YazFi YazFi v4.x - continued

[bennor]

Or this is a deliberate behavior when setting Allow Internet Access option to OFF when using Guest Networks 1 and 2 which was introduced when the Aimesh option was added to those two guest networks.

Quick test with Guest Network #3 2.4Ghz (with YazFI) and issue is present there as well. With Allow Internet Access set to No and Two Way to Guest set to Yes, the YazFi GN# 3 client cannot access main LAN clients. When Allow Internet Access is set to Yes then the client can.

 

[SomeWhereOverTheRainBow]

Quick test with Guest Network #3 2.4Ghz (with YazFI) and issue is present there as well. With Allow Internet Access set to No and Two Way to Guest set to Yes, the YazFi GN# 3 client cannot access main LAN clients. When Allow Internet Access is set to Yes then the client can.

Interesting. looks like a deliberate behavior is becoming a deliberate problem. Maybe @Martinski might know whats going on (don't know of @Jack Yaz is around to check it out either).

 

[bennor]

Interesting. looks like a deliberate behavior is becoming a deliberate problem. Maybe @Martinski might know whats going on (don't know of @Jack Yaz is around to check it out either).

Yeah I pinged them both in my post in the other thread discussing this issue (see link above). Maybe they'll have some thoughts if they care to weigh in on this issue. Likely not a common issue that has cropped up since it doesn't appear many others have come across it by disabling Internet Access while at the same time wanting Two Way to client (or custom scripts) to access main LAN. Interesting issue none the less if it is exposing something in the underlying Asus firmware.

 

[cannondale]

Just dropping in here to say that this add-on is fantastic and actually the only reason why I updated from stock AsusWRT to Merlin today (on my AC68U), just so that I could configure my guest networks in a much finer grained way. Thank you!

 

[Darkje]

How can this be enabled on a accespoint. Since guest network is also there.

 

[bennor]

How can this be enabled on a accespoint. Since guest network is also there.

YazFi doesn't currently work in AP/AiMesh mode. Many of the router's features, including some or all firewall options, are disabled in AP mode.
Per the developer:

YazFi doesn't work on Aimesh nodes. The guest network on the node will be unrestricted

 

[Darkje]

@bennor Yeah i know. On aimesh i het it, on a app mode i dont get it. Since you turn on guest mode aswell.

 

[bennor]

@bennor Yeah i know. On aimesh i het it, on a app mode i dont get it. Since you turn on guest mode aswell.

AiMesh also does guest mode. There is much more going on under the hood when one enables AP mode for the router. YazFi, in part/whole, among other things works by setting certain IPTable rules. If AP mode is changing (or disabling) IPTables then YazFi won't function correctly. If you note, the guest mode in AP mode doesn't have the access intranet option like the router mode guest network has (at least the guest mode of an RT-AC68U didn't when I checked).
The developer is no longer actively developing YazFi so don't expect this to be addressed any time soon unless someone else, like user Martinski, decides to do so.
The script is available on GitHub, you are free to try your own hand at modifying the code to work on AiMesh or in AP mode.

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

GitHub - Martinski4GitHub/YazFi at develop

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - GitHub - Martinski4G...

github.com

 

[Darkje]

@bennor, Yeah i get it.

 

[powersupply]

First: Thank you YazFi for this extension, it means so much to (hopefully) shield chinese spy iot stuff from phoning home/cloud.
Being iot, most units need to have static IPs, so I downloaded YazDHCP in hopes to add "DHCP IP Address Reservation".
Didn't find much in that regard so exported to CSV, hoped I can just add MAC and IP addresses, but it's just a long list of other stuff.
Is there a simpler way to add static IP Address Reservation to the guest network?

 

[bennor]

Is there a simpler way to add static IP Address Reservation to the guest network?

See the writeup in the YazFi GitHub Wiki:
https://github.com/jackyaz/YazFi/wi...verse-DNS-records#a-note-on-dhcp-reservations
And my example here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403

 

[powersupply]

Yes, that's what I was doing but it's unreliable.
Sometimes it all gets overwritten as you mentioned there.
It's also very cumbersome and unreliable.
I just had to reinstall entware, diversion etc, and after loading the backup_jffs.tar (onto the same unit), the guest stuff was not there.
I tried again after a few reboots and it finally stuck, don't know how/why.
Is there a way to add this matter to the DHCP tab or the YazFi tab in future?
The DHCP tab has already a table etc, it would be great to just be able to add IPs from the guest network domain.
Right now, the DHCP tab prohibits guest network IPs.

 

[bennor]

Yes, that's what I was doing but it's unreliable.
Sometimes it all gets overwritten as you mentioned there.
It's also very cumbersome and unreliable.

Cumbersome and unreliable? Not my experience. Been using that setup for manually assigned YazFi client IP addresses since making that post in 2019. First on a RT-AC68U and now a RT-AX86U Pro. I have not experienced any issues or problems once it was properly setup in all those years. It is possible you have other scripts interacting with dnsmasq or somehow changing the dnsmasq.postconf file. You should list your router, it's firmware version, and any add-on scripts you are using. My sig line has my setup. Only scripts running are YazFi and YazDHCP.

Note: YazFi doesn't work with AiMesh nodes, it only works on the main router. In certain cases one may need to use Guest Network #2 and or #3 rather than Guest Network #1. Reason is Asus treats Guest Network #1 slightly differently, for AiMesh apparently.

