Skynet - Router Firewall & Security Enhancements

Hi Adam - Is there any way to know why a specific website was blocked, whether by country, and if yes, what country, or malware, or for some other reason? I was trying to get to www.springsparade.com but it would not go to that site. But when I whitelisted it, it was fine. I am currently blocking a bunch of countries and the normal malware list.

That website is not currently on any of the default blacklists;

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# nslookup www.springsparade.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      www.springsparade.com
Address 1: 35.244.67.249 249.67.244.35.bc.googleusercontent.com



skynet@RT-AX88U-DC28:/tmp/home/root# firewall stats search ip 35.244.67.249
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Debug Data Detected in /tmp/mnt/USB/skynet/skynet.log - 3.3M
[i] Monitoring From Aug 14 05:05:12 To Aug 17 01:14:24
[i] 14471 Block Events Detected
[i] 2064 Unique IPs
[i] 0 Manual Bans Issued

35.244.67.249 is NOT in set Skynet-Whitelist.
35.244.67.249 is NOT in set Skynet-Blacklist.
35.244.67.249 is NOT in set Skynet-BlockedRanges.


Associated Domain(s);
balancer.wixdns.net


[i] IP Location - United States (Google LLC / AS15169)

Also as a future enhancement to your whitelisting procedures, it would save me a step if I could enter a website like the one above, and you would figure out its IP address and add it to the whitelist.

The logs will display this information and specifically show the associated domains with IPs. Not only this, but there is also a whitelist command (and menu option) for domains which will translate them to an IP.
 
Yesterday when I pinged www.springsparade.com from a cmd box in Win10, I initially found that it resolved to balancer.windns.net with a 185.230.60.211 IP address. So I whitelisted that address, and I was able to get to the website. Today when I tried to go to that website, it timed out, so I pinged it again and found it now had a different IP address. So then I did a whois on that website, and after continuing to search a bit, I eventually found that balancer.windns.net is an Israeli company with a bunch of host names that it manages on 4 IP ranges. Israel is one of the countries that I blacklisted, so I now understand why I could not get to it. The logs did not really help me. None of the entries matched that new IP address that ping showed me. I'm not really interested in opening up my system to all IPs in those 4 ranges, so for now, I will deal with these queries as they come up since this was the 1st time since starting Skynet that I had this problem.

Also I tried to use the Whitelist Domain item in the Skynet menus. When I added balancer.windns.net, it said it added it to the whitelist, but when I went to display the manually added whitelisted items, it was not there. When I went to delete a whitelist item with the word windns in it, it did not display any found items, but it said it updated the list anyway, so I'm not sure what it really did.
 
I tried everything you listed and Skynet is working as expected, I can't replicate this behavior.

Code:
skynet@RT-AX88U-DC28:/tmp/home/root# firewall whitelist domain balancer.windns.net
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Adding balancer.windns.net To Whitelist
[i] Whitelisting 39.79.45.12
[i] Saving Changes


=============================================================================================================


[#] 151236 IPs (+0) -- 1686 Ranges Banned (+0) || 923 Inbound -- 0 Outbound Connections Blocked! [whitelist] [4s]


Code:
skynet@RT-AX88U-DC28:/tmp/home/root# firewall whitelist list domains
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


39.79.45.12 comment "ManualWlistD: balancer.windns.net"

[i] Saving Changes


=============================================================================================================


[#] 151236 IPs (+0) -- 1686 Ranges Banned (+0) || 923 Inbound -- 0 Outbound Connections Blocked! [whitelist] [4s]


Code:
skynet@RT-AX88U-DC28:/tmp/home/root# firewall whitelist remove comment windns
#############################################################################################################
#                     _____ _                     _             __                      #
#                    / ____| |                   | |           / /                      #
#                   | (___ | | ___   _ _ __   ___| |_  __   __/ /_                      #
#                    \___ \| |/ / | | | '_ \ / _ \ __| \ \ / / '_ \                     #
#                    ____) |   <| |_| | | | |  __/ |_   \ V /| (_) |                    #
#                   |_____/|_|\_\\__, |_| |_|\___|\__|   \_/  \___/                     #
#                                 __/ |                                                 #
#                                |___/                                                  #
#                                                                                     #
## - 11/08/2019 -           Asus Firewall Addition By Adamm v6.8.6                    #
##                   https://github.com/Adamm00/IPSet_ASUS                            #
#############################################################################################################


=============================================================================================================


[i] Removing All Entries With Comment Matching "windns" From Whitelist
[i] Saving Changes


=============================================================================================================


[#] 151236 IPs (+0) -- 1686 Ranges Banned (+0) || 924 Inbound -- 0 Outbound Connections Blocked! [whitelist] [4s]
 
Hi,
I am trying to ban Roblox (online game) on the network. I tried to add roblox.com to the ban list.
However, it does not block the iOS game. When I open the app, initially it seems like it is working, then it refreshes and everything comes back online.
So, I am guessing, they use different servers.

Is there any way to block the iOS app (Roblox) on the network?

I found the IP range for Roblox (https://ipinfo.io/AS22697). Do I need to block them all?

I think this is a more general question which can be applied to blocking any iOS game (or online game).
Thank you.
 
This is just an idea.

You could use the load_ASN_ipset.sh script that is part of the x3mRouting project to create an ipset list containing the IP addresses for AS22697.
Code:
sh load_ASN_ipset.sh ROBLOX AS22697

Then, export the ipset list contents to a file

Code:
ipset -L ROBLOX | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' > roblox_blacklist

Code:
#cat roblox_blacklist
103.140.28.0
209.206.41.0
128.116.20.0
128.116.3.0
128.116.41.0
<snip>

Use [5] --> Import IP List import function on Skynet to import the file as a blocklist.
 
To block that particular ASN, run the following two commands;

Code:
curl -fsL --retry 3 "https://ipinfo.io/AS22697" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' > /tmp/roblox.txt


sh /jffs/scripts/firewall import blacklist /tmp/roblox.txt
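
An added example, not part of the post above and not Skynet's own code: a filter that keeps the /prefix length on each scraped range and drops anything that would be unsafe to import as a blocklist. The function name `extract_cidrs`, the /8 floor on prefix width and the sample text are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pull IPv4 CIDR prefixes out of arbitrary
# text and keep only entries that are sane to feed to a blocklist import.

# extract_cidrs: read text on stdin, print validated, de-duplicated CIDRs.
extract_cidrs() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}' |
    awk -F'[./]' '
        {
            # Every octet must be 0-255; the grep pattern alone allows 999.
            for (i = 1; i <= 4; i++) if ($i + 0 > 255) next
            # Prefix length: refuse anything wider than /8 (assumed safety
            # floor, so a stray 0.0.0.0/0 can never be imported) or past /32.
            if ($5 + 0 < 8 || $5 + 0 > 32) next
            # Skip private, loopback, link-local and "this network" space so
            # an import cannot blacklist the LAN or the router itself.
            if ($1 == 0 || $1 == 10 || $1 == 127) next
            if ($1 == 172 && $2 >= 16 && $2 <= 31) next
            if ($1 == 192 && $2 == 168) next
            if ($1 == 169 && $2 == 254) next
            # Print each surviving prefix once, in first-seen order.
            if (!seen[$0]++) print
        }'
}

# Constructed sample standing in for a scraped HTML page (not real output).
SAMPLE='<a href="#">128.116.0.0/17</a> junk 999.1.1.1/24 10.0.0.0/8
0.0.0.0/0 103.140.28.0/23 128.116.0.0/17 192.168.1.0/24 1.2.3.4/33'

# Prints the two public, well-formed prefixes from the sample.
printf '%s\n' "$SAMPLE" | extract_cidrs
```

Placed between the `curl` and the redirect to `/tmp/roblox.txt`, a filter like this lets the file be reviewed with `cat` before the import command is run.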
 
Hello,
I'm having some issues with Skynet.

The time zone and time are correctly set on the router, but the Skynet log shows the time is several hours ahead.

How can I fix this?
 

I'm trying to Rsync into the router externally, and added the source domain to the whitelist. When doing other stuff, it works fine, but as soon as I trigger Rsync on the router, the IP gets NEW BAN despite being on the whitelist. Any ideas why, and what can I do to stop this?

Help is much appreciated
 
Skynet prioritises the whitelist over any blacklist entries. Make sure the IP of the target device is whitelisted following the guide in the second post of this thread.
 
Thanks Adam. It's already added as a domain and I've double-checked by adding the actual IP...

Whitelisting 123.123.123.123
ipset v6.32: Element cannot be added to the set: it's already added


But then in the log... I saw this...

Aug 29 15:59:24 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= MAC=[MAC address SRC=123.123.123.123 DST=[MY WAN IP] LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=32150 DF PROTO=TCP SPT=12345 DPT=[My SSH port] SEQ=2628979443 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B40101234567890)

I wonder if it's because it's the SSH port? I tried disabling Ban AIprotect in case it flagged it, no go...
 
That's the SSH brute force protection kicking in, which Skynet taps into. You can only make 4 new connections over 60 seconds with this setting enabled.

I also recommend using an OpenVPN connection for remote access rather than exposing your SSH to the web.
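
An added example, not part of the post above and not Skynet's own tooling: a summary of block events by source, protocol/port and tag, which shows at a glance which rule and port a whitelisted address is tripping. The function names and the sample log are assumptions; the sample lines are constructed in the layout of the log line quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: summarise Skynet-style block events.

# Constructed sample in the layout of the log line quoted in the thread;
# addresses are documentation ranges and the ports are made up.
sample_log() {
cat <<'EOF'
Aug 29 15:59:24 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=52 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Aug 29 15:59:31 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.1 LEN=52 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Aug 29 16:04:10 kernel: [BLOCKED - NEW BAN] IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=51000 DPT=2222 SYN URGP=0
Aug 29 16:05:00 kernel: unrelated message without a block tag
EOF
}

# summarize_blocks [ip]: read kernel log lines on stdin and print
# "count source proto/port tag", one line per distinct combination, in
# first-seen order. With an argument, only that source IP is reported.
summarize_blocks() {
    awk -v want="${1:-}" '
        /\[BLOCKED - [^]]*\]/ {
            # The tag is whatever follows "BLOCKED - " inside the brackets.
            tag = $0
            sub(/^.*\[BLOCKED - /, "", tag)
            sub(/\].*$/, "", tag)
            # Pick the KEY=value fields we care about out of the line.
            src = dpt = proto = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (want != "" && src != want) next
            key = src " " proto "/" dpt " " tag
            if (!(key in n)) order[++k] = key
            n[key]++
        }
        END { for (j = 1; j <= k; j++) print n[order[j]], order[j] }'
}

# Prints one summary line per source/port/tag found in the sample.
sample_log | summarize_blocks
```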
 
I'm curious if that was reported before. I have a 400+ Mbps throughput from ISP and yesterday I found out I could hardly reach 300. I removed the router (RT-AC1900P @ 1.4GHz) to connect PC to modem directly and had 400+ back. What was strange is that I remember having 400+ before with the router. I'm running Skynet for a few months now but never tested speed after installing it, it's only yesterday that I've noticed the speed drop and began investigating. I never read anything about Skynet affecting max speed throughput so I never thought it could be it but that's exactly what happens with my router.

Now I wonder if I'm missing much by not running Skynet. I guess 95% of routers in the world don't run it so no big deal I guess but what feature I could miss the most? For now I haven't uninstalled, just disabled it. I hope to read some more testing by others... and maybe an input by the author.

EDIT: problem solved, read below.
 
If you don't get an answer that fixes your 25% speed loss in the next few hours or couple of days, I would be doing a full reset to factory defaults instead.

I have no such issues with a 1Gbps up/down ISP connection. It is not Skynet that is the issue here. :)
 
Maybe the 86U is more powerful and doesn't suffer from running Skynet?

That may be true, but I was relying on my experience with customer's routers that don't have any issues with lower-end hardware than your RT-AC1900 has. :)
 
After searching a bit more and the help of Merlin, I found out IP Traffic was enabled with the consequence of turning off NAT Acceleration which caused the slowdown. I don't remember when I switched IP Traffic ON because I almost never log in the router so it must be a while ago...

I wish there would be a warning when you turn a feature ON which will disable another one.
 
With the limited processing power our routers currently have, it's safe to assume that not all features can be used concurrently.
 