• Cloudflare DNS with multiple WAN

    0 Votes
    4 Posts
    415 Views

    Oops, the script was not complete :( Here is an updated version :)

    ```python
    #!/var/www/cloudflare/venv/bin/python3
    # -*- coding: utf-8 -*-
    import requests
    import json
    import re
    import os

    # Cloudflare API settings
    API_TOKEN = 'my_api_token'
    ZONE_ID = 'my_zone_id'

    # TTL in seconds. Note: Cloudflare's "Auto" TTL is ttl=1 in the API, and
    # proxied records are always Auto regardless of this value.
    AUTO = 120

    # DNS records to update
    RECORDS_TO_UPDATE = [
        {'name': 'domain.org', 'type': 'A', 'proxied': True, 'ttl': AUTO},
        {'name': '*.domain.org', 'type': 'A', 'proxied': True, 'ttl': AUTO},
        {'name': 'minecraft.domain.org', 'type': 'A', 'proxied': False, 'ttl': AUTO}
    ]

    # API headers
    HEADERS = {
        'Authorization': f'Bearer {API_TOKEN}',
        'Content-Type': 'application/json',
    }

    # File path to store last known IP
    LAST_IP_FILE = os.path.join(os.path.dirname(__file__), 'last_ip.txt')

    # Deadline for every HTTP call so a stalled WAN cannot hang the CGI request
    TIMEOUT = 10


    def get_public_ip():
        """Fetch current public IP from checkip.dyndns.org (plain HTTP, unauthenticated)"""
        try:
            response = requests.get("http://checkip.dyndns.org/", timeout=TIMEOUT)
            ip = re.search(r"Current IP Address: ([\d.]+)", response.text).group(1)
            return ip
        except Exception as e:
            raise RuntimeError(f"Failed to detect public IP: {e}")


    def load_last_ip():
        """Read the last saved public IP address"""
        try:
            with open(LAST_IP_FILE, 'r') as f:
                return f.read().strip()
        except FileNotFoundError:
            return None


    def save_current_ip(ip):
        """Save the current public IP address"""
        with open(LAST_IP_FILE, 'w') as f:
            f.write(ip)


    def get_all_dns_records():
        """Fetch all DNS records in the Cloudflare zone"""
        url = f'https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/dns_records'
        response = requests.get(url, headers=HEADERS, timeout=TIMEOUT)
        if response.status_code != 200:
            raise RuntimeError(f"Failed to fetch DNS records: {response.text}")
        return response.json().get('result', [])


    def update_dns_record(record_id, name, record_type, proxied, ttl, new_ip):
        """Update a DNS record on Cloudflare"""
        url = f'https://api.cloudflare.com/client/v4/zones/{ZONE_ID}/dns_records/{record_id}'
        payload = {
            'type': record_type,
            'name': name,
            'content': new_ip,
            'ttl': ttl,
            'proxied': proxied
        }
        response = requests.put(url, headers=HEADERS, data=json.dumps(payload), timeout=TIMEOUT)
        if response.status_code == 200:
            print(f"✅ Updated {name} to {new_ip}")
        else:
            raise RuntimeError(f"Failed to update {name}: {response.text}")


    def main():
        # Output HTTP header (for CGI)
        print('Content-Type: text/plain; charset=utf-8\n')
        try:
            current_ip = get_public_ip()
            last_ip = load_last_ip()
            print(f"🌍 Current Public IP: {current_ip}")
            if current_ip == last_ip:
                print("⏸️ Public IP has not changed. Skipping update.")
                return

            all_records = get_all_dns_records()
            record_id_map = {(rec['name'], rec['type']): rec['id'] for rec in all_records}

            all_success = True
            for record in RECORDS_TO_UPDATE:
                key = (record['name'], record['type'])
                record_id = record_id_map.get(key)
                if not record_id:
                    print(f"⚠️ No record ID found for {record['name']} ({record['type']})")
                    all_success = False
                    continue
                try:
                    update_dns_record(record_id, record['name'], record['type'],
                                      record['proxied'], record['ttl'], current_ip)
                except Exception as e:
                    print(f"❌ Failed to update {record['name']}: {e}")
                    all_success = False

            if all_success:
                save_current_ip(current_ip)
                print("✅ All records updated successfully. IP saved.")
            else:
                print("⚠️ Some updates failed. IP not saved to ensure retry next time.")
        except Exception as e:
            print(f"🚫 Script failed: {e}")


    if __name__ == '__main__':
        main()
    ```
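Added example (editor's code, not the poster's): two checks a practitioner would want around a DDNS updater like the one above. The public-IP lookup is plain HTTP and unauthenticated, so whatever comes back should be accepted only if it is a globally routable IPv4 address; a captive-portal page, an RFC 1918 address or a CGNAT 100.64/10 address (the kind of thing a Starlink or T-Mobile WAN hands out) must never be written into public DNS. And instead of trusting a local last_ip.txt, reconcile against the record content Cloudflare actually holds, so a half-applied run is fixed on the next pass without a separate "retry" flag. The record list is constructed sample data in the shape of the API's "result" array, not a real response; the function names are assumptions.

```python
"""Added example: validate a detected public IP and reconcile it against the
record contents Cloudflare currently serves. Not the poster's code; the sample
records and function names are assumptions made for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the "result" array returned by
# GET /zones/{zone_id}/dns_records (only the fields used here). Not a real response.
SAMPLE_EXISTING_RECORDS: List[Dict] = [
    {"id": "rec-root", "name": "domain.org", "type": "A", "content": "1.1.1.1", "proxied": True},
    {"id": "rec-wild", "name": "*.domain.org", "type": "A", "content": "9.9.9.9", "proxied": True},
    {"id": "rec-v6", "name": "ipv6.domain.org", "type": "AAAA", "content": "2606:4700::1", "proxied": False},
]

# Same targets as the script above; "minecraft" is deliberately absent from the sample zone.
WANTED_RECORDS: List[Dict] = [
    {"name": "domain.org", "type": "A"},
    {"name": "*.domain.org", "type": "A"},
    {"name": "minecraft.domain.org", "type": "A"},
]

_CHECKIP_RE = re.compile(r"Current IP Address:\s*([\d.]+)")


def extract_public_ipv4(body: str) -> Optional[str]:
    """Pull the address out of a checkip.dyndns.org-style body and return it only
    if it is a globally routable IPv4 address. No match, malformed octets, RFC 1918,
    CGNAT 100.64/10, loopback, link-local and reserved ranges all yield None, so a
    captive-portal page or an interface address can never be published to DNS."""
    m = _CHECKIP_RE.search(body)
    if not m:
        return None
    try:
        addr = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:  # e.g. an octet > 255
        return None
    return str(addr) if addr.is_global else None


RecordKey = Tuple[str, str]


def plan_updates(wanted: List[Dict], existing: List[Dict], new_ip: str
                 ) -> Tuple[List[str], List[str], List[RecordKey]]:
    """Decide what to PUT by comparing against what Cloudflare currently serves.
    Returns (ids to update, ids already correct, (name, type) keys not in the zone).
    Because the decision is made from the zone itself, a record that failed to
    update last time is simply picked up again on the next run."""
    by_key: Dict[RecordKey, Dict] = {(r["name"], r["type"]): r for r in existing}
    to_update: List[str] = []
    unchanged: List[str] = []
    missing: List[RecordKey] = []
    for w in wanted:
        key = (w["name"], w["type"])
        rec = by_key.get(key)
        if rec is None:
            missing.append(key)
        elif rec["content"] == new_ip:
            unchanged.append(rec["id"])
        else:
            to_update.append(rec["id"])
    return to_update, unchanged, missing


def run_demo() -> Tuple[List[str], List[str], List[RecordKey]]:
    """Constructed end-to-end run: a well-formed checkip body, then reconciliation."""
    body = ("<html><head><title>Current IP Check</title></head>"
            "<body>Current IP Address: 1.1.1.1</body></html>")  # constructed sample
    ip = extract_public_ipv4(body)
    if ip is None:
        raise RuntimeError("refusing to update DNS: no valid public IPv4 detected")
    return plan_updates(WANTED_RECORDS, SAMPLE_EXISTING_RECORDS, ip)


if __name__ == "__main__":
    upd, same, miss = run_demo()
    print("PUT needed for:", upd)    # ['rec-wild']
    print("already correct:", same)  # ['rec-root']
    print("not in zone:", miss)      # [('minecraft.domain.org', 'A')]
```

Both functions are pure, so they slot in between `get_public_ip()` and the `update_dns_record()` loop without touching the API calls. Two further points for a script that runs as CGI from under /var/www: read the API token from the environment or a root-only file rather than embedding it in a web-served directory, and scope the token to DNS edit on that one zone so a leaked token cannot touch anything else.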
  • 0 Votes
    3 Posts
    329 Views

    @Gertjan thanks for that reply, I went ahead and just left the gateway monitoring IP field blank and it defaults to the ISP gateway but the problem keeps happening. I didn’t have this problem when I had the Starlink in passthrough mode connected to the OPT. Now with the T-Mobile gateway, I can’t put it into passthrough mode so could this be an issue because of that configuration? How can I change the pfSense settings to accommodate for the fact that the T-Mobile gateway can’t be passthrough?

  • 1:1 NAT through Tier-2 gateway

    0 Votes
    6 Posts
    564 Views

    @viragomann

    You are absolutely correct ... we had a reply-to issue.

    The issue was caused by there not being a default gateway set on the Tier-2 interface, so it wasn't spotted as a WAN interface, so reply-to wasn't enabled.

    Heaven only knows how long it had been that way, but now it's set, everything works as advertised.

    Thanks again for your time and effort ... much appreciated.

    May the force be with you.

    ChIP.

  • Seeing a non-trivial amount of traffic on failover WAN

    0 Votes
    1 Posts
    140 Views
    No one has replied
  • Trying to open ports to VM

    0 Votes
    5 Posts
    531 Views

    @tknospdr Where are you running ./discourse-setup, on something outside your network?

    Have you gone through https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html ?

  • Gateway Failover and Failback Thresholds

    0 Votes
    3 Posts
    361 Views

    @viragomann
    Thank you, I was assuming this would be under Gateway Groups, time to do some reading now!

  • Clients behind WireGuard-connected travel router can't use personal VPNs

    0 Votes
    1 Posts
    154 Views
    No one has replied
  • dpinger not reliable - ping request/replies

    0 Votes
    9 Posts
    880 Views
    patient0

    @siegmarb said in dpinger not reliable - ping request/replies:

    no, i did not set the id manually

    Ok, seeing the same on 2.7.2 (I'm on 25.03-BETA on prod), that's normal then.

  • Load balancing on an SG-2100 works but failover doesn't

    0 Votes
    5 Posts
    510 Views

    @SteveITS the issue of duplicate IP#s is one that I didn't see (or that didn't strike me as odd for some reason, but you would be right). I need to set this aside for a couple of days and maybe pick it up after I get some higher priority issues taken care of. Thx.

  • Cannot communicate off-LAN after upgrade to 24.03

    0 Votes
    2 Posts
    295 Views

    @kj32

    User error. I found some old notes that included this observation:

    "Lan gateway should be defined under System | Routing, not interface."

    Removed the spurious definition under interface, and now it works again.

  • Multi-Wan Comcast And Starlink - dpinger restarts every few minutes

    0 Votes
    8 Posts
    898 Views

    I am hoping this fairly ancient -5100 appliance holds on. It's been through a lot including several dead cable modems. However, physical intervention has to wait until my next in-person visit. I only have non-technical people on site (as indicated by the hard power off recovery).

    The site is in an area with buried cable and a high water table which is a recipe for disaster (eats a cable modem every 18 months) and explains the starlink back-up. We use tailscale so remote access is fairly tolerant of CGNAT and our windows DC / local users can phone home and network admin can remote in. When the comcast circuit is down I lose remote admin via the fqdn/public IP which is stressful as I'm reliant on tailscale coming up using starlink.

    As a first order troubleshooting step I'm stepping up a local VM as a tailscale client to give myself a back door if the netgate box becomes unreachable again and potentially to automatically attempt a pfsense reboot in the event of a sustained loss of connectivity.

    I will experiment with turning off gateway monitoring after that and watch for physical events. Next time I'm on site I'm going to insert a fiber media converter between the cable modem and the netgate (or its successor if I can get the budget for it) to remove physical plug events from cable modem reboots and risk of electrical shocks on the wan port.

  • Configuring DMZ hosting for my new pfsense , on my home router

    0 Votes
    21 Posts
    2k Views

    @netblues And UPnP is also port forward.. just automagic. But as I said, never got it to work behind private IP using STUN. There is a feature request active to get a setting to allow UPnP to accept WAN with private IP though...

  • Installing pfsense without ISP router on Bridge-Mode

    0 Votes
    12 Posts
    1k Views

    If the OP needs remote access or host services, they should be using a VPN like Tailscale, which will traverse any level of NAT, including CGNAT

  • HA Setup

    0 Votes
    11 Posts
    979 Views
    patient0

    @laurens-DS said in HA Setup:

    The problem was I had WAN2 set up but nothing stuck in yet because I don't have a 2nd provider right now

    That is not the classic HA from the documentation. What you want to do is HA with Multi-WAN.
    Have a read through Netgate doc: High Availability Configuration Example with Multi-WAN.

  • Problem with Forcing Asymmetric Traffic Through Specific Gateway

    0 Votes
    7 Posts
    512 Views

    @viragomann
    Hello,

    Thank you for your help. I changed the default routing to create an additional static route for this unique IP, in order to replace the subnet route. And for accesses that require it, I create policy-based rules.

    Have a very good day.

  • 0 Votes
    1 Posts
    149 Views
    No one has replied
  • Static Route Across Subnets?

    0 Votes
    12 Posts
    806 Views

    I finally got Ping working in Windows. Had to accept ANY source for Remote Address in Windows Defender Firewall for the Private/Public Profile.
    And I am getting sub ms response times from the Pi to Windows (~0.56ms). So the route seems to be direct without any detours.

    Traceroute still fails, but that could be the ISP modem/router not allowing it.

    So, it appears ~75Mb/s is the best I can expect. 5x faster than before!!!

    Thanks Everyone!

    P.S. ICMP also needed to be added to the Firewall Rules in pfSense on the WAN interface to allow Pings through

  • [SOLVED] Need Help: Can't Reach Host from VPN Network

    0 Votes
    3 Posts
    309 Views
    manjotsc

    @patient0 Thank you

  • 0 Votes
    9 Posts
    556 Views
    chpalmer

    @ddbnj Awesome!

  • Traffic through Site to Site Wireguard between pfsense and opnsense

    0 Votes
    4 Posts
    384 Views

    @drmarian0
    Yes, the rule should work.

    Ensure that the policy routing rule on pfSense is applied. Is it configured for any protocol? If it's TCP only, ping will not work.
    Enable logging, then try to access a public IP and check the log after.

    Or run a packet capture on OPNsense on the WG interface to verify that the upstream traffic is routed over the VPN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.