Skynet Skynet - Router Firewall & Security Enhancements

[martinr]

Thanks, but I think this is not working anymore. Skynet takes again several minutes to start.
Was good until now.

I’ve just done the minor update, and my lockfile message turns green in just over one minute on my RT-AC68U.

 

[Ubimo]

Ok, thanks, then it must be something on my side. Trying to figure out now...

 

[martinr]

Ok, thanks, then it must be something on my side. Trying to figure out now...

Maybe an uninstall and reinstall would be the most effective and quickest way?

 

[Adamm]

Ok, thanks, then it must be something on my side. Trying to figure out now...

A better test to confirm if its the same issue;

curl -vfsL "https://ipapi.co/1.1.1.1/country/"; echo

curl -vfsL -A "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "https://ipapi.co/1.1.1.1/country/"; echo

curl -vfsL -A "ASUSWRT-Merlin" "https://ipapi.co/1.1.1.1/country/"; echo

 

[Ubimo]

Ok, thanks, but I cannot read anything out of this:

Spoiler

admin@myrouter-CD47:/tmp/home/root# curl -vfsL "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:92c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:92c: Network is unreachable
* Trying 104.26.8.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.8.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* The requested URL returned error: 429 Too Many Requests
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

admin@myrouter-CD47:/tmp/home/root# curl -vfsL -A "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:82c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:82c: Network is unreachable
* Trying 104.26.9.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.9.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 14 Mar 2020 17:19:51 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 2
< Connection: keep-alive
< Set-Cookie: __cfduid=d71c08b52d01bcf823e3d83779e755e6c1584206390; expires=Mon, 13-Apr-20 17:19:50 GMT; path=/; domain=.ipapi.co; HttpOnly; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
< Vary: Host
< Allow: GET, OPTIONS, HEAD, OPTIONS, POST
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 573fa976ab487cbe-MUC
<
* Connection #0 to host ipapi.co left intact
AU
admin@myrouter-CD47:/tmp/home/root# curl -vfsL -A "ASUSWRT-Merlin" "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:82c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:82c: Network is unreachable
* Trying 104.26.8.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.8.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: ASUSWRT-Merlin
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 14 Mar 2020 17:19:59 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 2
< Connection: keep-alive
< Set-Cookie: __cfduid=dfa704c9d349dcb4aac884394722919251584206399; expires=Mon, 13-Apr-20 17:19:59 GMT; path=/; domain=.ipapi.co; HttpOnly; SameSite=Lax
< Allow: HEAD, POST, OPTIONS, OPTIONS, GET
< Vary: Host
< X-Frame-Options: SAMEORIGIN
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 573fa9ab6cca7cbe-MUC
<
* Connection #0 to host ipapi.co left intact
AU
admin@myrouter-CD47:/tmp/home/root#

 

[Adamm]

Ok, thanks, but I cannot read anything out of this:

Spoiler

admin@myrouter-CD47:/tmp/home/root# curl -vfsL "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:92c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:92c: Network is unreachable
* Trying 104.26.8.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.8.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* The requested URL returned error: 429 Too Many Requests
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

admin@myrouter-CD47:/tmp/home/root# curl -vfsL -A "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:82c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:82c: Network is unreachable
* Trying 104.26.9.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.9.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 14 Mar 2020 17:19:51 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 2
< Connection: keep-alive
< Set-Cookie: __cfduid=d71c08b52d01bcf823e3d83779e755e6c1584206390; expires=Mon, 13-Apr-20 17:19:50 GMT; path=/; domain=.ipapi.co; HttpOnly; SameSite=Lax
< X-Frame-Options: SAMEORIGIN
< Vary: Host
< Allow: GET, OPTIONS, HEAD, OPTIONS, POST
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 573fa976ab487cbe-MUC
<
* Connection #0 to host ipapi.co left intact
AU
admin@myrouter-CD47:/tmp/home/root# curl -vfsL -A "ASUSWRT-Merlin" "https://ipapi.co/1.1.1.1/country/"; echo
* Trying 2606:4700:20::681a:82c:443...
* TCP_NODELAY set
* Immediate connect fail for 2606:4700:20::681a:82c: Network is unreachable
* Trying 104.26.8.44:443...
* TCP_NODELAY set
* Connected to ipapi.co (104.26.8.44) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
* start date: Nov 13 00:00:00 2019 GMT
* expire date: Oct 9 12:00:00 2020 GMT
* subjectAltName: host "ipapi.co" matched cert's "ipapi.co"
* issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
* SSL certificate verify ok.
> GET /1.1.1.1/country/ HTTP/1.1
> Host: ipapi.co
> User-Agent: ASUSWRT-Merlin
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 14 Mar 2020 17:19:59 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 2
< Connection: keep-alive
< Set-Cookie: __cfduid=dfa704c9d349dcb4aac884394722919251584206399; expires=Mon, 13-Apr-20 17:19:59 GMT; path=/; domain=.ipapi.co; HttpOnly; SameSite=Lax
< Allow: HEAD, POST, OPTIONS, OPTIONS, GET
< Vary: Host
< X-Frame-Options: SAMEORIGIN
< CF-Cache-Status: DYNAMIC
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 573fa9ab6cca7cbe-MUC
<
* Connection #0 to host ipapi.co left intact
AU
admin@myrouter-CD47:/tmp/home/root#

The fix is working fine, your problem is elsewhere.

