How to reproduce pfBlockerNG functionality in OPNsense

OPNsense is a popular firewall/router that shares many of its features and functionality with pfSense. That shouldn’t come as much of a surprise because OPNsense is actually a fork of pfSense – both of which are based on FreeBSD.

Netgate, the company behind pfSense’s development, recently decided to create a premium version of pfSense (pfSense Plus) that includes proprietary premium features alongside the fully open-source version (pfSense Community Edition). That development shift has led many pfSense users to believe pfSense CE will slowly be abandoned.

Because of that, many pfSense users have jumped ship (or are considering switching) to OPNsense. The two are very similar, and you can achieve most of the same things on both systems. But their configurations have substantial differences by now, leaving OPNsense users wondering how to reproduce the functionality they relied on in pfSense.

A very common question on the OPNsense forum is how to reproduce the functionality of pfSense’s pfBlockerNG – an extremely popular add-on package for pfSense CE/Plus. The pfBlockerNG package enhances your firewall’s functionality by allowing you to filter inbound and outbound connections using IP and DNS blocklists.

pfBlockerNG has two main features:

IP-based Inbound & outbound traffic filtering

Using pfBlockerNG, you can filter both inbound and outbound traffic using IP lists. It also implements GeoIP restrictions to permit or prohibit traffic to and from certain countries. That is especially useful if you have open ports on your WAN.

DNS-based ad and malicious site blocking

pfBlockerNG’s other main feature is blocking ads and preventing access to malicious sites without a proxy server. It performs its filtering using DNS – specifically, a technique called DNS-blackholing. With pfBlockerNG, your DNS requests are cross-referenced against a list of blocked domains as you go about your business on the internet. If there’s a match, the request is denied. If not, it goes through untouched.

OPNsense does not have a pfBlockerNG plugin, but its main functionality can be implemented manually – that is, without installing extra packages. And in many ways, it’s easier to configure once you wrap your head around OPNsense’s implementation. It’s not more complex, just different.

This post will explain how to configure OPNsense with pfBlockerNG functionality. It assumes you have a working OPNsense configuration with working WAN and LAN interfaces and are using the Unbound DNS Resolver for DNS resolution (this is a requirement).


Let’s get started.

Setting up IP-based filtering

As mentioned above, one of pfBlockerNG’s main features is IP address-based filtering, including GeoIP functionality (i.e., blocking or allowing traffic to and from specified countries using GeoIP lists). We’ll configure both.

The first thing we need to do is add our IP lists to OPNsense. This is done using Aliases – specifically, we’ll create a URL Table alias. URL Table aliases can contain URLs used to download the IP address lists locally, and they work exactly the same way in OPNsense as in pfSense.

The lists themselves (URLs) can be found on the internet. You can also use the same lists you were using in pfBlockerNG if you were on pfSense before.

Creating a URL table alias

  1. From the side menus, select Firewall > Aliases. The main Aliases page is displayed.
  2. Click the + sign to create a new alias. The Edit Alias page is displayed.
  3. Tick the Enabled box.
  4. Enter a name for your alias in the Name field. Spaces are not permitted.
  5. Select URL Table (IPs) from the Type drop-down menu.
  6. Set your desired Refresh Frequency. I set mine to refresh every day at midnight.
  7. Copy and paste each URL individually in the Content box.
  8. Optionally provide a description for your alias in the Description field.
  9. Click Save. You’re taken back to the main Aliases page, and we can see our newly created alias in the list.
  10. Click Apply.

We’ve successfully created our IP address filtering alias. We’re now going to create a GeoIP alias.

Creating a GeoIP alias

  1. From the main Aliases page, select the GeoIP settings tab. The GeoIP settings page is displayed.
  2. The page only contains a single field for your GeoIP URL. The GeoIP database is provided by MaxMind. To access the database, you first need to create a free account with MaxMind by visiting: https://www.maxmind.com/en/geolite2/signup.
  3. Complete the signup form on the MaxMind page.
  4. Once you’ve signed up, you will receive your license key via email. Then, on OPNsense’s GeoIP settings page, enter the following URL, https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<YOUR LICENSE KEY>&suffix=zip, replacing <YOUR LICENSE KEY> with your actual license key. The license key consists of an alphanumeric string of 16 characters.
  5. Click Apply to begin downloading the GeoIP database.
  6. Once downloaded, the Last updated and Total number of ranges fields are populated. Select the Aliases tab. You’re taken back to the main Aliases page.
  7. Click the + sign to create a new alias. The Edit Alias page is displayed. We’ll be creating a GeoIP alias for the United States.
  8. Tick the Enabled box.
  9. Enter a name for your GeoIP alias in the Name field. Spaces are not permitted.
  10. Select GeoIP and IPv4 from the Type drop-down menus.
  11. From the Americas drop-down menu in the Content section, select United States.
  12. Optionally tick the Statistics box.
  13. Optionally provide a description for your alias in the Description box.
  14. Click Save. You’re taken back to the main Aliases page, and we can see our GeoIP alias in the list.
  15. Click Apply to apply the changes.

We’ve now created two IP address aliases:

  1. A URL table alias that contains our IP address lists for malicious traffic filtering.
  2. A GeoIP alias containing all IP address ranges from the United States.

We’re going to implement our URL Table IP alias for filtering purposes through floating rules. Floating rules are a subclass of firewall rules that are referenced for matching traffic before the “regular” firewall rules. Floating rules can also be applied to multiple interfaces within the same rule. Floating rules are very powerful, but they need to be configured carefully, as they can create problems if misconfigured.

Our GeoIP alias will be implemented through a Port Forward rule. GeoIP rules are really only useful if you have open ports on your OPNsense WAN to host web-accessible servers within your network, for example. Because OPNsense already blocks all incoming traffic on the WAN by default, there’s no need to duplicate this behavior by “blocking the world” – you’ll just add an unneeded load to your system. Instead, we will create a port forward rule that allows only US-based IP addresses to connect to the server using our US GeoIP alias.

We’ll start by configuring malicious IP address filtering using floating rules.

Creating an inbound floating rule for malicious traffic filtering

  1. From the side menus, go to Rules > Floating (we’re already in the Firewall section). The Floating Firewall Rules page is displayed.
  2. Click the + sign to create a new floating rule.
  3. Select Block from the Action drop-down menu.
  4. Select WAN from the Interface drop-down menu.
  5. Set the Direction to In.
  6. Set the TCP/IP Version to IPv4.
  7. Set the Protocol to any.
  8. From the Source drop-down menu, select the URL Table alias we created earlier. Mine is called MALICIOUS_IPS. Note that I could restrict the rule to only apply to the open ports on my WAN, but if I want to specify a port number, I can’t set the protocol to any. I’d rather live with some “duplicate blocking” than restrict the traffic types or create rules for each one.
  9. Optionally enter a description for our floating rule in the Description field.
  10. Click Save. You’re taken back to the main Floating Firewall Rules page.
  11. We can see our floating rule is displayed. Click Apply Changes.
  12. You should see The changes have been applied successfully at the top of the page.

Creating an outbound floating rule for malicious traffic filtering

  1. Click the + sign to add another floating rule.
  2. Select Reject from the Action drop-down menu.
  3. Select LAN from the Interface drop-down menu. If you have any other LAN-type interfaces on your system, you can add them here.
  4. Set the Direction to any.
  5. Set the TCP/IP Version to IPv4.
  6. Set the Protocol to any.
  7. Set the Source to any.
  8. From the Destination drop-down menu, select the URL Table alias we created earlier. Mine is MALICIOUS_IPS.
  9. Optionally enter a description for our floating rule in the Description field.
  10. Click Save. You’re taken back to the main Floating Firewall Rules page.
  11. We can see our second floating rule is displayed. Click Apply Changes.
  12. You should see The changes have been applied successfully at the top of the page.

We’ve now configured malicious traffic blocking using IP address lists within URL Table aliases. Any incoming traffic from the IP addresses included in the alias will be blocked on the WAN – even with ports open. And any outgoing traffic from your LAN to any of those IP addresses will be rejected. The difference between Reject and Block is that Reject informs the sender that the connection was refused, whereas Block silently drops the packets.
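To make the behaviour of the two floating rules concrete, here is an added example (written for this post, not OPNsense code) that parses a constructed IP list in the plain-text form a URL Table (IPs) alias downloads and then evaluates packets against the WAN-inbound block rule and the LAN reject rule. The alias name MALICIOUS_IPS and the sample addresses are assumptions.

```python
"""Model of the floating rules above: a URL Table alias becomes a set of
networks, and traffic is matched against it by interface and direction."""
import ipaddress

# Constructed sample of a downloaded IP list (not a real feed): comments,
# blank lines, single hosts, CIDR ranges and one malformed line.
SAMPLE_LIST = """\
# Example feed, constructed for this post
203.0.113.0/24
198.51.100.17
not-an-address
192.0.2.128/25 ; trailing comment
"""

def parse_url_table(text):
    """Return the IPv4 networks an alias would load from the list body."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # unparsable lines are skipped rather than aborting the load
        if net.version == 4:  # the rules above were created for IPv4 only
            nets.append(net)
    return nets

MALICIOUS_IPS = parse_url_table(SAMPLE_LIST)

def in_alias(addr, nets=MALICIOUS_IPS):
    """True if the address falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def floating_verdict(iface, direction, src, dst):
    """Rule 1: WAN, in, source in alias -> block (silent drop).
    Rule 2: LAN, any direction, destination in alias -> reject (refused).
    Anything else falls through to the regular interface rules."""
    if iface == "WAN" and direction == "in" and in_alias(src):
        return "block"
    if iface == "LAN" and in_alias(dst):
        return "reject"
    return "pass"
```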

Now we will configure a port forward rule allowing only US-based IP addresses to access our server. IP addresses from all other countries will be blocked by default. If you aren’t hosting any servers, you can skip this step.

Creating a port forward rule using a GeoIP alias

  1. From the side menus, go to NAT > Port Forward (we are already in the Firewall section). The main Port Forward page is displayed.
  2. Click the + sign to create a new port forward rule.
  3. Select WAN from the Interface drop-down menu.
  4. Select IPv4 from the TCP/IP Version drop-down menu.
  5. Select TCP from the Protocol drop-down menu.
  6. From the Source drop-down menu, select the GeoIP alias we created earlier. Mine is called US.
  7. Select WAN address from the Destination drop-down menu.
  8. In the Destination port range section, set the To and From drop-down menus to Other and enter the port number your server listens on in the underneath fields. I’ll be using port 8080 for this example.
  9. Select Single Host or Network from the Redirect target IP drop-down menu and enter your server’s IP address underneath.
  10. Set the Redirect target port to Other and enter the port number underneath.
  11. Optionally enter a description for your port forward rule in the Description field.
  12. Set the Filter rule association drop-down menu to Add associated filter rule. This will create a matching firewall rule on the WAN interface allowing incoming traffic that matches the port forward rule.
  13. Click Save. You’re taken back to the main Port Forward page.
  14. We can see our port forward rule is displayed. Click Apply Changes.
  15. You should see The changes have been applied successfully at the top of the page.
  16. From the side menus, select WAN (we are already in the Firewall > Rules section).
  17. We can see our auto-created rule in the list.
  18. Because I have a US-based IP address, I should be granted access if I attempt to access the server. Hooray, it works.

Now that we’ve set up malicious IP address filtering and used a GeoIP alias to granularly allow traffic to our server, we’re ready to tackle pfBlockerNG’s other major tenet: blocking ads and malware using DNS blackholing.

We will set this up in the Unbound DNS Resolver, which natively supports blocklists in OPNsense.

Setting up DNS blackholing in Unbound

  1. From the side menus, select Services > Unbound DNS > General. The Unbound General page is displayed.
  2. Make sure that the Network Interfaces drop-down menu is either set to All (recommended) or that your LAN-type interfaces are selected.
  3. From the side menus, select Blocklist (we are already in the Services > Unbound DNS section). The Blocklist page is displayed.
  4. Tick the Enable box.
  5. Select EasyList and EasyList Privacy from the Type of DNSBL drop-down menu. Feel free to select other lists if you like.
  6. Optionally add a custom blocklist in the URLs of Blocklists field. I will add https://dbl.oisd.nl/ in this example.
  7. Click Apply.
  8. To make sure our DNSBL is working properly, let’s add a custom entry in the Blocklist Domains field. I will add facebook.com and click Apply again.
  9. Now if I try to access facebook.com using a web browser, I get an error page. That’s what we want.
  10. Ads should now be blocked! Test it out by loading the same ad-supported page with and without DNS blackholing:

Without DNS blackholing

With DNS blackholing
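The Unbound blocklist above works by turning every listed domain into a blocked zone, so a query for the domain or any of its subdomains gets no usable answer. This added example (written for this post, not OPNsense’s or Unbound’s code) parses a constructed feed that mixes the plain-domain format used by lists such as https://dbl.oisd.nl/ with EasyList-style `||domain^` entries, then answers whether a name would be blackholed. The feed contents and the reserved example domains are assumptions.

```python
"""Model of DNS blackholing: parse a domain blocklist, then match queries
against it the way a blocked zone covers all of its subdomains."""
import re

# Constructed sample feed (real lists carry hundreds of thousands of entries).
SAMPLE_FEED = """\
# plain domains, one per line
ads.example.net
tracker.example.org
! EasyList-style lines
||banner.example.com^
||example.invalid^$third-party
example.com/path/only   # a URL path rule, not a DNS block: skipped
"""

_ADBLOCK = re.compile(r"^\|\|([a-z0-9.-]+)\^")   # ||domain^ with optional $options
_DOMAIN = re.compile(r"^[a-z0-9.-]+$")           # a bare hostname

def parse_blocklist(text):
    """Return the set of domains that would be loaded as blocked zones."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith("!"):   # '!' starts an EasyList comment
            continue
        match = _ADBLOCK.match(line)
        if match:
            name = match.group(1)
        elif _DOMAIN.match(line):
            name = line
        else:
            continue  # path rules, cosmetic filters etc. are not DNS entries
        blocked.add(name.strip("."))
    return blocked

BLOCKED = parse_blocklist(SAMPLE_FEED)

def is_blackholed(qname, blocked=BLOCKED):
    """A query is blackholed if the name itself or any parent domain is
    listed; a listed zone covers every label beneath it."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))
```

Adding a domain in the Blocklist Domains field, as facebook.com was above, is the same operation as one more line in the feed.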

Wrap Up

That’s how we can mimic the functionality of pfSense’s excellent pfBlockerNG add-on package. It can be daunting to try and figure out how to achieve this in OPNsense, as the settings are found throughout the OPNsense UI as opposed to being centralized in the add-on package’s UI. But, in many respects, it’s a bit easier to configure in OPNsense.

Stay safe.
