YazFi Allowing access to selected network devices

This is a real head-scratcher indeed.

In the meantime, enjoy your New Year's Eve.
Did a hard factory reset and reconfigure on a RT-AX86U Pro yesterday. Same issue persists for some reason with YazFi. Set up the Guest Network #2, installed YazFi 4.4.4, set Allow Internet Access to No, Two Way to Guest to Yes and the Guest Network YazFi client couldn't access or ping any LAN client. If Allow Internet Access is set to Yes, then that WiFi client could access/ping the LAN clients. Meanwhile the LAN client could ping the WiFi client in both instances.

It's almost as if the TWOWAYTOGUEST in the YazFi.sh is not being properly triggered for some reason. As if the ONEWAYTOGUEST is being applied instead somehow based on the router configuration/settings. I'm wondering if there is a certain router setting or configuration that might cause this to happen, or the validation in the script to fail, and apply ONEWAYTOGUEST instead of TWOWAYTOGUEST. For example, just throwing something against the wall; the WAN Connection Type being configured a certain way, mine is set to Automatic IP, possibly causes the YazFi code to use ONEWAYTOGUEST rather than TWOWAYTOGUEST. Or there being some other iptables entry or Asus firmware code blocking Guest Network WiFi to LAN comms.

This is likely such a rare combination of settings (or maybe region specific) for a typical user it quite possibly hasn't come up often in the YazFi testing or usage on various routers. Or be reported often here.

Yes have a happy, safe and enjoyable New Year's Eve.
 
Did a hard factory reset and reconfigure on a RT-AX86U Pro yesterday. Same issue persists for some reason with YazFi. Set up the Guest Network #2, installed YazFi 4.4.4, set Allow Internet Access to No, Two Way to Guest to Yes and the Guest Network YazFi client couldn't access or ping any LAN client. If Allow Internet Access is set to Yes, then that WiFi client could access/ping the LAN clients. Meanwhile the LAN client could ping the WiFi client in both instances.
Have you also tried testing with the latest YazFi develop "4.4.5" test version (dated "2023-Dec-29" as shown on the script file header)?

If you have or plan to do so later on, do you mind sending me the debug output file created by executing the "GetYazFiDebugInfo2.sh" script after you have tested using the latest 4.4.5 version?

I'm curious to see what your RT-AX86U Pro model shows when compared with the RT-AX86S router, which is the closest router model (that I have tested with) to yours.

FYI, here's a screenshot of my WAN Connection "Basic Config" settings:

RT-AC86U_WAN_Connection.jpg


Thanks & Happy New Year!
 
Have you also tried testing with the latest YazFi develop "4.4.5" test version (dated "2023-Dec-29" as shown on the script file header)?

If you have or plan to do so later on, do you mind sending me the debug output file created by executing the "GetYazFiDebugInfo2.sh" script after you have tested using the latest 4.4.5 version?
Just did a quick and dirty test with 4.4.5 on a RT-AX86U Pro. See this link for the GetYazFiDebug script results. There are three. For some reason after rebooting the router the YazFi client(s) could then properly access main LAN clients when access internet was disabled and two way to guest was enabled in YazFi. Weird.

Base YazFi config after installing YazFi 4.4.5 (and restarting YazFi) on RT-AX86U Pro
YazFi_DEBUG_2024-01-02_06-20-09.txt

Guest Network #2 5Ghz - Allow Internet Access set to No, Two Way to Client set to Yes
YazFi_DEBUG_2024-01-02_06-34-59.txt

After router reboot YazFi client could ping/access main LAN clients. Not sure what changed there if anything.
YazFi_DEBUG_2024-01-02_06-49-47.txt

Some other comments after some more testing post router reboot. One thing I found is that any YazFi connected device with two (or more) network adapters, particularly if a cellular device with both cell network connection and WiFi connection, I had to disable the non-WiFi network adapters. Failure to do so would sometimes result in the device using the wrong network adapter even though WiFi was the selected main active connection and the other adapter wasn't connected to LAN/WiFi/Cellular. The OS (both Windows and Android) seems to try and use other network adapters when the WiFi network adapter didn't have internet access despite showing WiFi as the main connected network adapter. On certain devices this likely caused past incorrect results in some cases when trying to ping or access main LAN clients on past tests.
 
Just did a quick and dirty test with 4.4.5 on a RT-AX86U Pro. See this link for the GetYazFiDebug script results. There are three. For some reason after rebooting the router the YazFi client(s) could then properly access main LAN clients when access internet was disabled and two way to guest was enabled in YazFi. Weird.

Base YazFi config after installing YazFi 4.4.5 (and restarting YazFi) on RT-AX86U Pro
YazFi_DEBUG_2024-01-02_06-20-09.txt

Guest Network #2 5Ghz - Allow Internet Access set to No, Two Way to Client set to Yes
YazFi_DEBUG_2024-01-02_06-34-59.txt

After router reboot YazFi client could ping/access main LAN clients. Not sure what changed there if anything.
YazFi_DEBUG_2024-01-02_06-49-47.txt
Thank you for running the tests. And yes, something weird certainly happened during or after the router reboot.

The 1st debug output file (YazFi_DEBUG_2024-01-02_06-20-09.txt) of the initial "base config" ("Allow Internet Access" YES, "Two Way to Guest" NO) after installing YazFi 4.4.5 version shows the expected debug info.

The 2nd debug output file (YazFi_DEBUG_2024-01-02_06-34-59.txt) taken after the 5.0GHz Guest Network #2 was set up ("Allow Internet Access" NO, "Two Way to Guest" YES) for testing also shows the expected debug info, including the additional firewall rules to handle the 2-way-to-guest comms and the no-internet-access-allowed option.

However, the 3rd debug output file (YazFi_DEBUG_2024-01-02_06-49-47.txt) taken after rebooting the router is where things are weird. The debug info shows that *all* the FILTER table firewall rules for YazFi were gone and only some of the NAT table rules were found. This scenario looks like one of the "transient states" that usually happen when the system itself is resetting the firewall (e.g. "notify_rc restart_firewall") which can happen a few times during & right after a reboot, or when some changes are made via the webGUI or by some other script that require a firewall restart. Also, YazFi can initiate a reset of its own firewall rules under some conditions (there's a YazFi cron job that runs every 10 minutes that checks for this).

So it's possible that the firewall was being restarted exactly at the moment that you captured the debug info via the debug script. OTOH, I suppose it may be possible that somehow the FILTER table rules for YazFi were already missing when you ran your tests after rebooting the router, which would explain why the tests (with "Allow Internet Access" set to NO & "Two Way to Guest" set to YES) appeared to work. I don't have enough data to know with certainty what actually happened between the router being rebooted, the tests being run, and the debug info being captured.

I've made some changes to the YazFi shell script, and this latest 4.4.5 version is dated "2024-Jan-02" (shown on the script file header). Whenever you have time, please download this latest version for future tests. Also, the "GetYazFiDebugInfo2.sh" debug script has been modified (see post #35 for the updated version).

Please run the following sequence for testing whenever you can:

1) After downloading & replacing the current YazFi script with the latest 4.4.5 version, set up a YazFi Guest Network for testing ("Allow Internet Access" NO, "Two Way to Guest" YES). Make sure to restart YazFi by running the following command:
Bash:
/jffs/scripts/YazFi runnow

2) Execute the "GetYazFiDebugInfo2.sh" debug script right *before* starting the tests.

3) Run your usual tests

4) Execute the "GetYazFiDebugInfo2.sh" debug script right *after* finishing the tests.
Save the two debug output files to a location so they survive a reboot.

5) Reboot the router. When completed & router is up & running, save the current syslog file (i.e. syslog.log) to the same location where the debug output files were saved.

6) "Rinse and Repeat" steps 2 through 4.

7) Save the current syslog file to the same location as previously done in step 5 (renamed, of course).

Hopefully, all the above data should provide enough clues to know what happens before and after a reboot.

Thank you for your time.

Some other comments after some more testing post router reboot. One thing I found is that any YazFi connected device with two (or more) network adapters, particularly if a cellular device with both cell network connection and WiFi connection, I had to disable the non-WiFi network adapters. Failure to do so would sometimes result in the device using the wrong network adapter even though WiFi was the selected main active connection and the other adapter wasn't connected to LAN/WiFi/Cellular. The OS (both Windows and Android) seems to try and use other network adapters when the WiFi network adapter didn't have internet access despite showing WiFi as the main connected network adapter.
Yes, in the past I have experienced the same situation with Windows PCs & smartphones. I have to disable the 2nd NIC adaptor or the cellular network to prevent them from switching automatically. That's why I've been using the iPads as Guest clients: they have no SIM card and I can easily set the "Auto-Join" option to OFF for all previously saved SSIDs except for the one I'm testing with.
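
The before/after capture sequence requested above can be compared mechanically. The following is an added example, not part of any post in this thread and not code from YazFi or GetYazFiDebugInfo2.sh: it assumes the snapshots are `iptables-save` output and that the script's chains share the name prefix `YazFi`; all rules, interface names and addresses in it are constructed.

```shell
# Added example. The "YazFi" chain prefix is an assumption; every rule,
# interface name and address in the two snapshots below is constructed.

# Print "<table> <rules before> <rules after>" for rules that sit in chains
# whose name starts with the prefix. $1/$2 = iptables-save files, $3 = prefix.
rule_delta() {
    awk -v p="$3" '
        /^\*/ { t = substr($0, 2); seen[t] = 1; next }   # table header line
        $1 == "-A" && index($2, p) == 1 {
            if (FILENAME == ARGV[1]) b[t]++; else a[t]++
        }
        END { for (t in seen) printf "%s %d %d\n", t, b[t], a[t] }
    ' "$1" "$2" | sort
}

# List tables that held such rules before but hold none after.
tables_emptied() {
    rule_delta "$1" "$2" "$3" | awk '$2 > 0 && $3 == 0 { print $1 }'
}

SNAP_DIR=$(mktemp -d)
trap 'rm -rf "$SNAP_DIR"' EXIT
BEFORE="$SNAP_DIR/before.txt"; AFTER="$SNAP_DIR/after.txt"

cat > "$BEFORE" <<'EOF'
*nat
-A YazFiDNSFILTER -i wl1.2 -p udp --dport 53 -j DNAT --to-destination 192.168.2.1
-A YazFiDNSFILTER -i wl1.2 -p tcp --dport 53 -j DNAT --to-destination 192.168.2.1
COMMIT
*filter
-A FORWARD -j YazFiFORWARD
-A YazFiFORWARD -i wl1.2 -o br0 -j ACCEPT
-A YazFiFORWARD -i br0 -o wl1.2 -j ACCEPT
-A YazFiFORWARD -i wl1.2 -o eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

cat > "$AFTER" <<'EOF'
*nat
-A YazFiDNSFILTER -i wl1.2 -p udp --dport 53 -j DNAT --to-destination 192.168.2.1
COMMIT
*filter
-A FORWARD -i br0 -o br0 -j ACCEPT
COMMIT
EOF

rule_delta "$BEFORE" "$AFTER" YazFi
tables_emptied "$BEFORE" "$AFTER" YazFi
```

A table listed by `tables_emptied` on a capture taken right after boot matches the pattern described for the third debug file (FILTER rules gone, some NAT rules left), so the capture is worth repeating once the firewall has settled.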
 
@Martinski, sent a personal message/conversation with the link to the six requested files. Hope it helps with any additional troubleshooting or validation of YazFi.
 
@Martinski, sent a personal message/conversation with the link to the six requested files. Hope it helps with any additional troubleshooting or validation of YazFi.
Thank you again for taking the time to run the tests and provide the results.

I've reviewed all the debug output files as well as the 2 system logs, and everything looks exactly as it should be. All the YazFi firewall rules handling client isolation, 2-way-to-guest comms & no internet access are found where they are expected, and your test results confirm that they're working very well on your RT-AX86U Pro router when configured per the testing parameters.

I fully appreciate your persistence and diligence in running each of the tests and for sticking with me while trying to figure out a fix for this specific scenario. I could not have made this much progress without your invaluable help. Much appreciated.

I'll run a few more validation tests to double-check that previous YazFi configurations continue to run fine as well and, eventually, I'll submit a GitHub PR to merge my changes with @Jack Yaz's official repository.
 
I fully appreciate your persistence and diligence in running each of the tests and for sticking with me while trying to figure out a fix for this specific scenario. I could not have made this much progress without your invaluable help. Much appreciated.
Glad to help out. It's been a very strange issue to be sure. How it wasn't working for some yet was for others. Hopefully this combination of YazFi settings will work properly for the few who appear to have wanted to use it but ran into issues or problems in the past.

A suggestion for anyone who is looking to use the YazFi and configure it so YazFi clients have their internet access blocked (Allow Internet Access: NO) while at the same time wanting those YazFi clients to access main LAN clients (Two Way to Guest: YES). If your YazFi client has two (or more) network adapters, or is a cellular + WiFi device, you may have to disable all non WiFi network adapters on that YazFi client if you are unable to access main LAN clients or if you are still getting internet access.
 
Glad to help out. It's been a very strange issue to be sure. How it wasn't working for some yet was for others. Hopefully this combination of YazFi settings will work properly for the few who appear to have wanted to use it but ran into issues or problems in the past.

A suggestion for anyone who is looking to use the YazFi and configure it so YazFi clients have their internet access blocked (Allow Internet Access: NO) while at the same time wanting those YazFi clients to access main LAN clients (Two Way to Guest: YES). If your YazFi client has two (or more) network adapters, or is a cellular + WiFi device, you may have to disable all non WiFi network adapters on that YazFi client if you are unable to access main LAN clients or if you are still getting internet access.
FYI,

I have submitted a GitHub PR for @Jack Yaz to merge all the recent code changes that address the problem you discovered into his official YazFi repository.
 
I have submitted a GitHub PR for @Jack Yaz to merge all the recent code changes that address the problem you discovered into his official YazFi repository.

@Jack Yaz has merged the PR containing the fix into his 'develop' branch.
If you want to switch from the current master "4.4.4" release to the latest develop "4.4.5" version use the following commands:
Bash:
/jffs/scripts/YazFi develop
/jffs/scripts/YazFi forceupdate

FYI.
 
reading this in awe, WOW you guys!
Had the exact same issues and experimented the whole afternoon and searched and finally found this amazing thread.
Thank you guys!!
Will try > just tried it, got a strange message after the /jffs/scripts/YazFi develop, something double 13 seconds, landed in YazFi UI.
Tried to exit that, threw me back to it. Another "e" worked and then I tried /jffs/scripts/YazFi forceupdate, back to the YazFi UI.
Will reboot all and try.
 
Don't know how, but now the IoT "guest" connected devices cannot connect to NTP anymore even if I open all and dual and reboots and whatnot.
How can I remove above
/jffs/scripts/YazFi develop
/jffs/scripts/YazFi forceupdate
bummer
 
Don't know how, but now the IoT "guest" connected devices cannot connect to NTP anymore even if I open all and dual and reboots and whatnot.
What NTP were the IoT devices using? I.e., how are they configured to get the NTP. Is your router or if using Pi-Hole or other DNS or scripts possibly blocking NTP requests if using an internet-based NTP? Is the router's time correct?

No NTP issues here with both the default YazFi and the YazFi develop version with a number of IoT and other WiFi connected devices.
 
Just the regular, us.pool.ntp.org and time.nist.gov
No Pi-Hole, just Diversion + yazfi, on a RT-AC68 on 386.12_4
In fact, had opened/forwarded UDP 123

Removed yazfi and reinstalled 4.4.4 and it's all ok again, phew.
I probably messed something up when doing those two lines.
Will load it when new version 4.4.5 is published.

Thanks again for your detailed research and sharing it with us.
 