YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Matthew Patrick]

Hey. So this is the first time I'm gonna use this script. And I have a few questions

1. So say I want to have a different subnet for the guest wifi (so both 2.4ghz and 5ghz guest wifi number 1) . Can I route the DNS part to the original router subnet? Since I want the DNS server to be the router since it has DOT .
2. Is it possible to have a randomized password for the guest network every 24 hours. And possibly send it to say an email address or telegram or something like that??

Thank you and sorry if it's been answered before

 

[Jack Yaz]

Hey. So this is the first time I'm gonna use this script. And I have a few questions

1. So say I want to have a different subnet for the guest wifi (so both 2.4ghz and 5ghz guest wifi number 1) . Can I route the DNS part to the original router subnet? Since I want the DNS server to be the router since it has DOT .
2. Is it possible to have a randomized password for the guest network every 24 hours. And possibly send it to say an email address or telegram or something like that??

Thank you and sorry if it's been answered before

to answer your questions:

1) Yes
2) Manually in YazFi's CLI menu (I didn't get round to coding in an automated approach yet)

 

[Matthew Patrick]

to answer your questions:

1) Yes
2) Manually in YazFi's CLI menu (I didn't get round to coding in an automated approach yet)

Thank you for the response!!

So 1. Do I just set my custom subnet and the DNS to my router ip? Also, since I enabled both 5ghz and 2.4 for say guest 1, do I need to set the subnet to be the same on both guest wifi? To allow roaming between those?

2. Oh nice. Is there any way for me to automatically send the password using something? Doesn't need to be built in.

Thanks again for the help!!

 

[Jack Yaz]

Thank you for the response!!

So 1. Do I just set my custom subnet and the DNS to my router ip? Also, since I enabled both 5ghz and 2.4 for say guest 1, do I need to set the subnet to be the same on both guest wifi? To allow roaming between those?

2. Oh nice. Is there any way for me to automatically send the password using something? Doesn't need to be built in.

Thanks again for the help!!

subnet to non-router subnet, dns set to router ip. 2.4 and 5ghz have to be separate at the moment

 

[Matthew Patrick]

subnet to non-router subnet, dns set to router ip. 2.4 and 5ghz have to be separate at the moment

Okay then . That means different subnet for 2.4 or 5ghz guest network

 

[Andy1932]

Just want to be sure I have everything setup correctly with this. I set up a guest network for all of my IoT devices.
On the Guest Network page, I have Access Intranet disabled.
On the YazFi page:
Force DNS - NO (My devices did not like that enabled)
Two way to guest - YES (This is my main concern. I think I have this right. My IoT devices can communicate all they want together on the guest network, but they CANNOT access my main intranet, correct?)

 

[Jack Yaz]

Just want to be sure I have everything setup correctly with this. I set up a guest network for all of my IoT devices.
On the Guest Network page, I have Access Intranet disabled.
On the YazFi page:
Force DNS - NO (My devices did not like that enabled)
Two way to guest - YES (This is my main concern. I think I have this right. My IoT devices can communicate all they want together on the guest network, but they CANNOT access my main intranet, correct?)

the last setting is for connections between guest and main. i'd suggest one way if you need to access IoT locally from main to guess, otherwise both disabled and communicate over the WAN

 

[Phil Schaffer]

I believe Two Way to Guest allows your guests to see devices on your main network. What I think you want is to set Client Isolation to No. Two Way to Guest should be No and One way to Guest is up to you.

Edit - Of course Jack beat me to this answer.

 

[Andy1932]

Thanks guys!

 

[bennor]

Two way to guest - YES (This is my main concern. I think I have this right. My IoT devices can communicate all they want together on the guest network, but they CANNOT access my main intranet, correct?)

No, that is incorrect. If you do not want your IoT devices to communicate (other than DNS, if running your own DNS server like Pi-Hole) with the main LAN clients, then set both Two way to guest and One way to guest to NO. If you need to have the guest IoT devices communicate with each other then disable (i.e. set to NO) Client isolation.

