YazFi YazFi v4.x

How is your LG TV connecting to the router? Wired or WiFi? If WiFi, is it using a Guest SSID (i.e. YazFi if you have YazFi installed)?

Do you have any other device, computer or mobile that you can use to test if setting manual DNS addresses is bypassing any filtering you have set up or enabled?

One thing, in some quick and dirty testing, that I'm seeing. It appears DNSFiltering isn't catching the YazFi clients when I manually set a YazFi client's DNS settings (for example, in the Android WiFi Advanced settings) to, for example, Google's DNS servers. My assumption is that this is due to the YazFi clients using IP ranges outside of the main LAN IP address range. So the DNSFilter doesn't see the request and doesn't filter/catch those requests, and they are not routed to my Pi-Hole. If I manually set the Android device's DNS to Google's DNS servers when connected to the main LAN's WiFi (i.e. not YazFi), then the DNSFiltering catches the request and routes it to my Pi-Hole.
Hi @bennor
LG TV is connected over Cat5e. I have guest network created that is in use for guests and nothing else. Cool thing is that I forced guest traffic over VPN rather than allowing any interaction on my LAN. Other than that all LAN clients use pi-hole as their DNS provided by LAN/WAN settings on router, but as mentioned it's these pesky apps that have hard coded IPs that sneak thru.

I tried with Macbook and Windows 8 & Windows 10 laptops both over wire and wifi by plugging in Quad9, Quad8 or Quad1 and every time each of the said devices were able to access internet, albeit with all the advertisements that come along without pi-hole in the middle.

In my case Yazfi is not coming into picture at all,
 
In my case Yazfi is not coming into picture at all,
YazFi generally only applies to Guest WiFi clients. Its settings apply to Guest WiFi clients and traffic to/from those Guest WiFi clients. LAN/wired clients are (AFAIK) not controlled by YazFi.

My quick and dirty testing shows that DNSFilter does catch my LAN/wired client (tested using a Windows 10 pc) that have manually added DNS servers and route their traffic to my Pi-Hole. In Pi-Hole that traffic shows as coming from the router rather than the LAN client with the manual DNS values.

Adding in VPN to the mix may cause unintended operation if the VPN server is assigning its own DNS servers to VPN clients.

If your LAN clients are bypassing your Pi-Holes that really isn't, ultimately, a discussion for this thread since that speaks more to some sort of configuration issue with Asus-Merlin or the LAN clients or the Pi-Hole, and not with YazFi.
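
Added example (not part of any post in this thread, and not YazFi or firmware code): a way to test the assumption discussed above, that a port-53 redirect matching only the main LAN's source subnet never sees guest-subnet clients. The rule dump is constructed, with the chain names and client addresses as assumptions and the two subnets taken from a setup quoted elsewhere in this thread; on a router the same function could read the output of `iptables -t nat -S PREROUTING`.

```shell
#!/bin/sh
# Constructed sample in the format of `iptables -t nat -S PREROUTING`.
# Chain names and addresses are assumptions for illustration only.
NAT_RULES='-A PREROUTING -d 203.0.113.10/32 -j VSERVER
-A PREROUTING -s 192.168.1.0/27 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/27 -p tcp -m tcp --dport 53 -j DNSFILTER'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/PREFIX -> exit 0 when IP lies inside the network
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32          # bare address means /32
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# dns_redirect_covers IP PROTO -> exit 0 when a port-53 rule for PROTO
# (udp or tcp) would match traffic from IP
dns_redirect_covers() {
    while IFS= read -r rule; do
        case "$rule" in
            *"-p $2 "*"--dport 53 "*) ;;
            *) continue ;;
        esac
        src=$(printf '%s\n' "$rule" | sed -n 's|.* -s \([0-9./]*\) .*|\1|p')
        # A port-53 rule without -s applies to every source address
        if [ -z "$src" ] || in_cidr "$1" "$src"; then
            return 0
        fi
    done <<EOF
$NAT_RULES
EOF
    return 1
}

# report IP... -> "<ip> udp=<yes|no> tcp=<yes|no>" per client
report() {
    for ip in "$@"; do
        u=no; t=no
        dns_redirect_covers "$ip" udp && u=yes
        dns_redirect_covers "$ip" tcp && t=yes
        echo "$ip udp=$u tcp=$t"
    done
}

# One main-LAN client and one guest-subnet client
report 192.168.1.20 192.168.50.7
```

A client reported as `udp=no tcp=no` is not matched by any redirect rule in the dump, so its manually configured resolver would be used as-is.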
 
Looking for some help with this one... I finally got around to upgrading my spare AC86U to 386.3_2 and YazFi 4.3.4 (I've done a full factory reset and fresh install, no restore from backup config etc.)

I am having trouble with guests being able to browse the Internet after a reboot - connectivity to the WiFi is fine.
It seems if I go in to the VPN2 and change the DNS mode to exclusive it works until the next reboot, where I change it back to disabled and vice versa.

What I generally see, is that the devices with Static IPs on YazFi seem to work just fine (they show the real IP and 1.1.1.1 DNS), but any other device has no internet connectivity until I change the DNS mode on VPN2 and hit Apply.

I'm the first to admit, I've probably done something wrong with my configuration, but for the life of me, can't figure out where I've gone wrong.

My setup:
LAN side - nothing particularly special
- IPv4 only
- Subnet 192.168.1.0/27
- A few static IP's (from 192.168.1.2 to 192.168.1.10)
- WAN DNS set to 1.1.1.1
- NordVPN1 + VPN director, static IP's go via WAN, everything else via VPN1
- VPN1 DNS set to Relaxed
- I'm using vpnmgr to manage this NordVPN connection

YazFi setup
- Set up on guest wifi 2 (2.4GHz)
- Subnet 192.168.50.0/24 - 3 static IP's defined (for TV's with Netflix), see below
- DHCP Range 192.168.50.5 - 192.168.50.15
- DNS =1.1.1.1
- Force DNS = yes
- Redirect to VPN = 2
- Two way = No
- One way = No
- Client Isolation = No
- NordVPN2 + VPN director, static IP's go via WAN, everything else via VPN2
- VPN2 DNS = Disabled (at time of writing)
- Redirect Internet traffic through tunnel = VPN director (policy rules)
- I'm using vpnmgr to manage this NordVPN connection


I've defined a few static IP's for YazFi in /jffs/scripts/dnsmasq.postconf (MAC addresses removed)

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.50.2,devicename" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.50.3,devicename" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,192.168.50.4,devicename" $CONFIG
cat /jffs/addons/YazFi.d/.dnsmasq >> /etc/dnsmasq.conf # YazFi

And I also have a custom script for the static IP's to bypass the VPN, since Netflix 'just works' with the real IP /jffs/addons/YazFi.d/userscripts.d/yazfi_vpn_exclude.sh

#!/bin/sh
iptables -I YazFiFORWARD -i eth0 -o wl0.2 -d 192.168.50.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o eth0 -s 192.168.50.2 -j ACCEPT
iptables -I YazFiFORWARD -i eth0 -o wl0.2 -d 192.168.50.3 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o eth0 -s 192.168.50.3 -j ACCEPT
iptables -I YazFiFORWARD -i eth0 -o wl0.2 -d 192.168.50.4 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o eth0 -s 192.168.50.4 -j ACCEPT

VPN Director rules (names have been modified)
[Enabled] LAN1 192.168.1.2 WAN
[Enabled] LAN2 192.168.1.3 WAN
[Enabled] LAN3 192.168.1.4 WAN
[Enabled] NETFLIX1 192.168.50.2 WAN
[Enabled] NETFLIX2 192.168.50.3 WAN
[Enabled] NETFLIX3 192.168.50.4 WAN
[Enabled] LAN Traffic 192.168.1.0/27 OVPN1
[Enabled] YazFi 2.4GHz 2 192.168.50.0/24 OVPN2

Any help or advice would be greatly appreciated
 
v4.3.4
Updated 2021-08-04


Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:

* Dedicated VPN WiFi networks
* Separate subnets for organisation of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

This project is hosted on GitHub

YazFi is free to use under the GNU General Public License version 3 (GPL 3.0).

Love the script and want to support future development? Any and all donations gratefully received!
PayPal donation
Buy me a coffee

Supported firmware versions
Core YazFi features
You must be running firmware no older than:
WebUI page for YazFi
You must be running firmware no older than:

Installation
Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi.sh" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install

Please then follow instructions shown on-screen. An explanation of the settings is provided in the FAQs in post #2

Usage
WebUI
YazFi can be configured via the WebUI, in the Guest Network section.

Command Line
To launch the YazFi menu after installation, use:
Code:
YazFi

If you do not have Entware installed, you will need to use the full path:
Code:
/jffs/scripts/YazFi
I've installed YazFi. I'm very happy with it and I'll buy you a coffee ;-). I think I can't see in the Asus router App which clients are on it and that's why I can't disallow a client.
Or is there another way to see which clients are on the guest network in the app? Update: PS I bought you a coffee.
 
I've installed YazFi. I'm very happy with it and I'll buy you a coffee ;-). I think I can't see in the Asus router App which clients are on it and that's why I can't disallow a client.
Or is there another way to see which clients are on the guest network in the app? Update: PS I bought you a coffee.

Bennor suggested this for me previously, which works well: http://www.snbforums.com/threads/yazfi-v4-x.70308/post-698877
In the latest version of YazFi, you can view the clients under Guest Network > YazFi
Could you disallow a client via MAC address under the Guest Network > Enable MAC filter ?
 
Looking for some help with this one... I finally got around to upgrading my spare AC86U to 386.3_2 and YazFi 4.3.4 (I've done a full factory reset and fresh install, no restore from backup config etc.)

I am having trouble with guests being able to browse the Internet after a reboot - connectivity to the WiFi is fine.
It seems if I go in to the VPN2 and change the DNS mode to exclusive it works until the next reboot, where I change it back to disabled and vice versa.

What I generally see, is that the devices with Static IPs on YazFi seem to work just fine (they show the real IP and 1.1.1.1 DNS), but any other device has no internet connectivity until I change the DNS mode on VPN2 and hit Apply.

I'm the first to admit, I've probably done something wrong with my configuration, but for the life of me, can't figure out where I've gone wrong.

My setup:
LAN side - nothing particularly special
- IPv4 only
- Subnet 192.168.1.0/27
- A few static IP's (from 192.168.1.2 to 192.168.1.10)
- WAN DNS set to 1.1.1.1
- NordVPN1 + VPN director, static IP's go via WAN, everything else via VPN1
- VPN1 DNS set to Relaxed
- I'm using vpnmgr to manage this NordVPN connection

YazFi setup
- Set up on guest wifi 2 (2.4GHz)
- Subnet 192.168.50.0/24 - 3 static IP's defined (for TV's with Netflix), see below
- DHCP Range 192.168.50.5 - 192.168.50.15
- DNS =1.1.1.1
- Force DNS = yes
- Redirect to VPN = 2
- Two way = No
- One way = No
- Client Isolation = No
- NordVPN2 + VPN director, static IP's go via WAN, everything else via VPN2
- VPN2 DNS = Disabled (at time of writing)
- Redirect Internet traffic through tunnel = VPN director (policy rules)
- I'm using vpnmgr to manage this NordVPN connection


I've defined a few static IP's for YazFi in /jffs/scripts/dnsmasq.postconf (MAC addresses removed)



And I also have a custom script for the static IP's to bypass the VPN, since Netflix 'just works' with the real IP /jffs/addons/YazFi.d/userscripts.d/yazfi_vpn_exclude.sh



VPN Director rules (names have been modified)


Any help or advice would be greatly appreciated


I believe I may have resolved the issue. It appears the format of my config in /jffs/scripts/dnsmasq.postconf was not correct

A previous post indicated the format:
pc_append "dhcp-host=[MAC],[IP],[NAME]" $CONFIG

However, looking at the wiki article on GitHub, the format is slightly different
#!/bin/sh
source /usr/sbin/helper.sh
CONFIG=$1
#Set IP reservation

pc_append "dhcp-host=[MAC ADDRESS],[DESIRED HOSTNAME],[DESIRED IP ADDRESS]" $CONFIG

#Set Hostname
pc_append "dhcp-host=[MAC ADDRESS],[DESIRED HOSTNAME]" $CONFIG

Next, I decided to take a look at /etc/dnsmasq.conf and noticed the format is different yet again
dhcp-host=[MAC],set:[MAC],[IP]

So.... with this in mind, I modified /jffs/scripts/dnsmasq.postconf to use the same format as dnsmasq
#!/bin/sh
source /usr/sbin/helper.sh
CONFIG=$1
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,set:XX:XX:XX:XX:XX:XX,192.168.50.2" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,set:XX:XX:XX:XX:XX:XX,192.168.50.3" $CONFIG
pc_append "dhcp-host=XX:XX:XX:XX:XX:XX,set:XX:XX:XX:XX:XX:XX,192.168.50.4" $CONFIG
cat /jffs/addons/YazFi.d/.dnsmasq >> /etc/dnsmasq.conf # YazFi

Save and reboot, and it works! I have rebooted a few times since, and all seems to be rock solid for the past day!

FWIW, I have left the DNS configuration on VPN2 as disabled

Hoping this might help anyone else who comes across a similar issue :)
 
Can someone comment on the procedure when upgrading the router firmware, in regards to Yazfi? Does anything need to be run/re-installed?
 
Can someone comment on the procedure when upgrading the router firmware, in regards to Yazfi? Does anything need to be run/re-installed?
Usually no. It really depends. You would get better answers if you have a little more details. Is there anything special about the firmware change (i.e. is it a major upgrade requiring a factory reset)?
 
Usually no. It really depends. You would get better answers if you have a little more details. Is there anything special about the firmware change (i.e. is it a major upgrade requiring a factory reset)?
No, not a major upgrade, no reset required. Just moving up from john's last LTS release to the latest LTS release, v51E3.

EDIT: Tried it, everything looks like it's working. YazFi remained active on the one guest network I had it configured for pre-flash.
 
I tried a search but didn't find this in the thread. When I try to check for an update under the YazFi add-on GUI on the router, I get a spinning circle and no response. I've turned off the ad-blocker, so I don't think that's the issue. Here's a screenshot:

circle.jpg


Any thoughts?
 
I tried a search but didn't find this in the thread. When I try to check for an update under the YazFi add-on GUI on the router, I get a spinning circle and no response. I've turned off the ad-blocker, so I don't think that's the issue.
What happens if you check for updates using the YazFi CLI (command line interface)?

Edit to add: The current YazFi version is: v4.3.4
 
I tried a search but didn't find this in the thread. When I try to check for an update under the YazFi add-on GUI on the router, I get a spinning circle and no response. I've turned off the ad-blocker, so I don't think that's the issue. Here's a screenshot:

View attachment 36218

Any thoughts?
Known problem on John's fork, the older web server doesn’t like the way ajax adds a timestamp to cache bust resources. It's on my to do list when I get back to scripting
 
What happens if you check for updates using the YazFi CLI (command line interface)?

Edit to add: The current YazFi version is: v4.3.4

Good point. Using the terminal it does return the proper response ("No updates available - latest is v4.3.4"). According to the bossman above it's a fork-related issue.

I was aware I'm on the latest as I just installed it last week as part of my pi-hole setup, just kicking the tires and testing out functionality. :)
 
Is there anything about these scripts that might cause my RT-AC68U to turn off CTF and the like, and instead do ALL packet processing in the CPU ??

I ask, because I recently updated the router to Merlin 386.3_2, and had to add YazFi to it to get the guest networks running again. But the router with that setup is now CPU limited in wired (ethernet) throughput from the WAN, unable to keep up with a 300mbit/sec cable connection.


Found/fixed the issue -- not at all related to YazFi (yay!).
 
What other scripts, options or features are you enabling?
 
With YazFi on my RT-AC68U w/Merlin 386.3_2:

If I check "Client Isolation" for a guest network, that network then ceases to work correctly -- my Android phone tries to connect, then disconnects and tries again, over and over..

Why?
 
