Aegis Aegis (simple yet effective protection)

[jrbmw]

I will start from scratch uninstall and reinstall then wait for new release.
Thanks for your help @HELLO_wORLD

Report back then. Wonder if its something to do with express vpn Im using

Regards

 

[L&LD]

Wonder if its something to do with express vpn Im using

We have a winner (my guess).

 

[HELLO_wORLD]

Aegis has been running great for me...thank you HELLO_wORLD!

However, I too have had some recent struggles with upgrades - at least from the web ui. I had never used the web ui until 1.6.9 and found I like it! I used it to upgrade to 1.6.10 and could not get Aegis to start afterwards. I recall the debug log had an error message at the time. I ended up reinstalling Aegis from the router console and all went well. I have never had a problem downloading/installing via wget and didn't think more about it.

But today I upgraded from 1.6.10 to 1.6.12 via the web ui - and once again Aegis would not re-start (even though the upgrade/restart dialog showed success with no errors). The Aegis status on the web ui showed the shield was down, but I think Aegis-info showed everything running. Perhaps this is the intended behavior and a manual restart is required (even though I thought the update dialog includes restart?). Restarting from the router console did not seem to fix the problem. I was able to restart Aegis from the web ui and all is good now.

I apologize for not having better information - Aegis has been so dependable for me that I haven't been paying much attention and didn't think this may be a problem with Aegis (and perhaps it isn't). I will be more watchful the next time I have an opportunity to upgrade.

BL

Thank you.

Please, report in the future if you notice anything again.
I will have a look at the upgrade code when called from web, and if anyone else experienced any similar problem, please don’t hesitate to report.

 

[blueliner]

Thank you.

Please, report in the future if you notice anything again.
I will have a look at the upgrade code when called from web, and if anyone else experienced any similar problem, please don’t hesitate to report.

Will do - thank you!

 

[HELLO_wORLD]

Will do - thank you!

I think I found what caused that. I corrected it, but on the 1.7 branch only: raising shield from web UI after aegis being unset caused problems (trying to uprear the shield with no directives)

 

[jrbmw]

The latest update 1.7.05 did download .......hooray but still seems the same problem with ip tables

AEGIS​

by bolemo

version 1.7.0b5
external drive



STATUS COMMAND LOG TOOLS LISTS

Status @ 2021-02-25 17:52:05 (router time)​

• Problems found!
• Aegis shield is up for: WAN interface (ppp0) and VPN tunnel (tun21).
• Blocking a total of 619579319 IP addresses (global: 619579319, WAN only: 0, VPN only: 0).
• Bypassing 0 IP addresses (global: 0, WAN only: 0, VPN only: 0).
• Logging is disabled.

Problems​

• directives: there are no blocking directives!
• iptables: current aegis rules were modified since last uprear!

Setting status

• Script firewall-start.sh is set for aegis.
• Script post-mount.sh is set for aegis.

Directives generation times

• Sources cache list latest update: 2021-02-25 17:51:36
• Global block list: 2021-02-25 17:51:36

Uprear information

• Shield was upreared from: aegis script @ 2021-02-25 17:51:41
• ipset: global block list was loaded from file directives.
• iptables: rules were UNSUCCESSFULLY (re)set with: global block, VPN network bypass.
• log daemon: was already off.

Debug

• device info: R7800 R7800 V1.0.2.82.2SF
• aegis info: aegis 1.7.0b5-ext
• status codes: ck:2111|dna:66|dir:224689|ablc:619579319|awlc:0|wblc:0|wwlc:0|tblc:0|twlc:0|wifpp0|wnt:150.143.158.7|tif:tun21|tnt:10.101.0.14
• info file: tst:1614275501|nfo:12582931|dna:66|wifpp0|wnt:150.143.158.7|tif:tun21|tnt:10.101.0.14
• conf:
  • aegis.wan=net-iface
  • aegis.tun=net-iface
  • aegis.log=log
  • aegis.up=1
  • aegis_web.log=subsection
  • aegis_web.log.len='300'
  • aegis_web.log.basetime='1614237983'
  • aegis_web.log.pos='0'
• iptables engine rules:
  • -N aegis_vpn_dst
  • -N aegis_vpn_src
  • -N aegis_wan_dst
  • -N aegis_wan_src
  • -A INPUT -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A INPUT -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A FORWARD -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A FORWARD -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A OUTPUT -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A OUTPUT -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A aegis_vpn_dst -d 10.101.0.14/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_vpn_src -s 10.101.0.14/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_src -m comment --comment "aegis drop incoming" -j DROP
  • -A aegis_wan_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_wan_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_src -m comment --comment "aegis drop incoming" -j DROP
• ipset engine sets:
  • aegis_all_bl:
    • Name: aegis_all_bl
    • Type: hash:net
    • Revision: 7
    • Header: family inet hashsize 32768 maxelem 51083 bucketsize 12 initval 0x3fedae18
    • Size in memory: 1334864
    • References: 4
    • Number of entries: 51083

