ddns: vlan2 not find External WAN IP, go retry.(10)

[RT-N66U]

I'm experiencing an issue with my Dynamic Domain Name System (DDNS) not updating when the WAN cable is reconnected on my RT-AC68U router running the latest Merlin firmware. This problem seems to have emerged in the recent firmware releases. To address this issue, I have to manually click 'Apply' on the WAN > DDNS page for the update to take effect. I've noticed the same outcome across various DDNS services, including Afraid and dns-o-matic. It's worth mentioning that my router is operating under double/triple NAT.

Dec 25 06:12:33 kernel: nvram: consolidating space!
Dec 25 06:12:51 kernel: nvram: consolidating space!
Dec 25 06:13:12 kernel: nvram: consolidating space!
Dec 25 06:13:17 kernel: nvram: consolidating space!
Dec 25 06:13:23 kernel: nvram: consolidating space!
Dec 25 06:13:54 kernel: nvram: consolidating space!
Dec 25 06:13:55 WAN_Connection: WAN(0) link down.
Dec 25 06:14:00 kernel: nvram: consolidating space!
Dec 25 06:14:07 WAN_Connection: WAN(0) link up.
Dec 25 06:14:07 rc_service: wanduck 191:notify_rc restart_wan_if 0
Dec 25 06:14:07 lldpd[344]: removal request for address of 192.168.1.27%10, but no knowledge of it
Dec 25 06:14:07 dnsmasq[12874]: read /etc/hosts - 24 names
Dec 25 06:14:10 dnsmasq[12874]: read /etc/hosts - 24 names
Dec 25 06:14:12 dnsmasq[12874]: read /etc/hosts - 24 names
Dec 25 06:14:12 wan: finish adding multi routes
Dec 25 06:14:13 ddns: vlan2 not find External WAN IP, go retry.(10)
Dec 25 06:14:13 rc_service: udhcpc_wan 19130:notify_rc stop_samba
Dec 25 06:14:13 rc_service: udhcpc_wan 19130:notify_rc start_samba
Dec 25 06:14:13 rc_service: waitting "stop_samba" via udhcpc_wan ...
Dec 25 06:14:13 Samba_Server: smb daemon is stopped
Dec 25 06:14:13 kernel: gro disabled
Dec 25 06:14:13 WAN_Connection: WAN was restored.
Dec 25 06:14:13 dnsmasq[12874]: read /etc/hosts - 24 names
Dec 25 06:14:14 dhcp_client: bound 192.168.1.27/255.255.255.0 via 192.168.1.1 for 86400 seconds.
Dec 25 06:14:14 dnsmasq[12874]: exiting on receipt of SIGTERM
Dec 25 06:14:14 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Dec 25 06:14:14 admin: Changed to DNS Servers on port 5300
Dec 25 06:14:14 dnsmasq[19226]: started, version 2.89 cachesize 1500
Dec 25 06:14:14 dnsmasq[19226]: compile time options: IPv6 GNU-getopt no-RTC no-DBus no-UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset no-nftset no-auth cryptohash DNSSEC no-ID loop-detect no-inotify no-dumpfile
Dec 25 06:14:14 dnsmasq[19226]: warning: interface br2 does not currently exist
Dec 25 06:14:14 dnsmasq[19226]: warning: interface br1 does not currently exist
Dec 25 06:14:14 dnsmasq[19226]: warning: interface pptp* does not currently exist
Dec 25 06:14:14 dnsmasq[19226]: asynchronous logging enabled, queue limit is 5 messages
Dec 25 06:14:14 dnsmasq-dhcp[19226]: DHCP, IP range 192.168.102.2 -- 192.168.102.254, lease time 1d
Dec 25 06:14:14 dnsmasq-dhcp[19226]: DHCP, IP range 192.168.101.2 -- 192.168.101.254, lease time 1d
Dec 25 06:14:14 dnsmasq-dhcp[19226]: DHCP, IP range 192.168.2.20 -- 192.168.2.254, lease time 1d
Dec 25 06:14:14 dnsmasq[19226]: using nameserver xxx.xxx.xxx.xxx#5300
Dec 25 06:14:14 dnsmasq[19226]: read /etc/hosts - 24 names
Dec 25 06:14:39 kernel: nvram: consolidating space!
Dec 25 06:15:54 acsd: selected channel spec: 0x1003 (3)
Dec 25 06:15:54 acsd: Adjusted channel spec: 0x1003 (3)
Dec 25 06:15:54 acsd: selected channel spec: 0x1003 (3)
Dec 25 06:15:54 acsd: acs_set_chspec: 0x1003 (3) for reason APCS_CSTIMER
Dec 25 06:20:30 rc_service: httpd 17786:notify_rc restart_ddns (THIS HERE IS WHEN I HIT "APPLY" ON WAN > DDNS)
Dec 25 06:20:30 ddns: update WWW.DNSOMATIC.COM default@dnsomatic.com, wan_unit 0
Dec 25 06:20:30 ddns: Clear ddns cache.
Dec 25 06:20:30 ddns: Start Inadyn(10).
Dec 25 06:20:30 inadyn[19761]: In-a-dyn version 2.10.0 -- Dynamic DNS update client.
Dec 25 06:20:31 inadyn[19761]: Update forced for alias all.dnsomatic.com, new IP# 111.111.111.111
Dec 25 06:20:32 inadyn[19761]: Updating cache for all.dnsomatic.com (SUCCESS)
Dec 25 06:21:45 kernel: nvram: consolidating space!
Dec 25 06:25:42 kernel: nvram: consolidating space!
Dec 25 06:30:59 acsd: selected channel spec: 0x1001 (1)
Dec 25 06:30:59 acsd: Adjusted channel spec: 0x1001 (1)
Dec 25 06:30:59 acsd: selected channel spec: 0x1001 (1)
Dec 25 06:30:59 acsd: acs_set_chspec: 0x1001 (1) for reason APCS_CSTIMER
Dec 25 06:33:27 kernel: nvram: consolidating space!
Dec 25 06:46:02 acsd: selected channel spec: 0x1009 (9)
Dec 25 06:46:02 acsd: Adjusted channel spec: 0x1009 (9)
Dec 25 06:46:02 acsd: selected channel spec: 0x1009 (9)
Dec 25 06:46:02 acsd: acs_set_chspec: 0x1009 (9) for reason APCS_CSTIMER

