Skynet Skynet blocking question

[mongodb]

DISREGARD THIS THREAD; IT WAS MY FAULT:

OK, so I realised what it was. I completely forgot I had setup a convoluted NAT (to test something out a few weeks ago) on the internal router that NAT'd the destination host to a test DoH client in the DMZ. My bad! Tested from another non-172.16.150.0/24 host and expected result looks good:

Apr 7 15:55:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.150.178 DST=213.181.166.26 LEN=60 TOS=0)

Thanks for looking if you did

--

Hi,

I'm currently running Skynet v7.2.4 (19/03/2021) and have a question regarding it blocking connections. The router's LAN IP is 172.16.150.254 and there are multiple other networks (behind an internal router) that don't appear to have traffic blocked when a new IP block is applied via Skynet. I can confirm that one other host on the 172.16.150.0/24 network is blocked on Skynet but all other non-172.16.150.0/24 nets are allowed thru.

Router Model; RT-AC88U
Skynet Version; v7.2.4 (19/03/2021) (0380669c11572e222d1fd2f7531d7bfa)
iptables v1.4.15 - (eth0 @ 172.16.150.254)
ipset v6.32, protocol version: 6
IP Address; (aaa.bbb.c.d)

Any ideas on how to address this please?

Thanks

--

Edit: thought I'll paste what I typed a little further down for ease of first-time readers:

Hopefully this explains it a bit better:

When attempting connection to a blocked network/IP from the same network as the router's internal interface network (172.16.150.0/24)

Host on same net:
user@172.16.150.234:~$ telnet 213.181.166.26 53
Trying 213.181.166.26...
^C

Skynet logs:
Apr 6 20:31:47 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=172.16.150.234 DST=213.181.166.26 LEN=60 TOS=0)

Works as expected.

Host on a diff internal net:
user@192.168.150.50:~$ telnet 213.181.166.26 53
Trying 213.181.166.26...
Connected to 213.181.166.26.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Does not work as expected.

See what I mean?

 

[Wallace_n_Gromit]

Hi,

I'm currently running Skynet v7.2.4 (19/03/2021) and have a question regarding it blocking connections. The router's LAN IP is 172.16.150.254 and there are multiple other networks (behind an internal router) that don't appear to have traffic blocked when a new IP block is applied via Skynet. I can confirm that one other host on the 172.16.150.0/24 network is blocked on Skynet but all other non-172.16.150.0/24 nets are allowed thru.

Router Model; RT-AC88U
Skynet Version; v7.2.4 (19/03/2021) (0380669c11572e222d1fd2f7531d7bfa)
iptables v1.4.15 - (eth0 @ 172.16.150.254)
ipset v6.32, protocol version: 6
IP Address; (aaa.bbb.c.d)

Any ideas on how to address this please?

Thanks

I'm not sure if this is your problem. When SSH'ed On my RTAC86U running Skynet v7.2.4 and Merlin 386.2_beta3, I have a number of "Banned Countries; Multiple Countries" and shows this:

SWAP File; /tmp/mnt/AsusRTAC86U/myswap.swp (2.0G)
Banned Countries; Multiple Countries

45962 IPs (+0) -- 62305 Ranges Banned (+0) || 7863 Inbound -- 135 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban

On my RTAC68U running Skynet v7.2.4 and Merlin 386.2, I have a number of "Banned Countries; Multiple Countries" (it's the same list as my 86U) and shows this:

SWAP File; /tmp/mnt/RTAC68U_55/myswap.swp (2.0G)
Banned Countries; Multiple Countries

0 IPs (+0) -- 0 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked!

Select Menu Option:
[1] --> Unban
[2] --> Ban

It appears that with the same two banned country list(s) my 68U fails to show it is banning anything.

What interests me about your RTAC88U, it is a similar class of Broadcom chip as is on the RTAC68U.

 

[mongodb]

Hi,

Thanks for the reply. I see this in my stats:

45622 IPs (+0) -- 2111 Ranges Banned (+0) || 260 Inbound -- 96 Outbound Connections Blocked!

I know outbound blocks work if traffic originates from the same network address as the router's (LAN) eth0 intf but other internal networks are allowed in my case.

Cheers

 

[mongodb]

Hopefully this explains it a bit better:

When attempting connection from the same network as the router's internal interface network (172.16.150.0/24)

Host on same net:
user@172.16.150.234:~$ telnet 213.181.166.26 53
Trying 213.181.166.26...
^C

Skynet logs:
Apr 6 20:31:47 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=172.16.150.234 DST=213.181.166.26 LEN=60 TOS=0)

Works as expected.

Host on a diff internal net:
user@192.168.150.50:~$ telnet 213.181.166.26 53
Trying 213.181.166.26...
Connected to 213.181.166.26.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Does not work as expected.

See what I mean?

Regards

 

[Wallace_n_Gromit]

Hi,

Thanks for the reply. I see this in my stats:

45622 IPs (+0) -- 2111 Ranges Banned (+0) || 260 Inbound -- 96 Outbound Connections Blocked!

I know outbound blocks work if traffic originates from the same network address as the router's (LAN) eth0 intf but other internal networks are allowed in my case.

Cheers

I was hoping that my issue was similar to your issue. Then I could follow the suggestions of some of the very knowledgeable people on this forum as they provide some troubleshooting help to you. I see now that my issue(s) are likely unrelated to yours.

Good luck to you. (you've come to the right place for help)

 

[mongodb]

Good luck to you. (you've come to the right place for help)

Thanks

 

[mongodb]

As a side note, I found this handy site for finding out country-based networks- https://www.countryipblocks.net/acl.php

 

[mongodb]

Apologies for the bump up; please can an expert here weigh in on this?

Thanks in advance.

 

[mongodb]

OK, so I realised what it was. I completely forgot I had setup a convoluted NAT on the internal router that NAT'd the destination host to a test DoH client in the DMZ. My bad! Tested from another non-172.16.150.0/24 host and expected result looks good:

Apr 7 15:55:12 kernel: [BLOCKED - OUTBOUND] IN=br0 OUT= SRC=192.168.150.178 DST=213.181.166.26 LEN=60 TOS=0)

Thanks for looking if you did

 

[mongodb]

I was hoping that my issue was similar to your issue. Then I could follow the suggestions of some of the very knowledgeable people on this forum as they provide some troubleshooting help to you. I see now that my issue(s) are likely unrelated to yours.

Good luck to you. (you've come to the right place for help)

Hi there, not sure if this helps you or not but I've managed to fix the issue. Please see the OP or the message above this one.

 

[Wallace_n_Gromit]

Hi there, not sure if this helps you or not but I've managed to fix the issue. Please see the OP or the message above this one.

Thanks. Don't really understand why my (2nd backup) RTAC68U running the current version of Merlin/Skynet has failed to load a list of blocked country IP ranges. Since it is a backup to a backup Asus device, haven't really invested much time into troubleshooting it. My (1st backup) RTAC68U still running Merlin 386.1_2 is working fine showing the list of banned country IP's.

Glad you were able to troubleshoot your own networking issue.