How to reproduce pfBlockerNG functionality in OPNsense

OPNsense is a popular firewall/router that shares many of its features and functionality with pfSense. That shouldn’t come as much of a surprise because OPNsense is actually a fork of pfSense – both of which are based on FreeBSD.

Netgate, the company behind pfSense’s development, recently decided to create a premium version of pfSense (pfSense Plus) that includes proprietary premium features alongside the fully open-source version (pfSense Community Edition). That development shift has led many pfSense users to believe pfSense CE will slowly be abandoned.

Because of that, many pfSense users have jumped ship (or are considering switching) to OPNsense. The two are very similar, and you can achieve most of the same things on both systems. But their configurations have substantial differences by now, leaving OPNsense users wondering how to reproduce the functionality they relied on in pfSense.

A very common question on the OPNsense forum is how to reproduce the functionality of pfSense’s pfBlockerNG – an extremely popular add-on package for pfSense CE/Plus. pfBlockerNG package enhances your firewall’s functionality by allowing you to filter inbound and outbound connections using IP and DNS blocklists.

pfBlockerNG has two main features:

IP-based Inbound & outbound traffic filtering

Using pfBlockerNG, you can filter both inbound and outbound traffic using IP lists. It also implements GeoIP restrictions to permit or prohibit traffic to and from certain countries. That is especially useful if you have open ports on your WAN.

DNS-based ad and malicious site blocking

pfBlockerNG’s other main feature is blocking ads and preventing access to malicious sites without a proxy server. It performs its filtering using DNS – specifically, a technique called DNS-blackholing. With pfBlockerNG, your DNS requests are cross-referenced against a list of blocked domains as you go about your business on the internet. If there’s a match, the request is denied. If not, it goes through untouched.

OPNsense does not have a pfBlockerNG plugin, but its main functionality can be implemented manually – that is, without installing extra packages. And in many ways, it’s easier to configure once you wrap your head around OPNsense’s implementation. It’s not more complex, just different.

This post will explain how to configure OPNsense with pfBlockerNG functionality. It assumes you have a working OPNsense configuration with working WAN and LAN interfaces and are using the Unbound DNS Resolver for DNS resolution (this is a requirement).

OPNsense - pfBlocker - Dashboard

Let’s get started.

Setting up IP-based filtering

As mentioned above, one of pfBlockerNG’s main features is IP address-based filtering, including GeoIP functionality (i.e., blocking or allowing traffic to and from specified countries using GeoIP lists). We’ll configure both.

The first thing we need to do is add our IP lists to OPNsense. This is done using Aliases – specifically, we’ll create a URL Table alias. URL Table aliases can contain URLs used to download the IP address lists locally, and they work exactly the same way in OPNsense as in pfSense.

The lists themselves (URLs) can be found on the internet. You can also use the same lists you were using in pfBlockerNG if you were on pfSense before.

Creating a URL table alias

  1. From the side menus, select Firewall > Aliases. The main Aliases page is displayed. OPNsense - pfBlocker - Firewall - Aliases
  2. Click the + sign to create a new alias. The Edit Alias page is displayed. OPNsense - pfBlocker - Aliases - ClickPlus
  3. Tick the Enabled box.
  4. Enter a name for your alias in the Name field. Spaces are not permitted.
  5. Select URL Table (IPs) from the Type drop-down menu.
  6. Set your desired Refresh Frequency. I set mine to refresh every day at midnight.
  7. Copy and paste each URL individually in the Content box.
  8. Optionally provide a description for your alias in the Description field.
  9. Click Save. You’re taken back to the main Aliases page, and we can see our newly created alias in the list. OPNsense - pfBlocker - Alias Configuration
  10. Click Apply. OPNsense - pfBlocker - IP Alias Created

We’ve successfully created our IP address filtering alias. We’re now going to create a GeoIP alias.

