YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

Thanks again for the great script @Jack Yaz, the UI functionality is a great add!

Quick question: Do the YazFi settings persist after a router reboot, or does the config file need to be manually reprocessed after a reboot?

The settings will be reapplied on reboot via the firewall-start script

 

[JohnSmith]

Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.

 

[Jack Yaz]

Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.

Good point, I'll add that

 

[Zonkd]

Before I try setup of YazFi and Stubby for the first time, are there any known compatibility issues? Could they conflict with how YazFi and Stubby both are able to force redirecting client DNS queries?

 

[cmkelley]

Before I try setup of YazFi and Stubby for the first time, are there any known compatibility issues? Could they conflict with how YazFi and Stubby both are able to force redirecting client DNS queries?

I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned.

 

[Zonkd]

I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned.

Thanks for confirming this.

 

[Zonkd]

I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned.

Do you use Skynet? I wonder if Skynet will still be able to do blocking for IoT clients connected to a YazGi guest network. Can you confirm?

Edit: I use Skynet to block 1 of my IoT clients (on the guest network) from using any port except 443.

 

[cmkelley]

Do you use Skynet? I wonder if Skynet will still be able to do blocking for IoT clients connected to a YazGi guest network. Can you confirm?

Edit: I use Skynet to block 1 of my IoT clients (on the guest network) from using any port except 443.

I use Skynet, but I have no IoT clients anywhere. If you look at my signature you can see all the scripts I run.

 

[Zonkd]

I use Skynet, but I have no IoT clients anywhere. If you look at my signature you can see all the scripts I run.

Sorry didn't think to read the sig.

Hoping someone may know if the Skynet Ban Devices option will work for YazFi guest clients? The feature is not exclusively for IoT devices. As seen below you can specify a private IP address of any client to block it's internet access.

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 11

Select Setting To Toggle:
[1]  --> Autoupdate            | [Enabled]                   
[2]  --> Banmalware            | [daily]                     
[3]  --> Debug Mode            | [Enabled]                   
[4]  --> Filter Traffic        | [all]                       
[5]  --> Unban PrivateIP       | [Enabled]                   
[6]  --> Log Invalid Packets   | [Enabled]                   
[7]  --> Ban AiProtect         | [Enabled]                   
[8]  --> Secure Mode           | [Enabled]                   
[9]  --> Fast Switch           | [Disabled]                   
[10] --> Syslog Location       | [Default]                   
[11] --> IOT Blocking          | [Disabled]                   

[1-11]: 11

Select IOT Option:
[1]  --> Unban Devices
[2]  --> Ban Devices
[3]  --> List Blocked Devices
[4]  --> Add Custom Allowed Ports
[5]  --> Reset Custom Port List
[6]  --> Select Allowed Protocols

[1-6]: 2

Input Local IP(s) To Ban:
Seperate Multiple Addresses With A Comma

[IP]: 192.168.x.x

 

[Jack Yaz]

Sorry didn't think to read the sig.

Hoping someone may know if the Skynet Ban Devices option will work for YazFi guest clients? The feature is not exclusively for IoT devices. As seen below you can specify a private IP address of any client to block it's internet access.

Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 11

Select Setting To Toggle:
[1]  --> Autoupdate            | [Enabled]                  
[2]  --> Banmalware            | [daily]                    
[3]  --> Debug Mode            | [Enabled]                  
[4]  --> Filter Traffic        | [all]                      
[5]  --> Unban PrivateIP       | [Enabled]                  
[6]  --> Log Invalid Packets   | [Enabled]                  
[7]  --> Ban AiProtect         | [Enabled]                  
[8]  --> Secure Mode           | [Enabled]                  
[9]  --> Fast Switch           | [Disabled]                  
[10] --> Syslog Location       | [Default]                  
[11] --> IOT Blocking          | [Disabled]                  

[1-11]: 11

Select IOT Option:
[1]  --> Unban Devices
[2]  --> Ban Devices
[3]  --> List Blocked Devices
[4]  --> Add Custom Allowed Ports
[5]  --> Reset Custom Port List
[6]  --> Select Allowed Protocols

[1-6]: 2

Input Local IP(s) To Ban:
Seperate Multiple Addresses With A Comma

[IP]: 192.168.x.x

It comes down to how the iptables rules are implemented. I think Skynet does banning in the raw table so will supercede the filter table where YazFi operates

 

[Jack Yaz]

Thanks for confirming this.

This is also a rule ordering

iptables -t nat -S PREROUTING

will show you which rules are processed, from to bottom

 

[Jack Yaz]

Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.

Added with v3.0.1

 

[Bubbagump210]

https://gist.githubusercontent.com/...9b6597f5d239869145e8b5ebcedf715597a78b7/YazFi

I tried using this which appears to be 2.3.10 and got the same behavior. I did a bit of digging and installed this:

https://raw.githubusercontent.com/jackyaz/YazFi/9230246d2627b37e544262403256e83fce5c2c79/YazFi

Which appears to be 2.3.8 and it has been working all day without an issue. So it appears something changed after 2.3.8 to cause the guests to fall offline.