 

[djphilosophy]

I'm encountering the same issue running RT-AC68U 386.12_4 in a double NAT setup (RT-AC68U getting a private IP from the provider's gateway, with DMZ setup on gateway pointing to the RT-AC68U).

It seems to happen each night after a timer outlet does a power off/on to reset the cable modem and RT-AC68U. Any time the next day when I log in to the RT-AC68U, I see the notification about the DDNS error. I also noticed that clicking Apply on the DDNS page fixes it, but I also suspect that just viewing the DDNS page (not even clicking Apply) somehow fixes it, as I experienced just now (DDNS updated right after viewing the page without clicking Apply).

Did you find any solution since posting this?

Mar 1 08:07:44 ddns: eth0 not find External WAN IP, go retry.(3)
Mar 1 08:08:14 watchdog: start ddns.
Mar 1 08:08:14 ddns: eth0 not find External WAN IP, go retry.(2)
Mar 1 08:08:44 watchdog: start ddns.
Mar 1 08:08:44 ddns: eth0 not find External WAN IP, go retry.(1)
Mar 1 08:09:14 watchdog: DDNS Retry reach MAX.(0), DDNS Recover Time set 38

Mar 1 08:37:06 kernel: asd/240: potentially unexpected fatal signal 11.
Mar 1 08:37:06 kernel: Pid: 240, comm: asd
Mar 1 08:37:06 kernel: CPU: 1 Tainted: P (2.6.36.4brcmarm #1)
Mar 1 08:37:06 kernel: PC is at 0x4051b7a8
Mar 1 08:37:06 kernel: LR is at 0x40516050
Mar 1 08:37:06 kernel: pc : [<4051b7a8>] lr : [<40516050>] psr: a0000010
Mar 1 08:37:06 kernel: sp : bea609a0 ip : 4054ada0 fp : 00000000
Mar 1 08:37:06 kernel: r10: 0000001c r9 : bea60b28 r8 : 00000020
Mar 1 08:37:06 kernel: r7 : 00000000 r6 : 0000016d r5 : 0000000b r4 : bea60a20
Mar 1 08:37:06 kernel: r3 : 0000016d r2 : 00000000 r1 : ffffffff r0 : 0000016d
Mar 1 08:37:06 kernel: Flags: NzCv IRQs on FIQs on Mode USER_32 ISA ARM Segment user
Mar 1 08:37:06 kernel: Control: 10c53c7d Table: 9d9a404a DAC: 00000015
Mar 1 08:37:17 rc_service: service 5017:notify_rc restart_firewall
Mar 1 08:37:18 miniupnpd[611]: SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Mar 1 08:47:14 watchdog: DDNS Recover Time reached, recover DDNS Retry.
Mar 1 08:47:14 watchdog: start ddns.
Mar 1 08:47:14 ddns: update WWW.ASUS.COM update@asus.com, wan_unit 0
Mar 1 08:47:14 ddns: Clear ddns cache.
Mar 1 08:47:14 ddns: Start Inadyn(10).
Mar 1 08:47:14 inadyn[6043]: In-a-dyn version 2.10.0 -- Dynamic DNS update client.
Mar 1 08:47:15 inadyn[6043]: Update forced for alias XXXXX.asuscomm.com, new IP# 73.23.XX.XX
Mar 1 08:47:15 inadyn[6043]: alias address=<73.23.XX.XX>
Mar 1 08:47:15 inadyn[6043]: request<GET /ddns/update.jsp?hostname=XXXXX.asuscomm.com&myip=73.23.XX.XX&model=RT-AC68U&fw_ver=3.0.0.4.386.12_4 HTTP/1.0^M Authorization: Basic (XXXXXXXXXXXX) Host: ns1.asuscomm.com^M User-Agent: inadyn/2.10.0 https://github.com/troglobit/inadyn/issues^M ^M >
Mar 1 08:47:16 inadyn[6043]: [response_update]HTTP/1.1 200 OK^M Date: Fri, 01 Mar 2024 08:47:16 GMT^M Server: Apache^M Content-Length: 0^M Connection: close^M Content-Type: text/html; charset=UTF-8^M ^M
Mar 1 08:47:16 inadyn[6043]: Updating cache for XXXXX.asuscomm.com

