After Adam:One setup, all outbound access is blocked

After following the instructions here:

I am running pfSense 2.5.1-RELEASE (amd64) on Protectli hardware.

I lose (normal) contact with the internet when the DNS Resolver is stopped. I must enable the DNS Resolver in order to access the dashboard. Adam:One is enabled on the adam:ONE/Settings, and Automatically manage DNS firewall rules is checked. The Router Configuration page on Dashboard indicates it can see my router. In fact, the dashboard lists all devices in my DHCP assignments, so it has definitely obtained information from the router.

I see (2) NAT Port Forward rules and (1) LAN rule that Adam:One set up.

All of my devices were already set to require DNS from the pfsense firewall prior to the install, and no device is allowed off network via port 53 or 853. The point is that I know my devices look to the router for DNS.

I do have my DNS directed to OpenDNS as indicated on Status / Dashboard: DNS Servers are 208.67.220.220 and 208.67.222.222.

I am rather confused about how the instructions say to turn off the resolver but then direct you later to set up the Adam:One details. Following those instructions, it was impossible to set up the Adam:One account because DNS was down at step 2.

All of my devices are in the Basic Blacklist policy which I have not changed.

I’ve read through the Quick Start Guide. Hopefully I haven’t missed anything obvious.

@kbulgrien, when the anmgr service is running it should still resolve (without any filtering), which is why it's OK to disable the built-in DNS Resolver before step 2.

If you run the command sockstat -4 what services do you see listening on port 53?
Do you see anmgr running under Status / Services?

Did you click the Setup DTTS button? That will disable your default allow-Internet firewall rule, and if your account isn't live it will cut off your Internet access as a result.

root anmgr 50323 17 tcp4 127.0.0.1:53           *:*
root anmgr 50323 18 tcp4 192.168.8.254:53       *:*
root anmgr 50323 19 tcp4 xxx.yyy.104.12:53      *:*
root anmgr 50323 21 tcp4 127.0.0.1:80           *:*
root anmgr 50323 22 tcp4 192.168.8.254:80       *:*
root anmgr 50323 23 tcp4 xxx.yyy.104.12:80      *:*
root anmgr 50323 26 udp4 *:5353                 *:*
root anmgr 50323 28 udp4 192.168.8.254:137      *:*
root anmgr 50323 30 tcp4 xxx.yyy.104.12:13950   34.120.84.240:443
root anmgr 50323 31 tcp4 xxx.yyy.104.12:38133   104.196.219.250:44353

I did push the blue Setup Firewall for DTTS button only after several tries at figuring this out. I do see (3) adam:ONE LAN rules now, but none look like they block anything.

adam:ONE Reject 443 for Ad-blocks
adam:ONE allow DNS
adam:ONE allow HTTP to mytools.management

No allow rules are disabled that I did not have disabled before the install. The main allow is still there:

Any valid local getting here is allowed

My firewall rule set is not a “default” pfsense rule set. I have a number of blocks, schedules, exceptions to rules, etc. that are my base policies for devices on the network.

Disabling unbound still disables my ability to use DNS.

I guess I didn't state this, but it feels as if not being able to disable the DNS Resolver as instructed probably means that the install is a failure and offers no benefit because DNS resolves are bypassing adam:ONE. I guess I don't really understand the process of how it works. I suppose that adam:ONE essentially sits between my DNS provider and what is served to the local network?

A router reboot was necessary after turning off the unbound DNS Resolver.

The dashboard shows no DNS requests for today even though Domain Logging is enabled, so I guess it is still not working. ‘sockstat -4’ lists anmgr and unbound is not listed. I have outbound blocks for 53 and 853 for all devices except the firewall.

On a test PC:

$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default pfs 0.0.0.0 UG 0 0 0 enp2s0
link-local 0.0.0.0 255.255.0.0 U 0 0 0 enp2s0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 enp2s0
$ grep pfs /etc/hosts
192.168.8.254 pfs pfsense

Perhaps reporting lags operations. The log is now showing some allows and blocks.

There can be an hour delay for the domain logs to appear on the Dashboard. If you are still seeing issues there please contact our support via support@adamnet.works

It's interesting that you had to reboot pfSense after disabling the built-in DNS Resolver. Based on the sockstat output above, only anmgr was listening on port 53, which is what we'd want to see.
But good to know that a reboot fixed that issue.
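The check the support reply asks for (what is bound to port 53, and whether anything besides anmgr still is) can be automated over `sockstat -4` output. The script below is an added example, not code from the thread or from adam:ONE; its sample listing is constructed from the output above, keeps the redacted WAN placeholder `xxx.yyy.104.12`, and adds one made-up `unbound` line to simulate the built-in resolver still running.

```python
"""Parse FreeBSD `sockstat -4` output and report which processes are bound to the
DNS ports (53 and 853, tcp or udp). On a working adam:ONE install only anmgr
should appear; a second listener (e.g. unbound) means the resolver was not
stopped. Added example, not adam:ONE code."""
from collections import defaultdict

DNS_PORTS = {53, 853}

# Constructed sample modelled on the thread's listing (WAN address is a placeholder);
# the final unbound line is invented to show the conflict case.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     anmgr      50323 17 tcp4   127.0.0.1:53          *:*
root     anmgr      50323 18 tcp4   192.168.8.254:53      *:*
root     anmgr      50323 19 tcp4   xxx.yyy.104.12:53     *:*
root     anmgr      50323 26 udp4   *:5353                *:*
root     anmgr      50323 30 tcp4   xxx.yyy.104.12:13950  34.120.84.240:443
unbound  unbound    41211 5  udp4   192.168.8.254:53      *:*
"""

def dns_listeners(sockstat_text):
    """Map (command, pid) -> sorted [(proto, local)] for listening sockets on DNS ports.
    A listening socket has no peer, which sockstat shows as a foreign address of *:*."""
    found = defaultdict(list)
    for line in sockstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[0] == "USER":   # skip header and short/odd lines
            continue
        _user, cmd, pid, _fd, proto, local, foreign = cols[:7]
        if foreign != "*:*":                     # established connection, not a listener
            continue
        port = int(local.rsplit(":", 1)[1])      # works for "*:5353" and "1.2.3.4:53"
        if port in DNS_PORTS:
            found[(cmd, int(pid))].append((proto, local))
    return {key: sorted(socks) for key, socks in found.items()}

def unexpected_listeners(sockstat_text, expected="anmgr"):
    """Names of processes other than `expected` that hold a DNS port."""
    return sorted({cmd for (cmd, _pid) in dns_listeners(sockstat_text) if cmd != expected})

if __name__ == "__main__":
    for (cmd, pid), socks in dns_listeners(SAMPLE).items():
        print(f"{cmd}[{pid}]: " + ", ".join(f"{proto} {addr}" for proto, addr in socks))
    print("unexpected DNS listeners:", unexpected_listeners(SAMPLE) or "none")
```

On the firewall itself, `sockstat -4 | python3 this_script.py` with `SAMPLE` replaced by `sys.stdin.read()` gives the live answer.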