YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

So I tried a few things. DNS fails. However, pings, SSH and HTTP to the internet works. After the testing, I have set wl01_CLIENTISOLATION to false to see what that does in the meantime.

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=47.491 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=36.655 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=221.526 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=139.665 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 36.655/111.334/221.526/75.163 ms
$ nslookup
> server 192.168.178.5
Default server: 192.168.178.5
Address: 192.168.178.5#53
> google.com
;; connection timed out; no servers could be reached
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> reddit.com
;; connection timed out; no servers could be reached
> exit

$ ssh 68.183.106.34
qwerty@68.183.106.34's password:
Last login: Sun Jan 27 14:12:14 2019 from cpe-75-187-52-188.columbus.res.rr.com

$ curl 68.183.106.34
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>

EDIT: wl01_CLIENTISOLATION set to false shows the same behavior. Think that is a red herring.

I'm putting together an update to provide a Diagnostics option to dump out everything i need. Presumably the pi-hole device is still reachable from the main network when the guests fail?

 

[Bubbagump210]

I'm putting together an update to provide a Diagnostics option to dump out everything i need. Presumably the pi-hole device is still reachable from the main network when the guests fail?

Correct, the main LAN is unaffected and is quite happy.

 

[L&LD]

complete total newb here...

i have a 68u running Merlin 384.9. If I add this YazFi, will it help me protect my main network from IoT hackers? Right now these devices are on a guest network with "access intranet" off. I probably need to do more than that to secure my primary network. I was looking into other routers (ubiquiti) to manage vlans and such, but if not necessary, I'd just stay with my current router or move to a 86u.

please advise if I can protect my main network using some of the things the brilliant people here have created.. thanks

It may not be the last line of defense, but it will certainly trip up the code-babies.

For example, with YazFi, you can run your main network/router on 192.168.1.1. Your 2.4GHz guest network on 10.x.x.x and your 5GHz guest network on the 172.16.x.x to 172.31.x.x private IP range.

The following table is the private IP ranges we can use internally:

• 192.168.0.0 - 192.168.255.255 (65,536 IP addresses)
• 172.16.0.0 - 172.31.255.255 (1,048,576 IP addresses)
• 10.0.0.0 - 10.255.255.255 (16,777,216 IP addresses)

It would take a sophisticated hacker to jump from one network to another (assuming they even got access to one of them).

 

[Jack Yaz]

I can confirm that YazFi 3.0.0 works with the RT-AX88U with Merlin V384.9 Final as a Guest Wireless Network, and I did set client isolation to false, thanks Jack Yaz!

Good stuff, I'll update the list!

 

[TheUntouchable]

Hi Jack!

Just tried to create an IOT guest network for my chinese cam.. My configuration looks like that:

wl01_ENABLED=true
wl01_IPADDR=192.168.2.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=127.0.0.1
wl01_DNS2=127.0.0.1
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=2
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

I want that the clients in this network are also using my router with stuby to do dns things.

I can see that my cam is connected to that network:

INTERFACE: wl0.1
SSID: MB-WLAN_IOT

HOSTNAME IP ADDRESS MAC
? 192.168.2.110 XXX

But without hostname..?

Also I can't connect anymore to that cam if I am at my normal WLAN network or from the outside

Any hints?

 

[Jack Yaz]

Hi Jack!

Just tried to create an IOT guest network for my chinese cam.. My configuration looks like that:

wl01_ENABLED=true
wl01_IPADDR=192.168.2.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=127.0.0.1
wl01_DNS2=127.0.0.1
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=2
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

I want that the clients in this network are also using my router with stuby to do dns things.

I can see that my cam is connected to that network:

INTERFACE: wl0.1
SSID: MB-WLAN_IOT

HOSTNAME IP ADDRESS MAC
? 192.168.2.110 XXX

But without hostname..?

Also I can't connect anymore to that cam if I am at my normal WLAN network or from the outside

Any hints?

Hostnames are generated by arp - does

 arp -a

show the hostname?
If not, the IP camera might not be registering the hostname properly.

Setting DNS to 127.0.0.1 might not work (oversight on my part). Can you try replacing blanking out DNS 1 and 2 and re-running please? (I'm improving this in the next version)

 

[TheUntouchable]

Hostnames are generated by arp - does

 arp -a

show the hostname?
If not, the IP camera might not be registering the hostname properly.

