I have my IOT devices isolated on a VLAN using YazFi. Client isolation is ON for this network.
On occasion, I will encounter a device that requires client isolation to be turned off when adding it. I believe it's because the device needs direct access to the phone app and vice versa.
I could turn off client isolation, add the device, and then turn it back on.
But can I accomplish something similar via a custom firewall rule?
Can I use rules to open up my phone only, on the IOT wifi, to access any other IOT device on the same client isolated network? And vice versa, allow any IOT device to access my phone's IP address?
Or, less broad, open up 2 way contact between my phone and 1 other single address on the IOT wifi?
I've done this across VLANs to great effect. But my attempts to do this with firewall rules within the IOT VLAN don't seem to work. I wonder if the client isolation setting supersedes some custom firewall commands, or (probably more likely) if I'm just not configuring the iptables line correctly.
Some sample lines I've tried, with wl0.2 the IOT wifi VLAN and 192.168.3.144 the phone's IP address:
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -s 192.168.3.144 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -d 192.168.3.144 -j ACCEPT
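The following is an added example, not the poster's commands and not part of YazFi, showing the narrower option asked about above: a two-way pinhole between one phone and one other address on the guest interface, emitted as idempotent commands (each guarded with `iptables -C` so a re-run firewall script does not stack duplicate rules) and with a state match so replies are accepted without a blanket rule. The chain name YazFiFORWARD, interface wl0.2 and 192.168.3.144 are taken from the post; DEVICE_IP and the /24 subnet assumption are constructed for the example. One caveat worth keeping in mind when reading the counters afterwards: the FORWARD chain only sees packets the router routes between interfaces or subnets, while two stations on the same SSID and subnet exchange frames at layer 2, which is exactly where the AP's client isolation setting acts, so rules of this shape govern the cross-VLAN case rather than traffic that isolation drops before it reaches the router's IP stack.

```shell
#!/bin/sh
# Added example (not the poster's code, not YazFi's): emit an idempotent two-way
# pinhole between one phone and one IoT device on the same YazFi guest interface.
# YazFiFORWARD, wl0.2 and 192.168.3.144 come from the post; DEVICE_IP is constructed.

# Print "yes" if two IPv4 addresses share the same /24, else "no".
# Assumption: YazFi guest networks here use /24 subnets.
in_same_24() {
    [ "${1%.*}" = "${2%.*}" ] && echo yes || echo no
}

# Print the iptables commands (one per line) instead of running them, so they
# can be reviewed and then piped to sh on the router. Each rule is guarded by
# `iptables -C` so re-running a firewall-start script does not add duplicates.
pinhole_rules() {
    phone=$1; device=$2; ifc=$3; chain=$4
    guard="iptables -C $chain"
    add="iptables -I $chain"
    # Reply packets belonging to flows accepted by the NEW rules below.
    spec="-i $ifc -o $ifc -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$guard $spec 2>/dev/null || $add $spec"
    # New connections only between the two named hosts, in both directions.
    spec="-i $ifc -o $ifc -s $phone -d $device -m state --state NEW -j ACCEPT"
    echo "$guard $spec 2>/dev/null || $add $spec"
    spec="-i $ifc -o $ifc -s $device -d $phone -m state --state NEW -j ACCEPT"
    echo "$guard $spec 2>/dev/null || $add $spec"
}

PHONE_IP=192.168.3.144
DEVICE_IP=192.168.3.50   # constructed sample address for the single IoT device
GUEST_IF=wl0.2
CHAIN=YazFiFORWARD

# Only generate rules for the intra-network pair; otherwise explain and stop.
if [ "$(in_same_24 "$PHONE_IP" "$DEVICE_IP")" = yes ]; then
    pinhole_rules "$PHONE_IP" "$DEVICE_IP" "$GUEST_IF" "$CHAIN"
else
    echo "addresses are not on the same /24; not the intra-network case" >&2
fi
```

Running the script prints three guarded `iptables` lines; review them, then pipe the output to `sh` on the router (or place the calls in whatever script YazFi re-runs when the firewall restarts). After a connection attempt, `iptables -L YazFiFORWARD -v -n` shows whether the NEW rules ever matched; zero counters on both directions mean the traffic is not being routed through the chain at all.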