Setup pfBlockerNG python mode with pfSense

Reading Time: 10 minutes

In this blog post I will show you how to setup pfBlockerNG python mode with pfsense. Nearly a year ago I made a blog post here explaining why I was moving away from pfBlockerNG to Pihole. The main reason was that pfBlockerNG could not show all the blocked DNS requests. This made is difficult to troubleshoot why some app or (iot) device was not working properly. Read my blog post here for all the details.

In recent times, the developer of pfBlockerNG, BBcan177, has given a major update to pfBlockerNG. With the integration of python into pfBlockerNG, it is now possible to show all DNS requests that are blocked. I’ve always loved the combination pfSense and pfBlockerNG. I think it is a great setup for protecting your network and keeping all the ads and tracking away, making a beter and safer internet for all the users on your network (kumbaya-mode). Plus you only need one device for routing and adblocking.

Requirements

For this blogpost I used the following versions:

  • pfSense ce 2.4.5-RELEASE-p1
  • pfBlockerNG-devel 3.0.0_10

Install pfBlockerNG package

Before you start with configuring pfBlockerNG make sure you pfSense firewall runs fine and internet is working as expected for all the devices on your network. If this is the case then continue to make a backup of this running setup. Always a good idea of having a backup before making changes. To do this go to Backup -> Backup & Restore. Click on Download configuration as XML. Safe this file in a secure place.

Vikash.nl - Backup & Restore pfSense configuration
Backup & Restore pfSense configuration

Then go to System -> Package Manager -> Available Packages. Search for pfBlockerNG. This part is very important. You need to install pfBlockerNG-devel package. Click on the green Install button behind pfBlockerNG-devel to install the package. After installing the package it should be in the list of Installed Packages:

pfSense Installed Packages

Configuring pfBlockerNG-devel

Before you start you should know that using the new python mode you to disable some setting in Unbound DNS Resolver (if you are using that in pfSense). Disable the following options in Unbound Resolver:

  • DHCP Registration: Register DHCP leases in the DNS Resolver
  • OpenVPN Clients: Register connected OpenVPN clients in the DNS Resolver

pfBlockerNG has some checks to make sure that the options above are disabled when you enable python mode but I would strongly advise to disable them before starting to configure pfBlockerNG.

Unbound Resolver options to disable for python mode

After you’ve installed you will find it in the menu Firewall -> pfBlockerNG:

Menu Firewall -> pfBlockerNG

When you open pfBlockerNG for the first time you will be presented with a wizard. I just skip this because I like to setup pfBlockerNG manually with my own settings. Let me share them with you 🙂

Configure IP settings

I will share my production configuration with you so I will blur out some things. Let’s start by the following settings. In the General tab I enable the checkboxes for pfBlockerNG and Keep Settings. The Keep Settings option wil make sure that your pfBlockerNG configuration stays in place when upgrading or when you make a backup of your pfSense configuration. I also change the cron update settings here just be spread the cronjobs load. You can leave this default and everything will just run fine :).

pfBlockerNG General Tab settings

pfBlockerNG can be used for IP blocking (malicious IP’s) and DNSBL (DNS sinkhole). Let’s go over my settings for IP blocking. Go go the IP tab. The first section is IP Configuration. I pretty much the basic settings here. I have a couple of IP blocklists configured and the De-Duplication option will make sure that there are not duplicate IP’s in blocklist pfBlockerNG builds. Make sure that The Placeholder IP Address is not being used in your network. The default of 127.1.7.7 should be fine. Here are my settings:

pfBlockNG IP Configuration

Next is MaxMind GeoIP configuration. You need to register and get a valid license key and you can register here for free. I use MaxMind GeoIP to block certain countries. If you don’t host services behind your pfSense router (like a webserver) you probably don’t need the country blocking because pfSense will default block all inbound connections. Security is all about layers and having this option is another layer of security. Here are my settings:

