YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

Hi all, I'd like to start by thanking you all, I have learned a lot by reading this forum; and I'd particularly like to thank @Jack Yaz for writing YazFi, it's a fantastic script!

Like many others, I am using YazFi to isolate IoT devices from my main LAN's subnet. This includes a few Amazon Fire sticks that I have. The reason I'm posting is that I don't have a lot of knowledge regarding IP table rules, and I'm trying to create a pinhole to allow the AFTVs to connect to my Plex server on the main LAN on specific ports, but it doesn't seem to be working. It's unclear to me, in my ignorance, whether the issue is with my iptables settings or something else. If anyone could enlighten me, I'd appreciate it

I am running an RT-AC68U on the latest Merlin firmware, with the latest YazFi script.

My YazFi settings are as follows:

wl11_ENABLED=true
wl11_IPADDR=192.168.5.0
wl11_DHCPSTART=30
wl11_DHCPEND=220
wl11_DNS1=192.168.1.251
wl11_DNS2=9.9.9.9
wl11_FORCEDNS=true
wl11_REDIRECTALLTOVPN=false
wl11_VPNCLIENTNUMBER=1
wl11_TWOWAYTOGUEST=false
wl11_ONEWAYTOGUEST=true
wl11_CLIENTISOLATION=false

I have run the following commands without port restrictions, figuring once I get it working, I can tighten it down later:

iptables -I YazFiFORWARD -i wl1.1 -d 192.168.1.20 -j ACCEPT
iptables -I YazFiFORWARD -o wl1.1 -s 192.168.1.20 -j ACCEPT

Here is what is produced for YazFiFORWARD from the "iptables -L -v" command:

Chain YazFiFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  207 25966 ACCEPT     udp  --  any    wl1.1   192.168.1.251        anywhere             udp spt:domain
  207 12461 ACCEPT     udp  --  wl1.1  any     anywhere             192.168.1.251        udp dpt:domain
    0     0 ACCEPT     tcp  --  any    wl1.1   192.168.1.251        anywhere             tcp spt:domain
    0     0 ACCEPT     tcp  --  wl1.1  any     anywhere             192.168.1.251        tcp dpt:domain
  107 21990 ACCEPT     all  --  wl1.1  !eth0   anywhere             anywhere             state RELATED,ESTABLISHED
  191 43528 ACCEPT     all  --  !eth0  wl1.1   anywhere             anywhere
  167  9836 YazFiREJECT  all  --  wl1.1  !eth0   anywhere             anywhere
  885  214K ACCEPT     all  --  wl1.1  any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    wl0.1   192.168.1.251        anywhere             udp spt:domain
    0     0 ACCEPT     udp  --  wl0.1  any     anywhere             192.168.1.251        udp dpt:domain
    0     0 ACCEPT     tcp  --  any    wl0.1   192.168.1.251        anywhere             tcp spt:domain
    0     0 ACCEPT     tcp  --  wl0.1  any     anywhere             192.168.1.251        tcp dpt:domain
    0     0 ACCEPT     all  --  wl0.1  !eth0   anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  !eth0  wl0.1   anywhere             anywhere
    0     0 YazFiREJECT  all  --  wl0.1  !eth0   anywhere             anywhere
    0     0 ACCEPT     all  --  wl0.1  any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    w11.1   192.168.1.20         anywhere
    0     0 ACCEPT     all  --  w11.1  any     anywhere             192.168.1.20

I would expect that this would allow Plex to get through on any port with any type of request. However, when watching a movie on Plex, it says it's sending the video remotely (I have external port forwarding set for it, too - could this be what's causing the issue?).

TIA for any advice

Try adding the YazFi subnet range to Plex's local network:

 

[lamentary]

Try adding the YazFi subnet range to Plex's local network:
View attachment 22560

Thanks, @Jack Yaz! I got it working

 

[Xsvrg]

I got YazFi showing up twice in guest networks. Is this a problem?

Recently I just updated stuff through amtm, nothing unusual.

 

[L&LD]

@Xsvrg you need to reboot the router.

 

[Xsvrg]

Now I don't see YazFi at all

 

[L&LD]

Did you configure it?

 

[Bubbles]

Internet not working is a bit strange - pm me diagnostics please

Turned out to be some stale AiMesh setting causing the firewall to be constantly restarting. Solved with a factory reset as AiMesh settings aren't accessible.

If you see something like:

rc_service: amas_lib 1166:notify_rc restart_firewall

repeatedly appearing in system log, and you lose guest wifi ability to reach the internet, then try a factory reset.

Thanks Jack for figuring that out!

 

[Jack Yaz]

Now I don't see YazFi at all

Check syslog, it should show YazFi running or not after a reboot. Which router and firmware?