 

[HELLO_wORLD]

The latest update 1.7.05 did download .......hooray but still seems the same problem with ip tables

AEGIS​

by bolemo

version 1.7.0b5
external drive



STATUS COMMAND LOG TOOLS LISTS

Status @ 2021-02-25 17:52:05 (router time)​

• Problems found!
• Aegis shield is up for: WAN interface (ppp0) and VPN tunnel (tun21).
• Blocking a total of 619579319 IP addresses (global: 619579319, WAN only: 0, VPN only: 0).
• Bypassing 0 IP addresses (global: 0, WAN only: 0, VPN only: 0).
• Logging is disabled.

Problems​

• directives: there are no blocking directives!
• iptables: current aegis rules were modified since last uprear!

Setting status

• Script firewall-start.sh is set for aegis.
• Script post-mount.sh is set for aegis.

Directives generation times

• Sources cache list latest update: 2021-02-25 17:51:36
• Global block list: 2021-02-25 17:51:36

Uprear information

• Shield was upreared from: aegis script @ 2021-02-25 17:51:41
• ipset: global block list was loaded from file directives.
• iptables: rules were UNSUCCESSFULLY (re)set with: global block, VPN network bypass.
• log daemon: was already off.

Debug

• device info: R7800 R7800 V1.0.2.82.2SF
• aegis info: aegis 1.7.0b5-ext
• status codes: ck:2111|dna:66|dir:224689|ablc:619579319|awlc:0|wblc:0|wwlc:0|tblc:0|twlc:0|wifpp0|wnt:150.143.158.7|tif:tun21|tnt:10.101.0.14
• info file: tst:1614275501|nfo:12582931|dna:66|wifpp0|wnt:150.143.158.7|tif:tun21|tnt:10.101.0.14
• conf:
  • aegis.wan=net-iface
  • aegis.tun=net-iface
  • aegis.log=log
  • aegis.up=1
  • aegis_web.log=subsection
  • aegis_web.log.len='300'
  • aegis_web.log.basetime='1614237983'
  • aegis_web.log.pos='0'
• iptables engine rules:
  • -N aegis_vpn_dst
  • -N aegis_vpn_src
  • -N aegis_wan_dst
  • -N aegis_wan_src
  • -A INPUT -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A INPUT -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A FORWARD -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A FORWARD -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A OUTPUT -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A OUTPUT -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A aegis_vpn_dst -d 10.101.0.14/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_vpn_src -s 10.101.0.14/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_src -m comment --comment "aegis drop incoming" -j DROP
  • -A aegis_wan_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_wan_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_src -m comment --comment "aegis drop incoming" -j DROP
• ipset engine sets:
  • aegis_all_bl:
    • Name: aegis_all_bl
    • Type: hash:net
    • Revision: 7
    • Header: family inet hashsize 32768 maxelem 51083 bucketsize 12 initval 0x3fedae18
    • Size in memory: 1334864
    • References: 4
    • Number of entries: 51083

Ok, good that the download worked.

Now, I will need to dig to understand why the status is incorrect for you.
I will need to simulate VPN here to reproduce your environment.

Good news is that even if the status reports (wrongly here) problems, the advanced and debug status shows that aegis is working properly.

 

[HELLO_wORLD]

@jrbmw : I think I found the problem. /32 subnets are saved without CIDR extension in variable, and compared to a string with the extension, so it thinks IPs are different when they are not.
Other minor problem is wrong reporting of directives missing.

