[Guide] pfblockerNG Setup (pfSense Adblocking)

I haven’t had any issues with AliExpress with the example list + built in lists.

I have a bunch of lists from elsewhere I grabbed. I think I’m going to ditch them, however, as they’re pretty extreme. They block a lot of things I use on the daily. May try out yours in your write-up and play it by ear.

After the example list went belly up, I updated the guide, specifically Step 6, to encourage people to research and decide their own list(s) to use as needed.


Possibly worth mentioning changing the virtual IP used for DNSBL?

The default won’t be an issue for most people, but I ended up pretty much DoS’ing my own router when I tried setting this up the other night because it was my router’s IP. After I changed to an IP that isn’t used in my network, everything has been working swimmingly.

I’m not sure I follow. Can you give an example? I’ve created this guide assuming the defaults are set, so I was unaware of this issue.

I think it’s probably not an issue for most people, but I use 10.10.10.1 as my router IP, which is the default virtual IP used as the target for DNSBL.

When I turned DNSBL on without changing that, it basically redirected everything that was blocked back to my router, and I guess either DoS’d myself with blocked ads, or ended up with some sort of loop. Either way, I couldn’t access the router at all and had to revert my config from the console.

So I think it’s not a common thing, but just a minor gotcha if you’re using that as your router IP.

Good info. I’ll look at adding a section for this.

This is a great article, and I love the ease of setup. However, my problem is that I’m using a bridge to connect all of my interfaces together, and I don’t necessarily see any rules (floating or not) that would seem to indicate that the traffic is being blocked.

Testing out on Anandtech also seems to still show ads, any helpful tips?

Why are you using a bridge to connect all of your interfaces together?

I want to have them all grab addresses from a single subnet

I don’t recommend this type of configuration, and I’m not sure how to make it work with this setup, sorry.

Do not bridge your interfaces together. pfsense is not a switch!

I have to ask, why not? Sure, it isn’t supposed to be a switch, but at the same time, the one I currently have only has four ports on it. So the only difference it makes is making them appear as one, which allows me to control one set of rules instead of four.

I don’t have quite the best setup for using VLANs either because I have lots of devices like streaming boxes and such that are not smart about VLANs.

pfSense is a firewall with routing capability, not a switch. Bridging ports is a configuration that you can use and it will work in the basic sense that all ports are on the same subnet and broadcast/multicast traffic is passed. It should not be used unless you have a (quite niche) requirement for a transparent firewall, due to the insane performance cost.

You will ALWAYS be better served by a $15 dumb switch - it doesn’t matter how fast your CPU is, it will be dog slow in comparison. Switching in software with x86 vs in hardware with a specialized ASIC that moves traffic before it even sees the whole frame is unbelievably slow, and simultaneously introduces that slowness to all other traffic your general-purpose-and-decidedly-not-a-switching-ASIC CPU is handling.

The software implementation will only get you a fraction of the necessary switching capacity for the four bridged interfaces without performance problems (8Gbps, Netgate’s recent $2700 Xeon appliance tops out at 6.10Gbps), and even then the latency avalanche as your CPU maxes out and dumps packets it can’t process quick enough into a memory buffer will come much earlier anyway (many would-be network testers fail to measure latency in these comparisons). As a result, any significant transfers across the bridged interfaces will bog down the traffic of your entire network. Any regular traffic across the bridged interfaces will be orders of magnitude higher latency than normal. Use a $15 switch.

In addition to the abhorrent performance of switching in software with pfSense, bridging interfaces like this will cause interoperability problems with various other services and packages, requiring advanced configuration (as you have discovered). So not only do you save $15 and have terrible performance on your local network, but you also get to spend more time working out how to get things functional with a nonstandard setup that isn’t accounted for in documentation because of how bad of an idea it is (seriously, if you search “pfsense software switching,” most every conversation will have at least one person from Netgate saying not to do it - they are correct).


Your client devices would never be aware of VLANs existing unless you wildly misconfigured something.
If you’re not going to use VLANs, just get a $15 dumb switch and be done. If you’d like to use VLANs, spend a few dollars more on a managed switch, used enterprise or otherwise, and definitely read up on them first.


Thanks for the guide.

I had managed to install pfblockerNG but hadn’t managed to figure out how to configure it to actually work. The guide got me through the hurdle and it appears to be working now.


Got me through to getting easylists started. Going to try to come up with whole pfsense guide at some point.

Works fine with pfsense CE 2.5.2


What topics would you cover, out of curiosity? I do like the idea of a complete guide but I feel pfSense is easy enough to get running that there isn’t much to do for most users. I’ve already written a couple starter guides, Aliases and Static IP. These could be referenced and linked to in a larger guide. I had also intended to write port forwarding and open-nat guides, but have been lazy on getting back to that. Anything beyond that would be intermediate or advanced imo. @Riggi has also done a couple great writeups, pinned in the category.

It appears that this plugin has been updated a little bit since this guide was made. Anyway, I followed the guide and it doesn’t appear to be blocking ads.

So now the plugin has a setup wizard. I followed that and left everything as default. There is no EasyList setting, so instead I followed step 6 and added the big oisd list. Ran an update, but it doesn’t seem to be blocking ads.

For instance if I go to https://www.cnn.com in safari, I see a big banner ad at the top.

Thanks for the info. It does appear the guide is no longer working/current and will need a complete rewrite after some testing. I have no plans at the moment to do so, but I may take a look in the near future.
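Two things come up repeatedly in this thread: the DNSBL virtual IP colliding with the router’s own address (the self-DoS described above), and “I followed the guide but ads still show” with no way to tell whether DNSBL is actually answering. The script below is an added example, not code from the original thread, the guide, or pfBlockerNG itself. It checks the first problem offline against a list of interface addresses you supply, and the second by asking the pfSense resolver for a domain you expect to be on one of your lists and comparing the answer with the VIP. The interface map, the 192.168.1.1 resolver address and the placeholder test domain are constructed assumptions for the example; the only value taken from the thread is that 10.10.10.1 is the default DNSBL VIP.

```python
"""Sanity checks for a pfBlockerNG DNSBL setup.

Added example (not from the original thread, the guide, or pfBlockerNG):
  1. vip_status()      - does the DNSBL VIP collide with the firewall itself?
  2. query()/classify_answer() - is the resolver actually sinkholing names?
"""
import ipaddress
import subprocess
import sys
from typing import Dict, List

# Assumption from the thread: 10.10.10.1 is the default DNSBL VIP.
DEFAULT_VIP = "10.10.10.1"
# Constructed example interface map (name -> address/prefix on the firewall).
# The LAN entry deliberately reproduces the collision the thread describes.
EXAMPLE_INTERFACES = {"lan": "10.10.10.1/24", "guest": "192.168.50.1/24"}


def vip_status(vip: str, interfaces: Dict[str, str]) -> str:
    """Classify a candidate DNSBL VIP against the firewall's own interfaces.

    Returns:
      "collides"  - VIP is an address assigned to the firewall itself
                    (blocked lookups get sent straight back at the router)
      "in-subnet" - VIP lies inside an attached subnet; it works, but a DHCP
                    or static host could be handed the same address later
      "ok"        - VIP is outside every attached subnet
    """
    vip_addr = ipaddress.ip_address(vip)
    for cidr in interfaces.values():
        if vip_addr == ipaddress.ip_interface(cidr).ip:
            return "collides"
    for cidr in interfaces.values():
        if vip_addr in ipaddress.ip_interface(cidr).network:
            return "in-subnet"
    return "ok"


def parse_dig_short(output: str) -> List[str]:
    """Return the IP addresses from `dig +short` output, skipping CNAME lines."""
    answers = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue  # a CNAME target or other non-address line
        answers.append(line)
    return answers


def classify_answer(answers: List[str], vip: str) -> str:
    """Decide whether a lookup was sinkholed by DNSBL.

      "blocked"   - every answer is the VIP, i.e. DNSBL rewrote the name
      "nxdomain"  - no address came back (name doesn't exist, or the resolver
                    is configured to answer NXDOMAIN instead of the VIP)
      "unblocked" - real address(es) came back, so DNSBL did not catch it
    """
    if not answers:
        return "nxdomain"
    if all(a == vip for a in answers):
        return "blocked"
    return "unblocked"


def query(domain: str, resolver: str) -> List[str]:
    """Ask one specific resolver for A records using `dig +short @resolver`."""
    proc = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", f"@{resolver}", domain, "A"],
        capture_output=True, text=True, check=False,
    )
    return parse_dig_short(proc.stdout)


if __name__ == "__main__":
    # usage: python dnsbl_check.py <pfsense-lan-ip> <vip> <domain> [domain ...]
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed
    vip = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_VIP
    # Placeholder; replace with a name you know is on one of your lists.
    domains = sys.argv[3:] or ["ads.example.com"]

    print(f"VIP {vip} vs firewall interfaces: {vip_status(vip, EXAMPLE_INTERFACES)}")
    for name in domains:
        answers = query(name, resolver)
        print(f"{name}: {classify_answer(answers, vip)} {answers}")
```

Run it from a LAN client, pointing it at the pfSense resolver rather than whatever your OS is using, so that a browser still showing ads can be separated into “the resolver isn’t sinkholing this name” (answer is a real address) versus “the name is sinkholed but the page loads ads from somewhere not on your lists” (answer is the VIP). If `vip_status` reports `collides`, change the VIP before enabling DNSBL; the thread’s reporter had to recover from the console after leaving it at the router’s own address.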