YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[TheUntouchable]

No reason it won't work! Either not tested, or it has been and I neglected to update the list

Hehe, I will try it hopefully this afternoon and give you a short feedback

 

[Jack Yaz]

v2.3.3 is available

Changelog:

• Implement DNS Filter for guest networks
• Config file moved to /jffs/configs/YazFi/YazFi.config
• New settings added, preparation for upcoming LAN access

To update:

/jffs/scripts/YazFi update

This release brings the need for an updated config file, which can be downloaded from here: https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi.config

Alternatively running

/jffs/scripts/YazFi install

will grab a blank file for you to migrate your settings over.

While I have endeavoured to ensure settings are not lost, I highly recommend making a backup of your config file before updating

cp /jffs/configs/YazFi.config /jffs/configs/YazFi.config.prev

 

[esco]

Not sure if this is related to latest Merlin's FW or YazFi update (performed both within a short period) but the list of rules for routing via VPN was empty except the guest network subnet, I had to manually set all the IP's again.

 

[Jack Yaz]

Not sure if this is related to latest Merlin's FW or YazFi update (performed both within a short period) but the list of rules for routing via VPN was empty except the guest network subnet, I had to manually set all the IP's again.

That actually happened to me recently, I didn't have YazFi configured at the time (had recently moved from 87U to 86U). Which router and f/w?

EDIT: Please check rules persist across reboots

 

[esco]

Just rebooted my 86U (384.8_2) and the rules persist, anyway many thanks for this nice script.

 

[Peter jS]

Just bought an Asus RT-AC86U and installed Merlin to get the additional IP subnet isolation feature on guest networks. I ran your script ran without issue and my wireless devices are now able to access the internet as desired. Can you tell why I cannot see any information re the guest networks in the Merlin GUI or the clients on the guest networks? The only clients I can see any information on are the wired clients. Is this the way it is supposed to work? Is there any way I see more information on the VLANs used for each subnet?

I am new to Merlin, used to use Tomato but ran into performance issues when my ISP increased downloads to 600 Mbps. I could only get the speed by enabling cut-through-forwarding and lost all reporting capabilities.

Merlin Firmware: 384.8_2

 

[HuskyHerder]

It's an ASUS thing, the list only displays the IP address set, of /24
https://www.snbforums.com/threads/rt-ac5300-performance-security-guide.45710/#post-413315
https://www.snbforums.com/threads/client-status-hard-coded-for-24-bit-subnets.20668/

As for cut through, thats the same way it is for me. I am not the one to explain this.

 

[Peter jS]

If I do a ifconfig in a SSH session, all of my subnets are /24 bit so the clients should show in the GUI, correct?

 

[Peter jS]

Sorry, just got what you meant by /24. The first 3 Octets of the subnet have to match the base router IP subnet for the Asus GUI to show the clients

 

[Peter jS]

Sorry, I forgot to ask can I join a wired port (say port 4) to one of the wireless subnets. In tomato, I could create multiple bridges, vlans and associate virtual wireless interfaces and wired ports to specific subnets

 

[Jack Yaz]

Sorry, just got what you meant by /24. The first 3 Octets of the subnet have to match the base router IP subnet for the Asus GUI to show the clients

You can run

/jffs/scripts/YazFi status

for a list of currently connected clients.

 

[Jack Yaz]

Sorry, I forgot to ask can I join a wired port (say port 4) to one of the wireless subnets. In tomato, I could create multiple bridges, vlans and associate virtual wireless interfaces and wired ports to specific subnets

Not with how YazFi works currently. The guest interfaces are technically still part of the default bridge, but effectively firewalled off. This was to save messing with new bridges and updating EAPD etc. for wireless authentication.

 

[Jack Yaz]

I have managed to get it to work correctly, my solution below.

The only problem I can see is that at startup because the wifi is activated but not the DHCP then devices can connect but will not be assigned an IP, and some devices might use a fallback IP configuration or disable autoconnect for that wifi network.

Delay DHCP Startup
Whe the router starts the DHCP is, if enabled, running on the br0 interface and if a device connects to a guest network before the YazFi script has finished it will be assigned a IP configuration for the main network.

The solution for this problem is to enable DHCP for all interfaces first after the YazFi script has finished.

1. Disable DHCP for all interfaces by adding no-dhcp-interface for br0 and all the guest networks to dnsmasq.conf.add, for example:
   

   no-dhcp-interface=br0
   no-dhcp-interface=wl0.1
   no-dhcp-interface=wl0.2

   
   
2. Modify dnsmasq.postconf so that it deletes the no-dhcp-interface lines added by dnsmasq.conf.add above if the YazFi script has finished:
   

   #!/bin/sh
   CONFIG=$1
   source /usr/sbin/helper.sh
   
   FILE=/tmp/0-enable-dhcp
   if [ -f "$FILE" ]; then
      logger -t "$(basename $0)[$$]:" "enabling dhcp"
      pc_delete "no-dhcp-interface=br0" $CONFIG
      pc_delete "no-dhcp-interface=wl0.1" $CONFIG
      pc_delete "no-dhcp-interface=wl0.2" $CONFIG
   fi

