Skynet Skynet v8 - Router Firewall & Security Enhancements

[Jack-Sparr0w]

Just wanna avoid the oops I didn't know I just fixed it. or just noticed it was missing something. I have been here for long time now and just know how this story goes.

 

[Blacklistedcard]

Running great with v8.0.7 on my BEP98Pro. No problems to report so far. Been running the latest upgrade from the beginning.

 

[Kingp1n]

Just wanna avoid the oops I didn't know I just fixed it. or just noticed it was missing something. I have been here for long time now and just know how this story goes.

So I think you should also know by now there's always a risk using 3rd party scripts

You know what to do if you want to "avoid" any issues!

 

[dave14305]

does his new skynet only allow 15 addresses max, and takes way longer to add a list, or has that been fixed. when i added my list to that version it failed after the 15 mark, just a bunch of failed to loads.

Several changes were already made to accommodate lists like your psychotic list. Try it.

 

[Jeffrey Young]

EDIT: I found the issue.... I had to change the syslog error level from ERROR to WARNING. All tests are passing now. Will have to wait to see if I start getting any stats now.


I finally took the plunge and update Skynet to the most recent version of Ver8.

After a week, I have no stats. All charts say No data to display. I have tried to click on the generate stats button.

I ran the firewall debug info extended command. One failure is reported;

Log Level 4 Settings              ║ [Failed]

How do I go about fixing this error?

 

[JB_1366]

getting message on router reboot only, and its on the top of each hour --> Jan 3 06:00:00 Skynet: [✘] Rule Integrity Violation - Restarting Firewall [ #21 ]
I have to login to amtm and restart skynet to make it go away. this has been happening ever since i upgraded to skynet 8.x.x

 

[Adamm]

EDIT: I found the issue.... I had to change the syslog error level from ERROR to WARNING. All tests are passing now. Will have to wait to see if I start getting any stats now.


I finally took the plunge and update Skynet to the most recent version of Ver8.

After a week, I have no stats. All charts say No data to display. I have tried to click on the generate stats button.

I ran the firewall debug info extended command. One failure is reported;

Log Level 4 Settings              ║ [Failed]

How do I go about fixing this error?

These settings should be left at their default values unless you have a reason to change them...

Default message log level
notice
Log only messages more urgent than
debug

 

[Adamm]

getting message on router reboot only, and its on the top of each hour --> Jan 3 06:00:00 Skynet: [✘] Rule Integrity Violation - Restarting Firewall [ #21 ]
I have to login to amtm and restart skynet to make it go away. this has been happening ever since i upgraded to skynet 8.x.x

#21: Inbound LOG

Something is wrong with your inbound logging rule, please post the output of;

sh /jffs/scripts/firewall debug info

 

[Adamm]

I've pushed v8.0.8

Add settings toggle for Extended Stats (dnsmasq log matching for blocked IP's)
Improve debug watch - reduce chain commands to minimise CPU usage
Rename Extended_DNSStats() > Generate_Ban_Stats()
Set default log size as 10MB
Update readme
Refactor menu information

 

[Boji]

I've pushed v8.0.8

Huge efficiency improvement in logging cpu usage, seems I can force close terminal window with debug open and not see grep indefinitely spiking to 50%, great work! Thanks Adamm.

 

[Twiglets]

FYI:

I have never run the option to check for updates ONLY and it appears to do an update anyway !!!

Select Update Option:
[1]  --> Check For And Install Any New Updates
[2]  --> Check For Updates Only
[3]  --> Force Update Even If No Updates Detected

[e]  --> Exit

[1-3]: 2

[$] /jffs/scripts/firewall update check


=============================================================================================================


[i] Skynet Update Detected - v8.0.8 (4f5770f4192bf4363f9df94fabc9e6e0)
[i] New Version Detected - Updating To v8.0.8 (4f5770f4192bf4363f9df94fabc9e6e0)
[i] Saving Changes
[i] Unloading Skynet Components
[i] No change to chart.js (MD5 matched)
[i] No change to chartjs-plugin-zoom.js (MD5 matched)
[i] No change to hammerjs.js (MD5 matched)
[i] No change to skynet.asp (MD5 matched)
[i] Updated firewall.sh
[i] Restarting Firewall Service

 

[Twiglets]

I've pushed v8.0.8

Thanks for the ability to change the log size.
I have been 'hacking' this by editing the 'firewall' script

 

[Twiglets]

Pretty please ... could you do a 'wrap-around' on the country codes in the nice banner at the top of the 'firewall' display.

