YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

Following on from https://www.snbforums.com/threads/parental-controls.55490/#post-470938

I have started work on the ability to set a guest SSID and passphrase from within YazFi's menu. I'm also making it so you can randomly generate a passphrase. Would anyone here make use of scheduling a passphrase change, if I implement it, or is manually setting a new passphrase in the menu enough?

If automating, how would you prefer to be notified of a new passphrase?
 
> Following on from https://www.snbforums.com/threads/parental-controls.55490/#post-470938
>
> I have started work on the ability to set a guest SSID and passphrase from within YazFi's menu. I'm also making it so you can randomly generate a passphrase. Would anyone here make use of scheduling a passphrase change, if I implement it, or is manually setting a new passphrase in the menu enough?
>
> If automating, how would you prefer to be notified of a new passphrase?

Not sure I’d be able to make use of it, Jack: my wife’s iPad is the only device I allow on the guest wifi. (And no kids on the network. Ever.)
 
I'm looking into an option to disallow guests LAN access, with the exception of one LAN IP address/port (a LAN webserver at port 80). So guests only have outside internet access and to one local webserver.

Is this something that can be added or changed to your script? I guess ebtables is needed to bridge the GuestWifi to the IP of the webserver. And probably iptables to limit the port to 80.

ebtables -I FORWARD -p IPv4 -o $WIFI_IF --ip-src $PRINTER --ip-proto tcp -j ACCEPT
ebtables -I FORWARD -p IPv4 -i $WIFI_IF --ip-dst $PRINTER --ip-proto tcp -j ACCEPT
 
> I'm looking into an option to disallow guests LAN access, with the exception of one LAN IP address/port (a LAN webserver at port 80). So guests only have outside internet access and to one local webserver.
>
> Is this something that can be added or changed to your script? I guess ebtables is needed to bridge the GuestWifi to the IP of the webserver. And probably iptables to limit the port to 80.
>
> ebtables -I FORWARD -p IPv4 -o $WIFI_IF --ip-src $PRINTER --ip-proto tcp -j ACCEPT
> ebtables -I FORWARD -p IPv4 -i $WIFI_IF --ip-dst $PRINTER --ip-proto tcp -j ACCEPT

ebtables can be left as is in YazFi (since I force all traffic to be routed via iptables).
 
> ebtables can be left as is in YazFi (since I force all traffic to be routed via iptables).

Thanks for the pointer. I noticed while running your script that Google Home devices can't connect anymore. This could be related to iptables doing the routing, which might not be transparent for multicast.
 
> Thanks for the pointer. I noticed while running your script that Google Home devices can't connect anymore. This could be related to iptables doing the routing, which might not be transparent for multicast.

You would probably need to add a rule to allow the multicast address range 224.0.0.0/4.
 
> Supported Models
>
> All models supported by Asuswrt-Merlin. Models confirmed to work are below:
>   • RT-AC56U
>   • RT-AC66U
>   • RT-AC68U
>   • RT-AC86U
>   • RT-AC87U (2.4GHz guests only)
>   • RT-AC88U
>   • RT-AC3100
>   • RT-AC3200
>   • RT-AC5300
>   • RT-AX88U (clientisolation=false may be required)

Has anyone tried running YazFi on an ASUS RT-AC66U_B1? (using the RT-AC68U firmware v384.8_2)
 
> Has anyone tried running YazFi on an ASUS RT-AC66U_B1? (using the RT-AC68U firmware v384.8_2)

Should be straightforward as it is effectively a clone of the RT-AC68U's hardware.

Let us know how much you enjoy it. :)
 
Been reading through this thread trying to find an answer to this question. Is it possible for the guest clients to obtain a static/reserved IP address from the router's DHCP server rather than being confined to a new IP address range via the config file?

I see references to blockdhcp being superseded by bounceclients but no information (unless I missed it as I'm still reading through the thread) on how to use bounceclients.
 
> Been reading through this thread trying to find an answer to this question. Is it possible for the guest clients to obtain a static/reserved IP address from the router's DHCP server rather than being confined to a new IP address range via the config file?
>
> I see references to blockdhcp being superseded by bounceclients but no information (unless I missed it as I'm still reading through the thread) on how to use bounceclients.

This can be done via dnsmasq dhcp-host in /jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=00:24:e4:5f:00:00,192.168.66.110,Therm" $CONFIG
pc_append "dhcp-host=00:24:e4:00:00:00,192.168.66.111,Scale" $CONFIG
 
> This can be done via dnsmasq dhcp-host in /jffs/scripts/dnsmasq.postconf
> Code:
> #!/bin/sh
> CONFIG=$1
> source /usr/sbin/helper.sh
> pc_append "dhcp-host=00:24:e4:5f:00:00,192.168.66.110,Therm" $CONFIG
> pc_append "dhcp-host=00:24:e4:00:00:00,192.168.66.111,Scale" $CONFIG

Theoretically could you not also use the GUI? IIRC that just populates a text file that is read by dnsmasq.
 
> This can be done via dnsmasq dhcp-host in /jffs/scripts/dnsmasq.postconf

Thanks for the reply. Tried using the dnsmasq.postconf file with the appropriate IP addresses and MAC addresses, but am still doing something wrong. Rebooted the router and the devices with static IPs are still picking up different IP addresses (those set forth in the /jffs/configs/YazFi/YazFi.config file).
 
> Theoretically could you not also use the GUI? IIRC that just populates a text file that is read by dnsmasq.

(attached screenshot: YazFiDhcp.png)
 
> Thanks for the reply. Tried using the dnsmasq.postconf file with the appropriate IP addresses and MAC addresses, but am still doing something wrong. Rebooted the router and the devices with static IPs are still picking up different IP addresses (those set forth in the /jffs/configs/YazFi/YazFi.config file).

My recollection is that YazFi DHCP leases default to 12 hours, so you will not know for sure whether it worked until then. If you grep dhcp-host from /etc/dnsmasq.conf and you see MAC, IP and Hostname without typos, then it will probably work when the client requests a new lease after the old one expires.

Dnsmasq allows you to run a custom script each time a DHCP event occurs. I find this helpful so I wrote a script just to log the events to the syslog. There is another line in my dnsmasq.postconf for it.
Code:
pc_append "dhcp-script=/jffs/scripts/log-dhcp.sh" $CONFIG
Here is the script:
Code:
# cat /jffs/scripts/log-dhcp.sh
#!/bin/sh
myscriptname=$(/usr/bin/basename $0)
/usr/bin/logger -t ${myscriptname} -p local6.info "Action $1, MAC $2, IP_address $3, Hostname $4"
If you see an event with an Action of "old", the client is keeping its IP until lease expiration.

Postscript: I like the reserved DHCP IP addresses to be in the subnet of course, but outside of the pool. For example, my pool is from 192.168.66.10 to 192.168.66.99 (two digits), but my static reservations are three digit. I can tell from a glance what category an IP is.
Code:
wl01_ENABLED=true
wl01_IPADDR=192.168.66.0
wl01_DHCPSTART=10
wl01_DHCPEND=99
wl01_DNS1=192.168.66.1
wl01_DNS2=192.168.66.1
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true
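As an added example in the same spirit as the log-dhcp.sh above (my own code, not the poster's script or anything shipped with YazFi), here is a dhcp-script that does one thing more than logging: it looks the client's MAC up in the dhcp-host lines of the generated dnsmasq config and classifies each event as reserved, mismatch (a reserved client that got some other address, which is exactly the symptom being chased in this thread), unknown (no reservation at all) or release. The config path /etc/dnsmasq.conf comes from the thread; the DNSMASQ_CONF override, the log tag and the priority mapping are assumptions added here.

```shell
#!/bin/sh
# Added example, not the poster's or YazFi's script: a dnsmasq dhcp-script
# that logs each lease event and checks it against the dhcp-host
# reservations in the generated config.  dnsmasq runs it as
#   log-dhcp.sh <action> <MAC> <IP> [hostname]   with action add, old or del.

# Generated config to read reservations from; the thread shows it at
# /etc/dnsmasq.conf.  The DNSMASQ_CONF override is an assumption added here
# so the functions can be exercised off-router.
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"

# Print the reserved IP for a MAC (second field of "dhcp-host=MAC,IP,NAME"),
# or nothing if the MAC has no reservation.  MACs compare case-insensitively.
reserved_ip_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    grep -i "^dhcp-host=${mac}," "$DNSMASQ_CONF" 2>/dev/null | head -n 1 | cut -d, -f2
}

# Classify one event: reserved (known client on its reserved IP), mismatch
# (known client on some other IP), unknown (no reservation) or release
# (a "del").  Returns 1 for the two classes worth a closer look.
classify_lease() {
    action=$1; mac=$2; ip=$3
    if [ "$action" = "del" ]; then
        echo release
        return 0
    fi
    expected=$(reserved_ip_for_mac "$mac")
    if [ -z "$expected" ]; then
        echo unknown
        return 1
    elif [ "$expected" = "$ip" ]; then
        echo reserved
        return 0
    else
        echo mismatch
        return 1
    fi
}

# Syslog via logger where available (it is on the router), else stderr.
log_event() {
    prio=$1; shift
    if command -v logger >/dev/null 2>&1; then
        logger -t log-dhcp -p "local6.${prio}" "$*"
    else
        echo "[$prio] $*" >&2
    fi
}

# Entry point when dnsmasq invokes the script with its three or four arguments.
if [ $# -ge 3 ]; then
    class=$(classify_lease "$1" "$2" "$3")
    case $class in
        unknown|mismatch) prio=warning ;;
        *) prio=info ;;
    esac
    log_event "$prio" "Action $1, MAC $2, IP $3, Hostname ${4:-?}, class $class"
fi
```

A "mismatch" entry in the syslog right after a reboot tells you the client is still on its old lease (the "old" action case described above); one that persists past the lease time means dnsmasq never saw your dhcp-host line, so the postconf or its permissions are the place to look.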
 
> My recollection is that YazFi DHCP leases default to 12 hours, so you will not know for sure whether it worked until then. If you grep dhcp-host from /etc/dnsmasq.conf and you see MAC, IP and Hostname without typos, then it will probably work when the client requests a new lease after the old one expires.

Thanks for the information. It appears to be working now after some tweaking. :)

For others who want to do the same, here are the steps I used (there may be better/other ways) to set up static IP addresses for a single 2.4GHz and single 5GHz Guest WiFi network. Note this assumes one has created the Guest WiFi networks in the Asus Merlin administrator interface. Obviously have the YazFi script installed, configured and running properly with the guest WiFi clients connected to the guest WiFi network(s). And the below assumes you have an SSH connection to the Asus router.

Edit/create the dnsmasq.postconf file:
Code:
nano /jffs/scripts/dnsmasq.postconf

Add in the following code, with your guest client static IP address, MAC address and device name. In my case (in the example below) I have two static IP addresses. Add additional lines for additional static IP addresses. Note: Make sure to use the correct IP address range from the YazFi config file. In my case the main Asus router IP range is 192.168.2.x. The guest WiFi networks use ranges 192.168.3.x and 192.168.4.x respectively. Replace the "XX:XX:XX:XX:XX:XX" with the guest client MAC address.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.3.2,devicename" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.4.2,devicename" $CONFIG

Change the dnsmasq.postconf file permission so it can be run when the router is rebooted:
Code:
chmod +x /jffs/scripts/dnsmasq.postconf
Note: Failure to appropriately change the file permission will result in the dnsmasq.conf file not being updated with the guest static IP information.

Reboot the router.

After router reboot, one can check if the dnsmasq.conf file was updated with YazFi guest wifi static IPs (see end of file):
Code:
cat /etc/dnsmasq.conf

Troubleshooting:
Initially I ran into a problem (somehow) where the WiFi settings got corrupted on the Asus router when first working through setting up YazFi and trying to set a guest static IP. The router wired LAN network worked when I set a static IP address on a wired client, but wireless clients could not connect to WiFi. The workaround was to use a wired network client configured with a static IP address in the client OS and then edit the dnsmasq.conf file (if it is in error) to remove the YazFi content and YazFi guest static IP content and reboot the router:
Code:
nano /etc/dnsmasq.conf
If that doesn't work one may have to remove the YazFi script through the YazFi GUI and reboot the router. Then one can try the process again by installing the YazFi script and performing the actions previously detailed to set a guest static IP address.

Additional Notes:
The underlying reason for using YazFi was an Amazon Echo connected to the Guest WiFi failing to work properly when connected to an Asus router running Merlin firmware configured as follows: using Pi-Hole for DNS, "Advertise router's IP in addition to user-specified DNS" set to No, and the Guest WiFi "Access Intranet" setting set to Off for each guest network. The problem was the Echo couldn't run DNS requests through the Pi-Hole so the request would fail. While the initial YazFi script would allow the Echo to work properly when using local network DNS servers, I wanted the ability to set Guest WiFi devices to static IPs. The previously detailed steps above now allow the Echo to work properly with a static IP address and contact the local network Pi-Hole for DNS requests.

Hopefully this info will help others who faced a similar problem with a Guest WiFi device and static IPs.
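Both the dnsmasq.postconf given in the earlier answer and the step-by-step procedure just above append dhcp-host lines verbatim, and the note about using the correct IP range from the YazFi config is the point where things go wrong in practice: a reservation on the main-LAN subnet silently never applies, and a malformed line stops dnsmasq from starting, which takes DNS and DHCP down for every client, not just the guest network. Here is an added example of a postconf that validates each entry before appending it; it is my own code, not YazFi's or either poster's. It assumes the wlXX_IPADDR / wlXX_DHCPSTART / wlXX_DHCPEND meaning shown in the config excerpt above (a /24, pool bounds given as host numbers), uses helper.sh's pc_append when it exists and an equivalent plain append otherwise, and the MAC/IP/name values are constructed samples.

```shell
#!/bin/sh
# Added example, not YazFi's own code: a dnsmasq.postconf that appends
# dhcp-host reservations only after validating each one, so a typo or an
# address from the wrong guest subnet is logged and skipped instead of
# landing in /etc/dnsmasq.conf.
CONFIG=$1

# On the router, helper.sh provides pc_append; define an equivalent fallback
# so the functions below also run off-router (assumption: pc_append appends
# its first argument as a line to the file named by the second).
if [ -f /usr/sbin/helper.sh ]; then . /usr/sbin/helper.sh; fi
command -v pc_append >/dev/null 2>&1 || pc_append() { printf '%s\n' "$1" >> "$2"; }

# Six colon-separated hex pairs.
valid_mac() { printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; }

# Dotted quad with every octet 0..255.
valid_ip() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# The IP must sit in the /24 named by wlXX_IPADDR (e.g. 192.168.66.0) and its
# host number must fall outside wlXX_DHCPSTART..wlXX_DHCPEND, following the
# "pool 10-99, reservations above" convention from the thread.
in_subnet_outside_pool() {
    ip=$1; subnet=$2; start=$3; end=$4
    [ "${ip%.*}" = "${subnet%.*}" ] || return 1
    host=${ip##*.}
    [ "$host" -ge 1 ] && [ "$host" -le 254 ] || return 1
    if [ "$host" -ge "$start" ] && [ "$host" -le "$end" ]; then return 1; fi
    return 0
}

# Print the dhcp-host line for a reservation, or print nothing and return 1
# when any field is unacceptable (a comma or space in the name would corrupt
# the line, so those are rejected too).
reservation_line() {
    mac=$1; ip=$2; name=$3; subnet=$4; start=$5; end=$6
    case $name in ''|*,*|*[[:space:]]*) return 1 ;; esac
    valid_mac "$mac" || return 1
    valid_ip "$ip" || return 1
    in_subnet_outside_pool "$ip" "$subnet" "$start" "$end" || return 1
    printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
}

# Append one validated reservation to the config; returns 1 and appends
# nothing if it is rejected.
add_reservation() {
    line=$(reservation_line "$1" "$2" "$3" "$4" "$5" "$6") || return 1
    pc_append "$line" "$7"
}

# Only act when dnsmasq passes a config path (not when the file is sourced).
if [ -n "$CONFIG" ]; then
    # Constructed sample values: replace with your guest subnet, pool and clients.
    add_reservation 00:24:e4:5f:00:00 192.168.66.110 Therm 192.168.66.0 10 99 "$CONFIG" \
        || logger -t dnsmasq.postconf "rejected dhcp-host entry for Therm"
fi
```

The file still needs the execute bit the procedure mentions; the difference from the plain version is only that a rejected entry shows up as a syslog line instead of as a dnsmasq that will not start or a client that quietly keeps taking pool addresses.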
 