 

[Jack Yaz]

I tried using this which appears to be 2.3.10 and got the same behavior. I did a bit of digging and installed this:

https://raw.githubusercontent.com/jackyaz/YazFi/9230246d2627b37e544262403256e83fce5c2c79/YazFi

Which appears to be 2.3.8 and it has been working all day without an issue. So it appears something changed after 2.3.8 to cause the guests to fall offline.

The main change was where the YazFi FORWARD rule got inserted: https://www.diffchecker.com/AhWNcQ8e
and a change to block all connections regardless of state

next time the network fails can you run

iptables -I INPUT -i wl0.1 -j LOG
iptables -I FORWARD -i wl0.1 -j LOG

(replace wl0.1 as required) and check syslog to see what traffic, if any, is logged

 

[Bubbagump210]

iptables -I INPUT -i wl0.1 -j LOG
iptables -I FORWARD -i wl0.1 -j LOG

(replace wl0.1 as required) and check syslog to see what traffic, if any, is logged

Here we go:

Feb 14 12:37:41 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30462 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:46 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30876 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:51 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30989 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:56 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=31025 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:38:01 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31367 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:06 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31457 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:11 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31954 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:16 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31996 DF PROTO=UDP SPT=42905 DPT=53 LEN=50

It appears the access to my PiHole on the private network is getting blocked.

Just to make sure I didn't screw the pooch, here is my config that I have used for all versions of YazFi.

wl01_ENABLED=true
wl01_IPADDR=192.168.180.0
wl01_DHCPSTART=50
wl01_DHCPEND=100
wl01_DNS1=192.168.178.5
wl01_DNS2=192.168.178.5
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=true

 

[bearever]

Here we go:

Feb 14 12:37:41 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30462 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:46 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30876 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:51 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30989 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:56 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=31025 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:38:01 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31367 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:06 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31457 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:11 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31954 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:16 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31996 DF PROTO=UDP SPT=42905 DPT=53 LEN=50

It appears the access to my PiHole on the private network is getting blocked.

Just to make sure I didn't screw the pooch, here is my config that I have used for all versions of YazFi.

wl01_ENABLED=true
wl01_IPADDR=192.168.180.0
wl01_DHCPSTART=50
wl01_DHCPEND=100
wl01_DNS1=192.168.178.5
wl01_DNS2=192.168.178.5
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=true

I am using Pihole too. Looks like clientislolation has to set to false.



Sent from my iPhone using Tapatalk Pro

 

[Jack Yaz]

I am using Pihole too. Looks like clientislolation has to set to false.



Sent from my iPhone using Tapatalk Pro

I wouldn't have thought that setting would have an impact on this issue but worth a go I suppose.

Are the devices able to ping say 8.8.8.8 if it is just DNS failing?

 

[Bubbagump210]

I wouldn't have thought that setting would have an impact on this issue but worth a go I suppose.

Are the devices able to ping say 8.8.8.8 if it is just DNS failing?

So I tried a few things. DNS fails. However, pings, SSH and HTTP to the internet works. After the testing, I have set wl01_CLIENTISOLATION to false to see what that does in the meantime.

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=47.491 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=36.655 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=221.526 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=139.665 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 36.655/111.334/221.526/75.163 ms
$ nslookup
> server 192.168.178.5
Default server: 192.168.178.5
Address: 192.168.178.5#53
> google.com
;; connection timed out; no servers could be reached
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> reddit.com
;; connection timed out; no servers could be reached
> exit

$ ssh 68.183.106.34
qwerty@68.183.106.34's password:
Last login: Sun Jan 27 14:12:14 2019 from cpe-75-187-52-188.columbus.res.rr.com

$ curl 68.183.106.34
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>

EDIT: wl01_CLIENTISOLATION set to false shows the same behavior. Think that is a red herring.

 

[oldlady]

complete total newb here...

i have a 68u running Merlin 384.9. If I add this YazFi, will it help me protect my main network from IoT hackers? Right now these devices are on a guest network with "access intranet" off. I probably need to do more than that to secure my primary network. I was looking into other routers (ubiquiti) to manage vlans and such, but if not necessary, I'd just stay with my current router or move to a 86u.

please advise if I can protect my main network using some of the things the brilliant people here have created.. thanks

 

[SMS786]

complete total newb here...

i have a 68u running Merlin 384.9. If I add this YazFi, will it help me protect my main network from IoT hackers? Right now these devices are on a guest network with "access intranet" off. I probably need to do more than that to secure my primary network. I was looking into other routers (ubiquiti) to manage vlans and such, but if not necessary, I'd just stay with my current router or move to a 86u.

please advise if I can protect my main network using some of the things the brilliant people here have created.. thanks

As you mentioned, LAN client isolation on guest networks is already part of the stock Merlin firmware. But in the future if you would like your guest clients to take advantage of ad-blocking by pixelserv, or have custon VPN routing policies for your guest network clients, then YazFi would definitely make your life easier.