• DDNS Cloudflare suddenly broke

    DHCP and DNS
    3
    0 Votes
    3 Posts
    504 Views
    johnpozJ

    @IzaacJ

    I am using cloudflare ddns - I just did a forced update of one of them, and don't see any issues.


  • HA proxy multiple

    Español
    1
    0 Votes
    1 Posts
    381 Views
    No one has replied
  • 0 Votes
    5 Posts
    738 Views
    N

    @ndemarco Uh, this is resolved.

    I had chosen, for the DDNS provider, CloudFlare v6, not realizing the fairly obvious fact that the "v6" portion wasn't the version of the CloudFlare DDNS protocol. It is a short reference to IPv6.

    After selecting the correct CloudFlare for IPv4, all my problems are in the past 😁.

    Now, to implement IPv6 on my internal network...

  • Initiating a WOL when router is behind a VPN?

    OpenVPN
    19
    0 Votes
    19 Posts
    2k Views
    H

    @viragomann
    I see. This is all still ridiculously new to me. I will make adjustments.

    Yeah still not working. I'm about to give up on this.

  • DDNS dynv6 logs success but UI shows failure

    DHCP and DNS
    9
    0 Votes
    9 Posts
    1k Views
    V

    @Gertjan I reapplied the patch after upgrading to 22.05 and it worked without the timeout issues. Thanks again for all your help!

  • 1 Votes
    17 Posts
    3k Views
    L

    The issue has been resolved; I'm no longer getting the error.

  • 0 Votes
    3 Posts
    1k Views
    M

    @DavidIr I just tried configuring Azure DNS in Dynamic DNS and I am seeing the same. I am on version 23.05-RELEASE.

    The record exists already in the zone; I am trying to get pfSense to keep it up-to-date.

    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() ending.
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() ending.
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): (Unknown Response)
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): PAYLOAD: 400
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() starting.
    Jun 3 16:32:37 php-fpm 13896 </html>
    Jun 3 16:32:37 php-fpm 13896 </body>\x0d
    Jun 3 16:32:37 php-fpm 13896 </div>\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</p>\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.DeserializeInputs(MessageRpc& rpc)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.UriTemplateDispatchFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DemultiplexingDispatchMessageFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterMessageFormatter.DeserializeRequest(Message message, Object[] parameters)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterDataContractMessageFormatter.ReadObject(Message message)\x0d
    Jun 3 16:32:37 php-fpm 13896 at System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)\x0d
    Jun 3 16:32:37 php-fpm 13896 <p> at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)\x0d
    Jun 3 16:32:37 php-fpm 13896 <p>The server encountered an error processing the request. The exception message is 'There was an error deserializing the object of type Microsoft.WindowsAzure.Dns.Frontend.Common.DataStructures.API.Dns.CsmResourceRecordsPackageBody. The value '' cannot be parsed as the type 'Int64'.'. See server logs for more details. The exception stack trace is: </p>\x0d
    Jun 3 16:32:37 php-fpm 13896 <p class="heading1">Request Error</p>\x0d
    Jun 3 16:32:37 php-fpm 13896 <div id="content">\x0d
    Jun 3 16:32:37 php-fpm 13896 <body>\x0d
    Jun 3 16:32:37 php-fpm 13896 </head>\x0d
    Jun 3 16:32:37 php-fpm 13896 <style>BODY { color: #000000; background-color: white; font-family: Verdana; margin-left: 0px; margin-top: 0px; } #content { margin-left: 30px; font-size: .70em; padding-bottom: 2em; } A:link { color: #336699; font-weight: bold; text-decoration: underline; } A:visited { color: #6699cc; font-weight: bold; text-decoration: underline; } A:active { color: #336699; font-weight: bold; text-decoration: underline; } .heading1 { background-color: #003366; border-bottom: #336699 6px solid; color: #ffffff; font-family: Tahoma; font-size: 26px; font-weight: normal;margin: 0em 0em 10px -20px; padding-bottom: 8px; padding-left: 30px;padding-top: 16px;} pre { font-size:small; background-color: #e5e5cc; padding: 5px; font-family: Courier New; margin-top: 0px; border: 1px #f0f0e0 solid; white-space: pre-wrap; white-space: -pre-wrap; word-wrap: break-word; } table { border-collapse: collapse; border-spacing: 0px; font-family: Verdana;} table th { border-right: 2px white solid; border-bottom: 2px white solid; font-weight: bold; background-color: #cecf9c;} table td { border-right: 2px white solid; border-bottom: 2px white solid; background-color: #e5e5cc;}</style>\x0d
    Jun 3 16:32:37 php-fpm 13896 <title>Request Error</title>\x0d
    Jun 3 16:32:37 php-fpm 13896 <head>\x0d
    Jun 3 16:32:37 php-fpm 13896 <html xmlns="http://www.w3.org/1999/xhtml">\x0d
    Jun 3 16:32:37 php-fpm 13896 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\x0d
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Data: <?xml version="1.0" encoding="utf-8"?>\x0d
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header:
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header:
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: date: Sat, 03 Jun 2023 14:32:37 GMT
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-routing-request-id: GERMANYWESTCENTRAL:20230603T143237Z:62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-correlation-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-powered-by: ASP.NET
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: server: Microsoft-IIS/10.0
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-ratelimit-remaining-subscription-resource-requests: 11999
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: strict-transport-security: max-age=31536000; includeSubDomains
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-content-type-options: nosniff
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-type: text/html
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-length: 3221
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: cache-control: private
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: HTTP/2 400
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() starting.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS (test.<mydomain.com>): running get_failover_interface for wan. found pppoe0
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): <myip> extracted from local system.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkIP() starting.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php:
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
    Jun 3 16:32:35 check_reload_status 436 Syncing firewall
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Configuration Change: admin@192.168.20.199 (Local Database): Dynamic DNS client configured.

