Skynet Skynet not blocking any inbound IPs, but blocking some outbound only

[Daniel LaRusso]

I have an Asus RT-AC86U with Merlin 384.19 installed. I have Skynet and Diversion running on my router, and everything is up to date as well. I'm in Australia, so I'm on the NBN (50up/20down) and using their connection device, which is connected directly to my Asus 86U. My problem is that Skynet never blocks any inbound IPs at all, while it will block some outbound IPs. I have my router firewall turned on, DoS protection turned off, and Skynet running alongside Diversion (which is working fine). I'm also using a commercial VPN client that is running on my router at all times (for streaming, music, etc.), however, I've disabled policy rules and have all the traffic running through the VPN tunnel and have the DNS config set to "exclusive," so that I can run Diversion.

When I open Skynet through amtm, I've noticed that the IP recognized by Skynet is the WAN IP from my ISP, not the Asus router's IP, does this matter? I've also noticed when I check the router's system log, it is flooded with the following message:
"Skynet: [*] Private WAN IP Detected XXX.XX.XX.XX - Please Put Your Modem In Bridge Mode / Disable CG-NAT"

However, since I'm using the NBN connection device, there is no possible way to put it in bridge mode, it just connects directly to my router's WAN. Am I missing something here? I don't have much knowledge when it comes to networking, but I'm learning as much as I can at the moment. Any help would be appreciated.

 

[JaimeZX]

Well, your problem is all inbound traffic appears to be coming from your modem and therefore Skynet can't block anything, or it would block everything.

I'm not familiar with NBN; there's no way to access a GUI on the modem to enable Bridge Mode? Can you call you tech support? (Assuming the Asus sees 192.168.253.1 as your WAN IP, what happens if you try to access that IP from your browser? Anything?)

Google suggests:

How do I log into my NBN modem?
NBN modem settings

1. Log on to your Belong Wi-Fi (you don't need to be connected to the internet to do this)
2. Open an internet browser (e.g. Internet Explorer, Safari or Chrome)
3. Type 10.0.0.138 into the address bar.
4. If prompted, type in your modem username and password: Enter the username 'admin' Enter the password 'Belong'

 

[Daniel LaRusso]

Well, your problem is all inbound traffic appears to be coming from your modem and therefore Skynet can't block anything, or it would block everything.

I'm not familiar with NBN; there's no way to access a GUI on the modem to enable Bridge Mode? Can you call you tech support? (Assuming the Asus sees 192.168.253.1 as your WAN IP, what happens if you try to access that IP from your browser? Anything?)

Google suggests:

Thanks for your reply. Nothing happens if I try to go to the WAN IP, just a dead connection. Do I need the DDNS turned on in the Asus GUI? I checked it and it has this message:
“The wireless router currently uses a private WAN IP address.
This router may be in the multiple-NAT environment. While using an External check might allow DDNS to reflect the correct IP address, this might still interfere with remote access services.”
There is no way to bridge the NBN connection device (essentially a modem), nor is there any GUI to access; it’s essentially just plug and play. In Australia, this connection device is supplied by the wholesale retailer of our high speed (not very fast) internet, which we connect directly to a router. I believe the directions you obtained from the Google search were for a router supplied by an ISP provider, so it’s not the actual connection device. Access to the internet is provided by an ISP of the consumer’s choosing. The ISP isn’t responsible for, or has any control over the connection device provided by the NBN. Basically, there’s no bridging the device or any GUI, it’s just a dummy device that connects to your router. I don’t think contacting the ISP would even help because they don’t supply the hardware. It’s weird because this connection device cannot be bridged. I know users in Australia are using Skynet, so there has to be a solution. So, should the IP detected by Skynet be the router IP?

 

[agilani]

Your problem is that your modem/router before the asus router is performing NAT. All traffic from the device will look like internal traffic. The ASUS rotuer will need a routable public address (to make it simple) for it to be able to block incoming traffic.

Its like you have an internal only phone extension which is only accessible by dialing the main number (the NBN router).

Regardless, unless the NBN router has port forwarding turned on or somehow supports UPNP (which is doesn't). You don't have any incoming initiated traffic behind the NAT barrier. Because of the NAT configuration of your network, all your traffic must be initiated outbound.

 

[Stephen Harrington]

I have an Asus RT-AC86U with Merlin 384.19 installed. I have Skynet and Diversion running on my router, and everything is up to date as well. I'm in Australia, so I'm on the NBN (50up/20down) and using their connection device, which is connected directly to my Asus 86U. My problem is that Skynet never blocks any inbound IPs at all, while it will block some outbound IPs.

@Daniel LaRusso, to enable us (other Aussies) to help you, what kind of NBN do you have (FTTH, FTTN, FTTB, FTTC, HFC, Fixed Wireless or Satellite) and what is the supplied NBN hardware model? My understanding is that all NBN-supplied boxes are “bridged” anyway so I don’t think Double-NAT is your issue.

Who is your RSP (Retail Service Provider)? Do they have CGNAT enabled and can you ring them up and get it turned off? Aussie Broadband for example will put you on CGNAT by default but turn it off and give you an external IPv4 address on request.

As an example, I have NBN HFC variant on a 100/40 plan (Superloop is my RSP) and a RT-AC86U (Merlin 384.19) like you. My NBN-supplied hardware is an Arris CM8200 “cable-modem”. Superloop don’t use CGNAT. I do run a VPN Client but only selectively on one device, not everything on the LAN. SkyNet works perfectly Inbound and Outbound, and does correctly list my external IPv4 address. Have you checked if it works if you turn your VPN off?

 

[Daniel LaRusso]

@Daniel LaRusso, to enable us (other Aussies) to help you, what kind of NBN do you have (FTTH, FTTN, FTTB, FTTC, HFC, Fixed Wireless or Satellite) and what is the supplied NBN hardware model? My understanding is that all NBN-supplied boxes are “bridged” anyway so I don’t think Double-NAT is your issue.

