Skynet Skynet v8 - Router Firewall & Security Enhancements

[Adamm]

Is that a normal behaviour, that after every reboot, Skynet detects a lock file?

Yes, firewall-start is called up to 4 times during startup, Skynet handles all this in the background.

 

[Boji]

Prior to v8 I recall if I was using skynets built in debug log tail, it uses lots of cpu; if the ssh window that spawned it was force closed it would continue consuming resources in the background running the operation; but if control+C it would stop; the only solution I had at the time was a reboot. Unless I'm mistaken, it seems the problem persists.

 

[Adamm]

Prior to v8 I recall if I was using skynets built in debug log tail, it uses lots of cpu

This is normal as all log entries are processed, I'll look into if the regex can be improved.

if the ssh window that spawned it was force closed it would continue consuming resources in the background running the operation; but if control+C it would stop; the only solution I had at the time was a reboot. Unless I'm mistaken, it seems the problem persists.

Is there some way for me to reproduce this as I am unable to.

 

[Boji]

This is normal as all log entries are processed, I'll look into if the regex can be improved.



Is there some way for me to reproduce this as I am unable to.

Well in htop I am seeing this line constantly when skynet debug output log is running
grep -E reply .* is 164\.138\.125\.249 /opt/var/log/dnsmasq.log /opt/var/log/dnsmasq.logl /opt/var/log/dnsmasq.log2

If firewall log not closed gracefully (Ctrl+C), this grep command pops up intermittently consuming significant resources in brief spikes; not steady like when the firewall log is open, but every few seconds. Compare it to gracefully closing the firewall log.... you will see far less cpu usage and no intermittent grep command. Happens to me every time. I have to reboot my router now after this last test. CPU spikes to 50% sometimes a bit more sometimes a bit less every few seconds on AC66UB1. With graceful exit, maybe 5-8% average cpu.

May be more easily detectable with minimal setup. I disabled all amtm app related ui for router gui. (diversion webui disabled)

║ Country Lookup For Stats ║ [Disabled]
║ Display WebUI ║ [Disabled]

Am using bitvise xterm as ssh.

 

[SG2088]

I am still using 7.6.5 and have been following this thread. Having said this, is the latest version stable enough to upgrade? Or shall I wait? I do not want to break anything as I work from home and cannot afford an outage. Thanks!

 

[Viktor Jaep]

I am still using 7.6.5 and have been following this thread. Having said this, is the latest version stable enough to upgrade? Or shall I wait? I do not want to break anything as I work from home and cannot afford an outage. Thanks!

I have a big list of country blocks and a healthy set of blocklists, but things have been pretty quiet on this front. I've been waiting for an all-green before pulling the trigger as well. I will probably wait for the weekend to get a last fresh backup and try again.

 

[SG2088]

I have a big list of country blocks and a healthy set of blocklists, but things have been pretty quiet on this front. I've been waiting for an all-green before pulling the trigger as well. I will probably wait for the weekend to get a last fresh backup and try again.

Thanks. I'll wait a few more days as well.

 

[fanasus]

hello,

Since updating my router (v3006.102.6), I can't get Skynet (v8.0.6) working again (I've tried restarting it, forcing an update), I don't know what to do.
here the errores:
SWAP | [Failed]
Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

thanks

 

[dave14305]

Since updating my router (v3006.102.6), I can't get Skynet (v8.0.6) working again (I've tried restarting it, forcing an update), I don't know what to do.

Do you have a USB plugged in? ls -l /tmp/mnt/
What is shown in firewall-start? cat /jffs/scripts/firewall-start
Is the router's firewall enabled? nvram get fw_enable_x

 

[John Fitzgerald]

hello,

Since updating my router (v3006.102.6), I can't get Skynet (v8.0.6) working again (I've tried restarting it, forcing an update), I don't know what to do.
here the errores:
SWAP | [Failed]
Cron Jobs | [Failed]
IPSets | [Failed]
IPTables Rules | [Failed]

thanks

What happened to me: myswap file disappeared. v8.0.7 is newest. Uninstall via #15, including old swap file, option. Then reinstall, and it will ask you to create a new swap file : select the 2GB option.

 

[fanasus]

Hello @dave14305 @John Fitzgerald Thank you for your replies
- I recreated the swap file as specified, but only restarted Skynet, and finally it came back! . thanks !
regards

 

[Kingp1n]

@Adamm

After running latest Skynet for few weeks...it has been running smoothly without any issues and/or router slow downs.

We appreciate the continued support!!!

 

[SG2088]

What happened to me: myswap file disappeared. v8.0.7 is newest. Uninstall via #15, including old swap file, option. Then reinstall, and it will ask you to create a new swap file : select the 2GB option.

Before I upgrade from 7.6.5, is it recommended to uninstall skynet and the swap file, then re-install and recreate swap?

 

[John Fitzgerald]

Before I upgrade from 7.6.5, is it recommended to uninstall skynet and the swap file, then re-install and recreate swap?

Yes, and be very sure to delete the old swap file with the uninstall routine. (I think it's the last prompt)
After you reinstall and create the new swap, reboot the router to make sure that it all survives a reboot. (not deleting the old swap file will cause problems if it remains)

 

[SG2088]

Yes, and be very sure to delete the old swap file with the uninstall routine. (I think it's the last prompt)
After you reinstall and create the new swap, reboot the router to make sure that it all survives a reboot. (not deleting the old swap file will cause problems if it remains)

Thanks! I am thinking of rebooting after deleting both, format usb (yes, use one as I have been lucky), then reinstall, etc.

 

[John Fitzgerald]

Thanks! I am thinking of rebooting after deleting both, format usb (yes, use one as I have been lucky), then reinstall, etc.

