YazFi Allowing access to selected network devices

[TheLyppardMan]

I've never used YazFi before, but I understand that it could be used to achieve better security when using IoT devices. I don't plan to have a lot of those, but at the moment I have a Honeywell evohome controller that manages my programmable radiator TRV's and which connects to the internet for remote control, primarily from the dedicated mobile app. The controller doesn't need access to any devices on my LAN, so I have moved it onto Guest Network 1 (2.4Ghz band) with isolation from other devices on my LAN. The other devices are two security cameras, which store their video clips on a share on my Synology DiskStation. They do not have access to any other shares on the NAS. What I would ideally like to do is prevent the security cameras from having access to any other devices on my LAN. If this scenario is possible using YazFi, could someone tell me precisely how to set it up? My NAS has a static IP address on the LAN (xxx.xxx.xxx.200), as do a few other devices. The router is xxx.xxx.xxx.254 and the DHCP range is xxx.xxx.xxx.100 to xxx.xxx.xxx.199.

 

[bennor]

@Jack Yaz may have a better cleaner way to do this (with or with out YazFi), but the following worked in some quick and dirty testing when using YazFi (with One Way and Two Way to guest set to No in YazFi) to allow traffic from either all Guest 1 clients to a specific IP address on the LAN, or from a single IP address on Guest 1 to a specific IP address on the LAN. The following assumes one has knowledge of how to use SSH, has SSH enabled on their Asus-Merlin router, has YazFi installed and properly configured, knows how to use "nano", "vi" or SSH GUI programs WinSCP to create a file, paste in code, edit that code to match their specific network settings. One may also want to create static/reserved IP addresses for their IoT devices to avoid certain issues. The YazFi GitHub Wiki page has additional general information on how to setup static/reserved Guest IP addresses for YazFi Clients.
https://github.com/jackyaz/YazFi/wi...e-and-ARP-records#a-note-on-dhcp-reservations

Create a custom script file as explained in the YazFi Custom Script section and set its execute permissions as indicated in that section.
https://github.com/jackyaz/YazFi#custom-firewall-rules

Remember to save any changes to the created file, then trigger YazFi to apply the changes either in the YazFi CLI (option #1) or by selecting the Apply button on the YazFi GUI page in Asus-Merlin's Guest section. Failure to do so won't apply the YazFi custom script file updates.

All Guests 1 IP addresses to single LAN IP address
For allowing all Guest 1 (wl0.1) clients to access a single IP address on the LAN try the following. Paste in the following code block into the custom script file one created and save that file then trigger YazFi to apply the saved file. Make the adjustment to the source (-s) IP address and destination (-d) IP address to match the IP address of the LAN device in each iptables line.

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -j ACCEPT

Single Guest 1 IP address to single LAN IP address
For allowing a single Guest 1 (wl0.1) IP address to access a single IP address on the LAN try the following. Paste in the following code block into the custom script file one created and save that file. Make the adjustment to the source (-s) IP address and destination (-d) IP address to match the IP address of the Guest #1 device and LAN device in each iptables line.

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -s 192.168.3.50 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -d 192.168.3.50 -j ACCEPT

In the above example the NAS on the LAN has an IP address of: 192.168.1.100 and the single Guest #1 IP address of: 192.168.3.50.

What is generally happening is the following. In the first example; one is telling iptables to pass traffic to/from the Guest #1 (wl0.1) to the specific IP address on main LAN (br0). In the second example; one telling iptables to pass traffic to/from the specified IP addresses on the Guest 1 (wl0.1) to the specific IP address on the main LAN.

General Guest Network values:
2.4GhZ Network 1, 2, 3:
wl0.1
wl0.2
wl0.3
5Ghz Network 1, 2, 3:
wl1.1
wl1.2
wl1.3
5Ghz - 2 Networks (2 Ghz radios e.g. RT-AC53000)
wl2.1
wl2.2
wl2.3

There are likely better ways to script what you seek, but the above will get you started if using YazFi. One can likely modify the script to include additional Guest 1 (wl0.1) clients or to use different Guest networks (ex: wl0.2 or wl1.1) or to limit the traffic to just the Samba/SMB or FTP ports/traffic. In quick and dirty testing this worked for accessing a Synology NAS on the main LAN using a Windows PC connected to Guest 1. Note: Due to the devices being located on different IP subnets certain features like network discovery may not work properly. One may have to manually enter the NAS IP address (ex: \\192.168.1.100) when trying to access the NAS from the Guest 1 client.

