Netgate Discussion Forum

    Dynamic DNS gets cached IP as VPN client IP

    Category: DHCP and DNS
    41 Posts 3 Posters 7.9k Views
      • T
        teknikalcrysis @gjaltemba
        last edited by

        @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

        Leave your original setup as-is. Just put this at the top.

        outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

        It won't let me type anything but an IP in the destination box.

        • DerelictD
          Derelict LAYER 8 Netgate @gjaltemba
          last edited by Derelict

          @gjaltemba Outbound NAT has ZERO to do with how traffic flows. If it is routed out the OpenVPN or policy routed out another interface, Outbound NAT will not change anything. It only determines what NAT occurs when traffic flows out an interface as the routing mechanism has already decided it should.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

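Derelict's point above, shown as an added simulation (not pfSense or pf code, and not written by anyone in the thread): for traffic the firewall generates itself, such as the DDNS update, the routing table chooses the egress interface first, and outbound NAT rules are only consulted on that interface. Interface names (wan, ovpnc1), the documentation-range addresses and the stand-in DDNS server address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: RFC 5737 documentation ranges and a private tunnel address.
WAN_IP, VPN_IP = "203.0.113.10", "10.8.0.6"
IFACE_ADDR = {"wan": WAN_IP, "ovpnc1": VPN_IP}
DDNS_HOST = "198.51.100.25"  # stand-in for the resolved address of the *.ddns.net update server

@dataclass
class Route:
    prefix: str  # e.g. "0.0.0.0/0"
    iface: str   # egress interface for that prefix

@dataclass
class NatRule:
    iface: str   # interface the outbound NAT rule is bound to
    dst: str     # destination CIDR or "any"
    nat_to: str  # translated source address

def pick_egress(dst: str, routes: list[Route]) -> str:
    """Routing decision: the longest matching prefix chooses the interface."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
    return max(cands, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).iface

def send_from_self(dst: str, routes: list[Route], nat: list[NatRule]) -> tuple[str, str]:
    """Order applied to firewall-generated traffic such as the DDNS client:
    1. the routing table picks the egress interface (and so the source address);
    2. only outbound NAT rules bound to that interface are considered, first match wins.
    Returns (egress interface, source address as seen on the wire)."""
    egress = pick_egress(dst, routes)
    for rule in nat:
        if rule.iface != egress:
            continue  # rule sits on another interface: never evaluated for this packet
        if rule.dst != "any" and ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
            continue
        return egress, rule.nat_to
    return egress, IFACE_ADDR[egress]

# The rule proposed in the thread: outbound NAT on WAN, source "This Firewall", destination the DDNS host.
DDNS_WAN_NAT = [NatRule("wan", DDNS_HOST + "/32", WAN_IP)]
# "Do Not Pull Routes" unchecked: the VPN server pushed a default route over the tunnel.
VPN_DEFAULT = [Route("0.0.0.0/0", "ovpnc1"), Route("203.0.113.0/24", "wan")]
WAN_DEFAULT = [Route("0.0.0.0/0", "wan")]  # default route left on WAN
# Host route for the DDNS server via WAN: a routing change, which is what actually moves the traffic.
DDNS_VIA_WAN = VPN_DEFAULT + [Route(DDNS_HOST + "/32", "wan")]

if __name__ == "__main__":
    for routes in (VPN_DEFAULT, WAN_DEFAULT, DDNS_VIA_WAN):
        print(send_from_self(DDNS_HOST, routes, DDNS_WAN_NAT))
```

With the pushed default route the update leaves via ovpnc1 with the tunnel address and the WAN NAT rule is never evaluated; only a routing change (no pulled default route, or a host route for the DDNS server via WAN) makes the WAN address appear.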
          • T
            teknikalcrysis @Derelict
            last edited by teknikalcrysis

            @derelict said in Dynamic DNS gets cached IP as VPN client IP:

            @gjaltemba Outbound NAT has ZERO to do with how traffic flows. If it is routed out the OpenVPN or policy routed out another interface, Outbound NAT will not change anything. It only determines what NAT occurs when traffic flows out an interface as the routing mechanism has already decided it should.

            I still think there is a way... I feel I am close... I went back and UNCHECKED the "Do Not Pull Routes" option in the TorGuard OpenVPN Client settings and I just disabled the following NAT Outbound mappings:
            [image: disabled.png]

            DynDNS result is a SUCCESSFUL IP from ISP: [image: dyndns.png]

            However, there is still a bit of a DNS leak: [image: dnsresult.png]

            Before those Outbound NAT mappings were disabled, DynDNS would report the IP of the TorGuard VPN and would only have the top DNS result in green; it never listed two servers like this before when the Do Not Pull Routes option was unchecked... with the exception of the config I just tried above with (dnsmasq).

            • G
              gjaltemba @teknikalcrysis
              last edited by gjaltemba

              @teknikalcrysis said in Dynamic DNS gets cached IP as VPN client IP:

              @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

              Leave your original setup as-is. Just put this at the top.

              outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

              It won't let me type anything but an IP in the destination box.

              I am able to type an alias for ***.ddns.net in the destination of outbound NAT. The outbound NAT should register your ISP IP on DDNS with the OpenVPN client running.

              To test, do a packet capture on the WAN interface for traffic heading to ***.ddns.net. You see the pfSense WAN IP.

              • T
                teknikalcrysis @gjaltemba
                last edited by

                @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

                @teknikalcrysis said in Dynamic DNS gets cached IP as VPN client IP:

                @gjaltemba said in Dynamic DNS gets cached IP as VPN client IP:

                Leave your original setup as-is. Just put this at the top.

                outbound NAT on WAN interface source This Firewall(self) destination ?.ddns.net NAT address WAN address

                It won't let me type anything but an IP in the destination box.

                I am able to type an alias for ***.ddns.net in the destination of outbound NAT. The outbound NAT should register your ISP IP on DDNS with the OpenVPN client running.

                But then at some point that alias would be obsolete, as my IP is not static and, while not frequent (unless I force an ISP IP change by spoofing the MAC on the first router that is connected to the modem directly and then rebooting the modem), it does change from time to time if my power is out too long or in a few other scenarios. When that happens, the alias would then be configured with an incorrect destination.

                • G
                  gjaltemba @teknikalcrysis
                  last edited by gjaltemba

                  @teknikalcrysis The alias can be a DNS name. To test, include dnsleaktest.com in the alias, browse to dnsleaktest.com and you will see your ISP IP. Remove dnsleaktest.com from the alias and you will see your VPN IP.

                  • DerelictD
                    Derelict LAYER 8 Netgate @gjaltemba
                    last edited by

                    @gjaltemba I say again. Outbound NAT has nothing to do with which way traffic routes.

                    • G
                      gjaltemba @Derelict
                      last edited by gjaltemba

                      @derelict I get it, but what is your point? A quick test from here tells me outbound NAT gives the desired result. To test, the source has to include the browser client IP because the firewall does not have a browser.

                      If for whatever reason outbound NAT does not work, then there is always plan B: set up a DDNS client on the edge router outside pfSense.

                          • T
                            teknikalcrysis
                            last edited by

                            I think I fixed it... After playing around with some settings and getting close, and after talking about Outbound NAT and disabling those Outbound NAT rules I highlighted earlier, I managed to get DynDNS to update properly but still had it pulling two DNS servers (the VPN and the Unbound Resolver), causing a leak when those Outbound NAT mappings were disabled... That gave me an idea: map Outbound NAT on the TorGuard interface from Source: WAN NET to Destination: ANY and NAT: TorGuard Address on Static Port: 53, to push DNS queries back to TorGuard and stop the leak.

                            NEW Outbound NAT config:
                            [image: nat config.png]

                            Here is what happens when I DISABLE/DISCONNECT the TorGuard VPN:
                            [image: proof.png]

                            DynDNS updates correctly, obviously:
                            [image: dyndns.png]

                            And the DNS result is as expected and desired:
                            [image: dnsresult.png]

                            Now here is what happens when I ENABLE one of the TorGuard VPN Client connections... (drum roll please!)
                            [image: proof_2.png]
                            [image: connected.png]

                            DynDNS result is STILL the actual IP, as desired!!!
                            [image: dyndns.png]

                            And NO DNS LEAK when TorGuard is active!!!
                            [image: result_2.png]

                            And just for a second opinion... Confirmed NO LEAKS:
                            [image: confirmed.png]

                            • T
                              teknikalcrysis
                              last edited by

                              (NOTE: I went back and UNCHECKED the "Do Not Pull Routes" option.)
                              I would say this issue is now resolved. Thanks for throwing ideas out there with me... sometimes I'm not the brightest crayon in the box and am about as bright as a burnt-out light bulb 😂 but with a little help my brain starts to rattle a bit and eventually bounces onto a good idea or two, haha.

                              Thanks again for the help!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.