Skynet - Router Firewall & Security Enhancements

Thank you for your reply. My skynet install issues seem solved atm.

First of all your ISP modem ideally should be put in bridge mode as you are currently in a Double-NAT situation which isn't ideal.

I have given up trying to put the router in media bridge mode because I have been unable to find the new router ip. Nmap, traceroute, ipconfig, various web based tools, etc don't give output that is useful to me. Asus discover.exe complains, iirc, that my router and computer are on different subnet masks. I'm not smart enough to figure this double-nat situation out, and it does not seem to be a showstopper right now.

Secondly I highly recommend one unified partition rather than 3 separate, there isn't any good reason on these devices to do so and this can cause issues with scripts.

Done.

This indicates some sort of connection issue between your router and GitHub rather than Skynet itself as Skynet fails to download necessary files

After the above, a clean upgrade process and reconfig after factory defaults (as detailed by L&LD, thank you) my problems getting skynet to install seem to have gone away.
 
I have given up trying to put the router in media bridge mode because I have been unable to find the new router ip. Nmap, traceroute, ipconfig, various web based tools, etc don't give output that is useful to me. Asus discover.exe complains, iirc, that my router and computer are on different subnet masks. I'm not smart enough to figure this double-nat situation out, and it does not seem to be a showstopper right now.

I think you misunderstood, it's your ISP modem that needs to go into "Bridge mode" (not Media bridge, that's something entirely different). This basically means your ISP modem will stick to modem duties and offload all router duties to your Asus device.

In any case, happy to hear you resolved most of your issues.
 
I think you misunderstood, it's your ISP modem that needs to go into "Bridge mode" (not Media bridge, that's something entirely different). This basically means your ISP modem will stick to modem duties and offload all router duties to your Asus device.

In any case, happy to hear you resolved most of your issues.

You’re right, I misunderstood. Which is good, because I get to learn something.

I suspect this might be getting off-topic for your skynet thread, but the isp here is xplornet LTE wireless. Apparently their modem does not include any router functionality. If that’s true I obviously have something else going on here. Looking around the web a bit, I found a post from 2017 suggesting that, at least at that time, it was extremely difficult to escape from what was referred to as “xplornet’s intolerable double NAT.” The writer’s solution was to deploy an openVPN server on Linode. I doubt I’m at the point where I want to do that, at least not yet.
 
Hello good, how could you unblock outgoing traffic from a device. Thanks in advance.
 
Thanks, oversight on my behalf, we checked the content of remote files before converting the line endings (local files were converted properly though). I've gone ahead and pushed a hotfix.


I just started recently with skynet and getting familiar with it. I really like it and was surprised to see how many in- and outbound connections were blocked.

Question. If I choose whitelist menu# 4 and then domain# 2. Is it correct that the domain is looked up and the corresponding ip is used/stored for whitelisting? That would not work for domains with dynamic ip's, they change over time.
 
I think you misunderstood, it's your ISP modem that needs to go into "Bridge mode" (not Media bridge, that's something entirely different). This basically means your ISP modem will stick to modem duties and offload all router duties to your Asus device.

In any case, happy to hear you resolved most of your issues.
Adamm, I have a similar situation. I received these messages: "Please Put Your Modem In Bridge Mode / Disable CG-NAT"
My modem is a Fritz!box 7490 and it does not have a bridge mode. My router is the Asus RT-AC88U with Skynet and Unbound.
The Fritz gives the Asus 192.168.178.23 as IP address (Asus reports this as , then the Asus give my home network 192.168.0.xxx addresses.
I don't know if it's a coincidence but since the firmware upgrade from 384.18 to 384.19 (both Merlin) my Philips Hue bridge is misbehaving.
The Hue bridge had its IP address assigned via DHCP by the Asus router and it worked 4 years perfectly. Then after the Asus update it went pear-shaped.
I tried adding the Hue to DMZ, but had no luck with that. What did work was assigning it a fixed IP address 192.168.0.123 until tonight... after a week of service it just quit working (the internet connection light stays off). Only thing now that works is if I connect it to the Fritz.
But... since my TV is connected to the Asus router ... then the TV cannot find the Hue bridge.
How can I fix all of this?
 
I have had no issues with my Hue Bridge running 384.19 and though my cable modem is in bridge mode, it still gives my router an internal IP because my ISP uses CG-NAT.
 
Just FYI, but on my RT-AC3200 running 384.13_10 Skynet dragged my router to a crawl. Something didn't work right. I have AMTM, Diversion, FlexQOS, YazFi, connmon, ntpMerlin, scMerlin. After installing Skynet and letting it activate.... putty froze, as did the webUI. Waited 15 minutes... still frozen. Rebooted... still couldn't access either. Went out for a few hours, came back to find putty had loaded. WebUI - nope. Launched AMTM... took about 40 minutes. Then slowly made my way into Skynet and temporarily disabled it. Only took about 10 hours for it to load in.

Once disabled, performance was immediately fine. I uninstalled it. No idea what caused it, but it was abnormally slow. Like 99% of CPU was being used for something improperly.

Regular load level with Skynet off:
[attached image]
 
Hello good, how could you unblock outgoing traffic from a device. Thanks in advance.

As per the readme;

Code:
Example Unban Commands;
( firewall unban ip 8.8.8.8 ) This Unbans The IP Specified
( firewall unban range 8.8.8.8/24 ) This Unbans the CIDR Block Specified
( firewall unban domain google.com ) This Unbans the URL Specified
( firewall unban comment "Apples" ) This Unbans Entries With The Comment Apples
( firewall unban country ) This Unbans Entries Added By The "Ban Country" Feature
( firewall unban asn AS123456 ) This Unbans the ASN Specified
( firewall unban malware ) This Unbans Entries Added By The "Ban Malware" Feature
( firewall unban nomanual ) This Unbans Everything But Manual Bans
( firewall unban all ) This Unbans All Entries From Both Blacklists

I just started recently with skynet and getting familiar with it. I really like it and was surprised to see how many in- and outbound connections were blocked.

Thanks, great to hear!

Question. If I choose whitelist menu# 4 and then domain# 2. Is it correct that the domain is looked up and the corresponding ip is used/stored for whitelisting? That would not work for domains with dynamic ip's, they change over time.

Correct, they are looked up at the time of whitelisting and refreshed at regular intervals, it's not foolproof but it's pretty good for most situations.

Adamm, I have a similar situation. I received these messages: "Please Put Your Modem In Bridge Mode / Disable CG-NAT"
My modem is a Fritz!box 7490 and it does not have a bridge mode. My router is the Asus RT-AC88U with Skynet and Unbound.
The Fritz gives the Asus 192.168.178.23 as IP address (Asus reports this as , then the Asus give my home network 192.168.0.xxx addresses.

I'm not familiar with the device but a quick Google search shows PPPoE passthrough as being the next best option on that device. In any case if this is not possible with your device you can safely ignore this warning.

I don't know if it's a coincidence but since the firmware upgrade from 384.18 to 384.19 (both Merlin) my Philips Hue bridge is misbehaving.
The Hue bridge had its IP address assigned via DHCP by the Asus router and it worked 4 years perfectly. Then after the Asus update it went pear-shaped.
I tried adding the Hue to DMZ, but had no luck with that. What did work was assigning it a fixed IP address 192.168.0.123 until tonight... after a week of service it just quit working (the internet connection light stays off). Only thing now that works is if I connect it to the Fritz.
But... since my TV is connected to the Asus router ... then the TV cannot find the Hue bridge.
How can I fix all of this?

Err, I don't believe this is related to Skynet so I won't be of any use, sorry!

Just FYI, but on my RT-AC3200 running 384.13_10 Skynet dragged my router to a crawl. Something didn't work right. I have AMTM, Diversion, FlexQOS, YazFi, connmon, ntpMerlin, scMerlin. After installing Skynet and letting it activate.... putty froze, as did the webUI. Waited 15 minutes... still frozen. Rebooted... still couldn't access either. Went out for a few hours, came back to find putty had loaded. WebUI - nope. Launched AMTM... took about 40 minutes. Then slowly made my way into Skynet and temporarily disabled it. Only took about 10 hours for it to load in.

Once disabled, performance was immediately fine. I uninstalled it. No idea what caused it, but it was abnormally slow. Like 99% of CPU was being used for something improperly.

Regular load level with Skynet off:
[attached image]

I can't see how Skynet would cause this, your best bet would be to monitor the "top" processes and see what is eating away at your CPU usage if you're stuck at 99%.
 
I'm not familiar with the device but a quick Google search shows PPPoE passthrough as being the next best option on that device. In any case if this is not possible with your device you can safely ignore this warning.
Thank you Adamm. The message in the log just scared me a little :)
It has worked properly in the past. If I need to open a port I just have to remember to do it in both devices.

Err, I don't believe this is related to Skynet so I won't be of any use, sorry!
Turns out it was a coincidence. For test purposes I have a webserver, so on both the router and the modem port 80 was forwarded. For some weird reason the Hue bridge doesn't like that. It never bothered the Hue bridge except for when it (re)boots or has lost its connection. So when I upgraded the firmware, the router rebooted and... the Hue bridge started its weird behaviour. Now that I removed the port forward of port 80 all is well again.

If I want to open the port 0 for the webserver again, I think I should use port 80 as external port and something like 8080 for internal, right?
 
I can't see how Skynet would cause this, your best bet would be to monitor the "top" processes and see what is eating away at your CPU usage if you're stuck at 99%.
I would've, but top/htop wouldn't start. It took forever to open amtm and temporarily disable skynet. I can only assume that a dynamically updating program would've never loaded.

If there are any log files or anything that would be useful, then I can fetch them. But otherwise I will just leave it be and stick with the addon/script set that I outlined above. It seems to be working very well.
 
What might be considered a normal amount of inbound and outbound blocks? I currently host a plex server on this network and the device that hosts the plex server seems to be constantly sending out data to blocked IPs. Attached is an example of some of the filtered traffic.
[attached image]
 
There is no normal for inbound, but there should be zero outbound.
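
One way to act on the "zero outbound" rule of thumb above, as an added example that is not part of the thread or Skynet's own code: group logged outbound blocks by LAN device so the host worth investigating stands out. It assumes blocked packets appear as iptables LOG lines tagged "[BLOCKED - OUTBOUND]" with SRC=/DST=/PROTO=/DPT= fields; the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise outbound firewall blocks per LAN device.
# ASSUMPTION: the "[BLOCKED - OUTBOUND]" tag and the iptables LOG field
# layout (SRC=, DST=, PROTO=, DPT=) match what the router writes to its log.

# Constructed sample log lines (documentation addresses, not real data).
sample_log() {
cat <<'EOF'
Aug 25 10:01:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.0.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=443
Aug 25 10:01:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.178.23 LEN=40 PROTO=TCP SPT=40000 DPT=23
Aug 25 10:02:40 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.0.50 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51240 DPT=443
Aug 25 10:03:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.0.50 DST=198.51.100.44 LEN=76 PROTO=UDP SPT=6881 DPT=6881
Aug 25 10:05:19 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.0.123 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=39000 DPT=80
EOF
}

# Print "count src dst proto/dport" for outbound blocks, busiest flow first.
# Reads the log from the file(s) given as arguments, or from stdin.
outbound_flows() {
    awk '/\[BLOCKED - OUTBOUND\]/ {
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^DST=/)   dst   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        n[src " " dst " " proto "/" dpt]++
    }
    END { for (k in n) print n[k], k }' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Print "count src" per LAN device: the hosts to look at first.
outbound_sources() {
    outbound_flows "$@" \
        | awk '{ t[$2] += $1 } END { for (s in t) print t[s], s }' \
        | LC_ALL=C sort -k1,1nr -k2
}

# Demo on the constructed sample; on a router, pass the log file path instead.
sample_log | outbound_sources
```

A device that keeps appearing at the top of `outbound_sources` is the one to inspect; `outbound_flows` then shows which destinations and ports it was trying to reach.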
 
Interesting, so is this implying my network is compromised in some way? It probably doesn't help that I'm also seeing a lot of traffic like this:

[attached image]
 
Now I have Skynet running and all seems to be well, I like to know more about the reports.

I understand I should not be too worried about inbound connections blocked, and should look at outbound connections blocked. For that I have an entry that says: Ban Reason: alienvault_reputation.ipset. What does this mean? What are the other possible reasons and are there any other reasons that I should be concerned about?
 
What might be considered a normal amount of inbound and outbound blocks? I currently host a plex server on this network and the device that hosts the plex server seems to be constantly sending out data to blocked IPs. Attached is an example of some of the filtered traffic. [attached image]
Interesting, so is this implying my network is compromised in some way? It probably doesn't help that I'm also seeing a lot of traffic like this:

[attached image]

If both Skynet and AiProtect are indicating your PLEX server is connecting to bad addresses it's probably worth investigating.

For that I have an entry that says: Ban Reason: alienvault_reputation.ipset. What does this mean? What are the other possible reasons and are there any other reasons that I should be concerned about?

That simply means the IP is blacklisted on that individual list (in this case alienvault_reputation.ipset) for whatever reason, you would have to investigate with alienvault as to why it was flagged.
 
Hi,

I'm brand new user to skynet and have some questions.
I've got some iot devices and set up some wifi guest networks on my RT-AC68U running latest merlin fw.
I've also got YazFi set up. So I got a 192.168.3.X range where all my IOT devices are.

Question can I block all outbound traffic to the WAN for just that range or 1 ip address in that range?

I see the following in the help on https://github.com/Adamm00/IPSet_ASUS
( firewall settings iot unban|ban 8.8.8.8,9.9.9.9 ) Unban|Ban IOT Device(s) (or CIDR) From Accessing WAN (Allow NTP / Remote Access Via OpenVPN Only) (Use Comma As Separator)

The help is not really clear on what these options do and if it's related to inbound or outbound or both traffic.

Thanks
 
That simply means the IP is blacklisted on that individual list (in this case alienvault_reputation.ipset) for whatever reason, you would have to investigate with alienvault as to why it was flagged.

I set up Skynet such that the Malware list is updated on a daily basis. May I know from where the list would be taken? Is there only one list or is this a list of lists?
 
The help is not really clear on what these options do and if it's related to inbound or outbound or both traffic.

It blocks all traffic to WAN (inbound and outbound) besides NTP/OpenVPN and any custom ports you add. LAN traffic is still allowed.

I set up Skynet such that the Malware list is updated on a daily basis. May I know from where the list would be taken? Is there only one list or is this a list of lists?


 
