YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


Hi Jack. Hope that you are keeping well and staying safe!! Just wanted to ask a couple of queries that have cropped up over the past few weeks, as a result of some oddities with YazFi.

I've been having an issue that seems to happen quite rarely (say once a week max.) whereby any client connected to any guest network on the 5GHz band spontaneously loses internet access. I am using all 3 guest networks for 5GHz and only 1 for 2.4GHz. When this happens, only the 2.4GHz network, which is for IoT devices, has internet access. The 5GHz networks have a variety of settings for DNS, VPN (on and off) and client access/isolation, so I don't think the problem is necessarily related to any of these. The 'quick fix' is to reboot the router, then access is restored to normal. Next time this happens, is there a way that I can better debug what is going on here? Have you come across this issue before?

Also, I am using Pi-Hole on an RPi as my network-wide DNS server. I have noticed that the Pi-Hole is unable to resolve host names for devices connected to any of the guest networks. This is purely cosmetic, as I can easily discern which device is which, but I'm wondering why this occurs. The DHCP server is still being run on the Asus router, but the Pi-Hole can only fetch host names from devices on the same subnet. I would perhaps expect this to happen maybe on a guest network which has full isolation (such as a typical IoT setup). Any ideas?

Cheers
 
> Also, I am using Pi-Hole on an RPi as my network-wide DNS server. I have noticed that the Pi-Hole is unable to resolve host names for devices connected to any of the guest networks. This is purely cosmetic, as I can easily discern which device is which, but I'm wondering why this occurs. The DHCP server is still being run on the Asus router, but the Pi-Hole can only fetch host names from devices on the same subnet. I would perhaps expect this to happen maybe on a guest network which has full isolation (such as a typical IoT setup). Any ideas?
Couple of ways to handle it. First is to enable Conditional Forwarding in the Pi-Hole > Settings > DNS and fill in the two fields, save the changes, and see if the IP addresses resolve to their proper names rather than IP addresses in Pi-Hole. I had issues with this where it wouldn't populate the WiFi guest names correctly if at all. It was an Asus router issue in this instance.

Second option is to set up a hosts-type file on the Pi-Hole device so Pi-Hole pulls the correct names for each IP. This may require one to reserve IP addresses for each local network device, otherwise naming issues may arise. I made an earlier post on creating static IP addresses for YazFi WiFi clients here. Here is an example of how I did so on my Pi-Hole running on a Pi Zero W. This assumes one has connected to their Pi using SSH.

First, create an entry for lan.list in the 02-lan.conf file:
Code:
echo "addn-hosts=/etc/pihole/lan.list" | sudo tee /etc/dnsmasq.d/02-lan.conf

Next create the lan.list file and open it for editing:
Code:
sudo nano /etc/pihole/lan.list

Enter in the various IP addresses and the names you assign to each device:
Code:
127.0.0.1        PiZeroW
192.168.2.10     <device name 1>
192.168.2.20     <device name 2>
192.168.2.30     <device name 3>
192.168.3.30     <device name 4>
192.168.4.30     <device name 5>
<etc.>

Save the file in nano and then restart the Pi DNS:
Code:
sudo pihole restartdns

It may take a few minutes before the Pi-Hole begins using the updated device names from the newly created list file. The attached screen grab shows how Pi-Hole displays the device names using this list file. The two WyzeCam entries and the AmazonEchoDot are for devices connecting through the guest WiFi (YazFi) network (Wyze on 2.4 GHz, and Echo on 5 GHz).

It's a rather tedious process and one that has to be edited/updated each time one changes, adds or deletes devices from their local network. But it works.
 

Attachment: ScreenshotPi-holeAdminConsole.jpg
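The four steps above (write the addn-hosts directive, create lan.list, fill it with IP/name pairs, restart dnsmasq) can be collapsed into one script that also validates every entry before it is written, so that a mistyped address or a leftover placeholder such as "<device name 1>" never reaches dnsmasq. This is an added example and not bennor's or Pi-hole's own code; the two file paths mirror the post, while the reservation table and the device names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not bennor's or Pi-hole's own code: build the dnsmasq
# addn-hosts list from an IP-reservation table, validating every entry
# before it is written. The two paths mirror the post; the reservation
# table and the device names in it are constructed for illustration.

LAN_LIST="${LAN_LIST:-/etc/pihole/lan.list}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.d/02-lan.conf}"

# Constructed reservation table: "<ipv4> <hostname>", one entry per line.
RESERVATIONS='127.0.0.1 PiZeroW
192.168.2.10 wyzecam-front
192.168.2.20 wyzecam-back
192.168.4.30 echo-dot'

# valid_ipv4 IP: accept only a dotted quad whose four octets are in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_hostname NAME: letters, digits, '-' and '.', no leading or trailing
# '-', at most 63 characters. Placeholders such as "<device name 1>" fail here.
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# render_lan_list TABLE: print a hosts-file line for every valid entry, report
# each rejected entry on stderr, and return 1 if anything was rejected.
render_lan_list() {
    printf '%s\n' "$1" | {
        rejected=0
        while read -r ip name extra; do
            [ -z "$ip" ] && continue
            if [ -n "$extra" ] || ! valid_ipv4 "$ip" || ! valid_hostname "$name"; then
                echo "rejected entry: $ip $name $extra" >&2
                rejected=1
                continue
            fi
            printf '%-18s %s\n' "$ip" "$name"
        done
        return "$rejected"
    }
}

# install_lan_list ROOT: write the list and the addn-hosts directive below ROOT
# ("/" on a real Pi-hole; a scratch directory for a dry run). Nothing is
# installed if any entry was rejected, so a typo cannot silently shrink the list.
install_lan_list() {
    root=$1
    mkdir -p "$root$(dirname "$LAN_LIST")" "$root$(dirname "$DNSMASQ_CONF")"
    if ! render_lan_list "$RESERVATIONS" > "$root$LAN_LIST"; then
        rm -f "$root$LAN_LIST"
        echo "not installed: fix the rejected entries first" >&2
        return 1
    fi
    printf 'addn-hosts=%s\n' "$LAN_LIST" > "$root$DNSMASQ_CONF"
}

# Usage: sh lan-list.sh --check                 (print the rendered list)
#        sudo sh lan-list.sh --install && sudo pihole restartdns
case "${1:-}" in
    --check)   render_lan_list "$RESERVATIONS" ;;
    --install) install_lan_list / ;;
esac
```

Run it with `--check` first to see the rendered list and any rejected lines on stderr; `--install` writes the two files exactly as the post's manual steps do, after which `sudo pihole restartdns` is still needed. Editing the table at the top is the only maintenance the post's "tedious process" then requires.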
> Couple of ways to handle it. First is to enable Conditional Forwarding in the Pi-Hole > Settings > DNS and fill in the two fields, save the changes, and see if the IP addresses resolve to their proper names rather than IP addresses in Pi-Hole. I had issues with this where it wouldn't populate the WiFi guest names correctly if at all. It was an Asus router issue in this instance.

I've already set up the Conditional Forwarding and this works correctly with all devices on the main subnet - i.e. nothing will resolve on the guest networks. Sounds like this is not related to YazFi then.

Thanks for your second suggestion, however, I think I'll not bother with this, as it will only be something else that I'd need to keep up-to-date & maintain. A very interesting solution, nonetheless!
 
> Hi Jack. Hope that you are keeping well and staying safe!! Just wanted to ask a couple of queries that have cropped up over the past few weeks, as a result of some oddities with YazFi.
>
> I've been having an issue that seems to happen quite rarely (say once a week max.) whereby any client connected to any guest network on the 5GHz band spontaneously loses internet access. I am using all 3 guest networks for 5GHz and only 1 for 2.4GHz. When this happens, only the 2.4GHz network, which is for IoT devices, has internet access. The 5GHz networks have a variety of settings for DNS, VPN (on and off) and client access/isolation, so I don't think the problem is necessarily related to any of these. The 'quick fix' is to reboot the router, then access is restored to normal. Next time this happens, is there a way that I can better debug what is going on here? Have you come across this issue before?
>
> Also, I am using Pi-Hole on an RPi as my network-wide DNS server. I have noticed that the Pi-Hole is unable to resolve host names for devices connected to any of the guest networks. This is purely cosmetic, as I can easily discern which device is which, but I'm wondering why this occurs. The DHCP server is still being run on the Asus router, but the Pi-Hole can only fetch host names from devices on the same subnet. I would perhaps expect this to happen maybe on a guest network which has full isolation (such as a typical IoT setup). Any ideas?
>
> Cheers
can you send me diagnostics next time the networks end up in that state please?
 
Question - What does the Force DNS feature do?
And also - I set my guest network IP to 192.168.5.0 but I see that a device on that network is still using a 192.168.1.x address, why is that?
 
> Question - What does the Force DNS feature do?
The second post of the thread has brief explanations of what the options do. Also one can use the GUI page to see what the various options do by rolling one's mouse over an option and clicking to see the info.

wl01_FORCEDNS
Should Guest Network DNS requests be forced/redirected to DNS1? (true/false) N.B. This setting is ignored if sending to VPN, and VPN Client's DNS configuration is Exclusive

> And also - I set my guest network IP to 192.168.5.0 but I see that a device on that network is still using a 192.168.1.x address, why is that?
The Network Map of the Asus administration interface may not properly display the correct guest wifi IP listings (doesn't for me) when using the YazFi script. Instead I look at the System Log > DHCP Leases where the guest IP addresses are typically shown correctly.
 

Attachment: forcedns.jpg
> can you send me diagnostics next time the networks end up in that state please?

This issue happened again this morning, but I managed to track down the problem, which was not related to your script. It appears to be a problem associated with policy routing.
 
Hi, I have an issue with this and I wasn't sure if it was resolved. I set up a custom guest network and used the OpenDNS servers for the DNS, as I wanted to restrict my kids' internet as they are at home.

For some reason it just randomly drops; it shows connected but I can't connect to any websites.

I am connected on the 2.4 guest band and there's only one that was connected.

It is only 2 users connecting.

If someone else has had this scenario and can provide an answer, it will be much appreciated.
Thank you and have a nice day and be safe.

Sent from my SM-A505U1 using Tapatalk
 
Hello everyone! Sent here from the John 374.43 LTS thread... I can only find one (1) post by someone in the thread with an RT-N66U but it was a search hit in their post signature, so not even sure if YazFi will work on my router. Before I attempt it though, I realize YazFi started out for separating/adding guest WiFi networks, but can it help me get separate LANs set up? Is it possible to configure two of the four LAN ports for LAN1 and the other two ports for LAN2, where LAN1 and LAN2 don't connect/talk, both just share access with the WAN? Or will I need to look into setting up a pfSense box?
I'm wanting to put all my sketchy IoT crap on a separate network from my home devices.

Thanks,
Mike
 
> Before I attempt it though, I realize YazFi started out for separating/adding guest WiFi networks, but can it help me get separate LANs set up? Is it possible to configure two of the four LAN ports for LAN1 and the other two ports for LAN2, where LAN1 and LAN2 don't connect/talk, both just share access with the WAN?
The YazFi script deals with just WiFi. It does not affect or change (AFAIK) the LAN wired network ports.

The YazFi script is great for dealing with WiFi based IoT devices. For wired IoT devices one will probably have to look elsewhere for ways to separate those devices from the rest of the local network.
 
> Hello everyone! Sent here from the John 374.43 LTS thread... I can only find one (1) post by someone in the thread with an RT-N66U but it was a search hit in their post signature, so not even sure if YazFi will work on my router. Before I attempt it though, I realize YazFi started out for separating/adding guest WiFi networks, but can it help me get separate LANs set up? Is it possible to configure two of the four LAN ports for LAN1 and the other two ports for LAN2, where LAN1 and LAN2 don't connect/talk, both just share access with the WAN? Or will I need to look into setting up a pfSense box?
> I'm wanting to put all my sketchy IoT crap on a separate network from my home devices.
>
> Thanks,
> Mike

> The YazFi script deals with just WiFi. It does not affect or change (AFAIK) the LAN wired network ports.
>
> The YazFi script is great for dealing with WiFi based IoT devices. For wired IoT devices one will probably have to look elsewhere for ways to separate those devices from the rest of the local network.
Correct. While VLAN support for LAN ports would be nice, it is messy when supporting lots of models that use different port configurations etc.
 
> Hi, I have an issue with this and I wasn't sure if it was resolved. I set up a custom guest network and used the OpenDNS servers for the DNS, as I wanted to restrict my kids' internet as they are at home.
>
> For some reason it just randomly drops; it shows connected but I can't connect to any websites.
>
> I am connected on the 2.4 guest band and there's only one that was connected.
>
> It is only 2 users connecting.
>
> If someone else has had this scenario and can provide an answer, it will be much appreciated.
> Thank you and have a nice day and be safe.
>
> Sent from my SM-A505U1 using Tapatalk
Hi, can you PM me Diagnostics when this next happens please?
 
> Hi, can you PM me Diagnostics when this next happens please?
Hi Jack, so I will create another guest network, set up the OpenDNS IPs for the DNS and set up my kids' laptops to connect.

Then I go to the system log and cut and paste from the logfile when it bugs out, or is there a trace or diagnostic section of YazFi or another script to see?

Sent from my SM-A505U1 using Tapatalk
 
Is there a way to see the currently installed version from the web GUI? If not, can we please have that small feature? It is just much easier to check from the GUI as I have a monthly routine to update the Asus Merlin firmware. :)
 
I'm having teething problems with YazFi, but still hopeful to accomplish with it what I thought would require more routers!

I'm trying to use YazFi to run Home Assistant on the LAN with all my IoT devices on guest networks, and be able to connect to HA (and the IoT devices both directly and via HA) from my cell phone while away from home using OpenVPN. I can do that when everything is on the 192.168.10.x wifi.

Is this something I should be able to do using YazFi?

As a simple test, I enabled YazFi for guest1 (192.168.2.x) and put my Denon receiver on guest 1. From my wired (192.168.10.x) connection I can get to the receiver's webpage. Great!

I can access the receiver webpage via OpenVPN over the cellular network (slowly, maybe due to my poor cell reception at the house).

I can't access the receiver from the main (not guest) wifi network though.

I also can't access the internet through the guest wifi either, so I must have something wrong, as guest wifi can access the internet before enabling YazFi on it.

In Home Assistant I don't see the entities on the guest wifi that were visible on the LAN wifi.

In YazFi I have set One way to guest true. Force DNS = False, Redirect to VPN = False. Client isolation = false.

In the Merlin (384.16 on RT-AC86U) Guest WiFi setup I have set Access Intranet = enabled

(This is all with Diversion and Skynet disabled).

Has anyone got any tips for getting Home Assistant to work with IoT devices on a guest network? Also, should guest wifi be able to connect to the internet by just enabling YazFi on it?

(I've only started looking at YazFi in the last few days and it looks awesome. I just need to figure out what I'm doing wrong!)
 
No, AiMesh doesn't support Guest networks. Asus is supposed to be working on this, hopefully, it will be released soon(ish). :)
 
> I'm having teething problems with YazFi, but still hopeful to accomplish with it what I thought would require more routers!
>
> I'm trying to use YazFi to run Home Assistant on the LAN with all my IoT devices on guest networks, and be able to connect to HA (and the IoT devices both directly and via HA) from my cell phone while away from home using OpenVPN. I can do that when everything is on the 192.168.10.x wifi.
>
> Is this something I should be able to do using YazFi?
>
> As a simple test, I enabled YazFi for guest1 (192.168.2.x) and put my Denon receiver on guest 1. From my wired (192.168.10.x) connection I can get to the receiver's webpage. Great!
>
> I can access the receiver webpage via OpenVPN over the cellular network (slowly, maybe due to my poor cell reception at the house).
>
> I can't access the receiver from the main (not guest) wifi network though.
>
> I also can't access the internet through the guest wifi either, so I must have something wrong, as guest wifi can access the internet before enabling YazFi on it.
>
> In Home Assistant I don't see the entities on the guest wifi that were visible on the LAN wifi.
>
> In YazFi I have set One way to guest true. Force DNS = False, Redirect to VPN = False. Client isolation = false.
>
> In the Merlin (384.16 on RT-AC86U) Guest WiFi setup I have set Access Intranet = enabled
>
> (This is all with Diversion and Skynet disabled).
>
> Has anyone got any tips for getting Home Assistant to work with IoT devices on a guest network? Also, should guest wifi be able to connect to the internet by just enabling YazFi on it?
>
> (I've only started looking at YazFi in the last few days and it looks awesome. I just need to figure out what I'm doing wrong!)
Internet not working is a bit strange - pm me diagnostics please
 
Hi all, I'd like to start by thanking you all, I have learned a lot by reading this forum; and I'd particularly like to thank @Jack Yaz for writing YazFi, it's a fantastic script!

Like many others, I am using YazFi to isolate IoT devices from my main LAN's subnet. This includes a few Amazon Fire sticks that I have. The reason I'm posting is that I don't have a lot of knowledge regarding IP table rules, and I'm trying to create a pinhole to allow the AFTVs to connect to my Plex server on the main LAN on specific ports, but it doesn't seem to be working. It's unclear to me, in my ignorance, whether the issue is with my iptables settings or something else. If anyone could enlighten me, I'd appreciate it

I am running an RT-AC68U on the latest Merlin firmware, with the latest YazFi script.

My YazFi settings are as follows:
Code:
wl11_ENABLED=true
wl11_IPADDR=192.168.5.0
wl11_DHCPSTART=30
wl11_DHCPEND=220
wl11_DNS1=192.168.1.251
wl11_DNS2=9.9.9.9
wl11_FORCEDNS=true
wl11_REDIRECTALLTOVPN=false
wl11_VPNCLIENTNUMBER=1
wl11_TWOWAYTOGUEST=false
wl11_ONEWAYTOGUEST=true
wl11_CLIENTISOLATION=false

I have run the following commands without port restrictions, figuring once I get it working, I can tighten it down later:
Code:
iptables -I YazFiFORWARD -i wl1.1 -d 192.168.1.20 -j ACCEPT
iptables -I YazFiFORWARD -o wl1.1 -s 192.168.1.20 -j ACCEPT

Here is what is produced for YazFiFORWARD from the "iptables -L -v" command:
Code:
Chain YazFiFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  207 25966 ACCEPT     udp  --  any    wl1.1   192.168.1.251        anywhere             udp spt:domain
  207 12461 ACCEPT     udp  --  wl1.1  any     anywhere             192.168.1.251        udp dpt:domain
    0     0 ACCEPT     tcp  --  any    wl1.1   192.168.1.251        anywhere             tcp spt:domain
    0     0 ACCEPT     tcp  --  wl1.1  any     anywhere             192.168.1.251        tcp dpt:domain
  107 21990 ACCEPT     all  --  wl1.1  !eth0   anywhere             anywhere             state RELATED,ESTABLISHED
  191 43528 ACCEPT     all  --  !eth0  wl1.1   anywhere             anywhere
  167  9836 YazFiREJECT  all  --  wl1.1  !eth0   anywhere             anywhere
  885  214K ACCEPT     all  --  wl1.1  any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    wl0.1   192.168.1.251        anywhere             udp spt:domain
    0     0 ACCEPT     udp  --  wl0.1  any     anywhere             192.168.1.251        udp dpt:domain
    0     0 ACCEPT     tcp  --  any    wl0.1   192.168.1.251        anywhere             tcp spt:domain
    0     0 ACCEPT     tcp  --  wl0.1  any     anywhere             192.168.1.251        tcp dpt:domain
    0     0 ACCEPT     all  --  wl0.1  !eth0   anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  !eth0  wl0.1   anywhere             anywhere
    0     0 YazFiREJECT  all  --  wl0.1  !eth0   anywhere             anywhere
    0     0 ACCEPT     all  --  wl0.1  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    wl1.1   192.168.1.20         anywhere
    0     0 ACCEPT     all  --  wl1.1  any     anywhere             192.168.1.20

I would expect that this would allow Plex to get through on any port with any type of request. However, when watching a movie on Plex, it says it's sending the video remotely (I have external port forwarding set for it, too - could this be what's causing the issue?).

TIA for any advice.

EDIT
This does NOT appear to be an issue with my YazFi settings, as far as I can tell. I am able to connect my laptop to the Guest Network and access 192.168.1.20 via SSH, but cannot ping/SSH to any other IPs across the 192.168.1.X range, which are the results I would expect with these settings. I'll have to dig in on the Plex side, looks like. If anyone else has experienced something similar, though, I'd appreciate any insights they might have to offer.

Edit 2 - FIXED
FWIW, to anyone else experiencing this issue, this was a configuration issue in Plex. The way to fix it was to log in as an administrator in the Plex application, and navigate to Server->Settings->Network; there I changed the LAN Networks to "192.168.1.1/24,192.168.5.1/24" in order to explicitly define which IP origins should be considered LAN. This appears to have worked for me.

Final port settings for iptables (I'll probably trim these down a little later, but this works for now):
Code:
    0     0 ACCEPT     udp  --  any    wl1.1   192.168.1.20         anywhere             multiport dports 17827,32400,32443,32410,32412,32413,32414,32469
 1194  813K ACCEPT     tcp  --  any    wl1.1   192.168.1.20         anywhere             multiport sports 32400,32443
    0     0 ACCEPT     udp  --  wl1.1  any     anywhere             192.168.1.20         multiport dports 17827,32400,32443,32410,32412,32413,32414,32469
 1036  163K ACCEPT     tcp  --  wl1.1  any     anywhere             192.168.1.20         multiport dports 32400,32443

Edit 3
For those facing the same problem that come across this post via Google search, there is an excellent suggestion by bennor on the next page if you are using multiple IoT devices on the same Guest WiFi (assuming you are using IP reservations):
> May want to not specify the entire guest WiFi range in Plex, and just specify the specific IP address for the Fire Stick. That way only the one IoT device (Fire Stick) on the guest network has access to the Plex rather than all guest WiFi devices (on that IP address subnet) possibly having access.
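The post's pinhole went through three stages: a wide-open pair of rules for 192.168.1.20, a port-restricted set, and finally bennor's advice to scope access to the one Fire Stick rather than the whole guest subnet. The script below is an added example that is not the poster's or YazFi's own code: it generates rules that combine the last two stages (one source host, the Plex ports only), inserts them at the head of YazFiFORWARD so they precede the YazFiREJECT jump, and uses `iptables -C` so that running it twice does not duplicate rules. The interface, server address and ports are taken from the post; the Fire Stick address 192.168.5.30 is a constructed reservation, the UDP list is a subset of the post's ports, and the `IPTABLES` variable exists so the logic can be dry-run against a stand-in command.

```shell
#!/bin/sh
# Added example, not the poster's or YazFi's own commands: generate a Plex
# pinhole for the YazFiFORWARD chain that is scoped to one reserved guest
# client, and apply it idempotently. Interface, server and ports are taken
# from the post; the Fire Stick address 192.168.5.30 is a constructed
# reservation, and IPTABLES can be pointed at a stand-in for dry runs.

IPTABLES="${IPTABLES:-iptables}"
GUEST_IF="${GUEST_IF:-wl1.1}"            # YazFi guest interface in the post
PLEX_HOST="${PLEX_HOST:-192.168.1.20}"   # Plex server on the main LAN
CLIENT_IP="${CLIENT_IP:-192.168.5.30}"   # constructed: reserved IP of the Fire Stick
TCP_PORTS="32400,32443"                  # from the post's final rule set
UDP_PORTS="32410,32412,32413,32414"      # subset of the post's final rule set

# pinhole_rules: print one rule specification per line. Only new connections
# from CLIENT_IP to PLEX_HOST on the listed ports are opened; in the chain
# listing in the post (ONEWAYTOGUEST=true) the "ACCEPT all -- !eth0 wl1.1"
# rule already carries LAN-side replies back to the guest interface, so no
# reverse rule is added here.
pinhole_rules() {
    printf 'YazFiFORWARD -i %s -s %s -d %s -p tcp -m multiport --dports %s -j ACCEPT\n' \
        "$GUEST_IF" "$CLIENT_IP" "$PLEX_HOST" "$TCP_PORTS"
    printf 'YazFiFORWARD -i %s -s %s -d %s -p udp -m multiport --dports %s -j ACCEPT\n' \
        "$GUEST_IF" "$CLIENT_IP" "$PLEX_HOST" "$UDP_PORTS"
}

# apply_pinhole: insert each rule at the head of the chain (-I with no rule
# number) so it sits before the YazFiREJECT jump, skipping any rule that
# "iptables -C" reports as already present. Re-running never duplicates rules.
apply_pinhole() {
    pinhole_rules | while read -r spec; do
        # $spec is intentionally unquoted so it splits into iptables arguments
        if $IPTABLES -C $spec 2>/dev/null; then
            echo "present: $spec"
        else
            $IPTABLES -I $spec && echo "added: $spec"
        fi
    done
}

# Usage: sh plex-pinhole.sh --show     (print the rules without applying)
#        sh plex-pinhole.sh --apply    (needs root on the router)
# Rules inserted by hand do not survive a firewall restart; run the script
# from whichever firewall hook your setup uses so they are re-applied.
case "${1:-}" in
    --show)  pinhole_rules ;;
    --apply) apply_pinhole ;;
esac
```

Compared with the post's first attempt (`-d 192.168.1.20 -j ACCEPT` for every guest client and every port), the generated rules expose only the Plex ports and only to the one reserved client, which is what bennor's suggestion amounts to at the firewall rather than in Plex's LAN Networks setting. The `iptables -L -v` counters, as the post used them, remain the quickest check that traffic is actually hitting the new rules.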
 