   
   
3. Modify the YazFi script to signal dnsmasq.postconf to enable DHCP and then restart dnsmasq after all networks have been configured:
   

   if [ -z "$1" ]; then
      Check_Lock
      Print_Output "true" "YazFi $YAZFI_VERSION starting up"
      Config_Networks
   
      touch /tmp/0-enable-dhcp
      service restart_dnsmasq
   
      exit 0
   fi

@carloskar and @orion44 is this solution still working for you? If so, I've had a go at implementing it in the testing branch of YazFi - let me know if you'd like to try it

 

[Toddimus]

I have read through most of this thread but I may have missed it...
Let me tell you what I want to do and let me know if there's any way to do it (my searching says it isn't possible, but I wanted to ask the gurus around here):

I want to use my three ASUS routers (2x RT-AC87U and RT-AC86U) in access point mode as (you guessed it) access points. They will be connected to my new Ubiquiti Edgerouter 12 and in the future (proper L3 capable switch) Edgeswitches. The goal is to separate and isolate trusted private, guest and IoT traffic. From what I've read, the 87U routers do support VLANs to some degree using roboconfig but the 86U router doesn't. I assume this is a limitation of the Broadcom and/or firmware setups. I want to figure out a way around this. Ultimately, I will end up with a L3 switch (EdgeSwitch 16 or 24?) between my access points (ASUS routers in AP mode) and my new router, an Edgerouter 12 from Ubiquiti. My main question is regarding VLANs... seems the ASUS routers don't play nice when it comes to VLANs.

Has anyone successfully set up ASUS routers as access points with an L2 or L3 switch that uses VLANs to separate guest (or IoT) traffic from private LAN traffic? Here's a version of my proposed (interim until I get a proper L3 swithc between the router and the rest of the system) topology:

What I'd like is to be able to have the Edgerouter convert the combined 10.0.A.X and 10.0.D.X into VLANs. Since the APs can't natively add VLAN tags, I want to do it upstream. The thought is to use YasFi to create separate subnets (i.e. 10.0.10.X and 10.0.40.X) and have the L3 switch or Edgerouter 12 in this case, take those subnets and assign them to VLANs.

I hope this makes sense and I'm not barking up the wrong tree here. I assume this might have been the original intent of Jack Yaz and his script. You ended up with subnets instead of VLANs and I want to know if this has the intended consequences or not. I just fig'ered throw it out to the crowd to see if anything sticks.
Thanks in advance for any insight or help!

 

[Jack Yaz]

I have read through most of this thread but I may have missed it...
Let me tell you what I want to do and let me know if there's any way to do it (my searching says it isn't possible, but I wanted to ask the gurus around here):

I want to use my three ASUS routers (2x RT-AC87U and RT-AC86U) in access point mode as (you guessed it) access points. They will be connected to my new Ubiquiti Edgerouter 12 and in the future (proper L3 capable switch) Edgeswitches. The goal is to separate and isolate trusted private, guest and IoT traffic. From what I've read, the 87U routers do support VLANs to some degree using roboconfig but the 86U router doesn't. I assume this is a limitation of the Broadcom and/or firmware setups. I want to figure out a way around this. Ultimately, I will end up with a L3 switch (EdgeSwitch 16 or 24?) between my access points (ASUS routers in AP mode) and my new router, an Edgerouter 12 from Ubiquiti. My main question is regarding VLANs... seems the ASUS routers don't play nice when it comes to VLANs.

Has anyone successfully set up ASUS routers as access points with an L2 or L3 switch that uses VLANs to separate guest (or IoT) traffic from private LAN traffic? Here's a version of my proposed (interim until I get a proper L3 swithc between the router and the rest of the system) topology:

What I'd like is to be able to have the Edgerouter convert the combined 10.0.A.X and 10.0.D.X into VLANs. Since the APs can't natively add VLAN tags, I want to do it upstream. The thought is to use YasFi to create separate subnets (i.e. 10.0.10.X and 10.0.40.X) and have the L3 switch or Edgerouter 12 in this case, take those subnets and assign them to VLANs.

I hope this makes sense and I'm not barking up the wrong tree here. I assume this might have been the original intent of Jack Yaz and his script. You ended up with subnets instead of VLANs and I want to know if this has the intended consequences or not. I just fig'ered throw it out to the crowd to see if anything sticks.
Thanks in advance for any insight or help!

Unfortunately YazFi won't help here - the guests are given subnets using DHCP, which won't be running in AP mode. Your best bet is to buy APs with proper VLAN support. It likely can be achieved with robocfg (non-HND) but the port configuration varies from model to model

 

[Toddimus]

Unfortunately YazFi won't help here - the guests are given subnets using DHCP, which won't be running in AP mode. Your best bet is to buy APs with proper VLAN support. It likely can be achieved with robocfg (non-HND) but the port configuration varies from model to model

Thanks Jack, that's what I was afraid of.

