YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[mbze430]

Can you try

YazFi develop

please? I've made some changes to align with the nvram changes in 384.18

That seems to have fixed the duplicating entry in the VPNC.

 

[madcheek]

Try running the below one-liner, then apply settings in YazFi

touch /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh && chmod +x /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh && { echo '#!/bin/sh'; echo 'iptables -D YazFiINPUT -i wl0.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -D YazFiINPUT -i wl1.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -I YazFiINPUT -i wl0.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -I YazFiINPUT -i wl1.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; } >> /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh

Hi Sir, I tried this, copied the command then paste to ssh window. restarted the router, but still unable to see the smb drive connected to the router. I can ping the router though when I am connected to the guest ssid.

I also edited the Yazfi settings, enabled two way to guest, set the client isolation to false. and in the native Guest section, enabled intranet. Thanks for the help.. hope there's still a workaround.

 

[mrkorky]

I would like to have my standard SSID's not use VPN and then have my guest SSID's utilize the VPN. This would allow me to connect to the VPN ssid when I want to be behind the VPN. Is that possible with this script? I was thinking that when I enabled the VPN configuration that it would also switch my standard SSID's over to the VPN as well.

 

[diyguy]

question, can I just set this up to use guest network for my google mini/ smart home devices? they seem to be the most finicky and seperating them into their own SSID would be ideal, I don't need them to go through VPN or anything.

 

[Phil Schaffer]

question, can I just set this up to use guest network for my google mini/ smart home devices? they seem to be the most finicky and seperating them into their own SSID would be ideal, I don't need them to go through VPN or anything.

Yes you can. I use it in a similar manner to put my IoT devices by themselves on a guest network that does not connect to my home network. I don't typically use a VPN either.

 

[logicalmind]

I tried to scan this thread and FAQ but could find anything. I really want to set this up to isolate my network. I have one router setup in wireless router mode. Then I have two other routers setup in AP mode (these are all RT-AC68U's running the same version of merlin 384.17). If I want to install Yazfi, do I need to install it on just the wireless router? Or the AP's as well?

EDIT: After some continued scouring I found this post that Yazfi doesn't support AP's. Though, this doesn't appear to be a Yazfi limitation. The guest networks on AP's are indistinguishable from normal LAN traffic to the main router, which is where the limitation lies.

EDIT AGAIN: For anyone looking to do a guest network across multiple devices, check out this thread.

 

[Fmstrat]

Correct. While VLAN support for LAN ports would be nice, it is messy when supporting lots of models that use different port configurations etc.

I'd just like to throw in that I would love to see this handle LAN ports as well. Especially on the newer models like the RT-AX88U where there is no robocfg.

 

[Jack Yaz]

Hi Sir, I tried this, copied the command then paste to ssh window. restarted the router, but still unable to see the smb drive connected to the router. I can ping the router though when I am connected to the guest ssid.

I also edited the Yazfi settings, enabled two way to guest, set the client isolation to false. and in the native Guest section, enabled intranet. Thanks for the help.. hope there's still a workaround.

Can you try a port scan on the router from the guest ssid using nmap, to verify what ports are exposed please?

 

[Jack Yaz]

v4.1.2 is now available
Changelog:

IMPROVED: WebUI validation
Disable fields if guest disabled in firmware
Disable fields if not enabled in YazFi
Disable VPN number if not redirecting
CHANGED: 0.0.0.0 not needed in line with VPN policy routing nvram changes in 384.18 / 384.13_10

 

[Wisiwyg]

Upgraded to v4.1.2 alongside a fresh wipe and install of Merlin 384.18. Web UI tab not showing, due to this? Note from Post #1:

WebUI page for YazFi
You must be running firmware no older than:

• Asuswrt-Merlin 384.15

TIA

 

[Jack Yaz]

Upgraded to v4.1.2 alongside a fresh wipe and install of Merlin 384.18. Web UI tab not showing, due to this? Note from Post #1:

WebUI page for YazFi
You must be running firmware no older than:

• Asuswrt-Merlin 384.15

TIA

Do you get any errors if you run

YazFi startup

 

[bennor]

Upgraded to v4.1.2 alongside a fresh wipe and install of Merlin 384.18. Web UI tab not showing, due to this?

