
YazFi NAT rules are getting overwritten

321Kami

New Around Here
Some time ago I upgraded YazFi to the 4.4.5 (develop) version to address the WebUI not scrolling properly issue. After that I started to see clients on my guest network being disconnected every 10 minutes, so I started debugging what the reason was. In the logs I found that the YazFi check mechanism is triggering reconfiguration due to "firewall rules not detected during persistence check, re-applying rules".
Digging deeper, I found out that the checking code was improved between 4.4.4 and 4.4.5.
4.4.4 version:
Bash:
        if ! iptables -nL | grep -q "YazFi"; then
            Check_Lock
            Print_Output true "$SCRIPT_NAME firewall rules not detected during persistence check, re-applying rules" "$WARN"
            Config_Networks
            Clear_Lock
            exit 0
        fi
4.4.5 version:
Bash:
        ##----------------------------------------##
        ## Modified by Martinski W. [2024-Jan-06] ##
        ##----------------------------------------##
        if echo "$IFACELIST" | grep -qE "wl[0-3][.][1-3]" && \
           { ! iptables -t nat -nL | grep -q "YazFi"    || \
             ! iptables -t nat -nL | grep -wq "YazFi"   || \
             ! iptables -t filter -nL | grep -q "YazFi" || \
             ! iptables -t filter -nL | grep -wq "YazFi"
           }
        then
            Check_Lock
            Print_Output true "$SCRIPT_NAME firewall rules were not detected during persistence check, re-applying rules" "$ERR"
            Config_Networks
            Clear_Lock
            exit 0
        fi
And the new code detects that the YazFi NAT rules are gone and reconfigures the guest networks.
I started to monitor iptables, and after reconfiguration the rules are getting overwritten within ~2-8 minutes, so every YazFi check triggers the reconfiguration mechanism to restore the NAT rules.
Only NAT rules are affected; filtering rules are persistent.

I temporarily reverted this change on my router and I don't see negative effects, but I might be missing something. Here are the settings being wiped out:
Code:
MASQUERADE  all  --  192.168.13.0/24      192.168.13.0/24      /* YazFi 2.4GHz 3 */
MASQUERADE  all  --  192.168.13.0/24      192.168.2.0/24       /* YazFi 2.4GHz 3 to LAN */
MASQUERADE  all  --  192.168.2.0/24       192.168.13.0/24      /* LAN to YazFi 2.4GHz 3 */
MASQUERADE  all  --  192.168.12.0/24      192.168.12.0/24      /* YazFi 2.4GHz 2 */
MASQUERADE  all  --  192.168.12.0/24      192.168.2.0/24       /* YazFi 2.4GHz 2 to LAN */
MASQUERADE  all  --  192.168.2.0/24       192.168.12.0/24      /* LAN to YazFi 2.4GHz 2 */
MASQUERADE  all  --  192.168.11.0/24      192.168.11.0/24      /* YazFi 2.4GHz 1 */

Has anyone else experienced such an issue? ChatGPT told me that the ASUS FW might be overwriting the rules. I cannot figure out what application does that, and the only correlation I found (but I'm not 100% certain) is this entry in the log file:
Code:
log: router WAN_Connection: WAN was restored.

Any ideas how to fix it properly are much appreciated.

Regards
KB
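To make the difference between the two checks visible without a router, here is an added example (not YazFi's own code) that replays the 4.4.4 and 4.4.5 persistence logic against constructed `iptables -nL` listings; the listings, the `check_444`/`check_445`/`count_yazfi_nat` names and the omitted interface-list guard are all assumptions of the example.

```shell
#!/bin/sh
# Added example, not YazFi's own code: the 4.4.4 and 4.4.5 persistence
# checks replayed offline against constructed iptables listings, so the
# nat-table blind spot of 4.4.4 can be seen without a router.

# Constructed "iptables -t filter -nL" output with YazFi rules present.
FILTER_OK='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
YazFi      all  --  0.0.0.0/0            0.0.0.0/0
Chain YazFi (1 references)
DROP       all  --  192.168.13.0/24      192.168.2.0/24       /* YazFi 2.4GHz 3 */'

# Constructed "iptables -t nat -nL" output with the MASQUERADE rules present.
NAT_OK='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.13.0/24      192.168.13.0/24      /* YazFi 2.4GHz 3 */
MASQUERADE  all  --  192.168.13.0/24      192.168.2.0/24       /* YazFi 2.4GHz 3 to LAN */'

# Constructed nat table after something has flushed the YazFi rules.
NAT_WIPED='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0'

# 4.4.4 logic: "iptables -nL" without -t lists only the filter table, so
# the nat listing ($2) is never consulted. Returns 0 when rules look present.
check_444() {
    printf '%s\n' "$1" | grep -q "YazFi"
}

# 4.4.5 logic (interface-list guard omitted): nat ($2) and filter ($1)
# must both contain YazFi, as a substring and as a whole word.
check_445() {
    printf '%s\n' "$2" | grep -q  "YazFi" &&
    printf '%s\n' "$2" | grep -wq "YazFi" &&
    printf '%s\n' "$1" | grep -q  "YazFi" &&
    printf '%s\n' "$1" | grep -wq "YazFi"
}

# YazFi MASQUERADE rules left in a nat listing; handy to log from cron to
# pin down the minute at which the rules vanish and correlate with syslog.
count_yazfi_nat() {
    printf '%s\n' "$1" | grep -c 'MASQUERADE.*YazFi' || true
}

# Replay both checks against a wiped nat table.
for v in 444 445; do
    if "check_$v" "$FILTER_OK" "$NAT_WIPED"; then
        echo "$v: rules detected (nat wipe missed)"
    else
        echo "$v: rules missing, would run Config_Networks"
    fi
done
```

On a live router the same functions can be fed `$(iptables -t filter -nL)` and `$(iptables -t nat -nL)` from a short cron job, writing the `count_yazfi_nat` value with a timestamp to syslog so the wipe can be lined up against the "WAN was restored" entries.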
 
@321Kami, to add context. What router and specific firmware do you have YazFi installed on? Are you running any additional addon scripts?

The YazFi clients dropping when WAN connection is interrupted has been mentioned before. See this post in the main YazFi discussion thread and the few that follow it:
https://www.snbforums.com/threads/yazfi-v4-x-continued.83846/page-6#post-899792
And see this post from that discussion:
https://www.snbforums.com/threads/yazfi-v4-x-continued.83846/page-6#post-900241

If the firewall and/or dnsmasq are restarted (possibly due to WAN loss), then YazFi may restart, which will trigger the WiFi clients to be booted from WiFi and have to reconnect.

If you are losing the WAN connection, investigate the cause and try to fix that.
 
Hi @bennor ,
Thanks for the fast response. I have an AC-5300 router with 386.14_2 Asuswrt-Merlin FW. I already bought an RT-AX86U as a replacement, but I need some time to switch as my configuration is pretty complex.
I currently have 21 cron jobs running in the background on the working router:
Code:
45 */6 * * *    /jffs/addons/amtm/routerdate cron    #amtm_RouterDate
*/10 * * * *    /jffs/scripts/YazFi check    #YazFi
25 1 * * *    sh /jffs/scripts/firewall banmalware    #Skynet_banmalware
6 1 * * Mon    sh /jffs/scripts/firewall update    #Skynet_autoupdate
*/10 * * * *    /jffs/scripts/disk_space_monitor    #disk_space_monitor
0 * * * *    sh /jffs/scripts/firewall save    #Skynet_save
5 0 * * *    /opt/sbin/logrotate /opt/etc/logrotate.conf >> /opt/tmp/logrotate.daily 2>&1    #logrotate
*/3 * * * *    /jffs/scripts/connmon generate    #connmon
10 1 * * *    /tmp/mnt/System/entware/bin/rsync -av --delete /jffs/ /tmp/mnt/Data/Backup/jffs/    #rsync_jffs
10 1 * * *    /tmp/mnt/System/entware/bin/rsync -av --delete /tmp/mnt/System/entware/ /tmp/mnt/Data/Backup/entware/    #rsync_entware
0 */12 * * *    /jffs/scripts/spdmerlin generate    #spdMerlin
10 * * * *    /jffs/scripts/uiDivStats generate    #uiDivStats_generate
1 0 * * *    /jffs/scripts/uiDivStats trimdb    #uiDivStats_trim
*/2 * * * *    /jffs/scripts/uiDivStats querylog    #uiDivStats_querylog
4-59/5 * * * *    /jffs/scripts/uiDivStats flushtodb    #uiDivStats_flushtodb
*/2 * * * *    /etc/openvpn/server1/vpn-watchdog1.sh    #CheckVPNServer1
*/2 * * * *    /etc/openvpn/server2/vpn-watchdog2.sh    #CheckVPNServer2
00 2 * * Tue    /bin/sh /opt/share/diversion/file/update-bl.div reset    #Diversion_UpdateBL
20 5 * * *    /bin/sh /opt/share/diversion/file/rotate-logs.div    #Diversion_RotateLogs
20 17 * * *    diversion count_ads count    #Diversion_CountAds
50 */12 * * *    sh /jffs/scripts/firewall debug genstats    #Skynet_genstats

But for debugging purposes I removed them to check if the situation improves (crontab -r). It didn't; still, a few minutes after manually triggering:
/jffs/scripts/YazFi check
the NAT rules were gone. I'm pretty sure it's happening for other people using YazFi; the only difference is that the 4.4.4 version (which is the official one) doesn't catch it.
Regarding "router WAN_Connection: WAN was restored.": the log is spammed with these messages, but I don't see any symptoms of the WAN connection being dropped. Internet works just fine, no issues whatsoever and no connection drops (e.g. Netflix, YouTube streaming).
I don't see either the firewall or dnsmasq being restarted. Here's a snippet of my log (you'll not see YazFi restart messages as I changed the script part to the version from 4.4.4 to avoid guest networks being disconnected):
Code:
(...)
Mar 27 04:16:24 router WAN_Connection: WAN was restored.
Mar 27 04:20:29 router uiDivStats: Stats updated successfully
Mar 27 04:32:26 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 04:32:27 router WAN_Connection: WAN was restored.
Mar 27 04:40:21 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 04:40:21 router WAN_Connection: WAN was restored.
Mar 27 04:52:32 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 04:52:32 router WAN_Connection: WAN was restored.
Mar 27 05:00:31 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:00:31 router WAN_Connection: WAN was restored.
Mar 27 05:10:01 router uiDivStats: Starting stat update
Mar 27 05:20:07 router Diversion: rotated dnsmasq log files
Mar 27 05:20:25 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:20:25 router WAN_Connection: WAN was restored.
Mar 27 05:20:30 router uiDivStats: Stats updated successfully
Mar 27 05:24:22 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:24:27 router WAN_Connection: WAN was restored.
Mar 27 05:28:25 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:28:26 router WAN_Connection: WAN was restored.
Mar 27 05:32:31 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:32:31 router WAN_Connection: WAN was restored.
Mar 27 05:36:22 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:36:28 router WAN_Connection: WAN was restored.
Mar 27 05:40:23 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:40:23 router WAN_Connection: WAN was restored.
Mar 27 05:48:29 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:48:30 router WAN_Connection: WAN was restored.
Mar 27 05:52:31 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:52:31 router WAN_Connection: WAN was restored.
Mar 27 05:56:30 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 05:56:30 router WAN_Connection: WAN was restored.
Mar 27 06:04:21 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:04:26 router WAN_Connection: WAN was restored.
Mar 27 06:08:22 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:08:22 router WAN_Connection: WAN was restored.
Mar 27 06:10:01 router uiDivStats: Starting stat update
Mar 27 06:20:24 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:20:24 router WAN_Connection: WAN was restored.
Mar 27 06:20:31 router uiDivStats: Stats updated successfully
Mar 27 06:36:22 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:36:23 router WAN_Connection: WAN was restored.
Mar 27 06:40:28 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:40:28 router WAN_Connection: WAN was restored.
Mar 27 06:45:00 router amtm routerdate: Preserving router date via cron (2025-03-27 05:45:00) UTC time.
Mar 27 06:56:30 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 06:56:30 router WAN_Connection: WAN was restored.
Mar 27 07:00:11 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:00:11 router WAN_Connection: WAN was restored.
Mar 27 07:00:24 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:00:25 router WAN_Connection: WAN was restored.
Mar 27 07:10:02 router uiDivStats: Starting stat update
Mar 27 07:12:29 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:12:29 router WAN_Connection: WAN was restored.
Mar 27 07:16:30 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:16:30 router WAN_Connection: WAN was restored.
Mar 27 07:20:21 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:20:25 router WAN_Connection: WAN was restored.
Mar 27 07:20:31 router uiDivStats: Stats updated successfully
Mar 27 07:32:23 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:32:23 router WAN_Connection: WAN was restored.
Mar 27 07:40:28 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 07:40:29 router WAN_Connection: WAN was restored.
Mar 27 08:00:28 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 08:00:28 router WAN_Connection: WAN was restored.
Mar 27 08:04:22 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 08:04:23 router WAN_Connection: WAN was restored.
Mar 27 08:08:23 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 08:08:23 router WAN_Connection: WAN was restored.
Mar 27 08:08:42 router DualWAN: skip single wan wan_led_control - WANRED off
Mar 27 08:08:42 router WAN_Connection: WAN was restored.
(...)

 
Code:
(...)
Mar 27 04:32:26 router DualWAN: skip single wan wan_led_control - WANRED off
Do you have Dual WAN enabled? If so does the issue happen if you disable Dual WAN?
 
No, DualWAN is disabled. But after searching a bit it seems like these "WAN was restored" logs are manifestations of the issue I have.

Regards
KB
 
What is the router's WAN port connected to upstream? If it is connected to ISP equipment, perhaps check the logs (if possible) of that upstream device to see if there is an issue causing the possible WAN connection issues on the Asus router.
 
Yes, I have an ISP router which is currently working only as a bridge. I checked the logs it provides: nothing worrying, I don't see any reconnection messages (besides old ones from when the internet was down due to ISP issues). This is starting to become really weird. I will try to connect my (not yet configured) AX86U instead, just to verify whether the issue is visible on the other router.
 
Moved to AX86U Pro and problem seems to be gone.
Will conduct more tests today after finishing all the configuration.
As a next step I will reset my AC5300 configuration to default state and check if the issue is also resolved on AC5300
 
Moved to AX86U Pro and problem seems to be gone.
Note that YazFi likely will not work properly under 3006.102.x firmware due to the nature of the changes Asus made for the Guest Network Pro feature. There are a number of other discussions here (see the forum search feature) where people are trying to replicate the YazFi functionality (like one way to guest) on the 3006 firmware with mixed success.
 
As long as intranet access (block) / internet access (block) and client isolation are working (and I checked: they are), I'm OK.
Finished the configuration just a moment ago; everything works now.
 
