Double NAT custom DDNS script

[roundaway]

And if you wait a bit longer, I have a new solution that will make it no longer necessary to use a script to handle double NAT.

Standing by for that great day. My ISP, within the last 6 months, added double NAT and that killed OpenVPN Server at home. Using freedns.afraid .org as DDNS.

 

[chncar]

New version: https://pastebin.com/P18y0nS7 (will upload to github once asuswrt has been verified)

@Grisu: Added amazon as default ip lookup provider - i expect them to follow the law In any case. You can enter whomever you like. No default backup procider though.

@chncar: Please try this version. A silent mode has been added. It should only write in case ip has change. Please confirm. Sorry, crond and ddns is out my hand.

@mmjlmjl: Added asuswrt ddns in this version. Please check if it works - i cannot do that myself.

In all cases please add logs. E.g. execute manually sh -x ddns-start (remember to remove personal information.) Thank you.

I have problem with new script.

I made wrong typing about the DDNS username and password in the script. The DDNS update failed tonight when operator changed my ext. IP. The problem is the new NVRAM parameter EXTERNALIP has set the new IP already so the script just keep going, "not need to update", "no need to update", every 10 min.

Bellowed is the router log.

Sep 3 21:00:00 crond[765]: USER admin pid 14791 cmd /jffs/scripts/ddns-start
Sep 3 21:00:03 ddns: Completed custom ddns update
Sep 3 21:10:00 crond[765]: USER admin pid 14855 cmd /jffs/scripts/ddns-start
Sep 3 21:10:10 ddns: Custom ddns update failed <----------- Caused by wrong typing username/password
Sep 3 21:20:00 crond[765]: USER admin pid 14923 cmd /jffs/scripts/ddns-start
Sep 3 21:20:03 ddns: Completed custom ddns update <----------------- The script keep going....
Sep 3 21:30:00 crond[765]: USER admin pid 14987 cmd /jffs/scripts/ddns-start
Sep 3 21:30:02 ddns: Completed custom ddns update
Sep 3 21:40:00 crond[765]: USER admin pid 15051 cmd /jffs/scripts/ddns-start
Sep 3 21:40:02 ddns: Completed custom ddns update

The temporary solution for me is "nvram set EXTERNALIP="9,9,9,9" and correct the username/password in the script. So next 10 min the script will make it right by itself.

bellowed is the router log, the script make it right by itself.

Sep 3 23:10:00 crond[765]: USER admin pid 15862 cmd /jffs/scripts/ddns-start
Sep 3 23:10:18 ddns: Completed custom ddns update
Sep 3 23:10:18 admin: CustomUpdateDDNS: (good) DNS hostname successfully updated to *.*.*.*.

My sugesstion to new script V3.0:

1. Flush the EXTERNALIP value in case of any DDNS update failure.
2. If the DDNS update failure resaon was wrong username/password, the script shall be fully stop immediately since the router is a machine which can not handle this kind of mistake.
3. For other DDNS failure, I think the script can try 10 times and then stop.

 

[joe scian]

New version: https://pastebin.com/P18y0nS7 (will upload to github once asuswrt has been verified)

@Grisu: Added amazon as default ip lookup provider - i expect them to follow the law In any case. You can enter whomever you like. No default backup procider though.

@chncar: Please try this version. A silent mode has been added. It should only write in case ip has change. Please confirm. Sorry, crond and ddns is out my hand.

@mmjlmjl: Added asuswrt ddns in this version. Please check if it works - i cannot do that myself.

In all cases please add logs. E.g. execute manually sh -x ddns-start (remember to remove personal information.) Thank you.

I tested on asuswrt and it seems to work fine - thank you. My ISP charges extra $10/month in Australia for a static IP in a carrier nat environment. I have been paying for a static IP for 18 months to host IP Cameras/NVR and OVPN. I can now save myself some money !

 

[Steffe]

@chncar and @joe scian Thank you very much for the feedback. I agree that the handling of failtures definitely can be improved. I'm just not sure it's worth the extra effort if rmerlin pushes a way to handle it with the firmware. Seems like people are more interested in that based on the last weeks of comments.

