Introduction
More and more users are asking for bringing pfBlocker to OPNsense, or telling they don’t use OPNsense because all the features pfBlocker offers arent useable with OPNsense. The current main problem are missing updates in the documentation or just a lack of features.
GeoIP
If you search the docs for GeoIP you only get results with the implementation via Suricata. Using an IPS for GeoIP results in two problems:
- You can not mix it with firewall rules since IPS comes first
- No granularity, e.g. only block SMTP from specific countries
Since about 17.7.10 there’s the availability of GeoIP aliases with a very easy mechanism:
Just create an alias, put in the countries to allow or block and add a rule. Within rules you can also negate, so you have the full control like within pfBlocker, and you don’t have to manage double aliases or rules, it’s all in there. 🙂
External Blacklists / IP block lists
External lists are also managed via Aliases.
Use URL table, add the link and the time how often to reload the list. With 18.1 it’s also possible to load more often than once a day (also a feature many users compared against pfBlocker).
There are many lists out there like FireHOL:
https://lists.blocklist.de/lists/
Be sure to test them first because FireHOL1 e.g. also blocks private IPs!
When using big lists be sure to set Firewall : Settings : Advanced : Firewall Maximum States to a value beyond 1Mio.
Blocking Ad’s (Option 0 – NEW)
With version 20.7 you now have os-unbound-plus Plugin in Core, you can just setup Blacklisting via Services : Unbound : Blacklist.
Blocking Ad’s (Option 0 – OLD)
With version 20.1.4 you now have os-unbound-plus Plugin, offering native DNSL via Unbound. Just install the plugin and behind Services-Unbound DNS-Blacklist, you’ll find predefined lists but also allowing you to grep your own lists which is unsupported in BIND or dnscrypt-proxy. It offers DNS over TLS too and will nearly find it’s way into core, so you don’t have to install any plugins.
Blocking Ad’s (Option 1)
With 18.7.1 there is a new BIND plugin with offers DNSBL via RPZ. There you can choose from a bunch of public available blacklists like with PiHole. The amount of lists will grow, but for now it’s a good start. When you install the plugin it listens only on localhost port 53530, so it won’t interfere with your already configured Unbound or dnsmasq.
For testing you can just do a portforward from some interal IPs to your localhost:53530 and enjoy the blocked Ads, Malware or Porn.
Here’s a small guide for BIND Plugin:
Blocking Ad’s (Option 2)
Blocking Ad’s can also be done via Unbound and DNSBL, it’s described here, so I won’t reinvent the wheel:
https://devinstechblog.com/block-ads-with-dns-in-opnsense/
Final words
I know there are more features that pfBlocker supports (ASN lists etc.) but I think with the tweaks above you can easily reach your goals with a fair amount of work. Since all the tools are already there it doesn’t make really sense to build an own plugin.
If you have further comments you can reach me in the OPNsense forums 🙂