YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

In the YazFi config file

 

[Raymond74]

I'm new here and this script might be usefull for me.

I am running AsusMerlin 384.7 on an RT-AC87U and this is what I am looking for.
A seperate IoT/Chromcast/AppleTV guest Wifi (preffered also VLAN - for wired) in a different subnet with iptables for filtereing traffic. The seperate IoT/C/A networks should be reachable from the main internal WiFi (and some LAN devices should be reachable from the guest Wifi).

Is this script something that would help? Or is there already something else out there ?

PS: I will not be usig any of the VPN features.

 

[Jack Yaz]

I'm new here and this script might be usefull for me.

I am running AsusMerlin 384.7 on an RT-AC87U and this is what I am looking for.
A seperate IoT/Chromcast/AppleTV guest Wifi (preffered also VLAN - for wired) in a different subnet with iptables for filtereing traffic. The seperate IoT/C/A networks should be reachable from the main internal WiFi (and some LAN devices should be reachable from the guest Wifi).

Is this script something that would help? Or is there already something else out there ?

PS: I will not be usig any of the VPN features.

Currently guests are isolated on their own interface and firewalled off from the LAN.

LAN access is on the to-do but I haven't had time. It will likely be achieved by ipset, rather than Vlan since switch ports vary between models and i have no way to test and support them readily

 

[Raymond74]

Currently guests are isolated on their own interface and firewalled off from the LAN.

LAN access is on the to-do but I haven't had time. It will likely be achieved by ipset, rather than Vlan since switch ports vary between models and i have no way to test and support them readily

As I need an external swtch to be part of the same vlan and subnet I need to tag it (or at least have that asus port in a different vlan. So ipset will not work for me... But thnx for your input.
Please see my thread: https://www.snbforums.com/threads/seperate-wifi-ssid-seperate-subnet.49211/#post-436146

 

[kernol]

How to uninstall YazFi ???
Tried it out of curiosity ... and may well revert once VPN configured - but not using any VPN for now - so would like to remove completely.
I see there is a routine in the YazFi script for "uninstall" - so ran the install SSH command and changed switch from "install" to "uninstall".

Is that sufficient - or do I also need to manually clean up all YasFi installed scripts and config files ??
Sorry if the answer lurks somewhere else ... but have trawled all 14 pages under this thread AND the GitHub site - but could not find any guidance.
Thnx.

 

[Jack Yaz]

How to uninstall YazFi ???
Tried it out of curiosity ... and may well revert once VPN configured - but not using any VPN for now - so would like to remove completely.
I see there is a routine in the YazFi script for "uninstall" - so ran the install SSH command and changed switch from "install" to "uninstall".

Is that sufficient - or do I also need to manually clean up all YasFi installed scripts and config files ??
Sorry if the answer lurks somewhere else ... but have trawled all 14 pages under this thread AND the GitHub site - but could not find any guidance.
Thnx.

Uninstall will remove all references in startup scripts etc. Its up to you whether you then delete the script and config files (should you wish to reinstall and not lose your config)

 

[wacko911]

Jack_Yaz, I intsalled this in minutes and it just works as advertised - I've tried scripts in the past and failed after many hours of trying. I've sent you a small donation, thankyou and please keep up the good work.

Now if only we could get this included in merlin's builds...

 

[Jack Yaz]

Jack_Yaz, I intsalled this in minutes and it just works as advertised - I've tried scripts in the past and failed after many hours of trying. I've sent you a small donation, thankyou and please keep up the good work.

Now if only we could get this included in merlin's builds...

Glad to be of service! Reminds me that I really should crack on with LAN access

 

[SMS786]

Hi @Jack Yaz,

Thanks for the great script! Been eyeing it for a while..finally took the plunge and installed today. I had a quick question:

wl01_DNS1=8.8.8.8
wl01_DNS2=8.8.4.4

Could I leave the above DNS lines blank if I want my guests to default to my dnscrypt setup?

 

[Jack Yaz]

Hi @Jack Yaz,

Thanks for the great script! Been eyeing it for a while..finally took the plunge and installed today. I had a quick question:

wl01_DNS1=8.8.8.8
wl01_DNS2=8.8.4.4

Could I leave the above DNS lines blank if I want my guests to default to my dnscrypt setup?