pfBlockerNG MaxMind GeoIP configuration

Next is Inbound Firewall Rules. These apply to any interface which is used to get internet traffic to you network. Here you select your WAN interface and if you have VPN client connections going to your VPN provider, select those here too. I use several VPN connections to VPN providers and those interface names end with _WAN. The screenshot below shows what I have selected here:

pfBlockerNG Inbound Firewall Rules

Next is Outbound Firewall Rules. These apply to any interface which you have on your local network. I have several local networks like a guest and a testlab network. I am running a OpenVPN server on pfSense and I treat that network also as a local network. Here are my settings:

pfBlockerNG Outbound Firewall Rules

I have also enabled the Floating Rules option because I like it that I can find all the firewall rules in one place. Kill States is enabled because IP blocklists are being updated several times a day and you want pfBlockerNG to kill any state to a blocked IP immediately. Don’t forget to hit the Save IP settings when you are done here.

Enable some IP feeds

To let pfBlockerNG do block malicious IP’s you need to enable some IP feeds. pfBlockerNG has a nice selection of IP feeds you can enable. Go the Feeds tab and I would suggest to enable the PRI1 feed category and start from there. Remember the more feeds you enable the greater the chances are that you will break the internet :). Proceed with care is my advise and only enable extra feeds after doing extensive testing. This is not a set-and-forget approach! It’s more a set-test-monitor-forget approach. Check my screenshots here:

pfBlockerNG Feed Settings

You just have to click on the + sign and pfBlockerNG will add the feeds. Afterwards you can find the feeds you enabled in the IP -> IPv4 tab. I have done some renaming and sorting here. Feel free to make you own adjustments. Here’s what mine looks like:

pfBlockerNG IP -> IPv4 Summary

I have changed the Action here to Deny Both. This means that pfBlockerNG will block incoming and outgoing communication to a blacklisted IP. I have also changes the Frequency of the updates. The PRI1 category is being updated a few time a day and I want pfBlockerNG to be on top of the changes so I chose to update it every 4 hours. The others in my list have more to do with Public DNS servers and DNS-over-HTTP. In my experience they don’t change that much. I want to make clear that I don’t use IPv6 in my network. I have disabled it in pfSense and blocking it in my Firewall rules. I don’t have need for it at the moment and I don’t want to complicate things.

GeoIP blocking

While you are in the IP -> IPv4 tab click on the GeoIP tab if you want to block specific geographical regions or separate countries.

pfBlockerNG IP -> GeoIP

You will notice here that I have the Action set to Deny Both. But I don’t block the whole region. I block specific countries and you can choose which countries you want to block by clicking on the pencil icon. Then select the countries and enable List Action and Loggin and click on Save:

pfBlockerNG – GeoIP block specific countries

This is all I configure for the IP blocking part. Let’s move to the DNSBL part.

Configure DNSBL settings

I assume you know what DNSBL blocking does so I won’t go into the details here. It blocks malicious and/or unwanted adverts domains. Recently pfBlockgerNG got a huge update and DNSBL is now able to use python mode. This new python mode makes it a lot faster and also shows all the DNS requests which are being blocked! This is for me the major option to get rid of my Pihole setup. I want my pfSense doing everything in my network and adding pfBlockerNG to my setup gives me a single place to secure my network and keep ads and malicious traffic out of the door. You can read about all the changes in pfBlockerNG here.

To configure the DNSBL settings click on the DNSBL tab. There are a lot of options here and this can be overwhelming. These are the settings I have enabled or configured and I think this should give you a good starting point:

  • Enable DNSBL: checked (otherwise DNSBL will not be enabled :P)
  • DNSBL Mode: Unbound python mode. This is the major new option! We need this.
  • DNS Reply Logging: checked. This will show you all the DNS queries which are answered by Unbound.
  • DNSBL Blocking: checked. This option must be selected as soon as you choose Unbound python mode.
  • CNAME Validation checked: This option to make sure that an ad domain cannot “bypass” DNSBL by using a different dns name.
pfBlockerNG – DNSBL options

Scroll down to the DNSBL Configuration section and check Permit Firewall Rules. This will create rules in the Floating in your Firewall. I like having these in one place :). Also select all your internal networks here. This will enable pfBlockerNG for those networks. Here are my settings:

DNSBL Configuration – Permit Firewall Rules

As you can see I have several internal networks (LAN, Guest, DMZ, TestLAB) and I want pfBlockerNG to be enabled on all of those.

