
Skynet WAN ip outbound blocked

K3r1m0

Hello,
I have noticed that Skynet is blocking traffic from my WAN IP address for the past week. Is there any risk of it being compromised?

Code:
May 25 10:33:39 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=* DST=188.114.96.0 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40455 DF PROTO=TCP SPT=42955 DPT=443 SEQ=1784405608 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT

RT-AX86U
388.2_2
 
If your network isn't broken, then you are fine.
 
I see this with the normal firewall, I don't use skynet. If it ain't broke don't fix it - learn to ignore it.
 
What do you see if you search for the destination? There is a subnet at Cloudflare Brazil blacklisted. One of your devices (SRC) is trying to connect there. Does your device have malware or is it trying to connect to a legitimate site which happens to be on the same subnet? Hard to say.
 
The problem is precisely that it does not show which device it is, because my WAN IP address is showing in "SRC" and not a LAN IP.
 
I don't know if there is a solution, but I'm going to install uiDivStats and see if I can find the culprit there via Query Logs.
 
It is the router itself making the connection, not a client.
Code:
May 25 10:33:39 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=* DST=188.114.96.0 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40455 DF PROTO=TCP SPT=42955 DPT=443 SEQ=1784405608 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT

Does this look like the router is making the connection? To me it does. See, it looks like it is destined for port 443.


I wonder if this is skynet actually doing this block, or is skynet just capturing a dropped packet. Because according to the lines of code above in the skynet script, it should not be picking these up inside its statistics.

Code:
grep -F "OUTBOUND" "$skynetlog" | grep -vE 'DPT=80 |DPT=443 ' |

But then you look at this code..


which this time includes the 443 and 80 traffic as HTTP(S) blocks.

Code:
grep -E 'DPT=80 |DPT=443 ' "$skynetlog" | grep -F "OUTBOUND" | grep -oE ' DST=[0-9,\.]*' |
 
How do you mean? If I have any device in the network that is infected, then a local IP address should be blocked and not the router itself?
What I mean is, if your router is functioning, and your devices are able to access the internet, then I would not worry about this. The log shows a dropped HTTP(s) connection attempt. Why your router would be attempting HTTP(s) connections is anyone's guess. I have no clue what it could have been unless you are also blocking advertisements with Diversion, and the destination IP address is a shared IP from one of your blocked domains. But alas, that is just an attempt at an inquisitive guess; these tech gurus (@dave14305 and @ColinTaylor) might be better at explaining what is happening here.
 
The IP 188.114.96.0 should have been whitelisted because it's in Cloudflare's IPv4 list that Skynet downloads, as long as CDN Whitelisting is left enabled. So maybe a false positive.

On the other hand, the IP shows some activity on Alienvault, and I don't know why the router would be contacting an IP in Colombia, unless the user is in South America, or there is malware on the router.


I guess I would first figure out which Skynet list the IP belongs to, then decide if you think it's a false positive or not.
 
That is where I was going next, some of the blocks could be coming from AI Protect. If the user has that enabled..

This is an example of mine:

[Attached image: 1685027713959.png]
 
@dave14305 is right..

If you turn on CDNwhitelisting, that address would be whitelisted through cloudflare entries.

Code:
ipset list | grep 188.114.96.0
188.114.96.0/20 comment "CDN-Whitelist: CloudFlare"
 
@K3r1m0

What does ipset list | grep 188.114.96.0 give you from the command line? It will at least tell you if one of your blocklists is blocking it, or if it was a ban that came from AI Protect.
 
On my router, Skynet shows that IP whitelisted as described earlier in thread
Code:
# firewall stats search ip 188.114.96.0
#############################################################################################################
#                                                                                                           #
#                  ███████╗██╗  ██╗██╗   ██╗███╗   ██╗███████╗████████╗    ██╗   ██╗███████╗                #
#                  ██╔════╝██║ ██╔╝╚██╗ ██╔╝████╗  ██║██╔════╝╚══██╔══╝    ██║   ██║╚════██║                #
#                  ███████╗█████╔╝  ╚████╔╝ ██╔██╗ ██║█████╗     ██║       ██║   ██║    ██╔╝                #
#                  ╚════██║██╔═██╗   ╚██╔╝  ██║╚██╗██║██╔══╝     ██║       ╚██╗ ██╔╝   ██╔╝                 #
#                  ███████║██║  ██╗   ██║   ██║ ╚████║███████╗   ██║        ╚████╔╝    ██║                  #
#                  ╚══════╝╚═╝  ╚═╝   ╚═╝   ╚═╝  ╚═══╝╚══════╝   ╚═╝         ╚═══╝     ╚═╝                  #
#                                                                                                           #
#                                 Router Firewall And Security Enhancements                                 #
#                             By Adamm -  https://github.com/Adamm00/IPSet_ASUS                             #
#                                            14/05/2023 - v7.4.1                                            #
#############################################################################################################


=============================================================================================================


[i] Logging Data Detected in /tmp/mnt/ent/skynet/skynet.log - 8.5M
[i] Monitoring From May 22 23:00:02 To May 25 14:10:46
[i] 31680 Block Events Detected
[i] 5396 Unique IPs
[i] 0 Manual Bans Issued

Warning: 188.114.96.0 is in set Skynet-Whitelist.
188.114.96.0 is NOT in set Skynet-Blacklist.
188.114.96.0 is NOT in set Skynet-BlockedRanges.

Whitelist Reason;
 188.114.96.0/20 "CDN-Whitelist: CloudFlare"


[i] IP Location - Canada (CLOUDFLARENET / AS13335)

[i] 188.114.96.0 First Tracked On
[i] 188.114.96.0 Last Tracked On
[i] 0 Blocks Total

Event Log Entries From 188.114.96.0;

First Block Tracked From 188.114.96.0;
-*-
10 Most Recent Blocks From 188.114.96.0;
--*

Top 10 Targeted Ports From 188.114.96.0 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

*--

Top 10 Sourced Ports From 188.114.96.0 (Inbound);


--------   | --------   | --------------
| Hits |   | | Port |   | | SpeedGuide |
--------   | --------   | --------------

--*


=============================================================================================================


[#] 34177 IPs (+0) -- 2280 Ranges Banned (+0) || 28476 Inbound -- 0 Outbound Connections Blocked! [stats] [10s]
 
I don't think this is the issue. The actual question seems to be "why is there HTTP(s) (dpt=443) traffic spawning from the router (src=wanIP) on the outbound to the IP of 188.114.96.0(dst) being blocked by the OP firewall?"
 
The issue is that the OP must have disabled CDN Whitelisting in Skynet, otherwise the IP would have been whitelisted by Skynet, just like in EmeraldDeer's output. OP needs to run the same command to see why it's being blocked.
Code:
firewall stats search ip 188.114.96.0
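
The question the thread keeps returning to, whether a blocked outbound packet came from the router itself or from a LAN client, can be answered from the log line alone. The script below is an added example, not part of any post and not Skynet's own code; the function names, the `br0` interface and all sample lines except the first are assumptions.

```sh
#!/bin/sh
# Added example (not Skynet code): group "[BLOCKED - OUTBOUND]" log lines by
# who generated the packet. Netfilter's LOG target leaves IN= empty for packets
# created on the router itself; forwarded LAN traffic carries the LAN-side
# interface (e.g. IN=br0) and the client's address in SRC=.

# Reads log lines on stdin, prints "origin dst dpt count", sorted.
classify_outbound() {
    grep -F "BLOCKED - OUTBOUND" | awk '
    {
        in_if = ""; src = ""; dst = ""; dpt = "-"   # "-" when no port (ICMP)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)  in_if = substr($i, 4)
            if ($i ~ /^SRC=/) src   = substr($i, 5)
            if ($i ~ /^DST=/) dst   = substr($i, 5)
            if ($i ~ /^DPT=/) dpt   = substr($i, 5)
        }
        origin = (in_if == "") ? "router" : "client:" src
        hits[origin " " dst " " dpt]++
    }
    END { for (k in hits) print k, hits[k] }' | sort
}

# Sample input. The first line is the one posted in the thread (trailing OPT
# dropped); the other three are constructed, using documentation addresses.
write_sample() {
    cat <<'EOF'
May 25 10:33:39 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=* DST=188.114.96.0 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40455 DF PROTO=TCP SPT=42955 DPT=443 SEQ=1784405608 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 10:34:41 kernel: [BLOCKED - OUTBOUND] IN= OUT=eth0 SRC=* DST=188.114.96.0 LEN=60 TTL=64 DF PROTO=TCP SPT=42960 DPT=443 SYN URGP=0
May 25 10:40:02 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TTL=63 DF PROTO=TCP SPT=51514 DPT=443 SYN URGP=0
May 25 10:41:15 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=* LEN=40 TTL=240 PROTO=TCP SPT=50123 DPT=23 SYN URGP=0
EOF
}

write_sample | classify_outbound
```

On a router, replace the sample with the log file your own Skynet names in its "Logging Data Detected in" line. A `router` row means the connection was opened by a process on the router, so the next step is finding that process rather than hunting for a LAN device.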
 
