What's new

Skynet WAN ip outbound blocked

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Your cats eye has been keeping track of me again!

53834.jpg
MEOW
 
Sounds like Skynet 7.4.2 will be available here pretty soon! :)
hey so,


if you see these line's

Code:
        Whitelist_VPN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!

I wonder if there is a legitimate reason to delete all the Whitelist_VPN entries when skynet first starts.

Notice, it will delete all VPN entries from this function with the above one liner.

Code:
Whitelist_VPN() {
    echo "add Skynet-Whitelist $(nvram get vpn_server1_sn)/24 comment \"nvram: vpn_server1_sn\"
    add Skynet-Whitelist $(nvram get vpn_server2_sn)/24 comment \"nvram: vpn_server2_sn\"
    add Skynet-Whitelist $(nvram get vpn_server_sn)/24 comment \"nvram: vpn_server_sn\"
    add Skynet-Whitelist $(nvram get vpn_client1_addr)/24 comment \"nvram: vpn_client1_addr\"
    add Skynet-Whitelist $(nvram get vpn_client2_addr)/24 comment \"nvram: vpn_client2_addr\"
    add Skynet-Whitelist $(nvram get vpn_client3_addr)/24 comment \"nvram: vpn_client3_addr\"
    add Skynet-Whitelist $(nvram get vpn_client4_addr)/24 comment \"nvram: vpn_client4_addr\"
    add Skynet-Whitelist $(nvram get vpn_client5_addr)/24 comment \"nvram: vpn_client5_addr\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Skynet-Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")/24" comment "nvram: Astrill_VPN"; fi
}

@Adamm Should that one liner be before the Whitelist_VPN instead of Whitelist_Shared?

what i mean is, should it be

Code:
        Whitelist_Extra
        Whitelist_CDN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
        Whitelist_VPN
        Whitelist_Shared

instead of

Code:
        Whitelist_Extra
        Whitelist_CDN
        Whitelist_VPN
        sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
        Whitelist_Shared
 
Last edited:
Thus explaining why the users skynet blocked the IP address for asn.ipinfo.app in their geographical region.
It’s a theory. It doesn’t explain anything, at the moment.
Should that one liner be before the Whitelist_VPN instead of Whitelist_Shared?
It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
“Let's work the problem, people. Let's not make things worse by guessing.”
― Gene Kranz
 
It’s a theory. It doesn’t explain anything, at the moment.

It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
I didn't have to guess at this. I manually blocked an IP to one of the CDN whitelist servers myself and tested it. You can test it too yourself if you like. See that your CDNwhitelist entries are removed every time the whitelist entries get "refreshed". Here is what i did : I pinged an address in the whitelist entries that I had added to the blocklists as well. For a moment, during the whitelisting process, the address was no longer pingable until the whitelist update process finished.


Code:
Whitelist_Extra() {
    echo "ipdeny.com
    ipapi.co
    api.db-ip.com
    api.bgpview.io
    asn.ipinfo.app
    speedguide.net
    otx.alienvault.com
    github.com
    raw.githubusercontent.com
    iplists.firehol.org
    astrill.com
    strongpath.net
    snbforums.com
    bin.entware.net
    nwsrv-ns1.asus.com
    $(nvram get "firmware_server")
    $(nvram get "ntp_server0")
    $(nvram get "ntp_server1")" | tr -d "\t" > /jffs/addons/shared-whitelists/shared-Skynet2-whitelist
}