¦ Install Dir          ¦ /tmp/mnt/RT-AX86UPro/skynet                                                        ¦
¦ FW Version           ¦ ASUSWRT-Merlin v102.5_0 (Kernel 4.19.183) (Aug 3 2025)                             ¦
¦ iptables             ¦ iptables v1.4.15                                                                   ¦
¦ ipset                ¦ ipset v7.6, protocol version: 7                                                    ¦
¦ Public IP            ¦ xxx.xxx.xxx.xxx                                                                    ¦
¦ WAN Info             ¦ ppp0 - pppoe                                                                       ¦
¦ Banned Countries     ¦ ad ae af ag ai al am ao aq ar as aw ax az ba bb bd bf bg bh bi bj bl bm bn bo bq br bs bt bv bw bz cc cd cf cg ci ck cl cm cn co cr cu cv cw cx cy cz dj dm do dz ec¦
¦ Custom Filter URL    ¦ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX                                                 ¦
+-----------------------------------------------------------------------------------------------------------+

 

[JB_1366]

Something is wrong with your inbound logging rule, please post the output of;

I upgraded to 8.0.8 and rebooted router, same result. restart skynet and problem fixed.

admin@RT-AX86U_PRO:/tmp/home/root# sh /jffs/scripts/firewall debug info
################################################################################
#                                                                              #
#                           ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████#
#                           ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══#
#                           ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║  #
#                           ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║  #
#                           ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║  #
#                           ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝  #
#                                                                              #
#                                 Router Firewall And Security Enhancements    #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS#
#                                            04/01/2026 - v8.0.8               #
################################################################################


================================================================================


╔═════════════════════ System ═════════════════════════════════════════════════╗
║ Router Model         │ RT-AX86U_PRO                                          ║
║ Skynet Version       │ v8.0.8 (04/01/2026)                                   ║
║ └── Hash             │ 4f5770f4192bf4363f9df94fabc9e6e0                      ║
║ FW Version           │ ASUSWRT-Merlin v102.6_0 (Kernel 4.19.183) (Nov 25 2025║
║ iptables             │ iptables v1.4.15                                      ║
║ ipset                │ ipset v7.6, protocol version: 7                       ║
║ Public IP            │                                                       ║
║ WAN Info             │ wan0 - dhcp                                           ║
╚══════════════════════╧═══════════════════════════════════════════════════════╝


╔═════════════════════ Storage ════════════════════════════════════════════════╗
║ Install Dir          │ /tmp/mnt/Asus/skynet                                  ║
║ └── Used/Total       │ 2.1G / 7.3G                                           ║
║ SWAP File            │ /tmp/mnt/Asus/myswap.swp                              ║
║ └── Size             │ 2.0G                                                  ║
╚══════════════════════╧═══════════════════════════════════════════════════════╝


╔═════════════════════ Runtime ════════════════════════════════════════════════╗
║ Uptime               │ 0 days, 0 hours, 19 minutes.                          ║
║ RAM Used/Total       │ (425M / 994M)                                         ║
╚══════════════════════╧═══════════════════════════════════════════════════════╝


╔═════════════════════ Logging ════════════════════════════════════════════════╗
║ Syslog Locations     │ /jffs/syslog.log /jffs/syslog.log-1                   ║
║ Skynet Log           │ /tmp/mnt/Asus/skynet/skynet.log                       ║
║ └── Used/Total       │ 900.0K / 10MB                                         ║
║ Block Events         │ 2734 (815 Unique IPs)                                 ║
║ Monitor Span         │ Jan 4 02:00:04 → Jan 4 06:59:40                       ║
╚══════════════════════╧═══════════════════════════════════════════════════════╝


╔══════════════════════════════════════════╦══════════════════╦════════════════╗
║ Device Name                              ║ Local IP         ║ MAC Address    ║
╠══════════════════════════════════════════╬══════════════════╬════════════════╣


