Hi,
I have a multi-wan setup with 3 next hop routers and want to update 3 freedns records based on those routers' WAN IPs.
This is what I have configured 3 times (see screenshot), each with its unique hostname and with the "interface to monitor" set to the corresponding interface.
But all records are updated with the IP address from the default route and not the different WAN IPs.
The logs say this:
Aug 9 21:17:30 opnsense: /services_dyndns_edit.php: Dynamic DNS (myfreedns.hostname): (Success) IP Address Changed Successfully!
Aug 9 21:17:30 opnsense: /services_dyndns_edit.php: Dynamic DNS: updating cache file /var/cache/dyndns_opt2_myfreedns.hostname_0.cache: 80.62.134.xxx
The box is running
OPNsense 17.7-amd64
FreeBSD 11.0-RELEASE-p11
LibreSSL 2.4.5
Any ideas?
I don't think this is a dyndns problem, but rather a routing issue since all three interfaces use the default route (naturally). For this to work, you need to have a routing table per interface, or source routing based on the interface address.
The first option can be done with three OPNsense instances as virtual machines. That obviously depends if you have the hardware grunt for it and if the complexity of three configurations weighs up against the complexity of source routing.
Bart...
I dug around a bit and the dyndns plugin seems to use curl for updating (see https://github.com/opnsense/plugins/tree/master/dns/dyndns) and checking the required IPs.
In /usr/local/etc/services.inc there is "function get_dyndns_ip" which seems to use curl's "--interface" option.
I tried it manually on the pfsense box like that:
curl -v --interface x.x.x.x "http://checkip.dyndns.org"
where x.x.x.x was replaced with the interface IPs of the WAN interfaces.
The result is always the WAN IP from the default route.
So yes, it is a routing problem. Can it be solved?
Hate to say: this used to work on a pfsense 2.3 box I replaced yesterday.
Just another note: in the GUI there is "diag_ping.php", which allows selecting a source address for ICMP echo.
But the source address is not honored and the traffic goes out the default route interface.
Checked it on the commandline like that:
One of the WAN interfaces:
root@opnsense:~ # ifconfig igb0_vlan513 inet
igb0_vlan513: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet 10.2.2.3 netmask 0xffffff00 broadcast 10.2.2.255
Set up tcpdump to see where traffic is going
root@opnsense:~ # tcpdump -n -i igb0_vlan513 host 193.99.144.85 &
Ping internet host:
root@opnsense:~ # ping -S 10.2.2.3 193.99.144.85
PING 193.99.144.85 from 10.2.2.3: 56 data bytes
64 bytes from 193.99.144.85: icmp_seq=0 ttl=251 time=23.956 ms
64 bytes from 193.99.144.85: icmp_seq=1 ttl=251 time=24.151 ms
64 bytes from 193.99.144.85: icmp_seq=2 ttl=251 time=23.394 ms
64 bytes from 193.99.144.85: icmp_seq=3 ttl=251 time=23.649 ms
64 bytes from 193.99.144.85: icmp_seq=4 ttl=251 time=24.501 ms
But I see no traffic. Instead this shows where traffic is going:
root@opnsense:~ # tcpdump -n -i igb0_vlan515 host 193.99.144.85 &
PING www.heise.de (193.99.144.85) from 10.2.2.3: 56 data bytes
14:01:02.952654 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 31320, seq 0, length 64
14:01:02.977134 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 31320, seq 0, length 64
64 bytes from 193.99.144.85: icmp_seq=0 ttl=251 time=24.639 ms
14:01:03.966262 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 31320, seq 1, length 64
14:01:03.990216 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 31320, seq 1, length 64
64 bytes from 193.99.144.85: icmp_seq=1 ttl=251 time=24.284 ms
14:01:04.980931 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 31320, seq 2, length 64
14:01:05.005350 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 31320, seq 2, length 64
64 bytes from 193.99.144.85: icmp_seq=2 ttl=251 time=24.632 ms
And this is the default route:
root@nt0002:~ # route show default
route to: default
destination: default
mask: default
gateway: nt0028
fib: 0
interface: igb0_vlan519
flags: <UP,GATEWAY,DONE,STATIC>
recvpipe sendpipe ssthresh rtt,msec mtu weight expire
0 0 0 0 1500 1 0
So dyndns IP checking and this diagnostic ping behave differently than expected? I searched github for any notes on localhost route selection / traffic originating from the firewall but did not find help. Could it be something with the 17.7 release?
I'm still struggling with this issue. Currently my old pfsense box is running to just update my Freedns entries.
I did a quick test with vanilla FreeBSD 11.1, two interfaces and curl using the --interface parameter: it didn't work. Could this have been introduced with FreeBSD 11? Didn't have time yet to check with vanilla FreeBSD 10/older OPNsense releases.
If somebody is using 17.7 and dyndns package to update multiple dynamic DNS entries with multiwan, please respond. :-)
Try again with 17.7.1 tomorrow, I think we are addressing this indirectly via:
https://github.com/opnsense/core/commit/e0cad8c3
Cheers,
Franco
Thx, I will try that and report back.
Updating to 17.7.1 fixed it! Thx a lot for that update!
Ping on console also works as expected:
root@opnsense:~ # tcpdump -n -i igb0_vlan513 host 193.99.144.85 &
[1] 2966
root@opnsense:~ # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on igb0_vlan513, link-type EN10MB (Ethernet), capture size 262144 bytes
root@opnsense:~ #
root@opnsense:~ #
root@opnsense:~ # ping -S 10.2.2.3 193.99.144.85
PING 193.99.144.85 (193.99.144.85) from 10.2.2.3: 56 data bytes
07:24:47.322036 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 37439, seq 0, length 64
07:24:47.367752 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 37439, seq 0, length 64
64 bytes from 193.99.144.85: icmp_seq=0 ttl=248 time=46.071 ms
07:24:48.330244 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 37439, seq 1, length 64
07:24:48.379195 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 37439, seq 1, length 64
64 bytes from 193.99.144.85: icmp_seq=1 ttl=248 time=49.127 ms
07:24:49.338332 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 37439, seq 2, length 64
07:24:49.386903 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 37439, seq 2, length 64
64 bytes from 193.99.144.85: icmp_seq=2 ttl=248 time=48.761 ms
07:24:50.339520 IP 10.2.2.3 > 193.99.144.85: ICMP echo request, id 37439, seq 3, length 64
07:24:50.388825 IP 193.99.144.85 > 10.2.2.3: ICMP echo reply, id 37439, seq 3, length 64
64 bytes from 193.99.144.85: icmp_seq=3 ttl=248 time=49.403 ms
^C
--- 193.99.144.85 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 46.071/48.340/49.403/1.330 ms
Now I can reinstall the old pfsense box with opnsense and have a backup router. :-)
Hooray, thanks for reporting back. :)
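
The curl --interface check from earlier in this thread, wrapped as a repeatable diagnostic (an added example, not code from any poster or from OPNsense): probe records the public IP seen for each WAN source address, and check_egress flags source addresses that leave via the same public IP, which is the symptom described above. The labels, every address other than 10.2.2.3, and both function names are assumptions.

```shell
#!/bin/sh
# Added example: detect multi-WAN traffic collapsing onto the default route.

# probe: reads "<label> <source-ip>" lines on stdin, runs the thread's curl
# test bound to each source address, and prints
# "<label> <source-ip> <public-ip>" ("unknown" if the lookup failed).
probe() {
    while read -r label src; do
        pub=$(curl -s --max-time 10 --interface "$src" "http://checkip.dyndns.org" \
              | grep -Eo '[0-9]+(\.[0-9]+){3}' | head -n 1)
        printf '%s %s %s\n' "$label" "$src" "${pub:-unknown}"
    done
}

# check_egress: reads probe output on stdin. Prints "SHARED <public-ip> <labels>"
# for every public IP reported by more than one source address and returns 1
# in that case; returns 0 when every WAN shows its own public IP.
check_egress() {
    awk '
        NF >= 3 && $3 != "unknown" {
            count[$3]++
            members[$3] = members[$3] (members[$3] ? "," : "") $1
        }
        END {
            bad = 0
            for (ip in count)
                if (count[ip] > 1) {
                    printf "SHARED %s %s\n", ip, members[ip]
                    bad = 1
                }
            exit bad
        }'
}

# Live use on the firewall (source addresses are constructed placeholders
# apart from 10.2.2.3, which is taken from the thread):
#   printf 'wan1 10.2.2.3\nwan2 10.2.3.3\nwan3 10.2.4.3\n' | probe | check_egress
```

A SHARED line means at least two WAN source addresses left through the same uplink, so the dyndns records for those hostnames would receive the same IP.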