ddclient doesn't support multi-wan ip update

Started by macafee, May 22, 2023, 09:49:34 AM

I use OPNsense version 23.1.7_3.
Now I have two ISP lines connected to the internet via PPPoE on the OPNsense box.
I have set up ddclient with two DynDNS records for the Zoneedit DNS provider.
I found that both DynDNS records had been pointed to the same IP address. That IP address is the main line's, so ddclient can't get the IP address of the slave line.
Now I have changed ddclient to DynDNS. That's working.

I was just migrating from legacy DDNS to ddclient (OPNsense backend) and stumbled upon the same issue.

It looks like IP-check traffic always originates from the primary WAN interface, no matter which interface is monitored.
This will always result in A/AAAA records for the primary WAN.

To work around it, I did the following:
1. Set up DDNS for the primary WAN as desired.
2. Set up DDNS for the secondary WAN and make sure to choose a different check IP method than the one used for the primary WAN.
3. Under Firewall/Alias create an alias, name it "check IP" or anything else, type = host, and add the URL from the IP check method on the 2nd WAN, e.g. nsupdate.info, ip4.me
4. Create a firewall rule on the primary WAN interface with direction = out, destination = the new alias, and set the gateway to the secondary WAN / GW to monitor.

Now ddclient works as it should for both interfaces even if both interfaces are up.
i am not an expert... just trying to help...

Neat. This would be a very helpful addition in the documentation. Care to contribute?


Cheers,
Franco

Thank you... for sure I like to contribute.

I will start over creating a .doc file, including the option to update the active interface's IP instead of both / all separated.
i am not an expert... just trying to help...

I'm having a similar issue and got referred over here.

@tiermutter -- did your interface show the correct IPs while having the issue, but still update the provider incorrectly?

I'm having the same issue on namecheap being updated with the wrong address, but I'm not 100% sure it's the same issue under the hood (I think they've done some updating to the client?). See the screenshot - they show correctly on it.

I'll still give the workaround you supplied a shot - wondering if the plugin is presenting data one way and getting it wrong during submission.

I am not really sure if the values were consistent, but I think I had them double checked. I cannot remember any differences...
i am not an expert... just trying to help...

Can you please post more detailed configurations?
I tried it as you described on July 25, 2023, 12:41:26 pm. But as soon as I enable both DDNS entries, no IP address update happens.
For the firewall rule, I'm not sure what the gateway settings "set gateway to secondary WAN / GW to monitor" mean. As I understand it, the rule is supposed to block the connection on the primary WAN interface.
Does this mean that the DDNS update for secondary WAN fails as long as the primary gateway is active and after the primary gateway is gone the DDNS update for secondary WAN runs via the secondary gateway (since this is then the only/primary one)?

Hi there, I'll answer tomorrow, maybe with kind of a tutorial and screenshots provided.
i am not an expert... just trying to help...

August 22, 2023, 07:32:35 AM #8 Last Edit: August 22, 2023, 08:09:23 AM by tiermutter
Here we go... this is what I already wrote for the docs (since I am not familiar with GitHub, I am not able to provide it there). I also added some screenshots (please note that the description is not based on the screenshots):

Multi-WAN
In multi-WAN environments you might want to update your domain with the primary WAN's IP address even if other WAN interfaces are available, or separately for each WAN. You will be quite fine if your desired IP address is issued directly on your OPNsense's interface, but not if you have an upstream router or modem connected to your OPNsense.
In the latter case ddclient might check the IP address on the wrong interface, resulting in the wrong IP address being issued to your domain.

The following describes different scenarios and how to deal with them in multi-WAN environments to make sure that the desired IP address will be issued to your domain.

IP address(es) directly issued on your OPNsense interface
If the desired IP address for an interface is issued directly on your OPNsense, you are fine using "Interface IPvX" as the check IP method in ddclient. For those interfaces there is no need for further configuration, as long as you are using separate domains for each interface.

Note:
This will always grab the IP address from the chosen interface. This is not suitable if you want the IP address of the currently active WAN to be issued to one and the same domain.

Upstream router / modem connected to OPNsense
For interfaces with upstream devices you usually want to issue your upstream device's public IP to your domain (but usually not for IPv6). In this case the check IP method "Interface IPvX" mentioned above may not give you the desired public IP address and you need to choose one of the other methods. All those other methods use external services to check the public IP address, but, as mentioned at the beginning, ddclient may use the wrong interface to perform its IP checks.

Depending on what is to be achieved you need one of the following configurations:

A) Separate domains for each interface
1. Set up DDNS for WAN 1 as desired.
2. Set up DDNS for WAN 2 and make sure to choose a different check IP service (e.g. nsupdate.info) than the one used for the primary WAN.
   If there are more WAN interfaces, choose different check IP services for each.
3. At Firewall/Alias create an alias as follows:

Enabled = checked
Name = Check IP WAN 2 (or anything suitable)
Type = Host(s)
Content = URL from the IP check service configured for WAN 2 (in this example nsupdate.info). Please see notes below.

4. Create a firewall rule on WAN 1 as follows:
Action = Pass
Direction = out
Destination = the newly created alias for this interface
TCP/IP Version = depending on your needs; in doubt v4+v6 will be fine
Description = Route check IP WAN 2 (or anything suitable)
Gateway = WAN 2

Note:
For alias content do not add the check IP service as it is specified in ddclient, as this is only the service's name. You need to determine the domain for this service. E.g.
dyndns = checkip.dyndns.org
nsupdate.info-ipv4 = ipv4.nsupdate.info
nsupdate.info-ipv6 = ipv6.nsupdate.info
ip4only.me = ip4only.me, ip4.me (add both to alias)
ip6only.me = ip6only.me, ip6.me (add both to alias)

Note:
If there are more WAN interfaces, you need to create this rule on all WAN interfaces except the interface to monitor. In such cases you are good to go using floating rules.
Also remember that in this case further rules, following the same scheme, are required for each gateway to monitor.



Requests to the desired check IP service(s) will now be routed over the given gateway in the firewall rule, resulting in getting the public IP address of the upstream device.


Tip:
For IPv6 you should use "Interface IPv6" as the IP check method in ddclient, as long as you do not intend to update a single domain for the currently active interface.



B) Single domain for actual active interface
Without routing IP checks to a certain gateway as previously described under A), ddclient will always use the active gateway (online with highest priority and marked as "upstream"), even if you have set up policy based routing for your LAN and other subnets.
To make sure ddclient uses the desired gateway, the gateway priority at System/Gateways/Single should match the tiers configured at System/Gateways/Group.

Note:
A lower value means a higher priority.
Gateways marked as "upstream" will always be used in favor of those that are not. To just go by priority, mark all involved gateways as upstream.

In this scenario you have to use any IP check method in ddclient other than "Interface IPvX".

Requests to the check IP service will now be routed over the active gateway, resulting in getting the public IP address of the corresponding upstream device.

Tip:
For sure, the different scenarios can be combined, e.g. having separate domains for WAN 1 and WAN 2 and one domain for the active one. Make sure you are using different IP check services for each, as long as you are not using the "Interface IPvX" method for WAN 1 and WAN 2.


i am not an expert... just trying to help...
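A small diagnostic for the symptom this thread started with (both DDNS records carrying the primary WAN's address), written here as an added example that is not part of the thread, OPNsense or ddclient; the WAN names, hostnames and addresses are constructed, and in real use the DNS answers would come from the resolver:

```python
"""Added example, not from the thread: flag the multi-WAN ddclient symptom
described above, where every DDNS record ends up carrying the primary WAN's
public address because the check-IP request left via the wrong gateway."""
from typing import Dict, List

# Constructed sample data. In practice WAN_PUBLIC_IP comes from the upstream
# modem/router or from a check-IP service queried over each gateway.
WAN_PUBLIC_IP: Dict[str, str] = {
    "WAN1": "203.0.113.10",   # primary WAN (behind an upstream device)
    "WAN2": "198.51.100.20",  # secondary WAN
}
# Hypothetical DDNS names and the WAN each one is supposed to track.
DDNS_HOSTS: Dict[str, str] = {
    "wan1.example.net": "WAN1",
    "wan2.example.net": "WAN2",
}
# Constructed DNS answers reproducing the symptom: both names -> WAN1's IP.
SAMPLE_DNS_ANSWERS: Dict[str, str] = {
    "wan1.example.net": "203.0.113.10",
    "wan2.example.net": "203.0.113.10",
}


def collapsed_records(answers: Dict[str, str]) -> bool:
    """True when several DDNS names share one address: the telltale sign."""
    return len(set(answers.values())) < len(answers)


def diagnose(ddns_hosts: Dict[str, str], wan_public_ip: Dict[str, str],
             answers: Dict[str, str]) -> List[str]:
    """One finding per record whose address is not its WAN's public IP.
    Naming the WAN whose address the record carries identifies the egress
    path the check-IP request took, i.e. the gateway to policy-route."""
    ip_to_wan = {ip: wan for wan, ip in wan_public_ip.items()}
    findings = []
    for host, wan in ddns_hosts.items():
        want, got = wan_public_ip[wan], answers.get(host)
        if got == want:
            continue
        culprit = ip_to_wan.get(got)
        detail = (f"check-IP traffic egressed {culprit}; route it via {wan}"
                  if culprit else "matches no known WAN; stale or failed update")
        findings.append(f"{host}: expected {want} ({wan}), record is {got}; {detail}")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(DDNS_HOSTS, WAN_PUBLIC_IP, SAMPLE_DNS_ANSWERS)))
```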

August 22, 2023, 07:40:43 AM #9 Last Edit: August 22, 2023, 08:12:42 AM by tiermutter
Now some explanations about the last screenshot:

1a marked entries are those routed over secondary WAN via created rule described in A).

3a marked entries are those for primary WAN using "Interface IPv6". Those v6 addresses are issued directly on OPNsense WAN interface, so there is no need for external check IP services.

2a marked entry is just a test (since 1st WAN is CGNAT there is no usable public IPv4).
This one will use the active gateway since the chosen check IP method (nsupdate) is not part of the alias shown in the first screenshot. This one is what is described in B).
i am not an expert... just trying to help...

Quote from: nicesense on August 21, 2023, 08:44:46 PM
But as soon as I enable both DDNS entries, no IP address update happens.
This may be another issue. I had some troubles when I changed backend and I had to add all services from scratch after change.

Quote from: nicesense on August 21, 2023, 08:44:46 PM
For the firewall rule, I'm not sure what the gateway settings "set gateway to secondary WAN / GW to monitor" mean.

See first screenshot, column "Gateway". This is to be configured in the rule on the bottom of the page (right above advanced options). With this, you set that traffic for IP check will always be redirected to this gateway when it tries to leave from primary / wrong gateway.

Quote from: nicesense on August 21, 2023, 08:44:46 PM
As I understand it, the rule is supposed to block the connection on the primary WAN interface.

Yes, but it is more likely a redirection to the desired gateway.

Quote from: nicesense on August 21, 2023, 08:44:46 PM
Does this mean that the DDNS update for secondary WAN fails as long as the primary gateway is active

No. This rule is intended to always use the secondary gateway, even if the first gateway is online / active.
Without that rule the DDNS update also should not fail, but always use the active gateway (as described in B) ).
i am not an expert... just trying to help...

Thank you very much for your detailed explanations. These were very helpful to understand what happens.
But using your proposal for the firewall rule, it doesn't work for me.

Therefore I set up the following configuration (a little modification of your guide):
- Set up DDNS for WAN 1 with Check ip method "nsupdate.info-ipv4"
- Set up DDNS for WAN 2 with THE SAME Check ip method "nsupdate.info-ipv4"
- Create Firewall->Alias "check IP - WAN Failover" with Type = "Host(s)" and Content = "ipv4.nsupdate.info"
- On Firewall settings on BOTH Interfaces WAN 1 (primary) and WAN 2 (secondary) create a rule as you described with Action = "Pass", Direction = "out", Destination = "check IP - WAN Failover" BUT WITH Gateway = <Your Group Gateway> (this entry is located under System->Gateways->Group if you are using Multi-WAN)
- Move the 2 new rules to the top of the list of rules of the interfaces

That works for me.

I explain this to myself as follows: the firewall rules take care that all requests are routed via the group gateway (which coordinates both WAN gateways).

Thank you very much again!

That's interesting, I never had the idea to try that. However, what I described works fine for me.
i am not an expert... just trying to help...

Addendum: It works for me even if I configure only 1 DDNS for WAN 1 and only 1 rule on the WAN 1 interface with gateway <group gateway>. I think it works because the so configured periodic DDNS service always sends its check-ip-method over the WAN 1 interface and this request is then always routed over the <group gateway> because of the firewall rule.

Unfortunately, my last statements/explanations do not work as desired.
I tried out a bit more and got stuck on the magic word "active" gateway. There is a setting under System -> Settings -> General at the bottom called "Gateway switching". If you switch this on, the ddclient works with only 1 entry with the interface "none".