 

[Xsvrg]

Check syslog, it should show YazFi running or not after a reboot. Which router and firmware?

It ended up randomly appearing again after I went back and forth through a few unrelated menus in the router. 68u btw.
Seems to work fine now.

 

[bennor]

Edit 2 - FIXED
FWIW, to anyone else experiencing this issue, this was a configuration issue in Plex. The way to fix it was to login as an administrator in the Plex application, and navigate to Server->Settings->Network, there I changed the LAN Networks to "192.168.1.1/24,192.168.5.1/24" in order to explicitly define which IP origins should be considered LAN. This appears to have worked for me.

May want to not specify the entire guest WiFi range in Plex, and just specify the specific IP address for the Fire Stick. That way only the one IoT device (Fire Stick) on the guest network has access to the Plex rather than all guest WiFi devices (on that IP address subnet) possibly having access.

 

[lamentary]

May want to not specify the entire guest WiFi range in Plex, and just specify the specific IP address for the Fire Stick. That way only the one IoT device (Fire Stick) on the guest network has access to the Plex rather than all guest WiFi devices (on that IP address subnet) possibly having access.

This is a great suggestion. In my case, that particular guest network is only used for streaming devices, and I didn't bother with IP reservations for them, but it's a good idea for scenarios in which different types of IoT devices are on a given guest network and IP reservations are used.

 

[Calkulin]

Picked up an RT-AX56U and the script seems to be working fine with the exception that client isolation does cause the Wi-Fi to reboot constantly but I'm guessing that's probably the same issue the RT-AX88U has

 

[L&LD]

@Calkulin, no. That isn't an issue here with my RT-AX88U.

 

[distilled]

Try adding the YazFi subnet range to Plex's local network:
View attachment 22560

Thanks for this. You just fixed the only outstanding issue that I have experienced with YazFi, and it was embarrassingly simple to do. I have seen and ignored that Plex setting a dozen times.

 

[Dee dee]

Hi, can you PM me Diagnostics when this next happens please?

Jack, PMing you just played around with it now before going to bed. DNS drops all req's, I wonder what is causing it.

I'll pm you the file as requested and thanks for your help.

 

[Jack Yaz]

For any other PiHole users, @lamentary has very kindly written up the process here: https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-Pi-hole-and-ARP-records

 

[Chris_J]

Good guide, especially with the point regarding adding the exception in the DNSFilter.

I only skim-read this, but I don't see any mention that for YazFi networks, you have to force the DNS setting in the YazFi configuration file, as guest networks seem to bypass the DNSFilter, much to my surprise.

Once you have this set up and working, you can even get Wireguard running on the Pi and have all that traffic routing through the PiHole too.

 

[bennor]

For any other PiHole users, @lamentary has very kindly written up the process here: https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-Pi-hole-and-ARP-records

Pretty good write up. Not sure what "Subnet Name Resolution/ARP settings for LAN clients" accomplishes though when one is using static IP addresses. Been running Pi Hole with static guest IP's and the Pi Hole resolves the name correctly per methods previously posted earlier in the thread (here and here).

Also, no mention of setting the Asus/Merlin LAN > DHCP Server > DNS and WINS Server Settings > Advertise router's IP in addition to user-specified DNS to "No". If one doesn't set this option to No then the router shows up as a third DNS server potentially bypassing the Pi-Hole both on the local LAN and any Guest YazFi LAN.

 

[lamentary]

Not sure what "Subnet Name Resolution/ARP settings for LAN clients" accomplishes though when one is using static IP addresses. Been running Pi Hole with static guest IP's and the Pi Hole resolves the name correctly per methods previously posted earlier in the thread (here and here).

This is a valid point, I am very new to the process of setting up subnets, using YazFi, and SSH commands in Asuswrt-Merlin. This was how I got the Pi-Hole to recognize the subnets in my environment, and I hadn't come across those posts while setting up my configuration (nor do I use static IPs in my setup). Feel free to add those references to the wiki entry, or I will later as I find time.

Also, no mention of setting the Asus/Merlin LAN > DHCP Server > DNS and WINS Server Settings > Advertise router's IP in addition to user-specified DNS to "No". If one doesn't set this option to No then the router shows up as a third DNS server potentially bypassing the Pi-Hole both on the local LAN and any Guest YazFi LAN.

Good call out. I'll work on a second draft later (perhaps this weekend). It is referenced in one of the links, but deserves to be specifically called out here, too.

 

[lamentary]

...but I don't see any mention that for YazFi networks, you have to force the DNS setting in the YazFi configuration file, as guest networks seem to bypass the DNSFilter, much to my surprise

Mine, too. In fact, I was unaware of this. I had the explicit setting in the YazFi config prior to attempting to work through name resolution, and had never taken that off. I'll make sure to add that.