    (private info redacted from logs)

  • Trying to use PfSense DDNS with Dreamhost

    DHCP and DNS
    1
    1 Votes
    1 Posts
    569 Views
    No one has replied
  • Ddns with no-ip stopped working after 2.5.2 update

    DHCP and DNS
    23
    0 Votes
    23 Posts
    5k Views
    I

    Confirmed this worked for me as well. On 2 installs of pfSense CE with latest stable 2.5.2. 👍

  • 0 Votes
    1 Posts
    647 Views
    No one has replied
  • 0 Votes
    1 Posts
    378 Views
    No one has replied
  • IKEv2 Site-to-Site and MultiWAN on one side

    IPsec
    32
    0 Votes
    32 Posts
    3k Views
    stephenw10S

    Just try to resolve it somewhere. In Diag > DNS Lookup in pfSense for example.

    If you use an IP address or something actually resolves, it must match the actual address IPsec is using.

  • 0 Votes
    6 Posts
    2k Views
    bmeeksB

    @bigtfromaz said in DDNS pfSense to Windows AD DNS DHCPv6:

    I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.

    It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.

    Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.

    I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.

    Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.

    And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.

    I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.

  • HAproxy with domain vs DDNS

    General pfSense Questions
    2
    0 Votes
    2 Posts
    992 Views
    stephenw10S

    The benefit is that you don't need to use port forwarding at all and you only need to have one port open. You can have HAproxy listen on the WAN on port 443 and send requests to the appropriate backend server based on the requested URL.
    You don't have to remember what port the services are running on externally, just the FQDN.
    It isn't necessarily any more secure though. You only have one firewall rule on WAN so you can't apply different rules to each service at the firewall level. Connection limiting, traffic shaping etc.
    You still can have HAproxy listen on different ports though if you found you needed that.

    Steve

  • Dynamic DNS - failing to lookup WAN IP in 2.4.4

    DHCP and DNS
    11
    1 Votes
    11 Posts
    2k Views
    Z

    @jimp On my installation, the default route is set to the cable modem static gateway, so no gateway group issue in play for me.

    "Link#6" is igb5 which is my OPT4 interface going to the DSL modem. The modem has an IP of 192.168.254.254/24 (it's from Windstream), the pfSense box has .1, which we set statically.

    "Link #2" is igb1 which is the static IP (/30) from Spectrum / Time Warner Business.

    netstat -nr
    Routing tables

    Internet:
    Destination        Gateway            Flags     Netif Expire
    default            70.60.x.y          UGS       igb1
    1.0.0.1            192.168.254.254    UGHS      igb5
    1.1.1.1            70.60.x.y          UGHS      igb1
    4.2.2.4            192.168.254.254    UGHS      igb5
    4.2.2.5            70.60.x.y          UGHS      igb1
    8.8.4.4            192.168.254.254    UGHS      igb5
    8.8.8.8            70.60.x.y          UGHS      igb1
    9.9.9.9            70.60.x.y          UGHS      igb1
    10.17.0.0/24       link#1             U         igb0
    10.17.0.1          link#1             UHS       lo0
    10.254.254.0/24    10.254.254.2       UGS       ovpns1
    10.254.254.1       link#11            UHS       lo0
    10.254.254.2       link#11            UH        ovpns1
    70.60.x.w/30       link#2             U         igb1
    70.60.x.z          link#2             UHS       lo0
    127.0.0.1          link#8             UH        lo0
    149.112.112.112    192.168.254.254    UGHS      igb5
    192.168.254.0/24   link#6             U         igb5
    192.168.254.1      link#6             UHS       lo0

    ping -c 4 192.168.254.254
    PING 192.168.254.254 (192.168.254.254): 56 data bytes
    64 bytes from 192.168.254.254: icmp_seq=0 ttl=64 time=1.170 ms
    64 bytes from 192.168.254.254: icmp_seq=1 ttl=64 time=1.071 ms
    64 bytes from 192.168.254.254: icmp_seq=2 ttl=64 time=1.084 ms
    64 bytes from 192.168.254.254: icmp_seq=3 ttl=64 time=1.083 ms
    --- 192.168.254.254 ping statistics ---
    4 packets transmitted, 4 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 1.071/1.102/1.170/0.040 ms

