YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

Can you share which application/tool you're using when you see this please? I haven't come across any UDP issues with my devices so I'd like to have a way to re-create and test so that I can implement it if needed.
The WSView app for my Ecowitt GW1000, I have the GW1000 on my guest3 along with some ring cameras and my roomba. I had to network trace to figure out what port it was using, and then I did some iptables research. Not a lot of applications use broadcast packets for device discovery, but it makes sense for lightweight hardware. The only issue I have is since I append three rules, if I update YazFi, they get shoved to the end and fundamentally ignored.

Not currently possible within YazFi as it would require code to create and amend bridging interfaces. Not impossible, but gets very complicated when trying to write it into a user interface that protects the user from borking their network!

I figured it would be something that would have been implemented if "easy." No big issue, I only bring up the other two guest networks when needed and have a script to shut them down overnight, so I don't have devices that are always on them, and I have learned for IoT devices you have to run split SSIDs otherwise you will have all sorts of problems.
 
Yes, sir.
No dropped packets, nothing on tcpdump.
As soon as I remove guest password... everything connects perfectly! :(
Any thoughts?

I did everything and I still can't connect with password :(
 
I may not have gone back far enough in this thread to see if the question has already been asked, but does your password contain characters that aren't just numbers and letters? If so, have you tried a simple password, e.g. password123?

Edit:
It was asked by L&LD

I know my main WiFi (not guest) password had an @ symbol originally and worked fine but after a reset I no longer could use the @ symbol. I didn't try to investigate and simply replaced the character with something else.
 
Here's my current nvram vars for Guest Network 1. The SSID and password are the real ones! (I just omitted hwaddr)

As soon as I put it open (without password), it starts working, and clients can connect properly.

Code:
wl0.1_akm=psk psk2
wl0.1_ap_isolate=1
wl0.1_auth=0
wl0.1_auth_mode=none
wl0.1_auth_mode_x=pskpsk2
wl0.1_bss_enabled=1
wl0.1_bss_maxassoc=64
wl0.1_bw_dl=0
wl0.1_bw_enabled=0
wl0.1_bw_ul=0
wl0.1_closed=1
wl0.1_crypto=tkip+aes
wl0.1_dwds=1
wl0.1_expire=0
wl0.1_expire_tmp=0
wl0.1_hwaddr=XX:XX:XX:XX:XX:XX
wl0.1_ifname=wl0.1
wl0.1_key=1
wl0.1_lanaccess=off
wl0.1_maclist=
wl0.1_macmode=disabled
wl0.1_mbss=1
wl0.1_mcast_regen_bss_enable=1
wl0.1_net_reauth=3600
wl0.1_preauth=
wl0.1_radio_pwrsave_enable=0
wl0.1_radio_pwrsave_level=0
wl0.1_radio_pwrsave_pps=10
wl0.1_radio_pwrsave_quiet_time=1800
wl0.1_radio_pwrsave_stas_assoc_check=1
wl0.1_radius_ipaddr=
wl0.1_radius_key=
wl0.1_radius_port=1812
wl0.1_rxchain_pwrsave_enable=1
wl0.1_rxchain_pwrsave_pps=10
wl0.1_rxchain_pwrsave_quiet_time=1800
wl0.1_rxchain_pwrsave_stas_assoc_check=1
wl0.1_ssid=MusicTWO
wl0.1_unit=0.1
wl0.1_wep=disabled
wl0.1_wep_x=0
wl0.1_wfi_enable=0
wl0.1_wfi_pinmode=0
wl0.1_wme=on
wl0.1_wme_bss_disable=0
wl0.1_wmf_bss_enable=0
wl0.1_wmf_psta_disable=
wl0.1_wpa_gtk_rekey=3600
wl0.1_wpa_psk=20202020
wl0.1_wps_mode=disabled
 
Snipped out the code block for readability
What is the specific Authorization Mode and WPA Encryption setting in the Asus Merlin interface?

Using WPA2-Personal and AES with a password and the Yaz script works fine on an AC68U. The NVRAM output minus password, SSID and hardware address.

Code:
RT-AC68U-xxxx:/tmp/home/root# nvram show | grep wl0.1_ | sort
wl0.1_akm=psk2
wl0.1_ap_isolate=1
wl0.1_auth=0
wl0.1_auth_mode=none
wl0.1_auth_mode_x=psk2
wl0.1_bridge=
wl0.1_bss_enabled=1
wl0.1_bss_maxassoc=128
wl0.1_bw_dl=0
wl0.1_bw_enabled=0
wl0.1_bw_ul=0
wl0.1_closed=0
wl0.1_crypto=aes
wl0.1_dwds=1
wl0.1_expire=0
wl0.1_expire_tmp=0
wl0.1_hwaddr=xx:xx:xx:xx:xx:xx
wl0.1_ifname=wl0.1
wl0.1_infra=1
wl0.1_key1=
wl0.1_key2=
wl0.1_key3=
wl0.1_key4=
wl0.1_key=1
wl0.1_lanaccess=off
wl0.1_maclist=
wl0.1_macmode=disabled
wl0.1_maxassoc=128
wl0.1_mbss=1
wl0.1_mcast_regen_bss_enable=1
wl0.1_mode=ap
wl0.1_net_reauth=3600
wl0.1_preauth=
wl0.1_radio=1
wl0.1_radio_pwrsave_enable=0
wl0.1_radio_pwrsave_level=0
wl0.1_radio_pwrsave_pps=10
wl0.1_radio_pwrsave_quiet_time=1800
wl0.1_radio_pwrsave_stas_assoc_check=1
wl0.1_radius_ipaddr=
wl0.1_radius_key=
wl0.1_radius_port=1812
wl0.1_rxchain_pwrsave_enable=1
wl0.1_rxchain_pwrsave_pps=10
wl0.1_rxchain_pwrsave_quiet_time=1800
wl0.1_rxchain_pwrsave_stas_assoc_check=1
wl0.1_ssid=xxxxxxxx
wl0.1_sta_retry_time=5
wl0.1_unit=0.1
wl0.1_wep=disabled
wl0.1_wep_x=0
wl0.1_wfi_enable=0
wl0.1_wfi_pinmode=0
wl0.1_wme=on
wl0.1_wme_bss_disable=0
wl0.1_wmf_bss_enable=0
wl0.1_wmf_psta_disable=
wl0.1_wpa_gtk_rekey=3600
wl0.1_wpa_psk=xxxxxxxxxxxxxxx
wl0.1_wps_mode=disabled
 
Using wpa auto and tkip+aes currently. However I tested with wpa2 and aes with the same problem...
 
Did a quick and dirty comparison between maghuro's RT-AC86U values and those on my RT-AC68U and noticed a number of either missing values on the AC86U or some that were different when compared to the AC68U values. Not sure if this is due to being different routers (having different options/values) or due to different option settings between them with respect to how the wireless settings are configured. Or perhaps there is another setting elsewhere in the Merlin interface that is setting up or configuring maghuro's router slightly differently than my router.

In the attached image the differences are noted by yellow cells.
 

Attachments

  • Compare.jpg

Ping @RMerlin
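
A key-by-key version of the comparison described above, as an added example that is not from any poster in this thread: it reports keys that are missing on one side or differ, and masks SSID, passphrase, RADIUS key and MAC values so the report can be posted. The function names, SSIDs and passphrases are constructed; the other keys and values are excerpted from the two dumps above.

```shell
#!/bin/sh
# Compare two saved nvram dumps (nvram show | grep wl0.1_ | sort) key by key.
# Usage: diff_nvram dump_a.txt dump_b.txt
diff_nvram() {
    awk '
        !/^[A-Za-z0-9._]+=/ { next }   # skip shell prompts and other noise
        {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            # Mask secrets and identifiers so the report is safe to post.
            if (val != "" && key ~ /_(wpa_psk|radius_key|ssid|hwaddr|key[1-4])$/)
                val = "<redacted>"
            if (FILENAME == ARGV[1]) a[key] = val; else b[key] = val
            all[key] = 1
        }
        END {
            for (k in all) {
                if (!(k in b))         printf "only_a %s=%s\n", k, a[k]
                else if (!(k in a))    printf "only_b %s=%s\n", k, b[k]
                else if (a[k] != b[k]) printf "differs %s: %s | %s\n", k, a[k], b[k]
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample: a few keys excerpted from the two dumps in this thread,
# with placeholder SSIDs and passphrases.
demo_diff() {
    d=$(mktemp -d) || return 1
    cat > "$d/a.txt" <<'EOF'
wl0.1_akm=psk psk2
wl0.1_auth_mode_x=pskpsk2
wl0.1_closed=1
wl0.1_crypto=tkip+aes
wl0.1_ssid=ExampleGuestA
wl0.1_wpa_psk=example-passphrase-a
EOF
    cat > "$d/b.txt" <<'EOF'
RT-AC68U-xxxx:/tmp/home/root# nvram show | grep wl0.1_ | sort
wl0.1_akm=psk2
wl0.1_auth_mode_x=psk2
wl0.1_bridge=
wl0.1_closed=0
wl0.1_crypto=aes
wl0.1_ssid=ExampleGuestB
wl0.1_wpa_psk=example-passphrase-b
EOF
    diff_nvram "$d/a.txt" "$d/b.txt"
    rm -rf "$d"
}

demo_diff
```

Because masking happens before the comparison, two different non-empty secrets compare as equal and are left out of the report; only an empty-versus-set difference is shown for those keys.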
 
Hi @Jack Yaz, I would like to thank you for this awesome tool.
I would like to know if the RT-AX56U, RT-AX58U or the RT-AX3000 are supported.
I managed to get YazFi on the RT-AX3000 but I'm not really sure if it works or if the client traffic routing rules work correctly. The router's IP is 192.168.50.1 but the guest networks are on 192.168.2.0/24 and 192.168.5.0/24. (Firmware Version: 384.17)
 
It should work just fine! I've started removing the "supported models" list and sticking to firmware instead. I was awful at keeping them updated.
 
YazFi does in fact work fine with the RT-AX3000. The only issue was that the YazFi settings wouldn't work when clicking on the "Apply" button in the GUI, but would only work when running the script through the CLI (Option 1. Apply YazFi settings).
Thank you!
 
Any errors in the browser or syslog?
 
I know this is a really old entry, but I am having a similar issue on an AC5300. I've got guest networks set up on wl0.2 and wl2.2 that I'm using for IoT devices. However, when I reboot, my Ring Doorbell connects to wl2.2 and gets an address from the base pool of addresses rather than the pool assigned to wl2.2 by YazFi. I'm not sure what would happen if I waited for the lease to renew as I've been too impatient. Power cycling the Ring gets everything working right.

In reading through the "fix" below, I don't really feel comfortable with modifying the YazFi script and was wondering if this has ever been addressed further or if there's possibly another, simpler fix to the timing issue.

I have managed to get it to work correctly, my solution below.

The only problem I can see is that at startup because the wifi is activated but not the DHCP then devices can connect but will not be assigned an IP, and some devices might use a fallback IP configuration or disable autoconnect for that wifi network.

Delay DHCP Startup

When the router starts, DHCP is, if enabled, running on the br0 interface, and if a device connects to a guest network before the YazFi script has finished it will be assigned an IP configuration for the main network.

The solution for this problem is to enable DHCP for all interfaces only after the YazFi script has finished.
  1. Disable DHCP for all interfaces by adding no-dhcp-interface for br0 and all the guest networks to dnsmasq.conf.add, for example:
    Code:
    no-dhcp-interface=br0
    no-dhcp-interface=wl0.1
    no-dhcp-interface=wl0.2

  2. Modify dnsmasq.postconf so that it deletes the no-dhcp-interface lines added by dnsmasq.conf.add above if the YazFi script has finished:
    Code:
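    #!/bin/sh
    # $1 is the path of the dnsmasq config file being generated
    CONFIG=$1
    # helper.sh provides pc_delete
    source /usr/sbin/helper.sh

    # Flag file that the YazFi script creates once all networks are configured
    FILE=/tmp/0-enable-dhcp
    if [ -f "$FILE" ]; then
       logger -t "$(basename "$0")[$$]:" "enabling dhcp"
       # Remove the temporary blocks so dnsmasq serves DHCP on every interface
       pc_delete "no-dhcp-interface=br0" "$CONFIG"
       pc_delete "no-dhcp-interface=wl0.1" "$CONFIG"
       pc_delete "no-dhcp-interface=wl0.2" "$CONFIG"
    fi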

  3. Modify the YazFi script to signal dnsmasq.postconf to enable DHCP and then restart dnsmasq after all networks have been configured:
    Code:
    if [ -z "$1" ]; then
       Check_Lock
       Print_Output "true" "YazFi $YAZFI_VERSION starting up"
       Config_Networks

       # Added lines: signal dnsmasq.postconf, then regenerate the dnsmasq config
       touch /tmp/0-enable-dhcp
       service restart_dnsmasq

       exit 0
    fi
 
Where are you seeing the "wrong IP"? My doorbell shows the wrong IP in network map /wireless log, but in option 2 of YazFi it is correct. Pinging the incorrect IP times out, whereas the correct IP works.
 
The Asus Network Map may not show the correct IP addresses for guest devices connecting using the guest WiFi YazFi script. Look at the Wireless Log instead, it should show the correct IP addresses for the YazFi connected devices.

And one may want to check the WiFi device and remove any saved logins that connect to the main non-guest WiFi. Had a problem with one of my Amazon Echo devices where it would connect to the main WiFi before the guest WiFis came up. Had to go into the Amazon Alexa app and remove the saved login for the main WiFi network. Since then it always connects to the guest WiFi.

Network Map showing incorrect Guest WiFi IP addresses:
AsusNetworkMap.jpg


Wireless Log showing correct Guest WiFi IP addresses:
AsusWirelessLog.jpg
 
Jack,

I have been looking at the wireless log and Option 2 of YazFi. In addition, after a router reboot, until I power cycle the Ring, I can't connect to it through its app.

I tried a reboot again this morning and what I found was that all of my devices on the guest networks reconnected as expected and show correctly in both the wireless log and YazFi after a few minutes. However, the Ring shows up with a 192.168.1.129 address in Wireless log and although the MAC shows in YazFi, the IP Address field is blank (it should be 192.168.3.101). What seems a little strange is that it always grabs the same wrong IP. I do have one manually assigned IP in the router configuration, but that is for a wired device. The guest network IP assignments are made in the dnsmasq.postconf file.

After the router reboot, I waited about 20 minutes and the Ring app still shows the Ring as Offline. I power cycled the Ring and after that, it took the correct IP and I was able to reach it via the App.
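
A check for the symptom described above, as an added example that is not part of YazFi or any post here: it cross-references dnsmasq leases with the clients associated to each guest interface and reports any client holding an address outside that interface's subnet, or no lease at all. The input files, MAC addresses, function names and /24 prefixes are constructed assumptions.

```shell
#!/bin/sh
# Flag guest-WiFi clients whose DHCP lease is outside their guest subnet.
# $1 = dnsmasq lease file, fields: expiry MAC IP hostname client-id
# $2 = "iface MAC" pairs for associated clients (assumed collected beforehand)
# $3 = "iface prefix" pairs, e.g. "wl2.2 192.168.3." (assumes /24 guest subnets)
check_guest_leases() {
    awk '
        FILENAME == ARGV[1] { ip[tolower($2)] = $3; next }   # leases: MAC -> IP
        FILENAME == ARGV[2] { want[$1] = $2; next }          # iface -> prefix
        ($1 in want) {
            mac = tolower($2)
            if (!(mac in ip))
                printf "NOLEASE %s %s\n", $1, mac
            else if (index(ip[mac], want[$1]) != 1)
                printf "MISMATCH %s %s has %s, expected %s0/24\n", $1, mac, ip[mac], want[$1]
        }
    ' "$1" "$3" "$2"
}

# Constructed sample modelled on the report above: one client on wl2.2 holding
# a main-LAN address, one correct client, one associated client with no lease.
demo_leases() {
    d=$(mktemp -d) || return 1
    cat > "$d/leases" <<'EOF'
1700000000 aa:bb:cc:00:00:01 192.168.1.129 doorbell *
1700000000 aa:bb:cc:00:00:02 192.168.3.57 vacuum *
1700000000 aa:bb:cc:00:00:03 192.168.1.20 laptop *
EOF
    cat > "$d/assoc" <<'EOF'
wl2.2 AA:BB:CC:00:00:01
wl2.2 aa:bb:cc:00:00:02
wl0.2 aa:bb:cc:00:00:04
EOF
    cat > "$d/subnets" <<'EOF'
wl0.2 192.168.2.
wl2.2 192.168.3.
EOF
    check_guest_leases "$d/leases" "$d/assoc" "$d/subnets"
    rm -rf "$d"
}

demo_leases
```

The trailing dot in each prefix matters: it keeps 192.168.30.x from being accepted as part of 192.168.3.0/24.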
 
Just to check you are running the latest version of YazFi?

EDIT: I ask as in one of the latest versions I made a change after seeing similar issues with my Ring Doorbell 2.
 
Yes, Installed with AMTM which reports ver 4.0.4. For what it's worth, I have a Ring Video Doorbell Pro.
 
Can you try increasing the sleep on line 155 of the script?

Can you share your postconf script as well please. If possible PM me your syslog/dnsmasq log so that I can see what IP it is offering the Pro.
 
Sent a PM with the syslog and postconf script. I'm not sure where to find the dnsmasq log.

I increased sleep from 10 to 30 and will try another reboot in a bit when my daughter is done with her online class.
 