Yeah youre right, arp -a also reports the "?" as hostname. Sadly I can't remember if it reported the hostename in the normal wlan as I have all network devices renamed

Setting DNS to 127.0.0.1 might not work (oversight on my part). Can you try replacing blanking out DNS 1 and 2 and re-running please? (I'm improving this in the next version)

Changed the dns to empty and I can confirm that DNS is working now as I have connected my laptop to the guest network. Sadly I can't reach that damn cam even after a reboot of it.. I can view and change the configuration of that cam with the corresponding app, but if i try to open the stream with it it tells me the network is busy..

EDIT: Just tried the same with my Xiaomi Smart Mi Air Humidifier and here everything works fine.. F*** china cams!

EDIT2: Omg.. Without any changes this piece of s*** is working now.. Nevermind and thanks a lot

 

[skeal]

@Jack Yaz This script is freaking awesome man!! I just got a IoT camera and it insists on WAN access, this really helps me sleep knowing if it gets hacked, they won't have access to my network. Nice work my friend!

 

[Jack Yaz]

YazFi v3.0.2 has been uploaded!

Changelog:

Add support for router IP running on addresses ending in non .1
Add diagnostics gathering option d to main menu

To update use option 3 in the YazFi menu

Thanks to @L&LD for testing YazFi on a router using .254 for it's LAN IP

 

[skeal]

Nice work Jack!! I have one issue that I came across, when configuring the script and entering the ip pool, if I use my number pad lets say to enter the number 3, it sends me into the script further instead of just entering the number 3. If I use the number keys at the top of the keyboard everything works fine. I am using Ubuntu though so I'm not sure if this is part of it. Again this is a cosmetic thing the script still works just fine. Thanks @Jack Yaz this script is awesome!!

 

[Jack Yaz]

Nice work Jack!! I have one issue that I came across, when configuring the script and entering the ip pool, if I use my number pad lets say to enter the number 3, it sends me into the script further instead of just entering the number 3. If I use the number keys at the top of the keyboard everything works fine. I am using Ubuntu though so I'm not sure if this is part of it. Again this is a cosmetic thing the script still works just fine. Thanks @Jack Yaz this script is awesome!!

I think that's just how nano works

 

[skeal]

I think that's just how nano works

Ahhh gotcha!! I haven't used nano in a long time, thanks for the explanation!

 

[Jack Yaz]

Ahhh gotcha!! I haven't used nano in a long time, thanks for the explanation!

Tell a lie, I can fix this by feeding nano the -K argument

 

[skeal]

I think that's just how nano works

Hey @Jack Yaz one last question, does the new network created by YazFi get any protection from things like; Skynet, or AI-Protection? I know Diversion won't work because of DNS, I was just wondering. Thanks again for the fantastic script, it's a great idea!

 

[Jack Yaz]

Hey @Jack Yaz one last question, does the new network created by YazFi get any protection from things like; Skynet, or AI-Protection? I know Diversion won't work because of DNS, I was just wondering. Thanks again for the fantastic script, it's a great idea!

If you point DNS to your router then you can use Diversion (and stubby, dnscrypt and pixelserv-tls for that matter). YazFi will open up only the relevant ports for those services.

Skynet filters on the raw table so will protect everything connected to the WAN, as far as I know, so you don't lose any protection on guests

 

[skeal]

If you point DNS to your router then you can use Diversion (and stubby, dnscrypt and pixelserv-tls for that matter). YazFi will open up only the relevant ports for those services.

Skynet filters on the raw table so will protect everything connected to the WAN, as far as I know, so you don't lose any protection on guests

Awesome Jack!!

 

[skeal]

If you point DNS to your router then you can use Diversion (and stubby, dnscrypt and pixelserv-tls for that matter). YazFi will open up only the relevant ports for those services.

Skynet filters on the raw table so will protect everything connected to the WAN, as far as I know, so you don't lose any protection on guests

Ok I'm still seeing adds on the new network. I have my router dns as dns1 and YazFi inserted a default for dns2. I have not restarted the script or the router yet. Any thoughts?

 

[Jack Yaz]

Ok I'm still seeing adds on the new network. I have my router dns as dns1 and YazFi inserted a default for dns2. I have not restarted the script or the router yet. Any thoughts?

Can you see the device's queries in Diversion's log trailing?
Also check the device's DHCP config (i.e. has it picked up the correct DNS?)

 

[skeal]

Can you see the device's queries in Diversion's log trailing?
Also check the device's DHCP config (i.e. has it picked up the correct DNS?)

No there are no entries with the new ip range, also if I follow the logs in skynet as they appear, using the ip as the filter, there are no entries there either.

 

[skeal]

Without access to lan I don't see how this would work. My ip of the device is 192.168.2.x the ip of my router is 192.168.x.1