Description
This article describes how to update the public IP address when an upstream router is being used. An example configuration for FortiGuard DDNS service is provided.
Scope
FortiGate (FortiOS) updates the IP address on the FortiGuard DDNS server when it detects a change on a monitored interface, for example a new lease from DHCP or PPPoE, or an interface flap.
Consider this network diagram:
Internet === (upstream router) === [wan1](FortiGate)[internal1] === LAN
The above includes:
- An upstream router with PPPoE and public IP.
- A FortiGate with a private IP at the wan1 interface.
DDNS configuration in this setup:
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan1"
    next
end
How it works:
- DDNS monitors the wan1 interface.
- With an unstable ISP line, the public IP on the upstream router can change, but FortiGate is not aware of this change. The connection on FortiGate’s wan1 interface is stable and without any change.
- As a result, the public IP in the FortiGuard DDNS service is not updated.
Solution
The following solutions can be deployed to use DDNS with this scenario:
Solution 1 (All versions):
Use the DDNS service on the upstream router with another DDNS service provider. The instability or changes on the ISP line will trigger changes on the upstream router.
Solution 2 (FortiOS 5.6, 6.0 and 6.2):
With FortiOS 5.6, a new 'update-interval' option has been introduced to periodically update the FortiGuard DDNS service with the proper IP address. By default, the value is set to 300 seconds.
Configuration with versions 5.6, 6.0, and 6.2:
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "wan1"
        set update-interval 300
    next
end
Solution 2 (FortiOS 5.4):
FortiOS version 5.4 does not have an 'update-interval' option. Regardless, the following workaround can be used.
Configure the following:
- A link-monitor option over the wan1 interface.
- On link failover, flap another physical interface.
- The flapped interface is monitored by DDNS.
The final workaround configuration:
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fg.fortiddns.com"
        set use-public-ip enable
        set monitor-interface "internal1"
    next
end
config system interface
    edit wan1
        set fail-detect enable
        set fail-detect-option detectserver
        set fail-alert-interfaces "internal1"
    next
end
config system link-monitor
    edit isp
        set srcintf "wan1"
        set server "x.x.x.x" "y.y.y.y"
    next
end
How it works:
- Link-monitor monitors the ISP line over the wan1 interface.
- When the ISP line is down, link-monitor detects the failure and flaps the internal1 interface.
- The internal1 interface is monitored by the DDNS process.
- When the internal1 interface flaps, the DDNS process updates the IP address in the FortiGuard DDNS service.
Note: The 'use-public-ip' option is only available when using 'FortiGuardDDNS' as the DDNS server.
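The following added example (not Fortinet code, and not part of the original article) is a simplified timing model of the setups above, showing how long the DDNS record stays stale after the upstream router receives a new public IP. The addresses, the 15-second detection delay, the one-hour horizon and the assumption that an update succeeds as soon as it is triggered are all constructed for illustration.

```python
# Simplified timing model of the setups above (an assumption, not FortiOS code).
from dataclasses import dataclass

START_IP = "198.51.100.10"   # constructed documentation addresses
NEW_IP = "198.51.100.77"

@dataclass
class Event:
    t: int           # seconds since start
    kind: str        # "upstream_ip_change" or "iface_event"
    value: str       # new public IP, or name of the interface that changed state

def stale_seconds(events, monitor_interface, update_interval=None, horizon=3600):
    """Seconds within the horizon during which the DDNS record != real public IP."""
    public_ip = record = START_IP
    pending = sorted(events, key=lambda e: e.t)
    stale, i = 0, 0
    for t in range(horizon):
        while i < len(pending) and pending[i].t == t:
            ev = pending[i]
            i += 1
            if ev.kind == "upstream_ip_change":
                public_ip = ev.value          # upstream router gets a new address
            elif ev.value == monitor_interface:
                record = public_ip            # monitored interface changed: update sent
        if update_interval and t and t % update_interval == 0:
            record = public_ip                # periodic refresh (update-interval)
        stale += record != public_ip
    return stale

change = Event(1000, "upstream_ip_change", NEW_IP)
flap = Event(1015, "iface_event", "internal1")   # constructed 15 s detection delay

def scenarios():
    return {
        "wan1 monitored, no interval": stale_seconds([change], "wan1"),
        "wan1 monitored, update-interval 300": stale_seconds([change], "wan1", 300),
        "5.4 workaround, outage detected": stale_seconds([change, flap], "internal1"),
        "5.4 workaround, no outage seen": stale_seconds([change], "internal1"),
    }

if __name__ == "__main__":
    for name, secs in scenarios().items():
        print(f"{name}: record stale for {secs} s")
```

In this model the periodic refresh bounds staleness by the update interval, while the 5.4 workaround only helps when the address change coincides with an outage that link-monitor detects.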