Skynet WAN ip outbound blocked


Your cat's eye has been keeping track of me again!

MEOW
 
Sounds like Skynet 7.4.2 will be available here pretty soon! :)
hey so,


if you see these lines

Code:
        Whitelist_VPN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!

I wonder if there is a legitimate reason to delete all the Whitelist_VPN entries when skynet first starts.

Notice that the above one-liner will delete all the VPN entries from this function.

Code:
Whitelist_VPN() {
    echo "add Skynet-Whitelist $(nvram get vpn_server1_sn)/24 comment \"nvram: vpn_server1_sn\"
    add Skynet-Whitelist $(nvram get vpn_server2_sn)/24 comment \"nvram: vpn_server2_sn\"
    add Skynet-Whitelist $(nvram get vpn_server_sn)/24 comment \"nvram: vpn_server_sn\"
    add Skynet-Whitelist $(nvram get vpn_client1_addr)/24 comment \"nvram: vpn_client1_addr\"
    add Skynet-Whitelist $(nvram get vpn_client2_addr)/24 comment \"nvram: vpn_client2_addr\"
    add Skynet-Whitelist $(nvram get vpn_client3_addr)/24 comment \"nvram: vpn_client3_addr\"
    add Skynet-Whitelist $(nvram get vpn_client4_addr)/24 comment \"nvram: vpn_client4_addr\"
    add Skynet-Whitelist $(nvram get vpn_client5_addr)/24 comment \"nvram: vpn_client5_addr\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Skynet-Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")/24" comment "nvram: Astrill_VPN"; fi
}

@Adamm Should that one-liner be before Whitelist_VPN instead of Whitelist_Shared?

What I mean is, should it be

Code:
        Whitelist_Extra
        Whitelist_CDN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
        Whitelist_VPN
        Whitelist_Shared

instead of

Code:
        Whitelist_Extra
        Whitelist_CDN
        Whitelist_VPN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
        Whitelist_Shared
 
Thus explaining why the users' Skynet blocked the IP address for asn.ipinfo.app in their geographical region.
It’s a theory. It doesn’t explain anything, at the moment.
Should that one-liner be before Whitelist_VPN instead of Whitelist_Shared?
It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
“Let's work the problem, people. Let's not make things worse by guessing.”
― Gene Kranz
 
It’s a theory. It doesn’t explain anything, at the moment.

It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
I didn't have to guess at this. I manually blocked an IP to one of the CDN whitelist servers myself and tested it. You can test it yourself too if you like. See that your CDN whitelist entries are removed every time the whitelist entries get "refreshed". Here is what I did: I pinged an address in the whitelist entries that I had also added to the blocklists. For a moment, during the whitelisting process, the address was no longer pingable until the whitelist update process finished.


Code:
Whitelist_Extra() {
    echo "ipdeny.com
    ipapi.co
    api.db-ip.com
    api.bgpview.io
    asn.ipinfo.app
    speedguide.net
    otx.alienvault.com
    github.com
    raw.githubusercontent.com
    iplists.firehol.org
    astrill.com
    strongpath.net
    snbforums.com
    bin.entware.net
    nwsrv-ns1.asus.com
    $(nvram get "firmware_server")
    $(nvram get "ntp_server0")
    $(nvram get "ntp_server1")" | tr -d "\t" > /jffs/addons/shared-whitelists/shared-Skynet2-whitelist
}

Whitelist_CDN() {
    sed '\~add Skynet-Whitelist ~!d;\~CDN-Whitelist~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
    if [ "$cdnwhitelist" = "enabled" ]; then
        {
            # Apple AS714 | Akamai AS12222 AS16625 | HighWinds AS33438 AS20446 | Fastly AS54113 | GitHub AS36459
            printf "AS714\nAS12222\nAS16625\nAS33438\nAS20446\nAS54113\nAS36459" | xargs -I {} sh -c 'curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://asn.ipinfo.app/api/text/list/{} | awk -v asn={} '\''/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: %s\"\n", $1, asn }'\'''
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://www.cloudflare.com/ips-v4 | awk '/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: CloudFlare\"\n", $1 }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://ip-ranges.amazonaws.com/ip-ranges.json | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Amazon\"\n", RT }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://api.github.com/meta | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Github\"\n", RT }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://endpoints.office.com/endpoints/worldwide?clientrequestid="$(awk '{printf "%s", $1}' /proc/sys/kernel/random/uuid)" | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Microsoft365\"\n", RT }'
        } | awk '!x[$0]++' | ipset restore -!
    fi
}

Whitelist_VPN() {
    echo "add Skynet-Whitelist $(nvram get vpn_server1_sn)/24 comment \"nvram: vpn_server1_sn\"
    add Skynet-Whitelist $(nvram get vpn_server2_sn)/24 comment \"nvram: vpn_server2_sn\"
    add Skynet-Whitelist $(nvram get vpn_server_sn)/24 comment \"nvram: vpn_server_sn\"
    add Skynet-Whitelist $(nvram get vpn_client1_addr)/24 comment \"nvram: vpn_client1_addr\"
    add Skynet-Whitelist $(nvram get vpn_client2_addr)/24 comment \"nvram: vpn_client2_addr\"
    add Skynet-Whitelist $(nvram get vpn_client3_addr)/24 comment \"nvram: vpn_client3_addr\"
    add Skynet-Whitelist $(nvram get vpn_client4_addr)/24 comment \"nvram: vpn_client4_addr\"
    add Skynet-Whitelist $(nvram get vpn_client5_addr)/24 comment \"nvram: vpn_client5_addr\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Skynet-Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")/24" comment "nvram: Astrill_VPN"; fi
}

Whitelist_Shared() {
    echo "add Skynet-Whitelist $(nvram get wan0_ipaddr) comment \"nvram: wan0_ipaddr\"
    add Skynet-Whitelist $(LAN_CIDR_Lookup "$(nvram get "lan_ipaddr")") comment \"nvram: lan_ipaddr\"
    add Skynet-Whitelist $(nvram get wan_dns1_x) comment \"nvram: wan_dns1_x\"
    add Skynet-Whitelist $(nvram get wan_dns2_x) comment \"nvram: wan_dns2_x\"
    add Skynet-Whitelist $(nvram get wan0_dns1_x) comment \"nvram: wan0_dns1_x\"
    add Skynet-Whitelist $(nvram get wan0_dns2_x) comment \"nvram: wan0_dns2_x\"
    add Skynet-Whitelist $(nvram get wan_dns | awk '{print $1}') comment \"nvram: wan_dns\"
    add Skynet-Whitelist $(nvram get wan_dns | awk '{print $2}') comment \"nvram: wan_dns\"
    add Skynet-Whitelist $(nvram get wan0_dns | awk '{print $1}') comment \"nvram: wan0_dns\"
    add Skynet-Whitelist $(nvram get wan0_dns | awk '{print $2}') comment \"nvram: wan0_dns\"
    add Skynet-Whitelist $(nvram get wan0_xdns | awk '{print $1}') comment \"nvram: wan0_xdns\"
    add Skynet-Whitelist $(nvram get wan0_xdns | awk '{print $2}') comment \"nvram: wan0_xdns\"
    add Skynet-Whitelist 192.30.252.0/22 comment \"nvram: Github Content Server\"
    add Skynet-Whitelist 127.0.0.0/8 comment \"nvram: Localhost\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    ipset flush Skynet-WhitelistDomains
    sed -i '\~# Skynet~d' /jffs/configs/dnsmasq.conf.add
    grep -hvF "#" /jffs/addons/shared-whitelists/shared-*-whitelist | Strip_Domain | xargs -n 20 | sed 's~^~ipset=/~g;s~ ~/~g;s~$~/Skynet-WhitelistDomains # Skynet~g' >> /jffs/configs/dnsmasq.conf.add
    chmod +x /jffs/configs/dnsmasq.conf.add
    service restart_dnsmasq >/dev/null 2>&1
    if [ "$(uname -o)" = "ASUSWRT-Merlin" ]; then dotvar="dnspriv_rulelist"; else dotvar="stubby_dns"; fi
    for ip in $(nvram get "$dotvar" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'); do
        echo "add Skynet-Whitelist $ip comment \"nvram: $dotvar\""
    done | ipset restore -!
    if [ -f "/jffs/dnscrypt/public-resolvers.md" ] && [ -f "/jffs/dnscrypt/relays.md" ]; then
        grep -hoE '^sdns:.*' /jffs/dnscrypt/public-resolvers.md /jffs/dnscrypt/relays.md | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g" | while read -r stamp; do
            echo "${stamp}$(echo '====' | cut -c-$(($(printf '%s' "${stamp}" | wc -m) % 4)))" | openssl enc -base64 -d -A
        done | strings | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk '{printf "add Skynet-Whitelist %s comment \"nvram: DNSCrypt Stamp\"\n", $1 }' | ipset restore -!
    fi
    if [ -f "/opt/var/lib/unbound/root.hints" ]; then
        grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /opt/var/lib/unbound/root.hints | while read -r roothint; do
            echo "add Skynet-Whitelist $roothint comment \"nvram: Root DNS Server\""
        done | ipset restore -!
    fi
    Strip_Domain < /jffs/addons/shared-whitelists/shared-Skynet2-whitelist | while IFS= read -r domain; do
        nslookup "$domain" 127.0.0.1 >/dev/null 2>&1
    done &
}

Even though asn.ipinfo.app is present in Whitelist_Extra, that domain is not populated into the whitelist until long after the CDN whitelist entries have run. Hence part of the CDN whitelisting failed on Skynet startup and didn't fail on a second run.

Look below for the logic:

Code:
Whitelist_Extra  ## the place where asn.ipinfo.app is added to list of skynet domains shared list.
Whitelist_CDN ## CDN whitelisting is expected to access asn.ipinfo.app to whitelist entries.
sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
Whitelist_VPN
Whitelist_Shared ## the place where asn.ipinfo.app was finally added to the whitelist ipset.
 
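The ordering question raised in the first post (Whitelist_VPN before or after the delete one-liner) and restated in the logic summary above can be checked without a router. The script below is an added example, not Skynet's own code: it copies the posted sed one-liner verbatim and runs it against a constructed "ipset save" snapshot, with a few-line text stand-in for `ipset restore -!` and for Whitelist_VPN (10.8.0.0/24 stands in for `nvram get vpn_server1_sn`; the set contents, addresses and comments are all made up for the example). It then counts the live VPN entry after each ordering.

```sh
#!/bin/sh
# Added example, not Skynet's own code: replays Skynet's whitelist-refresh
# one-liner (copied from the snippet above) against a constructed "ipset save"
# snapshot, with a tiny text stand-in for `ipset restore -!`, so the two
# orderings of Whitelist_VPN and the delete line can be compared off-router.

# Constructed snapshot of what $skynetipset holds after a previous "ipset save".
# Addresses are private/documentation ranges chosen for the example.
SAVED='create Skynet-Whitelist hash:net family inet hashsize 1024 maxelem 65536 comment
add Skynet-Whitelist 10.8.0.0/24 comment "nvram: vpn_server1_sn"
add Skynet-Whitelist 192.168.50.0/24 comment "nvram: lan_ipaddr"
add Skynet-Whitelist 17.0.0.0/8 comment "CDN-Whitelist: AS714"
add Skynet-Whitelist 203.0.113.7 comment "ManualWhitelist: example.test"
add Skynet-Blacklist 198.51.100.9 comment "BanSingle: example"'
skynetipset=$(mktemp)
printf '%s\n' "$SAVED" > "$skynetipset"
trap 'rm -f "$skynetipset"' EXIT

# The one-liner exactly as posted: keep only whitelist adds whose comment
# starts with "nvram: ", strip the comment, then rewrite "add" as "del".
refresh_dels() {
    sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset"
}

# Stand-in for Whitelist_VPN with a constructed vpn_server1_sn value; the
# "nvram: " comment is what makes the entry match the one-liner's filter.
whitelist_vpn() {
    printf 'add Skynet-Whitelist %s/24 comment "nvram: vpn_server1_sn"\n' 10.8.0.0
}

# Stand-in for `ipset restore -!`: $1 is the current live set as "set entry"
# lines, stdin is a stream of add/del lines; prints the resulting live set.
restore() {
    cur=$1
    while read -r op setname entry rest; do
        case $op in
            add)
                if [ -z "$cur" ]; then
                    cur="$setname $entry"
                elif ! printf '%s\n' "$cur" | grep -qxF "$setname $entry"; then
                    cur=$(printf '%s\n%s' "$cur" "$setname $entry")
                fi ;;
            del)
                cur=$(printf '%s\n' "$cur" | grep -vxF "$setname $entry" || true) ;;
        esac
    done
    printf '%s\n' "$cur"
}

# Live sets right after Skynet restores the saved snapshot at startup.
startup_sets() {
    grep '^add ' "$skynetipset" | restore ''
}

# Ordering in the posted script: Whitelist_VPN, then the delete one-liner.
order_posted() {
    s=$(startup_sets)
    s=$(whitelist_vpn | restore "$s")
    s=$(refresh_dels | restore "$s")
    printf '%s\n' "$s"
}

# Ordering proposed in the thread: delete one-liner first, then Whitelist_VPN.
order_swapped() {
    s=$(startup_sets)
    s=$(refresh_dels | restore "$s")
    s=$(whitelist_vpn | restore "$s")
    printf '%s\n' "$s"
}

# Number of live entries for a given CIDR after the chosen ordering.
count_entry() {  # $1 = posted|swapped, $2 = CIDR
    "order_$1" | grep -cxF "Skynet-Whitelist $2" || true
}

echo "posted order : VPN /24 present $(count_entry posted 10.8.0.0/24) time(s)"
echo "swapped order: VPN /24 present $(count_entry swapped 10.8.0.0/24) time(s)"
echo "CDN entry survives either way: $(count_entry posted 17.0.0.0/8)/$(count_entry swapped 17.0.0.0/8)"
```

Run it with `sh`. With the posted order the VPN /24 is gone from the live set; with the swapped order it is present once, and entries without an "nvram: " comment (CDN, manual) are untouched either way. Two caveats the simulation makes visible: the delete line only emits entries that exist in the saved snapshot, so on a first run with no snapshot nothing is deleted regardless of order; and the comment is stripped before the `s~add~del~g` substitution, which is why a comment such as "nvram: lan_ipaddr" (which contains "add") does not get mangled. On a router the equivalent after-restart check is `ipset test Skynet-Whitelist "$(nvram get vpn_server1_sn)/24"`.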
It’s a theory. It doesn’t explain anything, at the moment.

It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
@dave14305

"The shrewd guess, the fertile hypothesis, the courageous leap to a tentative conclusion - these are the most valuable coins of the thinker at work. But in most schools guessing is heavily penalized and is associated somehow with laziness."
-Jerome Bruner

I made some improvements that take Skynet's healing factors into consideration per @dave14305's suggestions.

 