Who is your RSP (Retail Service Provider)? Do they have CGNAT enabled and can you ring them up and get it turned off? Aussie Broadband for example will put you on CGNAT by default but turn it off and give you an external IPv4 address on request.

As an example, I have NBN HFC variant on a 100/40 plan (Superloop is my RSP) and a RT-AC86U (Merlin 384.19) like you. My NBN-supplied hardware is an Arris CM8200 “cable-modem”. Superloop don’t use CGNAT. I do run a VPN Client but only selectively on one device, not everything on the LAN. SkyNet works perfectly Inbound and Outbound, and does correctly list my external IPv4 address. Have you checked if it works if you turn your VPN off?

I’m on NBN FTTC (Launtel is my provider and I’m on a 50/20 plan). The connection device doesn’t have a model number or name, so I’ve uploaded a photo of it. I just checked my account with Launtel, they have CGNAT turned on. I’ve turned off the VPN and restarted Skynet, but get a message that a lock file was detected and IPTables rules have failed.

 

[Stephen Harrington]

The connection device doesn’t have a model number or name, so I’ve uploaded a photo of it.

@Daniel LaRusso

Yep, that's the standard Netcomm NDD-0300 box that the NBN hand out for FTTC connections. It's basically a VDSL Modem in Bridge mode, but also supplies "reverse power" back down your phone line to the DPU box out in the street that does the Fibre-to-Copper conversion. It does NO routing/firewalling etc so you are NOT in a double-NAT situation at your end if you just have that plugged into your RT-AC86U, which would tend to point towards the CGNAT or the VPN being the culprit ...

I just checked my account with Launtel, they have CGNAT turned on.

Based then on the SkyNet log message you posted, and knowing/assuming we ARE bridged "upstream" of your RT-AC86U, CGNAT could be the issue then?
Others may be able to comment?

Me, I've always had proper external dynamic or static IPv4 addresses ...

Can you ask Launtel to "loan" you a static IPv4 address for a couple of days and test if that makes any difference?
In fact, can't you "Rent" one for a day yourself using their web interface or is that only speed changes?

Not sure what happens with SkyNet when everything is running through a VPN, as I have never run in that mode.
Others may be able to comment?

I’ve turned off the VPN and restarted Skynet, but get a message that a lock file was detected and IPTables rules have failed.

You may have just had to wait a couple of minutes for SkyNet to sort itself out but failing that ... a Router reboot / power cycle never hurts whenever in doubt, to get it back to a known good state. But that of course depends who is hanging off it and how loud the screams will be in these days of WFH and reliance on the internet by a household full of people!

If it was me, I'd leave the VPN off and out of the equation temporarily, get rid of the CGNAT and re-test, and see if you are getting anywhere ...

Sorry I can't be more helpful ...

 

[Daniel LaRusso]

@Daniel LaRusso

Yep, that's the standard Netcomm NDD-0300 box that the NBN hand out for FTTC connections. It's basically a VDSL Modem in Bridge mode, but also supplies "reverse power" back down your phone line to the DPU box out in the street that does the Fibre-to-Copper conversion. It does NO routing/firewalling etc so you are NOT in a double-NAT situation at your end if you just have that plugged into your RT-AC86U, which would tend to point towards the CGNAT or the VPN being the culprit ...




Based then on the SkyNet log message you posted, and knowing/assuming we ARE bridged "upstream" of your RT-AC86U, CGNAT could be the issue then?
Others may be able to comment?

Me, I've always had proper external dynamic or static IPv4 addresses ...

Can you ask Launtel to "loan" you a static IPv4 address for a couple of days and test if that makes any difference?
In fact, can't you "Rent" one for a day yourself using their web interface or is that only speed changes?

Not sure what happens with SkyNet when everything is running through a VPN, as I have never run in that mode.
Others may be able to comment?



You may have just had to wait a couple of minutes for SkyNet to sort itself out but failing that ... a Router reboot / power cycle never hurts whenever in doubt, to get it back to a known good state. But that of course depends who is hanging off it and how loud the screams will be in these days of WFH and reliance on the internet by a household full of people!

If it was me, I'd leave the VPN off and out of the equation temporarily, get rid of the CGNAT and re-test, and see if you are getting anywhere ...

Sorry I can't be more helpful ...

Launtel has two options for disabling CGNAT, I can rent an IP for $0.15/day or lease one for $100 (which will be refunded back to me when I no longer need it. I've done the $0.15/day option to test, and now Skynet is working with inbound IPs being blocked, so you were correct about CGNAT being the cuprit. You've been a big help. One more question, which option would you choose, the $0.15/day or the refundable $100 option?

 

[Stephen Harrington]

@Daniel LaRusso

Well that's good, now we've all learned something ... is your VPN on as well now and it's still working?

which option would you choose, the $0.15/day or the refundable $100 option?

If you had the cash and intended to stay for the long haul, I'd pony up the $100 refundable myself as $0.15 cents a day is $55 per year extra charges you can't recover ...

 

[Daniel LaRusso]

@Daniel LaRusso

Well that's good, now we've all learned something ... is your VPN on as well now and it's still working?




If you had the cash and intended to stay for the long haul, I'd pony up the $100 refundable myself as $0.15 cents a day is $55 per year extra charges you can't recover ...

Yes, my VPN is on and it all seems to be running fine. I agree with you about the $100 option as well, thank you, you've really helped me out with this, I appreciate it!

 

[Stephen Harrington]

you've really helped me out with this, I appreciate it!

@Daniel LaRusso

No problem, enjoy!
Launtel is a good choice, may give them a go myself at some stage ...