NAT and locate Firewall Maximum Table Entries. The default value for this setting is 400000. You can safely set it to 1000000 for the purpose of this guide.

Realistically you can set it much higher, but be wary of setting this too high as it directly uses more RAM the higher you set it. Tested on 4GB of RAM, my own fairly basic install sits idle at ~25% RAM in use. YMMV depending on your config and workload.

Note:

pfblockerNG only functions with the DNS Resolver service active. It will not function with the DNS Forwarder service active. If you need DNS Forwarding functionality, I highly recommend enabling forwarding mode in the DNS Resolver service. Click here for more info.


1 - Install pfblockerNG

  • Navigate to System / Package Manager / Available Packages and locate pfblockerNG. Click the Install button and wait for it to complete.

2 - Enable pfblockerNG

By default, all packages are disabled after installation.

  • Navigate to Firewall / pfBlockerNG / General and check the box for Enable pfBlockerNG.
  • Scroll to the bottom of the page and click the Save button.

3 - Set The Cron Update Schedule

  • On the same tab, locate CRON Settings. Set the desired frequency interval to update your block list(s).

I find once a day is ideal.

  • Scroll to the bottom of the page and click the Save button.

4 - Enable DNSBL

  • Navigate to Firewall / pfBlockerNG / DNSBL and check the box for Enable DNSBL. Scroll to the bottom of the page and click the Save button.

Optionally, if you have a lot of RAM, you can also enable TLD. This setting enables additional processing to block ALL sub-domains for advanced blocking. For example, a list with serverbuilds.net would also result in forums.serverbuilds.net being blocked with TLD enabled.

  • Locate DNSBL Firewall Rule - If you only have one LAN interface, leave this setting unchecked and proceed to Step 5.
    If you have multiple LAN interfaces, select each interface to protect and then check the box.
  • Scroll to the bottom of the page and click the Save button.

5 - Setup EasyLists

  • Navigate to Firewall / pfBlockerNG / DNSBL and click the DNSBL EasyList tab. Set DNS Group Name, and Description to anything you’d like, for example “Easylist.”
  • Set EasyList Feeds to:
    State: ON
    EasyList Feed: EasyList w/o Elements
    Header/Label: Easylist
  • Highlight each category by selecting each one (CTRL + Click to select multiple).
  • Set List Action to Unbound.
  • Set Update Frequency to be at least as often as your cron update schedule in Step 3.

I find once a day is ideal.

  • Scroll to the bottom of the page and click the Save button.

6 - Setup Custom Lists

For this step, I am using a popular user maintained list, found on reddit here. Feel free to edit and add your own favorite block lists for this step.

  • Navigate to Firewall / pfBlockerNG / DNSBL and click the DNSBL Feeds tab.
  • Click the +Add button.
  • Set DNS GROUP Name and Description to anything you’d like, for example “Custom.”
  • Set DNSBL to:
    Format: Auto
    State: ON
    Source: https://dbl.oisd.nl/
    Header/Label: Custom Name
  • Set List Action to Unbound.
  • Set Update Frequency to be at least as often as your cron update schedule in Step 3.

I find once a day is ideal.

  • Scroll to the bottom of the page and click the Save button.

7 - Update Lists

Updates are run on the schedule set in Step 3. However, the first one must be initiated manually to take effect immediately.

  • Navigate to Firewall / pfBlockerNG / Update. Click the radio button for “Update” and click the Run button.
  • Observe the log viewer as the update processes and allow it a couple minutes to finish.

And that’s it! …almost

After the initial update, you should notice ads are now being blocked in your browser. Anandtech.com is a well laid out site to test. You should be well on your way to adblocked nirvana…

But wait, it’s still ugly!

You’ve probably noticed by now, ads that are blocked leave behind the spaces set aside for them. This looks especially bad on some sites, or is just distracting. Here’s where combining adblock efforts with a browser extension is still particularly useful.

Some Adblock Extensions, like uBlock Origin, have a built in feature called Cosmetic Filtering. This is for rearranging websites with blocked ads to look more natural, as if the ad never existed. It really helps clean up the spaces left behind on most sites.

The added benefit here is that pfsense is now tackling the adblock workload, leaving your browser extension free to process cosmetic filtering much faster. Most, if not all ads will never even reach your browser. Here are comparison shots:


No Adblocking


pfblockerNG only


pfblockerNG + uBlock Origin Cosmetic Filtering


tl;dr - Simply install uBlock Origin to make websites pretty again. Have your cake and eat it too.

And that’s it! No really, that’s all there is to it!

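An added example, not part of the original guide and not pfBlockerNG's own code: a small Python model of two behaviours the guide describes, overlapping lists being merged without duplicates and the TLD option in Step 4 extending a listed domain to its sub-domains. It goes slightly beyond the guide by parsing three common feed formats; the function names and the feed contents are constructed for illustration (serverbuilds.net is the guide's own example).

```python
# Illustrative model only; feed contents are constructed samples.
import re

HOSTS_LINE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)$")
ADBLOCK_LINE = re.compile(r"^\|\|([a-z0-9.-]+)\^$")
DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

FEED_A = """# constructed hosts-format sample
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
127.0.0.1 serverbuilds.net
"""
FEED_B = """! constructed Adblock-style sample
||ads.example.com^
||metrics.example.org^
example.com##.banner
serverbuilds.net
"""

def parse_feed(text):
    """Extract domains from hosts, ||domain^ or plain-domain lines."""
    domains = set()
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace, so a
        # cosmetic rule such as 'example.com##.banner' is not cut down to a domain.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip().lower()
        if not line or line.startswith("!"):
            continue
        m = HOSTS_LINE.match(line) or ADBLOCK_LINE.match(line)
        candidate = (m.group(1) if m else line).rstrip(".")
        if DOMAIN.match(candidate):
            domains.add(candidate)
    return domains

def merge_feeds(feeds):
    """Union all feeds; return (merged set, number of duplicates dropped)."""
    parsed = [parse_feed(text) for text in feeds]
    merged = set().union(*parsed)
    return merged, sum(len(p) for p in parsed) - len(merged)

def is_blocked(name, blocklist, tld=False):
    """Exact match by default; tld=True also covers sub-domains of a listed domain."""
    name = name.lower().rstrip(".")
    if name in blocklist:
        return True
    labels = name.split(".")
    # Compare whole labels, so 'notserverbuilds.net' never matches 'serverbuilds.net'.
    return tld and any(
        ".".join(labels[i:]) in blocklist for i in range(1, len(labels) - 1))
```

With the two sample feeds, `merge_feeds([FEED_A, FEED_B])` keeps four unique domains and drops two duplicates, and `forums.serverbuilds.net` is only matched when `tld=True`.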

I haven’t tweaked mine yet, but after installing pfblockerNG via other instructions, I’m unable to access SnapChat stories on Android. Hopefully after following your instructions I’ll be back up and running.

Edit: I also am using the pfBlockerNG-devel version so the labels are different for settings.

Probably depends on what block list you’re using.