What's new

YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Thanks for the information. It appears to be working now after some tweaking. :)

For others who want to do the same, here are the steps I used (there may be better/other ways) to setup static IP addresses for a single 2.4GHz and single 5GHz Guest Wifi network. Note this assumes one has created the Guest WiFi networks in the Asus Merlin administrator interface. Obviously have the YazFi script installed, configured and running properly with the guest WiFi clients connected to the guest WiFi network(s). And the below assumes you have an SSH connection to the Asus router.

Edit/create the Dnsmasq.postconf file:
Code:
nano /jffs/scripts/dnsmasq.postconf

Add in the following code, with your guest client static IP address, MAC address and device name. In my case (in the example below) I have two static IP addresses. Add additional lines for additional static IP addresses. Note: Make sure to use the correct IP address range from the YazFi config file. In my case the main Asus router IP range is 192.168.2.x. The guest WiFi use ranges 192.168.3.x and 192.168.4.x respectively. Replace the "XX:XX:XX:XX:XX:XX" with the guest client MAC address.
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.3.2,devicename" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.4.2,devicename" $CONFIG

Change dnsmasq.postconf file permission so it can be run when the router is rebooted:
Code:
chmod +xxx /jffs/scripts/dnsmasq.postconf
Note: Failure to appropriately change the file permission will result in the Dnsmasq.conf file not being updated with the guest static IP information.

Reboot the router.

After router reboot, one can check if the Dnsmasq.conf file was updated with YazFi guest wifi static IP’s (see end of file):
Code:
cat /etc/dnsmasq.conf

Troubleshooting:
Initially I ran into a problem (somehow) where the WiFi settings got corrupted on the Asus router when first working through setting up YazFi and trying to set a guest static IP. The router wired LAN network worked when I set a static IP address on a wired client, but wireless clients could not connect to WiFi. The workaround was to use a wired network client configured with a static IP address in the client OS and then edit Dnsmasq.conf file if error to remove the YazFi content and YazFi guest static IP conetnt and reboot the router:
Code:
nano /etc/dnsmasq.conf
If that doesn't work one may have to remove the YazFi script through the YazFi GUI and reboot the router. Then one can try the process again by installing the YazFi script and performing the actions previously detailed to set a guest static IP address.

Additional Notes:
The underlying reason for using YazFi was due to an Amazon Echo connected to the Guest WiFi failing to work properly when connected to an Asus router running Merlin firmware that is configured; using Pi-Hole for DNS, Advertise router's IP in addition to user-specified DNS set to No, and the Guest WiFi Access Intranet setting set to Off for each guest network. The problem was the Echo couldn't run DNS requests through the Pi-Hole so the request would fail. The previously detailed steps above now allow the Echo to work properly and contact the local network Pi-Hole for DNS requests.

Hopefully this info will help others who faced a similar problem with a Guest WiFi device.
I smell a possible feature...
 
I smell a possible feature...
Possibly might help others who want a static IP address on the guest network. I was able to get the Amazon Echo to work without a static IP address, but wanted a static IP address to avoid guest network devices from changing IP addresses.

One potential downside for some however is the Merlin web interface doesn't list any of the devices connected to the guest IP networks since they are using a different IP subnet than the subnet handed out by the router's DHCP server.
 
Possibly might help others who want a static IP address on the guest network. I was able to get the Amazon Echo to work without a static IP address, but wanted a static IP address to avoid guest network devices from changing IP addresses.

One potential downside for some however is the Merlin web interface doesn't list any of the devices connected to the guest IP networks since they are using a different IP subnet than the subnet handed out by the router's DHCP server.
Right, they don't show up on the DHCP server tab, but they do show up on the DHCP leases tab. While dnsmasq is the only DHCP server for all subnets, the DHCP server tab is restricted to the primary subnet for the training wheel purpose of filtering out user errors.
 
but they do show up on the DHCP leases tab.
Ah forgot about that tab on the System Log page. Normally just do a quick check on the GUI's main page's "view list".
 
