Differences

This shows you the differences between two versions of the page.

--- pfsense:pfblockerng:install_pfblockerng [2021/01/28 09:52] – [Install pfblockerNG] peter
+++ pfsense:pfblockerng:install_pfblockerng [2021/01/28 11:28] (current) – peter
@@ Line 1: / Line 1: @@
 ====== PFSense - pfBlockerNG - Install pfBlockerNG ======
-===== Increase Firewall Maximum Table Entries =====
+There are multiple parts to this:
-Navigate to **System -> Advanced -> Firewall & NAT**.
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Increase Firewall Maximum Table Entries|Increase Firewall Maximum Table Entries]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Install pfBlockerNG Package|Install pfBlockerNG Package]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:First Install Wizard|First Install Wizard]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Configure pfBlockerNG|Configure pfBlockerNG]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Setup IP Blocking|Setup IP Blocking]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Setup DNSBL Blocking|Setup DNSBL Blocking]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Update Blocking Lists|Update Blocking Lists]]
+  * [[PFSense:pfBlockerNG:Install pfBlockerNG:Test|Test]]
-In **Firewall Advanced**:
-  * Firewall Maximum Table Entries:  **Set to at least 1000000, unless the system has very little RAM**.
-<WRAP info>
-**NOTE:**  Without increasing this value, DNS queries take much longer, causing webpages to load very slowly.
-As a rough guide, set this value to the following, depending on how much memory there is.
-^Memory^Firewall Maximum Table Entries^
-|4GB|800000|
-|8GB|1000000|
-|16GB|1200000|
-|32GB or Higher|2000000|
-If lots of blocklists are being used, then look at setting these slightly higher if you notice any slowness in DNS resolving.
-  * Be careful of setting this too high as it directly uses more RAM the higher you set it.
-</WRAP>
 ----
-===== Install pfblockerNG =====
-Navigate to **System -> Package Manager -> Available Packages**.
-Locate **pfBlockerNG-devel**.
-<WRAP info>
-**NOTE:**  **pfBlockerNG-devel** is installed instead of the standard pfBlockerNG.
-pfBlockerNG-devel is much easier to configure and is extremely stable and should have no issues being used in production.
-</WRAP>
-Click the **Install** button and wait for it to complete.
-Once installation is completed, pfBlockerNG appears in **System -> Package Manager -> Installed Packages**.
-----
-===== First Install - Wizard =====
-Navigate to **Firewall -> pfBlockerNG**.
-The first time you visit this link, the following Wizard will be shown.
-Click **Next**.
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_setup.png?800|}}
-----
-A warning is shown that ALL settings will be wiped.
-Click **Next**.
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_setup_-_caution.png?800|}}
-----
-==== IP Component Configuration ====
-Now select the input and output interfaces.
-For now, even though there are other interfaces, just select the defaults.
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_setup_-_ip_component_configuration.png?800|}}
-----
-==== DNSBL Component Configuration ====
-Select the defaults.
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_setup_-_dnsbl_component_configuration.png?800|}}
-----
-==== Finalized ====
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_setup_-_finalized.png?800|}}
-----
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_-_update.png?800|}}
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_-_update_-_log.png?800|}}
-{{:pfsense:pfblockerng:pfsense_-_firewall_-_pfblockerng_-_update_-_note.png?800|}}
-----
-----
-===== General Settings =====
-Navigate to **Firewall -> pfBlockerNG**.
-Within the **General** section:
-  * pfBlockerNG: **Checked**.  This enabled pfBlockerNG.
-  * Keep Settings: **Checked**.  pgBlockerNG can remember any settings even against upgrades of the software.
-  * CRON Settings: **Every Hour**  **00**  **0**  **0**.
-  * Download Failure Threshold:  **No Limit**.
-Within the **Log Settings** section:
-  * Keep all settings at default:  **20000**.
-Scroll to the bottom of the page and click the **Save** button.
