YazFi YazFi v4.x

[Ydnaroo]

Quick update, rebooted router and it stopped working again. Seem to get it working but a reboot breaks it. It seems to keep swapping between using the VPN DNS and the PiHole.

Will definitely be giving it a rest for a while. Thanks again both. Andy

 

[Jack Yaz]

i'm going to dig one of my Pi's out (I have several....) and chuck PiHole on it and get a working setup, then I can share my settings

 

[Ydnaroo]

i'm going to dig one of my Pi's out (I have several....) and chuck PiHole on it and get a working setup, then I can share my settings

That's very kind of you but please don't go to too much trouble on my behalf. As I've already said I'm pretty much out of my depth with this and have been moving around changing all sorts I don't understand.

My hope was to be able have my laptop so it uses the WAN connection most of the time but have the option to use VPN when I wanted by connecting to the Guest network. As it'll likely only be one device wanting VPN access I can achieve most of what I want with a VPN client on the laptop but won't have the benefit of PiHole blocking. It's just a whim of man with too much time on his hands.

Cheers for all your help up to now. Andy

 

[bennor]

It seems to keep swapping between using the VPN DNS and the PiHole.

Previously you indicated you set VPN Client 2 option "Accept DNS Configuration" to "Strict". Per the tool tip for the Accept DNS Configuration, Strict indicates that any DNS servers provided provided by the remote VPN Server will be added to the list of DNS servers used. As previously indicated, one would think that using "Disabled" would be the way to go. Disabled should, one would think, ignore the DNS servers pushed by the remote VPN server. One would think that only the local Pi-Hole would be used, assuming one instructs the VPN client to use it, when the remote VPN server provided DNS servers are not used.

Accept DNS Configuration Tool Tip:
How should your router handle DNS servers pushed by the remote VPN server. Disabled = ignore them, Relaxed = just add to list of known DNS, Strict = add to list, but use all servers in order specified, Exclusive = use only these servers for all queries from clients routed through the tunnel.

 

[bennor]

My hope was to be able have my laptop so it uses the WAN connection most of the time but have the option to use VPN when I wanted by connecting to the Guest network.

Just to clarify. Do you have a single network adapter that you would use to switch from the main LAN to the guest WiFi? Or would you be using two network adapters with the hope of having both connected at the same time, one to the main LAN and the second one to the guest WiFi?

 

[TITAN]

Hi Jack, I just came across this gem and love your work!

Just wondering if there is any way to set the subnet mask on the guest Wifi?

Cheers

 

[Ydnaroo]

Just to clarify. Do you have a single network adapter that you would use to switch from the main LAN to the guest WiFi? Or would you be using two network adapters with the hope of having both connected at the same time, one to the main LAN and the second one to the guest WiFi?

Just one adapter in laptop, just want WAN or VPN selectable from Windows.

 

[Ydnaroo]

i'm going to dig one of my Pi's out (I have several....) and chuck PiHole on it and get a working setup, then I can share my settings

Just to clarify. Do you have a single network adapter that you would use to switch from the main LAN to the guest WiFi? Or would you be using two network adapters with the hope of having both connected at the same time, one to the main LAN and the second one to the guest WiFi?

Hi both. Just a quick word to say please don't spend any more time on this. I'm using VPN Unlimited and there are posts in Merlin's VPN Director thread yesterday about problems with DNS with this provider due to them using a hostname rather than an IP for the server settings. I'll just leave it for now and maybe change provider in the future. Thanks again for your help. Andy

 

[maxbraketorque]

A few questions about YazFi:

• My home AC86U has an OVPN client that is permanently connected to an OVPN server on another AC86U across the internet. TUN protocol. Are YazFi guest networks on my home AC86U isolated from that VPN as well?
• Can I use DHCP manual IP address assignment for devices on a YazFI guest network? If yes, is this done using the ASUS DHCP manual assignment WebUI?
• Does the YazFI WebUI provide the same configurability as the CLI?