╔═══════════════════════════════════╦══════════════════════════════════════════╗
║ Test Description                  ║ Result                                   ║
╠═══════════════════════════════════╬══════════════════════════════════════════╣
║ Internet-Connectivity             ║ [Passed]                                 ║
║ Public IP Address                 ║ [Passed]                                 ║
║ Write Permission                  ║ [Passed]                                 ║
║ Config File                       ║ [Passed]                                 ║
║ Firewall-Start Entry              ║ [Passed]                                 ║
║ Services-Stop Entry               ║ [Passed]                                 ║
║ Service-Event Entry               ║ [Passed]                                 ║
║ Profile.add Entry                 ║ [Passed]                                 ║
║ SWAP File                         ║ [Passed]                                 ║
║ Cron Jobs                         ║ [Passed]                                 ║
║ NTP Sync                          ║ [Passed]                                 ║
║ Log Level 5 Settings              ║ [Passed]                                 ║
║ Duplicate Rules In RAW            ║ [Passed]                                 ║
║ IPSets                            ║ [Passed]                                 ║
║ IPTables Rules                    ║ [Failed]                                 ║
║ Local WebUI Files                 ║ [Passed]                                 ║
║ Mounted WebUI Files               ║ [Passed]                                 ║
║ MenuTree.js Entry                 ║ [Passed]                                 ║
╠═══════════════════════════════════╩══════════════════════════════════════════╣
║ 17/18 Tests Sucessful                                                        ║
╚══════════════════════════════════════════════════════════════════════════════╝


╔═══════════════════════════════════╦══════════════════════════════════════════╗
║ Setting                           ║ Status                                   ║
╠═══════════════════════════════════╬══════════════════════════════════════════╣
║ Skynet Auto-Updates               ║ [Enabled]                                ║
║ Malware List Auto-Updates         ║ [Enabled]                                ║
║ Logging                           ║ [Enabled]                                ║
║ Filter Traffic                    ║ [Enabled]                                ║
║ Unban PrivateIP                   ║ [Enabled]                                ║
║ Log Invalid Packets               ║ [Enabled]                                ║
║ Log Size                          ║ [10MB]                                   ║
║ Import AiProtect Data             ║ [Enabled]                                ║
║ Secure Mode                       ║ [Enabled]                                ║
║ Extended Stats                    ║ [Enabled]                                ║
║ Fast Switch List                  ║ [Disabled]                               ║
║ Syslog Location                   ║ [Default]                                ║
║ IOT Blocking                      ║ [Disabled]                               ║
║ IOT Logging                       ║ [Enabled]                                ║
║ Country Lookup For Stats          ║ [Enabled]                                ║
║ CDN Whitelisting                  ║ [Enabled]                                ║
║ Display WebUI                     ║ [Enabled]                                ║
╚═══════════════════════════════════╩══════════════════════════════════════════╝

[*] Rule Integrity Violation - [ #21 ]


================================================================================


[#] 30422 IPs (+0) -- 3608 Ranges Banned (+0) ||  Inbound --  Outbound Connecti]

 

[Ripshod]

@JB_1366 That appears to be a very small external drive you're using. Is it a thumb drive?

 

[JB_1366]

@JB_1366 That appears to be a very small external drive you're using. Is it a thumb drive?

yes, 8gb - 3gb used / 5gb open

 

[dave14305]

I upgraded to 8.0.8 and rebooted router, same result. restart skynet and problem fixed.

After your next reboot, please capture the output of:

iptables-save -t raw
nvram get wan0_ifname

Odd that in the log you posted the wan iface was listed as wan0.

 

[JB_1366]

After your next reboot, please capture the output of:

iptables-save -t raw
nvram get wan0_ifname

Odd that in the log you posted the wan iface was listed as wan0.

admin@RT-AX86U_PRO:/tmp/home/root# iptables-save -t raw

# Generated by iptables-save v1.4.15 on Sun Jan  4 09:51:44 2026

*raw

PREROUTING ACCEPT [2594:670511]

:OUTPUT ACCEPT [5880:6237578]

-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-ses

-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-seP

-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-ss

-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-sP

-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Mas

-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-MaP

COMMIT

# Completed on Sun Jan  4 09:51:44 2026

admin@RT-AX86U_PRO:/tmp/home/root# nvram get wan0_ifname

wan0

 

[dave14305]

iptables-save -t raw

The output lines are truncated by the terminal program.

What is your wan setup? I thought I saw the original reply with eth0, then it showed as wan0. Maybe I imagined it.

 

[JB_1366]

The output lines are truncated by the terminal program.

What is your wan setup? I thought I saw the original reply with eth0, then it showed as wan0. Maybe I imagined it.

not sure what your asking, but I have Quantum Fiber using vlan201

i reran with skynet restarted & here is output:

admin@RT-AX86U_PRO:/tmp/home/root# iptables-save -t raw

# Generated by iptables-save v1.4.15 on Sun Jan  4 10:31:14 2026

*raw

PREROUTING ACCEPT [88872:26037810]

:OUTPUT ACCEPT [75011:44122182]

-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options

-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP

-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options

-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j DROP

-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options

-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP

COMMIT

# Completed on Sun Jan  4 10:31:14 2026