How to block ads on pfsense with pfBlockerNG and Dnsbl?


To block ads on your network, you need pfSense installed as the network firewall. Configuring pfSense to block ads is much easier than doing so on other firewalls or security appliances. pfSense blocks ads with a package called pfBlockerNG, which can also be used to block malware, adult sites, and more. The package has two parts, DNSBL (DNS-based blocking) and IP/GeoIP blocking, but to block ads we only need to configure the DNSBL portion.

A Summary of Pfsense Configuration steps

To block ads on pfSense we need to configure the DNSBL portion, but a few other things have to be configured first. Here is a summary of the steps.

  • First, we create two floating firewall rules in pfSense. These rules make all local networks, such as the LAN and any VLANs, use pfSense as their only DNS server and block access to external DNS servers.
  • Second, we install and configure the devel version of pfBlockerNG, the latest development version of the package.
  • Third, we configure the DNSBL portion of pfBlockerNG. In this step we configure the DNS feeds for DNSBL; a feed is a list of the domain names to be blocked.
  • Last, we look at the reports section and then test the configuration to verify that it works.

Configure DNS Floating Firewall rules

pfSense can also act as a DNS server. This DNS server checks every DNS query against its DNSBL database and blocks the ad traffic, because the database contains the names of sites that serve ads and malware.

To make sure clients actually use it, we create two floating firewall rules that make pfSense the only DNS server reachable from our network.

The first rule is a pass rule that allows clients to reach the pfSense DNS server, and the second rule is a block rule that blocks traffic to any external DNS server.

The DNS First Floating Firewall Rule

To create the first rule, go to Firewall>Rules, select Floating, then select Add. This opens the new firewall rule window; configure it as shown in the screenshot.

Pfsense Ads Block | Add pass rule to allow local networks traffic to pfsense local DNS server

After you create the rule select save and apply changes.

The first rule uses the following settings:

  • Action: Pass, as this is an allow rule.
  • Quick: Apply the action immediately on match. Make sure this is enabled, so that no later rule can override the decision.
  • Interface: Select all local interfaces, such as LAN and any VLANs, but do not select a WAN interface.
  • Address Family: IPv4
  • Protocol: TCP/UDP, as DNS uses both protocols.
  • Source: any
  • Destination: This Firewall (self). This allows DNS traffic from our local networks to reach pfSense's own address, which is the DNS server address.
  • Destination Port Range: 53. This allows traffic from any source to the pfSense local IP address on port 53, the default DNS port.

Because the first rule already allows DNS traffic to pfSense, the second rule is simply a block rule that denies all other DNS traffic, from any source to any destination.

The Second DNS Floating Firewall Rule

To create the second rule, go to Firewall>Rules, select Floating, select Add, and configure the rule as shown in the screenshot.

Add a block rule to deny all local networks traffic to external DNS server

The second firewall rule is a block rule that stops our local networks from reaching any external DNS server.

  • Action: Block.
  • Quick: Apply the action immediately on Match, make sure to enable this setting.
  • Interface: Select all interfaces such as LAN and VLANs if applicable but make sure that you do not select a WAN interface.
  • Address Family: IPv4
  • Protocol: UDP & TCP, as DNS uses both protocols.
  • Source: any.
  • Destination: any.
  • Destination Port range: 53.

Once these values are entered, select Save and then Apply Changes. With both rules in place, pfSense becomes the only DNS server our local networks can use.
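To see why the post insists on enabling Quick on both rules, here is an added example (not from the original post) that models the two floating rules in a few lines of Python and evaluates sample packets against them. The interface names, pfSense addresses and packets are constructed for illustration; pf itself is not involved, and the `default` verdict stands in for the permissive interface rules that would be consulted after the floating rules.

```python
# Added example (not from the original post): a small model of the two floating
# DNS rules described above, to show how pfSense evaluates floating rules with
# "Quick" enabled. The interface names, addresses and sample packets are
# constructed for illustration; pf itself is not involved.
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional

PFSENSE_SELF = frozenset({"192.168.1.1", "10.20.0.1"})  # constructed: pfSense's local interface IPs
LOCAL_IFACES = frozenset({"LAN", "VLAN20"})             # constructed: interfaces the rules are attached to
DNS = frozenset({"tcp", "udp"})                         # DNS uses both protocols


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    quick: bool                      # True: first match decides, later rules are not evaluated
    interfaces: FrozenSet[str]       # interfaces the rule applies to
    protocols: FrozenSet[str]
    dst: Optional[FrozenSet[str]]    # None means "any"; otherwise the set of allowed destinations
    dport: Optional[int]             # None means "any"

    def matches(self, iface: str, proto: str, dst_ip: str, dport: int) -> bool:
        if iface not in self.interfaces or proto not in self.protocols:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport


# Rule 1: pass DNS from any source to "This Firewall (self)".
# Rule 2: block DNS from any source to any destination.
FLOATING_RULES: List[Rule] = [
    Rule("pass", True, LOCAL_IFACES, DNS, PFSENSE_SELF, 53),
    Rule("block", True, LOCAL_IFACES, DNS, None, 53),
]


def evaluate(iface: str, proto: str, dst_ip: str, dport: int,
             rules: List[Rule] = FLOATING_RULES, default: str = "pass") -> str:
    """Return "pass" or "block" for one packet.

    A matching rule with Quick set decides immediately. Without Quick, pf keeps
    evaluating and the last matching rule wins. `default` stands in for the
    interface's own rules that would be consulted after the floating rules
    (constructed here as a permissive LAN rule set).
    """
    verdict = default
    for rule in rules:
        if rule.matches(iface, proto, dst_ip, dport):
            if rule.quick:
                return rule.action
            verdict = rule.action
    return verdict


def without_quick(rules: List[Rule]) -> List[Rule]:
    """The same rules with Quick disabled, to show what changes when it is left off."""
    return [replace(r, quick=False) for r in rules]


if __name__ == "__main__":
    print("LAN -> pfSense:53 ", evaluate("LAN", "udp", "192.168.1.1", 53))
    print("LAN -> 8.8.8.8:53 ", evaluate("LAN", "udp", "8.8.8.8", 53))
    print("same, no Quick    ", evaluate("LAN", "udp", "192.168.1.1", 53, without_quick(FLOATING_RULES)))
```

With Quick enabled, a query to pfSense matches the pass rule and stops there, while a query to an external resolver falls through to the block rule. With Quick disabled on both rules, the broader block rule also matches the query to pfSense and, as the last match, overrides the pass, which would break DNS for every client.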

Install and Configure pfBlockerNG Devel Version

Before installing, make sure your pfSense is running the latest version; if it is not, update it first, otherwise you may run into installation problems.

Make sure you have the latest version before installing pfblockerng

The devel version of pfBlockerNG is the latest and most capable package: it comes with major upgrades and is very easy to configure.

To install it, go to System>Package Manager, select Available Packages, type pfblocker in the Search term field, and select Install next to the pfBlockerNG devel version as shown. Then select Confirm to start the installation.

Pfsense Ads Block | select pfblockerng devel version to install

Configuring pfBlockerNG Devel Version

To block ads through pfSense we need to configure pfBlockerNG properly. Go to Firewall>pfBlockerNG, which opens the welcome screen, and select Next to start the wizard.

Caution Wizard Screen pfBlockerNG

As the wizard screen shows, the configuration has two portions, IP and DNSBL. The IP portion consists of firewall rules that block outgoing traffic to known offender destinations, while the DNSBL portion uses the DNS Resolver to block ads and malware. Select Next to move to the next screen.

select inbound and outbound interfaces to be used by IP Portion of pfblockerng to block ads

As shown, select your inbound firewall interface as WAN. I have selected multiple WAN interfaces because I have two, named WN_901_BRN and WN_1820_WTN. If you have not renamed your WAN interface, just select WAN from the list.

For the outbound firewall interface, select all your local interfaces; if you have just one local interface such as LAN, select LAN from the list. Then select Next to move to the next screen.

Pfsense Ads Blocking | Web configurator screen for pfsense pfblockerng dnsbl portion

DNSBL Web Server Configuration

The screen above configures a web server for the DNSBL portion. The VIP address 10.10.10.1 is a virtual IP address used by the DNSBL service.

You need to make sure this address is not already in use and does not overlap with any of your local networks, such as the LAN.

The VIP address is used not only as the web server address but also as a sinkhole address: every blocked ad and malware domain name resolves to it, so the traffic goes nowhere.

If DNSBL cannot use this address, it will not be able to block ads.

If you are already using this IP address in your network, move the VIP to an unused subnet/address.

If all is well, select Next to move to the next screen and finish the installation.
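The overlap check the post asks for can be done before accepting the wizard default. The following is an added example, not part of the original post: it uses Python's standard `ipaddress` module to report which local networks contain the VIP and to pick an alternative when the default is taken. The local subnets and candidate addresses are constructed sample values.

```python
# Added example (not from the original post): check that the DNSBL VIP does not
# fall inside any of your local networks before accepting the wizard default.
# The local subnets and alternative candidates below are constructed sample values.
import ipaddress
from typing import Iterable, List, Optional

DEFAULT_VIP = "10.10.10.1"  # default VIP proposed by the pfBlockerNG wizard (from the post)


def vip_conflicts(vip: str, local_networks: Iterable[str]) -> List[str]:
    """Return the local networks (CIDR strings) that contain `vip`.

    An empty list means the VIP is safe to use. strict=False lets you pass an
    interface address such as 192.168.1.1/24 rather than the network address.
    """
    addr = ipaddress.ip_address(vip)
    hits = []
    for cidr in local_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            hits.append(str(net))
    return hits


def pick_free_vip(candidates: Iterable[str], local_networks: Iterable[str]) -> Optional[str]:
    """Return the first candidate VIP that overlaps none of the local networks."""
    nets = list(local_networks)
    for vip in candidates:
        if not vip_conflicts(vip, nets):
            return vip
    return None


if __name__ == "__main__":
    # Constructed example: a site whose LAN already uses 10.10.0.0/16.
    local = ["192.168.1.1/24", "10.10.0.0/16"]
    print("conflicts for", DEFAULT_VIP, "->", vip_conflicts(DEFAULT_VIP, local))
    print("use instead ->", pick_free_vip([DEFAULT_VIP, "172.31.255.1"], local))
```

Feed it the interface addresses from Interfaces>Assignments (and any static routes to other internal subnets); if `vip_conflicts` returns anything, change the VIP in the wizard before continuing.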

Configure pfBlockerNG DNSBL Portion

Once the installation is finished, it's time to block ads by configuring the DNSBL portion. Pressing the Finish button on the wizard takes you to the Update screen.

On the Update screen pfBlockerNG auto-updates its DNSBL database and completes the necessary settings. From the Update screen, move to the General tab.

Pfsense Ads Block

Keeping the General section settings at their defaults is a good idea, so do not change anything unless necessary. In particular, do not uncheck the Keep Settings checkbox: if it is unchecked when you upgrade or downgrade the pfBlockerNG package, all previous settings will be lost.

pfBlockerNG is an excellent tool created by BBcan177. If you would like to donate, they have a Patreon campaign page.

After the General section, move to the DNSBL section.

dnsbl section pfsense pfblockerng

As you can see, this section consists of several subsections. Leave the first subsections at their defaults and scroll down to the DNSBL Configuration subsection.

Pfsense Ads Block | dnsbl configuration subsection pfsense pfblockerng

In this subsection, look at the Default Permit Firewall Rules setting, which is disabled by default. You only need to enable it if pfSense has multiple local interfaces; otherwise leave it unchecked. Because my pfSense has multiple interfaces, I have enabled Default Permit Firewall Rules and selected all local interfaces in the list.

DNSBL Feeds

The DNSBL portion works with feeds, which are lists of domains reported for ads, malware, porn, gambling, and so on. It comes with default feeds, which can be customized as desired.

At the time of writing, my pfSense runs version 2.5.1 Release, which comes with a pre-configured blocklist (feed) for ads. To check the default configured feed, select DNSBL>DNSBL Groups.

Pfsense Ads Block | dnsbl group pfblockerng

As you can see, a default feed is selected. There are many DNS feeds or blacklists on the internet claiming to be the best; in my experience pfSense chooses the best one for you by default, so leave this list's settings at their defaults.

Steven Black Blacklist Feed

The default feed is part of the Steven Black blacklist, which is the best-maintained blacklist database on the internet. When pfBlockerNG is installed on pfSense, this list is set to active and starts blocking ads right away. There are further lists in the Steven Black collection that can be used to block malware, porn, gambling, and so on.

To add more feeds from the Steven Black database, select Feeds.

Pfsense Ad Blocking  | feed page pfblockerng

This page carries a lot of information, covering both IP and DNSBL, but we only need the DNSBL part. Scroll down until the Category column on the left reads DNSBL.

Pfsense Ads Block | steven blacklist pfsense pfblockerng dnsbl portion.

The highlighted Steven Black list has a tick mark because it is the list currently selected.

Now click Steven Black, which takes you to the Steven Black GitHub page of maintained lists. Scroll down until you reach the following section of the page.

Pfsense Ad Blocking | add list dnsbl : steven black github page fakenews,gambling and porn.

The top list (in green) has already been added to DNSBL. Now let's add another list, named Unified hosts + fakenews + gambling + porn. To add it, copy its link address, go to DNSBL>DNSBL Groups, and select Add. Then enter the following as shown.

Pfsense Ad Blocking | add new feed list dnsbl pfblockerng

Name/Description: as shown in the screenshot.

Under DNSBL Source Definitions set State to ON, paste the link address into the Source field and add the Header/Label as shown. Then select Add and then Save DNSBL Settings.

After this, select DNSBL>DNSBL Groups again and add the following settings as shown.

Pfsense Ads Block | finalizing dnsbl config

As shown on the screen, select Unbound and Once a day from the respective drop-down lists and then select Save.

The settings only take effect once the DNSBL portion is reloaded, so go to the Update tab, select Reload and DNSBL, and then select Run as shown.

After the reload, it will start blocking ads automatically.

Whitelist Domains

You can always whitelist domains if you run into problems after completing the configuration.

To whitelist a domain, go to the DNSBL section, scroll down to the DNSBL Whitelist subsection, and add any domain that should be exempted from DNSBL blocking.

Pfsense Ads Block | Domain whitelist pfsense dnsbl pfblockerng.

DNSBL Reporting

DNSBL comes with remarkable reporting. It has many sections that give granular information about the blocked domains; to see it, go to Reports>DNSBL Blocked Stats.

Pfsense Ads Block | Reporting DNSBL Blocking Stats

Ad Block Testing And Verification

Once you are done with the configuration, it's time to test. If you added the feed that blocks ads along with gambling and porn, try to browse any porn site and you will see this block screen.

If you browse yahoo.com, pfSense will block the ads and you will not see any on the right side of the page, which means your configuration is working.
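Browsing a page is the quick check; a more precise one is to ask pfSense directly and compare the answer with the sinkhole VIP, since DNSBL answers every blocked name with that VIP (10.10.10.1 unless you moved it). Here is an added example, not part of the original post, that classifies `dig +short` answers this way. The domains and dig outputs in it are constructed samples; the `resolve_short()` helper runs a live `dig` query and is only for interactive use from a client on the LAN.

```python
# Added example (not from the original post): a small checker for the test described
# above. A domain that DNSBL blocks resolves to the sinkhole VIP (10.10.10.1 by
# default), so comparing the answers from pfSense with that VIP tells you whether
# the block worked. The domains and dig outputs below are constructed samples;
# resolve_short() does a live `dig` query and is only for interactive use.
import re
import subprocess
from typing import Dict, List

SINKHOLE_VIP = "10.10.10.1"  # the DNSBL VIP from the post; change it if you moved the VIP
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_dig_short(output: str) -> List[str]:
    """Keep only the IPv4 answers from `dig +short` output (CNAME lines are dropped)."""
    return [line.strip() for line in output.splitlines() if IPV4.match(line.strip())]


def classify(answers: List[str], vip: str = SINKHOLE_VIP) -> str:
    """Map a list of A records to one of: sinkholed, resolved, partial, no-answer."""
    if not answers:
        return "no-answer"          # NXDOMAIN, timeout, or the query never reached a server
    if all(a == vip for a in answers):
        return "sinkholed"          # DNSBL answered with the VIP: the domain is blocked
    if any(a == vip for a in answers):
        return "partial"            # mixed answers: worth investigating
    return "resolved"               # normal answer: the domain is not blocked


def resolve_short(domain: str, server: str) -> List[str]:
    """Live lookup with dig (needs network access and the dig binary)."""
    cmd = ["dig", "+short", "+time=2", "+tries=1", f"@{server}", domain, "A"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return parse_dig_short(out)


# Constructed stand-ins for `dig +short @<pfsense-ip> <domain>` output.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "ads.example": "10.10.10.1\n",
    "cdn.example": "cdn.example.edgekey.example.\n198.51.100.7\n",
    "unreachable.example": "",  # what you get when the query is dropped by the block rule
}


def verify(samples: Dict[str, str] = SAMPLE_OUTPUTS, vip: str = SINKHOLE_VIP) -> Dict[str, str]:
    """Classify every sample; with live data, build `samples` from resolve_short()."""
    return {domain: classify(parse_dig_short(out), vip) for domain, out in samples.items()}


if __name__ == "__main__":
    for domain, result in verify().items():
        print(f"{domain:22} {result}")
```

Run the live variant twice from a LAN client: once against the pfSense address, where a name from your ad feed should come back as "sinkholed" and an ordinary site as "resolved", and once against an external resolver such as 8.8.8.8, where every query should come back as "no-answer" because the second floating rule drops it. A "resolved" answer from the external resolver means the block rule is not in effect on that interface.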
