YazFi Blocking internet access for certain devices on YazFi guest network

[JoppeA]

Hi there,
I've been using YazFi for my IOT devices in the house, and have a question. I have a guest network that has internet access, but want to add 2 devices that do not need internet access but need to be accessed by my Homekit hub on the primary WiFi network.
The first step I've been doing is to block internet access for these devices with some specific rules in /jffs/addons/YazFi.d/userscripts.d/myscript.sh
CHMOD is set to 755, and I clicked apply in YazFi settings. However the devices still seem able to access the internet. Any idea what might cause this?
The HomeKit hub is on Wi-Fi, so should it remain br0 or should I change it to eth6/eth7?

The current script I have is:
#!/bin/sh
iptables -I YazFiFORWARD -s 192.168.4.215 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -s 192.168.4.193 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.193 -j ACCEPT

The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app.

The YazFi network is setup to allow internet access in general, client isolation is on, and 1/2way to guest is disabled. I only want these specific two devices to not be able to access the internet but able to be accessed from my home WiFi.

Thanks

 

[bennor]

The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app.

See the following post, if you haven't already, in another thread which may have some suggestions:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
To allow a single main LAN client to access to all YazFi Guests you may need to do something like this (adjusting for your setup).

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -j ACCEPT

Or to allow a specific main LAN client to access a specific YazFi Guest(s).

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -s 192.168.3.50 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -d 192.168.3.50 -j ACCEPT

Make sure to check the entries carefully to ensure the correct punctuation and IP addresses are used. You may need to use reserved/static IP addresses for your YazFi Clients as well. Example here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403
And here:
https://github.com/jackyaz/YazFi/wi...e-and-ARP-records#a-note-on-dhcp-reservations

 

[JoppeA]

Hi, thanks for your message. I indeed found those links and your earlier posts and tried to replicate the posted scripts (as shown in the startpost), but for some reason I still cannot connect to the devices and they keep internet access, despite my changes. So what could I have done wrong? When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses.

 

[bennor]

When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses.

Your code looks somewhat different than the examples in my post. Maybe try the following to allow traffic between the main LAN IP address 192.168.50.24 and the two YazFi 2.4Ghz Guest #3 IP addresses 192.168.4.215 and 192.168.4.193:

iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.215 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.193 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT

 

[Narios]

Hi,

I was looking on this forum for a solution to my issue and stumbled on this thread.

I've set up 2 guest network with YazFi (Guest 2 and 3). Guest 2 is for my IoT devices and for this network I set to Yes the Client Isolation option and to No the One way to guest, the Two way to guest and the Allow Internet access options.

I've also given static IP addresses to the devices on the IoT network by following the procedure described in this @bennor 's post.
and now my /jffs/scripts/dnsmasq.postconf file looks like this:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=84:CC:A8:B0:AD:9C,192.168.101.21,LivingRollerShutter" $CONFIG
pc_append "dhcp-host=A8:03:2A:1E:66:B0,192.168.101.42,Boiler" $CONFIG

Now, I want to modify the above set by allowing:
1) a 2 way communication only between the Raspberry Pi on the main network and all the devices on the IoT network
2) internet access only to some of the devices on the IoT network.

To accomplish the first step I followed the procedure in bennor's post I mentioned above and my file /jffs/addons/YazFi.d/userscripts.d/myscript.sh looks like this

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 192.168.50.2 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 192.168.50.2 -j ACCEPT

However, when I try to ping any of the devices on the IoT network from the Raspberry Pi I get the below messages:

ping 192.168.101.21
PING 192.168.101.21 (192.168.101.21) 56(84) bytes of data.
From 192.168.50.1 icmp_seq=1 Destination Port Unreachable
From 192.168.50.1 icmp_seq=2 Destination Port Unreachable
From 192.168.50.1 icmp_seq=3 Destination Port Unreachable
From 192.168.50.1 icmp_seq=4 Destination Port Unreachable

--- 192.168.101.21 ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3062ms

What am I missing?