See the second post of this thread to gain a general understanding of what each of the options does. Or if using the YazFi GUI, roll your mouse cursor over the text field for the entry and click to see a brief info on the option.

wl01_TWOWAYTOGUEST
Should LAN/Guest Network traffic have unrestricted access to each other? (true/false) Cannot be enabled if _ONEWAYTOGUEST is enabled

wl01_ONEWAYTOGUEST
Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? (true/false) Cannot be enabled if _TWOWAYTOGUEST is enabled

wl01_CLIENTISOLATION
Should Guest Network radio prevent clients from talking to each other? (true/false)

 

[zokstar]

Any plan on making this work in AP mode? Or is this not possible?

 

[Wisiwyg]

Add a LAN port to a Guest network through edit on YazFi settings?

I looked around for instructions on redirecting one of the router hardwired LAN ports through one of the Guest networks and didn't see any clear indication of doing this. Has anyone tried editing the YazFi settings file and achieved this? TIA.

 

[AntonK]

Hi,
Does this look like an acceptable configuration when running a few IoT devices (smart bulbs) on a guest network? Thjs is my first foray into IoT devices. Aside from controlling them via phone app, I use Alexa to voice control them.

Thanks for any thoughts, or corrections.

Anton

 

[bennor]

Does this look like an acceptable configuration when running a few IoT devices (smart bulbs) on a guest network? Thjs is my first foray into IoT devices. Aside from controlling them via phone app, I use Alexa to voice control them.

Only two questions about your settings that I see is; do you need the One Way to Guest option enabled? If so why? And do you need Client Isolation disabled? If so why?

 

[AntonK]

Only two questions about your settings that I see is; do you need the One Way to Guest option enabled? If so why? And do you need Client Isolation disabled? If so why?

Hi Bennor,
My thinking was 1) that clients on my LAN would not be able to talk (command) the bulbs without one-way communication to the bulbs. But after reading your response, I set One Way to Guest to No, and my phone and Alexa can still control the bulbs, so I guess they're communicating via WAN to the bulbs. 2) Same reasoning (as faulty as it may be), I thought if I isolated the bulbs from the clients on my LAN (phone, Alexa), these devices wouldn't be able to control the bulbs on the Guest network.

 

[bennor]

Hi Bennor,
My thinking was 1) that clients on my LAN would not be able to talk (command) the bulbs without one-way communication to the bulbs. But after reading your response, I set One Way to Guest to No, and my phone and Alexa can still control the bulbs, so I guess they're communicating via WAN to the bulbs. 2) Same reasoning (as faulty as it may be), I thought if I isolated the bulbs from the clients on my LAN (phone, Alexa), these devices wouldn't be able to control the bulbs on the Guest network.

Correct. The control of most IoT devices do not require communication with Lan clients nor do they typically require communication with each other. They generally communicate via Wan only. Hence why I asked the questions the way I did. Wanted to see if there was some other reason you were using those options.

Only time I've personally seen the need to disable client isolation, with my various IoT devices running on YazFi, is when using two or more amazon echo devices that are grouped for multi room music mode.

 

[AntonK]

Correct. The control of most IoT devices do not require communication with Lan clients nor do they typically require communication with each other. They generally communicate via Wan only. Hence why I asked the questions the way I did. Wanted to see if there was some other reason you were using those options.

Only time I've seen the need to disable client isolation is when using two or more amazon echo devices that are grouped for multi room music mode.

Thanks Bennor. I appreciate your time and thoughts.

 

[Chenks]

hi, just set up YazFi on my RT-AX88U.
using it for a guest WIFI at the moment, so ideally would want total client isolation and for clients to only have internet access (i had already set a restricted bandwidth on the guest wifi).
ie i don't want them to be able to see any other client or be able to communicate with any other client.

i see client isolation is not an option that can be used on the AX88U? is that still correct?
so are my only options to disable TWO-WAY and ONE-WAY?

