YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

I've been reading through almost the whole thread but I couldn't find a solution... I'm wondering whether there's a way to bridge two of the guest networks. The reasoning behind this is that I have two guest networks, one on 2.4 and one on 5, and I'd like devices on those networks to be able to talk to each other, while being isolated from the main network.
You could add your own rules to allow it
 
I have a few questions regarding this excellent script that I have been using for quite a while (along with amtm, Diversion, uiDivStats and VLANSwitch):
  1. I have noticed that sometimes YazFi-clients get an ip address from the router dhcp-pool (specified in the WebUI) and then, a short time after when YazFi kicks in, they're put on the "correct" subnet (as per the YazFi config). Is there any way to avoid this behaviour? Reason being is that I have some IOT-stuff that I don't want to mix with my other devices, but as of now they sometimes get a (short) window of opportunity to access my private subnet before YazFi does its magic.

  2. Is it possible to set static leases for the defined subnets in YazFi? Some of my IOT-devices only support DHCP but I would like them on a static ip if possible.
 
dnsmasq starts before the ebtable and iptable rules are loaded, so kicking them is done at the earliest opportunity (roughly 60s after firewall is started to allow it to finish setting up).

There was an implementation to fudge with blocking dhcp until yazfi started, but that would stop any devices (not just yazfi) contacting for dhcp.
 
Hmm. Ok, that's unfortunate, but it is what it is. Still a great script though.

Any info on static leases for specified MACs on YazFi subnets? I tried adding a "dhcp-host=<MAC>,<IP>" in dnsmasq.conf.add but didn't get it to work. I did a "service restart_dnsmasq" but maybe that's not enough?
 
That should work, but you'd likely have to cycle the WiFi connection on the device for it to pull a new IP
 
Ok, I'll have another go at it. Thanks!

EDIT:
Well, it seems that the device I tried to set static ip for yesterday (that I didn't get to work) today has changed to the assigned static lease ip. So, I tried on another device and it will not work (as of yet). It still clings on to its old dhcp-lease address despite an on/off cycle. I did the following:
  1. Modified the dnsmasq.conf.add to contain the IOT device's mac and desired ip
  2. Shut the IOT device off
  3. Restarted dnsmasq (service restart_dnsmasq)
  4. Waited >1 min
  5. Opened YazFi and reapplied the settings (don't know if this is necessary though)
  6. Started the IOT device, but it still gets its old dhcp-lease address
That makes me believe that it has something to do with the lease time or something similar. However it seems that time will make it switch to the desired static ip (as per the first device I tried yesterday), but it would be nice to know what I am missing to get it working asap.

Oh, if this is too much off-topic, let me know and I'll find or start a separate thread.



EDIT 2:
Ok, the ip did not change overnight for the second device, but after another restart of dnsmasq it's now up and running. Don't know why it didn't work before. Anyways, case closed!
 
Hey, I'm curious as to why the 87u doesn't support YazFi on 5ghz? Bummer :(

Possibly because of the one-off Quantenna chipset the RT-AC87U uses?
 
Currently running RT-AC68U with Merlin 384.12
Amtm YazFi
Diversion
Skynet
Scribe scripts
OpenVpn 3 clients connected to NordVpn

I have Roku devices setup on guest networks to isolate them from the rest of my network
My main network range is set at; SSID 1 (Main) 192.168.a.2-254 vpn 1
guest network range is set at; SSID 2 (Guest1) 192.168.b.2-254 2 gh vpn 2
SSID 3 (Guest2) 192.168.c.2-254 5 gh vpn 3
All my main devices are on vpn channels strict settings with exception of obi ata which can't currently for proper functioning so it is on wan only. My rokus are each in their own guest ssid so they are isolated. When I check in yazfi script they are properly identified & located on my designated ip range & corresponding mac address. When I look in my vpn clients unfortunately they are listed with a different 192.168.a.2-254 ip address. I have them set as lan access= no & client isolation=yes. Is the wild card google dns settings? I am running on google dns addresses rather than Nordvpn's dns to make roku happy.
Is this a failure on my part with configuration or am I misunderstanding YazFi & its capabilities? My understanding of this was I am/could create a vlan like setup here. I would like to get this sorted out & working properly since I am adding a new variable to the mix - pbx vm & encrypted comm channel for my home business. Main os is mx linux with pbx vm & soon win 10 vm running from virtualbox instances. Please help me to sort out this mess!
Summary;
Is the YazFi script properly configured?
Why are my rokus being given 192.168.a.2-254 addresses as well as the designated
192.168.b.2-254 2 gh vpn 2 192.168.c.2-254 5 gh vpn 3 I gave them?
Do I need to do mac binding & how would I properly implement that?
 
The Rokus shouldn't be getting 2 IPs. Can you start by posting diagnostics (pm me the passphrase), along with any screenshots showing the ip mismatch
 
You could add your own rules to allow it
Sounds like a terrific idea. Has anyone done that and can share how? I would appreciate some help with this :) Perhaps it could be incorporated into the scripts since it is pretty annoying that subnets are divided by frequencies where two devices cannot communicate just because of speed/coverage.
 
Hello all,

I'd like to have the guest network(s) on a simple time schedule (for example: Allow connection every day only from 7 A.M. to 11 P.M.)

Enabling the "wireless scheduling" (under Wireless, Professional) does not work for me because it will also apply the schedule to the normal wireless users.

Mr. Jack Yaz, I understand that adding this to the public versions may be confusing and perhaps out of the scope of YazFi. Is there a way to provide sample code that I can implement myself? To make things simple, this can be global, in other words applied to all the guest networks and to every day of the week.

Cheers,
 
Not tested it, but something like the below?
Code:
iptables -I YazFiFORWARD -i wl0.1 -m time --timestart 23:00 --timestop 23:59:59 -j DROP
iptables -I YazFiFORWARD -i wl0.1 -m time --timestart 00:00 --timestop 06:59:59 -j DROP
iptables -I YazFiINPUT -i wl0.1 -m time --timestart 23:00 --timestop 23:59:59 -j DROP
iptables -I YazFiINPUT -i wl0.1 -m time --timestart 00:00 --timestop 06:59:59 -j DROP
You will need to input in UTC, I think
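
Added example, not part of the original reply: a POSIX shell function that generalizes the rules above to any daily allow-window, converts the local times to UTC (which the reply suggests the time match expects), and splits the blocked period where it crosses midnight UTC. The interface and chain names come from the reply; the function names and the UTC-offset argument are assumptions of this example, and the commands are only printed so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print (do not apply) DROP rules for the hours a guest
# interface should be offline, converting a local allow-window to UTC.

# "HH:MM" -> minutes since midnight (leading zeros stripped so that
# 08/09 are not parsed as invalid octal numbers).
hhmm_to_min() {
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# emit_rules IFACE START_MIN END_MIN: block the UTC interval [START, END).
# The stop time is the last second before END, so no gap is left open.
emit_rules() {
    start=$(printf '%02d:%02d:00' $(( $2 / 60 )) $(( $2 % 60 )))
    last=$(( $3 - 1 ))
    stop=$(printf '%02d:%02d:59' $(( last / 60 )) $(( last % 60 )))
    for chain in YazFiFORWARD YazFiINPUT; do
        echo "iptables -I $chain -i $1 -m time --timestart $start --timestop $stop -j DROP"
    done
}

# guest_schedule IFACE ALLOW_FROM ALLOW_UNTIL UTC_OFFSET_MINUTES
# UTC_OFFSET_MINUTES is local time minus UTC (assumed input, e.g. 120 for UTC+2).
guest_schedule() {
    # The blocked window is the complement of the allowed one.
    bs=$(( ( $(hhmm_to_min "$3") - ($4) + 1440 ) % 1440 ))
    be=$(( ( $(hhmm_to_min "$2") - ($4) + 1440 ) % 1440 ))
    [ "$bs" -eq "$be" ] && return 0      # allowed all day: nothing to block
    [ "$be" -eq 0 ] && be=1440           # window ends exactly at midnight UTC
    if [ "$bs" -lt "$be" ]; then
        emit_rules "$1" "$bs" "$be"
    else
        # Window crosses midnight UTC: split it into two same-day ranges.
        emit_rules "$1" "$bs" 1440
        emit_rules "$1" 0 "$be"
    fi
}

# Allow 07:00-23:00 local time on wl0.1 for a router in UTC+2.
guest_schedule wl0.1 07:00 23:00 120
```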
 
This post does not belong on this thread, but I will poke Mr. Jack Yaz's knowledge first.

Today I replaced my RT-AC68R with an RT-AC86U and installed Merlin's 384.13 firmware.

I have not been able to have wireless or wired devices successfully make use of the running VPN client and connect to the internet, except with the Guest Network, if and only if YazFi is running.

All the router settings are stock except the few entries in the LAN DHCP server and few Mac addresses added to the standard 2.4 and 5 Ghz Wireless MAC filters, and of course the only VPN Client which is set to "Accept DNS Configuration: Strict" and Policy Rules (strict).

Router IP is 192.168.1.1

The only enabled Guest Network radio is the 2.4 GHz and YazFi sets the ip address to 192.168.2.0/24

In the VPN client I tried Disabled, Relaxed, Strict and Exclusive for "Accept DNS Configuration", I did this with and without the line "dhcp-option DNS 1.1.1.1" added to the Custom Configuration field.

Obviously YazFi is by-passing whatever mistake I am making. Any ideas?

Regards,
 
That may not be a question strictly related to yazfi scripts, but hopefully someone will be able to answer me/direct me to the right place. Please be aware that this is my first post on this forum, and I'm not an expert by any means.

So, currently I've only the router provided by my ISP, which is dual band but it is some technicolor cheap one so it does not have many options, the main one it is missing is VPN client support, so I cannot use VPN by simply connecting to the wifi network. That's not a big deal when using a PC, however other devices like my Samsung TV do not allow me to set VPN on them. That's why I thought about buying another router, RT-AC86U, and setting VPN on it, so what I want is to have two routers, the first one will be the one from my ISP (which would still have "normal/local" wi-fi), and connected to it would be the RT-AC86U which I would connect to NordVPN so everything connected to it would appear as connected from somewhere else. The tricky part is I would like to use one network on the 2.4GHz band for a UK configured VPN, and a 2nd network on the 5GHz band for, for example, a Canada configured VPN. Can I achieve this using YazFi? I've read somewhere that it is not possible to achieve without some kind of scripting because regardless of network band (2.4GHz and 5GHz) the same device will have the same IP address on both. I know that my question has nothing to do with a guest network but from what I've found YazFi is the closest thing to achieve my desired result.

Regards
 
This post does not belong on this thread, but I will poke Mr. Jack Yaz's knowledge first.

Today I replaced my RT-AC68R with an RT-AC86U and installed Merlin's 384.13 firmware.

I have not been able to have wireless or wired devices successfully make use of the running VPN client and connect to the internet, except with the Guest Network, if and only if YazFi is running.

All the router settings are stock except the few entries in the LAN DHCP server and few Mac addresses added to the standard 2.4 and 5 Ghz Wireless MAC filters, and of course the only VPN Client which is set to "Accept DNS Configuration: Strict" and Policy Rules (strict).

Router IP is 192.168.1.1

The only enabled Guest Network radio is the 2.4 GHz and YazFi sets the ip address to 192.168.2.0/24

In the VPN client I tried Disabled, Relaxed, Strict and Exclusive for "Accept DNS Configuration", I did this with and without the line "dhcp-option DNS 1.1.1.1" added to the Custom Configuration field.

Obviously YazFi is by-passing whatever mistake I am making. Any ideas?

Regards,
Define not working (i.e. can you ping an internet ip, is dns not working).
What does your VPN client setup look like, including policy routing?
 

-With a browser open on the (wired) TV (LG, Web OS), I click a link on Favorites and nothing happens.
-With my iPhone 7(wireless of course), I open Navigator, which tries to open the last visited URL and the progress bar at the top of the browser halts at around 1/5th of the way.
-With my Windows computer(wired):
--------- Pinging yahoo.com and google.com results on requests timed out.
--------- With Firefox open, clicking on google link: Hmm. We're having trouble finding that site.
---------With Firefox open, clicking on youtube link:
The connection has timed out
The server at www.youtube.com is taking too long to respond.


Not sure 100% how to test if DNS is working (please forgive my ignorance). When pinging google, the ping command knows the ip address to ping. Also, "nslookup google.com" returns IPV4 and IPV6 addresses, so I think DNS is fully working or at least to some extent. Please advise if there is a better test for DNS functionality.

Haven't shared an image in a forum in a long time, let's see if this works:
VPN.png

https://www.dropbox.com/s/frzm3fn2j65pskv/VPN.png?dl=0
 