DNSBL Whitelist

Click on the + sign to open this section. In this section you can add domains you don’t want to be blocked. Like when you have a lot of Apple devices in your network you want to whitelist *.apple.com. Adding domains in the whitelist makes sure that even when these domains are in some DNSBL feed you have enabled (see next section) they will still be allowed (whitelisted) by pfBlockerNG. You can add domains here manually or using the Reports tab in pfBlockerNG. In the screenshot below you can see some examples I have added to my whitelist:

pfBlockerNG – DNSBL whitelist

Those are all the options I have set for DNSBL. Scroll to the bottom of this page and click on Save DNSBL settings.

Enable some DNSBL feeds

Now go to the Feeds tab and scroll down to the DNSBL category. Here you can enable different DNSBL feeds by clicking on the + sign:

DNSBL category – Enable feeds

I want to remind you again that the more feeds you enable the bigger the chance is that you will break the internet for users on your network :). And you will find that for some services to work you will have to whitelist certain domain names like I explained above. The feeds you enable are listed in the DNSBL Groups section. Here you can review what feeds you have enabled or disable and remove an enabled feed.

pfBlockerNG – DNSBL Groups

By clicking on the pencil icon and the end of the line you can edit those specific groups. The names of the groups will be different for you, I just renamed them for my ease:

pfBlockerNG – Enable or disable individual feeds

DNS over HTTPS/TLS Blocking

This version of pfBlockerNG also has a very extensive list with known public DNS servers who are supporting DNS over HTTPS. DNS over HTTPS is a serious privacy and security risk so you want to enable this because you don’t want devices in your network using these DNS servers and bypassing pfBlockerNG’s adblocking and pfSense’s DNS server. Go to the DNSBL SafeSearch and enable DoH/DoT Blocking. Then select all the DNS servers from the list you want to block and click on Safe:

pfBlockerNG – DNS over HTTPS/TLS Blocking

The Reports tab in pfBlockerNG

The Reports tab is very important. It will give you an overview of what IP’s or DNS names are blocked by pfBlockerNG. It will also tell you the source device of the DNS or IP request thus making troubleshooting easy. Here you can investigate if pfBlockerNG is the reason why a certain app or website is not working properly for devices on you network:

pfBlockerNG – Reports tab blocked IP overview

The fist section shows you the IP’s being blocked and the section below that will show you DNS requests being blocked. Whitelisting an IP or DNS is simply a matter of clicking on the + sign before the DNS name or IP:

pfBlockerNG – Reports tab blocked DNS overview

When you click on the + sign pfBlockerNG will ask you if you know for sure you want to whitelist this domain. Click OK:

pfBlockerNG – whitelisting DNS example

Then it will ask you if you want to whitelist this domain only or add a wildcard for the domain:

pfBlockerNG – Wildcard whitelisting

After that you will have the option to add a description. If you don’t want a description just click on No and that’s it. The pfBlockerNG will no longer block that domain:

pfBlockerNG – Whitelist description

If you want to review the domains you have whitelisted you can just review them in the DNSBL Whitelist section in the DNSBL tab like I explained above.

With the settings and configuration options explained in this blog you should be off to a great start in keeping those ads, trackers and malicious websites out of your network. This is all you need to setup pfBlockerNG python mode with pfSense. pfBlockerNG has a lot more options but I don’t think you need all the features to be safe. The Reports tab is your friend for troubleshooting. Thank you for reading and good luck!