Yes, leaving blank should be detected by the script and replaced with the router IP, and relevant firewall rules will be added

If you happen to have pixelserv-tls running, the script should allow access to the IP for that as well, so guests can benefit from ad-blocking

If not, let me know and we'll get to troubleshooting!

 

[kernol]

Uninstall will remove all references in startup scripts etc. Its up to you whether you then delete the script and config files (should you wish to reinstall and not lose your config)

Hi Jack

Pleased to confirm ... fully installed YazFi guest again ... and its a keeper - many thanks for a great add-on.
Hopping over to your donation link in appreciation.
Frankly I don't want guests to access my intranet - so content if you chill on that one ;-).

Brgds
Kernol

 

[Jack Yaz]

Hi Jack

Pleased to confirm ... fully installed YazFi guest again ... and its a keeper - many thanks for a great add-on.
Hopping over to your donation link in appreciation.
Frankly I don't want guests to access my intranet - so content if you chill on that one ;-).

Brgds
Kernol

Thank you for the donation, and I'm glad my script is of use

 

[carloskar]

Thanks for a great script!
It is working almost perfect on my RT-AC66U running 380.70.

I have one guest network for "untrusted" clients, like a air purifier and a roomba, that use the 192.168.2.0 net on the wl0.1 interface, and the main network at 192.168.1.0 (br0).
Unfortunately those clients are very qick to connect to the wifi after rebooting the router, and they manage to connect even before the dnsmas.conf.add script has run so they are always assigned an IP from the main network.
Any ideas how to remedy this?

 

[Jack Yaz]

Thanks for a great script!
It is working almost perfect on my RT-AC66U running 380.70.

I have one guest network for "untrusted" clients, like a air purifier and a roomba, that use the 192.168.2.0 net on the wl0.1 interface, and the main network at 192.168.1.0 (br0).
Unfortunately those clients are very qick to connect to the wifi after rebooting the router, and they manage to connect even before the dnsmas.conf.add script has run so they are always assigned an IP from the main network.
Any ideas how to remedy this?

I would have hoped firewall-start would be early enough to stop this...I'll see if there's a way to solve this

 

[carloskar]

I would have hoped firewall-start would be early enough to stop this...I'll see if there's a way to solve this

I've been looking into this some more.
I' must have been tired back then when I said that clients connected even before dnsmasq.conf.add. That is not the case, or at least I cannot get that behavior anymore.

But some of my devices are connecting to my guest wifi on wl0.1 but are assigned an IP from the wrong pool after a reboot of the router.
The common denominator is that they are all connected to the powerline, maybe they retry like crazy when they loose the connection.

Would it be possible to start YazFi in the dnsmaq.postconf script instead of the firewall-start? And skip the '&' to make the script finish before starting the dnsmasq?

 

[Jack Yaz]

Dropping the & was my first thought. The odd thing is though, that dnsmasq.conf.add is persistent across reboots so dnsmasq starts with that. The real issue is the firewall rules to separate the interface aren't running soon enough. I will PM an updated script with some things re-ordered, to see if that helps.

I suppose it depends what comes up first, dnsmasq or the firewall. @RMerlin is there a defined service start order please ?

 

[carloskar]

The "faulty" device is connecting to the guest wifi really early and sending DHCPDISCOVER, see the syslog snippet below.
If the wl0.1 interface has not been configured with an IP can it respond to dhcp requests?

Spoiler: syslog

Aug  1 02:00:35 kernel: nf_nat_rtsp v0.6.21 loading
Aug  1 02:00:35 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Aug  1 02:00:35 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Aug  1 02:00:35 YazFi: YazFi v2.2.4 starting up
Aug  1 02:00:36 rc_service: udhcpc 435:notify_rc start_upnp
Aug  1 02:00:36 rc_service: waitting "stop_upnp" via udhcpc ...
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPDISCOVER(br0) f0:03:8c:b3:4c:67
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPOFFER(br0) 192.168.1.159 f0:03:8c:b3:4c:67
Aug  1 02:00:37 ntp: start NTP update

 

[carloskar]

I have managed to get it to work correctly, my solution below.

The only problem I can see is that at startup because the wifi is activated but not the DHCP then devices can connect but will not be assigned an IP, and some devices might use a fallback IP configuration or disable autoconnect for that wifi network.

Delay DHCP Startup
Whe the router starts the DHCP is, if enabled, running on the br0 interface and if a device connects to a guest network before the YazFi script has finished it will be assigned a IP configuration for the main network.