Final note: You proceed at your own risk!!! The above requires one to have some knowledge and skill. Improperly modifying iptables may yield unexpected results including potentially opening up security vulnerabilities or pinholes that could allow malicious actors/hackers to access your local devices/network. What works for me in my quick and dirty testing may not work for others for various reasons.

 

[TheLyppardMan]

Thank you for your detailed explanation. However, I'm rather embarrassed to admit this, but I've realised a couple of things that I should have done earlier (I think it's an age-related thing as I often get confused or forget things these days). Firstly, one of the cameras is not on Wi-Fi but rather has access to my network via a Powerline adapter. The other thing is, unless I need to access the cameras data remotely, then I can simply block their internet access from within the network map client status page thus:

 

[fotingo]

@bennor

in my case, I am using 2.4 ghz Guest Network 3
and would like all clients (IoTs) connected to that Guest Network to be able to be controlled or viewed from the main LAN 192.168.1.1.

in that case, would this be correct?

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.3 -o br0 -d 192.168.1.1 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.1.1 -j ACCEPT

 

[bennor]

@bennor

in my case, I am using 2.4 ghz Guest Network 3
and would like all clients (IoTs) connected to that Guest Network to be able to be controlled or viewed from the main LAN 192.168.1.1.

in that case, would this be correct?

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.3 -o br0 -d 192.168.1.1 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.1.1 -j ACCEPT

Is the router IP 192.168.1.1 or is it some other main LAN device?

If you want to open up all traffic from the main LAN to all YazFi clients then perhaps you should rethink using Guest WiFi networks or even YazFi.

 

[fotingo]

The router IP is on 192.168.1.1 (main network) - but what I need is to be able to view/control the IoT devices (smart plugs/switches).. those are connected to 2.4ghz Guest Network 3...but I cannot control them from my Kasa phone app unless I give them internet access.. which I prefer not to, but I would also like to keep them separate from the main network 192.168.1.1 and still be able to control them.

Are you saying this is not possible?

 

[fotingo]

Before I started using Yazfi, I had those same IoT devices connected to the main network, but I had disabled their internet access via the Time Scheduler section of the Router in the Parental Controls.. even though they did not have internet access, I was able to control them.

The Wireless Cameras on the other hand.. I can view them and control them via their app even though I have disabled Internet Access to them.. those are on the same Guest Network 3... but for some reason I cannot view the IoT devices if internet is disabled... they are on the same Guest Network as the cameras.

 

[fotingo]

If you want to open up all traffic from the main LAN to all YazFi clients then perhaps you should rethink using Guest WiFi networks or even YazFi.

I guess I am a bit confused by your response... I am sort of new to this kind of stuff, so please bare with me...

YazFi has an option to Allow all clients to have unrestricted access to the LAN by enabling "Two way to guest" - this is why I am not sure what you mean by your response above.. why is there an option to do this if this is not allowed?

They way I am looking at it ( and I am sure it's erroneous on my part).. is.. if by allowing all clients connected to a specific Guest Network to have access to the main LAN, but at the same time disabling Internet Access to them...why would that be a security risk?

Yes, they have access to the LAN, but by disabling its internet capabilities, wouldn't that make it them not a risk?
I am trying to learn here, so please do not take this in any other manner..just trying to make it make sense to me.

 

[bennor]

If all one wants to do is block internet access to a main WiFi or main LAN client then there is already a method doing that in the Asus GUI. Other LAN/WiFi client will still be able to access that internet blocked main LAN/WiFi client. See the GUI's Parental Controls > Time Scheduling section where you can add a main LAN/WiFi client and block their internet access.

The advantage of Guest WiFi Network is moving WiFi clients off the main WiFi/LAN and isolating them from being accessed by main LAN/WiFi clients and or isolating the Guest WiFi clients from accessing the main LAN/WiFi (Guest Network Access Intranet set to off). What YazFi does is add extra features and options to the limited and basic Guest WiFi Network features/options. YazFi allows certain traffic (ex. ICMP, DHCP, DNS, NTP and NetBIOS) through to the main LAN that otherwise would be blocked by normal Guest Network WiFi. While YazFi has the options of one-way to guest and two-way to guest (descriptions below) to allow main LAN/WiFi clients to access YazFi client(s); if one is using Custom Scripting to open up full access both ways it sort of defeats the purpose of using the Guest Network or using YazFi to isolate WiFi clients away from the main LAN/WiFi network. That is why I said if one goes that route (custom script to open up all traffic between the two networks) then one may want to rethink what they're trying to do or what they want to accomplish.

