Log external IPs

I'd like to log my routers external IP address.
I was expecting to find a premade package or existing log entries, but didn't.
Can anyone advise how to go about doing this?

How do you want to log it (locally, or to an external server)? And to what end -- do you want to track it over time? or just know what it is at any given moment?

A dynamic DNS client is the easiest way to do the latter.

The former could theoretically be done externally by sending logs to a syslog server, or logging locally (although it's not a great idea to log to your internal flash memory if you're using a consumer all-in-one type router -- you'll kill the memory with too many writes). The standard syslog will have this information every time the DHCP (or possibly PPPoE) client gets an address assignment, so you'd just write this to your log. Or you could create a cron job or a hotplug script to write the IP to a log on a periodic basis (or on a renewal/new IP event). You might even be able to log via the data the comes from the dynamic DNS client packages.

Probably easiest to send it to existing rsyslog server, but to be honest I was hoping the openwrt interface would display a snapshot of the most recent via plugin/package.
Looks like I'll need to refresh my memory on how to wrangle rsyslogs

Well if your WAN interface has your external IP it is shown on the Status Page in the Network section under Upstream.
If you are behind a NAT on your WAN you would need a tool (e.g. as it is inlcuded in the DDNS package) to check your IP on an external server.

What is the use case of this external ip logging? (I sort of asked earlier). Understanding what you want to achieve may be useful to point you to a workable solution.

1 Like

Isn’t this information already saved in system log when dnsmasq negotiates and periodically reacquire the wan IP?

So when i get "someone attempted login from IP...was it you?" messages I can know if it was me....even weeks later.
But it also seems like the kind of thing that would be a useful part of the main interface. Without requiring the user to script/search logs. That said; logging stuff like this would only really be persistent between boots when stored external to the router anyway.

Because it's less messing with my router I'll probably just set a cron on my nuc to run a bash script I wrote some time ago that tracks external IP.
...but as others have said: it's possibly already in the rsyslogs i set up and then completely forgot about.

I typically look at those right away, so this isn't really a thing for me... typically I jump on any unrecognized login attempt immediately. Weeks later might be too late.

You are the first person I have seen actually seek out/request this feature, but there are probably other people who could benefit from this... but I don't think it's a particularly large number of users.

OpenWrt is generally designed to avoid writing to disk (flash storage) except when necessary (i.e. config changes) for a few reasons:

  • flash memory durability (especially in embedded devices like all-in-one wifi routers)... a feature like this could have the potential to write to storage frequently and could kill the flash memory in short order. Obviously it depends on how this type of feature would be implemented -- would it write even time there is a renewal even if the same, or would it only write on change. But it would also depend on how often the IP is changing -- this could be essentially never for some users to every few hours for others.
  • flash memory storage space ... in embedded devices, the storage is at a premium. This could easily fill up the storage, and even small writes of just 4 bytes of real data each could actually consume far more (say 64KB per write) because of the minimum block size for writing.
  • resiliency against power loss... when you don't have (m)any open files (write mode), your system becomes much more resilient against power failures and other events that could cause data corruption. OpenWrt is quite good in this respect and it is rare to have data loss due to these events largely because there are almost never any open files under normal circumstances. Having a feature that is writing to storage somewhat frequently could potentially cause issues in this context.

Obviously, recording this to an external/replaceable memory (spinning platter disk, USB stick/SD card - cheap and easy to replace if damaged, syslog server) mitigates all of the above concerns.

IMO, this is probably the easiest plan -- or just using the syslogs sent to an (r)syslog server with persistent storage. It's easy enough to scrape that data, or write a script that can reside on the router and send the data accordingly.

But... with all of that said, since this is a thing you want to do and you're probably not entirely alone... share the script or even make it an installable package and add it to the OpenWrt ecosystem!


Log in attempts from WAN is usually very uncommon/non existent if you haven’t opened up the firewall.

And you shouldn’t open the firewall!

The only time I have ever seen this live is when I used the registered port 1194 for OpenVPN. So don’t use that port or any other registered communication port, they are “radioaktive”.

The only meaningful way to connect to the router from outside (wan) is through a VPN tunnel setup.

SSH access with key-only login is also a decent option. I would still use another port, if available, though.

I use softflowd - but it requires a 2nd device to collect/display. Additionally...I usually wanna see if it wasn't me.

1 Like

lleachii / flygarn12
Stop. Rewind.
"someone attempted login from IP...was it you?"
...from social media platforms.
...for unsuccessful logins.

That is how I interpreted your needs. But that is also why I said this:

Rewind to where?

You first need to decide if you want to allow logins from the internet.
And if you do then you need to set up a meaningful system up to handle that. SSL if needed but VPN is even better.

Just open WAN ports 22, 80 and 443 to dropbear and uhttpd and hope for the best, well it will not end well. So logging doesn’t help you anyway.

And if the ports aren’t open by you to begin with and you get a login attempt from wan then OpenWrt has a very serious security bug to handle.

You can if you want instead run BanIP that will auto block a client trying to get in to the router.

But every login attempt is already logged in the system log and you can send those to rsyslog and from there send a email on specified cases.

1 Like

It's rarely me!

This is why it's recommended not opening direct access from WAN. I would assume it's bots and scanners locating the TCP port then attempting to logon by brute force.

I get login attempts regularly, this is why I use VPNs and key-only SSH.