I need help as I’m running out of ideas on the following configuration:
Setup:
Dynamic public IP address assigned to the WAN interface on TO
VLAN (called DMZ) with Webserver (running as LXC container)
Using DDNS to access the TO or Webserver in DMZ - port 443 only. Let’s say I’m using myrouter.noip.me
Configuration:
From WAN - everything works fine and there is no problem with it.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'dmz'
option proto 'tcp'
option src_dport '443'
option dest_ip '192.168.13.130'
option dest_port '443'
option name 'HTTPS (WAN->DMZ)'
Now the challenge. I’d like devices within my own private networks to also use the myrouter.noip.me DNS name. The IP, however, resolves to the WAN interface of the router. So I created the following rules:
config redirect
option target 'DNAT'
option src 'lan'
option dest 'dmz'
option proto 'tcp'
option src_dip '<assigned public ip address>'
option src_dport '443'
option dest_ip '192.168.13.130'
option dest_port '443'
option name 'HTTPS (LAN->DMZ)'
This approach works but has two limitations:
I cannot set up such a rule when using the dns name from the TO directly
More importantly, as the public IP address is dynamic, it stops working when the public IP address changes
The second approach I tried is to add 192.168.13.130 myrouter.noip.me to the hosts file on the TO and add corresponding firewall rules from the other VLANs to the DMZ. It works; however, the DDNS script doesn’t work as myrouter.noip.me resolves to the local private IP address and not the public one.
Any suggestion on an approach which would work and wouldn’t have any limitations?
Did you use lxc.uts.name = in the LXC container config? If not you may try it, say lxc.uts.name = webserver, and then either in the hosts file or through the given resolver associate webserver with 192.168.13.130
This is what I tried (2nd approach), but then I had problems with the DDNS update scripts as the public domain resolved to the local IP address and then it didn’t pick up the change of the public IP address on the WAN interface.
I changed the resolver config right now so that I would have the logs. The first update looked fine, even though you can see that the script detected the private IP address 192.168.13.130 for the domain.
173508 : verbose mode : 0 - run normal, NO console output
173508 : check interval: 600 seconds
173508 : force interval: 259200 seconds
173508 : retry interval: 60 seconds
173508 : retry counter : 0 times
173508 : No old process
173508 : last update: 2018-08-02 19:54
173508 : Detect registered/public IP
173508 : #> /usr/bin/nslookup <my_domain>.noip.me >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
173508 : Registered IP '192.168.13.130' detected
173508 info : Starting main loop at 2018-08-05 17:35
173508 : Detect local IP on 'network'
173508 : Local IP '<public ip>' detected on network 'wan'
173508 : Update needed - L: '<public ip>' <> R: '192.168.13.130'
173508 : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
173508 : sending dummy IP to 'no-ip.com'
173508 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
173509 : 'no-ip.com' answered:\ngood 127.0.0.1
173510 : sending real IP to 'no-ip.com'
173510 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
173511 : 'no-ip.com' answered:\ngood <public ip>
173511 info : Update successful - IP '<public ip>' send
173511 info : Forced update successful - IP: '<public ip>' send
173511 : Waiting 600 seconds (Check Interval)
For the subsequent updates (every 10 mins) you can see the warning that the update of the IP address failed and the increasing number of retries. So the logging is kind of confusing as it says that the update failed but the forced update was successful. These warnings are not in the logs when the resolver resolves the hostname to the public IP. Also the warning messages are there and the number of retries increases with every run.
174511 : Detect registered/public IP
174511 : #> /usr/bin/nslookup <my_domain>.noip.me >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
174511 : Registered IP '192.168.13.130' detected
174511 WARN : Updating IP at DDNS provider failed - starting retry 1/0
174511 : Detect local IP on 'network'
174511 : Local IP '<public ip>' detected on network 'wan'
174511 : Update needed - L: '<public ip>' <> R: '192.168.13.130'
174511 : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
174511 : sending dummy IP to 'no-ip.com'
174511 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
174512 : 'no-ip.com' answered:\ngood 127.0.0.1
174513 : sending real IP to 'no-ip.com'
174513 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
174514 : 'no-ip.com' answered:\ngood <public ip>
174514 info : Update successful - IP '<public ip>' send
174514 info : Forced update successful - IP: '<public ip>' send
174514 : Waiting 600 seconds (Check Interval)
175514 : Detect registered/public IP
175514 : #> /usr/bin/nslookup <my_domain>.noip.me >/var/run/ddns/noip.dat 2>/var/run/ddns/noip.err
175514 : Registered IP '192.168.13.130' detected
175514 WARN : Updating IP at DDNS provider failed - starting retry 2/0
175514 : Detect local IP on 'network'
175514 : Local IP '<public ip>' detected on network 'wan'
175514 : Update needed - L: '<public ip>' <> R: '192.168.13.130'
175514 : parsing script '/usr/lib/ddns/update_no-ip_com.sh'
175514 : sending dummy IP to 'no-ip.com'
175514 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=127.0.0.1'
175515 : 'no-ip.com' answered:\ngood 127.0.0.1
175516 : sending real IP to 'no-ip.com'
175516 : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/noip.dat -o /var/run/ddns/noip.err --no-proxy 'http://username:*password*@dynupdate.no-ip.com/nic/update?hostname=<my_domain>.noip.me&myip=<public ip>'
175517 : 'no-ip.com' answered:\ngood <public ip>
175517 info : Update successful - IP '<public ip>' send
175517 info : Forced update successful - IP: '<public ip>' send
175517 : Waiting 600 seconds (Check Interval)
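The log above shows the blind spot: the ddns script reads the "registered" address from nslookup and never notices that 192.168.13.130 is a private address handed out by the router's own resolver. The following POSIX shell snippet is an added example, not code from the thread or from the OpenWrt ddns-scripts package; it parses a constructed BusyBox-style nslookup output and classifies the result so a split-horizon answer is flagged instead of being treated as a stale public record. The sample WAN address 203.0.113.7 is constructed.

```sh
#!/bin/sh
# Added example: detect when a DDNS lookup_host resolves to an RFC 1918 address,
# i.e. the local resolver (hosts file / static hint) answered instead of the
# public DNS, which would make every "Update needed" decision spurious.

# Constructed sample of BusyBox nslookup output for the thread's hostname.
SAMPLE_NSLOOKUP='Server:    127.0.0.1
Address 1: 127.0.0.1 localhost

Name:      myrouter.noip.me
Address 1: 192.168.13.130 myrouter.noip.me'

# Extract the first answer address that follows the "Name:" line.
ddns_registered_ip() {
    printf '%s\n' "$1" | awk '
        /^Name:/ { in_answer = 1; next }
        in_answer && /^Address/ {
            sub(/^Address[^:]*: */, ""); sub(/ .*/, ""); print; exit
        }'
}

# RFC 1918 check: 10/8, 172.16/12, 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Compare the registered address ($1) with the address detected on WAN ($2).
# Prints PRIVATE_LEAK (resolver served the internal view; do not update),
# MATCH (record is current) or STALE (public address really changed).
ddns_classify() {
    if is_rfc1918 "$1"; then
        echo PRIVATE_LEAK
    elif [ "$1" = "$2" ]; then
        echo MATCH
    else
        echo STALE
    fi
}

registered=$(ddns_registered_ip "$SAMPLE_NSLOOKUP")
echo "Registered IP '$registered' -> $(ddns_classify "$registered" 203.0.113.7)"
```

Running it against the constructed sample reports PRIVATE_LEAK, which is the condition to alert on (and the reason the dns_server / lookup_host workarounds discussed below are needed) rather than retrying the provider update every 10 minutes.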
I have a similar setup. I think (I am not at home atm) you can define which DNS server should be used to resolve domains for ddns (e.g. use 8.8.8.8 so your domain points to your WAN IP); check its LuCI page. Or you can force the ddns script to look up a different domain (e.g. public.myrouter.noip.me) when using wildcard redirects in noip. Sorry, I know these are no precise instructions, but maybe it gives you a hint.
Thank you @protree for the hint. noip unfortunately doesn’t offer wildcard domains like e.g. dynu does, and I was worried about atomic updates with multiple configurations both checking the same lookup host. However, I solved it by creating another record and configured the dnsomatic service as a single provider. dnsomatic then updates both entries, hopefully at the same time.
@ssdnvv I’m not sure this helps. The ip_source is used to define the IP address and this works fine in my setup - the WAN interface returns the public IP address. The issue was with the lookup_host. According to https://wiki.openwrt.org/doc/uci/ddns the dns_server option could be used (as @protree mentioned too)
I have a setup similar to yours. To resolve myrouter.noip.me to 192.168.13.130 on the local network, I configured the Knot DNS resolver appropriately using its static hints module.
The main configuration file of Knot Resolver is /etc/config/resolver. This file is likely to be updated every time a new version of Knot Resolver is installed, so it’s better to add custom settings to a separate configuration file, for example /etc/kresd/custom.conf, which then has to be included in the main configuration file.
To include a custom configuration file to the main configuration file, add the following line in the config resolver 'kresd' section of the /etc/config/resolver file:
option include_config '/etc/kresd/custom.conf'
Then add the following directive to the /etc/kresd/custom.conf file to instruct Knot that it should resolve myrouter.noip.me to 192.168.13.130:
it should be faster to resolve myrouter.noip.me to 192.168.13.130 as the host name resolution is done by your TO instead of an external DNS server on the Internet
accessing your DMZ web server from your local network should also be faster as your request does not have to leave your LAN to re-enter by the WAN port once resolved by the external DNS server
the host name resolution works even if your Internet connection is down