 

[chncar]

It is good news RMerlin will introduce this function into firmware. And I just keep using this script untill RMerlin’s new solution comes out, and then I have to wait john9527 put it in the LTS firmware.

This script fixes my “double nat” issue and thanks again Steffe!

 

[joe scian]

@chncar and @joe scian Thank you very much for the feedback. I agree that the handling of failtures definitely can be improved. I'm just not sure it's worth the extra effort if rmerlin pushes a way to handle it with the firmware. Seems like people are more interested in that based on the last weeks of comments.

384.7 Alpha 3 out and supports external option to retrieve WAN IP from either the local
interface (like before) or through a remote server
(which works through double NAT). Remote server not configurable in GUI but seems to work flawlessly

 

[roundaway]

@Steffe Appears the RT-AC-56U won't be getting firmware updates anymore. If someone wanted to use your script with freedns.afraid.org, would it be as simple as replacing line 57 with the direct URL provided by feedns.afraid.org?
"http://freedns.afraid.org/dynamic/update.php?secretkey==" or use
"http://$USERNAME:$PASSWORD@freedns.afraid.org/nic/update?hostname=$HOSTNAME&myip=$NEWIP" ??

Thank you.

 

[RMerlin]

Appears the RT-AC-56U won't be getting firmware updates anymore

Says who?

 

[grifo]

@chncar and @joe scian Thank you very much for the feedback. I agree that the handling of failtures definitely can be improved. I'm just not sure it's worth the extra effort if rmerlin pushes a way to handle it with the firmware. Seems like people are more interested in that based on the last weeks of comments.

Hi Steffe, I think your script would still be very useful. While the functionality built into the firmware will make setting up double-nat ddns easier, it won't be able to provide the same level of granularity that a script does since it can be changed it to suit one's preferences, for example I also don't want too many logs but I like to keep the script letting me know it's working properly, so I changed it to only log the "CustomUpdateDDNS: (nochange) External IP address is current: $NEWIP" line if the ip hasn't changed. It can also be adapted to use any provider and be made to run at any interval (eg. no minimum interval).

 

[roundaway]

Says who?

My apologies if post #106 in the Alpha 384.7 thread was interpreted incorrectly. I thought it said 384.7 won't be available for the RT-AC56U.

 

[RMerlin]

My apologies if post #106 in the Alpha 384.7 thread was interpreted incorrectly. I thought it said 384.7 won't be available for the RT-AC56U.

That's correct. But I never said that future releases won't support it. Model support will change for each release based on which GPL code is available from Asus at that time. 384.6 had no compatible RT-AC87U code available. 384.7 does, but this one lacks RT-AC3200 and RT-AC56U code.

 

[roundaway]

That's correct. But I never said that future releases won't support it. Model support will change for each release based on which GPL code is available from Asus at that time. 384.6 had no compatible RT-AC87U code available. 384.7 does, but this one lacks RT-AC3200 and RT-AC56U code.

Thank you for the clarification and great firmware.

 

[vienna0001]

I have a RT-N66U, which is connected to the internet with an LTE stick plugged into the USB port.

Challenge is to reach the router (and connected devices) from outside, as it is apparently behind a double NAT scenario.

I tried out the script posted here and ran into some trouble with updating the IP on my no-ip account.
(Read there is a fixed script, will try it out in the evening.)

Nevertheless I checked for the public IP the operator is assigning after connecting, which is from the range 212.95.5.x

I assigned it to the wan0 port of the modem with nvram set command and the router showed it on the start screen of the web UI.

Nevertheless I cannot reach the router from outside.

Can anyone knowledgable tell if I might succeed at all in reaching my router from outside?
If this may be impossible I may save time not trying out the fixed script.

Thanks in advance! G

 

[Steffe]

@vienna0001 This script retrieves your ip from an exernal service, so it should not be a problem, and, yes, if you have a double nat situation this might help.

 

[Pila]

I started from here and with @Steffe help over 2 years ago, and now my ddns script has close to 3000 lines and everythign is merged into it. It even works at Raspberrry Pi So, I wish to share some ideas.

Important: when in DoubleNAT, the only way to be sure of your WAN IP address is to read it from your modem. External reading (e.g. icanhazip.com) will hide many problems from you! I never use external read any more!