Yes, I deleted ,rebooted, reinstalled, and rebooted again.

 

[XxUnkn0wnxX]

I took the plunge and updated to 8.0.7.

Before updating I did a full uninstall of Skynet and removed the swap file. After the update I re-applied my config and filter list exclusions. The only “dirty” thing I did was copy over my old .ipset, since I’ve got a lot of custom rules in there.

It does survive a reboot, but my ~30MB ipset has now grown to almost 50MB even though I’m using the exact same filter lists as before. It also now takes a little over 4 minutes for iptables to fully populate, whereas on 7.6.5 it was just over a minute.

Not particularly impressed with the performance side of things so far (Iptables).

 

[Adamm]

Skynet is perfectly fine to update from 7.x.x to 8.x.x, an uninstall isn't necessary. Skynet's swap file handling was simplified to be more unified with Diversion. Anyone with SWAP issues probably had some edge case where existing file didn't align with the new standard, Skynet in these cases would have alerted to the SWAP issue in the syslog. If someone is able to reproduce it I'd be happy to take a look.

It does survive a reboot, but my ~30MB ipset has now grown to almost 50MB even though I’m using the exact same filter lists as before. It also now takes a little over 4 minutes for iptables to fully populate, whereas on 7.6.5 it was just over a minute.

Skynet v8 does a better job of whitelisting & downloading (not skipping) slow resolving lists. Your lists are the issue, not Skynet. The default banmalware process takes 9 seconds to finish.

skynet@GT-BE98-38A4:/tmp/home/root# sh /jffs/scripts/firewall banmalware
#############################################################################################################
# #
# ███████╗██╗ ██╗██╗ ██╗███╗ ██╗███████╗████████╗ #
# ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗ ██║██╔════╝╚══██╔══╝ #
# ███████╗█████╔╝ ╚████╔╝ ██╔██╗ ██║█████╗ ██║ #
# ╚════██║██╔═██╗ ╚██╔╝ ██║╚██╗██║██╔══╝ ██║ #
# ███████║██║ ██╗ ██║ ██║ ╚████║███████╗ ██║ #
# ╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═══╝╚══════╝ ╚═╝ #
# #
# Router Firewall And Security Enhancements #
# By Adamm - https://github.com/Adamm00/IPSet_ASUS #
# 24/11/2025 - v8.0.7 #
#############################################################################################################


=============================================================================================================


Downloading filter.list | [0s]
Refreshing Whitelists | [5s]
Start Blacklist Consolidation |
[✔] Downloaded https://iplists.firehol.org/files/firehol_level2.netset
[✔] Downloaded https://iplists.firehol.org/files/et_block.netset
[✔] Downloaded https://iplists.firehol.org/files/dyndns_ponmocup.ipset
[✔] Downloaded https://iplists.firehol.org/files/spamhaus_drop.netset
[✔] Downloaded https://iplists.firehol.org/files/firehol_level3.netset
[✔] Downloaded https://iplists.firehol.org/files/cybercrime.ipset
[✔] Downloaded https://iplists.firehol.org/files/bds_atif.ipset
[✔] Downloaded https://iplists.firehol.org/files/et_compromised.ipset
Finish Blacklist Consolidation | [3s]
Applying New Blacklist | [1s]
Refreshing AiProtect Bans | [0s]
Saving Changes | [0s]

For Whitelisting Assistance -
https://www.snbforums.com/threads/r...wall-security-enhancements.16798/#post-115872


=============================================================================================================


[#] 29342 IPs (-3697) -- 2361 Ranges Banned (-32) || 9146 Inbound -- 0 Outbound Connections Blocked! [banmalware] [9s]

Not particularly impressed with the performance side of things so far (Iptables).

What metric do you measure that with?

 

[John Fitzgerald]

Skynet is perfectly fine to update from 7.x.x to 8.x.x, an uninstall isn't necessary. Skynet's swap file handling was simplified to be more unified with Diversion. Anyone with SWAP issues probably had some edge case where existing file didn't align with the new standard, Skynet in these cases would have alerted to the SWAP issue in the syslog. If someone is able to reproduce it I'd be happy to take a look.



Skynet v8 does a better job of whitelisting & downloading (not skipping) slow resolving lists. Your lists are the issue, not Skynet. The default banmalware process takes 9 seconds to finish.






What metric do you measure that with?

Hi, @Adamm. If you look at post #188, the same error that was happening with the initial 8.0 release was somehow present on 8.0.6 .

Even with a full wipe and uninstall it happened to me when switching routers to update other units. .6 to .7
When I replugged the AX86U in after removing power completely the initial error persisted like in post #188 and that’s after many Skynet uninstalls from 8.0.0 release to .7 , so somehow the part that reads where the myswap file is, is lost or becomes unreadable. The uninstall routine is able to locate it for removal.

When I updated from 8.0.6 to .7 I had to be sure to wipe the old swap file. The settings have been good since.

I’m not sure if it makes a difference if the original swap file 7.6.5 was made using the sw command from amtm first or from Skynet creating it upon install.

Thanks.

EDIT: Just to add, the only v8 version I didn't try was 8.0.1, and I thought once 8.0.4 was working, surviving a reboot, that this issue was gone. I was surprised that it happened again on 8.0.6 and at first I tried not uninstalling the old swap file but the nice red "Failed" message happened. Somewhere around 8.0.2 i did a long format of the SSD drive from my desktop PC. So it's not a drive issue, as it's all a fresh rebuild.

 

[Jack-Sparr0w]

does his new skynet only allow 15 addresses max, and takes way longer to add a list, or has that been fixed. when i added my list to that version it failed after the 15 mark, just a bunch of failed to loads.