OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: pricklydevil on February 05, 2016, 11:58:40 am

Title: pfblocker to OPNSense?
Post by: pricklydevil on February 05, 2016, 11:58:40 am
Heya,

First post here and I've used the search function but to no avail on this one :(

Whilst I absolutely love OPN over pF, I'm looking to add some sort of adblocker on my network rather than use the standard adblocking tools in browsers.

I know that pF have the pFblocker addon as part of the latest release and it definitely would do the trick but that would mean moving away from OPN which IMHO is wayy better and easier to use.

Is there a plan to integrate this into OPN? I appreciate that it'll take time/effort/blood/sweat/tears and lots of rewriting, as it's pF code and so doesn't fit with the ethos of OPN, but it would definitely be a big move :)

Unless it's already been done and I'm a complete dunce finding it hehe.

Cheers
Title: Re: pfblocker to OPNSense?
Post by: AdSchellevis on February 05, 2016, 01:32:32 pm
Hi,

I think we already have all of the functionality, but if something is missing it might be worth looking at that specific missing part.
When you want to block GeoIPs, you can use "Intrusion detection" (enable IPS, as of 16.1.2); if you want daily updates from a remote set of IP addresses, you should be able to use aliases, like this:

(https://forum.opnsense.org/images/block_spamhaus_ips.png)

I think this is what you're looking for, but if it's something else, just let me know.

Regards,

Ad
Title: Re: pfblocker to OPNSense?
Post by: pricklydevil on February 05, 2016, 02:40:48 pm
Fantastic! Thank you Ad :D

I didn't realise that you could do that and then just enable the IPS. Guess that'll teach me for not reading *facepalm*

Just as a check, when it says disable hardware offloading, does that mean CRC/TSO and LRO? i.e. all of them?
Title: Re: pfblocker to OPNSense?
Post by: AdSchellevis on February 05, 2016, 02:45:01 pm
You're welcome, and yes, you need to disable all hardware offloading features, otherwise your traffic will very likely be dropped.
Netmap doesn't like the hardware features.

To just block a list of IPs, you can use the aliases (not in IPS, but the normal firewall feature; my screenshot was from that part).
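
Added example, not part of the thread and not OPNsense code: a pre-check for a remote IP list before a firewall alias is pointed at it, so that a broken or overly broad feed cannot block the LAN or everything. The function name `vet_blocklist`, the list format (one address or CIDR per line, `;` or `#` comments), the protected ranges and the prefix limits are all assumptions.

```python
import ipaddress

# Ranges a remote feed should never be allowed to block (assumed policy).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]
MIN_PREFIX = {4: 8, 6: 16}  # reject anything broader than these (assumed)


def vet_blocklist(text):
    """Return (accepted_networks, rejected) for a one-entry-per-line list."""
    accepted, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Strip ';' and '#' comments, both full-line and trailing.
        entry = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((lineno, entry, "not an address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((lineno, entry, "prefix too broad"))
        elif any(net.overlaps(p) for p in PROTECTED if p.version == net.version):
            rejected.append((lineno, entry, "overlaps protected range"))
        else:
            accepted.append(net)
    # Merge duplicates and adjacent ranges, per address family.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    return merged, rejected


# Constructed sample feed (documentation ranges, not real listings).
SAMPLE = """\
; constructed example list
192.0.2.0/25 ; EX1
192.0.2.128/25 ; EX2
198.51.100.7
203.0.113.0/24 # trailing comment
192.168.1.0/24 ; would block the LAN
0.0.0.0/0
<html>error page</html>
2001:db8::/32
"""
```

A non-empty `rejected` list is a signal to inspect the feed before the firewall consumes it; an HTML error page served in place of the list shows up there as entries that are not addresses.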