DDNS not functioning after router change
-
As a follow up to: https://forum.netgate.com/topic/186436/dynamic-dns-not-functioning-properly-after-a-router-change
Originally it seemed the issue was CG-NAT with a temporary router. That router has now been replaced with a permanent fixture with a static IP; however, the DDNS is still not functioning. For clarity: the old router in this network was sending a PPPoE WAN to the firewall, the new router has a static IP and I've assigned a static lease to the WAN port on the firewall.
All the port forwards etc were configured prior to the router change and had been without issue for years. The DDNS client also correctly pulls through the new static IP.
I presume I need to configure some port forwards on the router or firewall but can't work out what they should be. I've tried sending HTTP and HTTPS as well as port 3389 as suggested on DynDNS documentation (although I'm not sure this is actually necessary) from the router to the firewall. I've also tried setting the firewall as the DMZ to see if that made a difference (it didn't). The router is configurable in bridge mode but I don't think this is a possibility since it provides internet to the whole building but the network behind the firewall is only a small section that we control. I might be being really dumb but I can't seem to wrap my head around why it isn't functioning.
-
I don't understand the title and then saying the IP is correct? Is it correct and you're asking about getting port forwarding to work?
-
@SteveITS Sorry, poor wording on my part. The DDNS client within pfSense is pulling the correct IP, and is functioning in that respect, but the hostname does not work when trying to connect.
-
@James92 If you are connecting from LAN ensure reflection is enabled for the rule.
If you are connecting from the Internet, then if your pfSense has a public IP it should just need ports forwarded. If it is not a public IP then the ISP router has to also forward the same ports. Or if using CG-NAT there is no way to do incoming outside of a VPN relay.
3389 is Remote Desktop, are you sure you want that enabled from the entire Internet?
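
The three cases described in the reply above (public WAN, private WAN behind an ISP router, CG-NAT), as an added example that is not part of the original posts. The function names, the sample WAN address `192.168.1.2` and the extra `tcp/8443` forward are constructed for illustration.

```python
import ipaddress

# Address ranges that are never reachable directly from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space


def classify_wan(wan_ip):
    """Return 'public', 'private' (behind another router) or 'cgnat'."""
    ip = ipaddress.ip_address(wan_ip)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    return "public"


def diagnose(wan_ip, pfsense_forwards, upstream_forwards=(), upstream_dmz=None):
    """List what still blocks inbound connections to the given pfSense WAN.

    pfsense_forwards / upstream_forwards: sets of (proto, port) tuples.
    upstream_dmz: the DMZ host configured on the ISP router, if any.
    """
    kind = classify_wan(wan_ip)
    if kind == "public":
        return []  # port forwards on pfSense are sufficient
    if kind == "cgnat":
        return ["WAN is in CG-NAT space: no inbound without a VPN relay"]
    if upstream_dmz == wan_ip:
        return []  # ISP router hands every port to pfSense
    missing = sorted(set(pfsense_forwards) - set(upstream_forwards))
    return [f"ISP router must also forward {proto}/{port} to {wan_ip}"
            for proto, port in missing]


if __name__ == "__main__":
    # Constructed sample: pfSense WAN on the ISP router's 192.168.1.x LAN,
    # only HTTP and HTTPS forwarded upstream, one extra forward on pfSense.
    pf = {("tcp", 80), ("tcp", 443), ("tcp", 8443)}
    up = {("tcp", 80), ("tcp", 443)}
    for finding in diagnose("192.168.1.2", pf, up):
        print(finding)
```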
-
This is for connection from the internet, LAN is not relevant as a client device exists that can monitor the equipment locally. The router has a public IP but the firewall is within a private network (192.168.1.x). Would the router need to mirror all related port forwarding rules on the firewall? Currently only HTTP and HTTPS are forwarded.
It isn't CG-NAT, that was a prior issue which has now been resolved.
3389 was recommended by DynDNS but I have since disabled as it seems this is not necessary at all.
-
@James92 Yes the ISP router would need to forward the ports also. Or on most routers you can forward all ports if it has a DMZ setting, by setting pfSense as its DMZ.
-
@SteveITS I tried setting it as a DMZ to be honest but I didn't try to mirror all port forwards. I'll fiddle with that and see if it brings any joy, thank you.
-
@James92
If your router has a static IP, why do you need DDNS at all? Just configure your public DNS to point to its WAN IP. However, on the outer router incoming traffic has to be forwarded.
Do you have your own public IP on this router? Or is it just one shared to all?
If the IP is shared, note that e.g. HTTP access to it can only be forwarded to a single device (router) behind.
-
@viragomann I have explained to the team that now it is static they are best to move away from DDNS. This was more a temporary measure to get the network back up and running as it is a key part of critical infrastructure.
There is only one public IP on the router, so shared amongst all clients however all the other clients that are separate from our network are just connected via DHCP. As such, forwarding HTTP to our firewall shouldn't be a problem.
-
@James92 said in DDNS not functioning after router change:
I have explained to the team that now it is static they are best to move away from DDNS. This was more a temporary measure to get the network back up and running as it is a key part of critical infrastructure.
Your topic is "DDNS not functioning after router change". So I'm wondering, what's your problem now if it's not DDNS.
-
@viragomann short term the DDNS is the issue. The network has been running DDNS for years (since we didn't have a static IP).
Long term it will be switched to DNS based on the static IP but that isn't possible immediately (although, given the DDNS connection isn't working currently there may be no choice).
-
@James92
And what doesn't work exactly?