Skynet - Asus Firewall Addition (Dynamic Malware/Country/Manual IP Blocking)

Discussion in 'Asuswrt-Merlin' started by Adamm, Apr 16, 2014.

  1. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Give the latest version a crack, let me know if it makes any difference. You will need to re-run the installer to get the implemented changes. Will continue working on a better solution this week.
     
    Butterfly Bones likes this.
  2. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Up and running, so far so good! Will be reporting any possible issues. Thanks again for your efforts.
     
    Butterfly Bones likes this.
  3. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,220
    Location:
    Canada
    I think I remember there is an nvram setting that contains an OpenVPN client's local IP, can't remember it off hand tho. Check the code in the ajax_openvpn_something.asp file (can't check at the moment).
     
  4. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779

    Yeah I found most of the relevant values, I think the issue in the case above was that the IP changed and because I'm only updating it on the firewall restart event I didn't catch it. I white-list the following;

    Code:
            ipset -q -A Whitelist "$(nvram get vpn_server1_sn)"/24 comment "nvram: vpn_server1_sn"
            ipset -q -A Whitelist "$(nvram get vpn_server2_sn)"/24 comment "nvram: vpn_server2_sn"
            ipset -q -A Whitelist "$(nvram get vpn_server_sn)"/24 comment "nvram: vpn_server_sn"
            ipset -q -A Whitelist "$(nvram get vpn_client1_addr)"/24 comment "nvram: vpn_client1_addr"
            ipset -q -A Whitelist "$(nvram get vpn_client2_addr)"/24 comment "nvram: vpn_client2_addr"
            ipset -q -A Whitelist "$(nvram get vpn_client3_addr)"/24 comment "nvram: vpn_client3_addr"
            ipset -q -A Whitelist "$(nvram get vpn_client4_addr)"/24 comment "nvram: vpn_client4_addr"
            ipset -q -A Whitelist "$(nvram get vpn_client5_addr)"/24 comment "nvram: vpn_client5_addr"
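
The whitelisting step from the post above, as an added example that is not part of the original thread or Skynet's own code: it validates each value before emitting an `ipset restore` line, since `-q` hides ipset's errors when a key is unset or malformed. The helper names and sample values are constructed for illustration; on the router each value would come from `nvram get`.

```shell
#!/bin/sh
# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$1.; count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Read "nvram_key value" lines on stdin; print one restore line per valid value.
# The /24 mirrors the mask used in the post; rejected keys are reported on stderr.
whitelist_restore_lines() {
    while read -r key value; do
        [ -n "$key" ] || continue
        if is_ipv4 "$value"; then
            printf 'add Whitelist %s/24 comment "nvram: %s"\n' "$value" "$key"
        else
            printf 'skip %s: not an IPv4 address (%s)\n' "$key" "${value:-empty}" >&2
        fi
    done
}

# Constructed sample values standing in for `nvram get <key>` output.
sample_values() {
    cat <<'EOF'
vpn_server1_sn 10.8.0.0
vpn_server2_sn
vpn_client1_addr 10.24.10.6
vpn_client2_addr 300.1.1.1
vpn_client3_addr 10.8.0.0/8
EOF
}

# On the router this output would be piped to `ipset restore -!`; here it is printed.
sample_values | whitelist_restore_lines
```

Logging the skipped keys makes an unset or changed VPN address visible instead of silently leaving the whitelist stale.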
     
  5. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,706
    Location:
    United States
    I may be mistaken, but IIRC you only called that ajax asp when visiting the VPN Status page. It may need to be moved if it's going to be generally available.
     
  6. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,220
    Location:
    Canada
    It's also used on the OpenVPN Client page to determine the connection status (and now I also report both remote and public tunnel IPs on that page).

    It only polls nvram values tho, I'm not sure I understand what you mean by moving it.
     
  7. john9527

    john9527 Part of the Furniture

    Joined:
    Mar 28, 2014
    Messages:
    4,706
    Location:
    United States
    Working from memory, so may be wrong...but I remember thinking the nvram wouldn't be set unless you actually opened the status page where you report the IPs.
     
  8. RMerlin

    RMerlin Part of the Furniture

    Joined:
    Apr 14, 2012
    Messages:
    24,220
    Location:
    Canada
    Nah, ajax pages only do a bunch of nvram_get() calls to refresh the local JS variables, they don't affect stored values.
     
  9. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Still no problem here!
     
    Butterfly Bones and Adamm like this.
  10. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    After every restart it connects after me choosing disconnect and reconnect the vpn.


    I must say that I am not using the OpenVPN client from Merlin's firmware as you may think. I am using the PIA app on my iMac (High Sierra).
     
  11. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Well that makes a lot more sense, Skynet has no way to get this information. The two choices you have here are;

    1. Whitelist the IP Ranges you commonly connect to if you are having frequent issues of VPN servers getting blocked.
    2. Disable autobanning in Skynet
     
  12. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    How come this last update made it a lot better then??? I am just asking, don't mean to be rude!
     
  13. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    I would say partially a placebo effect. Also I personally don't have any issues using my VPN provider's Windows client so it may have just been a one-off blocking incident.
     
  14. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Ok, thanks for your help anyways. Keep the good work going.
     
  15. Jan Adelsson

    Jan Adelsson Occasional Visitor

    Joined:
    Oct 8, 2017
    Messages:
    10
    Is it possible to exclude a client from the firewall?
     
  16. Butterfly Bones

    Butterfly Bones Occasional Visitor

    Joined:
    Apr 10, 2017
    Messages:
    38
    I got a VPN failure after a TLS handshake timeout, that I get once a week or so, and then a complete VPN restart with a new server. All went well, with this in the log. This seems to show that the Skynet whitelist VPN IP is working. Running
    sh /jffs/scripts/firewall whitelist list
    shows it updated. :cool:

    Code:
    Oct 13 22:33:03 openvpn-routing: Configuring policy rules for client 1
    Oct 13 22:33:04 openvpn-routing: Tunnel re-established, restoring WAN access to clients
    Oct 13 22:33:04 custom_script: Running /jffs/scripts/openvpn-event (args: tun11 1500 1558 xxx.21.56.235 )
    Oct 13 22:33:04 Samba_Server: daemon is started
    Oct 13 22:33:05 Skynet: [INFO] Updating VPN Whitelist...
    Oct 13 22:33:05 openvpn[1555]: Initialization Sequence Completed
     
  17. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Possible? Probably. But not in its current state. I'll keep it in mind for the future as it would require some significant design changes.

    Great to hear.
     
  18. SeaConn

    SeaConn Occasional Visitor

    Joined:
    Jul 21, 2017
    Messages:
    19
    Location:
    Seattle
    I know it's probably low on the priority list for 382.1, but I was just curious as to the nature of the situation with IPSec and Skynet on the RT-AC86U and the following installation error? Forgive my ignorance... just curious. No need to respond if it requires a lengthy time-consuming response, either. I'm happy to wait :)

    Skynet: [ERROR] IPSet Extensions Not Enabled - Please Update To 380.68 / V26E3 Or Newer Firmware
     
  19. Adamm

    Adamm Very Senior Member

    Joined:
    Mar 26, 2013
    Messages:
    779
    Trying very hard on my end to get in contact with Asus's marketing department about device availability, but unfortunately I can't find a reliable contact channel they actually respond to.

    Beyond that there is another issue with the actual IPSet implementation from my understanding, that will be up to @john9527 and @RMerlin to eventually fix, but as this firmware is still in a very early Beta and they have a lot on their plate all we can do is patiently wait.
     
    SeaConn likes this.
  20. heysoundude

    heysoundude Regular Contributor

    Joined:
    Sep 20, 2016
    Messages:
    90
    @Adamm would you please help me?
    RT-n66u with AsusMerlin v380.68_4 and ab-solution 3.9.1 with pixelserv-tls v3.9.2
    I ran the script at the top of this thread. I ran the script to update, and currently have Skynet v5.(whatever came out yesterday, 2017-10-15).

    SkyNet seems to run, but I get an error that tells me that my version of IPSet isn't supported. My linux-fu isn't strong, yet I've scrolled through 15 or so pages of this thread and people say they have or have had this running on the n66u. What am I missing? What must I do?
     
