
YazFi Allow client in isolated network to speak to main network

Gary_Dexter

Hi

I have YazFi set up to segregate my IoT devices onto their own network. This network is also set to allow one-way traffic TO the guest network (but not both ways).

I’ve added a Sonos device to this IoT network, however I would like it to have communication back to the main network as well so it can communicate with my HomeAssistant RPi - at the moment HomeAssistant throws back an error that it can’t poll the device as it sits on the segregated network.

Is there a way (with routing or firewall rules?) to allow a single device (or devices) to communicate back to the main network when one-way to guest is enabled?

Cheers!
Gary
 
Possibly yes. See YazFi's Custom Firewall Rules.
https://github.com/jackyaz/YazFi#custom-firewall-rules
See this post for an example of custom scripting to allow traffic between specific LAN and YazFi Guest clients:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
Another example of the scripting from a few days ago:
https://www.snbforums.com/threads/help-with-iptables-script.87827/

When using custom scripting rules one may not even need to use YazFi's one way or two way to guests depending on the custom scripting used.
 
That worked a treat - thanks!

I assume I can just add to that same file for any other devices/rules?
 
Actually ignore that - it’s not working.

I assume the script I should be using is (guest network #2 2.4 GHz - Sonos IP is 10.12.13.15):

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 10.12.13.15 -j ACCEPT

I want the Sonos device to be able to speak TO the main LAN (one-way TO Guest is enabled).
 
> I assume I can just add to that same file for any other devices/rules?

If for other YazFi clients? Yes the process/rule(s) would be similar. Do some testing however to ensure everything is still being firewalled properly though for the YazFi clients and main LAN clients.
 
> Actually ignore that - it’s not working.
>
> I assume the script I should be using is (guest network #2 2.4 GHz - Sonos IP is 10.12.13.15):
>
> #!/bin/sh
> iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 10.12.13.15 -j ACCEPT
>
> I want the Sonos device to be able to speak TO the main LAN (one-way TO Guest is enabled).

One option is to disable one way to guest and simply use custom scripting to pass the traffic. Something like this:
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 10.12.13.15 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 10.12.13.15 -j ACCEPT
In the code example one is opening up source and destination traffic to 10.12.13.15. I assume 10.12.13.15 is on the main LAN.
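
An added example, not code from the thread or from YazFi: a custom-rules script that scopes the opening to one guest client and one main-LAN host instead of matching on a single address. It assumes 10.12.13.15 is the guest-side Sonos, as stated in the question; `HA_IP` is a constructed placeholder for the main-LAN host, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not code from the thread. wl0.2, br0, YazFiFORWARD and
# 10.12.13.15 are from the posts; HA_IP is a constructed placeholder.
GUEST_IF="wl0.2"        # YazFi guest interface
LAN_IF="br0"            # main LAN bridge
SONOS_IP="10.12.13.15"  # assumed here to be the guest-side client
HA_IP="192.168.1.50"    # placeholder: replace with the main-LAN host

# Succeeds only for a dotted quad whose four octets are each 0-255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule pair for one guest client and one LAN host.
# $1 = -I (insert) or -D (delete), $2 = guest client IP, $3 = LAN host IP
pair_rules() {
    case "$1" in -I|-D) ;; *) return 1 ;; esac
    is_ipv4 "$2" || return 1
    is_ipv4 "$3" || return 1
    # guest client -> LAN host
    echo "iptables $1 YazFiFORWARD -i $GUEST_IF -o $LAN_IF -s $2 -d $3 -j ACCEPT"
    # LAN host -> guest client (replies, and polling started from the LAN)
    echo "iptables $1 YazFiFORWARD -i $LAN_IF -o $GUEST_IF -s $3 -d $2 -j ACCEPT"
}

# Insert each rule only if an identical one is not already in the chain,
# so re-running the script does not stack duplicates.
apply_pair() {
    rules=$(pair_rules -I "$1" "$2") || return 1
    echo "$rules" | while read -r cmd flag spec; do
        # $spec is left unquoted on purpose so it splits into arguments
        "$cmd" -C $spec 2>/dev/null || "$cmd" -I $spec
    done
}

# Default is a dry run that prints the rules; pass "apply" to install them.
case "${1:-}" in
    apply) apply_pair "$SONOS_IP" "$HA_IP" ;;
    *)     pair_rules -I "$SONOS_IP" "$HA_IP" ;;
esac
```

Run it without arguments to review the two rules first, then check after applying that other guest clients still cannot reach the main LAN.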
 
