YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


Does anybody know what the iptables are to get a guest network to be able to query a local intranet dns server (pihole)?
Wireless Guest 2 - 2.4GHz is on, which is wl0.2, the DNS server 192.168.1.2 is given out by the router, but nothing I try will allow a device connected to that WiFi to be able to query the DNS server because it is on the intranet side.
Should work out of the box if configured correctly. Please send diagnostics.

Another user had to set their PiHole to listen on all interfaces (I'm unfamiliar with PiHole's configuration), so that may be something to check as well.
 
Testing by trying to access the web interface of the NAS (192.168.1.5) and the router while connected to the guest network with a DHCP IP address of 192.168.2.20.
Diagnostics please. Are you able to ping the NAS? Does the NAS have its own firewall - it might be blocking traffic from subnets different to the one it's on?
 
Should work so long as you use the Pi-Hole IP address(es) for wl0x_DNS1 and wl0x_DNS2 and wl1x_DNS1 and wl1x_DNS2. You may also need to make sure wl0x_FORCEDNS and wl1x_FORCEDNS are set to true.

Running Pi-Hole and have no problems with the guest wifi clients using it with the YazFi script.
 
YazFi 3.2.0 is now available
Code:
Implement md5sum check for updates
Edit SSID and Passphrase of Guest Networks
Improved validation when reading nvram
Code refactoring
Various fixes and improvements to functions

I'm too old to say 'woo hoo!', but I can't seem to help it. Thank you very, very much! :D:D:D
 
Thank you Jack Yaz, installed the script and tested by enabling one of the guest WiFi networks and setting DNS and forcedns. It allows the devices to reach the intranet DNS server now, and no other services on that server. Perfect...

As much as I appreciate all the hard work that is going into this, the script is far more than I am needing. Would you mind explaining how you are allowing the guest network to access the internal DNS and nothing else? I've been trying hard by searching for the correct iptables or ebtables to allow that to function but with no luck. I just wanted to keep it as basic as possible. I don't mind that the guests share the same IP pool as the rest of the devices; I like being able to see the guest devices on the Network Map. I got very close to getting it working by using ebtables: all devices on the guest network were still isolated and could not access any other device on the intranet, but they could finally talk to the internal DNS server. BUT they could access all ports on that DNS server, like ping it, web interface, all of which I would want blocked. So although close, even this didn't work. I know this has nothing to do with your project, but you seem to be the most knowledgeable I've come across on this as your implementation actually works, just with a ton more bells and whistles and design change :)

ebtables -I FORWARD -p ARP --arp-ip-src 192.168.1.2 -j ACCEPT
ebtables -I FORWARD -p ARP --arp-ip-dst 192.168.1.2 -j ACCEPT
ebtables -A FORWARD -i wl0.2 -j DROP
ebtables -A FORWARD -o wl0.2 -j DROP
 
Yeah thanks again Jack Yaz! I updated to the latest and all is well. I'm using yazfi to subnet off my guests, and also provide an ssid that goes through a vpn client. It's nice knowing there's more separation between "bad guests" and my lan, and having the policy based vpn route makes it easy for me to switch between "safe" and "paranoid" mode easily without having to change router settings. It seems like firefox dnssec/dot/doh/esni may be the way to go in the end for truly paranoid browsing, but it is nice to be able to switch from vpn client to isp+stubby easily.

On a side note, while I was at it I saw your kvic ntpd installer showed up in AMTM. I've been running a basic ntpd script forever and it's been working fine, but I'm tempted to switch over to the fancy graphic version just to eliminate a few more steps if/when I have to set up a new router, LOL. Though honestly I feel like doing that would leave me even further 'disconnected' from my (albeit limited) router scripting skills. You know the saying... one must suffer the arts. ;)

Kev
 
I'm not sure I understand the benefits of YazFi.

This is my current setup:
  • regular WiFi network for my PC, phones, and tablets
  • 2.4 GHz guest network for my IoT devices, with access to intranet
  • 2.4 GHz guest network for visitors, without access to intranet

Can this setup be improved using YazFi? How?
 
I'm sure you read post #1.
 
Yes, but like I said, I'm not sure I understand.

For example, what's the difference between these?
  • default Guest network with intranet access off
  • restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
Additionally, if YazFi is restricting more, would this break my IoT setup?
 
'Intranet access off' may include full internet access. Otoh, restricting to just ntp, for example, means devices can get time updates from the internet, but won't be allowed to 'phone home' via TCP or other protocol. This can be much safer than just allowing a device that only needs ntp to have full internet access.

Yes yazfi CAN break an iot setup, but there are too many variables to know if it would or not depending on how you config it. That said, with proper config I am sure yazfi can be implemented for a more secure iot setup without issues. How it could improve your setup is a big subject... suggest researching forums+google for ideas.

Bottom line, even without fancy config, isolating your guests on a separate subnet is a big step up in security (vs just using routing tables to drop traffic on one subnet).
 
It may depend on your IoT device.

Here is an example of how YazFi actually helped with an IoT (Amazon Echo) device. I set up a Pi-Hole on my local network and tried to route all DNS requests to it using the standard Asus firmware. I put the IoT device on a guest network to isolate it from the main LAN. Found out that even though you specify your own DNS servers, the Asus firmware adds the router IP address as another DNS server. It appears (if I remember right) that the guest network in the standard Asus firmware, with LAN isolation, wouldn't use the user-supplied DNS servers but would use the Asus router as the DNS server. This means some DNS requests, including the IoT DNS requests, would bypass the Pi-Hole. So I loaded the Merlin firmware since it has an option to force all DNS requests to the DNS servers one specifies. The Merlin firmware truly isolated the IoT from the main network so the IoT device couldn't access the user-supplied DNS servers. It partially crippled the Amazon Echo. I could no longer access certain Amazon Echo features/skills.

By using YazFi on the Merlin firmware I was able to manually assign the Pi-Hole address as a DNS to the guest clients, so the IoT DNS traffic is now routed through the Pi-Hole (and being filtered) and all is working again.
 
Also, sort of the reverse of what bennor said... I use Diversion ad blocking on my router for all my lan clients. Normally guests would also have ad blocking since dhcp pushes the router ip for DNS to clients. Some of my guests swear their pages don't work right through diversion (I verified they are trippin... they just want to see ads, lol?!). So to set their mind at ease, instead of explaining what is going on with diversion, I setup a 'sophomoricGuest' wifi with yazfi that just uses cloudflare directly, so those guests can feel cozy seeing ads.
 
@Jack Yaz how can I manually assign an IP to a device on a YazFi guest network? This is impossible via the web GUI DHCP Server page because it won't allow specifying IPs on a different subnet. My reason is I want to apply firewall blocking rules to an IoT device, which requires a static DHCP reserved IP.


Edit: actually I'd also like to know if Skynet supports devices on YazFi guest networks (i.e. different subnets)?
 
Thanks for the information. It appears to be working now after some tweaking. :)

For others who want to do the same, here are the steps I used (there may be better/other ways) to set up static IP addresses for a single 2.4GHz and single 5GHz Guest WiFi network. Note this assumes one has created the Guest WiFi networks in the Asus Merlin administrator interface. Obviously have the YazFi script installed, configured and running properly with the guest WiFi clients connected to the guest WiFi network(s). And the below assumes you have an SSH connection to the Asus router.

Edit/create the dnsmasq.postconf file:
Code:
nano /jffs/scripts/dnsmasq.postconf

Add in the following code, with your guest client static IP address, MAC address and device name. In my case (in the example below) I have two static IP addresses. Add additional lines for additional static IP addresses. Note: Make sure to use the correct IP address range from the YazFi config file. In my case the main Asus router IP range is 192.168.2.x. The guest WiFi networks use the ranges 192.168.3.x and 192.168.4.x respectively. Replace the "XX:XX:XX:XX:XX:XX" with the guest client MAC address.
Code:
#!/bin/sh
CONFIG=$1
# Merlin helper that provides pc_append (appends a line to the generated config)
source /usr/sbin/helper.sh
# One static DHCP reservation per guest client: MAC,IP,name.
# Replace XX:XX:XX:XX:XX:XX with the client MAC and use an IP inside the
# guest network's range from the YazFi config (here 192.168.3.x / 192.168.4.x).
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.3.2,devicename" "$CONFIG"
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.4.2,devicename" "$CONFIG"

Change dnsmasq.postconf file permission so it can be run when the router is rebooted:
Code:
chmod a+x /jffs/scripts/dnsmasq.postconf
Note: Failure to appropriately change the file permission will result in the dnsmasq.conf file not being updated with the guest static IP information.

Reboot the router.

After the router reboots, one can check if the dnsmasq.conf file was updated with the YazFi guest WiFi static IPs (see end of file):
Code:
cat /etc/dnsmasq.conf

Troubleshooting:
Initially I ran into a problem (somehow) where the WiFi settings got corrupted on the Asus router when first working through setting up YazFi and trying to set a guest static IP. The router wired LAN network worked when I set a static IP address on a wired client, but wireless clients could not connect to WiFi. The workaround was to use a wired network client configured with a static IP address in the client OS and then, if there was an error, edit the dnsmasq.conf file to remove the YazFi content and YazFi guest static IP content and reboot the router:
Code:
nano /etc/dnsmasq.conf
If that doesn't work one may have to remove the YazFi script through the YazFi GUI and reboot the router. Then one can try the process again by installing the YazFi script and performing the actions previously detailed to set a guest static IP address.

Additional Notes:
The underlying reason for using YazFi was due to an Amazon Echo connected to the Guest WiFi failing to work properly when connected to an Asus router running Merlin firmware configured as follows: using Pi-Hole for DNS, Advertise router's IP in addition to user-specified DNS set to No, and the Guest WiFi Access Intranet setting set to Off for each guest network. The problem was the Echo couldn't run DNS requests through the Pi-Hole so the request would fail. While the initial YazFi script would allow the Echo to work properly when using local network DNS servers, I wanted the ability to set Guest WiFi devices to static IPs. The previously detailed steps above now allow the Echo to work properly with a static IP address and contact the local network Pi-Hole for DNS requests.

Hopefully this info will help others who faced a similar problem with a Guest WiFi device and static IPs.
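A small helper, added here as an example and not part of the post above or of YazFi, that generates the dhcp-host lines used in dnsmasq.postconf and enforces the note about using the guest network's own IP range: each reservation is checked for a well-formed MAC and for an address inside the guest /24 before it is printed. The MACs, subnets and device names are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of YazFi or the post above: build "dhcp-host="
# reservation lines for YazFi guest clients and refuse any whose address is
# outside the guest network's /24, so a typo cannot land a reservation in
# the main LAN range. All MACs and subnets below are constructed samples.

# valid_mac MAC -> succeeds if MAC is six colon-separated hex pairs
valid_mac() {
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# in_subnet IP NET -> succeeds if IP is a usable host address in NET's /24
# (NET given as the network address, e.g. 192.168.3.0 for a YazFi guest;
# .0, .1 (the YazFi gateway) and .255 are rejected)
in_subnet() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "${1%.*}" = "${2%.*}" ] || return 1
    host=${1##*.}
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# reservation MAC IP NET NAME -> prints one dhcp-host line or fails loudly
reservation() {
    valid_mac "$1" || { echo "rejected: malformed MAC $1" >&2; return 1; }
    in_subnet "$2" "$3" || { echo "rejected: $2 is not in $3/24" >&2; return 1; }
    echo "dhcp-host=$1,$2,$4"
}

# Demo with constructed values: the first two are accepted; the third is
# rejected because 192.168.2.50 is in the main LAN range, not the guest's.
reservation 02:00:00:00:00:01 192.168.3.2 192.168.3.0 iot-echo
reservation 02:00:00:00:00:02 192.168.4.2 192.168.4.0 iot-plug
reservation 02:00:00:00:00:03 192.168.2.50 192.168.3.0 wrong-subnet || true
```

Each accepted line is exactly the string the pc_append calls in dnsmasq.postconf hand to dnsmasq, so the output can be pasted into that file once it passes the checks.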

I smell a possible feature...

The addition of this feature would be greatly appreciated by me, myself and I. In the meantime I will try this method suggested by @bennor to manually assign IPs to IoT devices so I can block their net access.
 
Jack Yaz,

Thanks for building this script. I've been checking on these forums periodically trying to set up my guest network outside my VPN. I read the wiki pages, but was hesitant to start mucking with my router configs. Your script worked like a charm and did the hard stuff for me. Much appreciated. Donated via PayPal.
 
No problem, happy to hear that it's helping another user!
 
I can code something to use with the existing dnsmasq.conf.add code and then be a bit clever with grep and sed :)
 