Whitelist_CDN() {
    sed '\~add Skynet-Whitelist ~!d;\~CDN-Whitelist~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
    if [ "$cdnwhitelist" = "enabled" ]; then
        {
            # Apple AS714 | Akamai AS12222 AS16625 | HighWinds AS33438 AS20446 | Fastly AS54113 | GitHub AS36459
            printf "AS714\nAS12222\nAS16625\nAS33438\nAS20446\nAS54113\nAS36459" | xargs -I {} sh -c 'curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://asn.ipinfo.app/api/text/list/{} | awk -v asn={} '\''/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: %s\"\n", $1, asn }'\'''
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://www.cloudflare.com/ips-v4 | awk '/^(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: CloudFlare\"\n", $1 }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://ip-ranges.amazonaws.com/ip-ranges.json | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Amazon\"\n", RT }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://api.github.com/meta | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Github\"\n", RT }'
            curl -fsL --retry 3 --connect-timeout 3 --max-time 6 --retry-delay 1 --retry-all-errors https://endpoints.office.com/endpoints/worldwide?clientrequestid="$(awk '{printf "%s", $1}' /proc/sys/kernel/random/uuid)" | awk 'BEGIN{RS="(((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])\\.){3}(25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)"}{if(RT)printf "add Skynet-Whitelist %s comment \"CDN-Whitelist: Microsoft365\"\n", RT }'
        } | awk '!x[$0]++' | ipset restore -!
    fi
}

Whitelist_VPN() {
    echo "add Skynet-Whitelist $(nvram get vpn_server1_sn)/24 comment \"nvram: vpn_server1_sn\"
    add Skynet-Whitelist $(nvram get vpn_server2_sn)/24 comment \"nvram: vpn_server2_sn\"
    add Skynet-Whitelist $(nvram get vpn_server_sn)/24 comment \"nvram: vpn_server_sn\"
    add Skynet-Whitelist $(nvram get vpn_client1_addr)/24 comment \"nvram: vpn_client1_addr\"
    add Skynet-Whitelist $(nvram get vpn_client2_addr)/24 comment \"nvram: vpn_client2_addr\"
    add Skynet-Whitelist $(nvram get vpn_client3_addr)/24 comment \"nvram: vpn_client3_addr\"
    add Skynet-Whitelist $(nvram get vpn_client4_addr)/24 comment \"nvram: vpn_client4_addr\"
    add Skynet-Whitelist $(nvram get vpn_client5_addr)/24 comment \"nvram: vpn_client5_addr\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    if [ -f "/dev/astrill/openvpn.conf" ]; then ipset -q -A Skynet-Whitelist "$(sed '\~remote ~!d;s~remote ~~' "/dev/astrill/openvpn.conf")/24" comment "nvram: Astrill_VPN"; fi
}

