pfSense

Hi.

I have recently upgraded my pfSense installation from a custom Supermicro server (old 2.1 version) to a NetGate XG-7100 1U with the latest pfSense available version (2.4.4-p3).

My configuration is:

• a WAN interface with a CARP VIP (xx.xx.188.226)
• a WAN2 interface with a CARP VIP (xx.xx.190.104)
• a WANGW gateway (for WAN interface) with external monitor IP
• a WAN2GW gateway (for WAN2 interface) with external monitor IP
• a WANGWGROUP gateway group with WAN (CARP VIP) as Tier 1 and WAN2 (CARP VIP) as Tier 2, the Trigger Level is Member Down with default settings (>20% packet loss)
• the WANGWGROUP is configured as default gateway
• a No-IP (free) DynDNS with WANGWGROUP as monitored interface

My obtective is to use the DynDNS name to setup a fail-over for OpenVPN and IPsec.

When I set the WAN gateway down manually in the interface, the DynDNS is updated (new IP : WAN2 CARP VIP):
The check_reload_status Updating all dyndns is triggered and the DynDNS is updated.
The log is :

Aug 2 13:16:01    check_reload_status        Syncing firewall
Aug 2 13:16:01    php-fpm        /system_gateways.php: MONITOR: WANGW is down, omitting from routing group WANGWGROUP xx.xx.0.224|xx.xx.188.226|WANGW|1.528ms|0.956ms|0.0%|force_down
Aug 2 13:16:02    php-cgi        notify_monitor.php: Message sent to admin@xx.xx OK
Aug 2 13:16:03    php-fpm        /system_gateways.php: Gateway, switch to: WAN2GW
Aug 2 13:16:03    php-fpm        /system_gateways.php: Default gateway setting Routeur de secours Cisco WAN2 (cpe2) as default.
Aug 2 13:16:04    check_reload_status        Reloading filter
Aug 2 13:16:04    php-fpm        /system_gateways.php: Removing static route for monitor xx.xx.0.224 and adding a new route through xx.xx.188.225
Aug 2 13:16:04    php-fpm        /system_gateways.php: Removing static route for monitor xx.xx.142.9 and adding a new route through xx.xx.190.97
Aug 2 13:16:05    check_reload_status        Updating all dyndns
Aug 2 13:16:07    php-fpm        /rc.dyndns.update: phpDynDNS: updating cache file /conf/dyndns_WANGWGROUPnoip-free'xxxx.ddns.net'0.cache: xx.xx.190.104
Aug 2 13:16:07    php-fpm        /rc.dyndns.update: phpDynDNS (xxxx.ddns.net): (Success) DNS hostname update successful.

When the WAN gateway is naturally down, the DynDNS is not updated (tested by removing the correct VLAN tag on the switch port).
It is displayed as RED in the interface and never updated, it stays on WAN CARP VIP.

The log is :

Aug 2 11:55:56    rc.gateway_alarm    28265    >>> Gateway alarm: WANGW (Addr:xx.xx.0.224 Alarm:1 RTT:1.414ms RTTsd:.134ms Loss:21%)
Aug 2 11:55:56    check_reload_status        updating dyndns WANGW
Aug 2 11:55:56    check_reload_status        Restarting ipsec tunnels
Aug 2 11:55:56    check_reload_status        Restarting OpenVPN tunnels/interfaces
Aug 2 11:55:56    check_reload_status        Reloading filter
Aug 2 11:55:57    php-fpm        /rc.openvpn: MONITOR: WANGW is down, omitting from routing group WANGWGROUP xx.xx.0.224|xx.xx.188.226|WANGW|1.414ms|0.135ms|23%|down
Aug 2 11:55:57    php-fpm        /rc.openvpn: Gateway, switch to: WAN2GW
Aug 2 11:55:57    php-fpm        /rc.openvpn: Default gateway setting Routeur de secours Cisco WAN2 (cpe2) as default.
Aug 2 11:55:57    php-fpm        /rc.openvpn: OpenVPN: One or more OpenVPN tunnel endpoints may have changed its IP. Reloading endpoints that may use WANGW.
Aug 2 11:56:12    php-fpm        /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Aug 2 11:56:12    check_reload_status        Reloading filter

The check_reload_status Updating all dyndns event seems to not be triggered.
Instead, there is a check_reload_status updating dyndns WANGW event which seems to do nothing.