Skynet Skynet - Router Firewall & Security Enhancements

[davidlee93]

Hi,

Is it possible for skynet to block all IP ranges that are not on the whilelist? For example, I only want to whitelist Canadian and American IP ranges but block everything else.

Thanks

 

[Adamm]

Hi,

Is it possible for skynet to block all IP ranges that are not on the whilelist? For example, I only want to whitelist Canadian and American IP ranges but block everything else.

Thanks

Unfortunately not, I personally find the internet is too globally connected now for such a solution to work reliably. It would cause more issues then its worth honestly.

 

[dazedv3]

Again, thanks for this it's great @Adamm I would like to try freshjr adaptive qos improvements and was wondering if both these "scripts" work side by side or if there is anything I need to do to allow them to do so?

 

[Therion87]

Again, thanks for this it's great @Adamm I would like to try freshjr adaptive qos improvements and was wondering if both these "scripts" work side by side or if there is anything I need to do to allow them to do so?

They work side by side fine. No special requirements.

 

[visortgw]

Again, thanks for this it's great @Adamm I would like to try freshjr adaptive qos improvements and was wondering if both these "scripts" work side by side or if there is anything I need to do to allow them to do so?

The two scripts play well together.

 

[dazedv3]

thanks!

 

[vdemarco]

I have another question, i used to have upnp up and working, but now it always leaves a message saying it couldn't open a port. (DOn't have the log now)

I have since decided that i really don't need upnp on my net, so i turned it off. Does the Skynet iptable rules stop upnp from working?

I have 398.9 on my AX88.
I have the latest SkyNET and amtm installed along with entware. (if that makes a difference)

 

[joe scian]

Hi Adam
When I use IOT Blocking and execute otion 3 "List Blocked devices" it actually lists all devices NOT Blocked rather than devices that are blocked. Eg My Iphone 7 - Can you confirm this?
Actually its inconsistent as I went to unblock 1 of the IP addresses that I had previously blocked and that IP Address failed to appear in the list when selecting option 3 "list blocked devices"

 

[Adamm]

I have since decided that i really don't need upnp on my net, so i turned it off. Does the Skynet iptable rules stop upnp from working?

No, Skynet doesn't interfere with UPNP at all.

Hi Adam
When I use IOT Blocking and execute otion 3 "List Blocked devices" it actually lists all devices NOT Blocked rather than devices that are blocked. Eg My Iphone 7 - Can you confirm this?
Actually its inconsistent as I went to unblock 1 of the IP addresses that I had previously blocked and that IP Address failed to appear in the list when selecting option 3 "list blocked devices"

This function lists all your devices and shows in a table column weather each is blocked or not.

As you can see here, my CCTV system is the only blocked device which reflects my settings.

 

[joe scian]

Hi Adam
None of my other IOT devices that I have blocked appear in this list - they are all light globes starting with ESP eg

ESP_E102E1    192.168.2.63
36 / 43 Mbps
-70 dBm    23:13:53    n    _ST_AU_
BC:DD:C2:E1:16:6D
ESP_E1166D    192.168.2.201
1 / 52 Mbps
-70 dBm    23:13:53    n    _ST_AU_
BC:DD:C2:E1:12:D6
ESP_E112D6    192.168.2.205
36 / 72 Mbps
-63 dBm    23:13:53    n    _ST_AU_
60:01:94:A1:C3:23
ESP_A1C323    192.168.2.50
24 / 52 Mbps
-63 dBm    28:42:05    n    _ST_AU_
DC:4F:22:23:B7:1A
ESP_23B71A    192.168.2.103
18 / 72 Mbps
-65 dBm    28:43:13    n    _ST_AU_
BC:DD:C2:E0:5D:44
ESP_E05D44    192.168.2.42
18 / 65 Mbps
-64 dBm    28:43:14    n    _ST_AU_
BC:DD:C2:E0:5E:80
ESP_E05E80    192.168.2.190
1 / 43 Mbps
-70 dBm    28:43:15    n    _ST_AU_
BC:DD:C2:E0:2B:47

