Ben Oliver
Now
How
Fred Taylor-Young
How to block ads and trackers on your firewall with pfBlocker
"Nuke those pesky ads before they even reach your device."
February 27 2016 - 08:40 UTC

If there’s one thing I cannot stand online, it’s ads. At best they are a nuisance, at worst they are dangerous. A few months back I encountered a serious problem when I asked a user to download the CyberDuck FTP program:

I had ublock on and did not realise that on the ‘raw’ version of the page, there was an ad which simply said ‘DOWNLOAD’. The user clicked that instead of the real download link and ended up with some shit on their Mac that took hours to get rid of.

There are some great tools out there like uBlock Origin which work as browser extensions to block out ads, trackers and dodgy domains and I recommend everyone go out and install it. Rooted Android users should use AdAway.

However, pfSense users can take it one step further by blocking this sludge at the firewall level. This way, any device on your network will be ad-blocked whether they have the extension installed or not.

Anyone with a firewall can block IPs and domains, but I want to talk about an extension, pfBlockerNG, which simplifies the task by automatically downloading lists of ad servers and creating rules to block them.

You may find you have not had much joy with pfBlocker in the past, I am one of those people, but recent updates and new features have made it work reliably for me now, so I’m posting this to share how I got it working.

Installation

This is painless.

  1. Go to your pfsense web interface
  2. System->Packages
  3. Click ‘Available Packages’
  4. Scroll down to pfBlockerNG and click the little + icon.
  5. Click ‘Confirm’ and wait for the installer to finish.

Set up

If the install worked then you should see pfBlockerNG in the ‘Firewall’ drop down menu.

I’ll take you through the relevant tabs.

General Settings

pfBlockerNG General Settings

Interface/Rules Configuration

IPv4

Click ‘add new alias’

IPv4

IPv4 Custom list

This is a good place to put extra stuff in. I have an alias where I just use this box and no lists, to block specific IPs. I have another alias where I allow specific IPs too.

You can also use a firewall rule with a ‘regular’ pfSense alias but I use this because it puts it all in one place.

When you are done click save. Then where you are done adding aliases, click save on the ‘index’ page.

DNSBL

This is a trick I had missed before, but I wish I had seen it sooner. Since enabling this, lots more ads have been blocked. I also have not seen it mentioned on other guides.

DNSBL

DNSBL IP Firewall Rule Settings

DNSBL Feeds

Very similar to above. Make sure your feeds are lists of host names, not IP addresses.

DNSBL EasyList

Easylist is a popular and effective list, for some reason built into pfBlocker. Makes life easy for us.

Hit save.

Loading the rules

This will happen on its own at the set time, but you can manually update the lists.

For testing purposes I like to open a site with ads first, then reload the site to make sure the ads are gone.

  1. Go to the ‘Update’ tab
  2. Click ‘Force Update’
  3. Look at the live-view of the logs to make sure there are no errors.

Conclusion

That’s it! This is an easy way to stop users on your network getting ads.

If you get lots of stuff blocked that you do not want blocking, look at the logs to determine which list is causing the problem. When I first set this up I went way overboard and ended up trimming the list down considerably!