Changes

PFSense and OPNsense

2,584 bytes added, 4 February
/* Troubleshooting */
The following lines were added (+) and removed (-):
OPNSense Documentation
* https://docs.opnsense.org/
:* [[https://docs.opnsense.org/manual/install.html installation]]

(1) via dns:

(1) '''DNSBL''' via dns:

* ''Note: You have just blocked a web address or IP address and you notice a network client still has access.  There is probably an active state established in the state table, so the client continues to reach the blocked site.  In pfSense version 21.0.x go to DIAGNOSTICS -> STATES and either remove the specific active state or "Reset States", which will reset all client connections on the LAN.''

Aliases can be defined for use with different blocking methods.  In the single illustrated example above, an alias could be used to replace either the source or destination IP address.  An alias can be used to define a host which may have multiple associated IP addresses, like a group of workstations or an Internet destination where a DNS name may resolve to more than one host.  An alias could also be used to create a list of hosts which are unrelated other than that you wish for them to be blocked.  If a rule were added to block each host individually, the rules list would grow quite large. By adding all of these hosts to an alias, only one firewall rule is necessary.

In a single list, it seems to partially fail if there are multiple hosts and some are IPs and some are DNS names.

=== Using pfBlockerNG ===
Differences between '''IPBL''' and '''DNSBL''' with the pfBlockerNG plugin
* DNSBL uses Unbound (DNS Resolver) to block network clients from accessing specified domains
* IPBL creates firewall rules to block network clients from accessing IPs and to keep those IPs from accessing the network.

DNSBL only has Unbound or Disabled; IPBL has a variety of actions: denying inbound, outbound, or both, or simply matching and logging the traffic. IPBL has as many modes of enforcement as a firewall rule because it uses firewall rules to block traffic, whereas DNSBL simply uses the DNS resolver to send the client a different answer.

Per HOST or Per USER note:  pfBlockerNG is not the best way to provide filtering while exempting specific hosts on the network.  Although possible, it is problematic and difficult to configure.

== Troubleshooting ==
=== The following CA/Certificate entries are expiring ===
Beginning with 2.5.0, pfSense also allows you to renew the certificate in the web GUI in System > Certificate Manager > Certificates.
* Certificates are managed from System > Cert Manager, on the Certificates tab

Using pfSense as a Certificate Authority for your network:  For network Chain of Trust.

=== Force a DHCP lease to expire without impacting all other client leases ===
If you give a static lease assignment after a client already has a dynamic lease, and you wish to trigger that client workstation or device to stop using the old dynamic IP from the previous lease and start using the new IP that was static mapped for it, without having physical access to the client device, here is what you do:
# In the GUI, go to Diagnostics/Edit File and load /var/dhcpd/var/db/dhcpd.leases~
# Do the same for /var/dhcpd/var/db/dhcpd.leases
# Go to Services -> DHCP Server and RESTART the DHCP server service.

== Related ==
* [[Classful Networks and CIDR Routing]]
* [[Facebook Filtering With a SOHO Firewall]]
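
Added example (not part of the original wiki page) for the "Force a DHCP lease to expire without impacting all other client leases" procedure: it removes one client's lease blocks from a copy of the lease file and leaves every other lease untouched. It assumes the edit made in steps 1 and 2 is deleting that client's entries and that the file uses ISC dhcpd lease syntax; <code>drop_leases</code> and the sample data are constructed for illustration.

```python
import re

# Constructed sample (ISC dhcpd.leases syntax). The file is an append-only
# journal, so the same IP can appear in several blocks.
SAMPLE = '''\
lease 192.168.1.100 {
  ends 4 2021/02/04 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.1.101 {
  ends 4 2021/02/04 12:05:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
}
lease 192.168.1.100 {
  ends 4 2021/02/04 14:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
'''

LEASE_START = re.compile(r'^lease\s+(\S+)\s*\{')
MAC_LINE = re.compile(r'^\s*hardware ethernet\s+([0-9A-Fa-f:]+);')

def drop_leases(text, ip=None, mac=None):
    """Remove every lease block matching ip or mac; return (new_text, removed)."""
    kept, block, removed = [], None, 0
    for line in text.splitlines(keepends=True):
        if block is None and not LEASE_START.match(line):
            kept.append(line)            # comments, server-duid, other blocks
            continue
        block = (block or []) + [line]   # buffer the current lease block
        if line.rstrip() == '}':         # each block closes with a bare "}"
            block_ip = LEASE_START.match(block[0]).group(1)
            macs = {m.group(1).lower() for l in block if (m := MAC_LINE.match(l))}
            if block_ip == ip or (mac and mac.lower() in macs):
                removed += 1             # drop every journal entry for the client
            else:
                kept.extend(block)
            block = None
    if block:
        kept.extend(block)               # unterminated tail: keep it untouched
    return ''.join(kept), removed

if __name__ == '__main__':
    new_text, n = drop_leases(SAMPLE, mac='00:11:22:33:44:55')
    print(f'removed {n} block(s)\n{new_text}', end='')
```

Matching on the MAC address catches old journal entries for the client even if it held more than one dynamic IP.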