Setup pfBlockerNG python mode with pfSense Read More

Moved from pfBlockerNG to Pi-Hole

Reading Time: 6 minutes

The ad-free internet can exists!

For a while now I have pfSense firewall running at home. I really love the performance, stability and security pfSense provides. It is just rock-solid! But let me tell you why I moved from pfBlockerNG to Pi-Hole. What I also love in pfSense is the ability to install packages and add even more useful features to the platform. So I went ahead and installed the pfBlockerNG-devel package. At the time of writing this blog post the latest version of pfBlockerNG-devel is 2.2.5_29. Note the “devel” in the name because this is the branche of pfBlockerNG which is actively being developed.

Ads on themselves can be OK I think. It all depends on how ads are being used and in the end you need to find funding. After all this site is also using ads. Adding pfBlockerNG allows you not to only block ads but also block web tracking and ransomware. That there is added security and privacy you get when using pfBlockerNG. It will do this for your whole network using something called DNSBL (short for Domain Name System-based Blackhole List). Every device in your network will benefit from this and be protected. But pfBlockerNG does so much more like also giving you the ability to block internet traffic coming from certain IP addresses. These IP addresses translate to specific countries and regions so it can be very handy in protecting your network from all those hackers trying to get in your network.

I went ahead and set up both and for some time everything was working well. I enjoyed ad-free and tracking-free internet on all the devices in my LAN. But then something happened…

The internet broke down (well a little bit)

I have several iOT devices at home including Ikea Tradfri smart lights. Suddenly these lights because unreachable in the Apple Homekit App on my iPhone. The rest of my Homekit enabled iOT devices were doing fine. The first time this happened I thought it is probably a bug so let’s power cycle the Ikea Tradfri gateway. This was a success and the Ikea smart lights were available again. Nice!

Not so nice when I discovered an hour or so later that the Ikea Tradfri smart light were unreachable again. So now I’m thinking that maybe pfBlockerNG is blocking some hostname (the DNSBL feature). This is possible because maybe one of the DNSBL feeds I am using has got an update and some hostname which Ikea Tradfri gateway uses is bow blacklisted. Luckily pfBlockerNG gives you the ability to whitelist hostnames.

I went into the management interface of my pfSense firewall and selected the Reports tab in pfBlockerNG settings. The Reports tab shows a very nice list of hostnames which have been blocked by pfBlockerNG. There is a nice filtering option as well. See the screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 01

My Ikea Tradfri gateway has 192.168.100.51 as IP address. This is static setup in the DHCP server on my pfSense. So I enter this IP address in the Alert filter to see if pfBlockerNG is blocking DNS requests from my Ikea Tradfri gateway. The result was 0 so according to pfBlockerNG nothing from my Ikea Tradfri gateway was blocked. See screenshot below.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 02

But still I had the same behavior. When I power cycle the Ikea Tradfri gateway all is well for a short time and then is just becomes unavailable. I continued my investigation and decided to replace the USB power adapter of the Tradfri gateway. That didn’t help. By now I was thinking that I have tried everything but to replace the unit. I went to Ikea and got a new Tradfri gateway. I set it up and went trough the painful experience of connecting all my Tradfri lights and switches to the new gateway. I was just wrapping up when I saw that all my Ikea lights were unreachable again! Imagine my frustration.

Bring on Pi-Hole!

OK now I was furious. Even after replacing the Ikea Tradfri gateway I had the same problem. I was getting more convinced that is has to be something in my network. First step for me now was that I wanted to know all the DNS queries the Ikea Tradfri gateway was making. I tried debugging that in Unbound resolver on my pfSense but there were so many DNS requests flying by that it made troubleshooting nearly impossible.

