Introduction to a Self Managed Life: a 13 hour & 28 minute presentation by FUTO software
= Setting Up '''pfBlockerNG''' for Ad-Blocking in pfSense =

<span id="why-adblock-at-the-router"></span>
=== Why adblock at the router? ===

'''''Why not'''''?? Isn’t this '''beautiful'''?

<pre>louis@happycloud:~/Downloads/frigate$ ping googleadservices.com
ping: googleadservices.com: Name or service not known</pre>

Seeing ''Name or service not known'' when trying to contact a Google ad server warms my heart. :D

Ad-blocking at the router level offers several advantages:

# '''Simplicity:''' Instead of installing ad-blockers on every device, you can block ads network-wide.
# '''Complete coverage:''' Blocks ads on devices where traditional ad-blockers can’t be installed (smart TVs, Android/iOS apps). Somewhere, there is probably some piece of garbage application that has an ad in it that you can’t install [https://ublockorigin.com/ uBlock Origin] onto. What if it were blocked from connecting at the router level?
# '''Control:''' You can manage internet connectivity and ad-blocking for all connected devices from a single point.

We’ll use two methods for blocking:

* '''IP address blocking''' - blocking <code>103.31.6.184</code>
* '''Domain name blocking''' - blocking <code>googleadservices.com</code>

This dual approach makes ad-blocking more effective, as it covers both static IP addresses and changing domain names associated with ad servers.

<span id="step-1-measure-our-baseline"></span>
=== Step 1: Measure our Baseline ===

<span id="install-stock-google-chrome"></span>
==== 1.1 Install [https://www.google.com/chrome/ stock Google Chrome] ====

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_bceadf90.png
</gallery>
</div>

No ad-blocking extensions, no privacy protections. We want to test our ROUTER’S ability to block ads – not our browser’s. The browser is going to be the ''“constant”'' here.
In an ideal setup, we want to block ads at the router level (which we CAN control) in order to not see ads in random Android apps & unreliable smart TVs (which we can’t always control). You won’t always be able to block ads with certain hardware or software. And even if you can, can your boyfriend, your mother-in-law, your kids? Imagine having kids that grow up in a household with no ads. :)

Don’t use your normal web browser with all the ad-blocking stuff built-in because then we can’t tell if what we did actually worked. We’re starting by installing stock, vanilla Google Chrome, no extensions installed, and running a couple of quick tests. Something tells me Google’s business model isn’t going to provide us an ad-free web browsing experience by default…

<span id="run-adblock-dns-tests"></span>
==== 1.2 Run adblock & DNS tests ====

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_16d96f79.png
File:lu55028jxb9s_tmp_ccf2f730.png
File:lu55028jxb9s_tmp_29860614.png
</gallery>

* [https://adblock-tester.com/ adblock-tester.com]
* [https://d3ward.github.io/toolz/adblock.html d3ward.github.io/toolz/adblock.html] -> This project is no longer maintained and has been archived.
* [https://dnsleaktest.com/ dnsleaktest.com]

'''My Initial results:'''

* Ad-block tester: 38 points out of 100
* D3Ward Ad Block testing: 6 blocked out of 135
* DNS: Using home device ('''pfSense''' DNS resolver)

''Your mileage will vary.''

<span id="step-2-install-pfblockerng"></span>
=== Step 2: Install '''pfBlockerNG''' ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_36101b0c.png
File:lu55028jxb9s_tmp_df926adb.png
File:lu55028jxb9s_tmp_8c37d4ee.png
File:lu55028jxb9s_tmp_6863d4b9.png
</gallery>

# Log in to your '''pfSense''' web interface.
# Navigate to '''System > Package Manager > Available Packages'''.
# In the search bar, type '''“pfBlockerNG”'''.
# Find <code>pfBlockerNG-devel</code> and click the '''Install''' button (you want the devel version because it receives more updates &, as AvE would say, is more betterer).
# Wait for the installation to complete.

<span id="step-3-configure-pfblockerng-general-settings"></span>
=== Step 3: Configure '''pfBlockerNG''' General Settings ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_e3a57841.png
File:lu55028jxb9s_tmp_bef0d3ca.png
File:lu55028jxb9s_tmp_f6e73464.png
File:lu55028jxb9s_tmp_2c627cd5.png
</gallery>

# After installation, go to '''Firewall > pfBlockerNG'''.
# Under '''General Settings:'''
## Enable pfBlockerNG: Make sure this is checked.
# Click '''IP''' next to General.
# For '''Outbound Firewall Rules''', make sure both '''LAN''' and '''OpenVPN''' interfaces are selected for REJECTING.
# '''I had you set up OpenVPN''' '''''before''''' '''pfBlockerNG explicitly''' '''''because''''' '''it makes this option automatically be checked for you, but double check just in case!'''
# Click '''Save''' at the bottom.

<span id="step-4-set-up-dnsbl-dns-blacklists"></span>
=== Step 4: Set Up DNSBL (DNS Blacklists) ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_d758afc8.png
</gallery>

# Navigate to '''Firewall > pfBlockerNG > DNSBL'''.
# Enable DNSBL: Check this box to enable DNS-based blocking.
# DNSBL Mode: Set to '''Unbound Mode''' to use pfSense’s DNS Resolver for DNSBL.
# Go down to '''DNSBL Configuration''' and make sure some random bs IP is in the ''virtual IP address'' field (LIKE 10.10.10.1); this is where we direct requests for ad-ridden domain names.

<span id="step-5-add-dnsbl-feeds-ip-blocklist-feeds-lists-of-ad-domains"></span>
=== Step 5: Add DNSBL Feeds & IP blocklist feeds (Lists of Ad Domains) ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_ab93a985.png
File:lu55028jxb9s_tmp_e7f85dc0.png
File:lu55028jxb9s_tmp_d117a3f0.png
</gallery>

Let me explain how these feeds work in pfBlockerNG because the interface can be intimidating for a newbie. The feeds tab has two main sections: IP address feeds at the top (for blocking specific IPs) and DNS feeds at the bottom (for blocking domain names like googleadservices.com).

When you’re looking at the feeds, you’ll see these checkboxes and plus signs that can be a bit confusing. Here’s what they mean:

* If you see a checkbox on the left, that means it’s a GROUP of feeds. If you see a blue checkbox next to “PRI1”, that means all the feeds under that group are already enabled.
* Individual feeds will have their own checkboxes to show if they’re active.
* The plus signs let you add new feeds to your configuration.

When you want to add feeds, click the plus sign to add the feed. For IP blocklists, make sure the action is set to '''“Deny Both”'''. For DNS blocklists, set the action to '''“Unbound”'''.

Even if you see something’s already checked, sometimes clicking “Enable All” can catch feeds that weren’t properly activated. I’ve had weird situations where I thought I added everything in a group but missed some - the interface isn’t always super clear about what’s actually enabled.

For what to block: I avoid blocking things like Tor or torrent trackers. Why would you block that? That’s like DDoSing Pornhub - they’re giving you free stuff!
One of them blocks AWS; avoid that unless you want non-functional internet (sadly the world runs on AWS whether we like it or not).

<blockquote>It is very easy to block too much and then not be able to log into YouTube, receive email, visit your bank, etc. More isn’t better here.
</blockquote>

# Go to '''Firewall > pfBlockerNG > Feeds'''.
# Scroll to the '''DNSBL Feeds''' section.
# Add multiple feeds by clicking on different categories and enabling relevant lists.
# For each selected feed:
#* For DNS block lists, set “Action” to '''Unbound'''.
#* For IP lists, set “Action” to '''Deny Both'''.
# There is a blue “ENABLE ALL” button at the bottom that will often save you a lot of time.
# Recommended categories to add:
#* Easylist
#* Malicious
#* Phishing
#* Malware
#* Suspicious
#* Trackers
#* Spam (for email)
# '''Avoid adding feeds that might block legitimate services (e.g., AWS, public DNS servers, Tor).'''
# After selecting feeds, click '''Save''' to apply these DNSBL lists.
# Don’t enable/turn them on one by one. When you click on a list of feeds, note the blue '''“enable all”''' button. ''Don’t be like Louis of 2018 & toggle each line to “on” manually like an idiot (I actually did this :’( )''

<span id="step-6-update-and-apply-lists"></span>
=== Step 6: Update and Apply Lists ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_88427bbb.png
</gallery>

# Navigate to '''Firewall > pfBlockerNG > Update'''.
# Select '''“Force”''' option.
# Set '''“Reload”''' option to '''“All.”'''
# Click '''“Run”''' to download and update all lists (both DNSBL and IP lists).

''This process can take a while.''

<span id="step-7-testing-and-verifying-ad-blocking-effectiveness"></span>
=== Step 7: Testing and Verifying Ad-Blocking Effectiveness ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_cd49ce7b.png
File:lu55028jxb9s_tmp_82193a4c.png
</gallery>

# Clear cache and cookies in your test browser.
# Revisit the ad-blocking test sites:
## [https://adblock-tester.com/ adblock-tester.com]
## [http://d3ward.github.io/toolz/adblock.html d3ward.github.io/toolz/adblock.html] -> This project is no longer maintained and has been archived.

'''Expected results:'''

* Ad-block tester: Improved score (e.g., 78 out of 100)
* D3Ward Ad Block testing: Many more blocked (e.g., 119 out of 135)

<span id="step-9-implement-adguard-dns"></span>
=== Step 9: Implement AdGuard DNS ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_ae2b0b8d.png
File:lu55028jxb9s_tmp_1ca05f7d.png
File:lu55028jxb9s_tmp_b129b41f.png
File:lu55028jxb9s_tmp_18e54ec0.png
</gallery>

# Visit [https://adguard-dns.io/en/public-dns.html adguard-dns.io] and go to the '''“Routers”''' section.
# Copy the DNS server addresses that block ads and trackers.
# In '''pfSense''', go to '''System > General Setup'''.
# Uncheck '''“Allow DNS server list to be overridden by DHCP/PPP on WAN.”'''
# Remove existing DNS servers and add the AdGuard DNS servers. '''Use what is on AdGuard’s site: at the time of this writing, they were as follows. Only use the below servers if you see them on''' [https://adguard-dns.io/en/public-dns.html '''adguard-dns.io''']:
## Primary DNS: <code>94.140.14.14</code>
## Secondary DNS: <code>94.140.15.15</code>
# You checked [https://adguard-dns.io/en/public-dns.html AdGuard’s site] rather than copy & paste from here, right? RIGHT?
# Save changes.

<span id="step-10-configure-the-dns-resolver"></span>
=== Step 10: Configure the DNS Resolver ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_18e54ec0.png
File:lu55028jxb9s_tmp_ac1bdd90.png
File:lu55028jxb9s_tmp_a68efb7e.png
</gallery>

# Go to '''Services > DNS Resolver'''.
# Enable DNS Resolver: make sure this is checked.
# Click '''Enable Forwarding Mode'''.
# Save and apply changes.
# Reload the DNS Resolver service.
<span id="step-11-verify-adblocking-from-desktop"></span>
=== Step 11: Verify adblocking from Desktop ===

<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:lu55028jxb9s_tmp_253defc2.png
File:lu55028jxb9s_tmp_6f775d7c.png
File:lu55028jxb9s_tmp_7763a7c0.png
File:lu55028jxb9s_tmp_51675dc6.png
File:lu55028jxb9s_tmp_2de8777b.png
</gallery>

# Clear DNS cache and browser data.
# Rerun the ad-blocking tests.
# Visit [https://dnsleaktest.com/ dnsleaktest.com] and run an extended test to confirm you’re using AdGuard DNS. You should see something like the figure above. Your DNS should be DIFFERENT than it was before! If not, something went wrong.
# Redo your adblock test:
#* [https://adblock-tester.com/ adblock-tester.com]
#* [https://d3ward.github.io/toolz/adblock.html d3ward.github.io/toolz/adblock.html]
# You should see adblocking become even more better, or more betterer as [https://www.youtube.com/@arduinoversusevil2025 AvE] would say, than what you had prior to installing pfBlockerNG, depending on the feeds you’ve chosen.
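A scripted version of the Step 7 and Step 11 checks, as an added example that is not part of the original guide: it resolves names through the client's normal resolver and flags both ad domains that still resolve and must-work domains that got blocked (the "block too much" problem from Step 5). The default virtual IP comes from Step 4; the domain lists other than <code>googleadservices.com</code>, the <code>run</code> argument, the script name and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide. Run it from a LAN or VPN client.
# Assumptions: the DNSBL virtual IP is 10.10.10.1 (Step 4) and glibc getent exists.
SINKHOLE_VIP="${SINKHOLE_VIP:-10.10.10.1}"
# googleadservices.com comes from the guide; the other names are sample choices.
SHOULD_BLOCK="googleadservices.com doubleclick.net"
MUST_RESOLVE="youtube.com github.com"

# Print the IPv4 addresses the system resolver returns (nothing if it has none).
resolve() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' '
}

# classify_answer "<space-separated IPs>" prints BLOCKED or ALLOWED.
# BLOCKED: no address, or only the sinkhole VIP / 0.0.0.0 (null answer, assumed
# to be what a filtering upstream returns). ALLOWED: any real address came back.
classify_answer() {
    for ip in $1; do
        case "$ip" in
            "$SINKHOLE_VIP"|0.0.0.0) ;;
            *) echo ALLOWED; return 0 ;;
        esac
    done
    echo BLOCKED
}

# audit_domain <domain> <expected> <answer>: report, return 1 on a mismatch.
audit_domain() {
    got=$(classify_answer "$3")
    if [ "$got" = "$2" ]; then
        echo "ok    $1 -> $got (${3:-no answer})"
    else
        echo "FAIL  $1 -> $got, expected $2 (${3:-no answer})"
        return 1
    fi
}

main() {
    failures=0
    for d in $SHOULD_BLOCK; do
        audit_domain "$d" BLOCKED "$(resolve "$d")" || failures=$((failures + 1))
    done
    for d in $MUST_RESOLVE; do
        audit_domain "$d" ALLOWED "$(resolve "$d")" || failures=$((failures + 1))
    done
    echo "$failures failure(s)"
    [ "$failures" -eq 0 ]
}
# The live lookups run only on request: sh dnsbl-check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If DNS is down entirely, every lookup comes back empty and the <code>MUST_RESOLVE</code> entries fail, so an outage is not mistaken for successful blocking.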
<span id="step-13-verify-adblock-on-mobile-via-vpn"></span>
=== Step 13: Verify adblock on mobile via VPN ===

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106123802153.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106123837196.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106124123482.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106124131570.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106124141942.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106124249587.png
</gallery>
</div>
<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106124207433.png
</gallery>
</div>

To make sure ad-blocking works on mobile devices connected through VPN:

# Clear browser data on your phone.
# '''Disconnect from the VPN we attached to earlier.'''
# Visit the following websites and note the results:
#* [https://adblock-tester.com/ adblock-tester.com] – should have horrible results
#* [https://d3ward.github.io/toolz/adblock.html d3ward.github.io/toolz/adblock.html] – also horrible results
#* [https://dnsleaktest.com/ dnsleaktest.com] – should show AdGuard DNS, same as what you saw in the above figure on your PC
# Go over to the OpenVPN app & connect to VPN
#* [https://adblock-tester.com/ adblock-tester.com] – should have better results
#* [https://d3ward.github.io/toolz/adblock.html d3ward.github.io/toolz/adblock.html] – should have better results
#* [https://dnsleaktest.com/ dnsleaktest.com] – should show your mobile provider’s DNS servers

Double-check that you’re using the '''pfSense''' DNS on <code>dnsleaktest.com</code> & NOTHING ELSE!! You do not want your ISP’s server, or anyone else’s server, to show up. If in doubt, research the IP address & hostname of the DNS that is coming up.

<ol start="5" style="list-style-type: decimal;">
<li>Compare results to those without a VPN connection.</li></ol>

'''Expected results:'''

* Much more ad-blocking on mobile when connected to VPN
* Confirmation that you’re using AdGuard DNS through the VPN

<div class="figure">
<gallery mode="packed-hover" heights=250 widths=400 perrow=2>
File:image-20241106125051953.png
</gallery>
</div>

<span id="step-14-verify-vpn-allows-connectivity-to-home-network."></span>
=== Step 14: Verify VPN allows connectivity to home network. ===

Try to visit your router’s IP address https://192.168.5.1/ once you have connected to the VPN – and '''make sure you are connected to the CELLULAR network only, not your home Wi-Fi!!'''

Congratulations; you’ve set up an ad-blocking system that blocks a ton of ads before your internet connection even wastes bandwidth loading them, for all devices on your network.
Blocking ads in a browser using uBlock Origin is fun, but '''nothing compares to the feeling of blocking ads they think you can’t block. It’s beautiful. :D'''

This means that even inside of Android apps that have ads, you can block them all—it just takes the right feed. :D

'''REMEMBER: THIS IS YOUR JOURNEY!!! FIND THE FEEDS THAT MAKE YOU HAPPY, YOU DO NOT HAVE TO USE THE SAME ONES THAT I DID!'''

<span id="installing-ubuntu-server-with-raid-1-lvm-and-luks-encryption"></span>