Saturday, September 1, 2018

Configure Fortigate DDNS with free DDNS service noip.net

Using a Dynamic Domain Name Service (DDNS) means that users can reach your network by means of a domain name that remains constant even when its IP address changes. FortiOS supports this feature under Network - DNS settings - FortiGuard DDNS service, which sounds great. Unfortunately, it does not work well in my home lab environment. My FortiGate is behind the ISP modem, and the WAN port uses the private IP address 192.168.20.2.

1. FortiGuard DDNS service
When using the basic FortiGuard DDNS settings without enabling 'Public IP Address', my WAN IP (192.168.20.2) was published on the Internet for my defined subdomain 51sec.fortiddns.com. The configuration page also shows a warning message: "the interface has a private ip address (192.168.20.2) which may not be publicly accessible".

In this example, the domain fortiddns.com is used. This domain is owned by Fortinet, as are the float-zone.com and fortidyndns.com domains.




C:\Users\johny>nslookup
Default Server:  UnKnown
Address:  208.91.112.53
> 51sec.fortiddns.com
Server:  [208.91.112.53]
Address:  208.91.112.53

Non-authoritative answer:
Name:    51sec.float-zone.com
Address:  192.168.20.2



If FortiGuard DDNS is enabled, the subdomain 51sec.fortiddns.com is not updated in FortiGuard DDNS at all. nslookup shows it as a non-existent domain.



C:\Users\johny>nslookup
Default Server:  UnKnown
Address:  208.91.112.53

> 51sec.fortiddns.com
Server:  [208.91.112.52]
Address:  208.91.112.52

*** [208.91.112.52] can't find 51sec.fortiddns.com: Non-existent domain




2. NOIP.COM DDNS Service
Should we give up here? Let's check the CLI. You will find FortiGate includes all those popular DDNS providers in the configuration, but they are not shown in the web GUI.

FWF60D # config system ddns
 
FWF60D (ddns) # edit 1
 
FWF60D (1) # set ddns-server 
dyndns.org        members.dyndns.org and dnsalias.com
dyns.net          www.dyns.net
tzo.com           rh.tzo.com
vavic.com         Peanut Hull
dipdns.net        dipdnsserver.dipdns.com
now.net.cn        ip.todayisp.com
dhs.org           members.dhs.org
easydns.com       members.easydns.com
genericDDNS       Generic DDNS based on RFC2136.
FortiGuardDDNS    FortiGuard DDNS service.
noip.com          dynupdate.no-ip.com


Although 11 DDNS service providers are listed in the configuration, most of them have stopped working; even their websites could not be opened. I found noip.com is still working, although it requires confirmation every 30 days.

Here is my configuration for noip.com. After you put in your username and password and enable use-public-ip and monitor-interface, you will find it magically works in your noip.com account.

FWF60D (ddns) # show
config system ddns
    edit 1
        set ddns-server noip.com
        set ddns-domain "51nec.ddns.net"
        set ddns-username "jonya"
        set ddns-password ENC 8T9QIraIpi5XMKlZpC0ZTTM3B9rJKv8VVGDhpXkLy3RxjnLGjfoO7stFRQsvIq/6Yp3vWq5Fvsu0QW4t9JScsfkZhDoblghYitftNWIapto0I+5RWVO5zR9vEjxZO0f/g+ZiDNs12IOfJMcJa1DGmM4t18BiVtcpO4t+xO8h0fi7/rsOvyksA==
        set use-public-ip enable
        set ssl-certificate ''
        set monitor-interface "wan1"
    next
end




C:\Users\johny>nslookup
Default Server:  UnKnown
Address:  192.168.2.1

> 51nec.ddns.net
Server:  UnKnown
Address:  192.168.2.1

Non-authoritative answer:
Name:    51nec.ddns.net
Address:  217.175.109.134

>
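
A check for the failure seen in section 1, where the DDNS record carried the WAN port's private address: this added Python example (not part of the original post) parses Windows nslookup output and reports whether the published answer is publicly routable. The function name and verdict strings are assumptions, and the sample outputs are constructed from the sessions shown in this post.

```python
import ipaddress
import re

# Constructed samples modelled on the nslookup sessions in this post.
SAMPLE_PRIVATE = ("Server:  [208.91.112.53]\nAddress:  208.91.112.53\n\n"
                  "Non-authoritative answer:\nName:    51sec.float-zone.com\n"
                  "Address:  192.168.20.2\n")
SAMPLE_NXDOMAIN = ("*** [208.91.112.52] can't find 51sec.fortiddns.com: "
                   "Non-existent domain\n")
SAMPLE_PUBLIC = ("Server:  UnKnown\nAddress:  192.168.2.1\n\n"
                 "Non-authoritative answer:\nName:    51nec.ddns.net\n"
                 "Address:  217.175.109.134\n")


def classify_ddns_answer(nslookup_output):
    """Return (verdict, addresses) for one Windows nslookup answer.

    verdict is 'nxdomain', 'no-answer', 'not-routable' or 'public'.
    """
    if "Non-existent domain" in nslookup_output:
        return "nxdomain", []
    addresses = []
    in_answer = False  # skip the resolver's own "Address:" line before "Name:"
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        # "Address:" / "Addresses:" lines plus indented continuation lines
        for token in re.sub(r"^Address(es)?:", "", line.strip()).split():
            try:
                addresses.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # "Aliases:" names and other non-address text
    if not addresses:
        return "no-answer", []
    found = [str(a) for a in addresses]
    # is_global is False for RFC 1918, CGNAT 100.64.0.0/10, loopback, link-local
    if any(not a.is_global for a in addresses):
        return "not-routable", found
    return "public", found


if __name__ == "__main__":
    for sample in (SAMPLE_PRIVATE, SAMPLE_NXDOMAIN, SAMPLE_PUBLIC):
        print(classify_ddns_answer(sample))
```

A "not-routable" verdict means the record exposes an internal address and the hostname will not reach the FortiGate from outside, which is the case the use-public-ip setting corrects.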



A free noip account gives you three subdomains, and you need to confirm it every 30 days. It will remind you 7 days before it expires and is deleted. I am trying to find a way to schedule a script to click this confirm button for me every 30 days.


