Dynamic DNS old IP

zkab

I have Dynamic DNS (account.dyn.com) and upgraded my Internet speed ... therefore I got a new WAN IP from my ISP.
In pfSense 'Services/Dynamic DNS' the new WAN IP is in 'cached IP' (green checkmark) ... so everything seems OK.

When I start an OpenVPN client (Android) I can see from the log that the client is trying to connect to my old WAN IP instead to the new WAN IP.

Nothing has changed except the new WAN IP ... the OpenVPN client worked OK with the old WAN IP.

rcoleman-netgate

@zkab DNS changes take time to propogate, and that time depends on your host configuration.

In your DynDNS host what is the "TTL" set to for your subdomain?

zkab

@rcoleman-netgate In my account.dyn.com TTL=60 sec for the dynamic DNS host zerone.dyndns-remote.com

Gertjan

@zkab

Wild guess : in your openvpn client config file, you use the host name, or an IP ?

zkab

@gertjan In the OpenVPN client I just import the .ovpn that I got from pfSense (client export).
That is the only config I do ... and it worked before the WAN IP address was changed by my ISP.
Can it have anything do do with my ISP ... that they do not allow VPN connection?

Bob.Dig

@zkab Open the file in a text editior of your choice and have a look.

viragomann

@zkab
The question is if there is the IP or the host name in the remote line in the .ovpn file.

zkab

@viragomann Here is an extract of .ovpn

remote 100.70.111.232 1194 udp4
nobind
verify-x509-name "zerone.dyndns-remote.com" name

Don't understand '100.70.111.232' ... I have not given that IP anywhere.
'zerone.dyndns-remote.com' is my dyndns
name for my pfSense

Bob.Dig

@zkab You can just edit this line and you are good.
If you use the client exporter, there you can change it too. It is not fully automated because you can have many WANs and DDNS addresses etc.

viragomann

@zkab
Your IP seems to be a CG-NAT. So there is no way to access it from outside. It's only for upstream traffic.

zkab

@viragomann Have no experience of CG-NAT.
Is this an ISP issue?
Should my ISP change something?
What must be done to get it working?
Don't understand why it worked OK with my old WAN IP before the speed change.

viragomann

@zkab
https://en.wikipedia.org/wiki/Carrier-grade_NAT.

It's a private network of the ISP and it's natted to the public address space. So the WAN IP seen by your pfSense isn't a real public IP at all.
You can checkout your public IP on https://whatismyipaddress.com.
But there is nothing forwarded to you in the ISP network.

ISPs use CG-NAT just to save public IPs.

You can ask your ISP to get a real public IP again. Or to forward certain ports to you.

Gertjan

@zkab said in Dynamic DNS old IP:

Don't understand '100.70.111.232' ... I have not given that IP anywhere.
'zerone.dyndns-remote.com' is my dyndns

Check the OpenVPN client export :

By default, it's the IP, or WAN IP.
Chose the "host name", as it would incorporate the host name, would be wise ;)
You've noticed that the hos name doesn't change, but the IP where it points to, does.
That's what dyndns is all about.

( but if you can't reach it,

@zkab said in Dynamic DNS old IP:

Have no experience of CG-NAT.
Is this an ISP issue?
Should my ISP change something?
What must be done to get it working?

See https://en.wikipedia.org/wiki/Carrier-grade_NAT
edit : Viragoman had the same idea ;)
The issue is : there are no more IPv4 available. So ISPs start to share the same IPv4 among many clients.

zkab

@gertjan I asked my ISP to get a real public IP and got one ... but sadly for a monthly fee.
This solved the problems I had with OpenVPN.
Thanks again for all your support ... I have learned alot about CG-NAT ... that was a white spot on my map.