YazFi Two-Way to Guest
Should LAN/Guest Network traffic have unrestricted access to each other? Cannot be enabled if One-Way to Guest is enabled
YazFi One-Way to Guest
Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? Cannot be enabled if Two-Way to Guest is enabled

Not everyone needs to use YazFi or even Guest Networks. All depends on their needs and what they're trying to do with their WiFi client(s).

If One-Way and Two-Way to Guest to Guest are not working, one can use the Custom Scripting to route the traffic (or specific ports) to/from YazFi and the main LAN/WiFi. For example if one want to block internet access using YazFi and open up full access between main LAN/WiFi and YazFi clients then a custom script like the following, off the top of my head, might work (have not tested it so don't know if it works or may have other issues) after setting Allow Internet Access to No in YazFi. It should allow full access between main LAN clients and YazFi Guest Network #3 (2.4Ghz).

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.3 -o br0 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -j ACCEPT

 

[fotingo]

Thank you Bennor.. I will try that. I got confused because once I saw I was able to view and control the security cameras connected to Guest Network 3 with Internet Access disabled.. I was like YES.. this is great.. but then I noticed the IoTs that were connected to the same Guest Network were not working unless I enabled Internet Access.

Is that because those devices use a different protocol or something.. even though they are the same brand (TP-Link)?

EDIT..
Also, so why is it recommended to keep IoT devices on a separate Network if they do not have Internet Access?
Is it because even though Internet Access is disabled, a hacker can still have gain access to them?

 

[fotingo]

By the way.. the script did not work. I still cannot access the IoT devices, but as soon as I enable Internet Access, they pop right up on the app.
I guess the workaround is to have them I as I used to before which is connected to the main wifi network and disable internet access via the Scheduler.

I cannot use the regular Guest Network from Asus because if I disable Intranet, the same issues occur.
The ideal scenario I was looking for is to keep the IoT on a separate Network without Internet Access.. but for some reason this is not possible with these devices.

 

[bennor]

but as soon as I enable Internet Access, they pop right up on the app.

Have you checked the "app" to see if it even supports local network access to the device it's trying to access? Some IoT and camera apps access their devices only through the Internet not through the local network.

 

[fotingo]

Have you checked the "app" to see if it even supports local network access to the device it's trying to access?

They do because when I connect them to the main network and I disable Internet Access, I am able to control them and view them in the app. I always had them connected to the main wifi Network and blocked Internet Access Parental Controls > Time Scheduling, which is how I've had them in the past.

I was just looking for a way to have them on a different Network, but without Internet Access.

 

[fotingo]

@bennor I want to try a different Guest Network.
This time, I want to try Guest Network 2 to see if the IoT devices are able to communicate with the main LAN 192.168.1.1

In this case, would I use...?

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -j ACCEPT

I know you said you haven't tested it, but at least I know it didn't work on Guest 3.
If this one doesn't work, which other iptables can I try?

 

[bennor]

I know you said you haven't tested it, but at least I know it didn't work on Guest 3.
If this one doesn't work, which other iptables can I try?

After some quick and dirty testing it appears, when using YazFi, if one sets Allow Internet Access to No then it breaks the use of the custom scripting to allow access from YazFi clients to the main LAN. (Note I was only doing quick testing of WiF to LAN not both ways)
If I have Allow Internet Access set to Yes then the following script for Guest Network #2 5Ghz works and a YazFi GN #2 5Ghz client can access the main LAN client.

#!/bin/sh
iptables -I YazFiFORWARD -i wl1.2 -o br0 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl1.2 -j ACCEPT

But if I set Allow Internet Access to No then YazFi GN #2 5Ghz client cannot access the main LAN client. Not having looked deep into the YazFi script lately I assume there is something with the disabling Internet Access through YazFi that is superseding or entirely blocking the YazFi custom script.

@Jack Yaz and @Martinski if you have a free moment, any thoughts or comments you might be able to share on this? When the YazFi Allow Internet Access is set to No to block internet access for YazFi client(s), those clients cannot access the main LAN using custom scripts. Does the custom script have to be written differently to account for internet access being blocked? Or is there something else happening here preventing the custom script from running properly? Or is the custom script example above written incorrectly?

 

[fotingo]

Hi Bennor..
Just wanted to make sure.. this is on the 2.4 Ghz.. not sure if that's going to make a difference. I say that because your post mentioned the 5Ghz.

 

[bennor]

Just wanted to make sure.. this is on the 2.4 Ghz.. not sure if that's going to make a difference. I say that because your post mentioned the 5Ghz.