 

[Sagittarius A*]

Hi guys, sorry for just jumping into a conversation, and thanks so much to all the people answering and asking questions, and, of course merlin; also so many great scripts are available here or on their sites, i think from lonleycoder and others, I forgot the other names right know, i've learned a lot by browsing the site.

maybe, could anyone tell me how to best configure a guest network for possibly infected devices with YazFi (which maybe adds an extra layer of security, i read somewhere on here) so any maleware wouldn't spread across the main network or that someone could use the maleware to break-in and alter the system on the AC, by the way, is there something like a NIDS or HIDS for the asuswrt-merlin and would a simple factory reset set all malicious changes back to a secure machine or do I need to do a nuclear reset or can they dig deep into the system, like a kernel infection, a nuclear reset probably wouldn't help in this situation and would make the infection permanent, right?

I use a AC68U, I will probably upgrade to an AC86U. normally, i think, one has to use a switch an extra firewall (possibly mini pc or alike) and a wireless-AP then connect it to the main network, but i'm not sure if I would need a switch in my small network. I'm planning on using a mini-pc as a firewall (sophos or pfsense?) to make my network more secure.

(reason I'm so security conscious: someone broke-in my network some time ago. i infected my notebook at an unsafe place (the notebook itself didn't directly show any signs of infections, but there were other signs (I don't want to go into details, because the breach "revealed" itself IRL, which caused a lot of distress) and when I connected it to a switch to record the traffic it send and receveid packets from ip's (i cannot remember, should have noted it somewhere) that are listed as possibly dangerous from abuseip[.]com), i tried to find out the malcious ip's through tcpdump (but that is, i think, not how this kind of things are usuallay handled) and block them through ipset/ iptables, but my knowledge is not enough to find out all possible ip's (i mean i could block everything from typical hosting providers that would also provide computing time), since they could be hiding through a normal google/amazon ip, right?, if they'd rent something like cloud computing time, i think, i could be wrong here, tough or they broke-in into someones private pc and use their ip).

i hope it is ok that my first post is a question, I'm not very used to post in forums and sorry for my lack of knowledge.
oh and client isolation would probably also be good for security, like chenks (what is exactly ment by two/one-way communication, so that a device could just communicate with others but they cannot establish a session?) asked.
thank you, guys.

 

[mike37]

snip.....

maybe, could anyone tell me how to best configure a guest network for possibly infected devices with YazFi (which maybe adds an extra layer of security, i read somewhere on here) so any maleware wouldn't spread across the main network or that someone could use the maleware to break-in and alter the system on the AC, by the way, is there something like a NIDS or HIDS for the asuswrt-merlin and would a simple factory reset set all malicious changes back to a secure machine or do I need to do a nuclear reset or can they dig deep into the system, like a kernel infection, a nuclear reset probably wouldn't help in this situation and would make the infection permanent, right?

I use a AC68U, I will probably upgrade to an AC86U. normally, i think, one has to use a switch an extra firewall (possibly mini pc or alike) and a wireless-AP then connect it to the main network, but i'm not sure if I would need a switch in my small network. I'm planning on using a mini-pc as a firewall (sophos or pfsense?) to make my network more secure.


snip

My situation exactly. I'm a newbie; have an AC68; have thoughts; but mostly questions:

1. I created two guest networks - one each for two IOT water sensors (they don't need to communicate with each other; if one gets infected I don't want it to get t'other - or anything else.

Then tightened down Yazfi as restrictively as possible 'til they fail.

2. ISTM that with its Linux OS and Iptables tightened down, AM is a basic firewall. Not as robust as a standalone box; under a flood it would hopefully fail and shutdown.

Use Diversion and Skynet, then tweak Iptables if necessary (seems hardly necessary if you use suricata)

3. FWIW, I'm on Comcast cable, so can also tweak their router to afford an initial layer of protection before anything gets to my box. Maybe you can do something similar.

4. Check out suricata for IDS/IPS function. Very promising. <https://www.snbforums.com/threads/suricata-ids-ips-on-asuswrt-merlin.63280/>

This will do packet inspection and more if you don't want to get into Iptables. With this, you get the function of Snort typically "sold" with standalone firewalls.

If something does get into one of the guests ("subnets"?) hopefully suricata will, after having learned about the subnet devices and configured to only allow healthy communications, detect the change and block any connections to/from "strange" locations, or streams containing strange payloads.

Corrections to my understandings gladly welcomed