YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[L&LD]

So far it looks like once I put all the settings I want initially and then into Yazi, I can just turn the guest wifi on and off as needed and it keeps the intended settings. Ya! Thanks!

Make sure that this testing was extended with a reboot in-between for all possible combinations too.

Just want to make sure your testing is thorough and your expected results match reality.

 

[QuikSilver]

Make sure that this testing was extended with a reboot in-between for all possible combinations too.

Just want to make sure your testing is thorough and your expected results match reality.

Already ahead of ya, that’s part 2. Was limited in first due to wife and kids wanting to watch tv. [emoji6]


Sent from my iPhone using Tapatalk

 

[L&LD]

Already ahead of ya, that’s part 2. Was limited in first due to wife and kids wanting to watch tv. [emoji6]


Sent from my iPhone using Tapatalk

I remember my dad giving my mom a dollar or two 'for ice cream for the kids' and he could have the house in peace and quiet for a couple of hours or more.

 

[QuikSilver]

I remember my dad giving my mom a dollar or two 'for ice cream for the kids' and he could have the house in peace and quiet for a couple of hours or more.

Ah yea the good old days....these days I turn the WiFi off to force them outside. [emoji23]


Sent from my iPhone using Tapatalk

 

[QuikSilver]

Make sure that this testing was extended with a reboot in-between for all possible combinations too.

Just want to make sure your testing is thorough and your expected results match reality.

Looks like guest wifi settings survive the reboot as well. Rebooted using GUI instead of scmerlin in case anyone wondering.

 

[lollerwaffle]

What do you mean by the WAN network, please?

Apologies as I wasn't clear. I meant where the regular wifi network has access to the internet, while the 'guest' wifi network goes through the VPN (i.e. the setup using your script). Is there a way for my devices to see each other if they are connected to these networks?

 

[WNorkle]

Ah - the easiest way for now is to duplicate the YazFi line from firewall-start to openvpn-event

Hi Jack - I'm experiencing the same issue with my PIA VPN. I found the line in firewall-start - but I don't seem to have an openvpn-event to modify. Looking at the openvpn forum, I see a reference to adding a line in the VPN config. Is this what you were suggesting?

persist-key
persist-tun
resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
up-restart  /jffs/scripts/YazFi runnow

 

[WNorkle]

After a little more RTFM, I figured it out. If anyone else is looking for the solution, this is what my PIA VPN config Custom Configuration looks like:

persist-key
persist-tun
resolv-retry infinite
tls-client
remote-cert-tls server
disable-occ
up "/jffs/scripts/YazFi runnow"
up-restart

 

[WNorkle]

It appears I spoke too soon. This doesn't work properly.

Syslog shows

ovpn-client2[3839]: Multiple --up scripts defined.  The previously configured script is overridden.

and my client is still having problems with being connected to WiFi - but not to the Internet.

Still looking for help if anyone else has figured this out.

 

[WNorkle]

So, for those that are keeping score - Joe68000 set me straight.

Create an openvpn-events file in /jffs/scripts containing

#!/bin/sh
/jffs/scripts/YazFi runnow & # YazFi Guest Networks

Save it and make it executable.

Simple as that.

 

[Jack Yaz]

So, for those that are keeping score - Joe68000 set me straight.

Create an openvpn-events file in /jffs/scripts containing

#!/bin/sh
/jffs/scripts/YazFi runnow & # YazFi Guest Networks

Save it and make it executable.

Simple as that.

Sorry for not replying - yes, that's what I meant

 

[Teymur]

Hi Guys

I'm having issues with the YazFi. The thing is it all seems to be correct and working, I can have clients connected to the guest network created by YazFi. But no matter what I do the firewall drops all packets coming from that guest network interface e.g (wl0.1). Maybe Jack can comment on this. I have ASUS3200 with amtm, diversion, skynet and YazFi installed. Your time and help is highly appreciated.

Here are some lines from the log. I'm trying to route the traffic to the VPN interface:

Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=57858 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=58260 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40276 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33397 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=42890 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840

Regards

Teymur

 

[Jack Yaz]

Hi Guys

I'm having issues with the YazFi. The thing is it all seems to be correct and working, I can have clients connected to the guest network created by YazFi. But no matter what I do the firewall drops all packets coming from that guest network interface e.g (wl0.1). Maybe Jack can comment on this. I have ASUS3200 with amtm, diversion, skynet and YazFi installed. Your time and help is highly appreciated.

Here are some lines from the log. I'm trying to route the traffic to the VPN interface:

Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=57858 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=58260 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=40276 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=33397 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840
Jun 2 12:54:08 kernel: [BLOCKED - INVALID] IN=wl0.1 OUT=tun11 SRC=192.168.9.76 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=42890 PROTO=ICMP TYPE=8 CODE=0 ID=30840 SEQ=30840

Regards

Teymur

The packets are invalid, for some reason. I don't know what causes that.

 

[consorts]

i got a 5ghz guest ssid going to a single .ovpn now while
the other wifi's and ethernet are working off my wan

i'm trying to figure out if there's a way to make it faster
cause off my router my vpn is about half the speed of
a vpn android apk client or vpn window10 tap client.

so on my 100:100 wan, if i use a vpn client device
i get about 70:70 over 5ghz, but when i host the
.ovpn in the router, i'm lucky to get half that.

my router is 1.4ghz dual core and low cpu/ram util%
while the vpn is busy, so i don't get where the holdup is.

i mean, i'm grateful that yazfi is working stable,
but if there is room for bandwidth improvement,
i would love a nudge in what direction to look.

i find it hard to believe my cpu is the problem;
https://www.privateinternetaccess.c...celeration-is-here-for-routers-using-openvpn/
given that it's hardly being utilized for now.

UPDATE: i checked with my VPN provider and my better option
was to disable cipher, tried and gained about 30% more bandwidth.
since i'm only using it for streaming host and p2p peer privacy,
i set ovpn cipher disabled, rather then going with less stable l2tp.

 

[i0n1x]

Hi, I just installed YazFi on my AC5300 and everything coming from guest is dropped.
Do you know why ?

Jun 11 16:57:47 kernel: DROP IN=wl0.1 OUT=eth0 SRC=192.168.2.69 DST=9.9.9.9

 

[Gitsum]

I tried to use this for the first time on my AX88U because I read that you can force clients to use a local DNS server. I run a Raspberry Pi with PiHole and normally clients on my guest wifi can't connect to the lan because those client's are my IOT devices and that's how I would prefer it.
Anyway, I followed the setup instructions but once I tried to apply the settings, it did not work. The new subnet was not created and my wifi just kept resetting itself until I stopped the Yazfi script from running.
Anyone else get this working on a AX88U ?

 

[Jack Yaz]

I tried to use this for the first time on my AX88U because I read that you can force clients to use a local DNS server. I run a Raspberry Pi with PiHole and normally clients on my guest wifi can't connect to the lan because those client's are my IOT devices and that's how I would prefer it.
Anyway, I followed the setup instructions but once I tried to apply the settings, it did not work. The new subnet was not created and my wifi just kept resetting itself until I stopped the Yazfi script from running.
Anyone else get this working on a AX88U ?

Did you set

• RT-AX88U (clientisolation=false may be required)

 

[Gitsum]

No, sorry. I will try that. Thanks.

 

[consorts]

is there a reason and/or fix for why yazfi ovpn subnet 5ghz traffic shows up as upload only?

 

[Jack Yaz]

is there a reason and/or fix for why yazfi ovpn subnet 5ghz traffic shows up as upload only?

You'll probably see the same thing with any policy routed traffic to a vpn