I needed another DNS server, one specifically for my Ikea Tradfri gateway. And I needed it quick. Since I had a Raspberry Pi lying around I went the Pi-Hole route. Just download the correct image from the Pi-Hole website, extract to the SD-card and startup your new DNS server. Within a couple of minutes I was up and running with Pi-Hole. I loaded the exact same DNSBL lists I was using on pfBlockNG on the Pi-Hole. Using DHCP reservation I managed to set -Pi-Hole as the DNS server on the Tradfri gateway.

Pi-Hole showed me all the DNS queries the Tradfri gateway was doing, which ones were allowed and which ones blocked. I was specifically interested in DNS queries being blocked. I saw immediately that a lot of DNS queries were being blocked to webhook.logentries.com. That DNS query did not came up when I was troubleshooting on pfBlockerNG to find out the blocked queries. I added webhook.logentries.com to the Pi-Hole’s whitelist and waiting a couple of hours. Ikea smart lights were working fine now. Even after 24 hours all my Tradfri lights were now working fine.

Now let’s remove webhook.logentries.com from the Pi-Hole’s whitelist I thought and see what happens. Within the hour my Tradfri lights were offline again. Root cause found :).

Why I made the switch to Pi-Hole

I began to investigate why pfBlockerNG was not showing the blocked DNS queries. I discovered that when I did a DNS lookup on pfSense with pfBlockerNG enabled the request for webhook.logentries.com was being “sink holed” to pfBlockerNG, but it was not showing up in the Reports tab as blocked (or allowed). Check the screenshots below what happens on pfSense.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 03

As you can see above the DNS request is blocked by pfBlockerNG because it is “sink-holed” to the DNSBL VIP pfBlockerNG is using (10.10.10.1). But when I check the Reports tab in pfBlockerNG, I don’t see the blocked DNS request.

Moved from pfBlockerNG to Pi-Hole - vikash.nl - 04

Now when I do the same DNS lookup against the Pi-Hole I can see the DNS lookup immediately in the Query Log tab:

vikash.nl - 05

The gui on the Pi-Hole makes it really easy to troubleshoot as it shows immediately which client is doing what DNS queries and which ones are being blocked. The gui is also very easy in filtering options.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

And you can find very easy in which DNSBL feed a certain hostname is so you know what feed is blocking your internet traffic. It even tells you if the dns name is whitelisted. Makes management so much more easy.

This gui compared to pfBlockerNG was refreshing to me. Amazing how much time I spend troubleshooting on pfBlockerNG while the Pi-Hole showed me within minutes what was happening and where the problem was! Great tech :).

In the end

I moved from pfBlockerNG to Pi-Hole. Don’t get me wrong, I still love and use pfBlockerNG. But I now only use it to block IP addresses from certain countries and regions. It is still very useful for that.

Moved from pfBlockerNG to Pi-Hole - vikash.nl

But I don’t use the DNSBL option anymore because I have no faith in it’s reporting capabilities. And that starts to count very heavy when you are troubleshooting why something is not working in your network. Since I started using Pi-Hole I did find some other dns hostnames which were also blocked and were not reported by pfBlockerNG. One of them was to the download server of Ubiquiti for firmwares. Pretty important to know that sort of stuff.

I just can’t be bothered to make tcp dumps of my network traffic on pfSense and then use some kind of tool to analyze and try to find the needle in the haystack. So I recommend you use Pi-Hole for the DNSBL part as it is amazing at that. From the pragmatic perspective it is blazing fast and has great reporting options about what is happening in your network.

Moved from pfBlockerNG to Pi-Hole Read More

pfSense with routed IPTV and OpenVPN client for private internet access

Reading Time: 10 minutes

What I wanted was pfSense with routed IPTV and OpenVPN client for private internet access. You know that there are a lot of prying eyes who are interested in your internet traffic. I think that what you do with your internet is your business only. So I use a VPN provider to route all my internet traffic. When you do that without taking into account a couple of rules, you will break IPTV. Recently I got fiber ( Fiber to the Home – FTTH) internet at home with IPTV included. My ISP now is Xs4all (soon to be KPN). With that service comes a very nice Fritz!box and an IPTV set-op box. The Fritz!box takes care of everything. You just plug the box in and follow a few steps on the manual and you are online. Very nice :). The Fritz!box has 4 network ports. These ports can be used to connect your computer or connect the IPTV set-op box. The Fritz!box will configure the network ports automatically for internet access or tv functionality depending on what device you connect. internet access.

