Skynet - Router Firewall & Security Enhancements

Code:
#
################################################################################
+ export LC_ALL=C
+ mkdir -p /tmp/skynet/lists
+ mkdir -p /jffs/addons/shared-whitelists
+ ntptimer=0
+ nvram get ntp_ready
+ [ 1 = 0 ]
+ [ 0 -ge 300 ]
+ grep -ow skynetloc=.* # Skynet /jffs/scripts/firewall-start
+ cut -c 11-
+ grep -vE ^#
+ awk {print $1}
+ skynetloc=/tmp/mnt/ext3usb/skynet
+ skynetcfg=/tmp/mnt/ext3usb/skynet/skynet.cfg
+ skynetlog=/tmp/mnt/ext3usb/skynet/skynet.log
+ skynetevents=/tmp/mnt/ext3usb/skynet/events.log
+ skynetipset=/tmp/mnt/ext3usb/skynet/skynet.ipset
+ date +%s
+ stime=1583847236
+ [ -z /tmp/mnt/ext3usb/skynet ]
+ [ ! -d /tmp/mnt/ext3usb/skynet ]
+ nvram get wan0_proto
+ [ dhcp = pppoe ]
+ nvram get wan0_ifname
+ iface=eth0
+ [ -z  ]
+ Load_Menu
+ . /tmp/mnt/ext3usb/skynet/skynet.cfg
+ model=RT-AC87U
+ localver=v7.1.2
+ autoupdate=enabled
+ banmalwareupdate=daily
+ forcebanmalwareupdate=
+ logmode=
+ filtertraffic=
+ swaplocation=
+ blacklist1count=146922
+ blacklist2count=1860
+ customlisturl=
+ customlist2url=
+ countrylist=
+ excludelists=
+ unbanprivateip=
+ loginvalid=
+ banaiprotect=
+ securemode=
+ extendedstats=
+ fastswitch=
+ syslogloc=
+ syslog1loc=
+ iotblocked=
+ iotports=
+ iotproto=
+ lookupcountry=
+ cdnwhitelist=
+ displaywebui=
+ Display_Header 9
+ printf \n\n==================================================================n


================================================================================


+ echo Router Model; RT-AC87U
Router Model; RT-AC87U
+ Filter_Date
+ grep -m1 -oE [0-9]{1,2}([/][0-9]{1,2})([/][0-9]{1,4})
+ md5sum /jffs/scripts/firewall
+ awk {print $1}
+ echo Skynet Version; v7.1.2 (05/03/2020) (58c65218ebfe560675ba0727e9381f48)
Skynet Version; v7.1.2 (05/03/2020) (58c65218ebfe560675ba0727e9381f48)
+ iptables --version
+ nvram get lan_ipaddr
+ echo iptables v1.4.15 - (eth0 @ 10.27.43.1)
iptables v1.4.15 - (eth0 @ 10.27.43.1)
+ ipset -v
ipset v6.32, protocol version: 6
+ nvram get wan0_ipaddr
+ nvram get ipv6_service
+ [ disabled != disabled ]
+ echo IP Address; (82.11.74.117)
IP Address; (82.11.74.117)
+ nvram get buildno
+ nvram get extendno
+ uname -v
+ awk {printf "%s %s %s\n", $5, $6, $9}
+ uname -r
+ echo FW Version; 384.13_2 (Dec 13 2019) (2.6.36.4brcmarm)
FW Version; 384.13_2 (Dec 13 2019) (2.6.36.4brcmarm)
+ df -h /tmp/mnt/ext3usb/skynet
+ + awkxargs {printf "%s / %s\n", $11, $9}

+ echo Install Dir; /tmp/mnt/ext3usb/skynet (12.4G / 14.3G Space Available)
Install Dir; /tmp/mnt/ext3usb/skynet (12.4G / 14.3G Space Available)
+ [ -n  ]
+ [ -n  ]
+ [ -f /tmp/skynet.lock ]
+ sed -n 2p /tmp/skynet.lock
+ [ -d /proc/9356 ]
+ echo

+ Check_Connection
+ grep -E start.* # Skynet /jffs/scripts/firewall-start
+ grep -qvE ^#
+ [ -w /tmp/mnt/ext3usb/skynet ]
+ Check_Swap
+ grep -qF file /proc/swaps
+ cru l
+ grep -c Skynet
+ [ 3 -lt 2 ]
+ Check_IPSets
+ ipset -L -n Skynet-Whitelist
+ ipset -L -n Skynet-Blacklist
+ ipset -L -n Skynet-BlockedRanges
+ ipset -L -n Skynet-Master
+ ipset -L -n Skynet-IOT
+ [ -n  ]
+ Check_IPTables
+ [  = all ]
+ [  = inbound ]
+ [  = all ]
+ [  = outbound ]
+ nvram get sshd_enable
+ [ 2 = 1 ]
+ [  = enabled ]
+ [  = enabled ]
+ [ -n  ]
+ [  = enabled ]
+ [  != 1 ]
+ Print_Log minimal
+ oldips=146922
+ oldranges=1860
+ grep -Foc add Skynet-Black /tmp/mnt/ext3usb/skynet/skynet.ipset
+ blacklist1count=126415
+ grep -Foc add Skynet-Block /tmp/mnt/ext3usb/skynet/skynet.ipset
+ blacklist2count=1726
+ unset fail
+ Check_IPTables
+ [  = all ]
+ [  = inbound ]
+ [  = all ]
+ [  = outbound ]
+ nvram get sshd_enable
+ [ 2 = 1 ]
+ [  = enabled ]
+ [  = enabled ]
+ [ -n  ]
+ [  != outbound ]
+ iptables -xnvL PREROUTING -t raw
+ awk {print $1}
+ grep -F Skynet-Master src
+ grep -Fv LOG
+ hits1=
+ [  != inbound ]
+ iptables -xnvL PREROUTING -t raw
+ grep -F Skynet-Master dst
+ awk {print $1}
+ grep -Fv LOG
+ iptables -xnvL OUTPUT -t raw
+ grep -F Skynet-Master dst
+ awk {print $1}
+ grep -Fv LOG
/jffs/scripts/firewall: line 40: arithmetic syntax error
I would speculate that your skynet.cfg file is bad. Many settings are blank, when they should not be. If you can’t uninstall, remove the Skynet line from firewall-start and reinstall. Or wait for Adamm to review it.
 
Guys, I've been closely monitoring this skynet issue that I have. Once the skynet attempts to start/restart this is what I get:

[*] Lock File Detected (start skynetloc=/tmp/mnt/Sandisk/skynet) (pid=5415)
[*] Locked Processes Generally Take 1-2 Minutes To Complete And May Result In Temporarily "Failed" Tests
IPTables Rules | [Failed]

So once this happens there is no internet access on the LAN interface and WiFi; say if I do a ping to facebook.com this is what I get:

Pinging facebook.com [10.0.0.1] with 32 bytes of data:
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent= 1, Received= 0, Lost= 1 (100% loss),
Control-C

On top of that, sometimes the file does not get "unlocked" so to say, and the only fix I found so far is to ssh in to the router and do "firewall restart" manually and all the access is restored immediately. What do you guys think could be wrong? I didn't touch any settings of the scripts installed.
 
There have been several posts that have referred to the problems with the ipapi.co website that skynet uses to determine country information for blocked IPs. My startup times spiked and came back to normal after I disabled country lookup and the webui. Not ideal, but it works for me.
Code:
Mar  7 07:13:04 Skynet: [#] 151847 IPs (+0) -- 1956 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [56s]
Mar  7 07:15:16 Skynet: [#] 151847 IPs (+0) -- 1956 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [57s]
Mar  9 19:13:29 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [275s]
Mar  9 19:21:49 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [282s]
Mar  9 19:24:59 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [43s]
Mar  9 19:29:22 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [64s]
Mar  9 20:07:48 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [37s]
 
Hi,

What does "Ban AiProtect" mean, and what does it do?

I'm currently running with Skynet and AiProtect enabled.

Thanks,
Anton
 
Any detections in AiProtect are automatically and permanently banned in Skynet.
 
Skynet lurker/newbie here ... have been running it for a couple of weeks now on my RT-AC86U running Merlin 384.15_0.
At the same time I took the plunge and installed Diversion/Entware/UIDivStats, Scribe/UIScribe, Unbound, ConMon, nsrum etc, so lots of simultaneous installing/configuring/updating going on. I had already been running FreshJR_QoS, scMerlin for ages.

Looking for some help/clues as to how to get my Skynet install back on track, I seem to have buggered something up somewhere along the way with all the updates to the AMTM scripts ... or maybe it is just coincidence?

Initially all seemed good, but now I don't seem to be getting much in the way of Stats from Skynet, either at the command line or in the GUI.
In the UIScribe skynet-0 logs all appears to be Ok, I can see plenty of Inbound and Outbound rejections happening, but the Skynet GUI and the Skynet "Stats" don't appear to reflect this.

I did notice that when I initially did a Debug/Print Debug Info that everything looked fine (17/17), but that Syslog Location was set to "Custom" so I set both logs to "Default".
Not sure if that was smart or not but in any case it seemed to make no difference ... is it meant to be on "Default" for a normal install, even with Scribe/UIScribe running?

I also notice now that although I can see the Inbound and Outbound Blocks happening in the UIScribe version of the skynet-0 system log, if I go into Skynet at the command line and do a Debug Options / Show Log Entries As They Appear that nothing ever appears here now, whereas it definitely did when I first installed it.

I've tried uninstalling/reinstalling Skynet, but to no avail.
Is there something I need to "reset" to make it come good?

Any insight as to how I can approach fixing this appreciated!
Happy to supply any diagnostics you may deem relevant :)
Hopefully I will learn something along the way ...
 
No, Scribe sets the Skynet location to "Custom", and points it to /opt/var/log/skynet-0.log.
Skynet sends its own logs to /tmp/mnt/<yourUSB>/skynet, where the skynet log and the events log that keeps the hourly {SAVE} messages live.

You can try setting the Skynet logging back to "Custom", pointing to /opt/var/log/skynet-0.log; however, it might require a re-install of scribe to correct.
 
Hi Adam!

I'm pretty sure you've seen this message many times, but I'll repeat: after the last update, skynet takes very long to start or restart, which causes my network to go down for some time... I have a few lines (iptables rules) after the skynet start-up command in the firewall-start script. Do you think there is a way to fix the long start/restart of skynet?

Regards

Teymur

Skynet shouldn't "cause your network to go down", sounds like your issue is with your custom rules.

@Teymur
I too noticed the unusually long start/restarting time.
I think it depends on the size of the blocking list? Do you have installed unbound?

To rule out another suspect on my side:
I recently experimented around with unbound, I need to try to uninstall unbound and record the restarting time again.
Then I will try to factory reset my router and only install skynet and record the starting/restarting time, so I have a clean installation and time to hold on.
Same here; lock file takes longer but network functions while Skynet is getting ready.
Whilst I have noticed that the lockfile message lingers for a fair bit longer than previously, my network does NOT go down during that time.
(Just out of interest, I recently changed my blocking list from Standard to Medium, and, for all I know, that might be why my lockfile message takes longer to disappear, but to reiterate, it does NOT affect my network.)

I can't produce this on my end, my startup time is 50~ seconds on my AX88U, depending on how long your shared-*-Whitelist files are this may vary.

Edit: since the API limits to about 1000 queries a day, is it possible for Skynet to avoid making duplicate calls for the same IP? Or does it already do that?

Unless someone is producing stats every hour they will have a hard time reaching the API limit of 30,000 requests a month under normal usage.

Run the install command again, you are missing a whole bunch of entries in your skynet.cfg file
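A worked check to go with the Debug output at the top of this page and the lock-file reports further up. This is an added example, not Skynet's own code: the key list, the lock-file layout (line 2 holds the PID, which is what the trace's `sed -n 2p /tmp/skynet.lock` followed by `[ -d /proc/<pid> ]` implies) and the sample files are assumptions constructed for the example. It reads a skynet.cfg without sourcing it and lists the keys that come back blank, tells a live lock apart from a stale one whose holder has exited, and shows the `${var:-0}` default that stops `$(( ))` from aborting on empty operands, the class of failure BusyBox ash reports as "arithmetic syntax error" and consistent with the trace dying right after `hits1=` came back empty.

```sh
#!/bin/sh
# Added example (not part of Skynet): defensive versions of three checks
# that the Debug trace on this page performs. Paths, the key list and the
# sample files are assumptions made for this example.

# Keys the posted Debug output shows blank even though Skynet reads them
# (assumed list; a real skynet.cfg carries more keys than these).
REQUIRED_KEYS="model localver autoupdate banmalwareupdate logmode filtertraffic lookupcountry displaywebui"

# Read one key=value pair from a skynet.cfg-style file without sourcing it.
# Skynet itself does '. skynet.cfg' (visible in the trace); parsing instead
# means a damaged file cannot execute anything while it is being inspected.
cfg_get() {  # $1 = cfg file, $2 = key
    sed -n "s/^$2=//p" "$1" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Print the required keys whose value is empty or absent, space separated.
cfg_missing() {  # $1 = cfg file
    missing=""
    for k in $REQUIRED_KEYS; do
        [ -n "$(cfg_get "$1" "$k")" ] || missing="$missing $k"
    done
    printf '%s\n' "${missing# }"
}

# Classify a lock file. Layout assumed from the trace, which runs
# 'sed -n 2p /tmp/skynet.lock' and then tests '[ -d /proc/<pid> ]':
# line 2 holds the PID of the process that took the lock.
lock_status() {  # $1 = lock file, $2 = proc root (default /proc; test hook)
    lockf=$1
    procroot=${2:-/proc}
    [ -f "$lockf" ] || { echo "none"; return 0; }
    pid=$(sed -n 2p "$lockf")
    case $pid in
        ''|*[!0-9]*) echo "malformed"; return 0 ;;
    esac
    if [ -d "$procroot/$pid" ]; then
        echo "live $pid"
    else
        echo "stale $pid"    # holder is gone, so this lock will never clear itself
    fi
}

# The trace ends with 'arithmetic syntax error' right after hits1 comes back
# empty. $(( $a + $b )) with empty operands is the kind of expression that
# trips the shell; defaulting each operand to 0 avoids it.
unsafe_sum() { echo $(( $1 + $2 )); }              # aborts on empty operands
safe_sum()   { echo $(( ${1:-0} + ${2:-0} )); }    # empty counts as zero

# "ok" if unsafe_sum survived the inputs, "fail" if the shell rejected them.
unsafe_sum_outcome() {
    ( unsafe_sum "$1" "$2" ) >/dev/null 2>&1 && echo ok || echo fail
}

# Constructed sample files (not taken from a real router) in a temp dir.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/skynet.cfg" <<'EOF'
model="RT-AC87U"
localver="v7.1.2"
autoupdate="enabled"
banmalwareupdate="daily"
logmode=""
filtertraffic=
lookupcountry=
displaywebui=
EOF
    mkdir -p "$d/proc/4242"
    printf 'start\n4242\n' >"$d/live.lock"
    printf 'start\n99999\n' >"$d/stale.lock"
    echo "$d"
}

demo() {
    d=$(make_samples)
    echo "blank keys : $(cfg_missing "$d/skynet.cfg")"
    echo "live lock  : $(lock_status "$d/live.lock" "$d/proc")"
    echo "stale lock : $(lock_status "$d/stale.lock" "$d/proc")"
    echo "no lock    : $(lock_status "$d/none.lock" "$d/proc")"
    echo "unsafe sum : $(unsafe_sum_outcome '' '')"
    echo "safe sum   : $(safe_sum '' '')"
    rm -rf "$d"
}

demo
```

On the router itself, run the functions against the real paths, for example `cfg_missing /tmp/mnt/<yourUSB>/skynet/skynet.cfg` and `lock_status /tmp/skynet.lock`; a "stale" result is the situation described above where the lock never clears on its own, and a non-empty list from `cfg_missing` is the situation Adamm's reply addresses.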

This is most definitely caused by something other than Skynet, I'd start with your "custom" rules
 
Thanks @Butterfly Bones, your thoughts helped! I uninstalled Skynet and Scribe/UIScribe and started again, looking more promising now ...
 
I also want to believe that Skynet isn't the cause! But it all started happening after the last update. I never changed anything. My custom rules are below. vlan84 and vlan85 are guest networks, and not being used at the moment. The only thing I care about is the last lines to set fwmarks, that's all. And that's for my iptv traffic, which is 7 subnets to be going through the VPN. This file has always been like this and worked well, that's why I never touched it. But as I said before, the second line of the script takes a bit more time to execute, which wasn't the case before. I have now disabled the skynet webui and country lookups. Still monitoring.

Code:
#!/bin/sh
# firewall-start runs on every firewall restart, so each custom rule is deleted
# first and then re-inserted; that keeps the chains free of duplicate copies.
logger -t firewall-start "**********FIREWALL-START SCRIPT IS BEING EXECUTED**********"
sh /jffs/scripts/firewall start skynetloc=/tmp/mnt/Sandisk/skynet # Skynet Firewall Addition
####################################

########vlan85 Firewall Rules########
logger -t vlan85 "Injecting vlan85 security policies"
# Delete any earlier copies; the -D calls fail harmlessly when no copy exists yet.
iptables -D FORWARD -i vlan85 -m state --state NEW -j ACCEPT 2>/dev/null
iptables -D FORWARD -i vlan85 -o br0 -m state --state NEW -j DROP 2>/dev/null
iptables -D FORWARD -i br0 -o vlan85 -m state --state NEW -j DROP 2>/dev/null
iptables -D INPUT -i vlan85 -p udp -m multiport --dports 67,123 -j ACCEPT 2>/dev/null
# -I inserts at the top of the chain, so the last rule inserted is evaluated
# first: the two DROPs (guest <-> br0) end up above the general ACCEPT.
iptables -I FORWARD -i vlan85 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan85 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan85 -m state --state NEW -j DROP
# Guests may still reach the router for DHCP (67) and NTP (123).
iptables -I INPUT -i vlan85 -p udp -m multiport --dports 67,123 -j ACCEPT
iptables -S | grep vlan85 | logger -t vlan85
########vlan85 Firewall Rules End########

########vlan84 Firewall Rules########
logger -t vlan84 "Injecting vlan84 security policies"
iptables -D FORWARD -i vlan84 -m state --state NEW -j ACCEPT 2>/dev/null
iptables -D FORWARD -i vlan84 -o br0 -m state --state NEW -j DROP 2>/dev/null
#iptables -D FORWARD -i br0 -o vlan84 -m state --state NEW -j DROP
iptables -D INPUT -i vlan84 -p udp -m multiport --dports 67,123 -j ACCEPT 2>/dev/null
iptables -I FORWARD -i vlan84 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan84 -o br0 -m state --state NEW -j DROP
#iptables -I FORWARD -i br0 -o vlan84 -m state --state NEW -j DROP
iptables -I INPUT -i vlan84 -p udp -m multiport --dports 67,123 -j ACCEPT
iptables -S | grep vlan84 | logger -t vlan84
########vlan84 Firewall Rules End########
#
# This is to set edemtv fwmarks on firewall restart: LAN traffic to addresses in
# the edemtvips ipset is marked 0x1000 so policy routing can send it via the VPN.
iptables -t mangle -D PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000 2>/dev/null
iptables -t mangle -A PREROUTING -i br0 -m set --match-set edemtvips dst -j MARK --set-xmark 0x1000/0x1000
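Adamm's replies point at the custom rules as the first thing to examine, and the script above uses the delete-then-insert pattern: every firewall restart runs a `-D` per rule that fails whenever the rule is not there yet, and nothing confirms that an insert landed. The following is an added example, not the poster's script and not part of Skynet. It expresses the same guest-VLAN policy with two helpers that ask iptables whether the rule exists (`-C`, available in the iptables v1.4.15 shown in the Debug output) before inserting or deleting, so the block is safe to run any number of times. `IPT`, `fake_iptables` and the `FAKE_TABLE` file are assumptions that let the block run and be tested without a router; on the router, leave `IPT` unset so the real binary is used.

```sh
#!/bin/sh
# Added example, not the posted firewall-start and not Skynet code: make the
# custom rules that run after Skynet idempotent. IPT is an assumption that
# lets the demo and test run against a stand-in instead of the real binary.
IPT=${IPT:-iptables}

# Insert the rule only if an identical one is not already in the chain.
# Usage: ensure_rule <chain> <match options...> -j <target>
ensure_rule() {
    chain=$1; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0                       # already present, nothing to do
    fi
    "$IPT" -I "$chain" "$@"
}

# Delete every copy of the rule: -D removes one instance per call, so loop
# until -C stops matching (a script run twice may have left duplicates).
drop_rule() {
    chain=$1; shift
    while "$IPT" -C "$chain" "$@" 2>/dev/null; do
        "$IPT" -D "$chain" "$@"
    done
}

# The guest-VLAN policy from the posted script, expressed with ensure_rule.
# -I puts each rule at the top, so the last rule inserted is matched first:
# the two DROPs are listed after the broad ACCEPT so they end up above it.
guest_vlan_rules() {  # $1 = guest interface, e.g. vlan85
    gif=$1
    ensure_rule FORWARD -i "$gif" -m state --state NEW -j ACCEPT
    ensure_rule FORWARD -i "$gif" -o br0 -m state --state NEW -j DROP
    ensure_rule FORWARD -i br0 -o "$gif" -m state --state NEW -j DROP
    ensure_rule INPUT -i "$gif" -p udp -m multiport --dports 67,123 -j ACCEPT
}

# Number of rules mentioning $1 in the rule listing (-S), real or stand-in.
count_rules() {
    "$IPT" -S | awk -v p="$1" 'index($0, p) { n++ } END { print n + 0 }'
}

# Stand-in for iptables (constructed for offline use). It keeps one flat rule
# list in the file named by FAKE_TABLE and understands only -C, -I, -D, -S.
fake_iptables() {
    op=$1; shift
    if [ "$op" = -S ]; then cat "$FAKE_TABLE"; return 0; fi
    chain=$1; shift
    rule="$chain $*"
    case $op in
        -C) grep -Fxq -- "$rule" "$FAKE_TABLE" ;;
        -I) { echo "$rule"; cat "$FAKE_TABLE"; } >"$FAKE_TABLE.new" \
                && mv "$FAKE_TABLE.new" "$FAKE_TABLE" ;;
        -D) awk -v r="$rule" '!d && $0 == r { d = 1; next } { print }' \
                "$FAKE_TABLE" >"$FAKE_TABLE.new" \
                && mv "$FAKE_TABLE.new" "$FAKE_TABLE" ;;
        *)  echo "fake_iptables: unsupported op $op" >&2; return 2 ;;
    esac
}

demo() {
    FAKE_TABLE=$(mktemp)
    IPT=fake_iptables
    guest_vlan_rules vlan85
    guest_vlan_rules vlan85            # second run must not add duplicates
    echo "rules after two runs: $(count_rules vlan85)"
    "$IPT" -S
    drop_rule FORWARD -i vlan85 -m state --state NEW -j ACCEPT
    echo "rules after drop_rule: $(count_rules vlan85)"
    rm -f "$FAKE_TABLE" "$FAKE_TABLE.new"
}

demo
```

In a real firewall-start, drop `demo` and the stand-in, and call `guest_vlan_rules vlan85` after the Skynet line; the `iptables -S | grep vlan85 | logger` line from the original script still serves to record what landed.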

Today and whenever I have the internet connection drop caused by the ISP or the "firewall" issue that I have every now and then, I always get this weird thing that even if I try to ping a device on a local subnet (br0) it gives me this weird ip 10.0.0.1 unreachable.
First I thought it could be DNS Rebind or Forwarding local queries to upstream dns. But that option has always been off. Local queries should go to the router internal ip and they do but only when there is a working internet connection. Very strange problem that I never faced before. Do you have any suggestions?
 
Does syslog offer any clues?
 
I added ICMP support in the latest hotfix, I may refine this in the future with a toggle/selective icmp types but I am very busy moving apartments today/this week so my free time (and sleep! o_O) is limited.

As for the feature request, maybe in the future. I try to keep it as simplistic as possible to reduce the number of IPTables entries.
Thank you for taking time to look at this even though you are busy with more important stuff :)

I updated to the latest Skynet build (v7.1.2 (05/03/2020) (58c65218ebfe560675ba0727e9381f48) ), and now devices on YazFi subnets are being blocked from accessing the internet - but also other subnets.
I added a port exception for 1883, but still they can't access my local MQTT server instance (running on 10.0.0.10).
At the moment I only have one device on the IOT ban list (10.0.3.13).
The log output:
Code:
Mar 11 14:15:17 YazFi: wl0.2 (SSID: CKA_IOT) - sending all interface internet traffic over WAN interface
/jffs/scripts/firewall: line 5625: [: Argument list too long
Mar 11 14:16:32 kernel: [BLOCKED - IOT] IN=wl0.2 OUT=br0 SRC=10.0.3.13 DST=10.0.0.10 LEN=44 TOS=0x00 PREC=0x00 TTL=254 )
...Same output every few seconds, but nothing else.....

@azdeltawye suggested feature would of course be awesome - but for my setup not necessary as all my IOT devices only link with my server via MQTT
Instead I would suggest adding the possibility to whitelist connections to specific IPs, local or external, to let IOT devices connect to controllers while still limiting their phone-home possibility.
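Two log formats in this thread are worth reading mechanically: the `[start] [NNs]` summary Skynet writes at every start (quoted in the startup-time post above, where it climbed from 56s to 282s) and the `[BLOCKED - IOT]` kernel lines in the post just above. The following is an added example, not Skynet code. The sample log is constructed: the Skynet lines copy the shape of those posted, and the kernel lines follow the standard netfilter LOG field order with `PROTO=` and `DPT=` filled in, because the posted line is cut off after `TTL=254`; `203.0.113.7` is a documentation address. It flags starts slower than a threshold and tallies the IoT drops by source, destination, protocol, port and outgoing interface, so a port exception such as the one for 1883 can be checked against what is actually being dropped.

```sh
#!/bin/sh
# Added example, not Skynet code: a small syslog triage for two line types
# that appear in this thread, the "[start] [NNs]" summary Skynet writes on
# every start and the "[BLOCKED - IOT]" kernel lines from IoT blocking.

# Constructed sample (not a real router's log). The Skynet lines copy the
# shape of those posted in the thread; the kernel lines use the standard
# netfilter LOG field layout, including PROTO and DPT, which the posted
# line was cut off before. 203.0.113.7 is a documentation address.
SAMPLE_LOG='Mar  7 07:13:04 Skynet: [#] 151847 IPs (+0) -- 1956 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [56s]
Mar  9 19:13:29 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [275s]
Mar  9 19:21:49 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [282s]
Mar  9 19:24:59 Skynet: [#] 147462 IPs (+0) -- 1822 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [43s]
Mar 11 14:16:32 kernel: [BLOCKED - IOT] IN=wl0.2 OUT=br0 SRC=10.0.3.13 DST=10.0.0.10 LEN=44 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=51234 DPT=1883 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 14:16:35 kernel: [BLOCKED - IOT] IN=wl0.2 OUT=br0 SRC=10.0.3.13 DST=10.0.0.10 LEN=44 TOS=0x00 PREC=0x00 TTL=254 ID=0 DF PROTO=TCP SPT=51235 DPT=1883 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 14:16:40 kernel: [BLOCKED - IOT] IN=wl0.2 OUT=eth0 SRC=10.0.3.13 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 14:16:41 kernel: [BLOCKED - IOT] IN=wl0.2 OUT=br0 SRC=10.0.3.13 DST=10.0.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=53 LEN=56'

# List Skynet starts that took at least $2 seconds: "<secs> <date> <time>".
slow_starts() {  # $1 = log text, $2 = threshold in seconds
    printf '%s\n' "$1" | awk -v min="$2" '
        /Skynet: / && /\[start\] \[[0-9]+s\]$/ {
            secs = $NF
            gsub(/[^0-9]/, "", secs)
            if (secs + 0 >= min + 0) print secs, $1, $2, $3
        }'
}

# Count [BLOCKED - IOT] drops per (src, dst, proto, dport, out interface),
# busiest first. Parsing key=value tokens rather than fixed columns keeps it
# working whether or not optional flags such as DF or SYN are present.
iot_block_summary() {  # $1 = log text
    printf '%s\n' "$1" | awk '
        /\[BLOCKED - IOT\]/ {
            split("", f)
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            key = f["SRC"] " " f["DST"] " " f["PROTO"] " " f["DPT"] " " f["OUT"]
            n[key]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Only the drops that never left the LAN (OUT=br0): these are the ones the
# poster expected the port 1883 exception to stop.
iot_lan_blocks() {  # $1 = log text
    iot_block_summary "$1" | awk '$NF == "br0"'
}

echo "== Skynet starts of 120s or more =="
slow_starts "$SAMPLE_LOG" 120
echo "== IoT drops (count src dst proto dport out) =="
iot_block_summary "$SAMPLE_LOG"
echo "== of which LAN-bound =="
iot_lan_blocks "$SAMPLE_LOG"
```

On the router, feed the functions the real log instead of the sample, for instance `iot_block_summary "$(grep 'BLOCKED - IOT' <syslog file>)"`; with Scribe installed, the Skynet lines live in /opt/var/log/skynet-0.log as noted earlier in the thread.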
 
Okay I see the issue, trying to support YazFi has really complicated the logic required for this to work how it should. Need some time to think over the whole issue for a correct fix for every situation.
 
Does syslog offer any clues?

That’s the thing. Syslog reports nothing! Once the connection is restored local domain queries start working too. I don’t understand how these things can be tied one to another.


 
Just a quirk I noticed with Skynet today.

Previously country lookup wasn't resolving for most entries and was slowing down running a stats report in AMTM so I disabled country lookup.

Just now I opened the Skynet tab and for some of the entries the country was resolved and I could also run the nice PIE chart showing blocks by country. Went into Skynet and verified country lookup was still disabled.

Router is an AC86 has been power cycled at least twice since disabling country lookup so any hold over settings should have been flushed.
 
Country lookup setting is for SSH based stats, it doesn't have any effect on the WebUI ones. I may revise this in future.
 
Guys I think I've found what's causing it:

so everything happens after these 3 lines in the log:

Code:
Mar 11 21:40:40    10.10.10.1        kern    debug    nat    apply redirect rules
Mar 11 21:40:46    10.10.10.1        kern    debug    WAN_Connection    ISP's DHCP did not function properly.
Mar 11 21:40:46    10.10.10.1        kern    debug    DualWAN    skip single wan wan_led_control - WANRED off

Internet connection goes down, dns resolves everything (local domain and external) to 10.0.0.1

Any clue what could be causing this? The interesting thing is that if I do service restart_firewall it restores the internet connection and dns works normal again. I've deleted Skynet and diversion for now, but kept the entware. Could this be any residue you think? Last thing I want is a factory reset and configuring all from scratch. Any input appreciated. Thanks
 
No such thing as Skynet residue. I will assure you again this issue isn't Skynet related.
 