Will release a beta6 that should fix it, but probably tomorrow.

 

[jrbmw]

Ok...and Thanks

 

[HELLO_wORLD]

Ok...and Thanks

I sent you a PM with a version you can try to see if I solved it for you.

 

[jrbmw]

Unfortunately it wont upgrade again using either commands you sent me.

 

[jrbmw]

Finally got it to update and it looks like youve cracked it @HELLO_wORLD .
Thanks for your hard work and help.
I do like the new Gui.

Best Regards

AEGIS​

by bolemo

version 1.7.0b6
external drive



STATUS COMMAND LOG TOOLS LISTS

Status @ 2021-02-26 06:04:53 (router time)​

• Aegis shield is up for: WAN interface (ppp0) and VPN tunnel (tun21).
• Blocking a total of 619579319 IP addresses (global: 619579319, WAN only: 0, VPN only: 0).
• Bypassing 0 IP addresses (global: 0, WAN only: 0, VPN only: 0).
• Logging is enabled.

Setting status

• Script firewall-start.sh is set for aegis.
• Script post-mount.sh is set for aegis.

Directives generation times

• Sources cache list latest update: 2021-02-26 06:03:59
• Global block list: 2021-02-26 06:03:59

Uprear information

• Shield was upreared from: firewall-start.sh @ 2021-02-26 06:04:44
• ipset: latest global block list was already loaded and conform with directives.
• iptables: rules were (re)set with: global block, VPN network bypass.
• log daemon: was already off.

Debug

• device info: R7800 R7800 V1.0.2.82.2SF
• aegis info: aegis 1.7.0b6-ext
• status codes: ck:32831|dna:66|dir:224689|ablc:619579319|awlc:0|wblc:0|wwlc:0|tblc:0|twlc:0|wifpp0|wnt:150.143.158.7/32|tif:tun21|tnt:10.105.0.26/32
• info file: tst:1614319484|nfo:14680069|dna:66|wifpp0|wnt:150.143.158.7/32|tif:tun21|tnt:10.105.0.26/32
• conf:
  • aegis.wan=net-iface
  • aegis.tun=net-iface
  • aegis.log=log
  • aegis.up=1
  • aegis_web.log=subsection
  • aegis_web.log.len='300'
  • aegis_web.log.basetime='1614237983'
  • aegis_web.log.pos='0'
• iptables engine rules:
  • -N aegis_vpn_dst
  • -N aegis_vpn_src
  • -N aegis_wan_dst
  • -N aegis_wan_src
  • -A INPUT -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A INPUT -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -i ppp0 -m comment --comment "jump to aegis WAN src chain" -j aegis_wan_src
  • -A FORWARD -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A FORWARD -i tun21 -m comment --comment "jump to aegis VPN src chain" -j aegis_vpn_src
  • -A FORWARD -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A OUTPUT -o ppp0 -m comment --comment "jump to aegis WAN dst chain" -j aegis_wan_dst
  • -A OUTPUT -o tun21 -m comment --comment "jump to aegis VPN dst chain" -j aegis_vpn_dst
  • -A aegis_vpn_dst -d 10.105.0.26/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_vpn_src -s 10.105.0.26/32 -m comment --comment "aegis inet bypass" -j RETURN
  • -A aegis_vpn_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_vpn_src -m comment --comment "aegis drop incoming" -j DROP
  • -A aegis_wan_dst -m set ! --match-set aegis_all_bl dst -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_dst -m comment --comment "aegis reject outgoing" -j REJECT --reject-with icmp-admin-prohibited
  • -A aegis_wan_src -m set ! --match-set aegis_all_bl src -m comment --comment "not in aegis blocklists" -j RETURN
  • -A aegis_wan_src -m comment --comment "aegis drop incoming" -j DROP
• ipset engine sets:
  • aegis_all_bl:
    • Name: aegis_all_bl
    • Type: hash:net
    • Revision: 7
    • Header: family inet hashsize 32768 maxelem 51083 bucketsize 12 initval 0x6dfa720c
    • Size in memory: 1334264
    • References: 4
    • Number of entries: 51083

 

[mith_y2k]

Hi @HELLO_wORLD I haven't been following for a week or two. Yesterday I upgraded from .10 to .12 via the Web companion. Something went wrong during the upgrade, it took a long time and from the Web companion it was hard to track what was happening behind. For unrelated reasons I also had to restart my router so aegis has been down for a day or so. Today I connected via SSH and tried a manual upgrade which completed successfully, but now I cannot start aegis anymore. Two things that might be helpful to you.