So I wanted to get rid of the Fritz!box for a couple of reasons:

  • use pfSense as my firewall
  • have my WAN IP address directly on pfSense (no double NAT!)
  • use OpenVPN client on pfSense to my VPN provider (for privacy reasons)
  • route all my internet traffic via my VPN provider (Mullvad)
  • be in complete control of my network at home

Getting internet to work with my fiber connection and pfSense was no issue. There is plenty of information on the internet about how to setup PPPoE and all the VLAN stuff. Maybe I will do a blog post about that some day. Routed IPTV however was a different story. I had done some research and quickly discovered that getting routed IPTV to work with pfSense is going to require more effort than the plug-and-play method the Fritz!box was using. Mullvad has a great guide on how to configure pfSense with their services here. But there are no guides out there (at least I could not find them) on how to route all your internet traffic trough you VPN provider while at the same time routing your IPTV traffic outside the VPN tunnel. Note that this is not the same as making an exception for a device in your network to access the internet outside the VPN tunnel! There is routing and IGMP and firewall rules and dhcp options in play with different networks. I will show you how to setup pfSense to route all your internet traffic trough your VPN provider and at the same time make IPTV work!

So I made a little diagram of the situation I had in mind. I decided to get a mini-pc with multiple network ports (6 in total) so I could dedicate network ports for IPTV traffic or internet traffic. There are other options you could use like managed switches but I wanted to keep things lean. The diagram below shows the setup I implemented:

pfSense with routed IPTV and OpenVPN client for private internet access - 01

So basically the layout for the network ports on my pfSense firewall is as follows:

  • NIC 0: WAN / Internet/ Xs4all
  • NIC 1: LAN – to my managed switch for all the devices in my LAN.
  • NIC 2: free (future use)
  • NIC 3: free (future use)
  • NIC 4: IPTV set-op box Bedroom
  • NIC 5: IPTV set-op box Living room

VLANs

As you can see in my diagram above Xs4all is using VLANs. VLAN 4 is used for IPTV and VLAN 6 is used for internet access. That means that I need to have two VLANs coming in on my NIC 0 (WAN) on pfSense. On pfSense management interface go to Interface -> Assignments and then click on the VLANs tab. When you add the VLANs here make sure the correct VLAN tag is entered and choose the correct network interface. Create your VLANs here and make sure they look like the picture below:

pfSense with routed IPTV and OpenVPN client for private internet access creating_vlans

As you can see in the picture below VLAN 4 and 6 are both configured to use interface igb0. igb0 is the name pfSense gave NIC 0 on the mini-pc I am using. Make sure to check the name pfSense assigns to the network interfaces on your hardware. Description is optional so use it as you see fit. In the end our configuration should look something like my config below:

pfSense with routed IPTV and OpenVPN client for private internet access - 03

WAN configuration

WAN configuration consists of 2 parts. The first part is the internet access part and the second one is for IPTV.

Internet WAN side

I am not going to deep dive in the WAN configuration part. Internet access is living in VLAN 4 and there is some PPPoE configuration involved. In the end the WAN interface will be using NIC 0 and VLAN 6. It looks like this:

pfSense with routed IPTV and OpenVPN client for private internet access - 04

As you can see my WAN is coming in on igb0.6 with PPPoE. igb0.6 stands for NIC 0 VLAN 6. That is the way pfSense is naming the interfaces combined with the VLAN tag.