Let's not forget the status function in YazFi :D
No didn't forget about that :)
Was more concerned with the Merlin GUI (on the default main page) and having one place listing all attached clients. Will have to use the System Log > DHCP leases from now on.
Edit to add: Or maybe I'll just use a batch (.bat) file in Windows with Plink.
Code:
plink.exe -ssh -l <router login name> -pw <router password> <router IP address> cat /var/lib/misc/dnsmasq.leases

PAUSE
 
Last edited:
@Jack-yaz much thanks for your script. we're able to bind guest wifis to specific vpns. I've been using your script since YazFi.config. update to this new version yesterday when dropping by.
during update i saw that the old config file will be imported. great! all settings were retained. but.. it seems some new settings were missing? i couldn't find

wl01_LANACCESS
Should Guest Network traffic have unrestricted access to the LAN? (true/false)

wl01_CLIENTISOLATION
Should Guest Network radio prevent clients from talking to each other? (true/false)t

Edit: alright, upon manually adding the rules and applying, they appear in the list.
however, i cannot get my device to access my samba drive connected to my router.

Edit again: hmmpft... i didnt know i also have to set client isolation to false.. lmao. it works now..

also, is there no way to make guests connection from AP connected behind the Router routed thru the VPNs ? all guests networks on the AP are mirrored from the router if it matters

ok it seems adding routing rules is doing the trick.. gotta test more

-- -- -- -- -- -- -- -- -- -- -- --

Finally.. things seems to be working as intended now.
But.. one funny issue is .. why i hit apply settings..
all my connections failed validation. ,.. haha.. how so?

YazFi: YazFi v3.1.0 starting up
YazFi: wl01_IPADDR (192.168.5.0) has been used for another interface already
YazFi: wl01_FORCEDNS is blank, setting to false
YazFi: wl01_LANACCESS is blank, setting to false
YazFi: wl01_CLIENTISOLATION is blank, setting to true
YazFi: wl0.1 failed validation
YazFi: wl11_IPADDR (192.168.2.0) has been used for another interface already
YazFi: wl11_FORCEDNS is blank, setting to false
YazFi: wl1.1 failed validation
YazFi: wl12_IPADDR (192.168.3.0) has been used for another interface already
YazFi: wl12_FORCEDNS is blank, setting to false
YazFi: wl1.2 failed validation
YazFi: wl13_IPADDR (192.168.4.0) has been used for another interface already
YazFi: wl13_FORCEDNS is blank, setting to false
YazFi: wl13_LANACCESS is blank, setting to false
YazFi: wl13_CLIENTISOLATION is blank, setting to true
YazFi: wl1.3 failed validation​
 
Last edited:
@Jack-yaz much thanks for your script. we're able to bind guest wifis to specific vpns. I've been using your script since YazFi.config. update to this new version yesterday when dropping by.
during update i saw that the old config file will be imported. great! all settings were retained. but.. it seems some new settings were missing? i couldn't find

wl01_LANACCESS
Should Guest Network traffic have unrestricted access to the LAN? (true/false)

wl01_CLIENTISOLATION
Should Guest Network radio prevent clients from talking to each other? (true/false)t

Edit: alright, upon manually adding the rules and applying, they appear in the list.
however, i cannot get my device to access my samba drive connected to my router.

Edit again: hmmpft... i didnt know i also have to set client isolation to false.. lmao. it works now..

also, is there no way to make guests connection from AP connected behind the Router routed thru the VPNs ? all guests networks on the AP are mirrored from the router if it matters

ok it seems adding routing rules is doing the trick.. gotta test more

-- -- -- -- -- -- -- -- -- -- -- --

Finally.. things seems to be working as intended now.
But.. one funny issue is .. why i hit apply settings..
all my connections failed validation. ,.. haha.. how so?

YazFi: YazFi v3.1.0 starting up
YazFi: wl01_IPADDR (192.168.5.0) has been used for another interface already
YazFi: wl01_FORCEDNS is blank, setting to false
YazFi: wl01_LANACCESS is blank, setting to false
YazFi: wl01_CLIENTISOLATION is blank, setting to true
YazFi: wl0.1 failed validation
YazFi: wl11_IPADDR (192.168.2.0) has been used for another interface already
YazFi: wl11_FORCEDNS is blank, setting to false
YazFi: wl1.1 failed validation
YazFi: wl12_IPADDR (192.168.3.0) has been used for another interface already
YazFi: wl12_FORCEDNS is blank, setting to false
YazFi: wl1.2 failed validation
YazFi: wl13_IPADDR (192.168.4.0) has been used for another interface already
YazFi: wl13_FORCEDNS is blank, setting to false
YazFi: wl13_LANACCESS is blank, setting to false
YazFi: wl13_CLIENTISOLATION is blank, setting to true
YazFi: wl1.3 failed validation​
Can you provide the contents of your YazFi.conf file please?
 
