YazFi, ntpMerlin and guest network isolation


lluke

Occasional Visitor
Hi All,
in my setup, I'm using YazFi to isolate the IoT devices from the main network and the internet, and ntpMerlin to serve all the NTP requests any client may send.

Everything is working fine on the ntpMerlin side, since it is serving responses for queries coming from the main network and from guest networks with internet access enabled. Unfortunately, the requests from the guest network with internet and intranet access disabled are not receiving any response.

From the connections tab (System Log > Connections, screenshot below) I can see the requests performed by the IoT devices (192.168.13.2 and 192.168.13.3), which fail in the same way with any of the following configurations on the devices:
  • NTP server: empty
  • NTP server: 192.168.10.1 (IP of the router)
  • NTP server: 192.168.13.1 (
  • NTP server: 0.pool.ntp.org (or any other public NTP server)

Do you have any idea of what I should check or review in my setup?

(screenshot: 1694014287099.png)
Current setup:
  • Asus RT-AC86U (Merlin 386.12)
  • YazFI 4.4.3 (latest)
  • ntpMerlin 3.4.5 (latest)
  • YazFi IoT Guest network setup (192.168.13.0/28):
    • Force DNS: yes
    • Allow Internet access: no
    • Two way to guest: no
    • One way to guest: yes
    • Client isolation: yes
 
As a troubleshooting step you could insert a custom firewall rule so that all YazFi guests can access the NTP port 123 on the router (assuming ntpMerlin uses the IP address of the router). See the following link for YazFi custom firewall rules:
https://github.com/jackyaz/YazFi#custom-firewall-rules

Some additional YazFi custom scripting examples can be found at the following post:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521

Just a wild guess, and I have absolutely no idea if it will work, but as an example maybe something like this (or a variation of it) as a custom firewall rule (change the IP address to match the router) to allow port 123 through the firewall between YazFi Guest #1 (2.4GHz) and the router.
Code:
#!/bin/sh
# Guest #1 (wl0.1) -> router: let NTP queries reach udp/123 on the router's LAN address
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.1 -p udp --dport 123 -j ACCEPT
# router -> Guest #1: NTP replies leave the server from source port 123, so match --sport
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.1 -p udp --sport 123 -j ACCEPT
YazFi is supposed to allow NTP traffic through. I haven't used ntpMerlin, so I don't know if it has settings to block or reject NTP requests from IP addresses outside the router's local IP address scope range. Or perhaps the router firmware itself rejects NTP requests from outside the router's local IP address scope range.

Also, one more troubleshooting step: if your YazFi guests are configured to use Guest #1, try using Guest #2 or #3. Asus treats Guest #1 slightly differently, possibly for AiMesh or similar.
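To make the symptom from the original post (queries visible in the Connections tab but never answered) easier to spot before touching any firewall rule, here is an added diagnostic that is not from this thread or from the YazFi/ntpMerlin projects. It scans conntrack-style entries (the same data the Connections tab shows, as found in /proc/net/nf_conntrack) for udp/123 flows from the YazFi IoT guest subnet that are still marked [UNREPLIED]; the sample entries and the 203.0.113.10 "public NTP" address are constructed.

```shell
#!/bin/sh
# Added example: report unanswered NTP queries from the YazFi guest subnet.
# Guest subnet from the thread: 192.168.13.0/28 (hosts .0 to .15).
GUEST_NET="192.168.13"
GUEST_HOSTS=16

# Constructed sample in /proc/net/nf_conntrack layout, one flow per line.
# Line 1: IoT client asking the router itself; line 2: IoT client asking a
# public server; line 3: a main-LAN client that did get a reply; line 4: DNS.
SAMPLE_CONNTRACK='ipv4 2 udp 17 25 src=192.168.13.2 dst=192.168.10.1 sport=123 dport=123 [UNREPLIED] src=192.168.10.1 dst=192.168.13.2 sport=123 dport=123 mark=0 use=1
ipv4 2 udp 17 25 src=192.168.13.3 dst=203.0.113.10 sport=50123 dport=123 [UNREPLIED] src=203.0.113.10 dst=192.168.13.3 sport=123 dport=50123 mark=0 use=1
ipv4 2 udp 17 170 src=192.168.10.50 dst=192.168.10.1 sport=123 dport=123 src=192.168.10.1 dst=192.168.10.50 sport=123 dport=123 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.13.2 dst=192.168.10.1 sport=44112 dport=53 src=192.168.10.1 dst=192.168.13.2 sport=53 dport=44112 [ASSURED] mark=0 use=1'

# unreplied_ntp CONNTRACK_TEXT
# Prints "<client> <ntp server>" for every udp flow to dport 123 whose
# original direction comes from the guest subnet and has no reply yet.
unreplied_ntp() {
    printf '%s\n' "$1" | awk -v net="$GUEST_NET" -v hosts="$GUEST_HOSTS" '
        function in_guest(ip,  o) {
            split(ip, o, ".")
            return (o[1] "." o[2] "." o[3] == net && o[4] + 0 < hosts)
        }
        $3 == "udp" && /\[UNREPLIED\]/ {
            src = ""; dst = ""; dport = ""
            # the first src=/dst=/dport= tuple is the original direction
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src" && src == "") src = kv[2]
                else if (kv[1] == "dst" && dst == "") dst = kv[2]
                else if (kv[1] == "dport" && dport == "") dport = kv[2]
            }
            if (dport == "123" && in_guest(src)) print src, dst
        }'
}

# count_unreplied_ntp CONNTRACK_TEXT  -> number of such flows
count_unreplied_ntp() {
    unreplied_ntp "$1" | awk 'END { print NR }'
}

# On the router you would feed the live table instead of the sample:
#   unreplied_ntp "$(cat /proc/net/nf_conntrack)"
unreplied_ntp "$SAMPLE_CONNTRACK"
```

A flow whose destination is the router's own address (192.168.10.1 here) is delivered to the INPUT chain rather than FORWARD, so when the report shows such flows, the INPUT side of the firewall is where to look next.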