YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[mpleasan88]

Can you use option d to generate diagnostics and share them with me please? PM, or Dropbox/other filesharing site

@Jack Yaz, did you download the diagnostic files? Any suggestions?

 

[Jack Yaz]

i have this working on my ac3100 on an openvpn profile.

i would like to try it using PPTP my VPN provider does support.
openvpn is very slow on the ac3100, so i'm hoping pptp will be faster
as i don't care about perfect privacy, simply keeping my wan private.
i know ac2900 openvpn would be faster, but i can't afford the change.

i was able to disable the openvpn and boot start, and enable
the PPTP profile which autostarts on it's own, but i see problems;

1. yazfi itself does not seem to see/use the PPTP profile

2. everyone's DNS access seems gone (i use merlin's DoT)
this includes other wifi ssid (not yazfi'd) and wired lan.

could someone point me in the right direction on this troubleshoot,
or does yazfi simply depend on openvpn and won't vlan active pptp.

of course i already tested the PPTP profile info using a VPN client PC
and it works fine (including it's own google dns) so it's not that.
while in use in the router, the connection status show it's active.

YazFi uses OpenVPN only

 

[Jack Yaz]

@Jack Yaz, did you download the diagnostic files? Any suggestions?

Just replied to your PM. Day job got in the way, sorry!

 

[consorts]

YazFi uses OpenVPN only

thanks for the fast and definitive reply - your app is great

if you have any links to people trying to vlan an ssid assigned thru the router's pptp client,
thus not depending on yazfi to manage it - i would at least to try if there's hope it may work.

otherwise, i guess i'll have to look out for the next good sale on the ac2900

 

[mpleasan88]

Just replied to your PM. Day job got in the way, sorry!

Ok, I forwarded a link of the screenshot of the Policy Rules. I can't seem to find how to upload a file within this forum.

 

[mcse]

Leary at first of installing, seemed too easy/simple.... but made the plunge anyway.

It was easy. Very basic config to simply create WiFi access through a unique network address.

Will let the new setup settle in before making additional changes to reserve addresses and assign device names. Further testing in the morning.

Thanks!
============

I did need to re-edit the config file as the assumption that the router would be #.#.#.1 was incorrect. (i did wonder why that address was missing between the IPADDR and DHCPSTART)

 

[mcse]

Leary at first of installing, seemed too easy/simple.... but made the plunge anyway.

It was easy. Very basic config to simply create WiFi access through a unique network address.

Will let the new setup settle in before making additional changes to reserve addresses and assign device names. Further testing in the morning.

Thanks!
============

I did need to re-edit the config file as the assumption that the router would be #.#.#.1 was incorrect. (i did wonder why that address was missing between the IPADDR and DHCPSTART)

=============
=============

Been checking screens/logs and I'm unsure if what is being reported is "as it should be". Realize there is some magic being performed so what I'm seeing could be totally fine, but to pacify my concerns here's what I have...

YazFi / 2 displays

INTERFACE: wl0.1
SSID: GUESTSSID24

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##​

System Log / Wireless Log displays

And Network Map / Clients displays

OK, this is what I expect. GuestSSID on its own network address not to show up.


But then why does this happen...

YazFi / 2 displays

INTERFACE: wl1.1
SSID: GUESTSSID5

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##

System Log / Wireless Log displays

And Network Map / Clients displays

There's actually a few GUESTSSID devices that show up in the list; all with a non-guest IP and reported as STATIC.

Probably unnecessary, but did perform the following to have a 'clean' environment and reconfirm the result.

1. All DHCP reservations deleted
2. Enable manual assignment DISABLED
3. DHCP stopped
4. Device(s) WiFi configuration deleted
5. YazFi uninstalled
6. Router rebooted
7. YazFi installed
8. YazFi started
9. DHCP started
10. Device(s) configured on WiFi

Normal? or at least expected behavior?

Peculiar as the IP is reported as STATIC, although the device is DHCP and assigned to the GUESTSSID5 network. If the address eventually be released and drop from the list it would be good, but as STATIC it remains.

What started me down the rabbit hole was the tons of AUTH/DEAUTH entries in the System Log / General Log file. Believe the previous DHCP reservations of devices on the non-guest network was causing issues making the device ping-pong on/off the GUEST network. (obviously impacting download speed)

================
================

Did one more check on the router and found another anomaly... (sorry)

YazFi / 2 is now displaying

INTERFACE: wl0.1
SSID: GUESTSSID24

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##
Unknown ##:##:##:##:##:##
---------------------------------------------------------------------------

INTERFACE: wl1.1
SSID: GUESTSSID5

HOSTNAME IP ADDRESS MAC
Unknown ##:##:##:##:##:##
Unknown 172.16.#.# ##:##:##:##:##:##
---------------------------------------------------------------------------

IP addresses are being reported via System Log / Wireless Log and System Log / DHCP Leases


Ok, better stop here...

