RT-AX88U Pro Blocking Internet Access

On my AC86U, I have YazFi, but it has this issue where if I disable Internet access, I cannot control the IoT devices using their respective apps if my iPhone is connected to the main Wifi network. I know this is a limitation of YazFi.
It is possibly or even likely a limitation of the IoT device itself and not YazFi. It is possible the IoT may require internet access for the IoT device's app to have access to the IoT device. Shut off internet access for the IoT device, and the IoT app on other WiFi clients cannot connect to that IoT device.

You can always open up main LAN/WiFi access to specific YazFi clients using the YazFi custom firewall rules scripting.
https://github.com/jackyaz/YazFi?tab=readme-ov-file#custom-firewall-rules
See my post here for some examples of YazFi custom scripting to allow traffic between main LAN clients and YazFi clients:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
 
Yeah I remember going through this last year. The issue is, the IoTs work fine without Internet access (LAN only) when connected to the main wifi network. It's only when using a vlan where the issue is. If they connect to any other Wifi Network that is not the main, then Internet access has to be enabled for them to be accessible via LAN.
 
It is possibly or even likely a limitation of the IoT device itself and not YazFi
This is most likely what it is because the wireless security cameras that are connected to the same wifi network as the IoTs work fine without Internet access.
I guess the only fix is to have the IoT devices connect to the main wifi network and then block internet access via Parental Controls, which is how I had them on the AC86U.
 
Personally I went back to 3004.388.x and YazFi after I experimented with Guest Network Pro/3006.x stock Asus firmware on a RT-AX86U Pro. Didn't like some of the limitations of the Guest Network Pro options/features. Whole thing felt like it was still in beta when trying to use Guest Network Pro to segment my IoT devices similar to how I had with YazFi under Asus-Merlin. At least with Asus-Merlin + YazFi one has a lot more control over their guest WiFi network.

As previously indicated, with YazFi's custom firewall rules one can exercise more granular custom control to suit one's specific needs. One can likely even use custom firewall rules to block internet access by individual client if they wanted to. And as already indicated one can set up pinholes for local main LAN clients to access YazFi clients if needed.
 
I'm having too many issues with this Router. DNS Director doesn't work properly.
I use Pihole as my DNS server and I set it up exactly as it was on my AC86U.

I added the pihole DNS IP in the LAN DHCP, but if I select "Router" as the global setting in DNS Director, it breaks the connection.
I have to add devices as "No direction" in order for them to get internet access.

Yes, Pihole is working fine because those same devices listed under "No direction" have the Pihole IP manually configured on the device itself.
Something is wrong and I can't figure out what it is. The settings are exactly as before, just a different router. Pihole was not touched.

If I turn off DNS Director, then all clients get internet access using Pihole.

Is there an issue with DNS Director for this router?

 

This is the classic result of making DNS too complicated!

There are TOO MANY options. We have numerous DNS settings in the WAN (DoH, DoT, Stubby, etc.). We have DNS overrides w/ the DHCP server. We have ppl using pihole or Unbound. We have VPNs w/ their own DNS behavior (Disabled, Strict, Exclusive, etc.), which also varies behavior depending on whether you do or don't use the VPN Director. We have Diversion and other ad-blockers. We now have the lovely DNS Director. We've reached the point where we're now managing DNS on a per client basis. It's crazy!

How did something as basic as name resolution get this complicated?

The darn thing is so complicated, so brittle, that the behavior changes from release to release.

Ugg.

As best as I can tell from your post, the problem is that you've configured the DNS Director w/ 8.8.8.8 (why you did that multiple times, I don't understand). Since it's Global, it means it's enforced everywhere.

You also configured DNS on the LAN w/ DHCP to point to the pihole. Normally, that would be sufficient to get all your DHCP clients using the pihole. But since you configured the DNS Director as you did, you effectively nullified your DHCP changes, and then attempted to unnullify those changes w/ exceptions on the same DNS Director!

I've said it a million times. The DNS on these routers has gotten too complicated. Users are constantly getting in trouble because they don't understand the contradictions inherent in certain settings. It's one of the reasons I do NOT use any of this stuff. No pihole, no Unbound, no nothing. I'm old school ISP DNS. It avoids all these headaches.
 
@eibgrad The issue was resolved. I forgot to exclude the Pihole server. But as far as the Google DNS, those are added by default, not by me.
DNS Director issue is now resolved.

With regards to the blocking, I just ended up adding those IoT devices to the main wifi Network and blocked Internet access using Parental Controls as I used to have it before.
I guess it's an issue with these IoTs that for some reason do not work when they are on a different subnet and Internet is disabled.
 
