Page 1 of 1

changing IP address in NAT rule

Posted: Wed May 28, 2008 3:16 pm
by highdraw
Hi,

i need a script for changing an IP address in firewall-->NAT rule. I have DDNS script yet with an "ddnslastip" variable, and PPPoE on the WAN port (i have ADSL input) Can i use that variable to change the IP address in the firewall rule? In other words, the script seen also at the time (Mikrotik RouterOS v3.10):
:log info "DDNS: IP cím frissítésének kezdte" 

:global ddnsuser "USERNAME" 
:global ddnspass "PASSWORD" 
:global ddnshost "USERNAME.changeip.net" 
:global ddnsinterface "pppoe-out" 
:global ddnslastip

:global ddnsip [ /ip address get [/ip address find interface=$ddnsinterface] address ] 

:if ([ :typeof $ddnslastip ] = nil ) do={ :global ddnslastip 0.0.0.0/0 } 

:if ([ :typeof $ddnsip ] = nil ) do={ 

:log info ("DDNS: Nincs ip cím a " . $ddnsinterface . ", ellenőrizd!!!.") 

} else={ 

:if ($ddnsip != $ddnslastip) do={ 

:log info "DDNS: FRISSÍTÉS!!!" 
:log info [ /tool dns-update name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"] ] key-name=$ddnsuser key=$ddnspass ] 
:global ddnslastip $ddnsip 

} else={ 

:log info "DDNS: Nincs változás!" 

} 

} 

:log info "DDNS: Vége"
I need this script to complement with a line, that the dst-address in NAT rule enroll.

The NAT rule:
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=\
    "[color=#FF0000]i need IP address from ddnslastip variable here[/color]" dst-port=3600-3800 in-interface=pppoe-out protocol=tcp \
    to-addresses=192.168.1.199 to-ports=3600-3800
add action=dst-nat chain=dstnat comment="" disabled=yes dst-address=\
    "[color=#FF0000]i need IP address from ddnslastip variable here[/color]" dst-port=3600-3800 in-interface=pppoe-out protocol=udp \
    to-addresses=192.168.1.199 to-ports=3600-3800
Thanks for advance! And sorry for my bad english! :)

Re: changing IP address in NAT rule

Posted: Wed May 28, 2008 6:08 pm
by changeip
just leave off dst-address= all together. If the packet comes in the WAN port (whatever it's IP is) then it will work. THen you don't need to try to keep changing the filter everytime your WAN ip changes.

Sam

Re: changing IP address in NAT rule

Posted: Mon Jun 02, 2008 11:06 pm
by dssmiktik
Here's my script to retrieve IP address given via DHCP on internet side. It then adds that IP to an address list. Any reference to that list in ANY rule on router can stay as is, and only the list entry itself will change to reflect any new IP. Please critique and let me know what I can do better. Hope this helps!

Variables might not be named as should be... was in a hurry to write this.. Tested and works good. Handles any reboots or non-existant lists, etc..

-----------------------------------------------------------------


:local WAN-INTERFACE-NAME ether4
:local WAN-LIST-NAME list2


# Set variable to current WAN IP
:local DDNSCURWANIP [/ip dhcp-client get $WAN-INTERFACE-NAME address]

# modify the IP retrived to strip of trailing netmask value
:set tmpDDNSCURWANIP ""
:set LENGTH [:len $DDNSCURWANIP]
:set x 0
:while ($x >= 0) do={
:set tmpChar [:pick $DDNSCURWANIP $x]
:if ($tmpChar = "/") do={
:set x -1
}else={
:set tmpDDNSCURWANIP ($tmpDDNSCURWANIP . $tmpChar)
:set x ($x + 1)
}
}
# Check if we got back something. If not output error only
:if ([:len $tmpDDNSCURWANIP] = 0) do={
:log error "No IP returned. Cannot add IP to list Aborting"
}else={

:local DDNSCURWANIP $tmpDDNSCURWANIP

# Check for global variable is set If it's not, set to 0.0.0.0
# Unset local var (only global var should be checked)
:local DDNSWANIP
:if ([:len $DDNSWANIP] = 0) do={
:global DDNSWANIP 0.0.0.0
}

# Check if there's an entry in the address list. If not create one with old IP
:set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]
:if ([:len $CURITEM] = 0) do={
:if ($DDNSWANIP = 0.0.0.0) do={
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=yes
}else={
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSWANIP disabled=no
}
:log warning ($WAN-LIST-NAME . " list created")
}


# -- If WAN IP changes, here's where changes occur. --
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

# Check if past WAN IP matches current WAN IP. If they don't,
# do any other action necessary if WAN IP has changed
# then set past IP to current IP

:if ($DDNSCURWANIP != $DDNSWANIP) do={
:log warning ($WAN-INTERFACE-NAME . " IP changed from " . $DDNSWANIP . " to " . $DDNSCURWANIP)

:set NEWITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSCURWANIP]
:set CURITEM [/ip firewall address-list find list=$WAN-LIST-NAME address=$DDNSWANIP]

:if ([:len $NEWITEM] > 0) do={
:log warning ($WAN-LIST-NAME . " already contains " . $DDNSCURWANIP)
}

:if (([:len $CURITEM] = 1) && ([:len $NEWITEM] = 0)) do={
:log warning "Found old WAN IP in list"
/ip firewall address-list set $CURITEM address=$DDNSCURWANIP disabled=no
}

:if (([:len $CURITEM] = 0) && ([:len $NEWITEM] = 0)) do={
:log warning "Not found old WAN IP in list"
/ip firewall address-list add list=$WAN-LIST-NAME address=$DDNSCURWANIP disabled=no
}

:if (([:len $CURITEM] > 0) && ([:len $NEWITEM] > 0)) do={
:log warning ("Removing old entry " . $DDNSWANIP); /ip firewall address-list remove $CURITEM
}

:log warning ($WAN-LIST-NAME . " list updated")
:global DDNSWANIP $DDNSCURWANIP
}
}

# Unset all unneeded variables
:set CURITEM
:set NEWITEM
:set DDNSCURWANIP
:set LENGTH
:set tmpChar
:set tmpDDNSWANIP

Re: changing IP address in NAT rule

Posted: Wed Jun 04, 2008 1:35 pm
by aandcp
Here is a script I just put together that combines dynamic DNS lookups of a remote site VPN connection and updates both the firewall rules and the VPN connection details for the newly resolved address... if it has changed.

Maybe you can adapt it... or post again if you still need more help!
# Local variables
:local vpnintname "pptp-out1"
:local vpndnsname "host.name.com"
:local newvpnip [ :resolve $vpndnsname ]
:local curvpnip [ /interface pptp-client get $vpnintname connect-to ]
:local rulenum

:log info ("VPN DDNS script running for interface " . $vpnintname);
:log info ("DNS Name is: " . $vpndnsname);

:if ($curvpnip != $newvpnip) do={
   :log info ("VPN IP must be updated from " . $curvpnip . " to " . $newvpnip);
   :foreach rulenum in=[ /ip firewall filter find src-address=$curvpnip ] do={
      /ip firewall filter set $rulenum src-address=$newvpnip
   }
   /interface pptp-client set [ /interface pptp-client find name=$vpnintname ] connect-to=$newvpnip
} else={
   :log info "No update required."
}