YazFi YazFi v4.x

Hi. Is there any way that all Guest clients are allowed access ONLY to an arbitrary IP on the LAN (intranet)? I.e. to be allowed to access ONLY an internal FTP or web server or a network printer.
Once upon a time @Martineau did provide such a script, but a lot has changed since then and I feel that nowadays YazFi is maybe the proper script to implement this feature?
 
If you look down toward the end of @Jack Yaz's readme document on his GitHub page (https://github.com/jackyaz/YazFi), you will see Custom Scripts and an example of how to add an IP exclusion.

I do this for a couple of printers.
 
Eg. something like this:

Bash:
#!/bin/sh
## Enable Guest WiFi to access a specific host/port on the non-guest LAN:
HOST=192.168.155.8  ## local printer on LAN
PORTS=631           ## list of space separated port numbers
PROTOCOL=tcp        ## tcp or udp, depending upon needs

for guest in wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3 ; do
    iptables -I YazFiFORWARD -i br0 -o $guest -s $HOST -j ACCEPT
    for port in $PORTS ; do
        iptables -I YazFiFORWARD -i $guest -o br0 -p $PROTOCOL --dport $port -d $HOST -j ACCEPT
    done
done
 
v4.4.1 is now available
Changelog:

  • FIXED: YazFi could erroneously delete VPN Director rules after YazFi's own redirected rule when disabling VPN redirection

I am running a VPN on my guest network and I would like to prevent family users from using the guest network. I tried the MAC option in the wireless section and in the guest network; nothing works, and it conflicts with the MAC permission. I think adding this option in YazFi 4.4.2 would be great.

PS: I can't hide guest network passwords.
 
Easy enough to do. Just don't tell them the passwords (for both the Guest network(s) and the main router GUI too).
 
PS: I can't hide guest network passwords.
OK I'll bite. Why are you giving out the router's administration password so someone could access it and see the guest network password in the Asus (Asus-Merlin) Guest WiFi page? Further the easiest way to prevent guest network access is to NOT hand out the guest network password to untrusted people or devices. One certainly shouldn't be handing out the router administration password to untrusted persons. One could always set up additional Guest WiFi (generally up to three total at least on my router) networks to separate guests between them.
 
The admin password is with me; no one else has the password. The problem is that the guest network is connected to a VPN to protect me against visitors' illegal downloads. When my kid accesses the guest WiFi, I can't filter this network using NextDNS because a DNS leak will reveal my real IP address. I tried the MAC address filter and it does not work (I don't know why).
 
Easy enough to do. Just don't tell them the passwords (for both the Guest network(s) and the main router GUI too).
Maybe you don't understand me well (the barcode for the guest WiFi is printed on the wall). I don't want a family member to access the guest WiFi.
 
I have never used YazFi before and I'm not sure how I can take advantage of it (the blame for that is totally on me).

Is my understanding correct that the number of guest networks remains the same (3), but you get more options to finetune how they behave?

Does YazFi also "mitigate" all the special stuff ASUS does on guest network 1 for AiMesh?

(I don't use AiMesh, but use all 3 guest networks for other reasons - would even like to have more...)
 
The admin password is with me; no one else has the password. The problem is that the guest network is connected to a VPN to protect me against visitors' illegal downloads. When my kid accesses the guest WiFi, I can't filter this network using NextDNS because a DNS leak will reveal my real IP address. I tried the MAC address filter and it does not work (I don't know why).
One possible option, assuming one is using YazFi, is to try blocking the client's internet access using custom firewall rules. The YazFi GitHub (https://github.com/jackyaz/YazFi) has a section covering Custom Firewall Rules with a few examples that deal with accessing main LAN clients. One can try to use IPTables scripting to block internet access by MAC address using those YazFi custom firewall rules steps. I did a quick test and it seems to work. No idea if it impacts other elements of YazFi or causes other issues with the router firewall/IPTable rules. No idea if this is even the correct coding to use, but it does seem to work for me in my quick test. The YazFi client that is being MAC internet blocked can connect to the YazFi guest network (my example blocks them on Guest #1, both 2.4GHz and 5GHz) BUT they have no internet access. Remember to restart/reapply YazFi settings after setting up the file containing the blocking code. As always one proceeds at their own risk!!!
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -m mac --mac-source A0:C7:AA:C8:BF:B7 -j DROP
iptables -I YazFiFORWARD -i wl1.1 -m mac --mac-source A0:C7:AA:C8:BF:B7 -j DROP
One should note however that spoofing a MAC address is possible if one is so inclined. So it will be possible to bypass such MAC blocking if one was enterprising enough.
 
I hope this code works fine for me, because I already put a family member's MAC address in the wireless section in "accept" mode to prevent any "strange MAC address accessing my private LAN".
In this case, the MAC address of the family member's device is accepted in the home wireless and not accepted in the guest WiFi network.
 
This also appears to work, using the custom firewall rules method described on the YazFi GitHub, to block a specific MAC:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -m mac --mac-source A0:C7:AA:C8:BF:B7 -j YazFiREJECT
iptables -I YazFiFORWARD -i wl1.1 -m mac --mac-source A0:C7:AA:C8:BF:B7 -j YazFiREJECT
Note: the use of YazFiREJECT to block internet access was previously mentioned in this thread.
 
Thanks. I would also like to ask:
1. How do I unblock or remove the MAC address from the YazFi MAC list?
2. How do I restart and apply the new YazFi settings?

I am a beginner.
 
One could either edit the file to remove the MAC address block line, save the file and restart/reapply YazFi, or one could delete the created file holding the blocked MAC addresses entirely, then restart/apply/reapply YazFi.

One can restart, apply or reapply YazFi through either the command line terminal for YazFi, through the YazFi GUI, or through rebooting the router, or (if I remember right) issuing the terminal command: /jffs/scripts/YazFi runnow

Again standard caution applies; one proceeds at their own risk.
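
The block and unblock steps from the posts above, collected into one script as an added example (not part of any poster's message and not YazFi's own code): it validates the MAC, prints the rule for each guest interface, and can remove the rules again. The function names, the DRY_RUN switch and the sample MAC are assumptions; the chain, target and interface names are the ones used in the thread.

```sh
#!/bin/sh
# Added example: per-MAC block/unblock rules for YazFi guest interfaces.
# YazFiFORWARD, YazFiREJECT and wl0.1/wl1.1 come from the thread; function
# names, DRY_RUN and the sample MAC are assumptions for illustration.

GUEST_IFACES="wl0.1 wl1.1"   # Guest #1 on 2.4GHz and 5GHz
DRY_RUN="${DRY_RUN:-1}"      # 1 = only print the commands, 0 = also run them

# Print the MAC in upper case; fail unless it is six colon-separated hex pairs.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    printf '%s\n' "$mac" | grep -Ex '([0-9A-F]{2}:){5}[0-9A-F]{2}' && return 0
    echo "invalid MAC address: $1" >&2
    return 1
}

# Print one iptables command per guest interface ($1 = -I or -D, $2 = MAC).
mac_rule_cmds() {
    mac=$(normalize_mac "$2") || return 1
    for iface in $GUEST_IFACES; do
        echo "iptables $1 YazFiFORWARD -i $iface -m mac --mac-source $mac -j YazFiREJECT"
    done
}

# Echo each command read from stdin and, when DRY_RUN=0, run it.
# A failed delete (rule not present yet) is expected and ignored.
run_cmds() {
    while IFS= read -r cmd; do
        echo "$cmd"
        [ "$DRY_RUN" = "1" ] && continue
        case "$cmd" in
            *" -D "*) $cmd 2>/dev/null || true ;;
            *)        $cmd ;;
        esac
    done
}

# Block: delete any earlier copy first so re-running never stacks duplicates.
block_mac() {
    normalize_mac "$1" >/dev/null || return 1
    { mac_rule_cmds -D "$1"; mac_rule_cmds -I "$1"; } | run_cmds
}

# Unblock: remove the rules again.
unblock_mac() {
    normalize_mac "$1" >/dev/null || return 1
    mac_rule_cmds -D "$1" | run_cmds
}

block_mac "02:11:22:aa:bb:cc"   # constructed sample MAC, dry run by default
```

With DRY_RUN=0 the commands are executed instead of only printed. A client that uses a randomised (private) Wi-Fi MAC address will not match these rules, which is the same limitation as the spoofing caveat noted earlier in the thread.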
 
Thanks, I will back up everything before I start the modification.
 
I have had to revert back to my RT-AC87U as my AX58U has died.
I had YazFi running successfully before, including the WebUI, but can't get it going again as it had been factory reset.
I am running Merlin 384.13_10 but tried with the current install script and it does nothing and comes back to the prompt when executed.

Does the latest version run with my router or do I need an older version? Any help greatly appreciated.
 
I am running Merlin 384.13_10 but tried with the current install script and it does nothing and comes back to the prompt when executed.
You will likely need to run newer Merlin firmware than 384.13_10 and unfortunately your RT-AC87U unit is no longer supported by Merlin. Per the YazFi GitHub page:

Supported firmware versions

Core YazFi features

You must be running firmware no older than:

WebUI page for YazFi

You must be running firmware Merlin 384.15/384.13_4 or Fork 43E5 (or later) Asuswrt-Merlin
Edit to add: If older versions of YazFi supported the AC87U/384.13_10 perhaps Jack or the WayBack machine (like this link) will have older versions.
 