I will insert one last question for the moment, though, regarding the merlin version. Is the redirect logic intelligent enough that if the NTP server on the router were to fail for any reason, that it would stop redirecting, so that client requests would then be passed on to the upstream NTP servers (pool.ntp.org or whatever?). Makes a big difference in how I would configure my clients.

I would normally assume that it was intelligent enough to stop redirecting if the NTP server failed, but on another board I'm talking with someone who has seen these implementations elsewhere that says that, on that at least, the two things were separate and redirecting would go on even when ntp server had failed for some reason.
 
I installed YazFi in the first place because my guest network, being a different subnet, could not access my DNS servers on my main intranet subnet.

If I can tell YazFi to cross the subnet boundary and access my dns servers on the different subnet, by using the different subnet 192.168.x.x, that's cool, didn't know it could do that as well (I mean, the whole point of guest network is isolation from the main network, so being able to easily hop over and access that intranet for DNS isn't exactly intuitive). Or do you have to leave intranet access from the guest network on to accomplish that? Again, that would seem to me to obviate the point.
Note the YazFi features:
Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:
  • Dedicated VPN WiFi networks
  • Separate subnets for organisation of devices
  • Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
  • Allow guest networks to make use of pixelserv-tls (if installed)
  • Allow guests to use a local DNS server
  • Extend DNS Filter to guest networks
Generally it's always a good idea to read up on what an add-on actually does and what its features are before installing it.
PS: And note the YazFi Wiki:
https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-PiHole-and-Reverse-DNS-records
Note: bold emphasis mine in bulleted list above.
With YazFi custom firewall scripting one can open up additional pinholes to other local network services or clients. Use the forum search feature to find the many other posts and discussions about using YazFi; including how to open up specific LAN client to YazFi client communications.
https://github.com/jackyaz/YazFi?tab=readme-ov-file#custom-firewall-rules
 
You just installed custom firmware and jumped into customizations right away with questions about must-have stuff. Everything you see in AMTM is optional, nothing is must-have. Some folks run scripts, some don't. It's a matter of personal choice based on specific needs.

The main rule to follow is this:

don't install stuff just because other people do

If you want to try regardless and after you read what and how the scripts do, follow this advice:

Then install each one, one at a time, testing after install to ensure it works as you expected before you go installing another add-on.

Good luck!
 
@Qwinn if you are on here long enough you'll realise that there are a few on here that are well aware they can be insufferable.
My adventure started with an adult family member with behavioural issues who used to regularly download software infected with trojans and viri, and then every few weeks I'd have to wipe their laptop afresh. So like you, I ended up with a redundant pair of Pi 4 running PiHole which pretty much cleared the issue. Now though I just run Diversion, some custom DDNS, and a couple of basic scripts. I'm still playing with my SBCs, but setting up Diversion is easier (I'm lazy that way) than setting up PiHole and it's never failed me yet!
 
Eh, I'm not running my pihole/unbounds on Pis. I just installed them on two relatively powerful boxes (10th gen i9s) running ubuntu/linux mint that I have doing other things. The impact/footprint on those boxes is totally negligible. And I found the install/setup to be exceedingly simple, though I can see it being harder if you're doing it on a pi. I like the pihole interface and see no real downside to just keeping them there forever. Also, pihole 6 will hopefully be released *someday* (been in development for like 5 years now?) and it seems to have some nice features I'm looking forward to.

If I may ask, what advantage is there to a custom DDNS? I do need a DDNS, but currently just using the standard asuscomm.com DDNS provided by the router. Only fault I ever found in it was sometimes it didn't update right away, hoping vanilla merlin helps with that.
 
it seems to have some nice features I'm looking forward to

You may want to take a look at AdGuard Home, perhaps it already has what you are looking for.


I was running it on Ubuntu Server + Unbound test setup some time ago and it was pleasant experience.
 
Thanks for the suggestion. I have looked at AdGuard Home, it does look pretty good and if pihole didn't exist I'd probably go with it - but, my understanding is that if you enable AdGuard filters, it does communicate your queries to AdGuard's own servers (something about sending URL hashes for verification), so it is inferior from a privacy perspective. Only way I know of to really get to where ONLY your ISP (or a VPN, if you prefer that) sees your history is pihole.
 
If you don't enable optional AdGuard Safe Browsing - it uses local blocklists only.
 
Hmmm, okay, but then does it provide an easy means for regular automated updating of the local blocklists, like pihole does? If so, then yes, I'd see it as a viable alternative.
 
Yes, on user selected intervals. What I personally liked is modern looking GUI with easier to navigate settings, built in DoT/DoH/DoQ etc. for whoever prefers upstream resolver, DoT/DoH to clients if you like, nice stats with lots of info about queries, enough client configuration options. Take a look.
 