 

[bennor]

• Can I use DHCP manual IP address assignment for devices on a YazFI guest network? If yes, is this done using the ASUS DHCP manual assignment WebUI?
• Does the YazFI WebUI provide the same configurability as the CLI?

To answer two of your questions. For assigning static IP addresses see the YazFi GitHub Wiki entry on YazFi with Pi-Hole. There is a section (A Note on DHCP Reservations) there on how to setup static IP addresses for YazFi clients. Generally one cannot use the Asus-Merlin DHCP section to set static IP addresses for YazFi guest clients due to YazFi using different IP address ranges for YazFi guest clients. Or see my post on setting fixed IP addresses when using YazFi here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403

Generally the same settings for setting up and applying the YazFi configuration in the CLI are available in the YazFi Web GUI. There are certain options like updating YazFi that can only be done through the CLI. Examples of the Web GUI and CLI.

 

[bennor]

Just wondering if there is any way to set the subnet mask on the guest Wifi?

The YazFi CLI Config (via Nano) states the following on Subnets which may or may not answer your question.

N.B. Currently hardcoded to a 255.255.255.0 subnet, so DHCP pool can start at a minimum of X.Y.Z.2 and a maximum of X.Y.Z.254

Or see my screen capture directly above this post in a reply to someone else that indicates the same.

 

[maxbraketorque]

Thanks much, but I'm confused about one thing in your DHCP reservation options. The two methods you mentioned look identical with the second one just providing more detail. Both approaches appear to use dnsmasq on the router to set the DHCP reservation, and I don't see a requirement for Pi-hole. Is Pi-hole required for assigning a DHCP reservation?

 

[bennor]

Both approaches appear to use dnsmasq on the router to set the DHCP reservation, and I don't see a requirement for Pi-hole. Is Pi-hole required for assigning a DHCP reservation?

No. Pi-Hole is not required if one wants to set a static IP for YazFi guests. Pi-Hole usage was just the vehicle that got some of us discussing how to set a static IP in Asus-Merlin for YazFi clients.

 

[maxbraketorque]

No. Pi-Hole is not required if one wants to set a static IP for YazFi guests. Pi-Hole usage was just the vehicle that got some of us discussing how to set a static IP in Asus-Merlin for YazFi clients.

Awesome. Thanks. Now hoping to find out if YazFI is isolated from my VPN tunnel as well. Maybe I just need to try it.

 

[TITAN]

The YazFi CLI Config (via Nano) states the following on Subnets which may or may not answer your question.

Thanks bennor, yes it does answer my question, but doesn't solve my problem
It's not a huge issue, but more a 'nice to have'

 

[TITAN]

Ok, so I have the Guest Wifi 2 up and running but seem to be stuck on this one: I am trying to direct all traffic on Guest Wifi 2 via VPN 2, with the exception of 2 IP's - .2 and .3 (which are assigned by DHCP as per this post - https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403).

I've been playing around with a number of settings but can't seem to get it to work.

YazFi settings

VPN 2 details (NordVPN)
DNS Config - Exclusive
Policy rules (automatically added)
2.4GHz Guest 2 192.168.3.0/24 VPN
5GHz1 Guest 2 192.168.6.0/24 VPN (P.S. i think there is a typo with the '1' being added?)

With this setup, all clients are routed via VPN2 and all clients can access the internet.
If I change redirect all to VPN to 'no' then add the following policy rules to VPN2, no client can access the internet
Guest 1 192.168.3.2 WAN
Guest 2 192.168.6.3 WAN
2.4GHz Guest 2 192.168.3.0/24 VPN
5GHz1 Guest 2 192.168.6.0/24 VPN

I've tried combinations of Force DNS = 'no', redirect all to VPN ='no' and DNS config = 'disabled/relaxed/strict/exclusive' but I all I can seem to do is end up with all clients on Guest Wifi 2 going via my WAN/real IP, or all via the VPN...

I'm sure that it's some simple setting/configuration that I've overlooked... any help would be greatly appreciated!