Web Companion​

• Something is not right!

Errors

• iptables: shield chains are not right!

Warnings

• directives: ipset blocklist is different than file.
• directives: no ipset whitelist is set but file exists.

Debug messages​

1614550384 aegis: aegis 1.6.12 launched [/usr/bin/aegis up -vvv] [RBR50 RBR50 V9.2.5.2.8SF-HW]
   - aegis.wan=net-iface
   - aegis.tun=net-iface
   - aegis.log=log
   - aegis.log.len='5000'
   - aegis.log.enabled='1'
   - aegis.up=1
   - aegis.debug=/mnt/sda1/aegis.debug
1614550384 aegis: main routing with args:  up -vvv
1614550384 aegis: sc_init
1614550384 aegis: check_path
1614550384 aegis: check_conf
1614550384 aegis: shield_up
1614550385 aegis: shield_init
1614550385 aegis: check_conf
1614550385 aegis: check_firewall_start
1614550385 aegis: check_postmount
1614550385 aegis: |---> shield_uprear 3
1614550385 aegis: _cipset_init (dir: /tmp/aegis_ESJAjB)
1614550385 aegis: _cipset_copy_set aegis_bl
1614550385 aegis: _cipset_diff_set_file aegis_bl /opt/bolemo/etc/aegis.bl.directives
1614550385 aegis: _cipset_swap_set_file aegis_bl /opt/bolemo/etc/aegis.bl.directives
1614550401 aegis: _cipset_trap
1614550401 aegis: _cipset_end

My aegis.source is simply:

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset

And my aegis.whitelist is:
192.168.0.0/24
23.227.38.65
156.96.151.131

Any ideas?

 

[HELLO_wORLD]

Hi @HELLO_wORLD I haven't been following for a week or two. Yesterday I upgraded from .10 to .12 via the Web companion. Something went wrong during the upgrade, it took a long time and from the Web companion it was hard to track what was happening behind. For unrelated reasons I also had to restart my router so aegis has been down for a day or so. Today I connected via SSH and tried a manual upgrade which completed successfully, but now I cannot start aegis anymore. Two things that might be helpful to you.

Web Companion​

• Something is not right!

Errors

• iptables: shield chains are not right!

Warnings

• directives: ipset blocklist is different than file.
• directives: no ipset whitelist is set but file exists.

Debug messages​

1614550384 aegis: aegis 1.6.12 launched [/usr/bin/aegis up -vvv] [RBR50 RBR50 V9.2.5.2.8SF-HW]
   - aegis.wan=net-iface
   - aegis.tun=net-iface
   - aegis.log=log
   - aegis.log.len='5000'
   - aegis.log.enabled='1'
   - aegis.up=1
   - aegis.debug=/mnt/sda1/aegis.debug
1614550384 aegis: main routing with args:  up -vvv
1614550384 aegis: sc_init
1614550384 aegis: check_path
1614550384 aegis: check_conf
1614550384 aegis: shield_up
1614550385 aegis: shield_init
1614550385 aegis: check_conf
1614550385 aegis: check_firewall_start
1614550385 aegis: check_postmount
1614550385 aegis: |---> shield_uprear 3
1614550385 aegis: _cipset_init (dir: /tmp/aegis_ESJAjB)
1614550385 aegis: _cipset_copy_set aegis_bl
1614550385 aegis: _cipset_diff_set_file aegis_bl /opt/bolemo/etc/aegis.bl.directives
1614550385 aegis: _cipset_swap_set_file aegis_bl /opt/bolemo/etc/aegis.bl.directives
1614550401 aegis: _cipset_trap
1614550401 aegis: _cipset_end

My aegis.source is simply:

https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset

And my aegis.whitelist is:
192.168.0.0/24
23.227.38.65
156.96.151.131

Any ideas?

