OPNsense Forum

English Forums => General Discussion => Topic started by: Inxsible on March 03, 2021, 07:00:40 am

Title: Unbound BlockList vs Firewall Alias+Rule
Post by: Inxsible on March 03, 2021, 07:00:40 am
Recent migrant from pfSense. I was using pfBlockerNG-devel on pfSense.

Since I have been using OPNsense (2 days now) -- I see a lot more ads being loaded on various websites. So I was searching the web and these forums on how to set up alternatives to pfBlockerNG, since no plugin is available on OPNsense. I found a bunch of different ways -- AdGuard Home, Unbound DNSBL, a separate Pi-hole server and https://docs.opnsense.org/manual/how-tos/edrop.html

Unbound DNSBL seems simple enough where you add a block list under Services-->Unbound-->Blocklist and click Apply

But the link for the Spamhaus list gave me reason to look at the Firewall Aliases, and I found that you can create many different types of aliases in OPNsense (not sure if this was possible in pfSense too -- if it was, it wasn't as obvious).
If I create an alias of type URL Table (IPs), it also asks for a Refresh Frequency, which I assume creates a cron job to auto-renew the lists. I also assume that I can create N number of aliases for all the different block lists that I want and simply add a firewall rule to block access to any URL in those aliases.

So the question is: at first glance it seems Unbound blocklist is easier -- but then you would have to separately create cron jobs for each list to be updated.
The firewall alias + rules seem to create the auto-renewal of the lists, but you would need an alias and a rule.

Thanks,
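The DNSBL half of the question, as an added worked example that is not OPNsense's code and makes no claim about what the Services > Unbound > Blocklist page actually writes: a small Python script that turns a hosts-format blocklist feed into Unbound local-zone statements, applies a whitelist (the nordvpn.com kind of false positive), and drops entries already covered by a parent zone. The feed text, every domain name in it and the whitelist are constructed for the example; answering 0.0.0.0 through a `redirect` zone is one common blocking style and is an assumption here, not the only way to do it.

```python
"""Turn a hosts-format DNS blocklist into Unbound local-zone statements.

Added example, not OPNsense code: it does not reproduce what the
Services > Unbound > Blocklist page writes. The feed, the names in it and the
whitelist are constructed; answering 0.0.0.0 via a 'redirect' zone is one
common blocking style, chosen here as an assumption.
"""
import ipaddress

# Constructed sample feed in the hosts style most DNSBL sources use.
SAMPLE_HOSTS_FEED = """\
# Title: constructed sample feed (hosts format)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net          # a tracker
0.0.0.0 cdn.ads.example.net      # redundant: the parent zone already catches it
0.0.0.0 example-cdn.net          # a whole CDN, of which we still need one host
0.0.0.0 nordvpn.com              # false positive, see whitelist below
0.0.0.0 api.nordvpn.com
telemetry.example.org            # plain domain-per-line feeds also occur
"""

# Constructed whitelist: a whole domain, and one host under a blocked parent.
WHITELIST = ("nordvpn.com", "static.example-cdn.net")

# Names hosts files carry for the local machine; never turn these into zones.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def parse_hosts_feed(text):
    """Return the set of lowercase domain names a feed asks to block."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
            names = fields[1:]                    # hosts format: IP, then names
        except ValueError:
            names = fields                        # plain domain-per-line format
        for name in names:
            name = name.lower().rstrip(".")
            if name and name not in LOCAL_NAMES:
                domains.add(name)
    return domains


def covered_by(name, zones):
    """True if name itself or any parent domain of it is in zones."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))


def build_unbound_blocklist(feed_text, whitelist=()):
    """Return Unbound config lines for the feed, honouring the whitelist."""
    allow = {w.lower().rstrip(".") for w in whitelist}
    blocked = {d for d in parse_hosts_feed(feed_text) if not covered_by(d, allow)}

    def parent(name):
        return name.split(".", 1)[1] if "." in name else ""

    lines = []
    # A redirect zone already answers for every subdomain, so children of a
    # blocked domain add nothing but size; keep only the topmost zones.
    for zone in sorted(d for d in blocked if not covered_by(parent(d), blocked)):
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. A 0.0.0.0"')
    # A whitelisted host under a blocked zone is still swallowed by the parent's
    # redirect; give it a closer-matching transparent zone so it resolves.
    for host in sorted(allow):
        if covered_by(parent(host), blocked):
            lines.append(f'local-zone: "{host}." transparent')
    return lines


if __name__ == "__main__":
    print("\n".join(build_unbound_blocklist(SAMPLE_HOSTS_FEED, WHITELIST)))
```

The transparent carve-out is the part worth noticing: a `redirect` zone catches every subdomain, so taking a host off the list is not enough when its parent stays blocked; it needs its own, more specific zone. That is also why a whitelist entry for a whole domain (nordvpn.com) is checked by suffix rather than by exact string.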
Title: Re: Unbound BlockList vs Firewall Alias+Rule
Post by: hushcoden on March 03, 2021, 08:49:58 pm
I use both, and they complement each other pretty well.

I have 7 aliases for 'dangerous' IPs + firewall rules, as well as using the blacklist feature of Unbound: they are not too many, but you can add additional URLs when you select advanced mode.
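For the alias side hushcoden mentions (the URL Table (IPs) type from the question), an added example that is not OPNsense or Spamhaus code: a Python loader for a one-entry-per-line IP/CIDR feed that tolerates comments and junk lines, collapses overlapping prefixes, and answers whether a given address is in the table. The feed and every address in it are constructed; the `CIDR ; comment` layout is only modelled on the DROP style the edrop how-to links to.

```python
"""Load a URL Table (IPs)-style feed and test addresses against it.

Added example, not OPNsense or Spamhaus code. The feed is constructed; its
'CIDR ; comment' layout is modelled on the Spamhaus DROP style, but any
one-entry-per-line list of IPs or CIDRs with ';' or '#' comments is accepted.
"""
import ipaddress

# Constructed sample feed; none of these are real listings.
SAMPLE_IP_FEED = """\
; constructed sample feed
192.0.2.0/24 ; SBL000001
192.0.2.128/25 ; SBL000002   (already inside the /24 above)
198.51.100.7                 # bare host, no prefix length
2001:db8:bad::/48 ; SBL000003
not-an-address ; junk line a real feed may occasionally contain
"""


def parse_ip_feed(text):
    """Return a minimal sorted list of IPv4 then IPv6 networks from the feed."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue                    # one bad line must not drop the table
    # Merge overlapping or adjacent prefixes so the table holds no redundant
    # entries; collapse_addresses needs a single address family at a time.
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def is_listed(address, nets):
    """True if address falls inside any network of the loaded table."""
    addr = ipaddress.ip_address(address)
    return any(addr in n for n in nets if n.version == addr.version)


def table_lines(nets):
    """Render the table as pfctl-style 'address/prefix' lines."""
    return [str(n) for n in nets]


if __name__ == "__main__":
    table = parse_ip_feed(SAMPLE_IP_FEED)
    print("\n".join(table_lines(table)))
    for probe in ("192.0.2.200", "198.51.100.8", "2001:db8:bad::1"):
        print(probe, "blocked" if is_listed(probe, table) else "allowed")
```

On the firewall itself, `pfctl -t <table> -T show` lists what pf has actually loaded for a table (OPNsense names the pf table after the alias), which is the quickest way to confirm a URL Table refreshed on schedule. As the question already notes, the table is inert until a rule references the alias.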
Title: Re: Unbound BlockList vs Firewall Alias+Rule
Post by: Inxsible on March 03, 2021, 09:28:00 pm
Thanks.

Yeah, I selected all the DNSBL lists under Unbound except the WindowsSpyBlocker ones, and it still loads a few ads on certain websites. It also unfortunately blocked access to NordVPN, which is my VPN provider, so I had to whitelist nordvpn.com.

So trying to make the DNSBL more restrictive is what led me to research, and I found the Firewall alias creation option for URL Table (IPs). So I guess there are multiple ways to skin the cat.

Another thing I noticed is if I add Blocklist URLs and click Apply, it has no effect on the ads -- maybe it's a combination of cached page or what... but I also tried a new profile in Chromium and Firefox. However, when I did a

Code:
pluginctl -s unbound restart && pluginctl -s dhcpd restart

in the opnsense-shell, I could immediately see the difference in the ads that were loaded or not loaded, depending on whether I had removed or added new URLs in Blocklist.