Bug #3355

closed

Interface monitor logic changes firewall tables too late for DynDNS

Added by Mich MSvB over 10 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Dynamic DNS
Target version: -
Start date: 12/06/2013
Due date:
% Done: 10%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture: All

Description

This report corresponds with mailing list email 'Bug in DynDNS notification sequence'.

PRELUDE

Some DynDNS providers like HE.net Tunnelbroker inspect IP links before accepting changed IP addresses. In the case of HE.net Tunnelbroker, the provider sends ICMP requests to the monitored interface's new IP address. As mentioned in [1], a firewall rule must pass these requests.

[1] http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker#Enable_ICMP

PROBLEM

The problem is that pfSense's interface monitoring logic seems to update the firewall tables after sending notifications (like HTTP POST) to the DynDNS providers. A restrictive firewall rule based on the WAN address will fail to pass the needed traffic from the provider if it sends before the firewall table is updated.

SYMPTOM

If that happens, the DynDNS provider will likely mark the link as down.

REPRODUCE

I've observed this problem only on a PPPoE connection that is severed daily due to setting a custom 'Periodic reset' interval in 'interfaces.php'. When the PPPoE connection is reestablished, the upstream network provider assigns a new IP address and the IPv6 link fails due to Tunnelbroker's ICMP testing policy.

SOLUTION

Update the firewall tables with the changed IP address for the interface in question before notifying DynDNS providers of a change in IP address. This is already carried out correctly when clicking 'Save' or 'Save & Force Update' in the HE.net Tunnelbroker PHP interface 'services_dyndns_edit.php', so we have a model logic sequence to follow.

WORK AROUND

Remove firewall restrictions for DynDNS provider hosts. In the case of HE.net Tunnelbroker, allow ICMP to any IP address in the firewall rules for the interface in question (probably WAN).

Actions #1

Updated by Renato Botelho over 10 years ago

  • Project changed from pfSense Packages to pfSense
  • Category set to Dynamic DNS

Actions #2

Updated by Chris Buechler over 8 years ago

  • Status changed from New to Feedback

Can you still replicate in 2.2.4?

Actions #3

Updated by Chris Buechler almost 8 years ago

  • Status changed from Feedback to Resolved
  • Affected Version deleted (2.1)

The fix for #4066 also addresses this.
