Firewall rule for NAS Google Domains Dynamic DNS IPv6

Found this really nice script here for updating a firewall rule. The problem is that it does not do anything in the firewall section. Is the script old and something changed in the firmware? I could not figure out anything.

I get
Getting your IPv6 address...
Your current IPv6: {xxx:xx:x:xxx:xxxx:.......}

and nothing after that, I see nothing in the firewall section.
Can someone check for me where the error is?

#!/bin/sh

# CONFIGURABLE PARAMETER: PREFIX
# Set the prefix to the name of the rules that need to be updated. (Can update multiple rules with same name)
PREFIX=Synology
PREFIX_LEN=${#PREFIX}

# CONFIGURABLE PARAMETER: getIP
# Set your method of getting IPv6 address in here
# Current method is through ip neighbor with MAC address (Lowercase, :)(getIP=$(ip neighbor | grep "Your MAC Here" | grep -v "STALE" | cut -d" " -f1))
# One example is wget which accesses a page on the web-server showing current IP address (getIP=$(wget --read-timeout=10 http://checkipv6.dyndns.com -q -O -))
# Another option could be nslookup your domain to get the IPv6 address. getIP=$(nslookup -query=AAAA $hostname)
printf "Getting your IPv6 address... \n"
getIP=$(ip -6 neigh | grep "65:11:32:53:8f:a4" | grep -v "fe80" | cut -d" " -f1)

if [ "$getIP" = "" ]
then
    printf "Failed to get IP.\n"
    exit 0
fi

# Set m flag accordingly, only first match is accepted.
prefix6=$(echo "$getIP" | grep -m 1 -E -o "([0-9a-fA-F]{1,4}(:?)){8}")

if [ "$prefix6" = "" ]
then
    printf "Request successful, but no IPv6 detected. \n"
    exit 0
fi

printf "Your current IPv6: {$prefix6}\n\n"

changed=0
index=0
name=$(uci get firewall.@rule[$index].name 2> /dev/null)

while [ "$name" != "" ]
do
    subname=${name:0:$PREFIX_LEN}

    if [ "$subname" == "$PREFIX" ]
    then
        dest_ip=$(uci get firewall.@rule[$index].dest_ip 2> /dev/null)
        printf "Current stored IP address: {$dest_ip} \n"

        if [ "$dest_ip" != "$prefix6" ]
        then
            printf "The IP has changed! \n"
            printf "Updating\n\n"
            changed=1
            uci set firewall.@rule[$index].dest_ip=$prefix6
            uci commit firewall
        else
            printf "IP is the same, no changes made.\n"
        fi

        break 2
    fi

    index=$(expr $index + 1)
    name=$(uci get firewall.@rule[$index].name 2> /dev/null)
done

if [ $changed -eq 1 ] 
then
    printf "Restarting firewall... \n"
    /etc/init.d/firewall reload 2> /dev/null
    printf "All up to date. \n"
fi

exit 0


Did a quick read through that tutorial; it says you need to create the firewall rule yourself, and then the script updates the rule.
So it stops just short of reading the "rule" and then updating that rule with the new IP.
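
The silent exit described above can be turned into an explicit diagnostic. The following is an added example, not part of the original posts or the tutorial's script; the function names `matching_rule_indexes` and `check_rules` are hypothetical, and it assumes OpenWrt's `uci` with its `-q` (quiet) option. It also walks rule sections by existence rather than by name, so an unnamed rule does not end the scan before a later matching rule is reached.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# matching_rule_indexes PREFIX
# Prints the index of every firewall rule whose name starts with PREFIX.
# Walks sections by existence, so an unnamed rule does not end the scan early.
matching_rule_indexes() {
    want=$1
    idx=0
    while uci -q get "firewall.@rule[$idx]" >/dev/null 2>&1; do
        rule_name=$(uci -q get "firewall.@rule[$idx].name" 2>/dev/null) || rule_name=""
        case $rule_name in
            "$want"*) echo "$idx" ;;
        esac
        idx=$((idx + 1))
    done
}

# check_rules PREFIX
# Prints "index dest_ip" for each match; returns 1 with a message if none exist.
check_rules() {
    found=$(matching_rule_indexes "$1")
    if [ -z "$found" ]; then
        echo "No firewall rule named '$1*' exists; create it before running the updater." >&2
        return 1
    fi
    for i in $found; do
        echo "$i $(uci -q get "firewall.@rule[$i].dest_ip" 2>/dev/null)"
    done
}

# Usage on the router: check_rules Synology || exit 1
```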

Thanks, what is the command for creating a firewall rule? Is it "Open ports on router" or "New forward rule"?

UPDATE
Got it working, thanks!


https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_ipv6_examples#dynamic_prefix_forwarding

I got it working completely with Google Domains DNS. Here is the script if someone needs to update their device with Google Domains DNS.

#!/bin/sh

# CONFIGURABLE PARAMETER: PREFIX
# Set the prefix to the name of the rules that need to be updated. (Can update multiple rules with same name)
PREFIX=Synology
PREFIX_LEN=${#PREFIX}

# CONFIGURABLE PARAMETER: getIP
# Set your method of getting IPv6 address in here
# Current method is through ip neighbor with MAC address (Lowercase, :)(getIP=$(ip neighbor | grep "Your MAC Here" | grep -v "STALE" | cut -d" " -f1))
# One example is wget which accesses a page on the web-server showing current IP address (getIP=$(wget --read-timeout=10 http://checkipv6.dyndns.com -q -O -))
# Another option could be nslookup your domain to get the IPv6 address. getIP=$(nslookup -query=AAAA $hostname)
printf "Getting your IPv6 address... \n"
getIP=$(ip -6 neigh | grep "xx:xx:xx:xx:xx" | grep -v "fe80" | cut -d" " -f1)

if [ "$getIP" = "" ]
then
    printf "Failed to get IP.\n"
    exit 0
fi

# Set m flag accordingly, only first match is accepted.
prefix6=$(echo "$getIP" | grep -m 1 -E -o "([0-9a-fA-F]{1,4}(:?)){8}")

if [ "$prefix6" = "" ]
then
    printf "Request successful, but no IPv6 detected. \n"
    exit 0
fi

printf "Your current IPv6: {$prefix6}\n\n"

changed=0
index=0
name=$(uci get firewall.@rule[$index].name 2> /dev/null)

while [ "$name" != "" ]
do
    subname=${name:0:$PREFIX_LEN}

    if [ "$subname" == "$PREFIX" ]
    then
        dest_ip=$(uci get firewall.@rule[$index].dest_ip 2> /dev/null)
        printf "Current stored IP address: {$dest_ip} \n"

        if [ "$dest_ip" != "$prefix6" ]
        then
            printf "The IP has changed! \n"
            printf "Updating\n\n"
            changed=1
            # Google Domains DNS
            # The URL is quoted: an unquoted & would background wget and drop the myip parameter.
            wget --user=ASusahdouasUAUnsA --password='IuandluauYAH' --user-agent='Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)' "https://domains.google.com/nic/update?hostname=subdomain.example.com&myip=$prefix6"
            uci set firewall.@rule[$index].dest_ip=$prefix6
            uci commit firewall
        else
            printf "IP is the same, no changes made.\n"
        fi

        break 2
    fi

    index=$(expr $index + 1)
    name=$(uci get firewall.@rule[$index].name 2> /dev/null)
done

if [ $changed -eq 1 ] 
then
    printf "Restarting firewall... \n"
    /etc/init.d/firewall reload 2> /dev/null
    printf "All up to date. \n"
fi

exit 0
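
The scripts above pick the address with `grep -v "fe80"`, which drops any neighbour line containing that text anywhere, including a global EUI-64 address of a device whose MAC has `80` as its fourth byte. The following is an added example, not part of the original posts: a hypothetical `pick_global_v6` helper that matches the `lladdr` field exactly and excludes link-local addresses by prefix. Skipping ULA (`fc00::/7`) addresses is an assumption made here because the result feeds a public DNS record, and all sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. All addresses below are constructed.

# Constructed `ip -6 neigh` output. The NAS MAC has 0x80 as its fourth byte,
# so every EUI-64 address derived from it contains the text "fe80".
sample_neigh() {
    cat <<'EOF'
fe80::211:32ff:fe80:8fa4 dev br-lan lladdr 00:11:32:80:8f:a4 REACHABLE
fd12:3456:789a:1:211:32ff:fe80:8fa4 dev br-lan lladdr 00:11:32:80:8f:a4 STALE
2001:db8:1:2:211:32ff:fe80:8fa4 dev br-lan lladdr 00:11:32:80:8f:a4 REACHABLE
2001:db8:1:2::99 dev br-lan lladdr aa:bb:cc:dd:ee:ff REACHABLE
2001:db8:1:2::5 dev br-lan  FAILED
EOF
}

# pick_global_v6 MAC   (reads `ip -6 neigh` output on stdin)
# Prints the first global address whose lladdr equals MAC, or nothing.
pick_global_v6() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v mac="$mac" '
        {
            lladdr = ""
            # FAILED/INCOMPLETE entries carry no lladdr, so they never match.
            for (i = 2; i < NF; i++) if ($i == "lladdr") lladdr = tolower($(i + 1))
            if (lladdr != mac) next
            addr = tolower($1)
            if (addr !~ /^[0-9a-f:]+$/) next              # not an IPv6 literal
            if (addr ~ /^fe[89ab][0-9a-f]:/) next         # link-local, fe80::/10
            if (addr ~ /^f[cd][0-9a-f][0-9a-f]:/) next    # ULA, fc00::/7 (assumption)
            print addr
            exit
        }'
}

# Usage on the router: getIP=$(ip -6 neigh | pick_global_v6 "xx:xx:xx:xx:xx:xx")
```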