Watchguard to Cloudflare Dynamic DNS Setup

on under Homelab
2 minute read

I didn’t see any writeups for this on either Wathguard’s or Cloudflare’s documentation, so I’m writing it up here.

How to set up DDNS from Watchguard to Cloudflare DNS


  1. DNS Hosted in Cloudflare (Free or higher tier)
  2. A Watchguard connected to WAN
  3. Admin privs for both

Cloudflare-side Setup

  1. Log into Cloudflare
  2. Go to Home > Websites > Overview > Get Your API Token
  3. Click Create Token
  4. Select the API Token Template named “Edit Zone DNS”
  5. Under Permissions, click +Add More
  6. For the new perm, use the dropdowns to select Zone > Zone > Read
  7. Under Permissions, click +Add More again
  8. For the new perm, use the dropdowns to select Zone > Zone Settings > Read
  9. Under Zone Resources, use the dropdowns to select Include > Specific Zone > yourdomain
  10. Click Continue to Summary
  11. Click Back to Table
  12. Next to Global API Key, click View
  13. Copy the token to your clipboard

Watchguard-side Setup

  1. Log into your Firebox webGUI
  2. Go to Network > Dynamic DNS
  3. Select an interface and click CONFIGURE
  4. Check the “Enable Dynamic…” checkbox
  5. In the Provider dropdown, select Cloudflare
  6. In the Username field, enter your Cloudflare Account email address
  7. In the Password field, paste your clipboard (the Global API Key from above)
  8. In the Domain field, enter your desired newsubdomain.yourdomain.tld
  9. Click Save

Double-Checking Your Work

  • If the API Key, Email, and Zone Permissions are correct from the above steps, then by the time you switch tabs back to Cloudflare you will see your new subdomain listed in DNS.
  • It will be listed as DNS Only. You can flip this to Proxied without breaking anything.
  • It should list the IP of your Firebox public WAN IP.
  • This will do DDNS’ thing of updating when changed, or every 28 days, whichever comes first.
  • Here are some simple checks to make you feel better:
    1. In Firebox, go to Dashboard > Traffic Monitor
    2. In your PC, load up Zenmap/nmap and scan newsubdomain.yourdomain.tld with “nmap -sV -T4 -O -F –version-light”
    3. Watch the Traffic Monitor for all those delicious blocked TCP packets.
    4. If you cannot reach anything in the browser under your new subdomain, try hitting the ports listed in the nmap results.
    5. If that fails then I don’t know what to tell you, you still have to type http:// or https:// buddy! Don’t forget to get your signed certificates going afterward.
Homelab, Cloudflare, Firewall, DDNS
comments powered by Disqus