I was only testing 5Ghz in my quick text, but its very likely this issue affects both 2.4Ghz and 5Gh, and very likely those routers with three bands. You can test for yourself if you wish (assuming you haven't done so already). If you look at the custom script I used the ONLY change was using wl1.2 (the Guest Network #2 - 5Ghz network) versus wl0.2 (the Guest Network #2 2.4Ghz network)

 

[fotingo]

Oh ok. I guess we'll see what Jack Yaz and Martinski say regarding the iptables.
So those iptables are basically the same thing as selecting "Two ways to guest" or is there a difference between turning that feature to "Yes" vs using the iptables?

 

[bennor]

Bit more quick and dirty troubleshooting. This time with One Way and Two Way to Guest settings in YazFi.

Summary:
There appears to be the same or similar issue when Access Internet is set to Off in YazFi when using Two Way to Guest that is mentioned above. With YazFi set to no internet access, the YazFi client cannot access main LAN client when Two Way to Guest is enabled. When internet is enabled in YazFi, the YazFi client can access main LAN client when Two Way to Guest is enabled.

Testing
Router: RT-AX86U Pro
Firmware: 3004.388.5
DNS: LAN Pi-Hole & Unbound
YazFi version: 4.4.4
----------------------------------

WiFi band: 2.4Ghz
Guest Network #2
YazFi Client isolation: Enabled (Yes)

Allow Internet access set to NO
One Way to Guest set to ON
LAN (PC) can ping YazFi client (smartphone)
YazFi client cannot access LAN client (a NAS)

Allow Internet access set to NO
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client cannot access LAN client (NAS)

Allow Internet access set to Yes
One Way to Guest set to ON
LAN (PC) can ping YazFi client (smartphone)
YazFi client cannot access LAN client (a NAS)

Allow Internet access set to Yes
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client can access LAN client (NAS) both web page and SMB
----------------------------------

WiFi band: 5Ghz
Guest Network #2
YazFi Client isolation: Enabled (Yes)

Allow Internet access set to NO
One Way to Guest set to ON
LAN (PC) can ping YazFi client (smartphone)
YazFi client cannot access LAN client (a NAS)

Allow Internet access set to NO
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client cannot access LAN client (NAS)

Allow Internet access set to Yes
One Way to Guest set to ON
LAN (PC) can ping YazFi client (smartphone)
YazFi client cannot access LAN client (a NAS)

Allow Internet access set to Yes
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client can access LAN client (NAS) both web page and SMB
----------------------------------

To eliminate the possibility that client isolation may play a role.

WiFi band: 2.4Ghz
Guest Network #2
YazFi Client isolation: Disabled (No)

Allow Internet access set to Yes
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client can access LAN client (NAS) both web page and SMB

Allow Internet access set to NO
Two Way to Guest set to ON
LAN can ping YazFi client
YazFi client cannot access LAN client (NAS)

 

[Martinski]

After some quick and dirty testing it appears, when using YazFi, if one sets Allow Internet Access to No then it breaks the use of the custom scripting to allow access from YazFi clients to the main LAN. (Note I was only doing quick testing of WiF to LAN not both ways)
If I have Allow Internet Access set to Yes then the following script for Guest Network #2 5Ghz works and a YazFi GN #2 5Ghz client can access the main LAN client.

#!/bin/sh
iptables -I YazFiFORWARD -i wl1.2 -o br0 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl1.2 -j ACCEPT

But if I set Allow Internet Access to No then YazFi GN #2 5Ghz client cannot access the main LAN client. Not having looked deep into the YazFi script lately I assume there is something with the disabling Internet Access through YazFi that is superseding or entirely blocking the YazFi custom script.

@Jack Yaz and @Martinski if you have a free moment, any thoughts or comments you might be able to share on this? When the YazFi Allow Internet Access is set to No to block internet access for YazFi client(s), those clients cannot access the main LAN using custom scripts. Does the custom script have to be written differently to account for internet access being blocked? Or is there something else happening here preventing the custom script from running properly? Or is the custom script example above written incorrectly?

It's been quite a while since I've looked at that part of the YazFi script so I don't recall the details well enough to make an informed response right now. I'll review the code either tomorrow evening or Thursday evening. I'm busy at the moment and my wife just let me know that she wants to do her "last gift shopping trip" tomorrow so I've got to do my duty and be "the guy sitting on a bench, drinking coffee & holding the shopping bags while the wife does the shopping."

I'll let you know what I find. Is my understanding correct that the same behavior also happens without YazFi, by simply using the built-in Guest Networks #1, #2, or #3?