What's new

YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

You'll need to specify it in YazFi config

Tried the testing branch (v2.3.8) but it did not work. Here is my setting:

wl01_ENABLED=true
wl01_IPADDR=172.16.200.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=172.16.100.2
wl01_DNS2=172.16.100.2
wl01_FORCEDNS=false
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=​

And my dnsmasq.conf.add file:

dhcp-option=6,172.16.100.2

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,172.16.200.2,172.16.200.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,172.16.200.1
dhcp-option=wl0.1,6,172.16.200.1,172.16.200.1
### End of script-generated configuration for interface wl0.1 ###​

Albert
 
Tried the testing branch (v2.3.8) but it did not work. Here is my setting:

wl01_ENABLED=true
wl01_IPADDR=172.16.200.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=172.16.100.2
wl01_DNS2=172.16.100.2
wl01_FORCEDNS=false
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=​

And my dnsmasq.conf.add file:

dhcp-option=6,172.16.100.2

### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,172.16.200.2,172.16.200.254,255.255.255.0,43200s
dhcp-option=wl0.1,3,172.16.200.1
dhcp-option=wl0.1,6,172.16.200.1,172.16.200.1
### End of script-generated configuration for interface wl0.1 ###​

Albert
How are you verifying if it works - presumably no DNS requests make it through to PiHole?
Can you provide
Code:
iptables -S
iptables -nvL
 
How are you verifying if it works - presumably no DNS requests make it through to PiHole?
Can you provide
Code:
iptables -S
iptables -nvL


Yes, when I change the DNS1 and DNS2 parameters to my PiHole DNS IP 172.16.100.2, no hostname is resolvable. Changing the DNS1/2 parameters to 172.16.200.1 solves the issue but then the DNS traffic are not routed to PiHole.

IPtabes dump is attached for investigation. Thanks for your help.
 
Yes, when I change the DNS1 and DNS2 parameters to my PiHole DNS IP 172.16.100.2, no hostname is resolvable. Changing the DNS1/2 parameters to 172.16.200.1 solves the issue but then the DNS traffic are not routed to PiHole.

IPtabes dump is attached for investigation. Thanks for your help.
I may have made a (mis) assumption in my code.

Could you PM me a brief overview of your network, with LAN/guest subnets and how the PiHole is connected please?
 
@Jack Yaz, I noticed in 2.3.7 (per the changelog) you added the following in /jffs/scripts/service-event:
Code:
/jffs/scripts/YazFi bounceclients "$1" "$2" & # YazFi Guest Networks
Soooo, service-event gets called for a few things. I think all y'all script coders have an agreement to only add on-liners to the built-in scripts, but for my own self, do you seen any harm in me changing service-event to:
Code:
if [ "$1" = "restart" ] && [ "$2" = "wireless" ]; then
/jffs/scripts/YazFi bounceclients "$1" "$2" & # YazFi Guest Networks
fi
so it's only run when necessary? I doubt anything of value is gained except satisfying my OCD, but my OCD is a powerful thing. :) Obviously not asking you to violate the agreement, just want to know if you see a problem if I do that for my router?

Thanks
 
@Jack Yaz, I noticed in 2.3.7 (per the changelog) you added the following in /jffs/scripts/service-event:
Code:
/jffs/scripts/YazFi bounceclients "$1" "$2" & # YazFi Guest Networks
Soooo, service-event gets called for a few things. I think all y'all script coders have an agreement to only add on-liners to the built-in scripts, but for my own self, do you seen any harm in me changing service-event to:
Code:
if [ "$1" = "restart" ] && [ "$2" = "wireless" ]; then
/jffs/scripts/YazFi bounceclients "$1" "$2" & # YazFi Guest Networks
fi
so it's only run when necessary? I doubt anything of value is gained except satisfying my OCD, but my OCD is a powerful thing. :) Obviously not asking you to violate the agreement, just want to know if you see a problem if I do that for my router?

Thanks
By all means, change away, but I have a feeling the mere presence of the service-event file will print to syslog.

The function being called checks if its a wireless restart event so I'm not running anything unnecessarily for non-relevant events.
 
By all means, change away, but I have a feeling the mere presence of the service-event file will print to syslog.

The function being called checks if its a wireless restart event so I'm not running anything unnecessarily for non-relevant events.
Oh, right ... heck I even print to syslog every time it's called (might remove that). I just wanted to make sure I hadn't missed another case in your code where it was used for something other than restart wireless. It's more to satisfy my desire for "cleanness" than anything else, I'm sure my added logger call is more overhead than is removed by not calling your script.
 
This is about client isolation on guest network:

This should already happen - are you able to ping between 2 devices on the guest?

Sorry, I was away for a month. Yes, I can ping between 2 devices. I set CLIENTISOLATION=true in the new config file (updated to latest version as of today 2.3.8). Is there anything I should look for that I might've missed?

Thanks!
 
This is about client isolation on guest network:



Sorry, I was away for a month. Yes, I can ping between 2 devices. I set CLIENTISOLATION=true in the new config file (updated to latest version as of today 2.3.8). Is there anything I should look for that I might've missed?