Creating a GeoIP alias

  1. From the main Aliases page, select the GeoIP settings tab. The GeoIP settings page is displayed. OPNsense - pfBlocker - Select GeioIP Settings Tab
  2. The page only contains a single field for your GeoIP URL. The GeoIP database is provided by MaxMind. To access the database, you first need to create a free account with MaxMind by visiting: https://www.maxmind.com/en/geolite2/signup. OPNsense - pfBlocker - GeoIP Settings - Emply
  3. The MaxMind signup page looks like this: OPNsense - pfBlocker - MaxMind SignUp
  4. Once you’ve signed up, you will receive your license key via email. Then, on OPNsense’s GeoIP settings page, enter the following URL, https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=<YOUR LICENSE KEY>&suffix=zip, replacing <YOUR LICENSE KEY> with your actual license key. The license key consists of an alphanumeric string of 16 characters.
  5. Click Apply to begin downloading the GeoIP database. OPNsense - pfBlocker - GeoIP URL
  6. Once downloaded, the Last updated and Total number of ranges fields are populated. Select the Aliases tab. You’re taken back to the main Aliases page. OPNsense - pfBlocker - GeoIP Database Downloaded
  7. Click the + sign to create a new alias. The Edit Alias page is displayed. We’ll be creating a GeoIP alias for the United States. OPNsense - pfBlocker - Aliases Tab - ClickPlus
  8. Tick the Enabled box.
  9. Enter a name for your GeoIP alias in the Name field. Spaces are not permitted.
  10. Select GeoIP and IPv4 from the Type drop-down menus.
  11. From the Americas drop-down menu in the Content section, select United States.
  12. Optionally tick the Statistics box.
  13. Optionally provide a description for your alias in the Description box.
  14. Click Save. You’re taken back to the main Aliases page and we can see our GeoIP alias in the list. OPNsense - pfBlocker - GeoIP Alias Configuration
  15. Click Apply to apply the changes. OPNsense - pfBlocker - GeoIP Alias Created

We’ve now created two IP address aliases:

  1. A URL table alias that contains our IP address lists for malicious traffic filtering.
  2. A GeoIP alias containing all IP address ranges from the United States.

We’re going to implement our URL Table IP alias for filtering purposes through floating rules. Floating rules are a subclass of firewall rules that are referenced for matching traffic before the “regular” firewall rules. Floating rules can also be applied to multiple interfaces within the same rule. Floating rules are very powerful, but they need to be configured carefully, as they can create problems if misconfigured.

Our GeoIP alias will be implemented through a Port Forward rule. GeoIP rules are really only useful if you have open ports on your OPNsense WAN to host web-accessible servers within your network, for example. Because OPNsense already blocks all incoming traffic on the WAN by default, there’s no need to duplicate this behavior by “blocking the world” – you’ll just add an unneeded load to your system. Instead, we will create a port forward rule that allows only US-based IP addresses to connect to the server using our US GeoIP alias.

We’ll start by configuring malicious IP address filtering using floating rules.

Creating an inbound floating rule for malicious traffic filtering

  1. From the side menus, go to Rules > Floating (we’re already in the Firewall section). The Floating Firewall Rules page is displayed. OPNsense - pfBlocker - Rules - Floating
  2. Click the + sign to create a new floating rule. OPNsense - pfBlocker - Floating Rules - ClickPlus
  3. Select Block from the Action drop-down menu.
  4. Select WAN from the Interface drop-down menu.
  5. Set the Direction to In.
  6. Set the TCP/IP Version to IPv4.
  7. Set the Protocol to any.
  8. From the Source drop-down menu, select the URL Table alias we created earlier. Mine is called MALICIOUS_IPS. *Note that I could restrict the rule to only apply to the open ports on my WAN but if I want to specify a port number, I can’t set the protocol to any. I’d rather live with some “duplicate blocking” than restrict the traffic types or create rules for each one.
  9. Optionally enter a description for our floating rule in the Description field.
  10. Click Save. You’re taken back to the main Floating Firewall Rules page. OPNsense - pfBlocker - Floating Malicious IP Rule 1
  11. We can see our floating rule is displayed. Click Apply Changes. OPNsense - pfBlocker - Floating Malicious IP Rule 1 - Apply Changes
  12. You should see The changes have been applied successfully at the top of the page.

Creating an outbound floating rule for malicious traffic filtering

  1. Click the + sign to add another floating rule. OPNsense - pfBlocker - Floatng Rule 2 - ClickPlus
  2. Select Reject from the Action drop-down menu.
  3. Select LAN from the Interface drop-down menu. If you have any other LAN-type interfaces on your system, you can add them here.
  4. Set the Direction to any.
  5. Set the TCP/IP Version to IPv4.
  6. Set the Protocol to any.
  7. Set the Source to any.
  8. From the Destination drop-down menu, select the URL Table alias we created earlier. Mine is MALICIOUS_IPS.
  9. Optionally enter a description for our floating rule in the Description field.
  10. Click Save. You’re taken back to the main Floating Firewall Rules page. OPNsense - pfBlocker - Malicious IP Floating Rule 2 Configuration
  11. We can see our second floating rule is displayed. Click Apply Changes. OPNsense - pfBlocker - Floating Rule 2 - Apply Changes
  12. You should see The changes have been applied successfully at the top of the page. OPNsense - pfBlocker - Floating Rule 2 - Changes Applied

We’ve now configured malicious traffic blocking using IP address lists within URL Table aliases. Any incoming traffic from the IP addresses included in the alias will be blocked on the WAN – even with ports open. And any outgoing traffic from your LAN to any of those IP addresses will be rejected. The difference between Reject and Block is that Reject will inform the user that the connection was refused, whereas Block will silently drop connections.

