Archive > 16.7 Legacy Series

Firewall Alias for adblocking


Curly060:
Hi,

I migrated from OpenWRT to OPNSense in the past couple of weeks and can't believe that all these years I wasn't aware of pfSense/OPNSense! I am very happy with pretty much everything, except for the adblocking situation (and perhaps the google rank situation  ;)).

What I would really like to see is DNS based adblocking. I have searched the forum, but the resolution always seems to be transparent proxy (really not an option for me) or some firewall rule with a set of IPs (alias). The latter I am trying to implement:
So I have created a very big list of IP addresses and Domains from various sources (PI-Hole, OpenWRT adblock plugin etc.). The list contains about 120000 entries. Then I created an alias like this:

* Name: Adblock
* Type: URL Table (IPs)
* URL: URL to my list (not public)
Now I do have some questions about this:

* Is it ok to have a mixture of IPs and domain names in my list? I would say yes, OPNSense seems to resolve domains in the background and creates a text file in /var/db/aliastables/Adblock.txt which contains only IPs.
* Is there a limit as to how many IPs I can have for an alias?
* What is a healthy amount of IPs inside an alias? Would it be
* When I look in /var/db/aliastables/Adblock.txt file I notice a lot of duplicate IPs. Should this maybe be optimized or does it not matter?
* What is OPNSense's strategy when the file changes? Will it only look at differences or parse the file fully each time?
* My Alias does not show up under Firewall: Diagnostics: pfTables. However, if I create the alias with a non-capital first letter, then it will appear there. Bug?
* Firewall: Diagnostics: pfTables tells me that there are no entries in my alias. However, when I make my list smaller, suddenly it will show the IP addresses. I have experimented a little: 5000 entries were fine, 10000 already not. So it looks like there is indeed a limit somewhere.
* Are there any plans to integrate DNS based adblocking? Sure I can set up a Pi next to my OPNSense with PI-Hole on it, but I'd prefer the all-in-one solution. Would the DNS based adblocking not be far, far more efficient? I mean, only when a resource is actually requested, the DNS resolver would have to check against the black list (might be costly, but can be cached). As firewall rule with, say 5000 entries, this needs to be checked for pretty much every packet, no? Transparent proxy adblock is IMHO far too complex (CA certificate on every client, maintaining no-ssl-bump list, ...)
Sorry for the sheer volume of the questions, I hope someone takes time to answer them. I have been googling a lot (which is painful because google always returns results for pfSense. OPNSense must get more popular to drive pfSense off the first ranks ;)) and the forum has only like 2-3 posts about adblocking...


Cheers, Curly060 =;->

bartjsmit:
There is a third option - set your DNS to use OpenDNS and create an account there with adware as part of the Web Content Filtering.

Bart...

paramedic233:
Fourth option, and what I have running.
https://docs.opnsense.org/manual/how-tos/cachingproxy.html
Simple and works for me.

Curly060:
Hi,

thanks for the answers.
OpenDNS is not an option for me. The whole point of my OpnSense installation is that I do not need to rely on external services (esp. when their owners are located in the States...). I prefer having as much under my direct control as possible.

Using a proxy is fine, but every client needs to be configured. That will end up in configuration hell and whenever a client bypasses the proxy, I get ads again. So it would have to be a transparent proxy, which I didn't want in the first place.

Well, I have solved the problem in the meantime like this:

* a custom script on a Raspberry Pi creates a hosts file from various sources every week (similar to what Pi Hole does) and uploads it to OpnSense
* Dnsmasq is configured to use this file as additional hosts file => works perfectly and for all clients in my LAN

I was hoping I do not have to rely on the Pi to do this, but well, that's how it is now.

Cheers, Curly060 =;->
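The two halves of this thread (the URL Table alias whose fetched file was full of duplicate IPs, and the weekly script that builds a hosts file for dnsmasq from several block lists) are really one normalisation job. The script below is an added example, not Curly060's Raspberry Pi script and not part of OPNsense: it reads block-list sources in the three common formats (hosts-style `0.0.0.0 name`, bare domain lists, bare IP/CIDR lists), drops comments and entries that are neither a valid hostname nor an address, deduplicates, and emits a hosts file for dnsmasq's `addn-hosts` option plus a one-entry-per-line IP list suitable for a URL Table alias. The sources here are constructed sample text; in practice they would be downloaded from whichever lists you use.

```python
"""Merge ad-block sources into a dnsmasq hosts file and an alias IP list.

Added example (not Curly060's script, not OPNsense code). SOURCES below are
constructed sample lists standing in for downloaded block lists.
"""
import ipaddress
import re

# Constructed sample input: one source in each format such lists commonly use.
SOURCES = {
    "hosts-style": """# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net  # inline comment
127.0.0.1 ads.example.com
""",
    "domain-list": """ads.example.com
Tracker.Example.NET
metrics.example.org
not a domain!
""",
    "ip-list": """192.0.2.10
192.0.2.10
198.51.100.0/24
2001:db8::1
""",
}

# RFC 1123 style hostname with at least one dot (single labels are not blocked).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)
# Names that hosts files carry for their own purposes, never block targets.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
# Sink addresses used by hosts-style block lists.
SINKS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def classify(token):
    """Return ('ip', network), ('domain', name), or None for junk."""
    try:
        return "ip", ipaddress.ip_network(token, strict=False)
    except ValueError:
        pass
    name = token.lower().rstrip(".")
    if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
        return None
    return "domain", name


def parse_source(text):
    """Yield candidate tokens from hosts-style, domain-only or IP-only lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) > 1 and fields[0] in SINKS:
            # hosts-style line: sink address followed by one or more names
            yield from fields[1:]
        else:
            yield fields[0]


def collapse(nets):
    """Deduplicate and merge overlapping networks, per IP version."""
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))  # also sorts
    return out


def merge(sources):
    """Return (sorted domains, collapsed networks, number of skipped tokens)."""
    domains, nets, skipped = set(), set(), 0
    for text in sources.values():
        for token in parse_source(text):
            kind = classify(token)
            if kind is None:
                skipped += 1
            elif kind[0] == "ip":
                nets.add(kind[1])
            else:
                domains.add(kind[1])
    return sorted(domains), collapse(nets), skipped


def render_hosts(domains, sink="0.0.0.0"):
    """Hosts-file text for dnsmasq's addn-hosts option."""
    return "".join(f"{sink} {d}\n" for d in domains)


def alias_entries(nets):
    """One IP or CIDR per line, as a URL Table (IPs) alias expects."""
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in nets]


if __name__ == "__main__":
    doms, nets, skipped = merge(SOURCES)
    print(f"{len(doms)} domains, {len(nets)} networks, {skipped} skipped")
    print(render_hosts(doms), end="")
    print("\n".join(alias_entries(nets)))
```

Writing the hosts file with every name pointing at 0.0.0.0 rather than 127.0.0.1 makes blocked requests fail fast instead of being retried against the client itself, and collapsing the IP list before it is published is what keeps the alias table small, which matters given the entry limit the first post ran into.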

bartjsmit:
OPNsense has a full OS and it may be possible to run your RPi script on the firewall. The best way to slot it in is through a plugin, if you're up for a bit of scripting.

Bart...