Thanks in advance for any help

 

[bennor]

What is the IP address of the Raspberry PI? Make sure that IP address is the same as the one use in the iptables code. (post edit after reread)

As a troubleshooting step, reboot the router if you haven't already done so as a troubleshooting step.

 

[Narios]

What is the IP address of the Raspberry PI? Make sure that IP address is the same as the one use in the iptables code. (post edit after reread)

As a troubleshooting step, reboot the router if you haven't already done so as a troubleshooting step.

Hi, the IP of the Raspberry Pi is 192.168.50.2. I have already tried to reboot the router after applying the YazFi settings.

 

[bennor]

Hi, the IP of the Raspberry Pi is 192.168.50.2. I have already tried to reboot the router after applying the YazFi settings.

What device is using IP address 192.168.50.1 (per your ping example)? On my Pi, on the main LAN, when it fails to ping a client on YazFi it returns the ip address of the Raspberry Pi. Example:
From 192.168.2.150 icmp_seq=1 Destination Host Unreachable

 

[bennor]

@Narios a few other suggestions. Make sure you have followed the directions for creating the myscripts file which includes making it executable: chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh. One can use the YazFi CLI to force YazFi to reload by selecting Option 1. Just did a quick test on a RT-AX86U Pro and can ping from my Raspberry Pi (192.168.2.150) to YazFi Guest Wifi 2 (2.4 Ghz) client at IP address 192.168.3.91.

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 192.168.2.150 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 192.168.2.150 -j ACCEPT

admin@Pi:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.2.150  netmask 255.255.255.0  broadcast 192.168.2.255
        inet6 xxxx::xxxx:xxxx:xxxx:xxxx  prefixlen 64  scopeid 0x20<link>
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 1054831  bytes 130299796 (124.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 399515  bytes 43419155 (41.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 144578  bytes 16244508 (15.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 144578  bytes 16244508 (15.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

admin@Pi:~ $ ping 192.168.3.91
PING 192.168.3.91 (192.168.3.91) 56(84) bytes of data.
64 bytes from 192.168.3.91: icmp_seq=1 ttl=63 time=137 ms
64 bytes from 192.168.3.91: icmp_seq=2 ttl=63 time=373 ms
64 bytes from 192.168.3.91: icmp_seq=3 ttl=63 time=138 ms
64 bytes from 192.168.3.91: icmp_seq=4 ttl=63 time=102 ms
64 bytes from 192.168.3.91: icmp_seq=5 ttl=63 time=122 ms
^Z
[7]+  Stopped                 ping 192.168.3.91
admin@Pi:~ $

(Post edited to provide additional information)

 

[Narios]

Hi, followed the instructions step by step and tried to apply the YazFi changes both via the CLI and the WebGUI.

To reply also to your previous post, the device with IP 192.168.50.1 is the router (an RT-AX56U) and the Raspberry Pi with IP 192.168.50.2 is connected to the router via the LAN1 port. In my example, I was connected via SSH to the Raspberry Pi from a laptop on to the main and I was trying to ping the device 192.168.101.21 on the Guest 2 network

 

[bennor]

I was trying to ping the device 192.168.101.21 on the Guest 2 network

Just remembered that using the IP address subnets 192.168.101.x and 192.168.102.x may cause issues because Asus firmware uses those for certain firmware Guest WiFi features. A quick forum search for those IP addresses confirms it. Change the YazFi IP address subnet range to something else and adjust the myscript.sh to match. In my example, which works, I'm using different YazFi IP address subnets than 192.168.101.x and 102.x.

 

[Narios]

Just remembered that using the IP address subnets 192.168.101.x and 192.168.102.x may cause issues because Asus firmware uses those for certain firmware Guest WiFi features. A quick forum search for those IP addresses confirms it. Change the YazFi IP address subnet range to something else and adjust the myscript.sh to match. In my example, which works, I'm using different YazFi IP address subnets than 192.168.101.x and 102.x.

I changed the YazFi subnets but that didn't work.