 

[Toddimus]

Doing a bit more research, it looks like VLANs might be possible using some CLI commands. The question is, is it worth the time to figure it out or do I just bite the bullet and buy Unifi APs?
@Fitz Mutch found a possible solution. I'm starting to look into it:
https://www.snbforums.com/threads/rt-ac86u-vlans-how-to-do-it.44279/

Here's what shows up when I navigate to the /bin directory on the AC86 and enter the "vlanctl" command (Note that I had to cut out a bunch of the lines because the forum won't let me post more than 10000 characters):

MYUSERNAME@RT-AC86U:/bin# vlanctl


VLAN Control Utility:

::: Usage:

vlanctl

        --if <if_name> Sets the target Interface of a composite vlanctl command to <if_name>.

        --rx Sets the direction of a composite vlanctl command to RECEIVE

        --tx Sets the direction of a composite vlanctl command to TRANSMIT

        --tags <nbr_of_tags> Sets the number of tags of a composite vlanctl command to <nbr_of_tags>

        --if-create <real_if_name> <if_index> Creates a new VOPI named <real_if_name>.v<if_index> and attaches it to the real device
         <real_if_name>. For instance, if this command were executed for the eth0 real interface and the VOPI interface index were
         set to 3, the resulting interface would have been named eth0.v3.

        --if-create-name <real_if_name> <vlan_if_name> Creates a new VOPI named <vlan_if_name> and attaches it to the real device

        --if-delete <vlan_if_name> Destroy the VOPI named <vlan_if_name>.

        --rule-append Inserts a new Tagging Rule as the last rule of the specified Tagging Rule Table. Dependencies: --if, --rx or
         --tx, and --tags.

        --rule-insert-before <rule-id> Inserts a new Tagging Rule before the Tagging Rule whose identifier matches <rule-id> in the
        specified Tagging Rule Table. Dependencies: --if, --rx or --tx, and --tags.

        --rule-insert-after <rule-id> Inserts a new Tagging Rule after the Tagging Rule whose identifier matches <rule-id> in the
        specified Tagging Rule Table. Dependencies: --if, --rx or --tx, and --tags.

        --rule-remove <rule-id> Removes the Tagging Rule that matches <rule-id> from the specified Tagging Rule Table. Dependencies:
        --if, --rx or --tx, and --tags.

        --rule-remove-all <real_if_name> <vlan_if_name> Removes all the Tagging Rules for the vlan device.

        --show-table Lists all Tagging Rules stored in the specified Tagging Rule Table. Dependencies: --if, --rx or --tx, and
        --tags.

        --default-tpid <tpid> Sets the default TPID value of a tagging rule table to <tpid>. When a table is created, its default
        TPID value is set to 0x8100. Dependencies: --if, --rx or --tx, and --tags.

        --default-pbits <pbits> Sets the default PBITS value of a tagging rule table to <pbits>. When a table is created, its
        default PBITS value is set to 0. Dependencies: --if, --rx or --tx, and --tags.

        --default-cfi <cfi> Sets the default CFI value of a tagging rule table to <cfi>. When a table is created, its default CFI
        value is set to 0. Dependencies: --if, --rx or --tx, and --tags.

        --default-vid <vid> Sets the default VID value of a tagging rule table to <vid>. When a table is created, its default VID
        value is set to 1 (as per IEEE 802.1Q). Dependencies: --if, --rx or --tx, and --tags.
...
TRUNCATED HERE BECAUSE THE FORUM WON'T LET ME POST OVER 10000 CHARACTERS
...
        --rule-type <type> set the type of rule. 0: flow; 1: qos;

        --create-flows <rx_vlan_ifname> <tx_vlan_ifname> Setup vlan flows for the path (rx_vlan_ifname->tx_vlan_ifname).

        --delete-flows <rx_vlan_ifname> <tx_vlan_ifname> Remove vlan flows for the path (rx_vlan_ifname->tx_vlan_ifname).

 

[preacher65]

To enable:

/jffs/scripts/YazFi blockdchp

To disable:

/jffs/scripts/YazFi unblockdchp

Hi Jack, just thought I'd point out a typo in the above commands, dhcp is "dchp", it took me a while to notice and I couldn't figure out why they weren't working.

 

[Jack Yaz]

Hi Jack, just thought I'd point out a typo in the above commands, dhcp is "dchp", it took me a while to notice and I couldn't figure out why they weren't working.

Good spot - I'll admit I had stared at "DHCP" for about 3 hours at that point, I'd gone a bit blind

 

[preacher65]

Good spot - I'll admit I had stared at "DHCP" for about 3 hours at that point, I'd gone a bit blind

Easily done.
I have a device that's sometimes getting an address from the main DHCP pool while connected to a guest network, I'm not sure if it's the same issue as @carloskar and @orion44 but happy to test a version with the built-in fix if you'd like.
If I manually disconnect and reconnect it's fine, and on a router reboot it seems to be okay, but if I modify the guest wifi, which I assume restarts the interfaces and some services, then I get an IP address from the main DHCP scope for that client even though it's on guest network 1.