The original YazFi developer is no longer actively developing the script. As such any changes to it would need to be made by others. Currently user @Martinski is occasionally tweaking some elements of YazFi; but to integrate it into YazDHCP or into the main DHCP client list may require extensive coding, if it's even possible to do so. Currently its simple to backup the YazFi configuration file and it's manual client reservations file by simply copying two files and restoring them (with their permissions) at a later time after YazFi has been reinstalled.
YazFi configuration file: /jffs/addons/YazFi.d/config
(Note: permissions 0644)
Manual YazFi Client IP reservations file: /jffs/scripts/dnsmasq.postconf
(Note: permissions 0755)

PS: Restoring a backup_jffs.tar might be a hit or miss. It might work or you might have to reinstall any scripts that were broken by restoring that backup_jffs.tar.

 

[powersupply]

Thanks for the infos.
RT-AC68 386.12_4 with just Diversion and YazFis.
Am trying backupmon but that's too convoluted, directories over directories, will remove it.

Didn't know YazFi is no longer actively developed, bummer.
But it is really a great addition, after Diversion it's on second spot for me, thank you dear YazFi developer.
Great that Martinski continues carrying the task.

PS: Restoring a backup_jffs.tar might be a hit or miss. It might work or you might have to reinstall any scripts that were broken by restoring that backup_jffs.tar.

THAT is the issue.

I consider fiddeling in subdirectories and permissions cumbersome, especially since I have to redo it sometimes.
But that's my personal opinion.

I will try to make a 1:1, byte by byte image copy of the SD card, hope that will resolve the issues.

 

[bennor]

I consider fiddeling in subdirectories and permissions cumbersome, especially since I have to redo it sometimes.
But that's my personal opinion.

I routinely experiment with and hard factory reset the router running YazFi (and YazDHCP) from time to time, have been doing so for a number of years. It really isn't much of a deal, problem or issue, to use WinSCP on a Windows PC to copy the two files (YazFi config and YazFi manual IP reservations). Takes mere seconds to copy them to a PC for long term backup then restore them to the router (and set their permissions) at a later point when needed. Keep the two files on a NAS for backup. Made moving to a new router significantly easier and quicker. YMMV

Heck one could probably create a batch file using Putty (or even a router CRON job with script) to automate the copying and restoring of the two files if they wanted to.

 

[bennor]

I will try to make a 1:1, byte by byte image copy of the SD card, hope that will resolve the issues.

SD card? Why are you using a SD card and for what purpose? For external storage attached to the router one should be using at worse a USB flash drive or at best a USB SSD drive. Its possible using an SD card in a SD reader attached to the router may potentially cause unexpected behavior or results. For YazFi and YazDHCP one does not need to use any external storage as the scripts run from the router's jffs/scripts directory.

 

[Ripshod]

SD card? Why are you using a SD card and for what purpose? For external storage attached to the router one should be using at worse a USB flash drive or at best a USB SSD drive. Its possible using an SD card in a SD reader attached to the router may potentially cause unexpected behavior or results. For YazFi and YazDHCP one does not need to use any external storage as the scripts run from the router's jffs/scripts directory.

You mean besides the poor performance - if the disk gets written to a lot data will be lost along with the dreaded potential Out Of Memory error.

 

[Caesar the Dictator]

Hello, are we currently able to redirect guest clients to the any WireGuard connection, or are we still only able to redirect to the any OpenVPN connection?

 

[bennor]

Hello, are we currently able to redirect guest clients to the any WireGuard connection, or are we still only able to redirect to the any OpenVPN connection?

It may potentially be possible to do so via scripting if YazFi doesn't support Wireguard. See a comment here:
https://www.snbforums.com/threads/use-wireguard-for-yazfi.82160/#post-806768
Otherwise see the forum search for other discussions. Its been asked before but because Jack Yaz is not actively developing YazFi the odds of it being fixed is likely very slim.
https://www.snbforums.com/search/10...t&c[child_nodes]=1&c[nodes][0]=60&o=relevance
And another user who has performed some some mods/fixes on YazFi has previously indicated they likely will not be able to help modify Yazfi to work properly with WireGuard.

Sorry to say, but I cannot help. I don't subscribe to any commercial VPN providers & I don't have any VPN clients set up on my own router. The only VPN Servers I currently use are from the company I work for & the ones on ASUS routers (mine & those from relatives & friends for maintenance purposes) so that I can connect remotely when needed using my work PC or my personal PCs/tablets/phones. The bottom line is that I'm not in a position where I can test & validate any changes made in the YazFi code regarding OpenVPN or Wireguard clients.

 

[potrto]

After reviewing the YazFi code, I found & fixed a bug that under some conditions would cause the "Hostname" of some clients to be shown as "UNKNOWN" on the webGUI even when the IP address was correct.

If you want to try and see if this fix addresses the problem you're seeing on your router, the new updated script (version 4.4.5, develop branch) is available from GitHub:

curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused  https://raw.githubusercontent.com/Martinski4GitHub/YazFi/develop/YazFi.sh  -o /jffs/scripts/YazFi  && chmod 755 /jffs/scripts/YazFi

I have submitted a PR for @Jack Yaz to merge into his GitHub repository.

EDIT:
@Jack Yaz has merged the PR containing the fix into his 'develop' branch. If you want to switch from master "4.4.4" release to the develop "4.4.5" version use the following commands:

/jffs/scripts/YazFi develop
/jffs/scripts/YazFi forceupdate

I tried the develop version 4.4.5 and it broke my custom settings (specifically, AirPlay to Sonos speakers in a guest network). Going back to 4.4.4 made it work again. I was trying to understand the problem by logging dropped packets in YazFiFORWARD and YazFiINPUT chains, but nothing showed up...