I have also tried to add another rule to allow the internet access for the device with IP 192.168.126.42 and now the /jffs/addons/YazFi.d/userscripts.d/myscript.sh file looks like this

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 192.168.50.2 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 192.168.50.2 -j ACCEPT
iptables -I YazFiFORWARD -s 192.168.126.42 -o eth0 -j ACCEPT

That device, however, has still no access to the internet. I made the file executable with

chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh

, applied the YazFi changes and even rebooted and then turned off and on the router...still no luck. I managed to assigne static IPs to the devices on the IoT network through the /jffs/scripts/dnsmasq.postconf file:

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=84:CC:A8:B0:AD:9C,192.168.126.21,LivingRollerShutter" $CONFIG
pc_append "dhcp-host=A8:03:2A:1E:66:B0,192.168.126.42,Boiler" $CONFIG
cat /jffs/addons/YazFi.d/.dnsmasq >> /etc/dnsmasq.conf # YazFi

By the way, if I set to Yes the One way to guest or the Two way to guest, then I can ping the devices on Guest 2 from the Raspberry (and from other devices on the main network as well).

Edit: I have added the 2 rules below to test if the Raspberry Pi was the issue and now I can ping devices on Guest 2 network from another laptop (with IP 192.168.50.231) which is connected to the main network via WiFi (not via ethernet as the Raspberry Pi)

iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 192.168.50.231 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 192.168.50.231 -j ACCEPT

 

[bennor]

Edit: I have added the 2 rules below to test if the Raspberry Pi was the issue and now I can ping devices on Guest 2 network from another laptop (with IP 192.168.50.231) which is connected to the main network via WiFi (not via ethernet as the Raspberry Pi)

How is the Raspberry Pi configured? Is it a headless setup or the desktop OS? Is it configured to run a specific service or program? How is it connected to the local network? Directly to the router's LAN port or through a extender, AiMesh, or some other method?

In my case my Raspberry Pi is headless running Raspberry Pi OS Lite along with Pi-Hole and Unbound directly connected to the router's LAN port, and as previously indicated it could ping a YazFi Guest 2 client with the settings in my prior post.

 

[Narios]

How is the Raspberry Pi configured? Is it a headless setup or the desktop OS? Is it configured to run a specific service or program? How is it connected to the local network? Directly to the router's LAN port or through a extender, AiMesh, or some other method?

In my case my Raspberry Pi is headless running Raspberry Pi OS Lite along with Pi-Hole and Unbound directly connected to the router's LAN port, and as previously indicated it could ping a YazFi Guest 2 client with the settings in my prior post.

Hi, thanks a lot for your time and patience.

The Raspberry is headless and it is connected to the router's LAN port, running Raspberry Pi OS (Debian bullseye) along with Home Assistant a d other services (duckdns, caddy, mosquitto and esphome) in Docker.

Prior to buying the Asus router I installed hostapd on the Raspberry Pi so that it was acting as a router of its own local network, blocking internet access to the devices connected to this network. I've reverted all the changes made to create such a network, but I am not sure if I've forgot something or broken something in the process.

 

[bennor]

Prior to buying the Asus router I installed hostapd on the Raspberry Pi so that it was acting as a router of its own local network, blocking internet access to the devices connected to this network. I've reverted all the changes made to create such a network, but I am not sure if I've forgot something or broken something in the process.

Sounds like something might have gotten left over or is interfering if you didn't wipe the Pi OS boot device and start from scratch. As a troubleshooting step setup another Pi OS boot device, if you have one available, from scratch with the Pi OS without all the extra services and see if the issue happens.

 

[Narios]

Sounds like something might have gotten left over or is interfering if you didn't wipe the Pi OS boot device and start from scratch. As a troubleshooting step setup another Pi OS boot device, if you have one available, from scratch with the Pi OS without all the extra services and see if the issue happens.

Hi, sorry for getting back just now but I found out the issue: I was reserving a static IP for the Raspberry Pi through the dhcp.conf file rather than at router level. Once I removed the IP reservation at Raspberry level, then everything worked as expected. I hope this can help anybody with the same issue.

Also, @bennor thanks a lot for your help.

Cheers