YazFi Allowing cast traffic from guest network to IoT (media) network

[dangkhoa]

Hi, new to AsusWRT-Merlin and YazFi! (Not to mention iptables.)

I'm trying to allow my "true" guest network (wl0.1, wl1.1) one-way access to my "media" guest network (wl0.2, wl1.2). The intent being to allow house guests to be able to cast music/video to my speakers/TV.

Per Google's help page "Network requirements for cast moderator", I need to:

• Allow TCP packets on ports 8008-8009 from sender to receiver
• Allow UDP packets on ports 1-65535 from sender to receiver
• Allow UDP packets on ports 1-65535 from receiver to sender

These are the rules I tried to add. I put the following script /jffs/addons/YazFi.d/userscripts.d/allow-guest-access-to-media.sh:

#!/bin/sh

iptables -I YazFiFORWARD -i wl0.1 -o wl0.2 -p tcp --dport 8008:8009 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.1 -o wl0.2 -p udp --dport 1:65535 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl0.1 -p udp --dport 1:65535 -j ACCEPT

iptables -I YazFiFORWARD -i wl1.1 -o wl0.2 -p tcp --dport 8008:8009 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl0.2 -p udp --dport 1:65535 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl1.1 -p udp --dport 1:65535 -j ACCEPT

iptables -I YazFiFORWARD -i wl0.1 -o wl1.2 -p tcp --dport 8008:8009 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.1 -o wl1.2 -p udp --dport 1:65535 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o wl0.1 -p udp --dport 1:65535 -j ACCEPT

iptables -I YazFiFORWARD -i wl1.1 -o wl1.2 -p tcp --dport 8008:8009 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl1.2 -p udp --dport 1:65535 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o wl1.1 -p udp --dport 1:65535 -j ACCEPT

After running this, I put my cell phone on my guest network and don't see any of my media devices available to cast using, e.g., Spotify.

On my main network, I simply have YazFi's "one-way to guest" enabled for my media network. I suppose I'm really just looking for "actual guest network" (wl0.1, wl1.1) to have one-way access to my media network (wl0.2, wl1.2). (Although, a separate question of how does one-way to guest work for casting if I need to allow UDP traffic to flow from receiver to sender? Again, new to iptables, YazFi, and AsusWRT-Merlin...)

I'm hoping for some help to point out what I'm doing wrong with iptables (or if this is even close to the correct approach to allowing my "actual guest" network to access my media network).

 

[bennor]

Try using Two Way to Guest, or scripting the networks to pass traffic to each other.
See my post at the following link, if you haven't already, which has some discussion and examples on using YazFi custom firewall scripting. It may help (or it may not).
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521

 

[dangkhoa]

Well, with my main network, using one-way to guest allows casting to devices on my IoT network just fine - so I could just set up rules to do two-way to guest between the true-guest network and IoT network - but then, how does main network one-way to IoT network work correctly?

 

[bennor]

As a troubleshooting step(s). Try the scripting without the dport values if you haven't tried it already. Also try just scripting between one set of WiFi not all of them at once. If you can get it working, as you expect or want, for just one of the WiFI bands then you can expand it to all of them.

 

[dangkhoa]

Hah, I read your post and realized that I needed to actually apply YazFi settings from /jffs/scripts/YazFi. That said, using the rules I set above still doesn't work.

Right now I just implemented the following for complete two-way access:

iptables -I YazFiFORWARD -i wl0.1 -o wl0.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl0.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.1 -o wl1.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.1 -o wl1.2 -j ACCEPT

iptables -I YazFiFORWARD -i wl0.2 -o wl0.1 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl1.1 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o wl0.1 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o wl1.1 -j ACCEPT

and this works (except for one app that can't cast to my TV or Chromecasts, but I actually think this is a problem with the Fubo app and not with the network settings.. potentially) - clearly not ideal though if I don't want my media network to reach into my guest network.

Some musings:

• I think there's some nuance here with Avahi that I can't put my finger on - does Avahi only have clients advertise to br0? (Seeing as how enabling two way communications works, I think Avahi is actually running ok)
• What are the iptables rules that are being set when I set, e.g., wl02_ONEWAYTOGUEST=true ?

 

[bennor]

@dangkhoa, not sure you indicated it; but what router, and what specific firmware version are you running?
PS: Also what version of YazFi are you running?

 

[dangkhoa]

I'm on an RT-AX58U, firmware 3004.388.8_4, YazFi 4.4.4

 

[bennor]

I'm on an RT-AX58U, firmware 3004.388.8_4, YazFi 4.4.4

You may want to try the YazFi develop version (4.4.5) to see if that improves anything.

/jffs/scripts/YazFi develop
/jffs/scripts/YazFi forceupdate

GitHub - jackyaz/YazFi at develop

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - GitHub - jackyaz/Yaz...

github.com

Also make sure you don't have Client Isolation in YazFi.

 

[dangkhoa]

I'll give 4.4.5 a shot. I also am not running Client Isolation (although after I got this fully working that was my next intended change to my network) - but what would happen if I did so?

I'm trying to read the actual script to understand how exactly one-way-to-guest works and understand why casting to devices on a YazFi network works seamlessly when the source device is on the main wifi, but doesn't work when the source device is also on a YazFi network - I'll post again with my understanding so someone can correct me (or I figure it out and it's useful information for someone else in the future). (Or Martinski or JackYaz can just educate me )

 

[bennor]

I'm trying to read the actual script to understand how exactly one-way-to-guest works and understand why casting to devices on a YazFi network works seamlessly when the source device is on the main wifi, but doesn't work when the source device is also on a YazFi network - I'll post again with my understanding so someone can correct me (or I figure it out and it's useful information for someone else in the future). (Or Martinski or JackYaz can just educate me )

The firewall (iptables) rules for doONE_WAYtoGUEST in the YazFi.sh (v4.4.5) are found starting at line 1727:
https://github.com/jackyaz/YazFi/blob/develop/YazFi.sh#L1727

Another thing to do is to grep the iptables to see what the YazFI entries are. The following will dump all of the iptables entries:
iptables-save
Not sure if the following is the proper command to grep the YazFi entries in iptables as I don't have immediate access to Asus-Merlin router running YazFi to test with.
iptables-save | grep YazFi