 

[Jack Yaz]

=============
=============

Been checking screens/logs and I'm unsure if what is being reported is "as it should be". Realize there is some magic being performed so what I'm seeing could be totally fine, but to pacify my concerns here's what I have...

YazFi / 2 displays

INTERFACE: wl0.1
SSID: GUESTSSID24

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##​

System Log / Wireless Log displays

View attachment 20892


And Network Map / Clients displays

View attachment 20886

OK, this is what I expect. GuestSSID on its own network address not to show up.


But then why does this happen...

YazFi / 2 displays

INTERFACE: wl1.1
SSID: GUESTSSID5

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##

System Log / Wireless Log displays

View attachment 20888

And Network Map / Clients displays

View attachment 20891

There's actually a few GUESTSSID devices that show up in the list; all with a non-guest IP and reported as STATIC.

Probably unnecessary, but did perform the following to have a 'clean' environment and reconfirm the result.

1. All DHCP reservations deleted
2. Enable manual assignment DISABLED
3. DHCP stopped
4. Device(s) WiFi configuration deleted
5. YazFi uninstalled
6. Router rebooted
7. YazFi installed
8. YazFi started
9. DHCP started
10. Device(s) configured on WiFi

Normal? or at least expected behavior?

Peculiar as the IP is reported as STATIC, although the device is DHCP and assigned to the GUESTSSID5 network. If the address eventually be released and drop from the list it would be good, but as STATIC it remains.

What started me down the rabbit hole was the tons of AUTH/DEAUTH entries in the System Log / General Log file. Believe the previous DHCP reservations of devices on the non-guest network was causing issues making the device ping-pong on/off the GUEST network. (obviously impacting download speed)

================
================

Did one more check on the router and found another anomaly... (sorry)

YazFi / 2 is now displaying

INTERFACE: wl0.1
SSID: GUESTSSID24

HOSTNAME IP ADDRESS MAC
Unknown 172.16.#.# ##:##:##:##:##:##
Unknown ##:##:##:##:##:##
---------------------------------------------------------------------------

INTERFACE: wl1.1
SSID: GUESTSSID5

HOSTNAME IP ADDRESS MAC
Unknown ##:##:##:##:##:##
Unknown 172.16.#.# ##:##:##:##:##:##
---------------------------------------------------------------------------

IP addresses are being reported via System Log / Wireless Log and System Log / DHCP Leases


Ok, better stop here...

Since NetworkMap is closed source its hard to say what its doing. The 1 true source of which IP a device has will be reported on the device itself

 

[Chris_J]

Just so I understand the above, are we saying there is potentially a bug with the Network Map?

Ever since using YazFi, my map reports the IP addresses of clients on the guest networks with a subnet suggesting that it is on the main network. However, running option 2 on YazFi reports that clients are successfully connected to the relevant guest with correct subnet.

 

[bennor]

I suspect (guess ) that on my RT AC-68U the Network Map and related options to view client IP addresses are being pulled from the /jffs/nmp_cl_json.js that is apparently/possibly generated from NVRAM data when the router is rebooted. What I see is old client IP addresses that are unused for the devices that are now on the guest wifi with different IP addresses. The router is pulling the old IP address not the new guest one when populating the Network Map data. So far haven't seen a way to clear out the old unused IP addresses so the Network Map would populate correctly.

For me, every attempt to remove unused client IP addresses result in them returning when the router is rebooted. Further past discussion related to old client IP addresses and attempts to remove them:
https://www.snbforums.com/threads/a...disconnected-clients.42466/page-2#post-540794
https://www.snbforums.com/threads/a...-95-how-to-remove-some-offline-clients.46374/

 

[Ggdbb]

Hello!

first. Big thanks/kudos to the developer for this bad a$$ script. Was contemplating going down a PFSENSE rabbit hole before I found this solution

my question now is, why are my speeds so dang slow?!

Used openvpn On stock fw and was getting about 20-30 mbps down while connected to the vpn

since installing Merlin and using yazfi (didn’t test speeds before installing the script) my speeds are like 7-8mbps down

baseline: running on 500 up/down from frontier
Hw: ASUS 66-B1

any ideas on what it could be? I’ve spent the last 5 days researching this sub/ the google and tried changing settings. Adding custom confits to opvn files etc and nothing has worked

thanks in advance!

