Skynet - Router Firewall & Security Enhancements


Hey @Adamm, I use the IoT blocking. I ban the IP associated with a device on my guest 2.4 network. The network does not have LAN access. I can still access the device from my phone using a data connection with wifi shut off. Am I missing something? Is it because the device is on the guest network and isolated from the LAN?
 

The corresponding rule is the following:

Code:
iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src ! -o tun+ -j DROP

Which breaks down to:

Table: Forward
Interface: br0
Matches our ipset
Isn't destined for tun+ (VPN Traffic)

I've never personally used guest networks nor looked into what it changes, are you just using the built in functionality?
 
Ok, try to follow me here, lol:
Yes, my idea was that the guest network has the "isolate from intranet" function. I found out I have to allow this camera WAN access if I want it to function at all. So the idea was the IoT blocking (which breaks the camera no matter what I do) and has now progressed to just isolation from the LAN, using the guest wifi. However, when I try to isolate using the "access intranet" function set to disable, I can't ping the camera and the camera cannot ping me on the LAN, BUT I can still access the camera with its built-in software when my phone's data connection is switched off and using wifi only. I don't know why I can still access the camera with its software, but not be able to ping it. What am I missing?
 


I have just tested this exact setup and everything works as expected.

You toggled "isolate from intranet", meaning it can't contact other local devices. This is the reason you can't ping the device. This setting has no effect on the device's ability to contact the WAN, only other clients. I assume your client software is accessing the camera via the cloud rather than connecting locally.
 
Ahhh, I gotcha now. Yeah, its access is via the cloud. You never really access the camera, I guess; you are accessing the cloud's link to the camera and its authentication system. I'm not broadcasting anything sensitive, so I should be OK; if the camera is truly isolated from my LAN, I'm doing OK if the camera gets hacked through the cloud somehow.
 

Yeah, that's a device limitation; my Annke setup fortunately allows me to keep everything local. You can still prevent unnecessary ports from being used by configuring the IOT blacklist feature and allowing whatever port it calls home on.

It could be I am not understanding what the data table is showing. If you are saying these are the ports the 9,397 blocked IPs were trying to reach, then that makes sense. I guess it is useful to know not only what IPs were knocking but on what door.

Thanks.


Hits | Port | SpeedGuide
-------- | -------- | --------------
683x | 23 | https://www.speedguide.net/port.php?port=23
498x | 1433 | https://www.speedguide.net/port.php?port=1433
467x | 8088 | https://www.speedguide.net/port.php?port=8088
371x | 8545 | https://www.speedguide.net/port.php?port=8545
241x | 5060 | https://www.speedguide.net/port.php?port=5060
179x | 22 | https://www.speedguide.net/port.php?port=22
173x | 3389 | https://www.speedguide.net/port.php?port=3389
120x | 8080 | https://www.speedguide.net/port.php?port=8080

Yes, so that table shows you the number of hits in the first column, the port in question, then a link to a description of common services usually found on that port.

I try to break down the data in the most effective ways possible, listing commonly targeted ports is one of them.
 

Regarding that feature, I have several different IoT devices and I’d like to allow just 1 of them to connect out on port 21, is that possible to do? I don’t want any of the other blocked IoT devices to be allowed.
 

Not in its current form, this would require essentially rewriting the entire feature. Your best bet would be to change the FTP port to something random before allowing it to minimize impact on other devices.
 


I’m not sure I understand what you mean. What were you suggesting?

This particular IoT home appliance (a smart meter for analysing energy usage) cannot be configured by the user at all. The manufacturer's manual says it requires port 21 to auto check/download firmware updates, and there are a couple of other ports it uses to upload data to their servers for cloud storage and graphing.

For every other IoT device on my network (NAS, cameras, printer) I block all net access, including on port 21. To date I've done that by setting a bunch of blacklist firewall rules for port ranges 1:65535 TCP and 1:65535 UDP per device, and for the smart meter I blocked all except port 21. It seems to work and no complaints; I was just curious if there's a better way of doing it with Skynet. If not, no worries!
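As an added example (not Skynet's own code, and not the Asus firmware's real rule handling), the following Python model walks a single FORWARD-style chain top-down with first-match-wins semantics. It covers both the Skynet-IOT rule quoted earlier in the thread and the per-device "allow port 21, block 1:65535 TCP and UDP" policy described above, so the two interactions can be checked side by side; the device addresses and ipset contents are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Optional, Tuple

# A forwarded packet: ingress interface, egress interface, source IP, protocol, dest port.
Packet = namedtuple("Packet", "in_if out_if src proto dport")

@dataclass
class Rule:
    target: str                               # -j DROP / -j ACCEPT
    in_if: Optional[str] = None               # -i br0
    not_out_if: Optional[str] = None          # ! -o tun+  ('+' is a trailing wildcard)
    src_set: Optional[FrozenSet[str]] = None  # -m set --match-set NAME src (members inline)
    proto: Optional[str] = None               # -p tcp | -p udp
    dports: Optional[Tuple[int, int]] = None  # --dport low:high

def matches(rule: Rule, pkt: Packet) -> bool:
    # Every match given on the rule must hold; an unset field matches anything.
    if rule.in_if and pkt.in_if != rule.in_if:
        return False
    if rule.not_out_if and fnmatchcase(pkt.out_if, rule.not_out_if.replace("+", "*")):
        return False  # negated egress match: traffic leaving via the VPN is exempt
    if rule.src_set is not None and pkt.src not in rule.src_set:
        return False
    if rule.proto and pkt.proto != rule.proto:
        return False
    if rule.dports and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return True

def forward_verdict(chain, pkt: Packet, policy: str = "ACCEPT") -> str:
    # iptables walks the chain top-down; the first matching rule's target wins.
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# Constructed addresses standing in for the thread's camera and smart meter.
CAMERA, METER = "192.168.1.20", "192.168.1.50"
CHAIN = [
    # Skynet's rule: iptables -I FORWARD -i br0 -m set --match-set Skynet-IOT src ! -o tun+ -j DROP
    Rule("DROP", in_if="br0", src_set=frozenset({CAMERA}), not_out_if="tun+"),
    # The smart-meter policy from the thread: allow TCP/21 first, then block all other ports.
    Rule("ACCEPT", src_set=frozenset({METER}), proto="tcp", dports=(21, 21)),
    Rule("DROP", src_set=frozenset({METER}), proto="tcp", dports=(1, 65535)),
    Rule("DROP", src_set=frozenset({METER}), proto="udp", dports=(1, 65535)),
]
```

Call `forward_verdict(CHAIN, Packet("br0", "eth0", METER, "tcp", 443))` and vary the port, protocol or egress interface to see which rule decides each case; note that the ACCEPT for port 21 only works because it sits above the two catch-all DROPs.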
 

Ah okay, I assumed by it using port 21 it was some sort of configurable FTP server. In that case you will have to stick to your current solution for that particular device.
 

Ok, I’ll use your feature to outright block most of my devices (printer, NAS, camera) and the usual Asus firewall blacklist to block all but the desired ports for my smart meter.
 
Possibly a very stupid question, but I've been running Diversion forever and only just switched on Skynet.

Super awesome btw, but the only issue I've encountered so far is my Google Home controlling Spotify; it seems to no longer function when Skynet's on.

Having trouble trying to troubleshoot what it's blocking. How can I best track this down to stop whatever is being blocked? I'm looking at the watch log, but the addresses that come up as blocked when I attempt 'hey google, play music on spotify' seem to be completely unrelated to Google or Spotify.
 

This guide by Adam should solve it:
https://github.com/Adamm00/IPSet_ASUS/wiki#applicationexe-or-websitecom-is-blocked
 
Working again. My bad, looks like "spclient.wg.spotify.com" was in one of my Diversion block lists, which apparently breaks some Spotify functionality like Google Home.

In debugging it, I tried disabling Diversion and Skynet individually, and Google Home control of Spotify would only fail when Skynet was running. So I was only looking at the Skynet debug log, which had no entries... When that got me nowhere, I looked at Diversion and saw the spclient.wg.spotify.com block, and then added it to the whitelist...

I guess Skynet takes over some of the blocking for Diversion white/black lists or something; it mentions it in Diversion when compiling the block lists? Not fully across it. Not sure why it was only failing when Skynet was running if it wasn't actually doing any blocking, unless I was somehow mistaken when debugging.
 
I've pushed v6.7.5

  • Display country code in stats output

Great to have but you were right it takes a long time, is it possible to toggle it on/off?
 

I've pushed v6.7.6

  • Toggle for country lookups on stat data ( sh /jffs/scripts/firewall settings lookupcountry enable|disable )

  • Show IOT blocks in "debug watch"

  • Show if associated domains are also blocked in Diversion when using "stats search ip" and "stats search malware"

 

@Adamm - Option 11 appears twice.

 