by Retr0id 1622 days ago
Some telemetry is blocked unconditionally during startup, although it is incomplete [1] (perhaps I was a bit over-optimistic when I said a pihole was not required).

Custom CA certs are possible, which people on older models have been using to work around issues stemming from the X3 cert expiry [2].

[1] https://github.com/RootMyTV/RootMyTV.github.io/issues/19

[2] https://github.com/tf318/lg

I used to have everything blocked using PiHole but recently moved to a pfSense router. I guess I just need to block some hosts again.

Thanks for the links!

pfblocker-ng devel. Run the startup wizard to get a pretty safe ruleset running quickly.

I'm running pfBlockerNG already but not devel. Is that the key?

Devel is a lot better. It has a wizard to get you started that is excellent and loads of other stuff.

Disable the dynamic DNS options for DHCP on the DNS resolver to avoid problems with Python modules in the DNS resolver (unbound).

Untick the box for leaving config behind and uninstall pfb not devel. Install pfb devel.

Go to Firewall -> pfblockerng-devel and you will be presented with a wizard. Take the defaults but do indicate your WANs and LANs when they are asked for. You'll get a great basic PRI1 ruleset set up and DNS blocking too, out of the box. I recommend adding "TOR/Tor Project Bulk Exit List" - block inbound on WAN as soon as you work out how to do it.

There are a vast number of built-in rule set links. Give them a go.

If you want easy then go for block on inbound and/or outbound on all rules but if you need some flexibility then go for aliases and make your own rules.