Ah, your config file seems to repeat sections. You need to remove the duplicated settings.

And re. Your earlier question, i didn't find a way i was happy with for migrating config files when new settings are introduced so sadly it is a manual process. I've tried to avoid adding new settings wherever possible since thst decision.
 
Ah, your config file seems to repeat sections. You need to remove the duplicated settings.

And re. Your earlier question, i didn't find a way i was happy with for migrating config files when new settings are introduced so sadly it is a manual process. I've tried to avoid adding new settings wherever possible since that decision.

my goodness! how silly of me to miss that duplication!!! thanks thanks thanks a bunch sire!! everything is beautiful now!
manual process no sad - no sweat hah!!

thanks again sire.. not much just what i can for my appreciation - 9TX098444F1390538
 
my goodness! how silly of me to miss that duplication!!! thanks thanks thanks a bunch sire!! everything is beautiful now!
manual process no sad - no sweat hah!!

thanks again sire.. not much just what i can for my appreciation - 9TX098444F1390538
No problem and thanks :D
 
After some tests.. seems like the routing to make traffics from AP's guests connections go thru the VPNs are not working..
what else can I try .. lol

Edited overnight:
bah ... haha.. samba access on the router is in fact not working correctly also... *crys*

might i add, my wired pc is connected to the same vpn the guest network is.
and pc is able to browse the samba drive. but i just cannot get my wifi device to see the samba drives.
 
Last edited:
After some tests.. seems like the routing to make traffics from AP's guests connections go thru the VPNs are not working..
what else can I try .. lol
Are your APs also broadcasting guests?
Edited overnight:
bah ... haha.. samba access on the router is in fact not working correctly also... *crys*

might i add, my wired pc is connected to the same vpn the guest network is.
and pc is able to browse the samba drive. but i just cannot get my wifi device to see the samba drives.
YazFi won't allow guests to talk to Samba on the router, you would need to add your own firewall rule to allow it
 
Are your APs also broadcasting guests?

YazFi won't allow guests to talk to Samba on the router, you would need to add your own firewall rule to allow it

Yes, the ap is broadcasting the “mirrored” guests ssids

So those on the guest networks routed thru vpns will never see the samba drives, unless i create a firewall rule to allow it?

May i know where shld i create the rule?
 
Hi,
newbie here.... I have 3 merlin routers... 1 main and 2 AP (ethernet backhaul). Is there a way to make yazfi work in this config? Thanks!
 
Hi,
newbie here.... I have 3 merlin routers... 1 main and 2 AP (ethernet backhaul). Is there a way to make yazfi work in this config? Thanks!
Only on the router, guests from AP to router would require VLAN tagging of some description
 
Yes, the ap is broadcasting the “mirrored” guests ssids

So those on the guest networks routed thru vpns will never see the samba drives, unless i create a firewall rule to allow it?

May i know where shld i create the rule?
If you add it to the top of the YazFiINPUT chain that should be fine, add your rules after YazFi in firewall-start
 
Any users of this on ppp0 with guests that arent VPN routed?

Set AC86U router with:
LAN > DHCP Server > DNS Server 1 - 192.168.51.123 = Pihole IP
WAN > Internet Connection > WAN DNS SEtting > Connect to DNS Server automatically - YES

I set up YazFi with these options:
wl01_ENABLED=true
wl01_IPADDR=192.168.52.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=192.168.51.123
wl01_DNS2=192.168.51.123
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=2
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

I get an IP assigned from the 52.0 block when connecting to the guest network. However, no internet. Also the device doesn't show up in the network map list on the router.

---------------------
Tried this too:
Router:
LAN > DHCP Server
IP Pool Starting address - 192.168.51.2
IP Pool Ending address - 192.168.51.154

###### Guest Network 1 (wl0.1) #####
wl01_ENABLED=true
wl01_IPADDR=192.168.51.0
wl01_DHCPSTART=155
wl01_DHCPEND=254
wl01_DNS1=192.168.51.123
wl01_DNS2=192.168.51.123
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=2
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

Same, no internet access and not visible on network map list.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top