Thanks!
The client isolation setting isn't actually active (it's in the config file for a future update), but the default is to not allow client communication.

Could you post the following, please?

Code:
cat /jffs/configs/YazFi/YazFi.config
ebtables -L
ebtables -t broute -L
iptables -S YazFiFORWARD

Which network are the IoT devices on, and can you remind me which model of router, and which firmware please?
 
Sorry about not providing the router model beforehand. I'm running AC68U, Merlin 384_6 firmware. Only posting what's relevant, leaving out blank lines from config file. Only 1 2.4G guest network on subnet 10.100.2.0 for IoT devices. Router main network is on 10.100.100.0 subnet.

Config file:
wl01_ENABLED=true
wl01_IPADDR=10.100.2.0
wl01_DHCPSTART=50
wl01_DHCPEND=75
wl01_DNS1=10.100.2.1
wl01_DNS2=10.100.2.1
wl01_FORCEDNS=false
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=true

ebtables -L:
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-o wl0.1 -j DROP
-i wl0.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

ebtables -t broute -L:
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p ARP -i wl0.1 -j DROP
-p IPv6 -i wl0.1 -j DROP
-p IPv4 -i wl0.1 -j DROP

iptables -S YazFiFORWARD:
-N YazFiFORWARD
-A YazFiFORWARD -i wl0.1 -o wl0.1 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i br0 -o wl0.1 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i wl0.1 -o br0 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i wl0.1 -m state --state NEW -j ACCEPT

Thank you for the prompt reply for help :)
 
Last edited:
Sorry about not providing the router model beforehand. I'm running AC68U, Merlin 384_6 firmware. Only posting what's relevant, leaving out blank lines from config file. Only 1 2.4G guest network on subnet 10.100.2.0 for IoT devices. Router main network is on 10.100.100.0 subnet.

Config file:


ebtables -L:


ebtables -t broute -L:


iptables -S YazFiFORWARD:


Thank you for the prompt reply for help :)
That should be fine - which device(s) are you pinging from/to? Can you post the output of your ping please?
 
That should be fine - which device(s) are you pinging from/to? Can you post the output of your ping please?

A bit more info that may help. Items in "<>" are redacted for obvious reasons. /jffs/scripts/YazFi status:
YazFi: Querying router for connected WiFi clients...

---------------------------------------------------------------------------

INTERFACE: wl0.1
SSID: <Guest_IOT_Network>

HOSTNAME IP ADDRESS MAC
<Device1> 10.100.2.52 <MAC1>
<Device2> 10.100.2.75 <MAC2>
<Device3> 10.100.2.67 <MAC3>
<Device4> 10.100.2.57 <MAC4>
<Device5> 10.100.2.56 <MAC5>
---------------------------------------------------------------------------

YazFi: Query complete, please see above for results

If I temporarily connect my laptop to guest network and try to ping one of the IOT devices:

ip of laptop on guest: 10.100.2.55, ifconfig:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether <MAC>
inet6 <MAC> en0 prefixlen 64 secured scopeid 0x5
inet 10.100.2.55 netmask 0xffffff00 broadcast 10.100.2.255

Pinging from laptop to one of IOT devices - ping 10.100.2.75:
PING 10.100.2.75 (10.100.2.75): 56 data bytes
64 bytes from 10.100.2.75: icmp_seq=0 ttl=64 time=5.341 ms
64 bytes from 10.100.2.75: icmp_seq=1 ttl=64 time=4.027 ms
64 bytes from 10.100.2.75: icmp_seq=2 ttl=64 time=1.856 ms
64 bytes from 10.100.2.75: icmp_seq=3 ttl=64 time=2.690 ms
64 bytes from 10.100.2.75: icmp_seq=4 ttl=64 time=2.628 ms

--- 10.100.2.75 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.856/3.308/5.341/1.233 ms
 
A bit more info that may help. Items in "<>" are redacted for obvious reasons. /jffs/scripts/YazFi status:


If I temporarily connect my laptop to guest network and try to ping one of the IOT devices:

ip of laptop on guest: 10.100.2.55, ifconfig:


Pinging from laptop to one of IOT devices - ping 10.100.2.75:
Thanks, I'll dig out my laptop to test what's going on
 
Thanks, I'll dig out my laptop to test what's going on
Thank you!

If this helps, I tried pinging the IoT on guest network (10.100.2.0) from my laptop on the main network (10.100.100.0) and it went through.

laptop on main network, ifconfig:
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether <MAC>
inet6 <MAC> en0 prefixlen 64 secured scopeid 0x5
inet 10.100.100.120 netmask 0xffffff00 broadcast 10.100.100.255

ping 10.100.2.75 (guest iot) from 10.100.100.120:
PING 10.100.2.75 (10.100.2.75): 56 data bytes
64 bytes from 10.100.2.75: seq=0 ttl=64 time=3.361 ms
64 bytes from 10.100.2.75: seq=1 ttl=64 time=6.265 ms
64 bytes from 10.100.2.75: seq=2 ttl=64 time=2.176 ms
64 bytes from 10.100.2.75: seq=3 ttl=64 time=1.204 ms

--- 10.100.2.75 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.204/3.251/6.265 ms

More info on my setup. I run the following:

FreshJR_QOS script
Skynet 6.7.0
Diversion 4.0.7 with pixelserv-tls
Stubby DNA v1.0.1
 
Could you please send the full outputs of

iptables -t raw -S
iptables -S

Can you ping from wired to guest, out of interest?
 