Whitelist_Shared() {
    echo "add Skynet-Whitelist $(nvram get wan0_ipaddr) comment \"nvram: wan0_ipaddr\"
    add Skynet-Whitelist $(LAN_CIDR_Lookup "$(nvram get "lan_ipaddr")") comment \"nvram: lan_ipaddr\"
    add Skynet-Whitelist $(nvram get wan_dns1_x) comment \"nvram: wan_dns1_x\"
    add Skynet-Whitelist $(nvram get wan_dns2_x) comment \"nvram: wan_dns2_x\"
    add Skynet-Whitelist $(nvram get wan0_dns1_x) comment \"nvram: wan0_dns1_x\"
    add Skynet-Whitelist $(nvram get wan0_dns2_x) comment \"nvram: wan0_dns2_x\"
    add Skynet-Whitelist $(nvram get wan_dns | awk '{print $1}') comment \"nvram: wan_dns\"
    add Skynet-Whitelist $(nvram get wan_dns | awk '{print $2}') comment \"nvram: wan_dns\"
    add Skynet-Whitelist $(nvram get wan0_dns | awk '{print $1}') comment \"nvram: wan0_dns\"
    add Skynet-Whitelist $(nvram get wan0_dns | awk '{print $2}') comment \"nvram: wan0_dns\"
    add Skynet-Whitelist $(nvram get wan0_xdns | awk '{print $1}') comment \"nvram: wan0_xdns\"
    add Skynet-Whitelist $(nvram get wan0_xdns | awk '{print $2}') comment \"nvram: wan0_xdns\"
    add Skynet-Whitelist 192.30.252.0/22 comment \"nvram: Github Content Server\"
    add Skynet-Whitelist 127.0.0.0/8 comment \"nvram: Localhost\"" | tr -d "\t" | Filter_IPLine | ipset restore -! 2>/dev/null
    ipset flush Skynet-WhitelistDomains
    sed -i '\~# Skynet~d' /jffs/configs/dnsmasq.conf.add
    grep -hvF "#" /jffs/addons/shared-whitelists/shared-*-whitelist | Strip_Domain | xargs -n 20 | sed 's~^~ipset=/~g;s~ ~/~g;s~$~/Skynet-WhitelistDomains # Skynet~g' >> /jffs/configs/dnsmasq.conf.add
    chmod +x /jffs/configs/dnsmasq.conf.add
    service restart_dnsmasq >/dev/null 2>&1
    if [ "$(uname -o)" = "ASUSWRT-Merlin" ]; then dotvar="dnspriv_rulelist"; else dotvar="stubby_dns"; fi
    for ip in $(nvram get "$dotvar" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'); do
        echo "add Skynet-Whitelist $ip comment \"nvram: $dotvar\""
    done | ipset restore -!
    if [ -f "/jffs/dnscrypt/public-resolvers.md" ] && [ -f "/jffs/dnscrypt/relays.md" ]; then
        grep -hoE '^sdns:.*' /jffs/dnscrypt/public-resolvers.md /jffs/dnscrypt/relays.md | sed "s~'~~g;s~sdns://~~g;s~-~+~g;s~_~/~g" | while read -r stamp; do
            echo "${stamp}$(echo '====' | cut -c-$(($(printf '%s' "${stamp}" | wc -m) % 4)))" | openssl enc -base64 -d -A
        done | strings | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | awk '{printf "add Skynet-Whitelist %s comment \"nvram: DNSCrypt Stamp\"\n", $1 }' | ipset restore -!
    fi
    if [ -f "/opt/var/lib/unbound/root.hints" ]; then
        grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' /opt/var/lib/unbound/root.hints | while read -r roothint; do
            echo "add Skynet-Whitelist $roothint comment \"nvram: Root DNS Server\""
        done | ipset restore -!
    fi
    Strip_Domain < /jffs/addons/shared-whitelists/shared-Skynet2-whitelist | while IFS= read -r domain; do
        nslookup "$domain" 127.0.0.1 >/dev/null 2>&1
    done &
}

Even though asn.ipinfo.app is present in the whitelist_extra, that domain is not populated into the whitelist until long after the CDN whitelist entries have ran. Hence why the part of the CDN whitelisting failed on skynet startup, and didn't fail on a second run.

Look below for the logic:

Code:
Whitelist_Extra  ## the place where asn.ipinfo.app is added to list of skynet domains shared list.
Whitelist_CDN ## CDN whitelisting is expected to access asn.ipinfo.app to whitelist entries.
sed '\~add Skynet-Whitelist ~!d;\~nvram: ~!d;s~ comment.*~~;s~add~del~g' "$skynetipset" | ipset restore -!
Whitelist_VPN
Whitelist_Shared ## the place where asn.ipinfo.app was finally added to the whitelist ipset.
 
Last edited:
It’s a theory. It doesn’t explain anything, at the moment.

It is probably an oversight and should be swapped.

I wouldn’t mess with the CDN whitelisting until you’ve really thought this through and tested or reproduced the scenario you’re trying to fix. Skynet runs at various times and under different circumstances (firewall restart, cron job, command line/menu), and you have to think about all of them before making significant changes.
@dave14305

"The shrewd guess, the fertile hypothesis, the courageous leap to a tentative conclusion - these are the most valuable coins of the thinker at work. But in most schools guessing is heavily penalized and is associated somehow with laziness."
-Jerome Bruner

I made some improvements that take skynet's healing factors into consideration per @dave14305 suggestion's.

 
Last edited:

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top