
Skynet Is default firewall good enough?


Starlink does things a bit differently:


See Hacks section: https://hackaday.com/2021/05/24/starlink-a-review-and-some-hacks/






Do I get a public IP address with Starlink? Not at this time. Starlink uses Carrier Grade Network Address Translation (CGNAT). This is the same technology used by cellular carriers and commonly uses an IP in the 100.64.0.0/10 range.
Thanks for the clarification, I learned a new thing :D
 
I have a similar issue but have just been ignoring it. I have a private IP, would you recommend a static IP? My ISP does offer one...

 
I have a similar issue but have just been ignoring it. I have a dynamic IP, would you recommend a static IP? My ISP does offer one...

Do you have Starlink?
Was your router setup done elsewhere and then deployed at a different location? OR a full switch at your location from a regular ISP to Starlink?
Have you changed Modems when the IP started showing in RED?
Have you rebooted the Modem (router is off) then rebooted the Router after the Modem is UP?
 
My ISP (Toob) supplies a fibre box and a router. To use my own router I was advised to connect my Asus router directly to the fibre box. So.....

Internet>Fibre box>AsusRouter
Would you suggest? Internet>Fibre Box>ISP Router>Asus Router?
 
Thanks, but Starlink router is in bypass mode.

Your IP is a private IP so Skynet marks it red.

So Skynet isn't working with the IP address I get from Starlink? 100.xx.xx.xx

Skynet will still filter your outbound connections. As your IP is a private IP there is nothing to filter inbound.
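
Added example, not part of any post in this thread and not Skynet's own code: a shell check that tells whether a WAN address such as the 100.xx.xx.xx above falls in RFC 1918 space or in the 100.64.0.0/10 CGNAT range. The function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Skynet code): classify a router's WAN IPv4 address.
# Assumes the shell's $(( )) arithmetic is 64-bit, as in bash and dash on Linux.

# Print a dotted-quad address as a 32-bit integer; return 1 if malformed.
ip_to_int() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (digits and dots only, so no globbing)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR block $2, e.g. 100.64.0.0/10.
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print rfc1918, cgnat, other or invalid for address $1.
classify_wan() {
    ip_to_int "$1" >/dev/null || { echo invalid; return 0; }
    for block in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$block"; then echo rfc1918; return 0; fi
    done
    if in_cidr "$1" 100.64.0.0/10; then echo cgnat; return 0; fi
    echo other   # not RFC 1918 or RFC 6598 space, normally a public address
}

# Constructed sample addresses.
for ip in 100.72.14.9 192.168.100.1 198.51.100.23; do
    echo "$ip -> $(classify_wan "$ip")"
done
```

A result of rfc1918 or cgnat means the router sits behind another NAT, so unsolicited inbound traffic and port forwards stop at the upstream device.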
 
Hi Adam, what was in the new patch? I could not find any notes.
 
Is your Skynet situation with a Dynamic IP due to the Modem not being in Bridge Mode? (Fibre box and Router in one box or separate?)
 
They are separate boxes. The fibre box which connects directly to the outside cable cannot be configured.
 
Not sure why yours is having the issue.
Internet>Fibre box>AsusRouter should work.

I'm guessing that you don't get your own assigned number and it's pooled with others.
You should get a direct answer from your ISP, Toob.
 
My ISP offers static IP too. If there is no need for you to have remote connection (opvn server) or any sort of remote connections, I don't think static IP is worth it. I had a discussion about this with @Viktor Jaep before and he used static IP previously.
 
Sorry for straying off topic in this thread. After a bit of research I have found my ISP uses CG-NAT. I'll be calling them and asking for a static IP. I also wondered why I could no longer port forward.

With most of our devices still using IPv4, we can use something called CG-NAT, known as ‘Carrier Grade NAT’ or ‘Carrier Grade Network Address Translation’ to help us with staying on an IPv4 network as IPv6 adoption grows.
CG-NAT is used in IPv4 residential network designed to basically pool out and share public IP addresses among residential areas. CG-NAT future proofs IPv4’s and solves the IPv4 shortage to maintain the existing telecom infrastructure, simply by sharing out a public IPv4 address to a number of houses, rather than you having your own individual IPv4 address. Although CG-NAT doesn’t resolve the IPv4 address exhaustion, it is a necessary interim solution whilst the world transitions to IPv6. At toob, your IPv4 address is part of CG-NAT by default. If you take our 18 month product, you can buy a static IPv4 which isn’t part of CG-NAT, or it’s included for free as part of the business broadband if you want it.

 


From my ISP’s FAQ

 
Hi All,

Is there a method to create a filter.list that contains other lists inside it instead of a list of IPs?
I read many lists here and want to create a filter.list on my GitHub and put some of the other lists inside it.

So I only have to maintain one list.

I tried it but when I imported it I got a 403 error
 
How did you create your repo? It should be ok with .list format
 
Take a look at how I did it...


1.) create a "filter.list" file on github
2.) edit this text file, and add whichever lists you want to it... like:

Code:
https://feodotracker.abuse.ch/downloads/ipblocklist.txt
https://iplists.firehol.org/files/alienvault_reputation.ipset
https://iplists.firehol.org/files/bds_atif.ipset
https://iplists.firehol.org/files/bi_any_2_30d.ipset
https://iplists.firehol.org/files/blocklist_net_ua.ipset
https://iplists.firehol.org/files/coinbl_hosts_browser.ipset
https://iplists.firehol.org/files/cybercrime.ipset
https://iplists.firehol.org/files/dm_tor.ipset
https://iplists.firehol.org/files/dshield.netset
https://iplists.firehol.org/files/dyndns_ponmocup.ipset
https://iplists.firehol.org/files/et_block.netset
https://iplists.firehol.org/files/et_compromised.ipset
https://iplists.firehol.org/files/et_spamhaus.netset
https://iplists.firehol.org/files/et_tor.ipset
https://iplists.firehol.org/files/firehol_level1.netset
https://iplists.firehol.org/files/firehol_level2.netset
https://iplists.firehol.org/files/firehol_level3.netset
https://iplists.firehol.org/files/greensnow.ipset
https://iplists.firehol.org/files/ciarmy.ipset
https://iplists.firehol.org/files/iblocklist_ciarmy_malicious.netset
https://iplists.firehol.org/files/iblocklist_pedophiles.netset
https://iplists.firehol.org/files/malc0de.ipset
https://iplists.firehol.org/files/maxmind_proxy_fraud.ipset
https://iplists.firehol.org/files/normshield_high_attack.ipset
https://iplists.firehol.org/files/normshield_high_bruteforce.ipset
https://iplists.firehol.org/files/spamhaus_drop.netset
https://iplists.firehol.org/files/spamhaus_edrop.netset
https://iplists.firehol.org/files/urlvir.ipset
https://sigs.interserver.net/iprbl.txt
https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst
https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt
https://www.talosintelligence.com/documents/ip-blacklist
https://voipbl.org/update

3.) Save your list...
4.) When picking a custom URL list for skynet, refer to this list using the "raw url"... ie: https://raw.githubusercontent.com/ViktorJp/Skynet/main/filter.list

Hope that helps!
 


This is the list I created now and this is the error message of Skynet:

This Function Extracts All IPs And Adds Them ALL To Blacklist
Remote Custom List Detected: https://raw.githubusercontent.com/poudenes/skynet/main/filter.list
[*] 404 Error Detected - Stopping Import
 
Just in case, I'd remove all #'s and spaces... Second, it could just be that one of the lists links no longer works, and that's what's causing the 404? You can run your list through @SomeWhereOverTheRainBow and my Skynet filter validator to see what it's failing on?


Also... as a side-note, I'm pretty sure that skynet has an upper limit on the number of IPs that can be on the blocklist, and don't believe it can exceed 500,000. Just so you're aware.
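
Added example, not part of any post here and not Skynet's code or the validator mentioned above: a shell lint for a filter.list that applies the advice in this thread (one URL per line, no #'s or spaces) and, as a separate online step, prints each URL's HTTP status so a dead link shows up before an import. The function names and the sample list are constructed; `check_urls` assumes curl is installed.

```shell
#!/bin/sh
# Added example: lint a filter.list that holds one blocklist URL per line.

# Read the list from file $1 (or stdin); print one finding per problem line.
# Exit status is 1 if anything was flagged, 0 if the list is clean.
lint_filter_list() {
    awk '
        function flag(msg) { print NR ": " msg ": " $0; bad = 1 }
        /^[ \t\r]*$/             { next }                       # blank line
        /#/                      { flag("contains #"); next }
        /[ \t\r]/                { flag("contains whitespace"); next }
        $0 !~ "^https?://[^/]+"  { flag("not an http(s) URL"); next }
        seen[$0]++               { flag("duplicate") }
        END                      { exit bad + 0 }
    ' "${1:--}"
}

# Online step (needs curl and network access): print "<status> <url>" for
# every entry so that a list returning 404 or 403 stands out.
check_urls() {
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        code=$(curl -s -L -o /dev/null --max-time 15 -w '%{http_code}' "$url") \
            || code=000
        echo "$code $url"
    done < "$1"
}

# Constructed sample: URLs from the thread plus deliberately bad lines.
sample_list() {
    printf '%s\n' \
        'https://iplists.firehol.org/files/firehol_level1.netset' \
        '# my tor lists' \
        'https://iplists.firehol.org/files/et_tor.ipset ' \
        'iplists.firehol.org/files/dshield.netset' \
        'https://iplists.firehol.org/files/firehol_level1.netset' \
        'https://voipbl.org/update'
}

sample_list | lint_filter_list || true   # prints findings for lines 2 to 5
```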
 