Could you please send the full outputs of

iptables -t raw -S
iptables -S

Can you ping from wired to guest, out of interest?

Very interesting, I cannot ping guest (10.100.2.0) from wired only wireless, though both wired and wireless are on the same main subnet (10.100.100.0)

Wired (main network):
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 10.100.100.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.100.100.1

ping 10.100.2.75 (guest network)

Pinging 10.100.2.75 with 32 bytes of data:
Reply from 10.100.100.1: Destination port unreachable.
Reply from 10.100.100.1: Destination port unreachable.
Reply from 10.100.100.1: Destination port unreachable.
Reply from 10.100.100.1: Destination port unreachable.

Ping statistics for 10.100.2.75:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

iptables -t raw -S:
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP
-A PREROUTING -i eth0 -m set ! --match-set Skynet-Whitelist src -m set --match-set Skynet-Master src -j DROP
-A OUTPUT -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP

iptables -S:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N ACCESS_RESTRICTION
-N FUPNP
-N INPUT_ICMP
-N NSFW
-N OVPN
-N PControls
-N PTCSRVLAN
-N PTCSRVWAN
-N SECURITY
-N YazFiFORWARD
-N YazFiINPUT
-N YazFiREJECT
-N default_block
-N logaccept
-N logdrop
-N other2wan
-A INPUT -j YazFiINPUT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state NEW -j OVPN
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j logdrop
-A FORWARD -i br0 -o eth0 -p udp -m set --match-set Skynet-IOT src -m udp --dport 123 -j ACCEPT
-A FORWARD -i br0 ! -o tun+ -m set --match-set Skynet-IOT src -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j YazFiFORWARD
-A FORWARD ! -i br0 -o eth0 -j other2wan
-A FORWARD -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i eth0 -j SECURITY
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m state --state NEW -j OVPN
-A FORWARD -i br0 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j logdrop
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j logdrop
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j logdrop
-A SECURITY -j RETURN
-A YazFiFORWARD -i wl0.1 -o wl0.1 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i br0 -o wl0.1 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i wl0.1 -o br0 -m state --state NEW -j YazFiREJECT
-A YazFiFORWARD -i wl0.1 -m state --state NEW -j ACCEPT
-A YazFiINPUT -i wl0.1 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A YazFiINPUT -i wl0.1 -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A YazFiINPUT -d 10.100.100.5/32 -i wl0.1 -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment PixelServ -j ACCEPT
-A YazFiINPUT -i wl0.1 -p udp -m multiport --dports 67,123 -m state --state NEW -j ACCEPT
-A YazFiINPUT -i wl0.1 -m state --state NEW -j YazFiREJECT
-A YazFiREJECT -j REJECT --reject-with icmp-port-unreachable
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A other2wan -i tun+ -j RETURN
-A other2wan -j logdrop
 
Very interesting, I cannot ping guest (10.100.2.0) from wired only wireless, though both wired and wireless are on the same main subnet (10.100.100.0)

Wired (main network):


ping 10.100.2.75 (guest network)



iptables -t raw -S:


iptables -S:
Can you temporarily disable Skynet and retry your ping tests?

EDIT: Also, do you have IPv6 enabled?
 
Can you temporarily disable Skynet and retry your ping tests?

EDIT: Also, do you have IPv6 enabled?

I don't have ipv6 enabled.

Interesting results when I temporarily disable Skynet.

1) Ping from main wireless (10.100.100.x) to guest (10.100.2.x) > failed (this passed before)
2) Ping from main wired (10.100.100.x) to guest (10.100.2.x) > failed (this is unchanged)
3) Ping from guest (10.100.2.x) to guest (10.100.2.x) > pass (this is unchanged)

edit: not sure if this info will help but here goes anyway:

Guest network: all devices get IP through DHCP
Main network: all existing devices have a static ip, DHCP enabled for new devices (none connected that don't have static IP as of now)
 
I don't have ipv6 enabled.

Interesting results when I temporarily disable Skynet.

1) Ping from main wireless (10.100.100.x) to guest (10.100.2.x) > failed (this passed before)
2) Ping from main wired (10.100.100.x) to guest (10.100.2.x) > failed (this is unchanged)
3) Ping from guest (10.100.2.x) to guest (10.100.2.x) > pass (this is unchanged)
OK - so Skynet is preceding my rules and allowing traffic from br0 to wlX.X - though I must admit I can't see why. Perhaps @Adamm can shed some light on this

I'll look into point 3

I think I've stumbled on the reason...if it is, I need to find why I opted for it
 
Last edited:

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top