25.07(.1) change to DynDNS? Incorrect VIP detection for GW groups!

JeGr

Hi,

we are using a DynDNS address for a customer with an Multi-WAN IPsec VPN that requires automatic failover to another WAN without any reconfiguration on the remote side.

So the remote end we do NOT control has set up their end of the P1 tunnel with the DynDNS address as remote ID. To make that work, we created a gateway group with both WANs and set the address of both Gateways to the appropriate VIP that is used for VPN. Up until Plus 24.11 that worked absolutely fine.

With 25.07.1 something changed:

GW Group is still working as intended (it seems) and hasn't changed
IPsec configuration (P1) of that setup still uses above GW Group and reads the correct VIP IPs for the connection. So instead of e.g. 192.0.2.2/3 (node IPs), it uses .8 (VPN VIP) just fine. You can see that in the VPN logs, that it tries to utilize .8 as outgoing IP.
DynDNS is broken:
We set it up as type "custom" and used a DynDNS provider, that could utilize an API URI where we could use the %IP% placeholder. Interface to monitor and Interface to send update from are BOTH set to the GW Group that is also used by the VPN.
When you now hit "Force Update" the DynDNS URI gets called bot the placeholder %IP% wrongly inserts the node IP (.2) instead of the VIP from the GW Group

So to verify that I checked in our lab:

create a dummy CARP WAN VIP with any other IP you can recognize
use 24.11
create a dummy GW Group with WAN as Tier 1 and select the Dummy IP created above as the address
head over to dyndns and set up a test DynDNS update which selects the GW Group
force update

the dummy IP is used successfully as it is intended.

instead use 25.07.1
do the above steps
force update

the node IP is wrongly used and makes the IPsec P1 unusable as the node IP mismatches with the dedicated VPN VIP utilized by the cluster.

Also the WAN VIPs aren't listed at all (OK they weren't with the older version either), but it would be extremely useful to have them there for reasons like above. (e.g. simple DNS failover WAN handling for proxy, VPN etc. services)

Cheers

stephenw10

Try applying the commit/patch from here: https://redmine.pfsense.org/issues/16326

JeGr

@stephenw10 said in 25.07(.1) change to DynDNS? Incorrect VIP detection for GW groups!:

Try applying the commit/patch from here: https://redmine.pfsense.org/issues/16326

I tried applying #691852a2 from that post, but after applying and force updating, the IP still stands at the node IP?
Is that only for 2.8.1 and somehow incompatible with 25.7.1?

Edit: seems that only is on the standby node, but I'm not as sure as Marcos about DDNS only running on the master node and not on standby as I've seen DDNS update messages on the standby node quite a few times so... perhaps include a toggle or function to actively disable DDNS on a CARP standby node would solve that AND clear the confusion about the IPs displayed wrong?

stephenw10

That patch should apply to both 2.8.1 and 25.07.1.

So it is working as expected on the primary node? When it's master?