Skynet - Router Firewall & Security Enhancements

Perhaps I am describing it wrong. :p

I've been using this country block script which blocks incoming IPs from certain countries. I can still access content and websites from blocked countries if the connection is outgoing. The downside to the script is that it has a 64k hard limit which shouldn't be an issue on my router as my ipset version is 6.32 but I guess that's the limitation of the script. This is partly why I wanted to switch to Skynet but I still like to be able to access content and websites from a country that I have otherwise blocked for incoming connections. This is what I'm hoping to get out of Skynet.
That script works on the filter table in the firewall, while Skynet works on the raw table, which for simplicity is at a level lower than your former script.

However, I don’t understand how you could still browse outgoing because that script blocks all forwarded traffic to a country as either source or destination. Maybe the IP list isn’t as comprehensive (I haven’t compared)?
 
Disk check only takes seconds on my 8GB flash drive formatted as ext4. If your checks are taking longer than 2 minutes there's unfortunately no avoiding this issue as your device isn't mounted (thus Skynet can't find the files). You will have to either continue as-is or remove the automated disk checking.
I have three (slow) 8GB usb flash drives connected. So it seems that under these circumstances Disk check takes a bit too long (to go thru all the drives and finish in time). But no problem (just trouble). :D
 
Anyone using Konnected boards? I believe Skynet is blocking the Konnected cloud app as it shows my devices when I disable Skynet?
 
I noticed that Skynet is not updating properly in the stats page. I also tried to reinstall SkyNet but still see the same outcome in the UI and log.


Mar 22 13:14:58 RT-AC86U-6558 amas_lib[1177]: Error locking /var/lock/amas_node_list.lock: 0 Already locked
Mar 22 13:14:58 RT-AC86U-6558 amas_lib[1177]: Error unlocking -1: 9 Bad file descriptor
Mar 22 14:10:13 RT-AC86U-6558 rc_service: httpd 999:notify_rc start_SkynetStats
Mar 22 14:10:13 RT-AC86U-6558 custom_script: Running /jffs/scripts/service-event (args: start SkynetStats)
Mar 22 14:10:46 RT-AC86U-6558 rc: received unrecognized event: SkynetStats

Any ideas?

upload_2020-3-22_14-12-37.png



Code:
Router Model; RT-AC86U
Skynet Version; v7.1.4 (18/03/2020) (bccc22b2edd848d6c7a93967de81d4ce)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (XXXXXX)
FW Version; 384.15_0 (Feb 8 2020) (4.1.27)
Install Dir; /tmp/mnt/entware/skynet (1.4G / 1.9G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (2.0G)

158435 IPs (+0) -- 1794 Ranges Banned (+0) || 41 Inbound -- 13 Outbound Connections Blocked!
 
Anyone using Konnected boards? I believe Skynet is blocking the Konnected cloud app as it shows my devices when I disable Skynet?

Halp - BestApp.exe or BestWebsite.com Is Being Blocked;

Don't worry, tracking down false positive bans was at the core of design. Generally speaking you can follow these steps to find (and whitelist) anything incorrectly on your Blacklist!

1.) Enable Logging
Code:
sh /jffs/scripts/firewall settings logmode enable
2.) Open the blocked application/website and use the command;

Code:
sh /jffs/scripts/firewall debug watch
Now look for a flood of [BLOCKED - OUTBOUND] coming from the same IP. This most likely will be the IP you are looking for if it's being spammed in large numbers.

3.) Copy the IP following "DST=" it should look something like this;
Code:
DST=175.115.37.52
4.) Double check the IP is not actually something that should be banned, use a search tool like alienvault. If it's related to a domain, additional "Associated Domain" information should be printed beneath the log.

Code:
https://otx.alienvault.com/indicator/ip/175.115.37.52/
5.) Great, we have confirmed we found the IP of the blocked website/application we are looking for, let's whitelist it!

Code:
sh /jffs/scripts/firewall whitelist ip 175.115.37.52
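
Steps 2 and 3 above, done offline over saved log lines, as an added example that is not part of the original post or of Skynet itself. The sample lines are constructed, and their field layout (standard iptables LOG style) and the function names are assumptions; only the `[BLOCKED - OUTBOUND]` tag and the `DST=` field come from the post.

```shell
#!/bin/sh
# Added example: rank destination IPs seen in [BLOCKED - OUTBOUND] log lines.

# Constructed sample in iptables LOG style. Only the "[BLOCKED - OUTBOUND]"
# tag and the "DST=" field come from the post; the rest is an assumed layout.
sample_log() {
cat <<'EOF'
Mar 22 14:10:13 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51514 DPT=443
Mar 22 14:10:14 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51515 DPT=443
Mar 22 14:10:14 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=23
Mar 22 14:10:15 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51516 DPT=443
Mar 22 14:10:16 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49152 DPT=80
Mar 22 14:10:17 router kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=175.115.37.52 LEN=60 PROTO=TCP SPT=51517 DPT=443
Mar 22 14:10:18 router kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=23
EOF
}

# Read log lines on stdin; print "count ip" per outbound-blocked destination,
# most frequent first. Inbound blocks and malformed DST fields are ignored.
top_blocked_dst() {
    awk '
        /\[BLOCKED - OUTBOUND\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DST=[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    hits[substr($i, 5)]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print the most-blocked destination, but only if it was hit at least $1
# times (default 3), so a single stray block is not mistaken for the flood.
candidate_ip() {
    top_blocked_dst | awk -v min="${1:-3}" 'NR == 1 && $1 + 0 >= min + 0 { print $2 }'
}

# Demo on the constructed sample.
sample_log | top_blocked_dst
```

The address that comes out on top is only a candidate; the reputation check in step 4 still decides whether it goes on the whitelist.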
 
I noticed that Skynet is not updating properly in the stats page. I also tried to reinstall SkyNet but still see the same outcome in the UI and log.


Mar 22 13:14:58 RT-AC86U-6558 amas_lib[1177]: Error locking /var/lock/amas_node_list.lock: 0 Already locked
Mar 22 13:14:58 RT-AC86U-6558 amas_lib[1177]: Error unlocking -1: 9 Bad file descriptor
Mar 22 14:10:13 RT-AC86U-6558 rc_service: httpd 999:notify_rc start_SkynetStats
Mar 22 14:10:13 RT-AC86U-6558 custom_script: Running /jffs/scripts/service-event (args: start SkynetStats)
Mar 22 14:10:46 RT-AC86U-6558 rc: received unrecognized event: SkynetStats

Any ideas?


Code:
Router Model; RT-AC86U
Skynet Version; v7.1.4 (18/03/2020) (bccc22b2edd848d6c7a93967de81d4ce)
iptables v1.4.15 - (eth0 @ 192.168.1.1)
ipset v6.32, protocol version: 6
IP Address; (XXXXXX)
FW Version; 384.15_0 (Feb 8 2020) (4.1.27)
Install Dir; /tmp/mnt/entware/skynet (1.4G / 1.9G Space Available)
SWAP File; /tmp/mnt/data/myswap.swp (2.0G)

158435 IPs (+0) -- 1794 Ranges Banned (+0) || 41 Inbound -- 13 Outbound Connections Blocked!

Skynet looks like it is working perfectly, you only have 16KB of logs so of course there isn't much to display.
 
Hi,

Thank you so much for this Firewall options.
I would have a question, if you can please provide some help, I will appreciate.
Is there an option to stop it / start it from the command line?
Thank you!

All the best,
amplatfus
 
Top 50 Targeted ports, all from Speedguide.net ???
Those are your targeted 50 ports that have nothing to do with speedguide.net. The speedguide.net is your reference of what the port represents. If you are looking at the stats through ssh, copy the speedguide URL reference then paste it to your browser to understand what the targeted port is; if you are seeing the link from the webui, click it to send you to speedguide's guide to understand the port.
 
Can anyone tell me if this line from system log is the result of an attack, or something configured incorrectly?
And, are all of those WLCEVENTD Disassoc, ReAssoc, and Auth's the result of an attack, or just the router doing its business?

Mar 23 04:33:32 RT-AC86U-8F38 kernel: br0: received packet on eth6 with own address as source address

RT-AC86U with Merlin 314.15, RT-AC68U aimesh node with same f/w, amtm, diversion, uidivstats, Skynet, scribe, uiscribe, conmon, spdMerlin, scmerlin, nsrum, FreshJR's Adaptive QOS
 
When skynet is restarting, why is this appearing 3x in syslog within 2 minutes?

syslog.PNG


Edit:
I had troubles inserting this code and uploading .txt file.
snbforums blocked it.
So I uploaded a .png of syslog.

Edit2:
After experimenting around and factory resetting my router I think skynet has a problem with strict DoT DNS server settings:

Skynet takes much longer to restart when I have set 9.9.9.9 as a strict DoT DNS.
Skynet restarts faster when I set to "Connect automatically to DNS server" via my ISP. (which is 8.8.8.8)
 
Can anyone tell me if this line from system log is the result of an attack, or something configured incorrectly?
And, are all of those WLCEVENTD Disassoc, ReAssoc, and Auth's the result of an attack, or just the router doing its business?

Mar 23 04:33:32 RT-AC86U-8F38 kernel: br0: received packet on eth6 with own address as source address

RT-AC86U with Merlin 314.15, RT-AC68U aimesh node with same f/w, amtm, diversion, uidivstats, Skynet, scribe, uiscribe, conmon, spdMerlin, scmerlin, nsrum, FreshJR's Adaptive QOS
No it is left over debug code from the Wireless Client Event Daemon. This has been asked so many times in the last few months without searching I bookmarked Merlin's reply.
https://www.snbforums.com/threads/r...13-is-now-available.57860/page-35#post-515660
 
When skynet is restarting, why is this appearing 3x in syslog within 2 minutes?

Edit:
I had troubles inserting this code and uploading .txt file.
snbforums blocked it.
So I uploaded a .png of syslog.

Edit2:
After experimenting around and factory resetting my router I think skynet has a problem with strict DoT DNS server settings:

Skynet takes much longer to restart when I have set 9.9.9.9 as a strict DoT DNS.
Skynet restarts faster when I set to "Connect automatically to DNS server" via my ISP. (which is 8.8.8.8)

Completely unrelated to Skynet, we don't interfere with DNS at all.
 
No it is left over debug code from the Wireless Client Event Daemon. This has been asked so many times in the last few months without searching I bookmarked Merlin's reply.
https://www.snbforums.com/threads/r...13-is-now-available.57860/page-35#post-515660

Thank you. Do you have an opinion on the:
kernel: br0: received packet on eth6 with own address as source address.

I don't know how long this has been going on, but I have a switch between my RT-AC68U aimesh node and RT-AC86U and wondered if that might be where it was coming from, if it's not attacks. There is a NAS, (WD MyCloudEX2Ultra) coming out of the switch in addition to the ethernet backhaul from the node. It has been working OK seems like. My thinking was with the switch, the router wouldn't have to deal with any extra traffic.

thanks again,
jts

RT-AC86U with Merlin 314.15, RT-AC68U aimesh node with same f/w, amtm, diversion, uidivstats, Skynet, scribe, uiscribe, conmon, spdMerlin, scmerlin, nsrum, FreshJR's Adaptive QOS
 
I found this
 
Yes, sir, I read some of those links yesterday, but I also found threads here on this forum, that senior members said an unmanaged switch was plug-and-play, which was what I thought too. So I got thinking maybe it was attacks, possibly spoofing something.
I just have a netgear 5 hub GS205. Actually a couple of them.
thanks again,
jts
 
Hi all,

I do not know why, but when Skynet is running, the download speed reported by spdmerlin (speedtest addon in Merlin firmware) is 90 Mbps lower than it should be.
The upload is not affected.

When I temporarily stop Skynet manually, the speed is back to normal.
I am on Merlin 394.15 powered by AC88U with entware updated.

Could you please advise?
I tried to disable Skynet for outgoing, but without success.

Thank you,
amplatfus
 
I can't see any reason this would affect that plugin at all, Skynet doesn't have any background running processes per se that would affect system performance. Speedtest-cli is notoriously inaccurate on low powered devices like routers, take the results with a grain of salt and instead use browser based options.
 
Thank you very much. Yes, the results in browsers are not affected.
I suspect it is something related to a USB 2.0 limitation, if Skynet or spdmerlin use the external HDD with entware installed. I have to test it by moving all to a USB 3.0 compatible HDD plugged into the USB 3.0 port, if this is the case.

That's why I asked how I can stop and start Skynet with a script, in order to create a script that will: disable Skynet, do the test and then enable it back.

All the best,
amplatfus
 
Using AMTM install the scMerlin utility

You then have the option to start stop Skynet by selecting option S in the scMerlin script.
 