Hi,

I will release 1.7.0 today.
1.7 is a major upgrade from 1.6.
The upgrade procedure by itself should resolve your issue.

If it continues, please report in the new thread.

 

[HELLO_wORLD]

1.7.0 and up (continuation of this thread): https://www.snbforums.com/threads/aegis-1-7-0-and-up.70761/

 

[kamoj]

My PC (eth) as well as my android tv box (wifi) both lose intenet.

Just checked Logs from Netgear and amongst all other entries, I see the below:

[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 19:07:35
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 18:14:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 17:20:54
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 16:27:34
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 15:34:14
[Internet connected] IP address: my-public-ip, Sunday, February 21, 2021 14:40:54

Which means every 53 mins and 20 secs my Internet gets disconnected and reconnected? Any thoughts? I even get them with Aegis + Adguard disabled. Could this be ISP related? I have the ISP modem/router bridged with my R7800. Additional info: Everytime i restart the router Internet led stays red and i have to unplug and plug back in the WAN cable on my R7800.

From kamoj addon release_note 2021-12-31 5.5b13:
" (Both R7800 and R9000 write logs to /var/log/messages, like this once every 2:37:30 (Once every 9450 second):
[Internet connected] IP address: xxx.xxx.xxx.xxx, Tuesday, December 28, 2021 19:13:04
There is no corresponding [Internet disconnected], and connection has never been down.
Does anyone know what is the cause of these logs? @Voxel @HELLO_wORLD @R. Gerrits ? )"

The log comes from net-wan.

I made a short script to be used for the interested:

awk '/Internet connected/ {print $0" "substr($NF,1,2)*3600+substr($NF,4,2)*60+substr($NF,7,2)}' </var/log/messages | while IFS= read -r S; do
current="$(echo "$S"|awk '{print $NF}')"
[ -n "$prev" ] && delta="$(echo "$prev $current"|awk '{print ($NF-$1)}')"
prev="$current"
echo "$S delta=$delta" | sed -r 's/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/xxx.xxx.xxx.xxx/g'
done

[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 02:50:08 10208 delta=
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 05:27:38 19658 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 08:05:09 29109 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 10:42:39 38559 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 13:20:10 48010 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 15:57:40 57460 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 18:35:11 66911 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 21:12:41 76361 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 23:50:10 85810 delta=9449

 

[HELLO_wORLD]

From kamoj addon release_note 2021-12-31 5.5b13:
" (Both R7800 and R9000 write logs to /var/log/messages, like this once every 2:37:30 (Once every 9450 second):
[Internet connected] IP address: xxx.xxx.xxx.xxx, Tuesday, December 28, 2021 19:13:04
There is no corresponding [Internet disconnected], and connection has never been down.
Does anyone know what is the cause of these logs? @Voxel @HELLO_wORLD @R. Gerrits ? )"

The log comes from net-wan.

I made a short script to be used for the interested:

awk '/Internet connected/ {print $0" "substr($NF,1,2)*3600+substr($NF,4,2)*60+substr($NF,7,2)}' </var/log/messages | while IFS= read -r S; do
current="$(echo "$S"|awk '{print $NF}')"
[ -n "$prev" ] && delta="$(echo "$prev $current"|awk '{print ($NF-$1)}')"
prev="$current"
echo "$S delta=$delta" | sed -r 's/(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/xxx.xxx.xxx.xxx/g'
done

[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 02:50:08 10208 delta=
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 05:27:38 19658 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 08:05:09 29109 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 10:42:39 38559 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 13:20:10 48010 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 15:57:40 57460 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 18:35:11 66911 delta=9451
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 21:12:41 76361 delta=9450
[Internet connected] IP address: xxx.xxx.xxx.xxx, Thursday, June 08, 2023 23:50:10 85810 delta=9449

Interesting…
Could be a micro cut, so short that you don't notice is usage.
Now why is this happening so regularly…?
The script generating this log is in /etc/init.d/net-wan, so something might be calling net-wan restart every 9450 seconds?