-General Tab should look like this:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_general.png?800|}}
-----
-===== IP Configuration =====
-Navigate to **Firewall -> pfBlockerNG -> IP**.
-Within the **IP Configuration** section:
-  * De-Duplication: **Checked**
-  * CIDR Aggregation: **Not checked**
-  * Suppression: **Checked**
-  * Force Global IP Logging: **Not checked**
-  * Placeholder IP Address: **127.1.7.7**
-  * ASN Reporting: **Disabled**
-{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_ip_configuration.png?800|}}
-----
-===== MaxMind GeoIP configuration =====
-Navigate to **Firewall -> pfBlockerNG -> IP**.
-Within the **MaxMind GeoIP configuration** section:
-  * MaxMind License Key: **Enter the MaxMind License Key**.  If you don't have a key, register for one on the [[https://www.maxmind.com/|Maxmind Site]].
-  * MaxMind Localized Language: **English**.
-  * MaxMind CSV Updates:  **Not Checked**.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_maxmind.png?800|}}
-----
-===== IP Interface/Rules Configuration =====
-Within the **IP Interface/Rules Configuration** section:
-  * Inbound Firewall Rules:  **WAN** and **Block**.
-  * Outbound Firewall Rules: **LAN** and **Reject**.
-    *  If you have more than one internal interfaces, press **CTRL** or CMD (for Mac users) and click on interfaces.
-  * Floating Rules:  **Not Checked**.
-  * Firewall 'Auto' Rule Order:  **Select the top option**.
-  * Firewall 'Auto' Rule Suffix:  **auto rule**.
-  * Kill States:  **Checked**.
-{{:pfsense:pfblockerng:pfsense_-_pfblockerng_-_ip_-_ip_-_interface_-_rules_-_configuration.png?800|}}
-Scroll to the bottom of the page and click the **Save** button.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_save.png?800|}}
-----
-===== Setup Custom IP Lists =====
-See IP Lists
-Navigate to **Firewall -> pfBlockerNG -> IP -> IPv4**.
-Click the **Add** button.
-Give it a **Name** and **Description**.
-Add in as many **IP Source Definitions** as needed.
-Set:
-  * State: **ON**.
-  * Action: **Deny Both**.
-  * Update Frequency: **Once per day**.
-For Example:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_ipv4_feed_pri1.png?800|}}
-----
-===== Enable DNSBL =====
-Navigate to **Firewall -> pfBlockerNG -> DNSBL** and check the box for **Enable DNSBL**.
-Optionally, if you have a lot of RAM, you can also enable **TLD**.  This setting enables additional processing to block ALL sub-domains for advanced blocking.  For example, a list with sharewiz.net would also result in blog.sharewiz.net also being blocked if TLD is enabled.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_tld.png?800|}}
-Locate the **DNSBL Webserver Configuration** section:
-  * Virtual IP Address: **10.10.10.1**.  This is the default IP address and should be fine.  Only change if needed.  Enter an IP address that is not in your internal networks, something like 10.10.10.10.
-  * VIP Address Type: **IP Alias**.  The default.  Only change if needed.
-  * Port: **8081**. The default.  Only change if needed.
-  * SSL Port: **8443**.  The default.  Only change if needed.
-  * Webserver Interface:  **LAN**.  The default.  Only change if needed.  Select LAN or another internal interface to listen on.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_webserver_configuration.png?800|}}
-Locate **Permit Firewall Rules** within the **DNSBL Configuration** section:
-  * If you ONLY have one LAN interface, leave this setting unchecked.
-  * If you have multiple LAN interfaces, check this setting and select each interface to protect.
-  * Scroll to the bottom of the page and click the **Save** button.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_permit_firewall_rules_multiple_lans.png?800|}}
-Locate the **DNSBL Whitelist** Section:
-  * See [[PFSense:pfBlockerNG:DNSBL Whitelist|DNSBL Whitelist]].