 

[Jack Yaz]

Hello!

first. Big thanks/kudos to the developer for this bad a$$ script. Was contemplating going down a PFSENSE rabbit hole before I found this solution

my question now is, why are my speeds so dang slow?!

Used openvpn On stock fw and was getting about 20-30 mbps down while connected to the vpn

since installing Merlin and using yazfi (didn’t test speeds before installing the script) my speeds are like 7-8mbps down

baseline: running on 500 up/down from frontier
Hw: ASUS 66-B1

any ideas on what it could be? I’ve spent the last 5 days researching this sub/ the google and tried changing settings. Adding custom confits to opvn files etc and nothing has worked

thanks in advance!

It would be worth removing the script and manually policy routing a client through VPN to see what speed you get. If no better, check that hardware acceleration is enabled etc.

 

[Ggdbb]

It would be worth removing the script and manually policy routing a client through VPN to see what speed you get. If no better, check that hardware acceleration is enabled etc.

thank you!

I tried that already and the result was the same

hardware acceleration is enabled

is there anything to do from the CLI by any chance? I read something along the lines of NVRAM reset when starting fresh but unsure if that would do anything.

I’m at work right now but can provide any kind of logs/screenshots needed to help troubleshoot later today

 

[marelit]

Hi Jack,

I've been using your script since you released it and it helped me a lot organizing my Wifi-Devices!

Recently I discovered that even with all parameters set to the strictest setting, I was able to ping my router at 192.168.1.1 from the isolated guest network (192.168.10.x) and pixelserv-tls at 192.168.1.2. I believe that it has nothing to do with your script, but rather with the setup of my network. I am running double NAT, so my router with YazFi (A) is behind another router (B)(both in router mode). Now there is a static route configured on B to forward all 192.168.1.x packets to A.

My guess was that packets went from my guest network out to B and then B sends them back to A (this time my main net), because of the static route.
Is there anything I can do to prevent this? Or is this intended behaviour?

Thank you in advance!

 

[Jack Yaz]

Hi Jack,

I've been using your script since you released it and it helped me a lot organizing my Wifi-Devices!

Recently I discovered that even with all parameters set to the strictest setting, I was able to ping my router at 192.168.1.1 from the isolated guest network (192.168.10.x) and pixelserv-tls at 192.168.1.2. I believe that it has nothing to do with your script, but rather with the setup of my network. I am running double NAT, so my router with YazFi (A) is behind another router (B)(both in router mode). Now there is a static route configured on B to forward all 192.168.1.x packets to A.

My guess was that packets went from my guest network out to B and then B sends them back to A (this time my main net), because of the static route.
Is there anything I can do to prevent this? Or is this intended behaviour?

Thank you in advance!

Pinging of the router is enabled currently and non-configurable. Some devices like Smart Tvs decided they had no internet connection if they couldn't ping the gateway IP. Go figure!

I'm considering adding something that allows for user-added firewall rules to run after YazFi finishes to cover edge cases, as its likely impossible to account for them all myself!

 

[nihon]

Hi
Colin recommended me to post my question here since people here are the most likely to be able to help.

I have some China cameras on my network that I want to prevent from accessing my intranet, therefore I set them up to use a guest network and disabled intranet access on the guest network.

However I really need to be able to connect to the cameras from devices on my intranet.

How can that be achieved? Blocking an untrusted device from accessing other devices on the intranet but allow the trusted devices on the intranet to connect to the untrusted device?

Hope for your help here since I am stuck.
I assume VLAN and firewall rules in general could solve it but Merlin lacks support for it in the web gui and I have no clue how to approach it. I wished there were an option for the guest network settings to block guest network from intranet but allow intranet accessing guest devices.

Could this be achieved using Yazfi?

@Jack Yaz

 

[Jack Yaz]

v3.2.3 is now available
Changelog:

Move config to /jffs/addons/YazFi.d
Make sure script is removed on failed install

 

[TheUntouchable]

After the latest update Yazfi is not listed in AMTM as installed anymore

 

[kernol]

After the latest update Yazfi is not listed in AMTM as installed anymore

And a re-install of YazFi from within amtm fails ... but chill for a while ... YazFi is still there alive and well ... but access is only through

/jffs/scripts/YazFi

. @Jack Yaz

 

[Jack Yaz]

And a re-install of YazFi from within amtm fails ... but chill for a while ... YazFi is still there alive and well ... but access is only through

/jffs/scripts/YazFi

. @Jack Yaz

Hm. Guess amtm is looking at the old location still. I was asked to update in preparation for an amtm update that's due out soon. It should get resolved with that.