IPTV WAN side

Let’s get the IPTV interface on pfSense up and running! I have named the IPTV WAN interface WAN_IPTV. This interface is on igb0 and has VLAN tag 4 assigned. You can see it in the picture above. The next step is configure some DHCP options for this interface. If we don’t do this pfSense will not be able to pick up a valid network configuration and won’t be able to pick up the IPTV feed on from the WAN side. Open the properties of the the interface. In my case it is the interface with the name WAN_IPTV. In the first part of the properties make sure that the interface is enabled and IPv4 Configuration Type is set to DHCP:

pfSense with routed IPTV 06

Now scroll down on this page because we have to make sure that we set a couple of properties here.

pfSense with routed IPTV 07

As you can see in the picture above you have to enable the Advanced Configuration option here. This will enable some options in the Lease Requirements and Requests segment of this page:

  • Send options field: in this field enter dhcp-class-identifier “IPTV_RG”
  • Request options field: in this field enter subnet-mask, routers, broadcast-address, classless-routes

Check the image below:

pfSense with routed IPTV 08

After these options you will see that the WAN_IPTV interface will get an IP address from the ISP.

pfSense with routed IPTV 09

Setup the IPTV interface (for local set-op boxes)

So let’s move on the IPTV. As I said before I am using NIC 4 and NIC 5 for my IPTV set-op boxes. That means that those set-op boxes will be directly connected to that network port. Select the interfaces you will use and assign them a static IP address. Make sure that each interface used for IPTV need to have their own subnet. In my case I will be using the following subnet:

  • 192.168.100.0/24 for my LAN (NIC 1 – igb1)
  • 192.168.112.0/24 for the IPTV set-op box in my Bedroom (NIC 4 – igb4)
  • 192.168.111.0/24 for the IPTV set-op box in my Living room (NIC 5 – igb5)

I know that the subnet I use for IPTV is a little bit big as I only have 1 set-op box on that interface :). Ah well, this works for me and maybe I will adjust it in the future to make it smaller or combine both my set-op boxes on one subnet. For now this works for me. The IPTV interface has to be assigned a static IP address. Make sure yours look something like the picture below:

pfSense with routed IPTV 10

Double check the network ports you will use for your IPTV set-op box. Below is an overview of the IPTV interfaces I will use. As you can see I have assigned the dedicated network interfaces for my IPTV set-op boxes.

pfSense with routed IPTV 11

Next step is to make sure that those set-op boxes will get an IP address when connected to those interfaces. For that to happen I will be running a dedicated DHCP server on each IPTV interface. I know that there are other options, but hey…this keeps is simple and pragmatic :). Luckily pfSense makes it easy to run multiple DHCP servers. After assigning a static IP address on a specific interface you will see that interface appear in the DHCP server configuration page. See the image below:

pfSense with routed IPTV 12

The screenshot below shows how I have setup DHCP on the interface where my IPTV set-op box for my Living room is connected. There is nothing special there. Just specify the range for DHCP here.

pfSense with routed IPTV 13

The same goes for all the set-op boxes which have their own dedicated interface on pfSense.

IGMP Proxy

We have to setup IGMP Proxy because IPTV uses multicast. The multicast traffic needs to be received by the set-op box in order to function properly. The way to get the IGMP traffic from the WAN_IPTV interface (from your ISP) to the set-op box is to let pfSense proxy it. By using IGMP proxy we also can isolate multicast traffic to only the set-op boxes in stead of flooding you whole LAN constantly with it. This in a nutshell is why we use IGMP proxy.

Go to Services and the IGMP Proxy. Enable IGMP Proxy by clicking the checkbox. Then we have to add one upstream configuration for the WAN_IPTV network and a downstream configuration for every set-op box you have.