-  * Enter the following white-list domains and modify as you like:
-  * <code>
-.play.google.com
-.drive.google.com
-.accounts.google.com
-.www.google.com
-.github.com
-.outlook.live.com
-.edge-live.outlook.office.com # CNAME for (outlook.live.com)
-.outlook.ha-live.office365.com # CNAME for (outlook.live.com)
-.outlook.ha.office365.com # CNAME for (outlook.live.com)
-.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
-.amazonaws.com
-.login.live.com
-.login.msa.akadns6.net # CNAME for (login.live.com)
-.ipv4.login.msa.akadns6.net # CNAME for (login.live.com)
-.mail.google.com
-.googlemail.l.google.com # CNAME for (mail.google.com)
-.pbs.twimg.com
-.wildcard.twimg.com # CNAME for (pbs.twimg.com)
-.sites.google.com
-.www3.l.google.com # CNAME for (sites.google.com)
-.docs.google.com
-.mobile.free.fr
-.plus.google.com
-.samsungcloudsolution.net
-.samsungelectronics.com
-.icloud.com
-.microsoft.com
-.windows.com
-.skype.com
-.googleusercontent.com
-</code>
-Locate **DNSBL IPs** section:
-  * List Action: **Deny Both**.
-  * Enable Logging: **Enable**.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_dnsbl_ips.png?800|}}
-Scroll to the bottom of the page and click the **Save** button.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_save.png?800|}}
-----
-===== Setup DNSBL EasyLists =====
-Navigate to **Firewall -> pfBlockerNG -> Feeds**.
-Scroll down to the **DNSBL Category** section.
-Select the **Easylist** by clicking on the **+** key towards the left side.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist.png?800|}}
-Set EasyList Feeds to:
-  * State: **ON**
-  * Action: **Unbound**
-  * Update Frequency: **Once per day**
-{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_category_easylist_feeds.png?800|}}
-Scroll to the bottom of the page and click the **Save** button.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_save.png?800|}}
-----
-===== Setup Custom DNSBL Lists =====
-See [[PFSense:pfBlockerNG:pfBlockerNG DNSBL Lists|pfBlockerNG DNSBL Lists]].
-Navigate to **Firewall -> pfBlockerNG -> DNSBL -> DNSBL Groups**.
-Click the **Add** button.
-Give it a **Name** and **Description**.
-Add in as many **DNSBL Source Definitions** as needed.
-Set:
-  * State: **ON**
-  * Action: **Unbound**
-  * Update Frequency: **Once per day**
-For Example:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_feeds_dnsbl_pi_hole.png?800|}}
-----
-===== Update Lists =====
-Updates are run on the schedule earlier.
-However, the first one must be initiated manually to take effect immediately.
-Navigate to **Firewall -> pfBlockerNG -> Update**.
-Click the radio button for **Update** and click the **Run** button.
-Observe the log viewer as the update processes and allow it a couple minutes to finish.
-After the initial update, you should notice ads are now being blocked in your browser.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_update_run_manually.png?800|}}
-----
-===== Check the Services =====
-Navigate to **Status -> Services**.
-Restart both **pfBlockerNG DNSBL** & **Unbound** services.
-{{:pfsense:pfblockerng:pfsense_services_-_pfblockerng.png?800|}}
-----
-===== Testing from the command line =====
-Normally, pinging a site will return the sites actual IP address.
-However, with pfBlockerNG properly setup you may instead see a reply of 10.10.10.1, which is the default virtual IP address DNSBL creates:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_ping_block.png?800|}}
-For sites that are allowed to get through, their proper IP address will be returned by a ping instead of 10.10.10.1:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_ping_not_blocked.png?800|}}
-The same goes for an nslookup query, which will also return a response of 10.10.10.1 for adverts:
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_nslookup_block.png?800|}}
-For sites that are allowed to get through, their proper IP address will be returned instead of 10.10.10.1.
-{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_nslookup_not_blocked.png?800|}}
-----