Recently, providers started introducing private WAN IP addresses starting with 10. or 100 (CGN and Shared Address space RFC6598 and similar). If you get them, incoming VPN or ssh will not work.

How to read from the modem? I could telnet to one older and reboot it that way. Newer ones are stupid, I must steal data from their wep pages. For ZTE it is easy, for Huawei is quite complicated. Method varies by the modem. My router reboots my modems directly when there is a problem with them.

For the DDNS servers, I propose ones almost nobody heard of: dynu.com and duckdns.org. Free for 5 names, work for e-mail too, ttl is <90 sec. No need to force updates (I have had single address for 88 days without the need for updates). I am using them for years and they work perfectly. My VPN clients are set to autoamtically use 3 DDNS providers should there be a problem. Third one is twodns.de but they do not help if you need e-mail (MX) and over last years, they had problems twice. But are excellent as a third backup.

I have incorporated tests if Internet is actually alive and if my 3 networks can communicate with each other. These test required my ddns script to be run by cru every 5 minutes. Side benefit: I become free from Asus if it will run the script or forget to do so when it was needed. This happend sometimes on my routers.

Asus router can sometimes forget to start ddns script. Do not ask me why. I have added to one other computer (Raspberry Pi) on the same netork to check every 12 minutes if ddns script is running, and if it is not, RPi will run it. Not often, but my routers sometime mess up their cru which runs my ddns-start.

So, to fix this, it is enough for a RPi to to check if cru entry is well, and if it is not, run the program.

ssh router@192.168.1.1 (cru l | grep "ddns-start" 1>&-) || { /jffs/scripts/ddns-start; } '

How this helps? I added into my ddns script to build its own cru entry if it is not present. My script become a program I call DoubleDDNS, adjust name as you like, and it is set to run every 5 minutes.

[ ! "$(cru l | grep DoubleDDNS)" ] && cru a DoubleDDNS "03-59/5 * * * * /jffs/scripts/ddns-start"

Since everything is logged, my script can make statistics how long did I have a WAN IP addresses, how many problems did I have and which and similar. On several ocassions, thanks to my stats, I noticed problems before my provider did and by reporting them, forced my provider to fix them quicker.

I hope this may give someone usefull ideas.

 

[Pila]

And if you wait a bit longer, I have a new solution that will make it no longer necessary to use a script to handle double NAT.

It is great that the inbuilt DDNS service will be improved, but there are many situations where it will likely never be usefull. So, ones who have such funny demands will have to take control by themselves, even with newer and better solution. But, for most users, this will be a significant improvement. At least, be aware of the following points.

1. demand for 99,99% 24/7 availability: sometimes Asus routers forget to triger ddns-start script so they may forget the inbuilt job, too. Sometimes they trigger it several times concurently which may also lead to the problems if allowed. Or the router itself may have a problem.

2. unsuported DDNS servers. I use 3 DDNS servers and none of them is at the supported list. All of them are superior to services on (my) router's list.

3. multiple DDNS servers. Refering back to point 1. all of my systems maintain 3 different DDNS servers. All incoming access to my systems is configured to seamlessly use the next server if one fails

These next 2 points may appear not to be linked, but impact accesibility and are real problems for many of us.

4. Internet Life is a real problem. How often we need to manually reboot a modem and/or a router because the Internet does not work? Monthly? Daily? Too much. My DDNS script does all the testing and rebooting for me (ping is useless here). One of my ac68 with a very old fw is curently 96 days up. Memory is checked and offenders are restarted automatically.

5. over the last 1-2 years, the providers started to issue regular private (10.*) addresses, CGN private addresses (100.*) or they simply fail to route properly if a particular address (in my case 109.227.*) was issued as a WAN IP. All of these will disable any incoming connections, regardless of DDNS. Possibly for a long time.

Having my own script, I can log and monitor statistics. Five months ago, I noticed my provider at one location issued 72 WAN IP addresses to me over one week period. They ignored it until I started complaining. Also, my stats tell me my longest WAN IP runs were 88 and 73 days. Now, imagine I had an address issued from the pools in the above point 5! I could wonder for months why stuff does not work. Or blindly reboot the modem and the router manually which I do not consider a solution.