As a datapoint. GUI page shows for me on Merlin 384.18 on an RT-AC68U.

 

[Wisiwyg]

Thank you all for the replies. An uninstall, reinstall and reboot cleared it. Now have the YazFi GUI on 384.18.

 

[Quietsy]

I tried to install YazFi on RT-N66U, but xt_comment was missing (running the latest john's LTS).
I got it working by removing the lines related to xt_comment, is there a better way to do it? (everything seems to be working fine)

modprobe xt_comment

 -m comment --comment "$(Get_Guest_Name "$2")"


if ! modprobe xt_comment 2>/dev/null; then
    Print_Output "true" "Router does not support xt_comment module for iptables. Is a newer firmware available?" "$ERR"
    CHECKSFAILED="true"
fi

 

[joe68000]

hello,

I've been seeing this in my logs for a while now... any ideas as to how to fix?

Jul  9 22:48:39 RT-AC5300 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate
Jul  9 22:48:50 RT-AC5300 syslog: Error unlocking 6: 9 Bad file descriptor
Jul  9 22:48:50 RT-AC5300 syslog: Error unlocking 0: 9 Bad file descriptor
Jul  9 22:48:55 RT-AC5300 YazFi: YazFi v4.1.2 completed successfully

 

[Jack Yaz]

hello,

I've been seeing this in my logs for a while now... any ideas as to how to fix?

Jul  9 22:48:39 RT-AC5300 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate
Jul  9 22:48:50 RT-AC5300 syslog: Error unlocking 6: 9 Bad file descriptor
Jul  9 22:48:50 RT-AC5300 syslog: Error unlocking 0: 9 Bad file descriptor
Jul  9 22:48:55 RT-AC5300 YazFi: YazFi v4.1.2 completed successfully

It's normal where networkmap gets restarted. Nothing to worry about!

 

[Jack Yaz]

I tried to install YazFi on RT-N66U, but xt_comment was missing (running the latest john's LTS).
I got it working by removing the lines related to xt_comment, is there a better way to do it? (everything seems to be working fine)

modprobe xt_comment

 -m comment --comment "$(Get_Guest_Name "$2")"


if ! modprobe xt_comment 2>/dev/null; then
    Print_Output "true" "Router does not support xt_comment module for iptables. Is a newer firmware available?" "$ERR"
    CHECKSFAILED="true"
fi

i think the comment was so the script knew which rule(s) to delete if a yazfi network changes which vpn client is configured, i.e. was using 1 but moves to 2

 

[Quietsy]

i think the comment was so the script knew which rule(s) to delete if a yazfi network changes which vpn client is configured, i.e. was using 1 but moves to 2

Luckily I don't use that feature, hopefully this helps anyone else on the RT-N66U having issues.
Thanks for the awesome work!

 

[joe68000]

It's normal where networkmap gets restarted. Nothing to worry about!

OK! Thank you very much.

 

[juched]

I noticed an issue, perhaps this meant to be this way. When my WAN went down, etc., when it came back up, YazFi during startup issued this "YazFi: Forcing YazFi Guest WiFi clients to reauthenticate".

Now, from the logs it appears that all my wifi interfaces were impacted, not just those using my one YazFi Guest network. This caused my regular network to push all devices to AiMesh nodes. Not a big deal, but perhaps the script could only turn off and on (via wl radio off commands) those wifi interfaces being controlled by YazFi? Currently, the IFACELIST is every wifi interface.

Perhaps all need to be bounced to force people to go onto the Guest Wifi? Seems this command runs during startup, which happens when WAN drops and then connects. Figured out mine dropped this time due to my ISP pushing a software update to the modem.

Thanks.