Skynet Skynet v8 - Router Firewall & Security Enhancements

[Jack-Sparr0w]

Just wanna avoid the oops I didn't know I just fixed it. or just noticed it was missing something. I have been here for long time now and just know how this story goes.

 

[Blacklistedcard]

Running great with v8.0.7 on my BEP98Pro. No problems to report so far. Been running the latest upgrade from the beginning.

 

[Kingp1n]

Just wanna avoid the oops I didn't know I just fixed it. or just noticed it was missing something. I have been here for long time now and just know how this story goes.

So I think you should also know by now there's always a risk using 3rd party scripts

You know what to do if you want to "avoid" any issues!

 

[dave14305]

does his new skynet only allow 15 addresses max, and takes way longer to add a list, or has that been fixed. when i added my list to that version it failed after the 15 mark, just a bunch of failed to loads.

Several changes were already made to accommodate lists like your psychotic list. Try it.

 

[Jeffrey Young]

EDIT: I found the issue.... I had to change the syslog error level from ERROR to WARNING. All tests are passing now. Will have to wait to see if I start getting any stats now.


I finally took the plunge and update Skynet to the most recent version of Ver8.

After a week, I have no stats. All charts say No data to display. I have tried to click on the generate stats button.

I ran the firewall debug info extended command. One failure is reported;

Log Level 4 Settings              ║ [Failed]

How do I go about fixing this error?

 

[JB_1366]

getting message on router reboot only, and its on the top of each hour --> Jan 3 06:00:00 Skynet: [✘] Rule Integrity Violation - Restarting Firewall [ #21 ]
I have to login to amtm and restart skynet to make it go away. this has been happening ever since i upgraded to skynet 8.x.x

 

[Adamm]

EDIT: I found the issue.... I had to change the syslog error level from ERROR to WARNING. All tests are passing now. Will have to wait to see if I start getting any stats now.


I finally took the plunge and update Skynet to the most recent version of Ver8.

After a week, I have no stats. All charts say No data to display. I have tried to click on the generate stats button.

I ran the firewall debug info extended command. One failure is reported;

Log Level 4 Settings              ║ [Failed]

How do I go about fixing this error?

These settings should be left at their default values unless you have a reason to change them...

Default message log level
notice
Log only messages more urgent than
debug

 

[Adamm]

getting message on router reboot only, and its on the top of each hour --> Jan 3 06:00:00 Skynet: [✘] Rule Integrity Violation - Restarting Firewall [ #21 ]
I have to login to amtm and restart skynet to make it go away. this has been happening ever since i upgraded to skynet 8.x.x

#21: Inbound LOG

Something is wrong with your inbound logging rule, please post the output of;

sh /jffs/scripts/firewall debug info

 

[Adamm]

I've pushed v8.0.8

Add settings toggle for Extended Stats (dnsmasq log matching for blocked IP's)
Improve debug watch - reduce chain commands to minimise CPU usage
Rename Extended_DNSStats() > Generate_Ban_Stats()
Set default log size as 10MB
Update readme
Refactor menu information

 

[Boji]

I've pushed v8.0.8

Huge efficiency improvement in logging cpu usage, seems I can force close terminal window with debug open and not see grep indefinitely spiking to 50%, great work! Thanks Adamm.

 

[Twiglets]

FYI:

I have never run the option to check for updates ONLY and it appears to do an update anyway !!!

Select Update Option:
[1]  --> Check For And Install Any New Updates
[2]  --> Check For Updates Only
[3]  --> Force Update Even If No Updates Detected

[e]  --> Exit

[1-3]: 2

[$] /jffs/scripts/firewall update check


=============================================================================================================


[i] Skynet Update Detected - v8.0.8 (4f5770f4192bf4363f9df94fabc9e6e0)
[i] New Version Detected - Updating To v8.0.8 (4f5770f4192bf4363f9df94fabc9e6e0)
[i] Saving Changes
[i] Unloading Skynet Components
[i] No change to chart.js (MD5 matched)
[i] No change to chartjs-plugin-zoom.js (MD5 matched)
[i] No change to hammerjs.js (MD5 matched)
[i] No change to skynet.asp (MD5 matched)
[i] Updated firewall.sh
[i] Restarting Firewall Service

 

[Twiglets]

I've pushed v8.0.8

Thanks for the ability to change the log size.
I have been 'hacking' this by editing the 'firewall' script

 

[Twiglets]

Pretty please ... could you do a 'wrap-around' on the country codes in the nice banner at the top of the 'firewall' display.