 

[WMConey]

Whats the output of;

sh /jffs/scripts/firewall debug info

Router Model; RT-AC86U
Skynet Version; v7.1.3 (13/03/2020) (11855137d302091048cc3f4cfbf369e8)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.100.50) - (/)
FW Version; 384.15_0 (Feb 8 2020) (4.1.27)
Install Dir; /tmp/mnt/HpNoRegrets/skynet (6.0G / 7.4G Space Available)
SWAP File; /tmp/mnt/HpNoRegrets/myswap.swp (1.0G)
Uptime; 0 days, 2 hours, 38 minutes.
Ram Available; (84M / 430M)

...and then a list of who is online.

 

[Adamm]

Router Model; RT-AC86U
Skynet Version; v7.1.3 (13/03/2020) (11855137d302091048cc3f4cfbf369e8)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.100.50) - (/)
FW Version; 384.15_0 (Feb 8 2020) (4.1.27)
Install Dir; /tmp/mnt/HpNoRegrets/skynet (6.0G / 7.4G Space Available)
SWAP File; /tmp/mnt/HpNoRegrets/myswap.swp (1.0G)
Uptime; 0 days, 2 hours, 38 minutes.
Ram Available; (84M / 430M)

...and then a list of who is online.

Please post the full output, you can redact the client list that’s not so important

 

[TheLyppardMan]

Skynet is blocking internet access for my route-planning program (ITN Converter), but I'm not sure exactly what I need to whitelist as I've not used that feature yet. Do I just need to add all the associated domains shown below?

This is what the log is showing:-
Mar 15 12:36:54 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=04:d4:c4:51:cd:08:a0:51:0b:7e:89:7a:08:00 SRC=10.0.4.121 DST=217.160.123.2 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15565 DF PROT)

Associated Domain(s) - [benichou-software.com download.benitools.info itnconv.benitools.info geoip.benitools.info]

 

[TheLyppardMan]

Skynet is blocking internet access for my route-planning program (ITN Converter), but I'm not sure exactly what I need to whitelist as I've not used that feature yet. Do I just need to add all the associated domains shown below?

This is what the log is showing:-
Mar 15 12:36:54 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=04:d4:c4:51:cd:08:a0:51:0b:7e:89:7a:08:00 SRC=10.0.4.121 DST=217.160.123.2 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15565 DF PROT)

Associated Domain(s) - [benichou-software.com download.benitools.info itnconv.benitools.info geoip.benitools.info]

Actually, I've just added all the associated domains and it seems to be working now.

 

[dave14305]

Skynet is blocking internet access for my route-planning program (ITN Converter), but I'm not sure exactly what I need to whitelist as I've not used that feature yet. Do I just need to add all the associated domains shown below?

This is what the log is showing:-
Mar 15 12:36:54 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= MAC=04:d4:c4:51:cd:08:a0:51:0b:7e:89:7a:08:00 SRC=10.0.4.121 DST=217.160.123.2 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15565 DF PROT)

Associated Domain(s) - [benichou-software.com download.benitools.info itnconv.benitools.info geoip.benitools.info]

Run this command to see why it’s blocked:

firewall stats search ip 217.160.123.2

It’s not in my blocklist, so it might by from AiProtection.

 

[Ubimo]

The last line, does anyone know what this is? Is this normal?

Mar 15 17:54:36 dropbear[1305]: Running in background
Mar 15 17:54:36 custom_script: Running /jffs/scripts/service-event (args: restart leds)
Mar 15 17:54:36 custom_script: Running /jffs/scripts/service-event (args: restart usb_idle)
Mar 15 17:54:36 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Mar 15 17:54:37 hour_monitor: daemon is starting
Mar 15 17:54:37 hour_monitor: daemon terminates
Mar 15 17:54:37 nat: apply nat rules (/tmp/nat_rules_ppp0_eth0)
Mar 15 17:54:37 custom_script: Running /jffs/scripts/firewall-start (args: ppp0)
Mar 15 17:54:37 custom_script: Running /jffs/scripts/service-event (args: restart bhblock)
Mar 15 17:54:37 rc: received unrecognized event: bhblock

Here is the file /jffs/scripts/service-event:

#!/bin/sh

if [ "$1" = "start" ] && [ "$2" = "SkynetStats" ]; then sh /jffs/scripts/firewall debug genstats; fi # Skynet Firewall Addition

 

[Rhialto]

I've been running Skynet for about three weeks now and I have yet to get any blocked inbound connection attempts. Outbound, yes, but inbound is completely clean ["No Data To Display"] which I find hard to believe. Any suggestions on how to investigate this?