 

[kevinkonster]

I'm encountering the same issue running RT-AC68U 386.12_4 in a double NAT setup (RT-AC68U getting a private IP from the provider's gateway, with DMZ setup on gateway pointing to the RT-AC68U).

I have this exact same problem with AC1900 and 386.12_4 firmware. Setup is also having double NAT, because I have 4G modem/router for internet connection. This worked really well several years, but after OpenVPN got outdated I updated firmware to newest and this problem with DDNS arised.

I could try to change modem to bridge mode so that Asus gets public IP, but then I am not able to login to my 4G router remotely anymore. This is really important, because these devices are in remote location in my farm and I have to drive 30 minutes if something goes wrong.

Fortunately internet connetion works and I can connect PC with Anydesk in that location. That way I can manually update DDNS and get VPN up again.

I am using Dyndns.org (custom) script for DDNS update and it has worked with this double NAT setup several years. I hope someone has found a fix for this?

 

[ColinTaylor]

I have this exact same problem with Netgear R7000 and (Xwrt-Vortex) 386.12_4 firmware.

You are using an illegal port of the Merlin firmware. You will get no support for it here.

[Announcement] Running Asuswrt-Merlin and forks on non-Asus devices is ILLEGAL

Asuswrt-Merlin contains numerous proprietary components that are only licensed for legal use on original Asus devices. These include (but are not limited to) components from Asus themselves, Broadcom, Trend Micro and Tuxera. Using any of these components on devices for which they haven't been...

www.snbforums.com

 

[kevinkonster]

You are using an illegal port of the Merlin firmware. You will get no support for it here.

Sorry, but I didn't know that! Beside this Netgear I have two Asus routers (RT-AX86S and AC1900) and AC1900 uses same firmware version, but it is not in double NAT configuration. I switch their places and edit my post.

 

[djphilosophy]

I haven't found any solution to this on my RT-AC68U.

 

[kevinkonster]

I actually have triple NAT configuration in that location and last router is 12 year old Buffalo running DD-WRT version from 2016. It is really really stable and runs usually 6-12 months without interrupts. Maybe longer, but power outtages cause it reboot sometimes. And on top of that it is located in old barn/cow house where it can be -5°C and moisture up to 95% so not best condition. But still has been working 3 years now.

I started DDNS service on Buffalo too so it can update Dyndns if AC1900 fails to do it. I think it should work even if there is two routers doing it after each other.

 

[kevinkonster]

I just updated to 386.13 firmware and now it seems to be fixed! I restarted 4G router, but not Asus AC1900 behind it and it took about 25 minutes to DDNS get updated. It is weird that changelog didn't mention anything about this problem but still it got fixed.

I think this quite acceptable that my VPN connection is down about 30 minutes after IP-change/router restart. Now I can change my 4G-router to reboot every night again without hassling with DDNS update.

Below is log capture after restarting 4G-router if you are interested. I removed some lines and tried to keep only lines that are interesting in this case.

Apr  8 14:24:18 WAN_Connection: WAN(0) link up.

Apr  8 14:24:38 wan: finish adding multi routes
Apr  8 14:24:38 ddns: vlan2 not find External WAN IP, go retry.(10)

Apr  8 14:24:55 WAN_Connection: WAN was restored.

waiting 25 minutes... removed some lines.

