Skynet - Router Firewall & Security Enhancements


Rhialto

Regular Contributor
Emphasis on the "or". Skynet will automatically handle this in the background assuming you have entware installed. Although the latest firmware version is generally recommended for the best user experience.
I can't find that in first post under installation, maybe I'm not looking at the right place.

Does it check the curl package from Entware then? How can I check if I have the latest? I'm willing to try to update, I just want to avoid seeing that it does not work and having to uninstall and look for/install again the version I use now.
 

Adamm

Part of the Furniture
Does it check the curl package from Entware then? How can I check if I have latest?

Code:
opkg update
opkg upgrade curl
/opt/bin/curl --version


With that being said, v380.68_4 is over 2 years old and a security risk. If you care about your network I'd consider upgrading.
 

Val D.

Very Senior Member
Well it is a free world after all is it not? That also means that I can decide not to let some countries be acceptable for connection.

Feel free to continue blocking entire parts of Internet, but don't cross the line. Think about your personal safety also. Make sure your physical firewall is fully operational and is capable of preventing the impact of that fast approaching cast iron frying pan, dispatched in your direction by your better half.
 

Adamm

Part of the Furniture


How did that tab get there :eek::p
 

Kenji

Occasional Visitor
Hey friends,

I have a question about the settings. I have my router RT-AC86U which runs over a VPN client.
So Fritzbox > Asus Router > OpenVPN Client > Home network via WiFi:

I have installed all scripts here. This also works. Unfortunately after about a day I have the problem that my PC shows that no internet connection can be established. Something is probably blocked by Skynet here. After restarting Skynet, it works again for a day. I have the log here:

Dec 29 13:25:18 lul kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=b0:6e:bf:64:95:a0:cc:ce:1e:0f:09:30:08:00 SRC=192.168.178.1 DST=192.168.178.33 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14401 DF PROTO=TCP SPT=38905 DPT=80 SEQ=3251262362 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B40101080A089F6CD10000000001030304) MARK=0x8000000

I have now looked at what belongs to which IP.

That would be the WAN IP of the Asus router: WAN IP: 192.168.178.33 and the 192.168.178.1 would be the IP of the Fritzbox. I added this to the whitelist via IP. Would that be okay? Why is the connection to the Fritzbox blocked, where does the connection to the Internet come from? I had repeated the problem this morning.


Thanks for the help and sorry for the Google translation

lg. Philipp
 


Mutzli

Very Senior Member

wbartels

Occasional Visitor
It took me some time. But now I have a working version.
See github for more info: https://github.com/Adamm00/IPSet_ASUS/issues/27

This proof of concept will demonstrate two new features:
  • Only download new or changed ipsets (already implemented in Skynet 7)
  1. Only update new or changed ipsets.
  2. Use the ipset swap feature:
  • Keep the current ipset working and load an (inactive) temp ipset in the background.
  • Swap these two sets without any delay or downtime!
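
The load-in-the-background-then-swap update described in the post above, as an added example that is not part of the original post and is not the proof of concept's or Skynet's own code. The function names, the `-tmp` suffix, the `hash:net` set type and the list/cache file paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: names, set type and paths are assumptions.

# Return 0 when the freshly downloaded list differs from the cached copy
# (or no cached copy exists yet), i.e. the set has to be rebuilt.
list_changed() {
    new="$1"; cached="$2"
    [ -f "$cached" ] || return 0
    ! cmp -s "$new" "$cached"
}

# Emit an `ipset restore` script that fills a temporary set from a list
# file (one IPv4 address or CIDR per line, '#' comments allowed), swaps it
# with the live set, then destroys the temporary set, which at that point
# holds the old contents. The live set keeps matching until the swap.
build_swap_script() {
    live="$1"; list="$2"; tmp="${live}-tmp"
    echo "create $live hash:net"
    echo "create $tmp hash:net"
    echo "flush $tmp"
    # Drop comments and whitespace; keep only well-formed entries so a
    # malformed line in a downloaded list cannot abort the restore.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$list" |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
        sort -u |
        sed "s/^/add $tmp /"
    echo "swap $tmp $live"
    echo "destroy $tmp"
}

# Rebuild only when the list changed. `-!` makes restore ignore
# "set already exists" errors from the create lines.
update_set() {
    live="$1"; new="$2"; cached="$3"
    if ! list_changed "$new" "$cached"; then
        echo "unchanged"; return 0
    fi
    build_swap_script "$live" "$new" | ipset restore -! || return 1
    cp "$new" "$cached"
    echo "swapped"
}
```

`ipset swap` only works between sets of the same type, so the temporary set must be created with the same type as the live one.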
 

XIII

Very Senior Member
I was visiting a family member earlier today and tried to remote SSH into my own router (at home) from my iPad, a few times. While this worked initially, it stopped suddenly. Initially I thought my router had crashed, but after changing the IP address of my iPad using a commercial VPN I could log in again and noticed that SkyNet had blocked the “regular” IP! After unbanning it, everything was fine again.

How can I prevent this in the future?

I’m not sure whether this family member has a static IP address, so I’m not sure I can/should whitelist it.
 

5stringdeath

Regular Contributor
May I suggest you not turn on SSH from WAN, and instead VPN in first :)
 

dave14305

Part of the Furniture
If they can set up a DDNS name for their WAN IP, you can add that name to your whitelist.
 