    arp -i igb5 -a
    ? (192.168.254.254) at 4c:17:eb:21:26:09 on igb5 expires in 1178 seconds [ethernet]
    ? (192.168.254.1) at 00:08:a2:09:5a:15 on igb5 permanent [ethernet]

    traceroute -I -i igb5 checkip.dyndns.com
    traceroute: Warning: checkip.dyndns.com has multiple addresses; using 216.146.43.71
    traceroute to checkip.dyndns.com (216.146.43.71), 64 hops max, 48 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
    ^C

    ping -c 4 -S 192.168.254.1 checkip.dyndns.com
    PING checkip.dyndns.com (216.146.43.71) from 192.168.254.1: 56 data bytes
    --- checkip.dyndns.com ping statistics ---
    4 packets transmitted, 0 packets received, 100.0% packet loss
    [This seems like it might be some of the problem...]

    It seems like I can't get a traceroute (ICMP) through the crappy DSL modem. However, apinger is not complaining about the connection being down, and it is set to ping 4.2.2.4 from that interface (instead of using the gateway IP). So maybe there's an apinger bug in play here and my connection is actually down but not correctly showing it?
    It would be immensely more helpful if BSD ping could be forced to send from a specific interface... I'm wondering if ping -S <int_ip> is trying to send the traffic out the wrong interface somehow and is maybe a red herring?

    So let's play some more - adding a static route to 216.146.43.71 (which is one of the IPs for checkip.dyndns.com) to force it through the DSL gateway:

    route add -host 216.146.43.71 192.168.254.254
    add host 216.146.43.71: gateway 192.168.254.254

    ping 216.146.43.71
    PING 216.146.43.71 (216.146.43.71): 56 data bytes
    64 bytes from 216.146.43.71: icmp_seq=0 ttl=49 time=149.241 ms
    64 bytes from 216.146.43.71: icmp_seq=1 ttl=49 time=150.749 ms
    64 bytes from 216.146.43.71: icmp_seq=2 ttl=49 time=151.432 ms
    ^C
    --- 216.146.43.71 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss

    traceroute -I 216.146.43.71
    traceroute to 216.146.43.71 (216.146.43.71), 64 hops max, 48 byte packets
     1  192.168.254.254 (192.168.254.254)  1.165 ms  0.912 ms  0.930 ms
     2  h3.176.142.40.ip.windstream.net (40.142.176.3)  20.753 ms  20.375 ms  19.908 ms
     3  ae2-0.agr03.hdsn01-oh.us.windstream.net (40.136.113.108)  21.559 ms  22.031 ms  21.936 ms
     4  et9-0-0-0.cr01.cley01-oh.us.windstream.net (40.136.97.135)  24.981 ms  20.902 ms  24.131 ms
     5  et11-0-0-0.cr01.chcg01-il.us.windstream.net (40.128.248.71)  27.746 ms  30.224 ms  30.609 ms
     6  chi-b21-link.telia.net (80.239.194.41)  30.788 ms  32.021 ms  28.424 ms
     7  nyk-bb3-link.telia.net (80.91.246.163)  147.362 ms  149.769 ms  147.627 ms
     8  ldn-bb3-link.telia.net (62.115.135.95)  144.829 ms  144.190 ms  144.030 ms
     9  hbg-bb1-link.telia.net (80.91.249.11)  140.047 ms  132.839 ms  130.322 ms
    10  war-b1-link.telia.net (62.115.135.187)  145.479 ms  146.117 ms  145.660 ms
    11  dnsnet-ic-320436-war-b1.c.telia.net (213.248.68.135)  151.281 ms  147.401 ms  151.799 ms
    12  checkip.dyndns.com (216.146.43.71)  150.409 ms  152.881 ms  151.245 ms

    curl -v --interface igb5 http://216.146.43.71
    * Rebuilt URL to: http://216.146.43.71/
    * Trying 216.146.43.71...
    * TCP_NODELAY set
    * Local Interface igb5 is ip 192.168.254.1 using address family 2
    * Local port: 0
    * Connected to 216.146.43.71 (216.146.43.71) port 80 (#0)
    > GET / HTTP/1.1
    > Host: 216.146.43.71
    > User-Agent: curl/7.61.1
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < Content-Type: text/html
    < Server: DynDNS-CheckIP/1.0.1
    < Connection: close
    < Cache-Control: no-cache
    < Pragma: no-cache
    < Content-Length: 104
    <
    <html><head><title>Current IP Check</title></head><body>Current IP Address: 75.90.aaa.bbb</body></html>
    * Closing connection 0
    [!! WORKS !!]

    Something really weird is going on here. For whatever reason the traffic is not correctly egressing through the specified interface when using curl --interface, and it's only going the way we want if I manually add a static route. I'm not exactly sure how the PHP code is hitting checkip.dyndns.com directly via a given interface, but something has changed behavior-wise that is making this fail. (Guessing maybe it's an underlying OS thing at this point, but I suppose it could also be something with curl if that is just being called via PHP?)