Skynet Stats not generated and firewall not blocking anything

BOFH

Occasional Visitor
Hi Guys,

I have the feeling that Skynet doesn't block anything, and nothing is shown in the logs or in the stats. I have reinstalled/restarted/reconfigured Skynet, but with the same result.

Syslog config on router side:
- Default message log level, set to: Info
- Log only messages more urgent than, set to: debug


Example:

Bash:
[email protected]:/tmp/mnt/JFFS/skynet#  ipset -L | grep 64.62.197.71
64.62.197.71 comment "BanMalware: blocklist_net_ua.ipset"

[email protected]:/tmp/mnt/JFFS/skynet#  ping 64.62.197.71
PING 64.62.197.71 (64.62.197.71): 56 data bytes
64 bytes from 64.62.197.71: seq=0 ttl=49 time=162.394 ms
64 bytes from 64.62.197.71: seq=1 ttl=49 time=159.376 ms

[email protected]:/tmp/mnt/JFFS/skynet#  iptables -L -n -t raw -v
Chain PREROUTING (policy ACCEPT 22455 packets, 2798K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  br+    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
    0     0 DROP       all  --  br+    *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst
    0     0 LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src LOG flags 7 level 4 prefix "[BLOCKED - INBOUND] "
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist src match-set Skynet-Master src
Chain OUTPUT (policy ACCEPT 11718 packets, 5624K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst LOG flags 7 level 4 prefix "[BLOCKED - OUTBOUND] "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! match-set Skynet-Whitelist dst match-set Skynet-Master dst


Name: Skynet-Whitelist
Type: hash:net
Revision: 6
Header: family inet hashsize 8192 maxelem 65536 comment
Size in memory: 1151258
Number of entries: 13154
Members:
Name: Skynet-Blacklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 131072 maxelem 500000 comment
Size in memory: 14901215
Number of entries: 130691
Members:
Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 4096 maxelem 200000 comment
Size in memory: 914914
Number of entries: 9559
Members:
Name: Skynet-IOT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 352
Number of entries: 0
Members:
Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
Number of entries: 0
Members:


drwxrwxrwx    2 admin    root          4096 Mar 23 00:20 .
drwxrwxrwx    4 admin    root          4096 Mar 23 00:14 ..
-rw-rw-rw-    1 admin    root        173077 Mar 22 14:47 chart.js
-rw-rw-rw-    1 admin    root          9752 Mar 22 14:47 chartjs-plugin-zoom.js
-rw-rw-rw-    1 admin    root         20765 Mar 22 14:47 hammerjs.js
-rw-rw-rw-    1 admin    root         40292 Mar 22 14:47 skynet.asp
-rw-rw-rw-    1 admin    root          3054 Mar 23 00:20 stats.js


Router Model; RT-AX88U
Skynet Version; v7.2.8 (19/10/2021) (cd9e05f9b3897f144dd71260906a761a)
iptables v1.4.15 - (eth0 @ 192.168.90.1)
ipset v7.6, protocol version: 7
IP Address; (192.168.0.10)
FW Version; 386.5_0 (Mar 2 2022) (4.1.51)
Install Dir; /tmp/mnt/JFFS/skynet (8.8G / 14.5G Space Available)
SWAP File; /tmp/mnt/JFFS/myswap.swp (2.0G)
Uptime; 0 days, 1 hours, 48 minutes.
Ram Available; (237M / 882M)


--------------------                | ----------
| Test Description |                | | Result |
--------------------                | ----------

Internet-Connectivity               | [Passed]
Write Permission                    | [Passed]
Config File                         | [Passed]
Firewall-Start Entry                | [Passed]
Services-Stop Entry                 | [Passed]
Service-Event Entry                 | [Passed]
Profile.add Entry                   | [Passed]
SWAP File                           | [Passed]
Cron Jobs                           | [Passed]
NTP Sync                            | [Passed]
IPSet Comment Support               | [Passed]
Log Level 6 Settings                | [Passed]
Duplicate Rules In RAW              | [Passed]
IPSets                              | [Passed]
IPTables Rules                      | [Passed]
Local WebUI Files                   | [Passed]
Mounted WebUI Files                 | [Passed]
MenuTree.js Entry                   | [Passed]


-----------                         | ----------
| Setting |                         | | Status |
----------                          | ----------

Skynet Auto-Updates                 | [Enabled]
Malware List Auto-Updates           | [Enabled]
Logging                             | [Enabled]
Filter Traffic                      | [Enabled]
Unban PrivateIP                     | [Enabled]
Log Invalid Packets                 | [Enabled]
Import AiProtect Data               | [Enabled]
Secure Mode                         | [Enabled]
Fast Switch List                    | [Disabled]
Syslog Location                     | [Default]
IOT Blocking                        | [Disabled]
Country Lookup For Stats            | [Enabled]
CDN Whitelisting                    | [Enabled]
Display WebUI                       | [Enabled]

18/18 Tests Sucessful              


################################################
## Generated By Skynet - Do Not Manually Edit ##
## Mar 23 00:46:42                            ##

## Installer ##
model="RT-AX88U"
localver="v7.2.8"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
logmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/JFFS/myswap.swp"

## Counters / Lists ##
blacklist1count="130691"
blacklist2count="9559"
customlisturl="http://changed/custom.list"
customlist2url="http://changed/custom.list"
countrylist=""
excludelists=""

## Settings ##
unbanprivateip="enabled"
loginvalid="enabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/tmp/syslog.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="disabled"
iotports=""
iotproto="udp"
lookupcountry="enabled"
cdnwhitelist="enabled"
displaywebui="enabled"

################################################

=============================================================================================================


[#] 130691 IPs (+0) -- 9559 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [debug] [2s]
 

dave14305

Part of the Furniture
IP Address; (192.168.0.10)
You seem to have a double NAT situation where the Asus router is not directly exposed to the Internet. Skynet probably warns you about this during install.

I don’t understand why the ping works, however. It should be blocked in the OUTPUT chain of the raw table. Only if it was whitelisted should it be allowed, such as having a larger CIDR block that includes the address.
 

BOFH

Occasional Visitor
Hi @dave14305 ,

Yep, the router is not exposed to the outside directly, but I have full control of that setup. Skynet detects that I have a local IP, but that should not disturb the base (iptables+ipset); it was working as expected until recently.

The evidence is simple, as you said: why is the ping working for an IP that should be blocked by iptables, as it's listed in the ipset? The IP is not whitelisted; I also tested other IPs/ranges as well.
 

Ronald Schwerer

Very Senior Member
I just noticed the same thing. Stats and log have nothing new since Feb 11, 2022. My RT-AX58U (192.168.1.1) is behind my ISP-provided router, so it has a local WAN IP address (192.168.0.60). Is this a problem? If so, what changed, since it worked before?
I just now reset the skynet stats through amtm and the gui and now they are all blank. BTW, I got curious because I now have unfettered access to some sites that used to be blocked (like the Amazon app). The last time I used the amtm plug-in was about 1 month ago to try to whitelist amazon.com to get their app working. Maybe related?
 

dave14305

Part of the Furniture
Going back to your original test, is the IP in the whitelist set?
Code:
ipset test Skynet-Whitelist 64.62.197.71
ipset test Skynet-Master 64.62.197.71
 

Tech Junky

Very Senior Member
local WAN IP address (192.168.0.60)

RT-AX58U (192.168.1.1)
You have a double NAT situation here with 2 x RFC1918 IPs in different subnets.

(eth0 @ 192.168.90.1)
Plus your iptables has another IP in a different subnet.

IP Address; (192.168.0.10)

I would be curious to see the output of iptables rules.v4 to see exactly what rules are setup.

cat /etc/iptables/rules.v4

My thought is you probably have everything set to ACCEPT rather than DROP.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

This DROP option forces everything to have a rule or it gets dropped and doesn't do anything.


There's a lot going on here.....
 

dave14305

Part of the Furniture
I would be curious to see the output of iptables rules.v4 to see exactly what rules are setup.

cat /etc/iptables/rules.v4

My thought is you probably have everything set to ACCEPT rather than DROP.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

This DROP option forces everything to have a rule or it gets dropped and doesn't do anything.
Skynet lives in the raw table, so its drops should override any accepts in filter. That file doesn’t exist in Merlin firmware, btw.
 

dave14305

Part of the Furniture
Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 88
Number of entries: 0
Members:
This looks like the problem. Skynet-Master should contain both Skynet-Blacklist and Skynet-BlockedRanges. This listing shows 0 entries/members. Should be 2, at least.
Bash:
# ipset -L Skynet-Master
Name: Skynet-Master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 184
References: 6
Number of entries: 2
Members:
Skynet-Blacklist
Skynet-BlockedRanges
Run these commands and look for errors:
Bash:
ipset -A Skynet-Master Skynet-Blacklist
ipset -A Skynet-Master Skynet-BlockedRanges
Then test again.
 
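The check dave14305 describes above, as an added example that is not part of Skynet or of any post in this thread: a small POSIX shell script that parses `ipset -L` output, reports which of the two member sets are missing from the Skynet-Master list:set, and prints the matching `ipset -A` repair commands. The set names and the constructed sample listings are taken from the output shown in the original post; the function names (`members_of`, `missing_from_master`, `repair_commands`) are assumptions of this example, not Skynet's own.

```shell
#!/bin/sh
# Added example, not Skynet's own code. Given `ipset -L` output, report which
# sets are missing from the Skynet-Master list:set. A list:set with no members
# matches nothing, so every raw-table rule using "match-set Skynet-Master"
# stays at 0 pkts and traffic to listed IPs passes, which is the symptom above.

# Sets that Skynet-Master is expected to contain (names as shown in the thread).
REQUIRED_MEMBERS="Skynet-Blacklist Skynet-BlockedRanges"

# members_of NAME: read `ipset -L` output on stdin and print the entries in the
# Members: block of set NAME, one per line (first field only, so hash sets with
# comments print just the address). Prints nothing if NAME has no members.
members_of() {
    awk -v want="$1" '
        /^Name: /                { inset = ($2 == want); inmembers = 0; next }
        inset && /^Members:/     { inmembers = 1; next }
        inset && inmembers && NF { print $1 }
    '
}

# missing_from_master: read `ipset -L` output on stdin and print each required
# set that Skynet-Master does not reference. A required set that does not exist
# at all is flagged separately, because `ipset -A` would fail for it.
missing_from_master() {
    listing=$(cat)
    for m in $REQUIRED_MEMBERS; do
        if ! printf '%s\n' "$listing" | grep -q "^Name: $m\$"; then
            echo "$m (set does not exist)"
            continue
        fi
        if ! printf '%s\n' "$listing" | members_of Skynet-Master | grep -qx "$m"; then
            echo "$m"
        fi
    done
}

# repair_commands: turn the missing list into the same `ipset -A` commands
# dave14305 posted. Prints nothing when Skynet-Master is healthy.
repair_commands() {
    missing_from_master | while read -r name rest; do
        case "$rest" in
            "") echo "ipset -A Skynet-Master $name" ;;
            *)  echo "# $name does not exist; restart Skynet so it recreates the set" ;;
        esac
    done
}

# Constructed sample: the relevant header lines of the broken listing from the
# original post (Skynet-Master with 0 entries).
BROKEN_LISTING='Name: Skynet-Blacklist
Type: hash:ip
Number of entries: 130691
Members:

Name: Skynet-BlockedRanges
Type: hash:net
Number of entries: 9559
Members:

Name: Skynet-Master
Type: list:set
Number of entries: 0
Members:
'

# Constructed sample: what a healthy Skynet-Master looks like (dave14305's listing).
HEALTHY_LISTING='Name: Skynet-Blacklist
Type: hash:ip
Members:
64.62.197.71 comment "BanMalware: blocklist_net_ua.ipset"

Name: Skynet-BlockedRanges
Type: hash:net
Members:

Name: Skynet-Master
Type: list:set
References: 6
Number of entries: 2
Members:
Skynet-Blacklist
Skynet-BlockedRanges
'

# On the router:  ipset -L | repair_commands   (prints nothing if nothing is missing)
# Offline demo on the constructed broken listing:
printf '%s' "$BROKEN_LISTING" | repair_commands
```

After running the printed `ipset -A` commands on the router, `ipset test Skynet-Master 64.62.197.71` should succeed and the pkts counters on the `match-set Skynet-Master` rules in `iptables -L -n -t raw -v` should start moving; if a required set does not exist at all, adding it to the list:set fails, so the script says so instead of emitting an `ipset -A` line for it.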

Tech Junky

Very Senior Member
Skynet lives in the raw table, so its drops should override any accepts in filter. That file doesn’t exist in Merlin firmware, btw.
Good to know. I don't use Asus, but a DIY from-scratch setup with Linux, and have built iptables from scratch. Same function but different location.
 