Now we will configure a port forward rule allowing only US-based IP addresses to access our server. IP addresses from all other countries will be blocked by default. If you aren’t hosting any servers, you can skip this step.

Creating a port forward rule using a GeoIP alias

  1. From the side menus, go to NAT > Port Forward (we are already in the Firewall section). The main Port Forward page is displayed. OPNsense - pfBlocker - GoTo NAT - Port Forward
  2. Click the + sign to create a new port forward rule. OPNsense - pfBlocker - Port Forward - Click Plus
  3. Select WAN from the Interface drop-down menu.
  4. Select IPv4 from the TCP/IP Version drop-down menu.
  5. Select TCP from the Protocol drop-down menu.
  6. From the Source drop-down menu, select the GeoIP alias we created earlier. Mine is called US.
  7. Select WAN address from the Destination drop-down menu.
  8. In the Destination port range section, set the To and From drop-down menus to Other and enter the port number your server listens on in the underneath fields. I’ll be using port 8080 for this example.
  9. Select Single Host or Network from the Redirect target IP drop-down menu and enter your server’s IP address underneath.
  10. Set the Redirect target port to Other and enter the port number underneath.
  11. Optionally enter a description for your port forward rule in the Description field.
  12. Set the Filter rule association drop-down menu to Add associated filter rule. This will create a matching firewall rule on the WAN interface allowing incoming traffic that matches the port forward rule.
  13. Click Save. You’re taken back to the main Port Forward page. OPNsense - pfBlocker - Port Forward Configuration
  14. We can see our port forward rule is displayed. Click Apply Changes. OPNsense - pfBlocker - Port Forward Rules Created - Apply Changes
  15. You should see The changes have been applied successfully at the top of the page. OPNsense - pfBlocker - Port Fprward - Changes Applied
  16. From the side menus, select WAN (we are already in the Firewall > Rules section). OPNsense - pfBlocker - Go To Rules - WAN
  17. We can see our auto-created rule in the list. OPNsense - pfBlocker - WAN Rule
  18. Because I have a US-based IP address, I should be granted access if I attempt to access the server. Hooray, it works. OPNsense - pfBlocker - Access Server Behind Firewall

Now that we’ve set up malicious IP address filtering and used a GeoIP alias to granularly allow traffic to our server, we’re now ready to tackle pfBlockerNG’s other major tenant: blocking ads and malware using DNS blackholing.

We will set this up in the Unbound DNS Resolver, which natively supports blocklists in OPNsense.

Setting up DNS blackholing in Unbound

  1. From the side menus, select Services > Unbound DNS > General. The Unbound General page is displayed. OPNsense - pfBlocker - Go To Services - Unbound DNS - General
  2. Make sure that the Network Interfaces drop-down menu is either set to All (recommended) or that your LAN-type interfaces are selected. OPNsense - pfBlocker - Unbound DNS Interfaces
  3. From the side menus, select Blocklist (we are already in the Services > Unbound DNS section). The Blocklist page is displayed. OPNsense - pfBlocker - Go To Blocklist
  4. Tick the Enable box.
  5. Select EasyList and EasyList Privacy from the Type of DNSBL drop-down menu. Feel free to select other lists if you like.
  6. Optionally add a custom blocklist in the URLs of Blocklists field. I will add https://dbl.oisd.nl/ in this example.
  7. Click Apply. OPNsense - pfBlocker - Unbound DNS Blocklist Configuration
  8. To make sure our DNSBL is working properly, let’s add a custom entry in the Blocklist Domains field. I will add facebook.com and click Apply again. OPNsense - pfBlocker - Unbound DNS - Block Facebook
  9. Now if I try to access facebook.com using a web browser, I get the below error. That’s what we want. OPNsense - pfBlocker - Unbound DNS - Facebook Blocked
  10. Ads should now be blocked! Test it out:

Without DNS blackholing

OPNsense - pfBlocker - Unbound - No DNS Blocking

With DNS blackholing

OPNsense - pfBlocker - Unbound - With DNS Blocking

Wrap Up

That’s how we can mimic the functionality of pfSense’s excellent pgBlockerNG add-on package. It can be daunting to try and figure out how to achieve this in OPNsense as the settings are found throughout the OPNsense UI as opposed to being centralized in the add-on package’s UI. But, in many respects, it’s a bit easier to configure in OPNsense.

Stay safe.

Related: