LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

ChangeIP script - Firewall

Tue Dec 26, 2017 10:57 pm

Hi Everybody,

I am pretty new to RouterOS and I am experimenting a lot at the moment.

A problem that I am facing right now is that the ChangeIP script will not run properly due to the firewall.
When I disable the firewall rule that blocks other traffic (rule placed at the end of the list) then
this script does run properly. I have successfully allowed PPTP and GRE to get through the firewall
with this rule enabled. So it looks like I have to allow incoming traffic from a certain address
and port to get ChangeIP through.

Anyone any ideas?

Thanks..

Friendly regards,
Luc, The Netherlands
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall

Wed Dec 27, 2017 3:21 am

Hi

You mean ChangeIP, the DDNS service? Then it will make an HTTP(S) call to update your current IP in DNS. You need to allow outgoing HTTP(S) from your router (to ChangeIP).

Regards
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Wed Dec 27, 2017 9:36 am

> Hi
>
> You mean ChangeIp, the ddns service? Then it will make a http(s) call to update your current ip in dns. you need to allow outgoing http(s) from your router (to changeip).
>
> Regards

Hi Sebastia,

Thanks, I am going to try this. But I don't understand why to allow outgoing HTTP traffic specific to ChangeIP
because every device in the network can access websites. Is this because the connection to ChangeIP is
made from within the router and not behind the NAT? Thanks..


Luc
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall

Wed Dec 27, 2017 1:59 pm

You can also consult the log, for any errors during script execution. If you still have issues, please copy paste the log entries of script execution. And include the actual script too.
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Wed Dec 27, 2017 6:56 pm

> You can also consult the log, for any errors during script execution. If you still have issues, please copy paste the log entries of script execution. And include the actual script too.

The log reports a timeout. It looks like the firewall needs to accept incoming traffic from changeip.com somehow.
The script is OK, because when I disable a firewall rule related to incoming traffic, then the script works... so it must be
an incoming traffic problem.
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Wed Dec 27, 2017 11:10 pm

The script:

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# EDIT YOUR DETAILS / CONFIGURATION HERE
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:global ddnsuser "****"
:global ddnspass "****"
:global ddnshost "****"
:global ddnsinterface "****"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# END OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:global ddnssystem ("mt-" . [/system package get [/system package find name=system] version] )
:global ddnsip [ /ip address get [/ip address find interface=$ddnsinterface] address ]
:global ddnslastip

:if ([:len [/interface find name=$ddnsinterface]] = 0 ) do={ :log info "DDNS: No interface named $ddnsinterface, please check configuration." }

:if ([ :typeof $ddnslastip ] = "nothing" ) do={ :global ddnslastip 0.0.0.0/0 }

:if ([ :typeof $ddnsip ] = "nothing" ) do={
  :log info ("DDNS: No ip address present on " . $ddnsinterface . ", please check.")
} else={
  :if ($ddnsip != $ddnslastip) do={
    :log info "DDNS: Sending UPDATE: $ddnsip!"
    :log info [ :put [/tool dns-update name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"] ] key-name=$ddnsuser key=$ddnspass ] ]
    :global ddnslastip $ddnsip
  } else={
    :log info "DDNS: No changes necessary: $ddnsip."
  }
}

# END OF SCRIPT


The log reports:

ddns, error | timeout
script, error | script error: timeout
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 4:22 am

You could learn what is being blocked / not allowed by adding a logging rule to your firewall. Once you know what you need to let pass ...

To respond to your earlier question: yes, the DDNS updates will originate from the router, and that is not the same as your internal NATed network.
Traffic "from router" leaves on the output chain, "to router" enters the input chain.
Traffic between your internal network <> internet goes over the forward chain.
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 12:52 pm

> You could learn what is being blocked / not allowed by adding a logging rule to your firewall. Once you know what you need to let pass ...

How do I do that please?
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 4:23 pm

It could be something as simple as:

/ip firewall filter add chain=input in-interface=<internet interface> action=log

This will add a log action on the incoming chain from the internet (replace with the right name). It will log any packet reaching this point in the firewall.
(You may want to disable that rule once you don't need it.)

Another option would be to enable the log function on your "policy" drop rule. That's easiest done through WinBox: check the "Log" checkmark under Action of the drop rule.
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 6:45 pm

Trying and trying but I am unable to find out the correct information... :(
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 8:39 pm

You meant you don't get any log entries?
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Thu Dec 28, 2017 9:07 pm

Yes, I do get log entries... But I don't know what the IP is related to ChangeIP, just can't find it.

The same issue is happening with RouterOS update check b.t.w.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: ChangeIP script - Firewall  [SOLVED]

Fri Dec 29, 2017 5:31 pm

I've tested the update process for you. The tool makes two calls:
1. a DNS resolve for the IP
2. an HTTPS call doing the actual IP change/update

Hence:
0. (DNS traffic from the router is already allowed)
1. You need to allow the router to make outgoing calls to port 443.
/ip firewall filter add action=accept chain=output comment="Accept: HTTP/S" dst-port=80,443 protocol=tcp
2. You need to allow incoming related traffic.
/ip firewall filter add action=accept chain=input comment="Accept: established & related" connection-state=established,related

Good luck
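
Added example, not part of the thread and not MikroTik's own configuration: the diagnosis and the input-chain fix discussed above as one RouterOS console session. `add` appends a rule to the end of the list, so a rule added after the final drop rule never matches; `place-before` puts it where it takes effect. The interface name `ether1`, the script name `changeip` and the comment on the existing drop rule are assumptions.

```routeros
# Added example. Assumed names (adjust to your configuration):
#   ether1                    internet-facing interface
#   "drop all other input"    comment on the existing final drop rule
#   changeip                  name of the DDNS script under /system script

/ip firewall filter

# Temporary diagnostic rule directly in front of the drop rule: it logs
# exactly the packets the drop rule is about to discard.
add chain=input in-interface=ether1 action=log log-prefix="pre-drop" \
    comment="TEMP: log before drop" \
    place-before=[find where comment="drop all other input"]

# Replies to connections the router opened itself (the DNS answer, the
# HTTPS response) enter on the input chain. Accept them by connection
# state, ahead of the log rule so that only unexpected packets are logged.
add chain=input action=accept connection-state=established,related \
    comment="Accept: established & related" \
    place-before=[find where comment="TEMP: log before drop"]

# Confirm the order: accept, then log, then drop.
print where chain=input

# Run the update, then check that the accept rule's counters increased
# and see what still reaches the log rule.
/system script run changeip
/ip firewall filter print stats where chain=input
/log print where message~"pre-drop"

# Remove the diagnostic rule once the cause is known.
/ip firewall filter remove [find where comment="TEMP: log before drop"]
```

A chain with no matching rule accepts the packet, so the output rule from the answer only matters when the output chain ends in its own drop rule; in that case place it before that rule in the same way.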
 
LucZWFM
Member Candidate
Topic Author
Posts: 130
Joined: Tue Dec 26, 2017 10:47 pm
Location: Bergen op Zoom, The Netherlands

Re: ChangeIP script - Firewall

Sun Dec 31, 2017 8:42 pm

Thanks Sebastia!

That worked out very well. :)
Also the firmware update check works again now. :)

Happy New Year!
