How To Install And Configure The PfblockerNG Package On A PFSENSE Firewall.
The PFBLOCKERNG package for PFSENSE is the next generation of the legacy pfBlocker package and ships with powerful features that are usually only available in proprietary products. The pfblockerng package makes it possible to filter network traffic by the geo-location of an IP address and to block online ads and malicious content. PfblockerNG has many options that allow you to specify what to block and how to block it. This tutorial aims to provide a simple guide on how to install and configure the PfblockerNG package on a PFSENSE firewall.
1) A desktop or laptop computer with a web browser installed.
2) A pfsense firewall appliance or virtual machine.
3) A connection to the internet.
The network diagram shown in the image depicts a basic network topology with three desktop computers and a network printer all connected to the PFSENSE LAN interface. The PFSENSE WAN interface is connected to an internet access gateway used to gain access to the internet through an internet service provider (ISP). The PFBLOCKERNG package will be installed on the PFSENSE firewall and will filter network traffic to and from the LAN devices.
Step One: Download And Install The PfblockerNG Package.
1) Open up any web browser and type in the IP address of the PFSENSE web configurator. The web browser may present an invalid SSL certificate error message, simply add an exception for this error message and the login page will be loaded.
The PFSENSE web configurator uses a self signed SSL certificate, which encrypts your interaction with it but cannot be verified by the browser, hence the certificate warning. It is possible to disable https and use plain old http when accessing the web configurator, or to install a valid SSL certificate from a certificate authority on the PFSENSE firewall so that the warning no longer appears.
2) Type in your login username and password on the web configurator login page and click on SIGN IN.
If you forgot your password, simply reboot the PFSENSE firewall and connect to the command line interface using SSH or a console cable and PUTTY (how you connect to the PFSENSE command line interface largely depends on your environment setup).
From the PFSENSE CLI choose option “3) RESET WEB CONFIGURATOR PASSWORD” and enter “Y” to confirm the password reset.
Open the web browser, type “admin” in the username field and “pfsense” in the password field, and click on “SIGN IN”.
Please ensure that you change the password just after completing the web configurator password reset process.
3) Next select “SYSTEM > PACKAGE MANAGER” and click on the “AVAILABLE PACKAGES” tab. In the “SEARCH TERM” field type “PFBLOCKERNG” and click on “SEARCH”. The first search result should be the “PFBLOCKERNG” package. Click on the “INSTALL” button on the right side of the “PFBLOCKERNG” description.
Once the installation of the package has been completed, the pfBlockerNG configuration can start.
DNS requests for websites should be intercepted by the PFSENSE firewall running the pfBlockerNG software. pfBlockerNG will load lists of known bad domains and map each of them to a single sinkhole address, the DNSBL virtual IP configured later in this guide.
If a client requests a domain that is on pfBlockerNG’s block lists, pfBlockerNG will respond with that sinkhole IP ADDRESS instead of the domain’s real one, so the client never reaches the bad host.
Step Two: Enable The DNS Resolver
4) Start by enabling the built in PFSENSE DNS resolver by clicking on “SERVICES > DNS RESOLVER”. Select the “GENERAL SETTINGS” tab.
Click on the “ENABLE DNS RESOLVER” checkbox, and ensure the “LISTEN PORT” is set to 53.
On the “NETWORK INTERFACES” section select the LAN and LOCALHOST interfaces.
On the “OUTGOING NETWORK INTERFACES” section choose the WAN interface, scroll down and click on the “SAVE” button then click on the green “APPLY CHANGES” button.
Step Three: Configure PfblockerNG
5) The next step is to configure PFBLOCKERNG. Navigate to the PFBLOCKERNG configuration page by clicking on “FIREWALL > PFBLOCKERNG” and click on the “DNSBL” tab.
Click on the “ENABLE DNSBL” check box and enter a private IP address in the “DNSBL Virtual IP” input box. This IP ADDRESS should not fall within any subnet that is actually in use on the network behind PFSENSE, otherwise sinkholed requests could collide with a real host.
6) Scroll down and set the “DNSBL LISTENING INTERFACE” to LAN. In the “DNSBL IP FIREWALL RULE” settings set the “LIST ACTION” to DENY BOTH and the “ENABLE LOGGING” option to YES. Click on the “SAVE” button at the bottom of the page to save the DNSBL settings.
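The sinkhole behaviour described in the DNS section and the virtual IP rule from step 5, as an added example that is not part of the original guide or of pfBlockerNG itself. It checks a candidate DNSBL virtual IP against the subnets in use, simulates a DNSBL-enabled resolver (subdomain matching is an assumption of this model), and lets you test from a client whether a name was sinkholed; pass a real lookup such as socket.gethostbyname to run it against the firewall.

```python
import ipaddress
import socket
from typing import Iterable


def dnsbl_vip_problems(vip: str, local_subnets: Iterable[str]) -> list[str]:
    """Sanity-check a candidate DNSBL virtual IP: it must be a private
    address and must not lie inside any subnet that is actually in use."""
    problems = []
    addr = ipaddress.ip_address(vip)
    if not addr.is_private:
        problems.append(f"{vip} is not a private address")
    for net in local_subnets:
        if addr in ipaddress.ip_network(net, strict=False):
            problems.append(f"{vip} lies inside local subnet {net}")
    return problems


def make_sinkhole_resolver(blocklist, vip, upstream):
    """Build a simulated resolver: block-listed domains (and, as assumed
    here, their subdomains) answer with the virtual IP; anything else gets
    the 'real' answer from the constructed upstream table."""
    listed = {d.lower().rstrip(".") for d in blocklist}

    def lookup(name: str) -> str:
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):          # walk up: a.b.c, b.c, c
            if ".".join(labels[i:]) in listed:
                return vip
        try:
            return upstream[name.lower().rstrip(".")]
        except KeyError:
            raise socket.gaierror(f"NXDOMAIN {name}")

    return lookup


def is_sinkholed(name: str, vip: str, lookup=socket.gethostbyname) -> bool:
    """True if the answer a client receives for name is the DNSBL virtual IP.
    An unresolvable name is not a sinkhole hit."""
    try:
        return lookup(name) == vip
    except socket.gaierror:
        return False
```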