One feature I find useful with pfBlockerNG (not available in Pi-hole) is that blocked domains are returned as a 1x1 pixel image, which makes websites render better rather than showing error messages in the areas where the blocked ad domains should be.
Pi-hole 5.0 came out recently and now allows per-client blocking, something pfBlocker is lacking (or maybe it isn't and I just couldn't figure it out). I was using pfBlocker, but am working on transitioning because this is exactly what I want: different things blocked for adults, kids and guests without a super long rules list on the firewall.
I prefer Pi-hole over pfBlockerNG because of the interface. Whitelisting, the overview etc. are much more useful and powerful in my opinion. And with the "additional" Unbound in Pi-hole, this instance also resolves the names itself and doesn't forward them. At the moment I'm using pfBlockerNG only for IP blocking, and Pi-hole for the DNS stuff.
Pi-hole still has some advantages: 1. Much easier and cheaper to add to an existing config/router. 2. Can run as a VM; I personally use it that way with no issues whatsoever. Running pfSense as a VM can be a pain, a lot of pain. 3. Host lists. Pi-hole has built-in lists and allows you to customise them. pfSense has no built-in lists; you need to find and add them yourself. I was using Pi-hole lists with pfSense though :)
I agree with Pi-hole being simple. But pfSense definitely runs just as flawlessly in a VM. Give it a shot. I actually run both. I have a pretty complex home/small-business network and use a virtualized pfSense on a quad-core laptop. Very reliable and steady uptime, and all functionality is still there. Just get a couple of USB-to-Ethernet dongles; then pfSense can have its own WAN and LAN ports. Push the pfSense LAN output to your main router. Really, the trick is to leave the VirtualBox USB settings alone. Just set the network device options you want to use in the VirtualBox network settings (NAT, Bridged Adapter, etc.). Allow your host OS to control the USB network devices. And then, very importantly, on your host OS you must disable the IPv4 and IPv6 settings of those same bridged adapters that pfSense is using. Works so sweet after that. Just have a good host PC with a clean, reliable OS that is ready for uptime. Allow it to auto-load the pfSense VirtualBox VMs on startup. I have months of steady uptime on these pfSense and Pi-hole VMs, and if I reset the laptop it autostarts everything within 2 minutes.
@briythepcguy7051 I could have sworn those USB Ethernet dongles don't take full advantage of the port or of some pfSense features, since they depend on the CPU.
Thanks for clarifying! Glad to see I won't need to buy a separate system for it, considering I'm going to turn the old PC into a firewall with pfSense. (I know about the power consumption, guys; it's only a temporary build until I can afford decent Netgate hardware.)
I use blocklists in OPNsense, under the built-in Unbound DNS. It works the same, and I like not having 2 devices, but I do miss the pretty UI and graphs in Pi-hole.
I use Pi-hole because Pi-hole is DNS over HTTPS and DNS over TLS ready. The pfSense DNS server only works with DNS over TLS. In my case, all devices send the DNS request in plaintext to Pi-hole, Pi-hole filters it, and after that Pi-hole sends the request over DNS over HTTPS to the upstream DNS server. This setup is not possible with pfSense and pfBlockerNG, so far.
I couldn't agree more with this video. I actually run both, but that is because I run dedicated Unbound servers due to other requirements on my network.
I considered pfBlockerNG; however, I can't seem to get DoH for DNS on pfSense, unless I'm mistaken... So I'm using a Pi-hole running as a separate ESXi instance on the same box I run my pfSense instance on. I think this is a preferable solution, as I can route all non-DoH DNS on my networks to the Pi-hole, and all the non-blocked resolutions go over DoH, as I don't want to give that information to my ISP.
I do kind of agree, though, that for home users who are running pfSense and don't want the added complication of a second device it is likely the simpler solution, especially if they don't care about moving all their DNS resolution to DoH.
As I recall from using it, Pi-hole was just easier to manage, and I had some nice graphs. But I use pfBlocker so that I can use my Pi for something else.
The pfSense project should give more credit to BBCAN, the developer of pfBlockerNG. BB created this package, which makes people buy pfSense. The same goes for the developer of the Snort and Suricata packages on pfSense, Bmeeks.
One other small advantage of pfBlocker is that you can actually block the use of DNS servers other than your own; you can't do that with Pi-hole because, well... it's not a firewall. The graphs, however, are way better in Pi-hole :)
I'm not going to lie, Pi-hole on a Raspberry Pi is one of the simplest applications to install on a Pi, plus you can have it up and running in minutes. The Pi-hole graphical user interface is clean, and the network activity graphs and info are presented extremely well (one of the best-looking ones I've seen). It's nowhere near as complex or fiddly to operate as pfSense/pfBlockerNG, and that's its real strong point: simplicity. pfSense with pfBlockerNG, on the other hand, can by comparison be very time-consuming and complex depending on how deep you want to go, but ultimately it can do a whole lot more (just make sure you do backups along the way in pfSense). Updating Pi-hole is easy, adding new blocklists is easy, and whitelisting and blacklisting sites is just a case of clicking a button. Note: Pi-hole can also function as a basic DHCP server. The only real downside of Pi-hole is its inability to block adverts shown on YouTube videos, but if you pair Pi-hole with the uBlock Origin browser plugin (for the likes of YouTube on your desktops) then you're good to go. Note you can access your Pi-hole GUI from pretty much any device on your LAN; just enter your Pi-hole IP address in your browser and log in. If you want to access the back end of it (i.e. the operating system the Pi-hole server is running on (Raspbian)) and you don't have a separate monitor for your physical Pi device, be sure to install VNC on it; then you can access it using VNC Viewer for free.
I love my Raspberry Pi!! And everyone should have Pi-hole on their network. Another, even simpler setup is to just download VirtualBox on a desktop/laptop, spin up an Ubuntu Server ISO and do a command-line Pi-hole install. Then you can use your Raspberry Pi for many other things!
@humanbeing-001 Yes, Raspberry Pis are pretty simple, but if you like to have full control, pfSense is the way to go. It takes more time to set up, but pfSense is just an all-in-one solution for networking. You could also use pfSense to control a home-made switch. I love my pfSense; I went from a Netgear WNDR to DD-WRT/Pi-hole to pfSense. I tried the Pi out; it just lacks the configurability, but is very simple, just like most low-end managed switches. My setup: pfSense - MikroTik 317 / 10Gb/s - Cisco SG350X - Cisco SG300PP. I wish I had gone with a UniFi switch instead of the MikroTik, but the price difference at the time was 200-300; also, once it is configured, it's awesome.
Nice vid. I prefer using Pi-hole. It's not as good as pfBlocker, but... I have it running on my parents' network, since they can access the GUI easily without the risk of them trashing pfSense.
The main issue I ran into with pfBlocker, which I love, is that the auto-generated rules made my firewall pages take up to a minute to load with every change. After I disabled it, the problems went away.
I find Pi-hole works very nicely in home networks. pfSense's embedded pfBlockerNG is cool too.
Just to let you know, in security you want to use 2 different firewalls to lessen the attack surface for malicious actors. That way the same bug cannot be exploited on both firewall instances.
@jameswatkins7806 Lol, you're preaching to the choir, my friend. Actually, you would want at least 3 firewalls: pfSense, a good router firewall, and an OS-level firewall. You definitely want a software-based firewall on your OSes that keeps track of, and restricts, any program from running unless approved. I actually put a T-Pot honeypot in front of my whole network so hackers can't even get into my inner network. They won't get past the honeypot. They're like a kid in a candy store when they see hundreds of open ports and vulnerabilities. Then I can just IP-block them on the inner firewalls.
@jameswatkins7806 I own many servers across the world and I pentest my own networks all the time. I really try to get into it. I designed it to be complex for that exact reason. A honeypot gives you a wealth of information and can be very helpful. Hook a honeypot up and you will be probed from China within seconds. They masscan-probe the whole internet constantly. So, you basically want two or more network security segments, like they do with fences in prisons. First an outside-facing DMZ that is "unsecure" and for your honeypot only; then behind that would be your locked-down pfSense. pfSense would then feed out to a good router like a flashed DD-WRT or something fancy, but the router's ports are also locked down. Needed ports can be forwarded to pfSense. No outside hacker will be able to get past a properly placed DMZ'd honeypot and into your real network, past your Snort IDS, if you use layered segments utilizing different private LAN IP ranges (class A, B, C). You could even put another honeypot on the inside of your network to be sure no hacker has gotten in. If you are going to run a WAN-side honeypot, though, you had best be ready to change your IP when you want to shut it off, or you will get DDoSed and maybe really hacked. You can change a static IP by changing the MAC address of your cable modem. This can be done in a number of ways. Your cable modem probably doesn't have a MAC address change setting itself, but I have Comcast and I can force them to change my IP by using a DD-WRT router connected to my cable modem. If you can master honeypot placement on your network's WAN and/or LAN, and also learn how to probe your ports, then you can secure your network with confidence.
I think you're missing the value not necessarily of Pi-hole itself, but of a typical configuration: upstream DNS encryption, namely cloudflared. Either method will block ads, but I can't say whether pfSense or the like would support upstream DNS encryption in the same way as you would on a Raspberry Pi. This adds another layer of privacy that frankly should be available to every household.
Good summary of the basic choice. The hardware cost of Pi-hole is pretty low, and there are virtual machine options. For anything at this level, check other sources of info, and check the dates of those sources. It's April 2021 and things can have changed a lot.
This is a good question, and I believe it does, but I don't plan to verify it. OpenWrt has an updated DNS hijacking topic on their doc page, and it is done via ipset. DoH might be encrypted, but you still need SRC and DST in the IP header. If the DST IP is on the pfBlockerNG blocklist (that is being applied), it must block the IP, but don't take it for granted.
+System Lord, the regex issue in pfBlockerNG is the reason why I have Pi-hole running on a VM, with pfSense DNS set to the Pi-hole address. Such a pain, because I have specific websites I want to block. One thing I looked into is just creating a text file on my HTTP server and adding that as a list in pfBlockerNG.
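Two points made in this thread are really the same point: a firewall can stop clients from using any resolver but the local one (one commenter notes Pi-hole cannot do this because it is not a firewall), and DoH is encrypted but its destination IP is still in the header, so a pfBlockerNG IP list can block known DoH resolvers. Both are decisions on IP-header fields alone. The following is an added example, not pfBlockerNG code and not from the video's author, that runs that logic over a handful of constructed flow records: it parses a pfBlockerNG-style IP list (one address or CIDR per line, comments allowed), flags plaintext DNS sent anywhere but the local resolver, flags DoT by its port, and flags TLS to an address on the DoH list. The local resolver address, the list entries (RFC 5737 and RFC 3849 documentation ranges, not real resolver addresses) and the flow records are all constructed.

```python
"""Added example: DNS-bypass detection from IP-header fields only, the kind
of check a firewall (pfBlockerNG IP lists, a port-53 redirect rule) can make.
Not pfBlockerNG code. All addresses and records are constructed; the list
uses documentation ranges rather than real resolver addresses."""
import ipaddress

# Assumed address of the local resolver (Pi-hole, or pfSense's Unbound).
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")

# Constructed stand-in for a pfBlockerNG-style "DoH resolver" IP list:
# one IPv4/IPv6 address or CIDR per line, '#' comments and blank lines allowed.
DOH_LIST_TEXT = """
# sample list (documentation ranges only)
203.0.113.10
198.51.100.0/24
2001:db8:53::/48
"""

# Constructed flow records (proto, src, dst, dport), as a firewall or
# netflow log would give them.
SAMPLE_FLOWS = [
    ("udp", "192.168.1.50", "192.168.1.2", 53),      # DNS to the local resolver: fine
    ("udp", "192.168.1.51", "192.0.2.1", 53),        # plaintext DNS to a foreign resolver
    ("tcp", "192.168.1.52", "203.0.113.10", 443),    # TLS to a listed DoH resolver address
    ("tcp", "192.168.1.52", "198.51.100.77", 443),   # inside a listed CIDR
    ("tcp", "192.168.1.53", "2001:db8:53::1", 443),  # IPv6 entry
    ("tcp", "192.168.1.54", "192.0.2.80", 443),      # ordinary HTTPS
    ("tcp", "192.168.1.55", "192.0.2.1", 853),       # DoT: the port alone gives it away
]


def parse_ip_list(text: str):
    """Parse an IP/CIDR list into ip_network objects, skipping comments and blanks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=False so an entry with host bits set (e.g. 10.1.2.3/24) is accepted
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def classify(flow, doh_nets, local_resolver=LOCAL_RESOLVER) -> str:
    """Return one of: allow, dns-bypass, dot-bypass, doh-suspect."""
    _proto, _src, dst, dport = flow
    dst_ip = ipaddress.ip_address(dst)
    if dport == 53 and dst_ip != local_resolver:
        return "dns-bypass"     # redirect to the local resolver, or drop, at the firewall
    if dport == 853:
        return "dot-bypass"     # DoT has a dedicated port; no list needed
    # An IPv4 address is never "in" an IPv6 network and vice versa, so mixed
    # lists are safe to scan in one pass.
    if dport == 443 and any(dst_ip in net for net in doh_nets):
        return "doh-suspect"    # only the destination IP is visible; could be any HTTPS at that IP
    return "allow"


def report(flows=SAMPLE_FLOWS, list_text=DOH_LIST_TEXT):
    """Classify every flow once; returns (src, dst, dport, verdict) tuples."""
    nets = parse_ip_list(list_text)
    return [(f[1], f[2], f[3], classify(f, nets)) for f in flows]


if __name__ == "__main__":
    for src, dst, dport, verdict in report():
        print(f"{src:15s} -> {dst:16s} :{dport:<4d} {verdict}")
```

The caveat the comment above hints at with "don't take it for granted" is visible in the `doh-suspect` branch: an IP list cannot tell DoH from any other HTTPS service at the same address, so blocking a shared address takes the rest of that host's services with it, and a resolver whose address is not on the list passes as ordinary HTTPS.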
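The comments on blocklists and regex entries above, and the remarks elsewhere in this thread that Pi-hole cannot block YouTube ads, all come down to the one decision a DNS blackhole makes: is the queried name on a list? The following is an added example, not code from Pi-hole, pfBlockerNG or the video's author. It parses a raw DNS query, matches the name against an exact/parent-domain list and a Pi-hole-style regex entry, and for blocked names builds the sinkhole answer on the wire (0.0.0.0 for A and :: for AAAA, which is Pi-hole's default NULL blocking mode; pfBlockerNG's DNSBL instead answers with its own virtual IP, which is where the 1x1 pixel mentioned at the top of the thread comes from). The list contents, names and transaction IDs are constructed for the example. Note that a request for an ad served from the same name as the video it precedes looks identical to the request for the video itself at this layer, which is why a browser-side blocker is needed for that case.

```python
"""Added example: the per-query decision behind a DNS blackhole (Pi-hole /
pfBlockerNG DNSBL style). Not code from either project; the blocklist
contents, names and transaction IDs below are constructed for the example."""
import ipaddress
import re
import struct

# Constructed sample lists. A plain entry blocks the name and all of its
# subdomains (as Pi-hole treats blocklist entries); a regex entry is applied
# to the whole queried name, in the anchored form Pi-hole's docs use.
BLOCKLIST = {"doubleclick.net", "ads.example.com"}
REGEX_BLOCKLIST = [re.compile(r"(^|\.)tracker-[0-9]+\.example\.net$")]

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Encode a standard recursive query with one question (RFC 1035 wire format)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + name + struct.pack("!HH", qtype, 1)        # class IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, raw_question_bytes) from a single-question query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # a compression pointer is not valid in a query's question name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + ln].decode("ascii").lower())
        pos += ln
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    if qclass != 1:
        raise ValueError("only class IN is handled")
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def is_blocked(qname: str) -> bool:
    """Exact or parent-domain match against BLOCKLIST first, then the regex list."""
    labels = qname.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in BLOCKLIST:
            return True
    return any(r.search(qname) for r in REGEX_BLOCKLIST)


def answer(packet: bytes, sinkhole_v4="0.0.0.0", sinkhole_v6="::", ttl=2):
    """Return ("blocked", response_bytes) or ("forward", None).

    "forward" is the point where a real resolver sends the query upstream
    (Unbound, DoT, DoH, ...); this example stays offline. Blocked A/AAAA
    queries get the sinkhole address with a short TTL; other blocked types
    get an empty NOERROR (NODATA) answer, the choice made for this example.
    """
    txid, qname, qtype, question = parse_question(packet)
    if not is_blocked(qname):
        return "forward", None
    if qtype == QTYPE_A:
        rdata = ipaddress.IPv4Address(sinkhole_v4).packed
    elif qtype == QTYPE_AAAA:
        rdata = ipaddress.IPv6Address(sinkhole_v6).packed
    else:
        rdata = b""
    ancount = 1 if rdata else 0
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR)
    resp = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0) + question
    if rdata:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        resp += struct.pack("!HHHIH", 0xC00C, qtype, 1, ttl, len(rdata)) + rdata
    return "blocked", resp


if __name__ == "__main__":
    for name in ("ads.example.com", "cdn.doubleclick.net", "notdoubleclick.net",
                 "tracker-7.example.net", "video.example.org"):
        decision, resp = answer(build_query(0x1234, name))
        print(f"{name:24s} {decision:8s} {'' if resp is None else resp.hex()}")
```

The parent-domain walk is what makes a plain `doubleclick.net` entry also catch `cdn.doubleclick.net` without catching `notdoubleclick.net`; the regex entry is the form to reach for when a list entry per subdomain is impractical, which is the gap the comment above describes in pfBlockerNG.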
Is it just me or... whatever anyone else does, pfSense just does it better, or at least the RIGHT way? That is what I seem to hear from Lawrence Systems every time "...vs pf" is in the headline.
I have several VLANs and only want to allow 1 VLAN full access to the web. Can you have pfBlocker assigned to individual VLANs? Looking to install pfSense for my home network.
@kristopherleslie8343 the Pi is like a VW Bug; pfSense is like an aircraft carrier. The throughput of the firewall, IDS & IPS, along with DNS filtering & IP blocking: the amount is really what will be the difference. As you start to add this stuff and lists on the Pi, the lists cannot be that big, as they will kill your throughput. Also, the whole point of security is to have logs so you can look at what has happened. With a large list and more than 4 clients on a Pi you will be lucky to get 100/5 internet, even if you have 1G/1G internet. You could sacrifice the security, but then why even do a Pi? The Pi = slow speed; pfSense = all the speed with all the security. So you start to cut the list down to increase bandwidth, but you've now lost security. That's the technical difference.
Recently subscribed to your channel - great content! My question is, are there any similar extensions for EdgeOS you can use to serve a similar function? Or is there a way of doing this with an EdgeRouter? I liked your explanation and justification for running pfBlocker on a pfSense firewall, and would go down this path, but I already have an EdgeRouter. I would have got a Netgate, but they have not yet been approved for use in New Zealand and no one is selling them, so I ended up getting an EdgeRouter. Can you make any recommendations for a network-based DNS blackhole in this situation? Or should I just go with Pi-hole? Also, do you know if it's possible to run Pi-hole in a container?
Interesting video. Thank you. What if you only want one or two devices to have this sort of control, e.g. my son's laptop while remote learning? Which way to lean?
It is an extension for pfSense; if you already have your router set up, it goes on that for free. (Home router: pfSense box with multiple NICs, small form factor.)
@annfry9072 However, just getting an HP t610+ thin client, a 16GB SATA SSD DOM module, the power cord and an Intel dual-port Ethernet card to build that pfSense router cost me ~$150.
@annfry9072 Meanwhile, if you don't want to fool with pfSense, or otherwise don't have any old x86-64 computers (preferably with at least one PCIe slot) lying around, it's probably best to go with the Raspberry Pi and Pi-hole for the cost, and use your existing equipment.
How important is it to use SSDs with power-loss protection in combination with ZFS for a homelab or small business? Is it OK to use consumer SSDs with ZFS in my NAS/SAN?
@LAWRENCESYSTEMS How does ZFS cope with such a power-loss scenario? Would I just lose the new data or the changes that should have been made to a file, or could it render my existing files corrupt without me noticing, except later when I open a file? (Just realized that I commented under the wrong video... damn YT autoplay. But thanks for answering anyway!) 😄😄
@succubiuseisspin3707 ZFS is COW (copy-on-write); that is how it copes with power loss. Further explanation here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-nlBXXdz0JKA.html
Alan Xu YouTube ads aren't easy to block, because the ads themselves are basically also just YouTube videos; a firewall can't tell the difference, but a browser plugin (uBlock) can.
Is there any way to implement pfBlocker on an EdgeRouter? Or any alternatives? I see you are running pfSense at home and all the other stuff is UniFi; is that because of pfBlocker? Right now I am using Pi-hole on my EdgeRouter network. I think you often forget to mention, as an alternative, that one can install pfSense on a low-power Linux machine, old hardware or a VM.
I don't forget; I have a video with over 260,000 views showing how to do it: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-9kSZ1oM-4ZM.html I don't discourage people from doing it, but I do frequently suggest the SG1100 because for many people that is easier than loading pfSense on an old computer.
@LAWRENCESYSTEMS Yes, I remember that video :) I should rather say that it is an advantage of pfSense vs consumer routers, and also vs UniFi/EdgeRouter. So this could be mentioned when comparing pfSense to other stuff.
pfSense is a lot more reliable, because the hardware on the small EdgeRouter and USG simply is a bottleneck: a MIPS dual-core below 1 GHz and very little RAM (just look into the datasheets for them). If you want a small and good pfSense router there's the fitlet2 on Amazon.com; otherwise look at AliExpress if you want to spend about half of that for something with more ports. The fitlet2 is about the best, smallest and highest-quality solution I've found; nothing else came close (spoiler: I don't own one so far, so I can only speak about theory, digging through datasheets and reading reviews).
@prevaloir5362 I'm using the pfBlocker IP lists and have installed AdGuard Home onto my pfSense box for DNS. It's a much nicer interface and handles DNS rewrites better than the pfSense way of doing it.
Pi-hole isn't foolproof; in fact it doesn't really block effectively anymore. It can't block ads at the beginning of videos or even ones in between videos. It will, however, block older YouTube ads that give you the option to click skip. But YouTube ads without the skip option won't be blocked unless you like creating 20,000-plus hostname lists for every iteration of YouTube ad addresses. And you will need to do that by the hour, because that's how aggressive YouTube ads are these days.
Cool, I was wondering if it would be possible to do Pi-hole without a Pi... Can this be used to block Microsoft from collecting data and forcing updates without user permission? If yes=true, then how? Thanks for the awesome and informative videos!
Lawrence, thanks for all your help with your videos... the network is legit. But man, how the hell do I get DNS over TLS/HTTPS + Pi-hole working? Currently it's one or the other: DNS over TLS/HTTPS is working, and so is the Pi-hole. How the hell do I get them both playing nicely with each other?
So I would need to install pfSense on my laptop in order to take advantage of all the features, such as the antivirus that comes with pfSense and the ad blocker?
pfSense is a firewall which would typically be run on a dedicated server, replacing your current router. There is no way to install it on your laptop as client software.
Well, if you virtualize it you could. Of course you'd have to virtualize your client software too, and boot times are going to go way up, since you'd start your hypervisor, then pf, then lastly your client. It kinda works on a laptop, but IMHO it's way better to just call your home pf box via OpenVPN and run your client through that.
Jimmy Bristow AdGuard scans your browser for the code that is the ad; Pi-hole is a DNS server which blocks ads from being generated when a website asks for an ad.
You should also mention the Raspberry Pi isn't very robust hardware. If you run Linux on an SD card 24x7, for example, the writes eventually trash the SD card and your Pi crashes in as little as a few months. The Pi hardware is made to be as cheap and small as possible, and it has thermal and other limitations. It's designed for hobby use, not continuous mission-critical operation. A Pi is far less robust than a Netgate box or similar typical pfSense hardware. I know countless people trying to use a Pi in continuous operation only to have frequent failures.
You don't have to run it on a Pi. I have it as a Hyper-V virtual machine on my server. The domain controller VM on the same computer has the Pi-hole as its upstream DNS server.
Soooo true; the Pi's problem is not having an HDD or SSD bus. Just charge a little more so we can hack a lot more. SD bus speeds are too slow for the modern day.
I've got a few friends in the government/military who actually run Pis 24x7. They never mentioned a problem that was outlandish. I actually looked at them twice when they mentioned this, since I didn't expect an RPi to be that kind of use case.
I tried Pi-hole and I found it kind of shit; it took hours to update the many lists I found online, but ZERO YouTube ads (and, hm, hub ads) were blocked. It worked on some websites but not all, maybe 50-50.
A ridiculous comparison. If you could put pfSense or OPNsense on a Raspberry Pi, or compare with IPFire (on Pi 3s, Pi 4 in development) with Pi-hole added... Are you sponsored by pfSense? It seems like users not buying pfSense hardware have turned to OPNsense. Anyway, an apples-to-oranges comparison.
And btw, the jerk that is speaking in this video: cool down! Get off the steroids! Jesus, you are giving people headaches with that speed; nobody can actually listen to, let alone understand, this!