In my case the WAN upstream interface needs to have 3 networks:

  • 217.166.0.0/16
  • 213.75.0.0/16
  • 10.0.0.0/8

These network are in use for IPTV by KPN/Xs4all. Check your ISP for what network ranges they use for upstream. See the below image:

pfSense with routed IPTV 14

We have to tell the IGMP Proxy Service also where our IPTV set-op boxes live. So for each set-op box we need to configure a downstream interface. My Living room IPTV set-op box has the network:

  • 192.168.111.0/24
pfSense with routed IPTV 15

Make sure you select the correct interface. In the end the IGPM Proxy Service settings should look like this:

pfSense with routed IPTV 16

Routing, firewall rules and NAT

Now we have to setup specific firewall rules, routing and also NAT. This blog post is about using IPTV while routing all your internet traffic trough your VPN provider in order to hide it from prying eyes. But we don’t want to route IPTV traffic trough the VPN tunnel because that will break watching old-fashoned tv using your set-op box.

My pfSense firewall is running a full-blown OpenVPN tunnel (OpenVPN client) 24/7. When my VPN tunnel is down for some reason I want to block all internet related traffic. This prevents leaking internet traffic accidentally when my VPN tunnel is down. This is also called a “kill-switch”. To achieve this I have to set my pfSense Outbound NAT mode in Manual mode and configure addition NAT rules for my IPTV set-op boxes.

NAT Mode

I will not discuss in this blog post what the consequense is in changing NAT mode to Manual. The network configuration in Manual NAT mode requires additional settings and this can be different depending on your VPN provider. If you are using Mullvad they have a terrific guide here. Go to Firewall -> NAT and click on the tab Outbound.

pfSense with routed IPTV 17

For every local network used for the IPTV set-op boxes we have to add specific NAT rules. We have to tell pfSense to send all the traffic from those networks trought the WAN_IPTV interface. In this way the traffic will not get trough the VPN tunnel.

For the IPTV set-op box in my Living room I have added a rule here with the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 192.168.111.0/24 (the subnet for my IPTV in the Living room!)
  • Destination: Any

See screenshot below:

pfSense with routed IPTV 18

We have to add one very important rule here. The network 224.0.0.0/8 has to added here and also routed trough the WAN_IPTV. Again check your ISP for details on the network. Add it using the following configuration:

  • Interface: WAN_IPTV
  • Address family: IPv4
  • Protocol: any
  • Source type: Network
  • Source network: 224.0.0.0/8 (the subnet for my IPTV in the Living room!)
  • Destination: Any

See the screenshot below:

pfSense with routed IPTV 19

After adding all the rules relevant for your IPTV set-op boxes your configuration here should look something like this:

pfSense with routed IPTV 20

Routing and firewall rules

The next (and last) step is to add the correct routing and firewalling rules. Per IPTV interface we have to add two rules. One is to route the IGMP traffic and the other one is to route the IP traffic. If you go to Firewall -> Rules you should see several tabs there including the ones specifically for you set-op boxes. Select the tab for your set-op box and let’s add the IGMP rule first.

The IGMP rule should have the following configuration:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-op box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: any
  • Destination: any
  • Advanced configuration: check Allow IP options

The Allow IP options is very important to allow multicast traffic. See the following screenshot:

pfSense with routed IPTV 21

The second rule must be configured with these options:

  • Action: Pass
  • Interface: IPTV_Livingroom (select your set-op box internal network here!)
  • Address Family: IPv4
  • Protocol: IGMP
  • Source: IPTVLIVINGROOM net (select the subnet where your set-op box lives in!)
  • Destination: any
  • Advanced configuration: check Allow IP options

You should end up with these rules in the tab for your set-op box:

pfSense with routed IPTV 22

As you can see I have also added some other rules. The one relevant here I think is to block all traffic from the IPTV subnet to your LAN. It’s up to you if you want this. I added that just because :).

So there you have it. You should now have a fully functional network where your IPTV traffic is routed to your ISP and all your internet traffic is seperated and routed trough your VPN provider. This setup also makes it so that when your VPN tunnel is offline your set-op boxes will still work given that your WAN is off course fully up and running. Very nice!

At the end I want to make clear that I am in no way connected or affiliated to the brands or services I named in my blog post.

pfSense with routed IPTV and OpenVPN client for private internet access Read More