¦ Install Dir          ¦ /tmp/mnt/RT-AX86UPro/skynet                                                        ¦
¦ FW Version           ¦ ASUSWRT-Merlin v102.5_0 (Kernel 4.19.183) (Aug 3 2025)                             ¦
¦ iptables             ¦ iptables v1.4.15                                                                   ¦
¦ ipset                ¦ ipset v7.6, protocol version: 7                                                    ¦
¦ Public IP            ¦ xxx.xxx.xxx.xxx                                                                    ¦
¦ WAN Info             ¦ ppp0 - pppoe                                                                       ¦
¦ Banned Countries     ¦ ad ae af ag ai al am ao aq ar as aw ax az ba bb bd bf bg bh bi bj bl bm bn bo bq br bs bt bv bw bz cc cd cf cg ci ck cl cm cn co cr cu cv cw cx cy cz dj dm do dz ec¦
¦ Custom Filter URL    ¦ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX                                                 ¦
+-----------------------------------------------------------------------------------------------------------+

 

[JB_1366]

Something is wrong with your inbound logging rule, please post the output of;

I upgraded to 8.0.8 and rebooted router, same result. restart skynet and problem fixed.

 

[Ripshod]

@JB_1366 That appears to be a very small external drive you're using. Is it a thumb drive?

 

[JB_1366]

@JB_1366 That appears to be a very small external drive you're using. Is it a thumb drive?

yes, 8gb - 3gb used / 5gb open

 

[dave14305]

I upgraded to 8.0.8 and rebooted router, same result. restart skynet and problem fixed.

After your next reboot, please capture the output of:

iptables-save -t raw
nvram get wan0_ifname

Odd that in the log you posted the wan iface was listed as wan0.

 

[JB_1366]

After your next reboot, please capture the output of:

iptables-save -t raw
nvram get wan0_ifname

Odd that in the log you posted the wan iface was listed as wan0.

admin@RT-AX86U_PRO:/tmp/home/root# iptables-save -t raw
# Generated by iptables-save v1.4.15 on Sun Jan 4 09:51:44 2026
*raw
REROUTING ACCEPT [2594:670511]
:OUTPUT ACCEPT [5880:6237578]
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-ses
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-seP
-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-ss
-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-sP
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Mas
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-MaP
COMMIT
# Completed on Sun Jan 4 09:51:44 2026
admin@RT-AX86U_PRO:/tmp/home/root# nvram get wan0_ifname
wan0

 

[dave14305]

iptables-save -t raw

The output lines are truncated by the terminal program.

What is your wan setup? I thought I saw the original reply with eth0, then it showed as wan0. Maybe I imagined it.

 

[JB_1366]

The output lines are truncated by the terminal program.

What is your wan setup? I thought I saw the original reply with eth0, then it showed as wan0. Maybe I imagined it.

not sure what your asking, but I have Quantum Fiber using vlan201

i reran with skynet restarted & here is output:
admin@RT-AX86U_PRO:/tmp/home/root# iptables-save -t raw
# Generated by iptables-save v1.4.15 on Sun Jan 4 10:31:14 2026
*raw
REROUTING ACCEPT [88872:26037810]
:OUTPUT ACCEPT [75011:44122182]
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A PREROUTING -i br+ -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j LOG --log-prefix "[BLOCKED - INBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A PREROUTING -i wan0 -m set ! --match-set Skynet-MasterWL src -m set --match-set Skynet-Master src -j DROP
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j LOG --log-prefix "[BLOCKED - OUTBOUND] " --log-tcp-sequence --log-tcp-options --log-ip-options
-A OUTPUT -m set ! --match-set Skynet-MasterWL dst -m set --match-set Skynet-Master dst -j DROP
COMMIT
# Completed on Sun Jan 4 10:31:14 2026