setup_interface_static_ip()
{
    local mtu=$($CONFIG get wan_dhcp_mtu)
    ifconfig $WAN_IF mtu ${mtu:-1500}
    ifconfig $WAN_IF $($CONFIG get wan_ipaddr) netmask $($CONFIG get wan_netmask)
    if ! same_subnet $($CONFIG get wan_ipaddr) $($CONFIG get wan_gateway) $($CONFIG get wan_netmask); then
        route add -net $($CONFIG get wan_gateway) netmask 255.255.255.255 dev $WAN_IF
    fi
    route add default gw $($CONFIG get wan_gateway)
   
    $FIREWALL restart
   
    # static route & ripd
    /sbin/cmdroute stop
    /usr/bin/killall -SIGINT ripd
    /sbin/cmdroute start
    /usr/sbin/ripd
    /sbin/cmdigmp stop
    /sbin/cmdigmp start
   
    /sbin/ledcontrol -n wan -c green -s on
    # if IP address re-assigned, we will check qos bandwidth.
    local qos_enable=`$CONFIG get qos_endis_on`
    local qos_bandwidth_enable=`$CONFIG get qos_threshold`
    local qos_bandwidth_type=`$CONFIG get qos_bandwidth_type`
    if [ "x$qos_enable" = "x1" -a "x$qos_bandwidth_enable" = "x1" ]; then
        if [ "x$qos_bandwidth_type" = "x1" ]; then
            /etc/bandcheck/band-check &
        fi
    fi
   
    # log for static mode when wan gets ip.
    local wan_log="[Internet connected] IP address: "$($CONFIG get wan_ipaddr)","
    /usr/bin/logger "$wan_log"
}

 

[kamoj]

Interesting…
Could be a micro cut, so short that you don't notice is usage.
Now why is this happening so regularly…?
The script generating this log is in /etc/init.d/net-wan, so something might be calling net-wan restart every 9450 seconds?

setup_interface_static_ip()
{
    local mtu=$($CONFIG get wan_dhcp_mtu)
    ifconfig $WAN_IF mtu ${mtu:-1500}
    ifconfig $WAN_IF $($CONFIG get wan_ipaddr) netmask $($CONFIG get wan_netmask)
    if ! same_subnet $($CONFIG get wan_ipaddr) $($CONFIG get wan_gateway) $($CONFIG get wan_netmask); then
        route add -net $($CONFIG get wan_gateway) netmask 255.255.255.255 dev $WAN_IF
    fi
    route add default gw $($CONFIG get wan_gateway)
  
    $FIREWALL restart
  
    # static route & ripd
    /sbin/cmdroute stop
    /usr/bin/killall -SIGINT ripd
    /sbin/cmdroute start
    /usr/sbin/ripd
    /sbin/cmdigmp stop
    /sbin/cmdigmp start
  
    /sbin/ledcontrol -n wan -c green -s on
    # if IP address re-assigned, we will check qos bandwidth.
    local qos_enable=`$CONFIG get qos_endis_on`
    local qos_bandwidth_enable=`$CONFIG get qos_threshold`
    local qos_bandwidth_type=`$CONFIG get qos_bandwidth_type`
    if [ "x$qos_enable" = "x1" -a "x$qos_bandwidth_enable" = "x1" ]; then
        if [ "x$qos_bandwidth_type" = "x1" ]; then
            /etc/bandcheck/band-check &
        fi
    fi
  
    # log for static mode when wan gets ip.
    local wan_log="[Internet connected] IP address: "$($CONFIG get wan_ipaddr)","
    /usr/bin/logger "$wan_log"
}

OK, I'll make a stack dump next time net-wan is called, to see what's going on.

 

[HELLO_wORLD]

OK, I'll make a stack dump next time net-wan is called, to see what's going on.

Please, keep us updated on your findings. This made me curious.
FYI, I don't have this behavior in my logs, but my R7800 is in AP mode…

 

[kamoj]

The trap in net-wan didn't trig...
So now I suspect udhcpc. It's loaded at boot and not easy to debug.
I'll keep debugging going on, and post here if I make any progress.
(Also pppd may get involved, but not in my system).

FYI:
For next addon release:
Just added auto-loading of aegis "private" lists from USB device at start of aegis.
Viva Aegis!!!
Thank you @HELLO_wORLD, for your fantastic aegis!