YazFi YazFi for IoT devices and control over network communication

[lluke]

I’m trying to restructure my network to improve security through segregations of devices (personal vs IoT) and I have some doubts to get answered before actually starting to implement it through YazFi (breaking the entire network for a couple of days for experimenting is not an option unfortunately).

I’ve so identified 5 classes of devices for which I’d like to properly manage their behaviour and capabilities inside my network.

Group	Interface	Internet Access	Client isolation	Access to	Accessible from
1. IoT Server/Hub	Ethernet	Y	N	IoT Manageable from local	IoT Manageable from local, Personal devices
2. IoT Manageable from remote only	WiFi (Guest #2)	Y	Y	No internal access	IoT Server/Hub
3. IoT Manageable from local	WiFi (Guest #3)	On demand (OTA updates)	Y	IoT Server/Hub	IoT Server/Hub, Personal Devices
4. Personal Devices	WiFi	Y	N	IoT Server/Hub, IoT Manageable from remote only, IoT Manageable from local	Personal Devices
5. Guest Personal Devices	WiFi (Guest #1)	Y	Y	No internal access	Not accessible from anyone

I’ve tried to achieve this only through the “basic” Asus Guest Networks plus some ebtables rules but I’ve failed like a noob, and so I’m evaluating to move to YazFi to achieve this setup.
My idea is to setup the 3 Guest Networks from YazFi as follow:

• GN 1 (Guest Personal Devices): Enabled, Router IP as DNS Server (I’m already using Unbound), One/Two way to guest disabled, Client Isolation enabled
• GN 2 (IoT Remote Only): Enabled, Router IP as DNS Server, One way to guest enabled, Client Isolation enabled
• GN 3 (IoT Local): Enabled, Router IP as DNS Server, Two way to guest enabled, Client Isolation enabled, Disable internet access for each device from Network map

Q1: Can you confirm this setup will let me achieve the needs described in the table above?

Q2: I’ve then a question about routing and multicast/mdns, can you confirm that since YazFi is not using VLANs but only subnetting if I enable One or Two Way Guest then I’ll be able to cast my content from clients on the standard WiFi network to a receiver connected to a Guest Network?

An additional point is then about IP Reservation, I’ll need to reserve a lot of IPs, as far as I understood the only way to achieve this is through the “dnsmasq.postconf” file.
Q3: Can you confirm there is no way to achieve this from the router’s UI, even by using YazDHCP?

 

[bennor]

Couple of comments. Generally YazFi should be able to do what you are seeking. You may have to so some additional scripting if you want to configure specific WiFi guest WiFi clients to have access to a specific LAN client. YazFi allows for this though it's Custom Firewall Rules. There are some discussions in other YazFi threads about how to use custom firewall rules to handle specific YazFi guest clients and or pass specific network traffic through the firewall to/from the LAN or WAN.

Currently YazDHCP doesn't affect static YazFi guest clients nor does the router's DHCP Manual Assignment GUI affect static YazFi guest clients. Jack Yaz has commented on it being planned to support YazFi in YazDHCP, but apparently hasn't been included yet. Currently one has to use a /jffs/scripts/dnsmasq.postconf file to create static/reserved IP addresses for YazFi clients. While it may take some time to properly setup the first time, unless one is constantly adding and removing YazFi guest clients to the file it should not be much of an issue to backup and restore if one needs to. See my post here with some general steps for doing static/reserved IP addresses with YazFi. Keep in mind you will not see the YazFi static IP mappings reflected in the Asus-Merlin Network Map. Instead they are reflected in the System Log > Wireless Log

Note that YazFi only deals with WiFi guest clients and traffic from/to them. YazFi won't isolate LAN clients and will not include LAN clients into YazFi's IP address scope.

 

[lluke]

Thanks a lot @bennor for the response and for the super useful links!

I’m now defining the subnets, the DHCP reservations, and the firewall rules I should use for my needs and then I’ll give YazFi a try.

About your last point on LAN clients isolation, I’m aware of it and it’s fine since I should be able to reach the IoT server (Homebridge) from any device connected to the (iPhone, iPad, Mac, and local IoT).

The only remaining doubt now is about multicast for casting (Google Chromecast), will it work if the Client is on the main network and the receiver is on a Guest network with One Way access enabled?

 

[bennor]

The only remaining doubt now is about multicast for casting (Google Chromecast), will it work if the Client is on the main network and the receiver is on a Guest network with One Way access enabled?

It should work. If one doesn't enable One Way to Guest or Two Way to Guest then as previously indicated one may have to use custom firewall rules as detailed in YazFi's github page and as others have discussed in other YazFi discussions.

 

[lluke]

I’ve finally managed to have some time to destroy and rebuild from scratch my network.
I’m 95% done applying the solution I was asking for in the first post, so we can say YazFi is definitely the solution for this kind of needs!

I’ve only the last point to solve, basically some IoT devices don’t accept very well to live on a different subnet than the bridge device.
They will work only if on the router the communication between the bridge and the device will be set as “MASQUERADE”, if I’m not wrong this means adding a NAT layer between these communications.

So that if I should add the rule below, is it compatible with YazFi? If yes, which is the best place to add this rule?

iptables -t nat -A POSTROUTING -s __IOT_HUB_IP__/32 -d __GUEST_2_SUBNET__/24 -p UDP -j MASQUERADE --to-ports 54321

 

[bennor]

So that if I should add the rule below, is it compatible with YazFi? If yes, which is the best place to add this rule?

iptables -t nat -A POSTROUTING -s __IOT_HUB_IP__/32 -d __GUEST_2_SUBNET__/24 -p UDP -j MASQUERADE --to-ports 54321

You could try using the YazFi custom firewall rules example file as a place to put that file. Per earlier post see the Custom Firewall Rules section of the YazFi GitHub for an example of the custom firewall rules file YazFi can use.

https://github.com/jackyaz/YazFi#custom-firewall-rules

 

[lluke]

You could try using the YazFi custom firewall rules example file as a place to put that file. Per earlier post see the Custom Firewall Rules section of the YazFi GitHub for an example of the custom firewall rules file YazFi can use.

https://github.com/jackyaz/YazFi#custom-firewall-rules

Ah-ah it works!!! Routing, integrations and HomeKit work like a charm also after a restart.

Mega thanks for the support @bennor , now I can finally say my network is properly segregated and secure!

 

[Chuckles67]

lluke: which one of the five groups did you put HomeKit devices on? How has this worked out for you? Thanks.