The solution for this problem is to enable DHCP for all interfaces first after the YazFi script has finished.

1. Disable DHCP for all interfaces by adding no-dhcp-interface for br0 and all the guest networks to dnsmasq.conf.add, for example:
   

   no-dhcp-interface=br0
   no-dhcp-interface=wl0.1
   no-dhcp-interface=wl0.2

   
   
2. Modify dnsmasq.postconf so that it deletes the no-dhcp-interface lines added by dnsmasq.conf.add above if the YazFi script has finished:
   

   #!/bin/sh
   CONFIG=$1
   source /usr/sbin/helper.sh
   
   FILE=/tmp/0-enable-dhcp
   if [ -f "$FILE" ]; then
      logger -t "$(basename $0)[$$]:" "enabling dhcp"
      pc_delete "no-dhcp-interface=br0" $CONFIG
      pc_delete "no-dhcp-interface=wl0.1" $CONFIG
      pc_delete "no-dhcp-interface=wl0.2" $CONFIG
   fi

   
   
3. Modify the YazFi script to signal dnsmasq.postconf to enable DHCP and then restart dnsmasq after all networks have been configured:
   

   if [ -z "$1" ]; then
      Check_Lock
      Print_Output "true" "YazFi $YAZFI_VERSION starting up"
      Config_Networks
   
      touch /tmp/0-enable-dhcp
      service restart_dnsmasq
   
      exit 0
   fi

 

[Jack Yaz]

I have managed to get it to work correctly, my solution below.

The only problem I can see is that at startup because the wifi is activated but not the DHCP then devices can connect but will not be assigned an IP, and some devices might use a fallback IP configuration or disable autoconnect for that wifi network.

Delay DHCP Startup
Whe the router starts the DHCP is, if enabled, running on the br0 interface and if a device connects to a guest network before the YazFi script has finished it will be assigned a IP configuration for the main network.

The solution for this problem is to enable DHCP for all interfaces first after the YazFi script has finished.

1. Disable DHCP for all interfaces by adding no-dhcp-interface for br0 and all the guest networks to dnsmasq.conf.add, for example:
   

   no-dhcp-interface=br0
   no-dhcp-interface=wl0.1
   no-dhcp-interface=wl0.2

   
   
2. Modify dnsmasq.postconf so that it deletes the no-dhcp-interface lines added by dnsmasq.conf.add above if the YazFi script has finished:
   

   #!/bin/sh
   CONFIG=$1
   source /usr/sbin/helper.sh
   
   FILE=/tmp/0-enable-dhcp
   if [ -f "$FILE" ]; then
      logger -t "$(basename $0)[$$]:" "enabling dhcp"
      pc_delete "no-dhcp-interface=br0" $CONFIG
      pc_delete "no-dhcp-interface=wl0.1" $CONFIG
      pc_delete "no-dhcp-interface=wl0.2" $CONFIG
   fi

   
   
3. Modify the YazFi script to signal dnsmasq.postconf to enable DHCP and then restart dnsmasq after all networks have been configured:
   

   if [ -z "$1" ]; then
      Check_Lock
      Print_Output "true" "YazFi $YAZFI_VERSION starting up"
      Config_Networks
   
      touch /tmp/0-enable-dhcp
      service restart_dnsmasq
   
      exit 0
   fi

Looks promising!

Another thought I had, with your fix removed, what happens after a reboot with the devices on the wrong IP and running service restart_wireless?

 

[Jack Yaz]

The "faulty" device is connecting to the guest wifi really early and sending DHCPDISCOVER, see the syslog snippet below.
If the wl0.1 interface has not been configured with an IP can it respond to dhcp requests?

Spoiler: syslog

Aug  1 02:00:35 kernel: nf_nat_rtsp v0.6.21 loading
Aug  1 02:00:35 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Aug  1 02:00:35 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Aug  1 02:00:35 YazFi: YazFi v2.2.4 starting up
Aug  1 02:00:36 rc_service: udhcpc 435:notify_rc start_upnp
Aug  1 02:00:36 rc_service: waitting "stop_upnp" via udhcpc ...
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPDISCOVER(br0) f0:03:8c:b3:4c:67
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPOFFER(br0) 192.168.1.159 f0:03:8c:b3:4c:67
Aug  1 02:00:37 ntp: start NTP update

Question, what have you set for dhcp lease time?