How to allow incoming traffic from dynamic IP address

I have a question about firewall configuration.

Set-Up:
I have a NAS at my home and another NAS at my parents' home. I synchronise the data from my home NAS to the NAS at my parents' home. My home has a dynamic IP that changes frequently. This all works, but I only allow my home dynamic IP to connect to my parents' home. I have the dynamic IP address manually configured. I also have dynamic DNS for my home public IP address.

Question about configuring the OpenWrt router at my parents' home:
How do I set up OpenWrt at my parents' to allow my incoming traffic from my dynamic DNS name instead of the WAN IP address?

I hope someone can help me. I could not find any useful information in the documentation or on the internet.

I have not tried it myself, but I think it can be done with ipset. Try the instructions from https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset
(but change where necessary, e.g. you don't want REJECT)

1 Like

I suppose you might need to mimic the logic from the DDNS updater and create a script that will be executed via cron every X minutes/hours.
This script should first resolve your DDNS name and compare the result with the IP address currently configured in the firewall rule. If there is a difference, the rule should be updated with the new address.

Thanks Andrew, I found this myself, which looks like your direction: https://www.baeldung.com/linux/allowing-traffic-from-dynamic-ip-address

Unfortunately I am not really a Linux expert. I was hoping that it could be done from the LuCI GUI. I suppose this is not the case.

Even if you had a static public IP address, and even if you use a secure protocol for the synchronization, you should be using a VPN for this...

4 Likes

The best solution would be a LAN-to-LAN VPN. Currently I do not have the equipment for this.

I was hoping that OpenWrt could simply help me with a GUI option in the firewall setup. Maybe in a later release.

Thanks all for the answers.

Well, there is an option that is far from perfect.

Go to LuCI->System->Software, remove dnsmasq and install dnsmasq-full.

LuCI->Network->DHCP and DNS->IP Sets

LuCI->Network->Firewall->IP Sets

Make sure the set name is the same in both (IP Sets) tabs and the Packet Field Match is set to src_ip.

Do not set Source address, but set home in the Use ipset field in the Advanced settings of your firewall rule.

Check for (home) IP address changes every 15 minutes.

LuCI->Network->Scheduled Tasks

As an inevitable side effect, the dnsmasq cache will be flushed at the specified interval.

2 Likes

Dear Pavelgl,

Thanks for these very good instructions.

I followed your approach. I have one question: where do I put my dynamic DNS name of the source IP? Is this the FQDN field in IP Sets?

Thanks in advance.

Replace home.ddns.net with your actual DDNS hostname in both places where it is specified - the FQDN field and the cron job (Scheduled Tasks).

Thanks Pavelgl for your support and the provided solution. I first have to buy an OpenWrt router. I first wanted to know if it can be done.

I have bought an OpenWrt router, the FriendlyARM NanoPi R5C. I cannot run your suggested configuration, because the scheduled task gives an error when run separately:

Do you have any idea what is wrong here?

Furthermore, is there a command to see if the config is working?

Thanks in advance.

Are you running FriendlyWrt instead of real OpenWrt? If so, perhaps upgrade to real OpenWrt.

Thanks for this advice. I had bad results with flashing OpenWrt on the R5C. Do you know if I need the ext4 or squashfs version?

Sorry, I have no experience with your router, but we cannot help you if you are not running the real OpenWrt.

OK, I need to fix that and install OpenWrt first. Thanks.

On egc's advice I have updated my NanoPi R5C to OpenWrt 24.10.1 with the help of the YouTuber "The Workshop On The Hill": https://youtu.be/GsxuoSXb9A4?si=OJgbYKaj4QPYaI4i

Now the scheduled command works, see screenshot.

One question remains: how can you check the result of the lookup command?

Thanks in advance.

Assuming you followed the rest of the instructions, compare the output (IP addresses) of these two commands.

root@MikroTik:~# /usr/bin/killall -HUP dnsmasq; /usr/bin/nslookup hotmail.com
Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   hotmail.com
Address: 204.79.197.212

Non-authoritative answer:

root@MikroTik:~# nft list set inet fw4 home
table inet fw4 {
        set home {
                type ipv4_addr
                timeout 14m59s
                elements = { 204.79.197.212 expires 14m56s680ms }
        }
}
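The comparison above can be done by a small script instead of by eye. This is an added example, not code from the thread or from OpenWrt; it assumes the ipset is named home and the DDNS name is home.ddns.net (both placeholders used in the thread) and parses the same two command outputs shown above.

```shell
#!/bin/sh
# Added example (not from the thread): compare the A record dnsmasq returns
# for the DDNS name with the element(s) currently in the fw4 "home" set.
# Assumes the set is named "home" and the DDNS name is home.ddns.net
# (placeholders from the thread). Only the live_check function needs the router.

# Print the IPv4 addresses from the "Non-authoritative answer" part of
# nslookup output (stdin); the Server:/Address: header lines are skipped.
nslookup_addrs() {
    awk '/^Non-authoritative answer:/ {a=1; next} a && /^Address:/ {print $2}' \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Print the IPv4 elements of "nft list set inet fw4 <name>" output (stdin),
# dropping the "expires ..." annotation; multi-line element lists are handled.
nft_set_addrs() {
    awk '/elements = \{/ {a=1} a {print} a && /\}/ {a=0}' \
    | tr -d '{}' | sed 's/elements =//' | tr ',' '\n' | awk '{print $1}' \
    | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# $1 = nslookup output, $2 = nft output. Returns 0 when the resolved
# address list is non-empty and identical to the set's contents.
ipset_in_sync() {
    _dns=$(printf '%s\n' "$1" | nslookup_addrs)
    _set=$(printf '%s\n' "$2" | nft_set_addrs)
    [ -n "$_dns" ] && [ "$_dns" = "$_set" ]
}

# Live check on the router, using the two commands from the thread.
live_check() {
    _name=${1:-home.ddns.net}; _setname=${2:-home}
    killall -HUP dnsmasq
    ipset_in_sync "$(nslookup "$_name" 127.0.0.1)" "$(nft list set inet fw4 "$_setname")"
}

# Constructed sample output, in the shape of the thread's two commands.
SAMPLE_NSLOOKUP='Server:         127.0.0.1
Address:        127.0.0.1:53

Non-authoritative answer:
Name:   hotmail.com
Address: 204.79.197.212

Non-authoritative answer:'
SAMPLE_NFT='table inet fw4 {
        set home {
                type ipv4_addr
                timeout 14m59s
                elements = { 204.79.197.212 expires 14m56s680ms }
        }
}'
```

A mismatch right after the DDNS record changes is expected until the next scheduled run refreshes the set.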

Thanks Pavelgl for your clear answer.

This will help me to check the configuration.

Final confirmation can be given when the router is at the remote location. I have good hopes for a positive result!