Dynamic DNS Updates Correctly but Widget Colour is Wrong

matt84

I updated to pfSense 2.5.2 from 2.5.1 and Dynamic DNS with Free No-IP and the Widget was working correctly. After updating to 2.5.2 Dynamic DNS was no longer updating so I applied the fix outlined in pfSense Reddit post.

Now there is still an issue on the widget that is strange. The IP address displayed is always the correct one, however sometimes they are red and other times they are green.

I have two *.ddns.net free domains linked back to the same IP address. The strangest thing is one ddns.net address can be red while the other is green, both reporting the same IP address

I've blurred out the hostname and cached IP. The two host names differ of course, but the cached IP for each hostname always matches the other, and does reflect my real public IP address. The other interesting thing is the two cached IP colours yoyo between red and green a few times per minute, and it seems random the colours each one changes to.

The Web UI call to dyn_dns_status.widget.php returns

<span class="text-success">CorrectPublicIP</span>|<span class="text-danger">CorrectPublicIP</span>

I take it this is just presentation of the underlying issue. I turned on verbose logging for Dynamic DNS and found these log entries

How is pfSense having trouble to determine my public IP? The only thing I can think of is my ISP makes us use their modem which doesn't work properly bridged so my WAN IP is in the private address range of my ISP's modem. I have the WAN IP of my pfSense device as the DMZ pass through IP configured in my ISP's modem and it seems to work mostly.

UPnP doesn't work as it doesn't like WAN having a private IP address, but I see that as a security feature. I have "Block private networks" and "Block bogon networks" deselected on my WAN interface as well.

What could be causing pfSense Dynamic DNS client to not be able to determine my public IP?

Edit:
I think I found the cause. Testing using curl checkip.dyndns.org on my pfSense unit itself results in intermittent HTTP 502 Bad Gateway responses The question is why? Why only after the 2.5.2 upgrade

A trace route to see if pfSense is making the call to checkip.dyndns.org shows that the call is going out through my default WAN interface and not one of my other VPN interfaces.

matt84

I think i've found the cause. checkip.dydns.org resolves to 5 IP addresses:

[2.5.2-RELEASE][root@pfSense.localdomain]/root: host checkip.dyndns.org
checkip.dyndns.org is an alias for checkip.dyndns.com.
checkip.dyndns.com has address 193.122.130.0
checkip.dyndns.com has address 193.122.6.168
checkip.dyndns.com has address 158.101.44.242
checkip.dyndns.com has address 132.226.8.169
checkip.dyndns.com has address 132.226.247.73

Two of which give a HTTP 502 intermittently

curl 193.122.130.0
curl 193.122.6.168
curl 158.101.44.242 HTTP 502
curl 132.226.8.169
curl 132.226.247.73 HTTP 502

matt84

I've found a fix for now. Use DNS Resolver to remove the offending two IP addresses. This feels like a dirty hack, but it works. If someone more knowledgeable has a better idea then please share

I tried to configure a different check service but I couldn't find one that conforms to the "Current IP Address: x.x.x.x" standard set by pfSense

_igor_

@matt84
You made my day!!!!!

That entry made my dyndns working again!
I had that blocked/bad gateway too and added a supress-entry with snort (Alert for curl was created), but that didnt help. I didnt get the Gateway-error, but dyndns-update failed still.
Thanks a lot!!!

matt84

@_igor_
No worries. I thought I'd reply to my own post with the solution i found hoping it would help someone else out in the future, but jeez that was quick.