Can I set DynDNS in my pfSense NAT-Router while it is hidden behind my ISP's mandatory NAT Router

  • Hello. It seems to me my question looks like the question "How can I get DynDNS to update the WAN IP with the public frontend IP? Or at least listen to the real WAN IP" ( of October 2017 which remained unanswered. Bad luck for the OP and for me. So, here we go:

    The WAN Side of my SG-1000 firewall is connected to the private LAN-side of my ISP's mandatory NAT-Router, which connects to the internet by PPPoE: a VDSL connection. Its public WAN address may change. I have no way of obtaining a fixed IP, nor can I set my ISP's modem in bridge mode. Thus I believe I am compelled to either use double NAT or refrain from using my SG-1000 firewall. I use double NAT, and it works well.

    Now, I want to install a home automation server on the LAN side of my SG-1000 and, to access it from the outside at a fixed URL, I want to use a DynDNS provider. Setting DynDNS on my ISP's router is difficult to impossible. In any event, I prefer to set it on my pfSense SG-1000 if I may.

    First I have set up an account with ChangeIP for dynamic DNS and selected a subdomain of their domain.

    Second, after having looked into the SG-1000 GUI, I have also opened an account with DNS-O-Matic and instructed DNS-O-Matic to inform ChangeIP of my public IP. So far, so good.

    Third I have configured DnS-O-Matic in the SG-1000 GUI and selected WAN in "Interface to Monitor". In view of the fact my SG-1000 WAN address (which it knows) is private, I wonder how my SG-1000 can actually know my public address without asking from my ISP's modem.

    Is that going to work ?

    I have tried a test with apparent success: On Speedtest, I believe my public IP is written. On the changeIP website at my account, I can see the same IP as on Speedtest, which seems like success. I doubt that. Maybe I was lucky, maybe this was manually set-up by magic when I registered yesterday to changeIP. Whenever my public IP gets changed by my ISP, can I believe ChangeIP will know and propagate its ?

    TIA for any opinion, any suggestion on this.

  • Hi,

    Many of us use a router after router. I'm in the same exact case as you.
    Some good news : the problem doesn't exist.

    You, as a person, on a PC, hooked up to your LAN on SG-1000 can see your real WAN IP with one click :
    Visit and see for your self.

    pfSense does exactly the same thing !!
    See here :


    So a router after router after router after ..... is not an issue anymore.

    Btw : if your DNS-O-Matic can do the job on a PC behind your pfSense, then pfSense can do the same thing,

    The manual :

  • Thanks Gertjan. That was it... I checked my account on the DNS-O-Matic website, clicked the link to 'documentation' and found:

    "An HTTP request to will return the public IP of the client."

    The whole process seems to be automated, so my setting works. No need for any change or update. This is great. Thanks Gertjan.

Log in to reply