====== PFSense - pfBlockerNG - Install pfBlockerNG - Setup IP Blocking ======

===== IP Configuration =====

Navigate to **Firewall -> pfBlockerNG -> IP**.

In **IP Configuration**:

  * De-Duplication: **Checked**
  * CIDR Aggregation: **Not checked**
  * Suppression: **Checked**
  * Force Global IP Logging: **Not checked**
  * Placeholder IP Address: **127.1.7.7**
  * ASN Reporting: **Disabled**

{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_ip_configuration.png?800|}}

----

===== MaxMind GeoIP configuration =====

Navigate to **Firewall -> pfBlockerNG -> IP**.

In **MaxMind GeoIP configuration**:

  * MaxMind License Key: **Enter the MaxMind License Key**. If you don't have a key, register for one on the [[https://www.maxmind.com/|MaxMind site]].
  * MaxMind Localized Language: **English**.
  * MaxMind CSV Updates: **Not Checked**.

{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_maxmind.png?800|}}

----

===== IP Interface/Rules Configuration =====

Navigate to **Firewall -> pfBlockerNG -> IP**.

In **IP Interface/Rules Configuration**:

  * Inbound Firewall Rules: **WAN** and **Block**.
  * Outbound Firewall Rules: **LAN** and **Reject**.
    * If you have more than one internal interface, hold **CTRL** (or **CMD** for Mac users) and click on each interface to be included.
  * Floating Rules: **Checked**.
  * Firewall 'Auto' Rule Order: **Select the top option**.
  * Firewall 'Auto' Rule Suffix: **auto rule**.
  * Kill States: **Checked**.

{{:pfsense:pfblockerng:pfsense_-_pfblockerng_-_ip_-_ip_-_interface_-_rules_-_configuration.png?800|}}

Scroll to the bottom of the page and click the **Save** button.

{{:pfsense:pfblockerng:pfsense_pfblockerng_ip_save.png?800|}}

**NOTE:** Floating rules are used here, as they keep all the pfBlockerNG rules in one place. Otherwise each interface will have its own copy of these rules, which makes them harder to maintain.

----

===== Setup Custom IP Lists =====

==== IPv4 ====

Navigate to **Firewall -> pfBlockerNG -> IP -> IPv4**.

  * Click the **Add** button.
  * Give it a **Name** and **Description**.

Add in as many **IP Source Definitions** as needed. Set:

  * Type: **Auto**.
  * State: **On**.

See [[PFSense:pfBlockerNG:pfBlockerNG IP Lists - IPv4|pfBlockerNG IP Lists - IPv4]]

{{:pfsense:pfblockerng:install_pfblockerng:pfsense_-_firewall_-_pfblockerng_-_ip_-_ipv4_-_ipv4.png?800|}}

----

In **Settings**:

  * State: **ON**.
  * Action: **Deny Both**.
  * Update Frequency: **Once per day**.

{{:pfsense:pfblockerng:install_pfblockerng:pfsense_-_firewall_-_pfblockerng_-_ip_-_ipv4_-_ipv4_-_settings.png?800|}}

----

==== IPv6 ====

Navigate to **Firewall -> pfBlockerNG -> IP -> IPv6**.

  * Click the **Add** button.
  * Give it a **Name** and **Description**.

Add in as many **IP Source Definitions** as needed. Set:

  * Type: **Auto**.
  * State: **On**.

See [[PFSense:pfBlockerNG:pfBlockerNG IP Lists - IPv6|pfBlockerNG IP Lists - IPv6]]

{{:pfsense:pfblockerng:install_pfblockerng:pfsense_-_firewall_-_pfblockerng_-_ip_-_ipv6_-_ipv6.png?800|}}

----

In **Settings**:

  * State: **ON**.
  * Action: **Deny Both**.
  * Update Frequency: **Once per day**.

----

==== GeoIP ====

Navigate to **Firewall -> pfBlockerNG -> IP -> GeoIP**.

**NOTE:** GeoIP is not used. All Actions are **Disabled**. The reason is that many services, such as AWS, utilize services in other countries, so blocking a country may impact legitimate sites.

{{:pfsense:pfblockerng:install_pfblockerng:pfsense_-_firewall_-_pfblockerng_-_ip_-_geoip.png?800|}}

----

==== Reputation ====

{{:pfsense:pfblockerng:install_pfblockerng:pfsense_-_firewall_-_pfblockerng_-_ip_-_reputation.png?800|}}

----

Return to [[PFSense:pfBlockerNG:Install pfBlockerNG|Install pfBlockerNG]] or continue to [[PFSense:pfBlockerNG:Install pfBlockerNG:Setup DNSBL Blocking|Setup DNSBL Blocking]].

----