Could you test pfSense with my free dynamic dns service?



  • Hi.
    This is my first post here. I don't have pfSense. However, I recently wrote my own dynamic DNS service. It's just a hobby project. It's free, no ads, not even login required. So I hope this post is not going to be considered advertising.
    I need your help to test whether my service works correctly with pfSense. I believe it should, and I even included it in my Help file, but it would be great if someone could check it on their end. The service is available at https://freemyip.com

    Here is the instruction on how to configure it: Go to the Dyndns Services page. In the Service type dropdown, choose Custom. Leave the Username and Password fields empty. In the Update URL field, copy and paste the following, and click the Save button:

    https://freemyip.com/update?token=YOUR_TOKEN&domain=YOUR_DOMAIN
    

    It takes literally 10 seconds to generate your dynamic domain on my website. So hopefully it's going to be just a few minutes of your time to confirm it. I will give you a credit for testing this on my page :)

    Thanks in advance,
    Tom



  • @Tomko:

    The service is available at https://freemyip.com
    Here is the instruction on how to configure it: Go to the Dyndns Services page. In the Service type dropdown, choose Custom. Leave the Username and Password fields empty. In the Update URL field, copy and paste the following, and click the Save button:

    https://freemyip.com/update?token=YOUR_TOKEN&domain=YOUR_DOMAIN
    

    It takes literally 10 seconds to generate your dynamic domain on my website. So hopefully it's going to be just a few minutes of your time to confirm it. I will give you a credit for testing this on my page :)

    Works great! Took me less than a minute.
    I tested with the subdomain "pfsensetest".



  • It works fine (xyzxyz registered by me) provided the request comes from the IP address that is being requested.  However, pfSense supports virtual IP addresses (CARP) which are useful for clustering multiple physical firewalls.

    Here, the request will come from one address but actually want to be something else in the same range.  With say FreeDNS you can specify the required IP address by adding the desired IP as a parameter.  For example:

    https://user:pass@freedns.afraid.org/nic/update?hostname=myhostname.mydomain&myip=1.2.3.4

    Yours could be similar:

    https://freemyip.com/update?token=YOUR_TOKEN&domain=YOUR_DOMAIN&myip=1.2.3.4

    I checked via a browser and your webserver responds with OK which can be put in the Result Match field in pfSense to check that the update succeeds.  It responds with ERROR otherwise.  However playing with curl to check more permutations I notice that you can put a typo in the domain field and still get OK.    I could even misspell domain and get OK. So it seems that OK is always returned provided the token is valid.

    Cheers
    Jon



    Thank you Gertjan and Jon Gerdes for taking the time to test my service. I really appreciate it. I will credit you in the What's New section. I checked the access.log records that you guys generated, and everything looks exactly as expected. Perfect.

    As to your suggestion Jon, I'm planning to add myip parameter at some point. I wanted to see if anybody will actually ask for this feature first, and so far two people have asked me for it.

    You are correct that even if the domain has a typo, the server will return "OK". You did a good job with the testing. This is because the server actually ignores the domain parameter completely. Each subdomain in my service has a corresponding unique token. That's why the domain parameter is not really required. The only reason I use it in all examples is so that people can actually see in the URL that they configured, what domain name is this for. Only the token parameter is really required. The rest is just to make the URL more human-readable.
    So you can use just the token, without the domain name, if you like. This design is actually part of the 'privacy-first' approach I took with this service. You might potentially want to hide the subdomain name in some cases. For example, if more than one person has access to your router, and you don't want them to see that you are updating IP for domain i.am.secret.kgb.agent.freemyip.com :)  But, honestly, I couldn't come up with a good scenario for this, so I didn't even mention it in the Help section.

    Cheers,
    Tom



  • @Jon:

    However, pfSense supports virtual IP addresses (CARP) which are useful for clustering multiple physical firewalls.

    Here, the request will come from one address but actually want to be something else in the same range.  With say FreeDNS you can specify the required IP address by adding the desired IP as a parameter.  For example:

    https://user:pass@freedns.afraid.org/nic/update?hostname=myhostname.mydomain&myip=1.2.3.4

    Yours could be similar:

    https://freemyip.com/update?token=YOUR_TOKEN&domain=YOUR_DOMAIN&myip=1.2.3.4

    Ok Jon, I implemented this feature the way you suggested it above. You can now specify the myip (or ip) parameter, and force the system to update the IP to whatever you want. This parameter is optional. If you don't specify it, everything will work the way it used to.
    I still need some time to do more tests to make sure it plays nice with other parameters, and that you cannot specify an invalid IP address, but you can already start using it if you want to play around. Consider it a Beta feature for now :)

    Cheers,
    Tom
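
A minimal sketch of the parameter handling discussed in this thread, added here as an example and not the service's actual code: the token alone selects the record, `domain` is ignored, and an optional `myip`/`ip` value is validated before it replaces the request's source address. The token table, the function names, and the policy of rejecting IPv6 and non-public addresses are assumptions.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed data: one secret token per subdomain (hypothetical values).
TOKENS = {"0123456789abcdef": "xyxyxy"}
RECORDS = {}  # subdomain -> published IPv4 address


def parse_target_ip(params, source_ip):
    """Return the IPv4 address to publish, or None if the request is invalid."""
    values = params.get("myip", []) + params.get("ip", [])
    if len(values) > 1:
        return None  # myip and ip both given, or one repeated: ambiguous
    raw = values[0] if values else source_ip
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None  # empty value, "1.2.3", "999.1.1.1", hostnames, ...
    if addr.version != 4:
        return None  # assumption: A records only, as the service is IPv4-only
    if not addr.is_global:
        return None  # assumed policy: no private/loopback/reserved targets
    return str(addr)


def handle_update(url, source_ip):
    """Model of the update endpoint; returns the response body."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    subdomain = TOKENS.get(params.get("token", [""])[0])
    if subdomain is None:
        return "ERROR"
    # "domain" is never read: the token alone selects the record, so a
    # mistyped domain still yields OK, as observed in the thread.
    ip = parse_target_ip(params, source_ip)
    if ip is None:
        return "ERROR"  # reject instead of silently using source_ip
    RECORDS[subdomain] = ip
    return "OK"


if __name__ == "__main__":
    base = "https://freemyip.com/update?token=0123456789abcdef"
    print(handle_update(base + "&domain=typo", "5.6.7.8"), RECORDS)
    print(handle_update(base + "&myip=1.2.3.4", "5.6.7.8"), RECORDS)
    print(handle_update(base + "&myip=10.0.0.1", "5.6.7.8"), RECORDS)
```

Because OK only confirms that the token was accepted, a `dig` against the hostname, as done later in the thread, is what confirms the record itself.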



  • @Tomko:

    Ok Jon, I implemented this feature the way you suggested it above. You can now specify the myip (or ip) parameter, and force the system to update the IP to whatever you want. This parameter is optional. If you don't specify it, everything will work the way it used to.
    I still need some time to do more tests to make sure it plays nice with other parameters, and that you cannot specify an invalid IP address, but you can already start using it if you want to play around. Consider it a Beta feature for now :)

    Cheers,
    Tom

    Cool, I'll give it a go tomorrow sometime.  I'll try various scenarios on some nonsense hostnames, it would be a bit rude to take decent names whilst testing.

    Cheers
    Jon



  • That's great. Thanks. Let me know if you find any issues.



  • @Tomko:

    That's great. Thanks. Let me know if you find any issues.

    $ dig xyxyxy.freemyip.com
    
    ; <<>> DiG 9.11.0-P2 <<>> xyxyxy.freemyip.com
    ....
    ;; ANSWER SECTION:
    xyxyxy.freemyip.com.    60      IN      A       1.2.3.4
    

    Nice  8)

    The only downside with pfSense Custom DDNS entries is that the "Cached IP" displayed in the GUI is the one for the interface being tracked rather than the IP address that is registered.

    How serious are you about running this thing?  You'll need to make a living or at least subsidize the costs of running it.

    Jon

    PS Just read your What's New section - ta for the name check.  Put your site through this:  https://observatory.mozilla.org/ - it covers all the main tests for SSL and headers etc.  There is a lot of good advice there.  Do it regularly.  If you are not already, you might want to put HA Proxy on the front for rate limiting, loadbalancing etc etc.

    PPS Just noticed that you mention DynDNS and DynDNS2 protocols. There seem to be three DynDNS "drivers" in pfSense.  Not sure if they are the same or how to use them.  I'll do some research.



  • @Jon:

    Nice  8)

    The only downside with pfSense Custom DDNS entries is that the "Cached IP" displayed in the GUI is the one for the interface being tracked rather than the IP address that is registered.

    Is there anything I can do about it on my side? Or is it just how pfSense GUI works?

    @Jon:

    How serious are you about running this thing?  You'll need to make a living or at least subsidize the costs of running it.

    Very serious. I'm hosting this at Amazon AWS and I have already pre-paid for the required instances for 3 years in advance (got a cheaper rate this way). My motivation is that I want to contribute something useful to the community, and it's a great opportunity to learn things on the way. On a more cynical side, I also plan to add this project into my portfolio. Some of my income comes from contract jobs, and having a successful and well-maintained DDNS service to show off to potential employers will give me an advantage when bidding for new projects. So even though I have to subsidize it, in the end it is to my own benefit as it can potentially give me more projects, hence more income. So rest assured I have a very good reason to make sure this service is successful and well-maintained for many years, even though it costs me money and time.

    @Jon:

    PS Just read your What's New section - ta for the name check.  Put your site through this:  https://observatory.mozilla.org/ - it covers all the main tests for SSL and headers etc.  There is a lot of good advice there.  Do it regularly.  If you are not already, you might want to put HA Proxy on the front for rate limiting, loadbalancing etc etc.

    It's a cool website. I got an "F" though, ha ha. I tried a few more websites (including some other DDNS services) and they all got F. So I think it's going to be tricky to get a better grade, but I will definitely look into their suggestions and see if I can improve it. I used to get "D" on ssllabs.com test, but now I upped it to "A". So maybe I can do that again here :)

    I don't have load balancing yet. The traffic so far is relatively low, and I implemented my service in a way that uses resources very sparingly. For example my main website is around 150kB and is made up of all static elements, so once you visit it everything gets cached. I put lots of thought into how I use the database and how the whole backend works, to make sure the CPU, memory and disk usage stay very low.
    All the components of the system are designed as microservices, and it is going to be very easy to scale them up if bottlenecks start forming anywhere (I have already tested that before I launched the system - it is as easy as spinning up some more instances on AWS and changing a few configuration files).

    @Jon:

    PPS Just noticed that you mention DynDNS and DynDNS2 protocols. There seem to be three DynDNS "drivers" in pfSense.  Not sure if they are the same or how to use them.  I'll do some research.

    I believe I'm compatible with DynDNS and DynDNS2. I don't know what the third one is (maybe "DynDNS Custom"?). But if you encounter any issues, just let me know and I will fix it.



  • I was going to ask if you support sub-domains, but I noticed on your website that you do. However, if I understand correctly, they all return the same ip address, or am I mistaken? (I hope so.) Does your service support ipv6? It would be great if a sub-domain could return a different address, since if it supports ipv6, there will be a unique address for each host. Will you be providing a client to update the address of a host or are you only looking at routers?



  • @bimmerdriver:

    I was going to ask if you support sub-domains, but I noticed on your website that you do. However, if I understand correctly, they all return the same ip address, or am I mistaken? (I hope so.)

    Unfortunately, you cannot currently configure different ip addresses for your subdomains. Do you think that would be useful?
    I could implement that for you. I will think over the weekend on how I could potentially implement it.

    @bimmerdriver:

    Does your service support ipv6? It would be great if a sub-domain could return a different address, since if it supports ipv6, there will be a unique address for each host. Will you be providing a client to update the address of a host or are you only looking at routers?

    This service runs on Amazon AWS EC2 instances and they don't yet support IPv6 in there. Once they do, I will definitely look into it. They added IPv6 support for their VPC networks, so I hope support for normal EC2 instances is also coming soon.

    I don't have any Windows client for updating IP. However, you can just use home page in your browser to update your IP address - it can even redirect you to your regular home page once the IP is updated. It's mentioned in the Help section.
    For Mac and Linux, you can use crontab as described in the Help files.



  • @Jon:

    @Tomko:

    That's great. Thanks. Let me know if you find any issues.

    $ dig xyxyxy.freemyip.com
    
    ; <<>> DiG 9.11.0-P2 <<>> xyxyxy.freemyip.com
    ....
    ;; ANSWER SECTION:
    xyxyxy.freemyip.com.    60      IN      A       1.2.3.4
    

    Nice  8)

    After testing it the whole last week, I'm confident that it works pretty well now.
    It's now officially added to the Help section, and as usual I credited you in the What's New section :)

    I'm now looking into implementing support for different IPs per subdomain, as bimmerdriver asked for. It's a bit tricky and there are quite a few edge cases that I need to account for, so it might take a while to implement, but so far it looks like I will be able to do it. I'll let you guys know once that is ready for testing.

    Thanks,
    Tom