Weird for me it's the opposite, outboud are empty.

sh /jffs/scripts/firewall debug info gives normal result

 

[vdemarco]

Weird for me it's the opposite, outboud are empty.

sh /jffs/scripts/firewall debug info gives normal result

Also for me i have no outbound blocks either.

 

[dave14305]

Weird for me it's the opposite, outboud are empty.

sh /jffs/scripts/firewall debug info gives normal result

Also for me i have no outbound blocks either.

Having no outbound blocks is a good thing. Nothing in your network is trying to communicate with known malware ip addresses.

I was getting a new outbound block yesterday trying to read work emails in the Outlook client for iOS. An edge.net ip was blocked, so messages wouldn’t load. But usually outbound is rare for me, thankfully.

 

[R1-Limited]

Just installed on Johns Fork 374.43_42D5j9527
Unable to see TAB under Firewall. It is running I see in stats . See in debug

Local WebUI Files | [Failed]
Mounted WebUI Files | [Failed]

I think I may know why as it is none GA I see

[$] ./firewall settings webui enable


=============================================================================================================


[*] Firmware Version Not Supported - Please Update To Use This Feature

 

[Makaveli]

@Adamm Can expand on this.

I don't believe john's fork is up to date enough to use these new features.

 

[WMConey]

Please post the full output, you can redact the client list that’s not so important

Router Model; RT-AC86U
Skynet Version; v7.1.3 (14/03/2020) (e3e9b2ef939c8c1f0bf79d30bdd245ca)
iptables v1.4.15 - (eth0 @ 192.168.2.1)
ipset v6.32, protocol version: 6
IP Address; (192.168.100.50)
FW Version; 384.16_beta1 (Mar 14 2020) (4.1.27)
Install Dir; /tmp/mnt/HpNoRegrets/skynet (6.0G / 7.4G Space Available)
SWAP File; /tmp/mnt/HpNoRegrets/myswap.swp (1.0G)
Uptime; 0 days, 0 hours, 56 minutes.
Ram Available; (87M / 430M)


--------------- | ------------ | ---------------
| Device Name | | | Local IP | | | MAC Address |
--------------- | ------------ | ---------------



-------------------- | ----------
| Test Description | | | Result |
-------------------- | ----------

Internet-Connectivity | [Passed]
Write Permission | [Passed]
Firewall-Start Entry | [Passed]
Services-Stop Entry | [Passed]
Service-Event Entry | [Passed]
SWAP File | [Passed]
Cron Jobs | [Passed]
NTP Sync | [Passed]
IPSet Comment Support | [Passed]
Log Level 4 Settings | [Passed]
Duplicate Rules In RAW | [Passed]
IPSets | [Passed]
IPTables Rules | [Passed]
Local WebUI Files | [Passed]
Mounted WebUI Files | [Passed]
MenuTree.js Entry | [Passed]


----------- | ----------
| Setting | | | Status |
---------- | ----------

Skynet Auto-Updates | [Enabled]
Malware List Auto-Updates | [Enabled]
Logging | [Enabled]
Filter Traffic | [Enabled]
Unban PrivateIP | [Enabled]
Log Invalid Packets | [Disabled]
Ban AiProtect | [Enabled]
Secure Mode | [Enabled]
Fast Switch List | [Disabled]
Syslog Location | [Default]
IOT Blocking | [Disabled]
Country Lookup For Stats | [Enabled]
CDN Whitelisting | [Enabled]
Display WebUI | [Enabled]

16/16 Tests Sucessful


================================================================================


[#] 145594 IPs (+0) -- 1784 Ranges Banned (+0) || 0 Inbound -- 1 Outbound Conne]

 

[dave14305]

@Adamm Can expand on this.

I don't believe john's fork is up to date enough to use these new features.

The issue with the Skynet UI in the fork is that the router webui is old design and not as easy to integrate with as the Merlin 384 branch. I’ve tried a couple times, but it’s way beyond my skill level. Perhaps a sample from @john9527 on how to create a new page in the UI as Merlin has documented in the wiki: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Addons-API

At this point I don’t think it’s easy for anyone to work on without direct engagement with John.

 

[Jack Yaz]

The issue with the Skynet UI in the fork is that the router webui is old design and not as easy to integrate with as the Merlin 384 branch. I’ve tried a couple times, but it’s way beyond my skill level. Perhaps a sample from @john9527 on how to create a new page in the UI as Merlin has documented in the wiki: https://github.com/RMerl/asuswrt-merlin.ng/wiki/Addons-API

At this point I don’t think it’s easy for anyone to work on without direct engagement with John.

I likely could do it - but it adds a whole new dimension for support which I don't have the capacity to take on right now.