 

[Jack Yaz]

Ok, so I have the Guest Wifi 2 up and running but seem to be stuck on this one: I am trying to direct all traffic on Guest Wifi 2 via VPN 2, with the exception of 2 IP's - .2 and .3 (which are assigned by DHCP as per this post - https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403).

I've been playing around with a number of settings but can't seem to get it to work.

YazFi settings
View attachment 34628

VPN 2 details (NordVPN)
DNS Config - Exclusive
Policy rules (automatically added)
2.4GHz Guest 2 192.168.3.0/24 VPN
5GHz1 Guest 2 192.168.6.0/24 VPN (P.S. i think there is a typo with the '1' being added?)

With this setup, all clients are routed via VPN2 and all clients can access the internet.
If I change redirect all to VPN to 'no' then add the following policy rules to VPN2, no client can access the internet
Guest 1 192.168.3.2 WAN
Guest 2 192.168.6.3 WAN
2.4GHz Guest 2 192.168.3.0/24 VPN
5GHz1 Guest 2 192.168.6.0/24 VPN

I've tried combinations of Force DNS = 'no', redirect all to VPN ='no' and DNS config = 'disabled/relaxed/strict/exclusive' but I all I can seem to do is end up with all clients on Guest Wifi 2 going via my WAN/real IP, or all via the VPN...

I'm sure that it's some simple setting/configuration that I've overlooked... any help would be greatly appreciated!

you'll need to use a userscript (https://github.com/jackyaz/YazFi#custom-firewall-rules) for this. enable redirect to VPN for the guests in YazFi, then follow the below

create

/jffs/addons/YazFi.d/userscripts.d/myscript.sh

Remember to make it executable with

chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh

Contents:

#!/bin/sh
iptables -I YazFiFORWARD -i eth0 -o wl0.2 -d 192.168.3.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o eth0 -s 192.168.3.2 -j ACCEPT
iptables -I YazFiFORWARD -i eth0 -o wl1.2 -d 192.168.6.3 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o eth0 -s 192.168.6.3 -j ACCEPT

if your WAN interface isn't eth0 then replace accordingly
then apply YazFi settings (option 1 CLI or Save in WebUI)
hopefully I haven't missed anything!

 

[maxbraketorque]

I just installed this a few moments ago, and a few initial thoughts come to mind:

- Apparently this works in conjunction with the ASUS guest network settings, i.e., the guest network needs to be first configured and *enabled* in the ASUS guest network WebUI?
- How does DNS work when DoT is enabled. If I "Force DNS" and set the DNS Servers to the router IP, then is DoT implemented for the guest devices?
- In the CLI version of YazFi settings, it might be better to use the term, "Exit YazFi Settings" or "Exit YazFi Menu" rather than just "Exit YazFi". For those without much experience with this kind of thing (e.g., me), its unclear if "Exit YazFi" means actually killing YazFi itself or just exiting out of the settings.

 

[Jack Yaz]

I just installed this a few moments ago, and a few initial thoughts come to mind:

- Apparently this works in conjunction with the ASUS guest network settings, i.e., the guest network needs to be first configured and *enabled* in the ASUS guest network WebUI?

Yes

- How does DNS work when DoT is enabled. If I "Force DNS" and set the DNS Servers to the router IP, then is DoT implemented for the guest devices?

same rules as Merlin DNS Filter apply.
if sending guest traffic to the router, then yes, guest would benefit from DOT in the same way a "normal" LAN client would when connected to the router.
if DoT is set up directly on guest client then it will be allowed if its destination matches the one configured in YazFi. if it doesn't match, DoT from the client will be blocked.

 

[maxbraketorque]

Thanks much.

The next thing that's puzzling me is that I have YazFi enabled and "applied" the settings, but preexisting guest devices are not moving over to the new subnet. I tried power cycling one of the devices, but it did not cause the device to move over to the YazFi IP address range. What am I doing wrong?