Skynet - Blocked outbounds coming from the router itself?


JuanGF

Occasional Visitor
I've installed and been learning Skynet for some days now, but there is one thing in the logs that I can't figure out how to read or interpret.

Skynet blocks outbounds, but all I can see being blocked seems to be originating from the router itself. For example, here are the three most blocked outbound IPs:

Code:
10 Most Recent Blocks From 147.78.47.176;
May  9 02:40:59 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=7633 PROTO=TCP SPT=54367 DPT=8443 SEQ=4149757245 ACK=0 WINDOW=1024 RES
May  9 02:52:02 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=34187 PROTO=TCP SPT=55449 DPT=8080 SEQ=4097106444 ACK=0 WINDOW=1024 RE
May  9 03:08:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp1 SRC=192.168.2.1 DST=147.78.47.176 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=56529 SEQ=2863673844 ACK=2490895678 WINDOW=65340
May  9 03:08:01 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp1 SRC=192.168.2.1 DST=147.78.47.176 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=56529 SEQ=2863673844 ACK=2490895678 WINDOW=65340
May  9 05:48:25 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=44864 PROTO=TCP SPT=45749 DPT=8080 SEQ=2287257799 ACK=0 WINDOW=1024 RE
May  9 07:14:43 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=33528 PROTO=TCP SPT=50944 DPT=8443 SEQ=4225096212 ACK=0 WINDOW=1024 RE
May  9 07:27:19 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=34292 PROTO=TCP SPT=52027 DPT=8080 SEQ=686809715 ACK=0 WINDOW=1024 RES
May  9 07:40:30 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp1 SRC=192.168.2.1 DST=147.78.47.176 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=53107 SEQ=301263442 ACK=2454046790 WINDOW=65340 R
May  9 07:40:31 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp1 SRC=192.168.2.1 DST=147.78.47.176 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=53107 SEQ=301263442 ACK=2454046790 WINDOW=65340 R
May  9 10:27:39 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=38528 PROTO=TCP SPT=42321 DPT=8080 SEQ=3623088391 ACK=0 WINDOW=1024 RE


Code:
10 Most Recent Blocks From 23.95.186.183;
May  8 16:37:13 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=58656 SEQ=3343650615 ACK=780480555 WINDOW=65340 R
May  8 16:37:14 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=58656 SEQ=3343650615 ACK=780480555 WINDOW=65340 R
May  8 21:19:50 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=55285 SEQ=4061687358 ACK=1267577594 WINDOW=65340
May  8 21:19:51 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=55285 SEQ=4061687358 ACK=1267577594 WINDOW=65340
May  9 01:53:52 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=52207 SEQ=1325613638 ACK=2060921360 WINDOW=65340
May  9 01:53:53 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=52207 SEQ=1325613638 ACK=2060921360 WINDOW=65340
May  9 06:29:46 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=48308 SEQ=173238269 ACK=1950839580 WINDOW=65340 R
May  9 06:29:47 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=48308 SEQ=173238269 ACK=1950839580 WINDOW=65340 R
May  9 10:39:05 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=43518 SEQ=1558177459 ACK=1360031105 WINDOW=65340
May  9 10:39:07 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=23.95.186.183 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=43518 SEQ=1558177459 ACK=1360031105 WINDOW=65340



Code:
10 Most Recent Blocks From 79.110.62.71;
May  9 03:05:09 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=79.110.62.71 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=14238 PROTO=TCP SPT=56656 DPT=8443 SEQ=2722656114 ACK=0 WINDOW=1024 RES
May  9 04:27:19 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=41449 SEQ=2514349906 ACK=858156911 WINDOW=65340 RE
May  9 04:27:20 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=41449 SEQ=2514349906 ACK=858156911 WINDOW=65340 RE
May  9 05:42:38 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=79.110.62.71 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=30068 PROTO=TCP SPT=45935 DPT=8443 SEQ=1545743768 ACK=0 WINDOW=1024 RES
May  9 07:03:40 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=50954 SEQ=2356673267 ACK=2950742863 WINDOW=65340 R
May  9 07:03:41 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=50954 SEQ=2356673267 ACK=2950742863 WINDOW=65340 R
May  9 08:20:24 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=79.110.62.71 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=41978 PROTO=TCP SPT=55531 DPT=8443 SEQ=1331624726 ACK=0 WINDOW=1024 RES
May  9 09:46:58 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=40663 SEQ=3534287188 ACK=3066922797 WINDOW=65340 R
May  9 09:46:59 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=79.110.62.71 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=40663 SEQ=3534287188 ACK=3066922797 WINDOW=65340 R
May  9 11:02:32 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=79.110.62.71 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=249 ID=28062 PROTO=TCP SPT=45225 DPT=8443 SEQ=3766170994 ACK=0 WINDOW=1024 RES


How can I read this? Is it the router trying to make those connections, or do they come from the LAN but the device is unidentified for some reason?

How can I further diagnose what's going on with those outbound connections? Like, how/where are they starting?

I'm using an AXE16000 with Merlin.

Thanks for your help.
 
What other scripts are running on your router? Have you installed Asus' Download Manager, or have any other bittorrent clients running on your net? (we won't judge)
I think it's just skynet doing what's intended.
 
What other scripts are running on your router? Have you installed Asus' Download Manager, or have any other bittorrent clients running on your net? (we won't judge)
In the router I only have amtm/Entware, Dual Wan Failover and Skynet.

BitTorrent I don't have; I do have LAN devices with TOR and/or VPN connections. But none of those are installed in the router itself.
 
Is WAN access to the router GUI enabled on port 8443?
Code:
netstat -nltp | grep :8443
 
Yes, it is

Code:
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      2655/httpds
tcp        0      0 192.168.2.1:8443        0.0.0.0:*               LISTEN      2655/httpds
That seems fine as LAN access. Any firewall rules or port forwards for port 8443?
Code:
iptables-save -c | grep 8443
 
That seems fine as LAN access. Any firewall rules or port forwards for port 8443?
Code:
iptables-save -c | grep 8443

Not that I'm aware of creating myself.

Code:
[121:6132] -A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.2.1:8443
[39:2260] -A balance -p tcp -m tcp --dport 8443 -j RETURN
[122:6192] -A INPUT -d 192.168.2.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
 
Not that I'm aware of creating myself.

Code:
[121:6132] -A VSERVER -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.2.1:8443
[39:2260] -A balance -p tcp -m tcp --dport 8443 -j RETURN
[122:6192] -A INPUT -d 192.168.2.1/32 -p tcp -m tcp --dport 8443 -j ACCEPT
There it is. A port forward to 8443 on the LAN interface of the router. Double-check port forwards, Let’s Encrypt certificate, or firewall-start and nat-start scripts.
 
I've deactivated Let's Encrypt, which wasn't working anyway. Now iptables shows:

Code:
[0:0] -A balance -p tcp -m tcp --dport 8443 -j RETURN

But how is Let's Encrypt, or the port forwards it creates, related to the outbound connections to IPs in the Skynet blacklist?

I would like to understand so I can diagnose this myself in the future.


There it is. A port forward to 8443 on the LAN interface of the router. Double-check port forwards, Let’s Encrypt certificate, or firewall-start and nat-start scripts.
 
But how is Let's Encrypt, or the port forwards it creates, related to the outbound connections to IPs in the Skynet blacklist?
Let’s Encrypt usually requires a verification during cert renewal, by connecting to the httpd server. I’ve never used it, but that’s my understanding. Internet bad guys are scanning that port on your router, perhaps, and Skynet blocks it.

I’m curious about the “balance” chain in your iptables rules. Can you post:
Code:
iptables-save -c | grep balance
 
Let’s Encrypt usually requires a verification during cert renewal, by connecting to the httpd server. I’ve never used it, but that’s my understanding. Internet bad guys are scanning that port on your router, perhaps, and Skynet blocks it.

But that would still be an inbound block, right? Skynet identifies these blocks as outbounds originating in 192.168.2.1.

I’m curious about the “balance” chain in your iptables rules. Can you post:
Code:
iptables-save -c | grep balance

This:

Code:
:balance - [0:0]
[5022:516817] -A PREROUTING -i br0 -m state --state NEW -j balance
[3778:354019] -A balance -d 192.168.2.0/24 -j RETURN
[0:0] -A balance -d 10.0.9.154/32 -j RETURN
[0:0] -A balance -d 192.168.144.1/32 -j RETURN
[127:8084] -A balance -p tcp -m tcp --dport 443 -j RETURN
[0:0] -A balance -p tcp -m tcp --dport 8443 -j RETURN
[2:2556] -A balance -p udp -m udp --dport 443 -j RETURN
[0:0] -A balance -p udp -m udp --dport 80 -j RETURN
[861:120043] -A balance -m connmark --mark 0x80000000/0x80000000 -j RETURN
[0:0] -A balance -m state --state RELATED,ESTABLISHED -j RETURN
[190:22558] -A balance -m statistic --mode random --probability 0.75000000000 -j CONNMARK --set-xmark 0x80000000/0xf0000000
[64:9557] -A balance -m connmark --mark 0x0 -j CONNMARK --set-xmark 0x90000000/0xf0000000

10.0.9.154 is the gateway of my WAN1. This WAN connects directly to the ONT.
192.168.144.1 is the gateway of WAN2. This WAN uses another router in bridge mode; the ONT is integrated inside it.
 
There's been zero outbound blockings since I removed Let's Encrypt, so it was definitely that. Thanks for the help, I'd never have figured that out myself.

Still, I can't understand how having those port forwarding rules made the log show outbound connections to (unrelated?) IPs. I put the top three as examples, but there were more:

[attached screenshot of the remaining blocked IPs]


All has stopped now.
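As an added illustration (not code from the thread or from Skynet), a small Python classifier for the kernel log lines posted above. It treats an OUTBOUND block whose SRC is the router's LAN address, whose SPT is a port the router itself listens on (8443, per the netstat output) and whose ACK is non-zero as the router's httpd answering a connection that reached it from outside through the port forward, and separates that from a connection the router itself opened (ACK=0, a SYN). The router address and listening-port set are passed in as assumptions; the third sample line and its 203.0.113.5 address are constructed.

```python
import re
from dataclasses import dataclass

# Fields needed from an iptables LOG line; trailing TCP flags are often truncated.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT|ACK)=(\S*)")
TAG_RE = re.compile(r"\[BLOCKED - (INBOUND|OUTBOUND)\]")

@dataclass
class Verdict:
    direction: str
    kind: str
    peer: str  # the external address involved

def classify(line, router_ip, listening_ports):
    """Explain one Skynet block line. router_ip is the LAN address (192.168.2.1
    here), listening_ports the TCP ports the router serves (8443 from netstat)."""
    tag = TAG_RE.search(line)
    if not tag:
        return None  # not a Skynet block line
    f = dict(FIELD_RE.findall(line))
    direction, dst = tag.group(1), f.get("DST", "?")
    if direction == "INBOUND":
        return Verdict(direction, "inbound probe blocked", f.get("SRC", "?"))
    if f.get("SRC") != router_ip:
        return Verdict(direction, "outbound from LAN host", dst)
    if int(f.get("ACK") or 0) == 0:
        # A SYN with the router as source: the router itself opened this.
        return Verdict(direction, "router-initiated connection", dst)
    if int(f.get("SPT") or 0) in listening_ports:
        # The router's own service is answering a connection that reached it
        # from outside (here via the 8443 DNAT); Skynet blocked the reply.
        return Verdict(direction, "reply from local service", dst)
    return Verdict(direction, "router traffic on established connection", dst)

def summarize(lines, router_ip, listening_ports):
    counts = {}
    for line in lines:
        v = classify(line, router_ip, listening_ports)
        if v:
            counts[v.kind] = counts.get(v.kind, 0) + 1
    return counts

# Two lines taken from the thread plus one constructed router-originated SYN
# (203.0.113.5 is a documentation address, not a real peer).
SAMPLE = [
    "May  9 03:08:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp1 SRC=192.168.2.1 DST=147.78.47.176 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8443 DPT=56529 SEQ=2863673844 ACK=2490895678 WINDOW=65340",
    "May  9 02:40:59 kernel: [BLOCKED - INBOUND] IN=ppp0 OUT= MAC= SRC=147.78.47.176 DST=x.x.x.x LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=7633 PROTO=TCP SPT=54367 DPT=8443 SEQ=4149757245 ACK=0 WINDOW=1024 RES",
    "May  9 12:00:00 kernel: [BLOCKED - OUTBOUND] IN= OUT=ppp0 SRC=192.168.2.1 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41234 DPT=443 SEQ=1 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0",
]
```

Running `summarize(SAMPLE, "192.168.2.1", {8443})` puts the thread's 8443 lines in the "reply from local service" bucket, which is the pattern to expect from a port forward into a local service rather than from the router calling out.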
 