Apr  8 14:50:05 watchdog: Hostname/IP mapping error! Restart ddns.
Apr  8 14:50:05 ddns: update WWW.DYNDNS.ORG(CUSTOM) default@dyndns.org, wan_unit 0
Apr  8 14:50:05 ddns: Clear ddns cache.
Apr  8 14:50:05 ddns: Start Inadyn(10).
Apr  8 14:50:05 rc_service: watchdog 244:notify_rc start_amas_lanctrl
Apr  8 14:50:05 inadyn[4990]: In-a-dyn version 2.10.0 -- Dynamic DNS update client.
Apr  8 14:50:05 rc_service: watchdog 244:notify_rc start_cfgsync
Apr  8 14:50:08 inadyn[4990]: Update forced for alias xxxxx.dyndns.info, new IP# xx.xx.11.151
Apr  8 14:50:09 inadyn[4990]: Updating cache for xxxxx.dyndns.info

 

[L&LD]

Changelogs can't always specify everything. That is why properly testing the firmware in your specific router/network is important. After all, new firmware isn't created just for laughs, there is always reasons.

 

[kevinkonster]

Unfortunately problem in double NAT environment persists, just in other way. Now when IP address of 4G router changes, DDNS service in Asus router does not detect it. This causes site to be unreachable after every IP update.

It seems that Asus noticed WAN connection was down (WAN was restored), but on the other hand DDNS service says "IP address have not changed". I have tried both www.dyndns.org and www.dyndns.org(custom) scripts, but both seem they cannot handle this.

Apr 26 04:14:56 rc_service: watchdog 244:notify_rc start_cfgsync
Apr 26 04:15:12 WAN_Connection: WAN was restored.
Apr 26 04:15:12 dnsmasq[2062]: read /etc/hosts - 30 names
Apr 26 04:15:12 dnsmasq[2062]: using nameserver 192.168.8.1#53
Apr 26 04:15:12 dnsmasq[2062]: using nameserver 192.168.8.1#53
Apr 26 04:15:26 rc_service: watchdog 244:notify_rc start_amas_lanctrl

lines removed....

Apr 26 04:35:31 rc_service: watchdog 244:notify_rc start_cfgsync
Apr 26 04:36:01 watchdog: Hostname/IP mapping error! Restart ddns.
Apr 26 04:36:01 ddns: IP address, server and hostname have not changed since the last update.

 

[kevinkonster]

Is there any workaround invented? I am so frustrated to connect remote site with Anydesk and restart router's (RT-AC68U) DDNS service every 2 weeks.

I think some watchdog script to compare DNS and actual IP and if they don't match, restart inadyn/ddns?

 

[eibgrad]

Is there any workaround invented? I am so frustrated to connect remote site with Anydesk and restart router's (RT-AC68U) DDNS service every 2 weeks.

I think some watchdog script to compare DNS and actual IP and if they don't match, restart inadyn/ddns?

I threw together the following script. Using ssh, copy/paste it into the terminal window. It will create and start a script that monitors for a change in the public IP every 20 mins, and if it does change, restarts ddns.

SCRIPT_DIR='/tmp'
#SCRIPT_DIR='/jffs/scripts'
SCRIPT="$SCRIPT_DIR/monitor-ddns.sh"

# kill/purge any currently active script
killall -q $(basename $SCRIPT)

# create script
cat << 'EOF' > $SCRIPT
#!/bin/sh
{
set -x # uncomment/comment to enable/disable debug mode

# url of public ip checker/publisher
URL='api.ipify.org'

# time (in secs) between public ip checks (1200 or more recommended)
INTERVAL=1200

# function get_public_ip()
get_public_ip() {
    local pip tries=3

    # try multiple times if necessary
    while [ $tries -gt 0 ]; do
        pip="$(wget -T 10 -qO - $URL)"
        if [ "$pip" ]; then
            pip="$(echo $pip | grep -Eom1 '([0-9]{1,3}\.){3}[0-9]{1,3}')"
            [ "$pip" ] && { echo "$pip"; return 0; } || return 1
        fi
        [ $((--tries)) -gt 0 ] && sleep 10
    done

