YazFi Allowing access to selected network devices

TheLyppardMan

Very Senior Member
I've never used YazFi before, but I understand that it could be used to achieve better security when using IoT devices. I don't plan to have a lot of those, but at the moment I have a Honeywell evohome controller that manages my programmable radiator TRVs and which connects to the internet for remote control, primarily from the dedicated mobile app. The controller doesn't need access to any devices on my LAN, so I have moved it onto Guest Network 1 (2.4GHz band) with isolation from other devices on my LAN. The other devices are two security cameras, which store their video clips on a share on my Synology DiskStation. They do not have access to any other shares on the NAS. What I would ideally like to do is prevent the security cameras from having access to any other devices on my LAN. If this scenario is possible using YazFi, could someone tell me precisely how to set it up? My NAS has a static IP address on the LAN (xxx.xxx.xxx.200), as do a few other devices. The router is xxx.xxx.xxx.254 and the DHCP range is xxx.xxx.xxx.100 to xxx.xxx.xxx.199.
 

bennor

Very Senior Member
@Jack Yaz may have a better, cleaner way to do this (with or without YazFi), but the following worked in some quick and dirty testing when using YazFi (with One Way and Two Way to guest set to No in YazFi) to allow traffic from either all Guest 1 clients to a specific IP address on the LAN, or from a single IP address on Guest 1 to a specific IP address on the LAN. The following assumes one has knowledge of how to use SSH, has SSH enabled on their Asus-Merlin router, has YazFi installed and properly configured, and knows how to use "nano", "vi" or SSH GUI programs such as WinSCP to create a file, paste in code, and edit that code to match their specific network settings. One may also want to create static/reserved IP addresses for their IoT devices to avoid certain issues. The YazFi GitHub Wiki page has additional general information on how to set up static/reserved Guest IP addresses for YazFi clients.
https://github.com/jackyaz/YazFi/wi...e-and-ARP-records#a-note-on-dhcp-reservations

Create a custom script file as explained in the YazFi Custom Script section and set its execute permissions as indicated in that section.
https://github.com/jackyaz/YazFi#custom-firewall-rules

Remember to save any changes to the created file, then trigger YazFi to apply the changes either in the YazFi CLI (option #1) or by selecting the Apply button on the YazFi GUI page in Asus-Merlin's Guest section. Failure to do so means the YazFi custom script file updates won't be applied.

All Guest 1 IP addresses to single LAN IP address
For allowing all Guest 1 (wl0.1) clients to access a single IP address on the LAN try the following. Paste the following code block into the custom script file one created, save that file, then trigger YazFi to apply the saved file. Adjust the source (-s) IP address and destination (-d) IP address to match the IP address of the LAN device in each iptables line.
Code:
#!/bin/sh
# Allow any Guest 1 (wl0.1) client to reach the LAN host 192.168.1.100
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.100 -j ACCEPT
# Allow traffic from that LAN host back to Guest 1 clients
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -j ACCEPT
Single Guest 1 IP address to single LAN IP address
For allowing a single Guest 1 (wl0.1) IP address to access a single IP address on the LAN try the following. Paste the following code block into the custom script file one created and save that file. Adjust the source (-s) IP address and destination (-d) IP address to match the IP addresses of the Guest #1 device and the LAN device in each iptables line.
Code:
#!/bin/sh
# Allow only the Guest 1 client 192.168.3.50 to reach the LAN host 192.168.1.100
iptables -I YazFiFORWARD -i wl0.1 -o br0 -s 192.168.3.50 -d 192.168.1.100 -j ACCEPT
# Allow traffic from that LAN host back to that one Guest 1 client
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -d 192.168.3.50 -j ACCEPT
In the above example the NAS on the LAN has an IP address of 192.168.1.100 and the single Guest #1 client has an IP address of 192.168.3.50.

What is generally happening is the following. In the first example, one is telling iptables to pass traffic to/from Guest #1 (wl0.1) to the specific IP address on the main LAN (br0). In the second example, one is telling iptables to pass traffic to/from the specified IP address on Guest 1 (wl0.1) to the specific IP address on the main LAN.

General Guest Network values:
2.4GHz Network 1, 2, 3:
wl0.1
wl0.2
wl0.3
5GHz Network 1, 2, 3:
wl1.1
wl1.2
wl1.3
5GHz - 2 Networks (2 GHz radios e.g. RT-AC53000)
wl2.1
wl2.2
wl2.3

There are likely better ways to script what you seek, but the above will get you started if using YazFi. One can likely modify the script to include additional Guest 1 (wl0.1) clients or to use different Guest networks (ex: wl0.2 or wl1.1) or to limit the traffic to just the Samba/SMB or FTP ports/traffic. In quick and dirty testing this worked for accessing a Synology NAS on the main LAN using a Windows PC connected to Guest 1. Note: Due to the devices being located on different IP subnets certain features like network discovery may not work properly. One may have to manually enter the NAS IP address (ex: \\192.168.1.100) when trying to access the NAS from the Guest 1 client.

Final note: You proceed at your own risk!!! The above requires one to have some knowledge and skill. Improperly modifying iptables may yield unexpected results including potentially opening up security vulnerabilities or pinholes that could allow malicious actors/hackers to access your local devices/network. What works for me in my quick and dirty testing may not work for others for various reasons.
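A narrower variant of the rules in the post above, added here as an example and not part of bennor's post: instead of passing all traffic, it lets one Guest 1 client reach one LAN host on one TCP port only (SMB 445 is assumed), and it prints the generated rules for review unless it is explicitly told to apply them. The interface names, addresses and the YAZFI_APPLY switch are constructed assumptions; change them to match your own network.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege YazFi custom-script rules.
# Assumed values; adjust to your network.
GUEST_IF="wl0.1"            # 2.4 GHz Guest Network 1
LAN_IF="br0"                # main LAN bridge
GUEST_CLIENT="192.168.3.50" # constructed: camera / client on Guest 1
LAN_HOST="192.168.1.100"    # constructed: NAS on the LAN
PORT="445"                  # SMB over TCP (the only port allowed)

# Emit the two iptables commands rather than running them, so they can be reviewed.
# $1 guest iface, $2 lan iface, $3 guest client, $4 lan host, $5 tcp port
build_rules() {
  # Guest client may open new connections to the LAN host on the one port only.
  printf 'iptables -I YazFiFORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
    "$1" "$2" "$3" "$4" "$5"
  # LAN host may only send replies on established connections; it cannot
  # initiate connections toward the guest client.
  printf 'iptables -I YazFiFORWARD -i %s -o %s -s %s -d %s -p tcp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
    "$2" "$1" "$4" "$3" "$5"
}

# Number of rules build_rules produces (self-check helper).
rule_count() { build_rules "$@" | wc -l | tr -d ' '; }

# Apply only on the router (iptables present) and only when YAZFI_APPLY=1;
# otherwise just print the rules for inspection.
if command -v iptables >/dev/null 2>&1 && [ "${YAZFI_APPLY:-0}" = "1" ]; then
  build_rules "$GUEST_IF" "$LAN_IF" "$GUEST_CLIENT" "$LAN_HOST" "$PORT" | sh
else
  build_rules "$GUEST_IF" "$LAN_IF" "$GUEST_CLIENT" "$LAN_HOST" "$PORT"
fi
```

Run it once without YAZFI_APPLY to read the rules, then with YAZFI_APPLY=1 from the YazFi custom script once they match your addresses.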
 

TheLyppardMan

Very Senior Member
Thank you for your detailed explanation. However, I'm rather embarrassed to admit this, but I've realised a couple of things that I should have done earlier (I think it's an age-related thing as I often get confused or forget things these days). Firstly, one of the cameras is not on Wi-Fi but rather has access to my network via a Powerline adapter. The other thing is, unless I need to access the cameras' data remotely, I can simply block their internet access from within the network map client status page, thus:
[Screenshots attached: "Screenshot - 18_08_2022, 20_05_48.jpg" and "Screenshot - 18_08_2022, 20_06_09.jpg"]
 