---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------

IPHONE-7                                 | 192.168.2.244    | 20:ee:28:f0:11:f2    | Unblocked
MT7681                                   | 192.168.2.27     | 28:f3:66:e9:4f:15    | Unblocked
iPhone6                                  | 192.168.2.51     | Unknown              | Unblocked
Unknown                                  | 192.168.2.73     | 00:05:fe:85:23:55    | Blocked
amazon-ddc7438e8                         | 192.168.3.56     | Unknown              | Blocked
LinksysPAP                               | 192.168.2.54     | Unknown              | Unblocked
amazon-06802718a                         | 192.168.3.175    | Unknown              | Blocked
amazon-d869a9f78                         | 192.168.3.186    | Unknown              | Blocked
surfacepc                                | 192.168.2.119    | 50:1a:c5:f6:9a:85    | Unblocked
amazon-c16dc9d27                         | 192.168.3.192    | 6c:56:97:dc:67:ea    | Blocked
Chromecast                               | 192.168.3.201    | 6c:ad:f8:f5:e7:41    | Blocked
ESP_13C0EA                               | 192.168.3.10     | 60:01:94:13:c0:ea    | Blocked
Ring                                     | 192.168.2.35     | Unknown              | Unblocked
FLIPSSURFACE                             | 192.168.2.76     | Unknown              | Unblocked
COM-MID1                                 | 192.168.4.75     | bc:30:7e:04:00:bb    | Blocked
Chromecast_5Ghz                          | 192.168.2.143    | 54:60:09:7c:93:9e    | Blocked
Unknown                                  | 192.168.2.200    | 7c:2f:80:b5:b8:ed    | Unblocked

 

[Adamm]

Hi Adam
None of my other IOT devices that I have blocked appear in this list - they are all light globes eg

Skynet generates this data based on output from the following command;

ip neigh

I see 9 blocked devices in your output, how many are missing?

 

[joe scian]

about 9

 

[joe scian]

Adam
This is the Output from skynet.ipset showing all IOT blocked devices - therefore 10 devices missing from list output using ip neigh

create Skynet-IOT hash:net family inet hashsize 1024 maxelem 65536 comment
add Skynet-IOT 192.168.2.143 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.201 comment "IOTBan: Mar 09 10:25:13"
add Skynet-IOT 192.168.2.63 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.2.189 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.2.73 comment "IOTBan: Mar 09 11:49:10"
add Skynet-IOT 192.168.2.50 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.4.75 comment "IOTBan: Mar 09 11:26:46"
add Skynet-IOT 192.168.2.56 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.2.103 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.3.201 comment "IOTBan: Mar 09 10:30:00"
add Skynet-IOT 192.168.3.10 comment "IOTBan: Mar 09 11:06:44"
add Skynet-IOT 192.168.3.175 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.3.186 comment "IOTBan: Mar 09 11:07:59"
add Skynet-IOT 192.168.2.42 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.3.192 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.205 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.3.56 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.163 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.2.190 comment "IOTBan: Mar 09 09:58:48"

 

[Adamm]

Adam
This is the Output from skynet.ipset showing all IOT blocked devices - therefore 10 devices missing from list output using ip neigh