    # fall-thru == url failure
    return 1
}

# wait until internet access is available
until ping -qc1 -W3 8.8.8.8 &>/dev/null; do sleep 10; done

# immediately force a restart of ddns
pip_save='0.0.0.0'

# periodically check public ip for changes
while :; do
    pip_curr="$(get_public_ip)"

    if [[ $? -eq 0 && "$pip_curr" ]]; then
        if [ "$pip_save" != "$pip_curr" ]; then
            echo "info: public ip has changed ($pip_save -> $pip_curr); restarting ddns..."
            service restart_ddns
            pip_save="$pip_curr"
        fi
    else
        echo 'error: public ip NOT available'
    fi

    sleep $INTERVAL
done
} 2>&1 | logger -t $(basename $0 | grep -Eo '^.{0,23}')[$$]
EOF
chmod +x $SCRIPT

# start script as background job
nohup $SCRIPT &>/dev/null &

# monitor syslog for this script's specific output
tail -Fn0 /tmp/syslog.log | grep -E --line-buffered $(basename $SCRIPT)

Things to note:

- Debug mode is enabled by default.
- All output is written to the syslog.
- It automatically monitors the syslog for you (during testing)

Beware, it's NOT a good idea to hit websites like this too often lest you end up getting banned. I choose 20 mins for demonstration purposes.

If it works to your satisfaction, you could change the install directory to /jffs/scripts and call it from an init-start script w/ the nohup command.

Frankly, if you're behind multi-NAT, you're probably better off using a different kind of solution, one that creates an outbound connection from which you can tunnel back into your home network (Cloudflare (tunnels), Twingate, Tailscale, ZeroTier, etc.). This eliminates the need for port forwarding and DDNS entirely. Something like Cloudflare offers additional security features as well (MFA, geo-blocking, free and managed certs, etc.). Of course, you could manage your own similar VPS solution, but these third-parties simplify things considerably.

 

[kevinkonster]

I threw together the following script. Using ssh, copy/paste it into the terminal window. It will create and start a script that monitors for a change in the public IP every 20 mins, and if it does change, restarts ddns.

Thank you Eibgrad!

Sorry it took a while to put it in use, I've been busy with harvesting in my farm where this problematic connection is in use. I will give feedback in few weeks, because DDNS-service fails about every 2 weeks when ISP changes my IP.

 

[djphilosophy]

Just want to add in here that I resolved this issue by simply switching DDNS providers to freedns.afraid.org (they offer free DDNS of [yourhostname].mooo.com).

 

[lgkahn]

tried script in latest release merlin. gt11000 pro.. didnt like grep command

grep: unrecognized option '--line-buffered'
BusyBox v1.25.1 (2024-07-31 19:48:48 EDT) mult

 

[eibgrad]

tried script in latest release merlin. gt11000 pro.. didnt like grep command

grep: unrecognized option '--line-buffered'
BusyBox v1.25.1 (2024-07-31 19:48:48 EDT) mult

It's quite common for router firmware to NOT support all options for various commands in order to save space. Used to be a LOT worse years ago when storage was much more limited. But even now, you'll find missing options for unknown reasons.

Frankly, the --line-buffered option isn't really necessary here (it was working w/ my own RT-AC68U, so I assumed it was available w/ all Merlin firmware). Normally grep will buffer its output for efficiency reasons. Once the buffer is full, THEN you'll see output. But when you specify the --line-buffered option, it tells grep to output each line as it's processed. It makes monitoring something like the syslog a bit more effective, esp. when activity is low.

For now you can just remove that option. It should work well enough since there will be a significant amount of writing to the syslog given that debug mode is enabled in the script by default.

 

[lgkahn]

thanks got script working but doesn't alleviate the issue. my issue is that the router itself is not updating the correct public ip when behind cgnat..(it retains the last true public ip but even when restarting ddns it is not updating to the new one) obviously it can because rebooting the router and it immediately gets the new true public ip). and other devices on the networks ddns such as my qnap nas or gli secondary router get the correct ip all the time.. unfortunately i cannot manually disconnect and reconnect the wan (as that does fix it also) because most of the time it is remote and when i tried that remotely i lost ALL connectivity till i returned to the location.

i know everyone says it doesn't matter what the true semi public ip is with cgnat but it does to me because i have a rule in another location on my home automation hub that needs to know the ip that incoming connections for weather station monitoring and other rules are coming in from to allow the connections.. so it regularly needs to monitor and compare the ddns name to the ip to make sure it has the latest otherwise the connections are blocked.

 

[eibgrad]

Seems mighty odd the DDNS update would NOT update your current public IP. We know it actually works since a reset of the WAN works.

Might help to see a full, unfiltered dump of the syslog (at least the portion where a change is about to take place) so we can see what inadyn is reporting for its own results.

 

[lgkahn]

i will post it next time but i dont think it is inadyn the nvram variable (wano_realip_ip) still shows the old ip and even if i make sure that the ddns process runs it is updating it witth the old ip.