Skynet - Router Firewall & Security Enhancements


Dee dee

Regular Contributor
Diversion is better suited to blocking a website via hostname instead of trying to block individual IPs that can be affiliated with multiple websites (and a website can have multiple IPs).
I tried nslookup and it shows one IP address.

Is there a website I can use as an example to test that Skynet is working correctly?
 

Adamm

Part of the Furniture
Also, does it matter if my IP address is in RED?
IP Address: (192.168.1.4)
Your first issue is that your ISP modem isn't in bridge mode and you are running a double-NAT situation.

You will be unable to block this IP in Skynet effectively because it's hosted on a CDN. We whitelist some major CDNs by default to prevent false positives. You will need to use something like Diversion instead.

Lastly, I'm getting the "tail" error; unsure what this means (when trying to debug)?
What is the output of:

Code:
firewall debug info
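An added example (Python, not Skynet's own code) of the point made in the reply above: before trying to ban an address, check whether it sits inside a whitelisted CDN prefix and how many other hostnames resolve to the same address, because a single nslookup answer says nothing about who else shares it. The whitelist prefixes and the resolver answers below are constructed stand-ins (RFC 5737 documentation ranges and fictitious names); Skynet's real CDN whitelist is maintained inside the script, not reproduced here.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in CDN prefixes (documentation ranges, not real CDN space).
# Skynet's CDN whitelisting keeps ranges of this kind out of the blacklist.
CDN_WHITELIST = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed resolver answers (hostname -> addresses), standing in for what
# nslookup would return for each site. All names are fictitious.
RESOLVED = {
    "shop.example":       ["203.0.113.10"],
    "news.example":       ["203.0.113.10", "203.0.113.11"],
    "blog.example":       ["198.51.100.7"],
    "selfhosted.example": ["192.0.2.44"],
    "other.example":      ["192.0.2.99"],
    "mirror.example":     ["192.0.2.99"],
}


def in_whitelist(ip, whitelist=CDN_WHITELIST):
    """Return the whitelist prefix that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in whitelist:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def reverse_index(resolved):
    """Invert hostname -> IPs into IP -> set of hostnames sharing that address."""
    idx = defaultdict(set)
    for host, ips in resolved.items():
        for ip in ips:
            idx[ip].add(host)
    return idx


def assess_ban(host, resolved=RESOLVED, whitelist=CDN_WHITELIST):
    """Per address of host: 'whitelisted' (Skynet will not ban it),
    'collateral' (banning it also cuts off other hostnames) or 'ok'
    (the address is unique to this host)."""
    idx = reverse_index(resolved)
    report = {}
    for ip in resolved[host]:
        cidr = in_whitelist(ip, whitelist)
        others = sorted(idx[ip] - {host})
        if cidr:
            status = "whitelisted"
        elif others:
            status = "collateral"
        else:
            status = "ok"
        report[ip] = {"status": status, "whitelist": cidr, "shared_with": others}
    return report


def recommend(host, **kw):
    """'ip' if every address can be banned without side effects, otherwise
    'dns' (block the hostname in a DNS-based tool such as Diversion instead)."""
    report = assess_ban(host, **kw)
    return "ip" if all(r["status"] == "ok" for r in report.values()) else "dns"


if __name__ == "__main__":
    for h in RESOLVED:
        print(h, recommend(h), assess_ban(h))
```

In practice you would feed `in_whitelist` the prefixes Skynet actually whitelists and `reverse_index` the nslookup answers for the sites you care about; any address that comes back `whitelisted` or `collateral` is one to block by hostname rather than by IP.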
 

Dee dee

Regular Contributor
Your first issue is that your ISP modem isn't in bridge mode and you are running a double-NAT situation.

You will be unable to block this IP in Skynet effectively because it's hosted on a CDN. We whitelist some major CDNs by default to prevent false positives. You will need to use something like Diversion instead.

What is the output of:

Code:
firewall debug info
@Adamm

My router is a Verizon ActionTec router. How do I set this into bridge mode to fix the double-NAT issue?

My debug info is below.

Code:
--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Config File                         | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Disabled]
Malware List Auto-Updates           | [Disabled]
Logging                             | [Disabled]
Filter Traffic                      | [Selective]
Unban PrivateIP                     | [Disabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Disabled]
Secure Mode                         | [Disabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Custom]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Disabled]
CDN Whitelisting                    | [Disabled]
Display WebUI                       | [Disabled]

15/15 Tests Sucessful

A lot of items were disabled, so I enabled them, and filter traffic was a [].

Code:
--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Config File                         | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 5 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Selective]
Unban PrivateIP                     | [Disabled]
Log Invalid Packets                 | [Disabled]
Import AiProtect Data               | [Disabled]
Secure Mode                         | [Disabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Custom]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

18/18 Tests Sucessful


=============================================================================================================


[#] 312938 IPs (+0) -- 1784 Ranges Banned (+0) || 13 Inbound -- 0 Outbound Connections Blocked! [debug] [11s]

I enabled them; should filter traffic be inbound, outbound, or both?

Should I just reinstall Skynet, as it might not have installed correctly?
 

Adamm

Part of the Furniture
My router is a Verizon ActionTec Router. How do i set this into bridge mode to fix the double NAT issue?
https://bfy.tw/P5da

Should I just reinstall Skynet, as it might not have installed correctly?
Not sure if you manually disabled a lot of those settings or if your config somehow got corrupted, but in any case I would uninstall/reinstall and start fresh as many are incorrect.
 

grifo

Regular Contributor
Hi Adamm, I've noticed a problem with the logs: multiple events are being logged on just one line, with the date and time missing on all but the first event; see below.
Code:
Sep 18 21:06:36 r1 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=178.128.154.242 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=5632 <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.35.169.44 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=38 ID=45996 <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=199.195.254.38 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.241.237.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC=<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=94.102.50.155 DST=x.x.x.x <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC=<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=179.96.62.29 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3296 <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=103.204.188.22 DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=112 ID=30722 DF <4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC=WINDOW=23901 RES=0x00 SYN URGP=0
Recently I've run the latest Skynet (Version v7.2.2 - 9aae16544adf0c1c4a20b67dfdba9e00) and Entware updates. This is on my RT-AC87U running Merlin 384.13_10 with Scribe and UIScribe; it also happens in the skynet.log file.

I've rebooted the router just in case but it still does it. firewall debug info shows 18/18 Tests Successful.

EDIT: fixed it by reinstalling Scribe.
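The poster's fix was to reinstall Scribe, but logs already written in the fused form are still worth reading. As an added example (Python, not part of Scribe or Skynet), here is a parser that triages lines like the one quoted above: it splits a fused line on the `<4>` kernel priority prefix (printk's KERN_WARNING level, which syslog normally strips), recovers the timestamp from the one header that survived, and classifies each fragment as complete, partial or truncated so that blocked-source counts are neither inflated nor silently lost. The fused line is copied from the post; the second, healthy line is constructed.

```python
import re
import ipaddress
from collections import Counter

# Fused line copied verbatim from the post above: several kernel records
# ended up on one syslog line, separated only by the "<4>" printk prefix.
MERGED_LINE = (
    "Sep 18 21:06:36 r1 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= "
    "SRC=178.128.154.242 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=5632 "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.35.169.44 DST=x.x.x.x LEN=44 TOS=0x00 PREC=0x00 TTL=38 ID=45996 "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=199.195.254.38 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=192.241.237.167 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=54321 "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC="
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=94.102.50.155 DST=x.x.x.x "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC="
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=179.96.62.29 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3296 "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=103.204.188.22 DST=x.x.x.x LEN=56 TOS=0x00 PREC=0x00 TTL=112 ID=30722 DF "
    "<4>[BLOCKED - INBOUND] IN=ppp0 OUT= MAC=WINDOW=23901 RES=0x00 SYN URGP=0"
)

# Constructed healthy line (one record, as a working syslog would write it).
NORMAL_LINE = (
    "Sep 18 21:07:01 r1 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=ppp0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.4 DST=192.0.2.77 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 "
    "WINDOW=64240 RES=0x00 SYN URGP=0"
)

HDR = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ")
TAG = re.compile(r"\[(?P<tag>[A-Z]+ - [A-Z]+)\]")
KV = re.compile(r"\b([A-Z]+)=(\S*)")


def split_records(line):
    """Return (timestamp, host, [record, ...]); a healthy line yields one record."""
    pieces = re.split(r"<\d>", line.rstrip("\n"))
    ts = host = None
    m = HDR.match(pieces[0])
    if m:
        ts, host = m.group("ts"), m.group("host")
        pieces[0] = pieces[0][m.end():]
    return ts, host, [p.strip() for p in pieces if p.strip()]


def parse_record(rec):
    """Extract the tag and KEY=value fields of one record and grade its quality."""
    fields = dict(KV.findall(rec))
    tag = TAG.search(rec)
    if not fields.get("SRC"):
        quality = "truncated"   # no source address: cannot be attributed to anyone
    elif "ID" not in fields:
        quality = "partial"     # source present, but the packet header was cut off
    else:
        quality = "ok"
    return {"tag": tag.group("tag") if tag else None,
            "src": fields.get("SRC") or None,
            "dst": fields.get("DST") or None,
            "quality": quality}


def summarize(line):
    """Per-line triage: record count, quality counts and blocked sources."""
    ts, host, recs = split_records(line)
    parsed = [parse_record(r) for r in recs]
    counts = Counter(p["quality"] for p in parsed)
    srcs = Counter(p["src"] for p in parsed if p["src"])
    return {"timestamp": ts, "host": host, "records": len(parsed),
            "fused": len(parsed) > 1,
            "ok": counts["ok"], "partial": counts["partial"],
            "truncated": counts["truncated"],
            "sources": sorted(srcs, key=ipaddress.ip_address),
            "by_src": dict(srcs)}


if __name__ == "__main__":
    for ln in (MERGED_LINE, NORMAL_LINE):
        print(summarize(ln))
```

Only the first fragment of a fused line carries a timestamp, so every recovered record inherits it; the `truncated` fragments are the ones where syslog dropped the source address entirely, which is why a naive `grep SRC= | wc -l` over such a file undercounts.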
 

JaimeZX

Senior Member
Probably a dumb question, but would Skynet work with VPN traffic, i.e. block IPs?
Depends what you mean.
* If you have a client device on your LAN/WLAN that is individually connected to a remote VPN, then the traffic is encrypted and neither the router nor Skynet will see or do anything about the traffic (internals.)
* If you have a VPN server set up on your router, as well as Skynet, and are connecting to that server from other devices remotely while away from home, then that traffic would be protected by Skynet (and Diversion, etc.) (This is what I do.)
* If you have a VPN client set up on your router to send *all* of your traffic to another VPN server somewhere... I don't know. Not sure the order of operations there.
 

Livin

Regular Contributor
I tried to install and it hung forever at "Creating SWAP File"... I tried deleting the scripts but that didn't help. After this failed about 10 times I just installed FlexQOS from AMTM, so I know the router can install things fine.

Any ideas? thx!
 

L&LD

Part of the Furniture
It takes a long time to create a swap file. How long did you give it? What USB drive are you using? Is it a new drive?
 

Livin

Regular Contributor
It takes a long time to create a swap file. How long did you give it? What USB drive are you using? Is it a new drive?
thx, I let it run while I slept... it finished

One more Question

I want to block specific web sites (like YouTube) from ONLY my kids devices (specific IPs and/or MACs)

Can I easily block URLs from only some devices? (ASUS built-in Firewall block URLs for ALL devices.)

thx
 

QuikSilver

Very Senior Member
thx, I let it run while I slept... it finished

One more Question

I want to block specific web sites (like YouTube) from ONLY my kids devices (specific IPs and/or MACs)

Can I easily block URLs from only some devices? (ASUS built-in Firewall block URLs for ALL devices.)

thx
Take a look at the parental controls section of the router. That may be what you're looking for.
 

Adamm

Part of the Furniture
thx, I let it run while I slept... it finished

One more Question

I want to block specific web sites (like YouTube) from ONLY my kids devices (specific IPs and/or MACs)

Can I easily block URLs from only some devices? (ASUS built-in Firewall block URLs for ALL devices.)

thx
You will need to find a DNS based solution.
 

Livin

Regular Contributor
You will need to find a DNS based solution.
I'm surprised this is not asked for frequently by people. I suspect it would be highly used feature that solves a lot of Parental Control problems. Basically just : 'These 5 devices can not access these 15 websites.'
 

Adamm

Part of the Furniture
I'm surprised this is not asked for frequently by people. I suspect it would be highly used feature that solves a lot of Parental Control problems. Basically just : 'These 5 devices can not access these 15 websites.'
Parental controls are a losing battle; any slightly tech-savvy kid can and will bypass them, whether it be via VPN, proxy or encrypted DNS.
 

Willing to...

Occasional Visitor
Hi, I encounter the same problem as the poster in #7,585 regarding the update of the blacklist, with the error "Consolidating Blacklist | curl: no URL specified! curl: try 'curl --help' for more information...."

I understand that his problem was that he had tried to import a list in the wrong format (a list in hosts format); my problem is that I tried to import a list in the "good" format but still got the same error.

Reading around the forum I found that if I just import this list through amtm/skynet/import IP list/blacklist, the list will not be updated on a daily basis but is a one-time import only. I did it this way and everything went fine, but later on, when I found that I need to import it differently (if I want automatic updates), I used the following command:

Code:
firewall banmalware https://iplists.firehol.org/files/firehol_level4.netset

and got the before-mentioned error.

What am I doing wrong, and what is the correct way to import a new blacklist which will be updated regularly (I set the update to be on a daily basis)?
Also, will that list survive rebooting of the router (when someone advises how to import it correctly, so that it will be added to the 13 default lists)?

Thanks
 

Livin

Regular Contributor
Parental controls are a losing battle; any slightly tech-savvy kid can and will bypass them, whether it be via VPN, proxy or encrypted DNS.
Young kids 6-12 won't know those things, and mine are not 'techies'... they just watch videos and play games.
 

Adamm

Part of the Furniture
What am I doing wrong, and what is the correct way to import a new blacklist which will be updated regularly (I set the update to be on a daily basis)?
The malware blacklist feature requires a filter list as input, not an IP list.

Also, will that list survive rebooting of the router (when someone advises how to import it correctly, so that it will be added to the 13 default lists)?
Using a custom filter list will replace the default one included that is linked above (and will survive reboots etc)

Young kids 6-12 won't know those things, and mine are not 'techies'... they just watch videos and play games.
Gotcha, in any case a DNS based solution is your best bet.
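To make the two answers above concrete, an added example (Python, not Skynet's own code): a filter list is a text file of list URLs, one per line, whereas a .netset/.ipset file is a list of addresses and CIDRs. The checker below tells the two apart, which is the mix-up Adamm points to, and builds a combined filter list so that a new feed is fetched alongside the existing entries instead of replacing them (a custom filter list replaces the default one, so keeping the defaults means carrying their URLs over into the custom file). The two placeholder default URLs and the netset excerpt are constructed; only the firehol URL comes from the thread.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for Skynet's default filter list: a text file whose
# lines are URLs of IP lists. These placeholder URLs are NOT the real default
# entries; the real file is the one Skynet ships.
DEFAULT_FILTER_LIST = """\
# stand-in default filter list (constructed)
https://lists.example/feed-one.netset
https://lists.example/feed-two.ipset
"""

# The feed the poster tried to pass straight to `firewall banmalware`.
FIREHOL_LEVEL4 = "https://iplists.firehol.org/files/firehol_level4.netset"

# Constructed excerpt in .netset shape (addresses/CIDRs, # comments), using
# documentation ranges; not firehol's actual content.
NETSET_SAMPLE = """\
# example netset (constructed)
192.0.2.0/24
198.51.100.17
203.0.113.128/25
"""


def classify_line(line):
    """'comment' (blank or #), 'url', 'cidr' (address or network) or 'unknown'."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "comment"
    u = urlparse(s)
    if u.scheme in ("http", "https") and u.netloc:
        return "url"
    try:
        ipaddress.ip_network(s.split()[0], strict=False)
        return "cidr"
    except ValueError:
        return "unknown"


def classify_list(text):
    """'filter-list' (only URLs), 'ip-list' (only addresses/CIDRs),
    'empty' or 'mixed'."""
    kinds = {classify_line(l) for l in text.splitlines()} - {"comment"}
    if not kinds:
        return "empty"
    if kinds == {"url"}:
        return "filter-list"
    if kinds == {"cidr"}:
        return "ip-list"
    return "mixed"


def merge_filter_list(base_text, extra_urls):
    """Append list URLs to an existing filter list, preserving order and
    comments and dropping duplicates. Refuses a base that is not a filter
    list (e.g. a netset handed in by mistake) and extras that are not URLs."""
    kind = classify_list(base_text)
    if kind != "filter-list":
        raise ValueError("base is not a filter list but: " + kind)
    out, seen = [], set()
    for line in base_text.splitlines():
        k = classify_line(line)
        if k == "url" and line.strip() not in seen:
            seen.add(line.strip())
            out.append(line.strip())
        elif k == "comment" and line.strip():
            out.append(line.rstrip())
    for url in extra_urls:
        if classify_line(url) != "url":
            raise ValueError("not a list URL: " + url)
        if url.strip() not in seen:
            seen.add(url.strip())
            out.append(url.strip())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("netset is:", classify_list(NETSET_SAMPLE))
    print(merge_filter_list(DEFAULT_FILTER_LIST, [FIREHOL_LEVEL4]))
```

Skynet is pointed at a filter list by URL, so host the merged file somewhere the router can fetch it and pass that URL to `firewall banmalware` in place of the netset URL from the command quoted earlier. Whether a local file path is also accepted there is not something this thread establishes, so it is not assumed here.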
 

Willing to...

Occasional Visitor
The malware blacklist feature requires a filter list as input, not an IP list.

Willing to... said:
Also, will that list survive rebooting of the router (when someone advises how to import it correctly, so that it will be added to the 13 default lists)?
Thanks for your answer, but I still don't get it completely...
How can I add https://iplists.firehol.org/files/firehol_level4.netset to be the 14th on the default filter list (I don't want to delete or damage the default list; is it even possible to add lists to the default filter list, and if yes, how)?

Using a custom filter list will replace the default one included that is linked above (and will survive reboots etc)
Does this mean that my 1 list will replace 13 default lists?

Thanks
 

andywee

Occasional Visitor
On the lame side of things: how fast does the thumb drive need to be? Does it have to be a USB3 drive, or will an old USB2 drive @ 2-5 MB/s do?
 
