Bug #9664

DynDNS and Dual-wan problem with CloudFlare (works with No-Ip)

Added by F. D.Castel about 1 month ago.

Status: New
Priority: Normal
Assignee: -
Category: Dynamic DNS
Target version: -
Start date: 08/03/2019
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.4.x
Affected Architecture:

Description

I have a simple setup with dual-wan links and dynamic IPs. I use a No-Ip Round Robin setup like this:

WAN1FailsToWAN2 -> my.hostname.com@gw1
WAN2FailsToWAN1 -> my.hostname.com@gw2

where

  • WAN1FailsToWAN2 is a gateway group with GW_WAN on Tier 1 and GW_WAN2 on Tier 2
  • WAN2FailsToWAN1 is a gateway group with GW_WAN2 on Tier 1 and GW_WAN on Tier 2
  • my.hostname.com is my No-Ip hostname
  • gw1 and gw2 are labels I set up in No-Ip hostname when I selected the "RoundRobin" type.

And, for years now, this has been working flawlessly:

a) If both links are up a "nslookup my.hostname.com" returns both public IP addresses (WAN1 and WAN2).
b) If WAN1 link is down a "nslookup my.hostname.com" returns only WAN2 public IP address.
c) If WAN2 link is down a "nslookup my.hostname.com" returns only WAN1 public IP address.

The update is very quick (less than 1 minute). Everything is good.

Problem is: This doesn't work with a CloudFlare domain. In the event of a link down, the unreachable IP address is not removed from the CloudFlare DNS record.

Like No-Ip, Cloudflare supports RoundRobin hostnames (https://www.cloudflare.com/learning/dns/glossary/round-robin-dns). However, unlike No-Ip, Cloudflare doesn't have "labels" for each record.

When one of the links is down, I can see (via the "Dynamic DNS Status" widget on the main pfSense page) that the link change was detected by pfSense and that the CloudFlare hostname was updated with only the working IP address. However, a "nslookup my.hostname.com" shows me that the unreachable IP address was not removed.
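
An added example, not part of the original report and not pfSense code: a check for the symptom described above, which parses `nslookup` output and flags any published address that belongs to a WAN whose gateway is down (cases b and c in the report). The IP addresses, the sample output and the function names are constructed for illustration; the gateway names and hostname are the ones used in the report.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: nslookup output captured while WAN1 is down but its
# address is still published. Addresses are documentation ranges.
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\tmy.hostname.com
Address: 203.0.113.10
Name:\tmy.hostname.com
Address: 198.51.100.20
"""

# Constructed mapping of gateway name -> current public IP of that WAN.
WAN_IPS = {"GW_WAN": "203.0.113.10", "GW_WAN2": "198.51.100.20"}


def answer_addresses(nslookup_output):
    """Return the IPv4 addresses from the answer section only.

    The resolver's own address is printed before the first "Name:" line,
    so everything up to that line is ignored.
    """
    addrs, in_answer = set(), False
    for line in nslookup_output.splitlines():
        if line.strip().startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            addrs.update(IPV4.findall(line))
    return addrs


def check_round_robin(nslookup_output, wan_ips, wan_up):
    """Compare published A records with the WANs that are currently up."""
    published = answer_addresses(nslookup_output)
    expected = {ip for gw, ip in wan_ips.items() if wan_up[gw]}
    return {
        "stale": sorted(published - expected),    # down WAN still published
        "missing": sorted(expected - published),  # up WAN not published
    }


if __name__ == "__main__":
    print(check_round_robin(SAMPLE_NSLOOKUP, WAN_IPS,
                            {"GW_WAN": False, "GW_WAN2": True}))
```

A non-empty `stale` list while a gateway is down corresponds to the behaviour reported with CloudFlare; an empty one corresponds to the No-Ip behaviour.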
