====== PFSense - pfBlockerNG - Bypass pfBlockerNG for specific clients ======

Unfortunately, even if some interfaces are NOT selected in the DNSBL permit firewall rules, as in this configuration, pfBlockerNG does NOT ignore them and still performs DNSBL checking on their queries. To have pfBlockerNG ignore some interfaces, such as the CLEAR network in this diagram, pfSense needs to use a different DNS server configuration for those clients (a separate Unbound view without the DNSBL include, as below).

{{:pfsense:pfblockerng:pfsense_pfblockerng_dnsbl_permit_firewall_rules_multiple_lans.png?800|}}

----

Navigate to **Services -> DNS Resolver**. In the **General Settings** tab, change:

  * Custom options:
<code>
server:
  private-domain: "plex.direct"
  include: /var/unbound/pfb_dnsbl.*conf
</code>

to

  * Custom options:
<code>
server:
  private-domain: "plex.direct"
  access-control-view: 192.168.1.0/24 dnsbl
  access-control-view: 192.168.50.0/24 bypass
  access-control-view: 192.168.70.0/24 dnsbl

view:
  name: "bypass"
  view-first: yes

view:
  name: "dnsbl"
  view-first: yes
  include: /var/unbound/pfb_dnsbl.*conf
</code>

**NOTE:** Do not repeat the **server:** header in front of each **access-control-view** line; a single **server:** block holds all of them. Also, do not leave the word **server:** in front of the include statement, i.e. do not write **server:include: /var/unbound/pfb_dnsbl.*conf**, because that starts a new server: clause and the include no longer belongs to the **dnsbl** view.

The following line may be needed above the **include: /var/unbound/pfb_dnsbl.*conf** line:
<code>
  include: /var/unbound/host_entries.conf
</code>

**WARNING:** If you do an update, or disable and re-enable DNSBL, the line **include: /var/unbound/pfb_dnsbl.*conf** will be reset back to the standard entry starting with the word **server:**, so it will become **server:include: /var/unbound/pfb_dnsbl.*conf**. This is hard-coded into pfBlockerNG, and until this is fixed you will need to check after each such change and remove any leading **server:** to ensure the bypass keeps working as expected.

----

===== Another example =====

This one uses Cloudflare's DNS over TLS, hence the forward-zone configuration.
<code>
server:
  private-domain: "plex.direct"
  access-control-view: 192.168.1.51/32 bypass
  access-control-view: 192.168.1.61/32 bypass
  access-control-view: 192.168.1.83/32 bypass
  access-control-view: 2601:abcd:abcd:abc0::/64 dnsbl
  access-control-view: 2601:abcd:abcd:abc1::/64 dnsbl
  access-control-view: 2601:abcd:abcd:abc2::/64 dnsbl
  access-control-view: 192.168.1.0/24 dnsbl
  access-control-view: 192.168.2.0/24 dnsbl
  access-control-view: 192.168.3.0/24 dnsbl
  rrset-roundrobin: yes

forward-zone:
  name: "."
  forward-ssl-upstream: yes
  # Cloudflare DNS
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 2606:4700:4700::1001@853

view:
  name: "bypass"
  view-first: yes
  #include: /var/unbound/host_entries.conf

view:
  name: "dnsbl"
  view-first: yes
  include: /var/unbound/host_entries.conf
  # local-zone: "youtube.com" inform_deny
  # local-zone: "facebook.com" inform_deny
  include: /var/unbound/pfb_dnsbl.*conf
</code>

**NOTE:** A 192.168.0.0/22 mask (CIDR) for the IPv4 subnets did not work; I instead had to define each subnet with /24. Maybe a /16 would have worked? Same problem with IPv6 (note that the examples mask my real IPv6 prefix): I had to define multiple /64s, as a single /62 did not work. The dnsbl view needed to have **include: /var/unbound/host_entries.conf**, otherwise the host overrides did not resolve. For some reason, however, that was not required for the bypass view, which seems to operate quite happily without the include, hence it is commented out. The two commented-out local-zone entries are an easy way to block social media.
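As an added example (not code from the original page or from pfBlockerNG), here is a small Python checker for the Custom options text, covering both the configuration in the first section and the one above. It parses Unbound's clause/directive layout, flags the pitfalls the notes describe (an include line reset to ``server:include:``, more than one ``server:`` header, the pfb_dnsbl include ending up outside a view), checks that every view named in an access-control-view line is defined, and reports which view a client address lands in. The configuration texts and client addresses are constructed; the most-specific-netblock rule is how Unbound's address tree matches clients, which is also what lets the /32 bypass entries above win over their enclosing /24.

```python
"""Added example (not from the original page or pfBlockerNG): lint the
DNS Resolver "Custom options" text and show which view a client gets."""
import ipaddress
import re

# Constructed sample: the "after" configuration from the first section,
# but with the include line reset the way the WARNING describes.
SAMPLE_RESET = """\
server:
  private-domain: "plex.direct"
  access-control-view: 192.168.1.0/24 dnsbl
  access-control-view: 192.168.50.0/24 bypass
  access-control-view: 192.168.70.0/24 dnsbl
view:
  name: "bypass"
  view-first: yes
view:
  name: "dnsbl"
  view-first: yes
  include: /var/unbound/host_entries.conf
server:include: /var/unbound/pfb_dnsbl.*conf
"""

# Constructed sample: the same text with the include back inside the dnsbl view.
SAMPLE_FIXED = SAMPLE_RESET.replace(
    "server:include: /var/unbound/pfb_dnsbl.*conf",
    "  include: /var/unbound/pfb_dnsbl.*conf")

# Constructed sample: a /32 bypass host carved out of a /24 dnsbl network,
# the pattern used in the second example above.
SAMPLE_CARVE = """\
server:
  access-control-view: 192.168.1.0/24 dnsbl
  access-control-view: 192.168.1.51/32 bypass
view:
  name: "dnsbl"
view:
  name: "bypass"
"""

CLAUSES = {"server", "view", "forward-zone", "stub-zone", "remote-control"}


def parse(text):
    """Return [(clause_name, [(key, value), ...])] in file order.

    A line such as 'server:include: /path' is read as a new server: clause
    whose first directive is the include, which is what Unbound does with
    it and why the DNSBL then applies to every client.
    """
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in CLAUSES:
            clauses.append((key, []))
            if value:                            # glued "clause:directive: value"
                k2, _, v2 = value.partition(":")
                clauses[-1][1].append((k2.strip(), v2.strip()))
        else:
            if not clauses:                      # directive before any header
                clauses.append(("server", []))
            clauses[-1][1].append((key, value))
    return clauses


def lint(text):
    """Return a list of findings; an empty list means the text looks sane."""
    findings = []
    clauses = parse(text)
    if any(re.match(r"\s*server:\s*include:", ln) for ln in text.splitlines()):
        findings.append("include line carries a leading 'server:' (reset by pfBlockerNG); remove it")
    if sum(1 for name, _ in clauses if name == "server") > 1:
        findings.append("more than one 'server:' clause header; keep a single server: block")
    views = {v.strip('"') for name, body in clauses if name == "view"
             for k, v in body if k == "name"}
    for name, body in clauses:
        for k, v in body:
            if k == "include" and "pfb_dnsbl" in v and name != "view":
                findings.append("pfb_dnsbl include sits in the server: clause, so DNSBL applies to every client")
            if k == "access-control-view" and v.split()[1] not in views:
                findings.append(f"access-control-view names undefined view '{v.split()[1]}'")
    return findings


def view_for(text, client_ip):
    """Name of the view that answers client_ip, or None if no netblock matches.

    Unbound keeps access-control entries in an address tree, so the most
    specific (longest prefix) matching netblock wins.
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for _, body in parse(text):
        for k, v in body:
            if k != "access-control-view":
                continue
            net_s, view = v.split()
            net = ipaddress.ip_network(net_s, strict=False)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, view)
    return best[1] if best else None


if __name__ == "__main__":
    for label, text in (("reset", SAMPLE_RESET), ("fixed", SAMPLE_FIXED)):
        print(label, "->", lint(text) or "clean")
    for client in ("192.168.50.10", "192.168.70.3", "10.9.9.9"):
        print(client, "->", view_for(SAMPLE_FIXED, client))
    for client in ("192.168.1.51", "192.168.1.52"):
        print("carve-out", client, "->", view_for(SAMPLE_CARVE, client))
```

Paste the contents of the Custom options box into a string and run ``lint`` on it after every pfBlockerNG update; the "reset" sample shows the three findings the WARNING above warns about, and the "fixed" sample comes back clean.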
----

===== Enforce Google, YouTube, Bing and DuckDuckGo SafeSearch =====

<code>
server:
  access-control-view: 192.168.10.0/24 bypass
  access-control-view: 192.168.20.0/24 dnsbl

view:
  name: "bypass"
  view-first: yes

view:
  name: "dnsbl"
  view-first: yes
  include: /var/unbound/pfb_dnsbl.*conf
  local-data: "www.google.com 60 IN A 216.239.38.120"
  local-data: "www.youtube.com 60 IN A 216.239.38.119"
  local-data: "www.bing.com 60 IN A 204.79.197.220"
  local-data: "duckduckgo.com 60 IN A 107.20.240.232"
</code>

**NOTE:** These entries, added in the **dnsbl** view, force all clients in this group (192.168.20.x) to the SafeSearch address for each of the four services included. They have to be added here, as adding them as a Host Override on the DNS Resolver configuration page would enforce them for all clients.

----

===== Allow websites on a per client basis =====

  * group A: allow websites X and deny websites Y
  * group B: allow websites X and allow websites Y
  * group C: allow websites X, allow websites Y and allow websites Z

pfBlockerNG can do this using the new tag feature in [[https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/|Unbound]].

**NOTE:** Tagging is only supported in Unbound 1.5.10 onwards, so you may need to update your pfSense.

Navigate to **Services -> DNS Resolver -> Custom Options** and add:

<code>
# Start with a server: clause so pfSense puts the directives in the correct place.
server:
  # Define the tags.
  define-tag: "websiteX"
  define-tag: "websiteY"
  define-tag: "websiteZ"

  # Create the access control entries.
  access-control: 10.1.1.0/24 allow   # group A
  access-control: 10.1.2.0/24 allow   # group B
  access-control: 10.1.3.0/24 allow   # group C

  # Tag the access: allocate each IP range its tags.
  # All tags for one netblock go on a single line as a quoted, space-separated list.
  access-control-tag: 10.1.1.0/24 "websiteX websiteY websiteZ"
  access-control-tag: 10.1.2.0/24 "websiteX websiteY websiteZ"
  access-control-tag: 10.1.3.0/24 "websiteX websiteY websiteZ"

  # Create the local-zones and allow normal service, which gives
  # non-blocked users access to all record types (A, AAAA, CNAME, ...).
  local-zone: www.websitex.com typetransparent
  local-zone: www.websitey.com typetransparent
  local-zone: www.websitez.com typetransparent

  # Tag the domains.
  local-zone-tag: www.websitex.com "websiteX"
  local-zone-tag: www.websitey.com "websiteY"
  local-zone-tag: www.websitez.com "websiteZ"

  # Override the zone action for particular groups: group A is redirected
  # for website Y and group B for website Z; everyone else keeps typetransparent.
  access-control-tag-action: 10.1.1.0/24 "websiteY" redirect
  access-control-tag-action: 10.1.2.0/24 "websiteZ" redirect

  # Send redirected users to your polite internal block page.
  access-control-tag-data: 10.1.1.0/24 "websiteY" "A 10.1.1.1"
  access-control-tag-data: 10.1.2.0/24 "websiteZ" "A 10.1.1.1"
</code>

----

===== References =====

  * https://mitky.com/pfblockerng-pfsense-filter-specific-clients-computers-network/
  * https://forum.netgate.com/topic/129365/bypassing-dnsbl-for-specific-ips/9
  * https://www.reddit.com/r/pfBlockerNG/comments/9z0g28/bypass_dnsbl_based_on_ip_alias_or_interface/
  * https://jpmens.net/2016/12/20/unbound-supports-views-for-local-data/
  * https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
  * https://www.nlnetlabs.nl/blog/2016/12/22/client-based-filtering-in-unbound/
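To check on paper what each group in the "Allow websites on a per client basis" section ends up with, here is an added Python model (example code, not from the page, from pfBlockerNG or from Unbound) of how the tag directives combine: a client takes the tags of its most specific netblock, a tagged local-zone applies to that client only when the two share a tag, and an access-control-tag-action for that netblock and tag overrides the zone's own type, with access-control-tag-data supplying the answer. The tables mirror that configuration; the evaluation rules are this example's reading of the Unbound manual, and the client addresses and the extra query name are constructed.

```python
"""Added example (not from the original page or Unbound): evaluate the
per-client tag policy from the section above for a client and a name."""
import ipaddress

# Tags each client netblock carries (the access-control-tag lines).
CLIENT_TAGS = {
    "10.1.1.0/24": {"websiteX", "websiteY", "websiteZ"},   # group A
    "10.1.2.0/24": {"websiteX", "websiteY", "websiteZ"},   # group B
    "10.1.3.0/24": {"websiteX", "websiteY", "websiteZ"},   # group C
}

# Zone type and zone tags (the local-zone / local-zone-tag lines).
ZONES = {
    "www.websitex.com": ("typetransparent", {"websiteX"}),
    "www.websitey.com": ("typetransparent", {"websiteY"}),
    "www.websitez.com": ("typetransparent", {"websiteZ"}),
}

# Per-netblock overrides (the access-control-tag-action / -data lines).
TAG_ACTIONS = {
    ("10.1.1.0/24", "websiteY"): ("redirect", "A 10.1.1.1"),
    ("10.1.2.0/24", "websiteZ"): ("redirect", "A 10.1.1.1"),
}


def client_netblock(client_ip):
    """Most specific configured netblock containing client_ip, or None."""
    ip = ipaddress.ip_address(client_ip)
    matches = [n for n in CLIENT_TAGS if ip in ipaddress.ip_network(n)]
    if not matches:
        return None
    return max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)


def zone_for(qname):
    """Closest enclosing local-zone for qname (longest suffix match), or None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def evaluate(client_ip, qname):
    """Return (action, data) for this client and name.

    ("resolve", None) means no local policy applies and the name is looked
    up normally; ("typetransparent", None) is the zone's own type, which
    for a zone without local data also resolves normally.
    """
    netblock = client_netblock(client_ip)
    zone = zone_for(qname)
    if netblock is None or zone is None:
        return ("resolve", None)
    zone_type, zone_tags = ZONES[zone]
    shared = CLIENT_TAGS[netblock] & zone_tags
    if zone_tags and not shared:
        return ("resolve", None)          # tagged zone, client lacks the tag
    for tag in sorted(shared):            # a tag action beats the zone type
        override = TAG_ACTIONS.get((netblock, tag))
        if override:
            return override
    return (zone_type, None)


def policy_table():
    """One row per (group address, zone): handy for eyeballing the matrix."""
    clients = {"group A": "10.1.1.25", "group B": "10.1.2.7", "group C": "10.1.3.9"}
    return {(g, z): evaluate(ip, z) for g, ip in clients.items() for z in ZONES}


if __name__ == "__main__":
    for (group, zone), result in policy_table().items():
        print(f"{group:8} {zone:18} -> {result}")
    print("outside  www.websitey.com   ->", evaluate("192.168.9.9", "www.websitey.com"))
```

Group A lands on the block page for website Y while still resolving website X, group B only for website Z, and group C for nothing, which is exactly the intent of the three bullets; a client outside the tagged netblocks, or a name with no local-zone, falls through to normal resolution.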