Skynet Skynet - Router Firewall & Security Enhancements


Don’t apologise: many of us started out like that (and some of us still feel that way. ;). Problem is there’s always a tacit, assumed foundation of knowledge and experience required. I spend a lot of my time trawling through YouTube videos and tutorials just to understand some of the questions on this forum let alone making sense of the answers! All one can do is plod on and work on the basis that if you fling enough sh!t at a wall, some of it eventually sticks.

Thanks for those kind words, I appreciate it. I haven't been able to find anything on Youtube about Skynet, Diversion, or other scripts. There are a few tutorials on Asus routers and Asus-Merlin firmware, mostly about download and installation. I used to watch TV in my spare time, now I watch Youtube and try to learn something. They are not all good, though, you got to pick 'em. Some are real duds.
 
I'm trying to find a fallback solution for the times that Banmalware runs and takes so long that many IPs are removed from the blocking list, like this on 28 Feb.
Code:
Feb 28 04:29:05 RT-AC86U Skynet: [#] 78495 IPs (-45062) -- [banmalware] [245s]
Feb 29 04:25:40 RT-AC86U Skynet: [#] 128732 IPs (+50237) --[banmalware] [40s]
I have never seen that occur two days in a row. As you see this is an AC86U that normally processes the banmalware update in 35-45 seconds, except at least once weekly it runs long, well over 100 minutes up to 300 minutes. It might be the servers are busy; my thoughts are there are conflicting events on my router. I know Skynet sets random times to download IP updates. I still see these long times every 7-10 days. Oddly the "random" time Skynet likes to choose is 0525, shortly after the 0520 time Diversion rotates dnsmasq log files, and those processes overlap.

My thought is to somehow scan the skynet.log daily for banmalware, say 0613 daily, and if times are long, maybe over 100 minutes (TBD), it will run the banmalware update command again? As many here know from my posts through time, I am a script retard / dunce. Adamm, could that be added as a feature to Skynet, or does someone have a quick script that I can run in a cron job once a day to accomplish this? I try to check the Skynet log after I get up to see what the banmalware update results are and manually run it again if needed, but I forget or get busy.
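As an added example (not Skynet's code and not the poster's), here is a small POSIX sh script for the daily cron check asked for above. It parses banmalware lines in the log format shown, reads the trailing `[245s]` field as seconds, and also flags a run that removed a large number of IPs, since a big negative delta is the other symptom of a list failing to download. The thresholds, the `SKYNET_LOG` path variable and the `firewall banmalware` rerun command are assumptions to adjust for your install.

```shell
#!/bin/sh
# Daily check for a slow or failed Skynet banmalware update (added example, not Skynet code).
# Constructed sample in the log format shown in the thread; not a real log.
SAMPLE_LOG='Feb 27 04:25:41 RT-AC86U Skynet: [#] 123557 IPs (+102) -- [banmalware] [38s]
Feb 28 04:29:05 RT-AC86U Skynet: [#] 78495 IPs (-45062) -- [banmalware] [245s]
Feb 29 04:25:40 RT-AC86U Skynet: [#] 128732 IPs (+50237) --[banmalware] [40s]'

# Thresholds are assumptions; tune them to your router's normal 35-45s runs.
MAX_SECONDS=100      # a run longer than this most likely hit curl timeouts/retries
MAX_DROP=10000       # losing more IPs than this in one run suggests a list failed to download
# Assumption: Skynet's command to refresh the malware lists. Adjust for your version.
BANMALWARE_CMD="sh /jffs/scripts/firewall banmalware"

# Print "<seconds> <delta>" for the most recent banmalware entry in the text given
# as $1, or print nothing if there is none.
last_banmalware() {
    printf '%s\n' "$1" | grep -F '[banmalware]' | tail -n 1 |
        sed -n 's/.*(\([-+][0-9]*\)).*\[banmalware\] \[\([0-9]*\)s\].*/\2 \1/p'
}

# Echo "ok" or "rerun:<reason>" for the log text given as $1.
banmalware_verdict() {
    entry=$(last_banmalware "$1")
    if [ -z "$entry" ]; then
        echo "rerun:no-entry"
        return 0
    fi
    secs=${entry% *}
    delta=${entry#* }
    if [ "$secs" -gt "$MAX_SECONDS" ]; then
        echo "rerun:slow(${secs}s)"
        return 0
    fi
    case $delta in
        -*) if [ "${delta#-}" -gt "$MAX_DROP" ]; then
                echo "rerun:drop(${delta})"
                return 0
            fi ;;
    esac
    echo ok
}

# Cron entry point: with SKYNET_LOG set (path to your skynet.log, an assumption
# since the location depends on the install) inspect the live log and rerun the
# update when needed; without it, just show the verdict on the sample above.
if [ -n "${SKYNET_LOG:-}" ]; then
    verdict=$(banmalware_verdict "$(tail -n 500 "$SKYNET_LOG")")
    logger -t skynet-check "banmalware check: $verdict"
    case $verdict in
        rerun:*) $BANMALWARE_CMD ;;
    esac
else
    echo "sample verdict: $(banmalware_verdict "$SAMPLE_LOG")"
fi
```

Run it from cron at the time you prefer (0613 in the post above) with SKYNET_LOG exported; the verdict is also written to syslog so it shows up next to Skynet's own lines.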
 
except at least once weekly it runs long, well over 100 minutes up to 300 minutes.

I think you mean seconds, and this most likely indicates downloading a particular list timed out and curl kept retrying as per its default parameters.

I still see these long times every 7-10 days. Oddly the "random" times Skynet like to choose is 0525, shortly after the 0520 time Diversion rotates dnsmasq log files and those processes overlap

We choose a random hour at 25 minutes past to avoid essentially DDOS'ing firehol's servers with thousands of Skynet users download requests. fwiw today's large change in numbers was due to this commit where we removed some inactive lists and switched to using bi_any_2_30d.ipset to replace them.
 
Thanks for those kind words, I appreciate it. I haven't been able to find anything on Youtube about Skynet, Diversion, or other scripts. There are a few tutorials on Asus routers and Asus-Merlin firmware, mostly about download and installation. I used to watch TV in my spare time, now I watch Youtube and try to learn something. They are not all good, though, you got to pick 'em. Some are real duds.
Yes indeed: some real duds out there. (Sometimes I shut it down as soon as I hear the audio.) No, I was thinking of the more basic stuff like how DNS works, what a recursive server does, how public key infrastructure works, how certificates are used ....

For the more detailed stuff, like specific tutorials on items directly relevant to this forum, you’d do well to ask, because some of the experts here have written one or 2 guides. They are mostly buried in posts so they can be hard to find without help, but some of us have them bookmarked. And if there isn’t a specific guide, you only need to query anything you don’t understand and someone will put you right.

Usually, the very first post (and maybe the next one or 2) for a specific script contain most of what you need to know to get started at least. But you’ll already have found that out.
 
Hi. I know I should probably be able to find the answer somewhere in this thread - but searching on IOT is not allowed, and after reading a few hundred posts I decided to give up :(
I'm trying to set up a guest network for my IOT sensors, and want to ban them from accessing the internet.
I did a factory reset of my AC87U running latest firmware, installed AMTM (no 385 firmware available for that device yet), Diversion, Skynet and YazFi.
The IOT network is using 10.0.3.0 as subnet, so I added the complete IP range to Skynet IOT banned devices 10.0.3.2-10.0.3.254.

After rebooting and connecting a smartphone and a couple of sensors to the new guest network the list of blocked IOT devices looks like this. Most Unblocked devices are removed from the list (the Unknown devices are a couple of ESP8266's with static IPs):
Code:
---------------                          | ------------     | ---------------      | ----------
| Device Name |                          | | Local IP |     | | MAC Address |      | | Status |
---------------                          | ------------     | ---------------      | ----------
ESP-Kontor-0                             | 10.0.0.245       | dc:4f:xx:xx:xx:xx    | Unblocked
Unknown                                  | 10.0.3.11        | 2c:3a:xx:xx:xx:xx    | Blocked
Unknown                                  | 10.0.3.13        | dc:4f:xx:xx:xx:xx    | Blocked
KA_OP5T                                  | 10.0.3.154       | 94:65:xx:xx:xx:xx    | Blocked

IPtables look like this:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
YazFiINPUT  all  --  anywhere             anywhere
logdrop    icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere             state INVALID
PTCSRVWAN  all  --  anywhere             anywhere
PTCSRVLAN  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW
OVPN       all  --  anywhere             anywhere             state NEW
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
INPUT_ICMP  icmp --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             match-set Skynet-IOT src tcp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere             match-set Skynet-IOT src udp dpt:ntp
LOG        all  --  anywhere             anywhere             match-set Skynet-IOT src LOG level warning tcp-sequence t"
DROP       all  --  anywhere             anywhere             match-set Skynet-IOT src
YazFiFORWARD  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
other2wan  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere             state INVALID
NSFW       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
OVPN       all  --  anywhere             anywhere             state NEW
logdrop    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ACCESS_RESTRICTION (0 references)
target     prot opt source               destination

Chain DNSFILTER_DOT (0 references)
target     prot opt source               destination

Chain FUPNP (0 references)
target     prot opt source               destination

Chain INPUT_ICMP (1 references)
target     prot opt source               destination
RETURN     icmp --  anywhere             anywhere             icmp echo-request
RETURN     icmp --  anywhere             anywhere             icmp timestamp-request
ACCEPT     icmp --  anywhere             anywhere

Chain NSFW (1 references)
target     prot opt source               destination
DROP       gre  --  anywhere             anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:1723

Chain OVPN (2 references)
target     prot opt source               destination

Chain PControls (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain PTCSRVLAN (1 references)
target     prot opt source               destination

Chain PTCSRVWAN (1 references)
target     prot opt source               destination

Chain SECURITY (0 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/SYN
RETURN     tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
logdrop    tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,ACK/RST
RETURN     icmp --  anywhere             anywhere             icmp echo-request limit: avg 1/sec burst 5
logdrop    icmp --  anywhere             anywhere             icmp echo-request
RETURN     all  --  anywhere             anywhere

Chain YazFiFORWARD (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain YazFiINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps,ntp
ACCEPT     icmp --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             multiport dports bootps,ntp
ACCEPT     icmp --  anywhere             anywhere
YazFiREJECT  all  --  anywhere             anywhere

Chain YazFiREJECT (3 references)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain default_block (0 references)
target     prot opt source               destination

Chain logaccept (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             state NEW LOG level warning tcp-sequence tcp-options ip-o"
ACCEPT     all  --  anywhere             anywhere

Chain logdrop (9 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain other2wan (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
logdrop    all  --  anywhere             anywhere

Now - I guess everything looks as it should - but the smartphone still has full internet access (rebooted and disabled mobile data).
Have I misunderstood something about how IOT blocking works, or am I missing some steps?
 
@Kenneth Andersen, the 'latest firmware' isn't descriptive enough. Which actual firmware are you running? RT-AC87U: 384.13_4 is the latest and supports amtm 'built-in' which means you shouldn't have had to install amtm manually.

Depending on what you did to get to where you are, I may be tempted to start over fresh with a full M&M Config (please see the link in my signature below).

You can get around any in-forum search restrictions by using the search engine of your choice and using a variation of 'site: snbforums.com' on the end too.
 
I think you mean seconds, and this most likely indicates downloading a particular list timed out and curl kept retrying as per its default parameters.



We choose a random hour at 25 minutes past to avoid essentially DDOS'ing firehol's servers with thousands of Skynet users download requests. fwiw today's large change in numbers was due to this commit where we removed some inactive lists and switched to using bi_any_2_30d.ipset to replace them.
Yes, seconds not minutes. :oops:

I understand and remember why the random xx25 cron job times. I was half joking on that 0525 comment on running right after Diversion. That is what alerted me to this long xxx seconds processing and list update failure.

So no comments on a fallback feature, the point of my entire post?
 
Hi. I know I should probably be able to find the answer somewhere in this thread - but searching on IOT is not allowed, and after reading a few hundred posts I decided to give up :(
I'm trying to set up a guest network for my IOT sensors, and want to ban them from accessing the internet.
I did a factory reset of my AC87U running latest firmware, installed AMTM (no 385 firmware available for that device yet), Diversion, Skynet and YazFi.
The IOT network is using 10.0.3.0 as subnet, so I added the complete IP range to Skynet IOT banned devices 10.0.3.2-10.0.3.254.

Now - I guess everything looks as it should - but the smartphone still has full internet access (rebooted and disabled mobile data).
Have I misunderstood something about how IOT blocking works, or am I missing some steps?

Try an IP on your regular network (not guest), I did a test on my end and that much seems to work smoothly. I'll have to investigate and see if guest networks/yazfi interfere somehow.
 
Try an IP on your regular network (not guest), I did a test on my end and that much seems to work smoothly. I'll have to investigate and see if guest networks/yazfi interfere somehow.
Shouldn't do, looks like Skynet's IOT rules are above YazFi's in the FORWARD chain. Unless you match specifically against br0?

EDIT:

Looks like you assume br0 for the incoming iface:
Code:
Load_IOTTables() {
if [ "$iotblocked" = "enabled" ]; then
    iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src ! -o tun2+ -j DROP 2>/dev/null
    if [ -n "$iotports" ]; then
        if [ "$iotproto" = "all" ] || [ "$iotproto" = "udp" ]; then
            iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src -o "$iface" -p udp -m udp -m multiport --dports "$iotports" -j ACCEPT 2>/dev/null
        fi
        if [ "$iotproto" = "all" ] || [ "$iotproto" = "tcp" ]; then
            iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src -o "$iface" -p tcp -m tcp -m multiport --dports "$iotports" -j ACCEPT 2>/dev/null
        fi
    else
        if [ "$iotproto" = "all" ] || [ "$iotproto" = "udp" ]; then
            iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src -o "$iface" -p udp -m udp --dport 123 -j ACCEPT 2>/dev/null
        fi
        if [ "$iotproto" = "all" ] || [ "$iotproto" = "tcp" ]; then
            iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src -o "$iface" -p tcp -m tcp --dport 123 -j ACCEPT 2>/dev/null
        fi
    fi
fi
}
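Added example (not Skynet's or YazFi's code) that audits the point made above: given `iptables -S FORWARD` output, it reports which LAN-side interfaces have no Skynet-IOT DROP rule covering them, so a guest interface that is not br0 shows up immediately. The sample rule text is constructed and the guest interface name wl0.1 is an assumption; real names depend on the firmware and the YazFi setup.

```shell
#!/bin/sh
# Audit which LAN-side interfaces Skynet's IOT DROP rule actually covers (added example,
# not Skynet's code). Constructed sample of `iptables -S FORWARD` output; the guest
# interface name wl0.1 is an assumption.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i br0 -m set --match-set Skynet-IOT src -o eth0 -p tcp -m tcp --dport 123 -j ACCEPT
-A FORWARD -i br0 -m set --match-set Skynet-IOT src -o eth0 -p udp -m udp --dport 123 -j ACCEPT
-A FORWARD -i br0 -m set --match-set Skynet-IOT src ! -o tun2+ -j DROP
-A FORWARD -j YazFiFORWARD'
SAMPLE_IFACES='br0 wl0.1'

# Print the -i interface of every Skynet-IOT DROP rule in the rule text $1, one per line.
iot_drop_ifaces() {
    printf '%s\n' "$1" | grep -F -- '--match-set Skynet-IOT src' | grep -F -- '-j DROP' |
        sed -n 's/.* -i \([^ ]*\) .*/\1/p'
}

# Print the interfaces from the space-separated list $2 that no Skynet-IOT DROP rule
# matches. An iptables wildcard such as br+ is honoured by mapping it to a shell glob.
uncovered_ifaces() {
    covered=$(iot_drop_ifaces "$1")
    for dev in $2; do
        hit=0
        for pat in $covered; do
            glob=$(printf '%s' "$pat" | sed 's/+$/*/')
            case $dev in $glob) hit=1 ;; esac
        done
        [ "$hit" -eq 0 ] && printf '%s\n' "$dev"
    done
    return 0
}

# On the router: sh audit.sh live "br0 wl0.1" (pass your own LAN-side interface list).
# Without "live" the check runs on the constructed sample above.
if [ "${1:-}" = "live" ]; then
    uncovered_ifaces "$(iptables -S FORWARD)" "${2:-br0}"
else
    echo "sample: not covered by Skynet-IOT DROP -> $(uncovered_ifaces "$SAMPLE_RULES" "$SAMPLE_IFACES")"
fi
```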
 
Update: Has anyone figured out how to successfully whitelist QVC? I've added their IP address 167.140.19.0/24 in the VPN rules table, and I tried adding the AS number AS15086 in Skynet, but QVC still detects that I'm on a VPN.
 
@Kenneth Andersen, the 'latest firmware' isn't descriptive enough. Which actual firmware are you running? RT-AC87U: 384.13_4 is the latest and supports amtm 'built-in' which means you shouldn't have had to install amtm manually.

Depending on what you did to get to where you are, I may be tempted to start over fresh with a full M&M Config (please see the link in my signature below).

You can get around any in-forum search restrictions by using the search engine of your choice and using a variation of 'site: snbforums.com' on the end too.
Thanks. I'm running 384.13_4, but missed that amtm was added even though RT-AC87U still hasn't been bumped to 385.
Followed your instruction for M&M.

Try an IP on your regular network (not guest), I did a test on my end and that much seems to work smoothly. I'll have to investigate and see if guest networks/yazfi interfere somehow.
On the fresh install I added Diversion and Skynet. Created a new guest network for IOT devices, but deferred from YazFi. IOT ban working fine.

Then added YazFi (I want client isolation on my normal guest network and the IOT network), but now IOT ban isn't working anymore.
So either YazFi itself breaks the ban, or the VLAN it creates does it (requires new subnet for each network).
 
Update: Has anyone figured out how to successfully whitelist QVC? I've added their IP address 167.140.19.0/24 in the VPN rules table, and I tried adding the AS number AS15086 in Skynet, but QVC still detects that I'm on a VPN.

Uh, wrong thread? If some website detects you're on a VPN it's because they blacklisted your provider's IP space.

On the fresh install I added Diversion and Skynet. Created a new guest network for IOT devices, but deferred from YazFi. IOT ban working fine.

Then added YazFi (I want client isolation on my normal guest network and the IOT network), but now IOT ban isn't working anymore.
So either YazFi itself breaks the ban, or the VLAN it creates does it (requires new subnet for each network).

Right, I'm aware of the issue as it appears these guest networks listen on a different interface than our regular br0. It's on my todo list ;)
 
Look in AddOns / Diversion Stats
5string, I found the addons. I had to add a couple of scripts, but now I've got the GUIs and can review logs.
thanks.
 
Uh, wrong thread? If some website detects you're on a VPN it's because they blacklisted your provider's IP space.

Oops, sorry.
 
 
Skynet: No Data to Display

Hello, I'm running Skynet v7.1.2 via Merlin 384.15 on a RT-AC86U router and for some reason the Skynet logging function is not recording the dropped connections. If I click on the 'Advanced Settings/Firewall/Skynet' tab of the UI, I get: No Data to Display in all fields. I haven't re-started Skynet in over three days and still don't see any dropped packets...

Additionally if I type the following command in the CLI: sh /jffs/scripts/firewall stats, it gives the following result:
[*] No Logging Data Detected - Give This Time To Generate

I have rebooted the router multiple times and have tried different browsers (Firefox, IE, Chrome) with the same result. How do I go about troubleshooting this issue?

Thx

 

Check if logging is enabled in Skynet Settings. Bring up the Skynet menu, choose 11 Settings, then number 3 will show the status:
Code:
3]  --> Logging                    | [Enabled]
 
Thanks for the reply @Butterfly Bones.

Yes logging is enabled:
 
