New Skynet User Question

[armsAC3100]

I have installed Skynet on my AC-3100 router running Merlin Firmware Version:384.17. I recently added an old Asus RT-N56U running Asus Firmware Version:3.0.0.4.380_7378 to my network as an access point in order to get better WiFi coverage to backyard security devices.

This morning Skynet reported blocked outbound request to 158.69.35.227 (a known "bad guy") showing the RT-N56U IP address as the origin. Firmware on the N56U was freshly installed and full reset to Factory Defaults.

The only setup changes to the N56U were to change router name / password and SSID / Password for both 2.4 and 5.0 Ghz wireless. The N56U IP address is a reserved IP provided by the AC-3100 via DHCP.

The connection to the AC-3100 is via Ethernet through a 5 port TP-Link Gigabit Ethernet switch.
I have two devices that have been connected via WiFi to the Access Point. A Galaxy S9 phone and a Windows 10 PC. Both devices are running latest versions of firmware / software and there are no entries in the Skynet Log for either device.

Any thoughts for a Skynet Newbie?

Al

 

[ColinTaylor]

That address appears to be a TOR exit node. Do you have anything related to TOR on your network?

 

[armsAC3100]

That address appears to be a TOR exit node. Do you have anything related to TOR on your network?

No, Never have. My Router is virgin Asus code and my Other machines have never had anything TOR related installed in my network.

What puzzles me is that the IP address that was blocked for outbound traffic is the Asus Access Point.

 

[ColinTaylor]

Looks like the same address was previously reported in the Skynet thread:

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-298#post-547003

Dave seemed to think it was an NTP server address.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-299#post-547018
https://otx.alienvault.com/indicator/ip/158.69.35.227

Maybe try changing the NTP server on the N56U.

 

[armsAC3100]

NTP Server is currently set to "pool.ntp.org" . I did change it to one of the nist.gov servers. Will wait and see. I rebooted the N56 and time is working with that config. The N56 logged three updates in the system log vs one with the original NTP server, but somethings are not worth trying to understand! Have a great day and don't forget the flowers candy's for you favorite on Sunday. I have not heard the media predicting shortage

Thanks for the suggestion.

Looks like the same address was previously reported in the Skynet thread:

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-298#post-547003

Dave seemed to think it was an NTP server address.

https://www.snbforums.com/threads/r...urity-enhancements.16798/page-299#post-547018
https://otx.alienvault.com/indicator/ip/C
Maybe try changing the NTP server on the N56U.

I have changed the NTP server from pool.ntp.org to one of the nist.gov servers. Re booted system and will wait and see what happens. Only difference in system log was it accessed NTP server three times in boot process. Not sure why, but, some mysteries are not worth solving!!!

Thanks for your help, Al

 

[pirx73]

pool.ntp.org is generic address, sort of "DNS for NTP" - your NTP client queries it, then pool.ntp.org tries to determine where are your client is located and offers specific NTP server addresses closer to you.
If you want to narrow pool of addresses use your_continent, your_country.pool.ntp.org - you can check https://www.pool.ntp.org/ and see which are closer to you. You can also specify exact server addresses and NTP
client in router will use them exclusively.