create Skynet-IOT hash:net family inet hashsize 1024 maxelem 65536 comment
add Skynet-IOT 192.168.2.143 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.201 comment "IOTBan: Mar 09 10:25:13"
add Skynet-IOT 192.168.2.63 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.2.189 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.2.73 comment "IOTBan: Mar 09 11:49:10"
add Skynet-IOT 192.168.2.50 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.4.75 comment "IOTBan: Mar 09 11:26:46"
add Skynet-IOT 192.168.2.56 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.2.103 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.3.201 comment "IOTBan: Mar 09 10:30:00"
add Skynet-IOT 192.168.3.10 comment "IOTBan: Mar 09 11:06:44"
add Skynet-IOT 192.168.3.175 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.3.186 comment "IOTBan: Mar 09 11:07:59"
add Skynet-IOT 192.168.2.42 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.3.192 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.205 comment "IOTBan: Mar 09 10:22:29"
add Skynet-IOT 192.168.3.56 comment "IOTBan: Mar 09 11:10:34"
add Skynet-IOT 192.168.2.163 comment "IOTBan: Mar 09 09:58:48"
add Skynet-IOT 192.168.2.190 comment "IOTBan: Mar 09 09:58:48"

Perhaps these devices haven't connected to the internet in a long period of time so the connection is no longer considered active? Is this causing any issues on these devices or are you just concerned visually?

 

[joe scian]

No Just visually - not a big deal - actually some of the lights have just come on - on a schedule- and I reran list and now only a few are missing

---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------

IPHONE-7                                 | 192.168.2.244    | 20:ee:28:f0:11:f2    | Unblocked
MT7681                                   | 192.168.2.27     | 28:f3:66:e9:4f:15    | Unblocked
iPhone6                                  | 192.168.2.51     | 74:1b:b2:76:f0:98    | Unblocked
Unknown                                  | 192.168.2.73     | 00:05:fe:85:23:55    | Blocked
amazon-ddc7438e8                         | 192.168.3.56     | 78:e1:03:c0:35:fb    | Blocked
ESP_23B71A                               | 192.168.2.103    | dc:4f:22:23:b7:1a    | Blocked
amazon-06802718a                         | 192.168.3.175    | fc:a1:83:ae:45:99    | Blocked
amazon-d869a9f78                         | 192.168.3.186    | 18:74:2e:9a:d2:bd    | Blocked
ESP_E05D44                               | 192.168.2.42     | bc:dd:c2:e0:5d:44    | Blocked
surfacepc                                | 192.168.2.119    | 50:1a:c5:f6:9a:85    | Unblocked
amazon-c16dc9d27                         | 192.168.3.192    | 6c:56:97:dc:67:ea    | Blocked
Chromecast                               | 192.168.3.201    | 6c:ad:f8:f5:e7:41    | Blocked
ESP_E05E80                               | 192.168.2.190    | bc:dd:c2:e0:5e:80    | Blocked
ESP_13C0EA                               | 192.168.3.10     | 60:01:94:13:c0:ea    | Blocked
Ring                                     | 192.168.2.35     | 0c:b2:b7:61:a4:a6    | Unblocked
ESP_E02B47                               | 192.168.2.163    | bc:dd:c2:e0:2b:47    | Blocked
COM-MID1                                 | 192.168.4.75     | bc:30:7e:04:00:bb    | Blocked
Chromecast_5Ghz                          | 192.168.2.143    | 54:60:09:7c:93:9e    | Blocked
Unknown                                  | 192.168.2.200    | 7c:2f:80:b5:b8:ed    | Unblocked

 

[Adamm]

No Just visually - not a big deal

Okay well the best I can tell you is that Skynet appears to be working fine, im sure there's a valid reason these devices aren't visually showing up.

 

[joe scian]

sure - no problem - thanks for a great script

 

[martinr]

In Skynet's Settings (Option 11), Option 5 is "Unban PrivateIP", and mine is Enabled by default.

What does it do? I've searched using Google and on the forum without finding an answer.

 

[Adamm]

In Skynet's Settings (Option 11), Option 5 is "Unban PrivateIP", and mine is Enabled by default.

What does it do? I've searched using Google and on the forum without finding an answer.

Its a failsafe that regularly scans blocked entries for anything that shouldn't be there which would cause connection issues.

 

[martinr]

Its a failsafe that regularly scans blocked entries for anything that shouldn't be there which would cause connection issues.

Thanks Adam. So no-one would have any valid reason to disable it?