
YazFi Allowing access to selected network devices


I'll let you know what I find. Is my understanding correct that the same behavior also happens without YazFi, by simply using the built-in Guest Networks #1, #2, or #3?
Good luck with the last minute gift shopping. :)

Haven't tested it yet outside of YazFi on just the normal Guest Network #1-3. If I have time today I'll try to test it without YazFi on the router to see if it's Asus firmware related vs YazFi script related. Thanks for taking a look at this issue.
 
As requested (@Martinski), did some quick testing with YazFi uninstalled. Not sure how to disable Guest Network internet access for all Guest Network clients. Didn't seem to be an obvious option and a quick search of Asus's FAQs didn't turn anything up. So I first used the Parental Controls > Time Scheduling (or using the Network Map > Client > Block Internet Access option) to disable internet access for one Guest Network client. My second test was trying to use the Guest Network Access Time option. That option wouldn't let me set it to 0:00:00, instead I tried using 1 minute (0:00:01). The (Asus-Merlin) firmware appears to disable that Guest Network entry once the Access Time ran out causing it to be unavailable to the WiFi clients. Had to go into Guest Network and re-enable that Guest Network entry.

When blocking internet access per WiFi client via Parental Controls Time Scheduling, the Guest Network client can access the main LAN client(s) so long as the Guest Network Access Intranet option was enabled. When that option is disabled, access between LAN and Guest Network is blocked. In this basic limited testing it would appear there is something with how the block internet access is run in YazFi that may be introducing the problem of YazFi guests being unable to access main LAN when Two-Way to Guest is enabled but internet access is blocked. (just my speculation/guess)

Testing
RT-AX86U Pro
3004.388.5
DNS: LAN Pi-Hole & Unbound
YazFi uninstalled

Guest Network #2 2.4Ghz
Internet access
Access Intranet: Enabled
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

Guest Network #2 2.4Ghz
Access Intranet: Enabled
Parental Controls > Time Scheduling: Enabled
WiFi client (smartphone) blocked under Time Scheduling Client List.
WiFi client sees Asus warning screen "Warning! This device is now unable to access the Internet."
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

Guest Network #2 5Ghz
Internet access
Access Intranet: Enabled
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

Guest Network #2 5Ghz
Access Intranet: Enabled
Parental Controls > Time Scheduling: Enabled
WiFi client (smartphone) blocked under Time Scheduling Client List.
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

Tried to set the Guest Network Access time to zero, couldn't do so. Set to 1 minute and it disabled the specific Guest Network WiFi frequency (5Ghz) entry when applied. Had to select Enable again to get the Guest Network WiFi frequency entry active again. It appears once the "minute" was up the Asus firmware disabled that specific Guest Network entry (5Ghz GN# 2 in my test). Because that Guest Network was disabled by the firmware, WiFi clients could not see Guest Network #2's 5Ghz when searching for WiFi networks.
 
Bit more quick and dirty troubleshooting. This time with One Way and Two Way to Guest settings in YazFi.

Summary:
There appears to be the same or similar issue when Access Internet is set to Off in YazFi when using Two Way to Guest that is mentioned above. With YazFi set to no internet access, the YazFi client cannot access main LAN client when Two Way to Guest is enabled. When internet is enabled in YazFi, the YazFi client can access main LAN client when Two Way to Guest is enabled.

As requested (@Martinski), did some quick testing with YazFi uninstalled. Not sure how to disable Guest Network internet access for all Guest Network clients. Didn't seem to be an obvious option and a quick search of Asus's FAQs didn't turn anything up. So I first used the Parental Controls > Time Scheduling (or using the Network Map > Client > Block Internet Access option) to disable internet access for one Guest Network client. My second test was trying to use the Guest Network Access Time option. That option wouldn't let me set it to 0:00:00, instead I tried using 1 minute (0:00:01). The (Asus-Merlin) firmware appears to disable that Guest Network entry once the Access Time ran out causing it to be unavailable to the WiFi clients. Had to go into Guest Network and re-enable that Guest Network entry.

Thank you for taking the time to run the tests and report the results.

I took a look at the YazFi code that specifically deals with the firewall rules for the Guest Network virtual interfaces. Four Filter table FORWARD chain rules get created/deleted whenever the "Allow Internet Access" option is set to YES or NO. These are straightforward rules that block internet access via the WAN (eth0) and the OpenVPN client (tun1+) interfaces, so 2 rules for each case. That's it, fairly simple & effective; but I didn't see how these rules would be interfering with the "Two Way to Guest" functionality, but something is certainly affecting it when "Allow Internet Access" is set to NO.

On a hunch, I rearranged and made some changes to the code to add 2 NAT table POSTROUTING chain rules for 'br0' & the target YazFi virtual interface (e.g. wl0.1) whenever "Two Way to Guest" is enabled, and that immediately fixed "whatever" was causing the problem, at least on my current YazFi setup & environment.

I have a test version of the script on my GitHub repository. If you want to try and see how it works on your own YazFi setup you can download it from here:
Bash:
curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/Martinski4GitHub/YazFi/develop/YazFi.sh -o /jffs/scripts/YazFi.445.DEV.sh
chmod 755 /jffs/scripts/YazFi.445.DEV.sh

After downloading it, rename your current script file (e.g. YazFi_ORIG.sh) and replace it with the develop 4.4.5 version:
Bash:
cp -fp /jffs/scripts/YazFi.445.DEV.sh /jffs/scripts/YazFi

Now run the following command to reset YazFi firewall rules and restart the firewall.
Bash:
/jffs/scripts/YazFi runnow

This takes about 15-20 seconds so wait until the guest network clients reconnect and are re-authenticated; then go to the YazFi WebGUI and set the "Allow Internet Access" & "Two Way to Guest" options as needed to test how they work for you now.
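
The download-and-replace steps above, as an added example that is not part of the original post or the YazFi project: it fetches with certificate verification left on (no `-k`), validates the staged file, keeps a timestamped backup of the current script, and installs with an explicit 0755 mode so a missed `chmod` cannot leave the script non-executable. The function names and the `.bak`/`.new` file naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the YazFi project.
# fetch_script/install_script and the backup naming are hypothetical.

# Download to a staging path. Unlike the command in the post there is no -k,
# so curl verifies the server certificate; -f makes an HTTP error fail
# instead of saving the error page as the script.
fetch_script() {
    url="$1"; staged="$2"
    curl -fLSs --proto '=https' --retry 3 --retry-delay 5 --retry-connrefused \
        "$url" -o "$staged"
}

# Validate a staged script, back up the current one, then install it.
# Prints the backup path (empty if there was nothing to back up).
# Returns non-zero and leaves the target untouched if validation fails.
install_script() {
    staged="$1"; target="$2"
    [ -s "$staged" ] || { echo "staged file missing or empty" >&2; return 1; }
    # First line must be a shell shebang (an HTML error page fails here).
    head -n 1 "$staged" | grep -Eq '^#!/bin/(ba)?sh' || {
        echo "staged file is not a shell script" >&2; return 1; }
    # Parse without executing; catches a truncated download.
    sh -n "$staged" 2>/dev/null || { echo "syntax check failed" >&2; return 1; }

    backup=""
    if [ -f "$target" ]; then
        backup="${target}.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$target" "$backup" || return 1
    fi
    # Copy to a temporary name in the same directory, set the mode
    # explicitly, then rename so the target is never half-written.
    tmp="${target}.new.$$"
    cp "$staged" "$tmp" && chmod 755 "$tmp" && mv -f "$tmp" "$target" || {
        rm -f "$tmp"; return 1; }
    printf '%s\n' "$backup"
}
```

To roll back, copy the printed backup path over the target and run the `runnow` command from the post again.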
 
I have a test version of the script on my GitHub repository. If you want to try and see how it works on your own YazFi setup you can download it from here:
Bash:
curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/Martinski4GitHub/YazFi/develop/YazFi.sh -o /jffs/scripts/YazFi.445.DEV.sh
chmod 755 /jffs/scripts/YazFi.445.DEV.sh

After downloading it, rename your current script file (e.g. YazFi_ORIG.sh) and replace it with the develop 4.4.5 version:
Bash:
cp -fp /jffs/scripts/YazFi.445.DEV.sh /jffs/scripts/YazFi

Now run the following command to reset YazFi firewall rules and restart the firewall.
Bash:
/jffs/scripts/YazFi runnow

This takes about 15-20 seconds so wait until the guest network clients reconnect and are re-authenticated; then go to the YazFi WebGUI and set the "Allow Internet Access" & "Two Way to Guest" options as needed to test how they work for you now.
Thanks for taking a look at the issue. Seems I still have issues with not being able to access main LAN clients with the new YazFi file you posted. Maybe someone else can do some testing on their end to see if maybe it's just my router. Some observations using the 4.4.5 YazFi file you put up.

Change YazFi permission to 0755 otherwise it will say permission denied when executing the /jffs/scripts/YazFi runnow command.
YazFi GUI page still indicates v4.4.4 rather than 4.4.5. YazFi CLI shows correct 4.4.5.

Guest Network #2 YazFi 4.4.5
Allow Internet access No
Two way to guest ON
LAN (PC) can ping YazFi client (smartphone)
YazFi client could not access LAN client (a NAS)

For some reason after making changes to the 2.4Ghz in YazFi GUI and clicking the Apply button my WiFi client wouldn't see either the main 2.4Ghz WiFi SSID nor the Guest Network 2.4Ghz WiFi SSID.
Rebooted router. Same issue the 2.4Ghz WiFi SSIDs seemed not to be found by the WiFi client. If I turn off WiFi on the WiFi client then turn back on then it would sometimes pick up 2.4Ghz WiFi SSIDs (both of them).
If I applied the setting via the YazFi CLI then the 2.4Ghz Guest Network WiFi seems to be visible to WiFi client. Strange not sure what's going on with the SSIDs not being visible right away or disappearing later on.

Rolling back to the 4.4.4 YazFi for now.
PS: After rolling back to 4.4.4 and issuing the /jffs/scripts/YazFi runnow command, WiFi client picked up the 2.4Ghz SSIDs right away but later again had trouble seeing the 2.4Ghz SSIDs. Wonder if firmware issue, will look at the system logs later to see if anything strange is happening.
 
Change YazFi permission to 0755 otherwise it will say permission denied when executing the /jffs/scripts/YazFi runnow command.
It looks like you forgot to run the "chmod 755 /jffs/scripts/YazFi.445.DEV.sh" command that I posted in my download instructions before overwriting the script (cp -fp /jffs/scripts/YazFi.445.DEV.sh /jffs/scripts/YazFi).

YazFi GUI page still indicates v4.4.4 rather than 4.4.5. YazFi CLI shows correct 4.4.5.
Yes, that's expected because your original script was simply replaced with the develop branch version *without* doing a full installation so the webGUI has not been "told" that a new version was just "installed." When a proper installation is performed, such details are taken care of automatically.

For some reason after making changes to the 2.4Ghz in YazFi GUI and clicking the Apply button my WiFi client wouldn't see either the main 2.4Ghz WiFi SSID nor the Guest Network 2.4Ghz WiFi SSID.
Rebooted router. Same issue the 2.4Ghz WiFi SSIDs seemed not to be found by the WiFi client. If I turn off WiFi on the WiFi client then turn back on then it would sometimes pick up 2.4Ghz WiFi SSIDs (both of them).
If I applied the setting via the YazFi CLI then the 2.4Ghz Guest Network WiFi seems to be visible to WiFi client. Strange not sure what's going on with the SSIDs not being visible right away or disappearing later on.
Those are very strange behaviors but, AFAICT (and as you later found out), unrelated to the YazFi changes.

I have another 4.4.5 test version available on my GitHub repository. If you want to try it out, use the same instructions as before. These latest changes also work on my router+YazFi setup & environment so here's hoping for some good results on your side.

Good Luck. Happy Holidays to you & your loved ones.
 
I have another 4.4.5 test version available on my GitHub repository. If you want to try it out, use the same instructions as before. These latest changes also work on my router+YazFi setup & environment so here's hoping for some good results on your side.
Just tried the 4.4.5 again on RT-AX86U Pro 3.0.0.4.388.5. Still no go on my end. With internet disabled and two way to guest enabled on YazFi Guest Network 2 the WiFi client cannot access main LAN client even though the main LAN client can ping the WiFi client. If internet access is enabled then the WiFi client can access main LAN client. If it is working on your end, but not working on mine it would help if others could test on their routers to see if it's something specific to my settings (or yours) or something limited to specific routers.

Happy Holidays to all. :)
 
Just tried the 4.4.5 again on RT-AX86U Pro 3.0.0.4.388.5. Still no go on my end. With internet disabled and two way to guest enabled on YazFi Guest Network 2 the WiFi client cannot access main LAN client even though the main LAN client can ping the WiFi client. If internet access is enabled then the WiFi client can access main LAN client. If it is working on your end, but not working on mine it would help if others could test on their routers to see if it's something specific to my settings (or yours) or something limited to specific routers.

Well, currently I'm out of ideas as to what could possibly fix the problem you're seeing on your specific router + YazFi setup, especially since it's working on mine.

For the record, the following test is what works for my particular case:

RT-AC86U with AsusWRT-Merlin 386.12_4
YazFi 4.4.5 develop test version.
YazFi Guest Network client is an iPad (iPadOS 17.1.2)
LAN client is a Windows 10 PC wired connected via an unmanaged 4-port Ethernet switch.

5GHz Guest Network #2
Force DNS: NO
Allow Internet Access: NO
Two Way to Guest: YES
Client Isolation: YES or NO (same results)
NO VPN Client & NO Redirect All to VPN

Results:
---------
LAN PC can ping the iPad.
iPad can ping the LAN PC & access a network share on the PC.
 
Well, currently I'm out of ideas as to what could possibly fix the problem you're seeing on your specific router + YazFi setup, especially since it's working on mine.
Same here, out of ideas for the cause on a RT-AX86U Pro. Might break out a RT-AC68U to test with to see if it exhibits this same issue as the RT-AX86U Pro when using YazFi.
 
@Martinski, Pulled an unused RT-AC68U out of the closet, did a factory reset of the 386.12_4 firmware on it, did basic setup, then installed YazFi 4.4.4 to it. Same issue. When internet access for YazFi clients is disabled, Two-Way to Guest (enabled) doesn't work. With internet access enabled it works.

Installed YazFi 4.4.5 Develop to the router and same issue persists. When internet access for YazFi clients is disabled, Two-Way to Guest (enabled) doesn't work. With internet access enabled it works.

Not sure it will help but I dumped the IPTables (via iptables -vL -t filter) after each change in YazFi internet setting was made. Click here for a link to a zip file containing the four text files. Looked at the system log but didn't see anything jump out indicating an issue or problem during the basic testing I did on the RT-AC68U. Strange issue to be sure if it works for some but not others.

It would help if others could do some quick testing to see if they experience this particular issue YazFi client not accessing LAN client when YazFi internet is disabled with YazFi Two-Way to Guest enabled. But in my case, two different routers show similar results.

Hope the info helps with isolating whatever the issue is.

Testing notes:
RT-AC68U
386.12_4
Hard factory reset then basic setup with YazFi 4.4.4 installed. No Pi-Hole.
YazFi DNS 1&2 set to router (192.168.1.1)

2.4Ghz WiFi
Guest Network #1
Internet access
Two way to guest YES
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

2.4Ghz WiFi
Guest Network #1
No internet access
Two way to guest YES
LAN (PC) can ping YazFi client (smartphone)
YazFi client could not access LAN client (a NAS)

Installed YazFi 4.4.5 develop

2.4Ghz WiFi
Guest Network #1
Internet access
Two way to guest YES
LAN (PC) can ping YazFi client (smartphone)
YazFi client can access LAN client (a NAS)

2.4Ghz WiFi
Guest Network #1
No internet access
Two way to guest YES
LAN (PC) can ping YazFi client (smartphone)
YazFi client could not access LAN client (a NAS)
YazFi client (smartphone) could not ping router or LAN client(s)
 
@Martinski, Pulled an unused RT-AC68U out of the closet, did a factory reset of the 386.12_4 firmware on it, did basic setup, then installed YazFi 4.4.4 to it. Same issue. When internet access for YazFi clients is disabled, Two-Way to Guest (enabled) doesn't work. With internet access enabled it works.

Installed YazFi 4.4.5 Develop to the router and same issue persists. When internet access for YazFi clients is disabled, Two-Way to Guest (enabled) doesn't work. With internet access enabled it works.

Not sure it will help but I dumped the IPTables (via iptables -vL -t filter) after each change in YazFi internet setting was made. Click here for a link to a zip file containing the four text files. Looked at the system log but didn't see anything jump out indicating an issue or problem during the basic testing I did on the RT-AC68U. Strange issue to be sure if it works for some but not others.

I've looked through the iptables outputs you provided and ran them through diffs but did not catch anything that seemed "out of place" or any clues that would indicate a possible issue. Granted, I'm not a true expert in reviewing/analyzing firewall rules so it's possible that I may be missing something that would jump out when seen by fully expert eyes.

Trying not to leave any stones unturned, I wondered if there was possibly any difference between the 5GHz radio (used for my tests so far) and the 2.4GHz radio (which I had not used for testing until today), so I set up the 2.4GHz Guest Net #2 (172.26.133.0/26) and ran exactly the same tests (NO Internet Access + 2-Way to Guest YES). I then switched the YazFi client from my iPad to my smartphone, wondering if different WiFi devices would behave differently. The target LAN client was still the same: Windows 10 PC (172.25.225.13) connected via Ethernet.

Well, in all test runs using my YazFi 4.4.5 develop test version, the results were the same (i.e. successful) as reported in my previous post #27. Here are some screenshots from these latest tests using my smartphone (pings to router & LAN client + traceroute) on the 2.4GHz Guest Net #2. I've attached a screenshot of the YazFi webGUI as well just to show all settings used for the latest tests.

Traceroute from YazFi guest to LAN PC:
----------------------------------------------

YazFi_2.4GhzGuestNet_TraceRouteToLAN.jpeg


Pings from YazFi guest to router:
--------------------------------------

YazFi_2.4GhzGuestNet_PingsToRouter.jpeg


Pings from YazFi guest to LAN PC:
----------------------------------------

YazFi_2.4GhzGuestNet_PingsToLAN.jpeg



YazFi_2.4GhzGuestNet#2.jpg


FYI.
 
@Martinski, Still no go on my end with the RT-AC68U after more testing and experimenting. YazFi client just cannot access LAN client(s). Not sure why it works for you and not for me. Wonder, based on your sig line, if perhaps Entware is the reason, or if you have some other router setting or script that is allowing it to work for you. But for me, on two different routers (the RT-AC68U was hard factory reset with base configuration), two way to guest doesn't work (for the YazFi client to access LAN) when access internet is set to no in YazFi. Shrugs.

The YazFi Settings page:
YazFi_Guest2_Config_1.jpg


LAN client:
LAN_Client.jpg


LAN client can ping YazFi client:
LAN_Client_Ping_YazFi_Client.jpg


YazFi client cannot ping LAN client:
YazFi_Client_Ping_LAN_Client.jpg


YazFi client cannot ping router:
YazFi_Client_Ping_Router.jpg
 
@Martinski, Still no go on my end with the RT-AC68U after more testing and experimenting. YazFi client just cannot access LAN client(s). Not sure why it works for you and not for me. Wonder, based on your sig line, if perhaps Entware is the reason, or if you have some other router setting or script that is allowing it to work for you. ...
Yeah, I'm starting to suspect that something like that might be at play here. Although at this point we can't rule anything out completely, I highly doubt that Entware would be a factor in this situation, especially since I don't have any Entware-based add-ons installed, and the only Entware services installed are OpenSSH & Fail2Ban, which were not running at the time the tests were performed (they run occasionally & on-demand under very specific & limited conditions).

The only 3rd-party add-ons I have installed & used are YazFi & YazDHCP, nothing else. I do have many custom personal scripts located under the "/jffs/scripts" directory (several of which run as cron jobs), but none is specifically changing wireless settings, modifying/adding firewall rules, or targeting the WAN interface to allow/disallow internet access - all of that is being done with YazFi.

I'm more inclined to believe that maybe some wireless settings in the "Professional" webGUI page might be involved or perhaps some other router settings; but out of a hundred or so possible options, at this moment I can't think of one specific router setting that would affect this particular scenario regarding YazFi.

For the record & for the sake of comparison, here are screenshots of my "Professional" settings for both WiFi bands.

RT-AC86U_2.4GHz_ProSettings.jpg


RT-AC86U_5GHz_ProSettings.jpg
 
I'm more inclined to believe that maybe some wireless settings in the "Professional" webGUI page might be involved or perhaps some other router settings; but out of a hundred or so possible options, at this moment I can't think of one specific router setting that would affect this particular scenario regarding YazFi.
The professional settings for a hard factory reset RT-AC68U whose YazFi clients cannot access main LAN clients when internet is disabled and two way to guest enabled shown below. These were default values, some are different than yours. I tried using the exact same values in your screen capture (where I could), didn't work to fix the issue.
Professional-24ghz-wifi.jpg

Professional-5ghz-wifi.jpg


Did a bit more experimenting on a RT-AC68U. Still no joy in getting two way to guest working properly under YazFi when YazFi internet is disabled. YazFi clients cannot access LAN clients. Did a hard factory reset as indicated in notes below with minimum configuration and the YazFi two way to guest just doesn't allow YazFi clients to access LAN clients when access internet is disabled in YazFi for some reason. As my notes below indicate one still has the option of not using YazFi to achieve the same goal of Guest Network having LAN access while Internet is disabled for the Guest Network. The downside is having to disable internet access per Guest Network client rather than a blanket block on internet access that YazFi does.

Testing notes:
WPS hard factory reset RT-AC68U router and basic configure (set wifi ssid/password, set admin name/password).
Enable SSH.
Enable Guest WiFi 1 (2.4Ghz & 5Ghz)
Run amtm, install YazFi 4.4.4.
Manually edit YazFi config (via CLI) to set no internet access and enable two way guest access on Guest Network #1. Changed all DNS1&2 values to router IP address 192.168.1.1.
LAN PC can ping YazFi client (smartphone) on Guest Network #1 2.4Ghz.
YazFi client cannot ping LAN router, or LAN NAS.
YazFi client cannot access router web page or NAS web page.

Using YazFi CLI enabled internet access for Guest Network #1.
LAN PC can ping YazFi client (smartphone) on Guest Network #1 2.4Ghz.
YazFi client can ping LAN router, can ping LAN NAS.
YazFi client can access NAS web page.

Uninstall YazFi via CLI.
Re-enable Guest Network WiFi 1 (2.4Ghz & 5Ghz) by simply hitting the apply button for each guest network.
Enable Allow Intranet Access on Guest WiFi #1
Guest Network #1 WiFi client can ping LAN PC, LAN router, and LAN NAS.
Guest Network #1 WiFi client could access router web page and LAN NAS web page

Configured Block Internet Access on the Guest Network client (Time Scheduling).
Guest Network #1 WiFi client cannot access internet
Guest Network #1 WiFi client can ping LAN PC, LAN router, and LAN NAS.
Guest Network #1 WiFi client could access router web page and LAN NAS web page
 
Another observation/data point. With YazFi installed on a RT-AX86U Pro, if I enable another Guest Network but do not enable YazFi for it. Then set that Guest Network to have Intranet access, and block internet access to the specific Guest Network WiFi client connected to that Guest Network, that Guest Network WiFi client cannot access the Intranet/LAN client(s). As indicated in notes above on a RT-AC68U with YazFi uninstalled a Guest Network WiFi client could access Intranet/LAN client(s) when Internet was blocked for that client and Intranet was enabled under Guest Network.
 
Another observation/data point. With YazFi installed on a RT-AX86U Pro, if I enable another Guest Network but do not enable YazFi for it. Then set that Guest Network to have Intranet access, and block internet access to the specific Guest Network WiFi client connected to that Guest Network, that Guest Network WiFi client cannot access the Intranet/LAN client(s). As indicated in notes above on a RT-AC68U with YazFi uninstalled a Guest Network WiFi client could access Intranet/LAN client(s) when Internet was blocked for that client and Intranet was enabled under Guest Network.

That's a very good, interesting observation because it seems to suggest that YazFi is doing "something" after installation & initial setup that interferes with the regular Guest Network "Intranet Access" even when that interface is not even enabled in the YazFi configuration file.

In another attempt to figure out what the issue might be, I made some changes in the YazFi shell script, and this latest version is in my GitHub 'develop' branch.
Bash:
curl -kLSs --retry 3 --retry-delay 5 --retry-connrefused https://raw.githubusercontent.com/Martinski4GitHub/YazFi/develop/YazFi.sh -o /jffs/scripts/YazFi.445.DEV.sh
chmod 755 /jffs/scripts/YazFi.445.DEV.sh

If you have some time, would you please run some tests on your router & use the attached custom debug script to gather some debug info?

Here's the debug script that creates a text file with debug information
[UPDATED: 2024-Jan-02]
Bash:
#!/bin/sh
#################################################################
# GetYazFiDebugInfo2.sh
# Last Modified by: Martinski W. [2024-Jan-02]
#################################################################

_GetYazFiDebugInfo_()
{
    # Header: router model, firmware version and timestamp.
    printf '%s: ' "$(nvram get productid)"
    printf '%s.%s.%s' "$(nvram get firmver)" "$(nvram get buildno)" "$(nvram get extendno)"
    printf ' [%s]\n' "$(date)"
    echo "========================================================="
    # Guest Network NVRAM flags plus the LAN and WAN interface names.
    nvram show 2>/dev/null | grep -E "(wl[0-2]\.[1-3])(_bss_enabled=|_ap_isolate=|_lanaccess=)" | sort -d -t '=' -k 1
    nvram show 2>/dev/null | grep -E "lan_ifname=|wan0_ifname="
    WAN_IFN="$(nvram get wan0_ifname)"
    echo "========================================================="
    printf "brctl show\n----------\n" ; brctl show
    echo "========================================================="
    # Routes, excluding those on the WAN interface.
    printf "ip route show\n-------------\n"
    ip route show | grep -v "dev $WAN_IFN"
    echo "========================================================="
    printf "ifconfig\n--------\n" ; ifconfig
    echo "========================================================="
    [ -f /tmp/YazFi.lock ] && \
    yazfiPID="$(cat /tmp/YazFi.lock 2>/dev/null || echo "NONE")" && \
    printf 'YazFi Lock found. PID: [%s]\n--------------------------------\n' "$yazfiPID"
    # Rules from each iptables table that mention the LAN, WAN or guest interfaces.
    TABLES="nat filter mangle raw"
    findStr="br0|eth0|wl[0-2]\.[1-3]|YazFi|$WAN_IFN"
    for tableID in $TABLES
    do
        printf '%s\n------------\n' "$tableID"
        iptables -t "$tableID" -S | grep -E "$findStr"
        echo "========================================================="
    done
}
_GetYazFiDebugInfo_ > "${HOME}/YazFi_DEBUG_$(date +"%Y-%m-%d_%H-%M-%S").txt"

#EOF#
Run the script without any parameters to gather the info in a text file created in the HOME directory (e.g. "YazFi_DEBUG_{DATE}_{TIME}.txt"). Make sure to remove your public IP address associated with your WAN port.

Here are the steps to gather the debug data:

1) Without installing YazFi at all, set up one Guest Network using the built-in webGUI page.

2) Run your tests as usual and when completed, execute the debug script to create a debug file.

3) Download the latest 'develop' test 4.4.5 version and replace your current version with this new 4.4.5 version (same instructions as before - listed in post #23)

4) Run your tests again with the same Guest Network that was set up in step 1 but *WITHOUT* enabling it within YazFi at all.

5) Gather debug info by executing the debug script.

6) Now, go to the YazFi webGUI and *enable* the same Guest Network that was set up in step 1. Set "Two Way to Guest" option to YES and "Allow Internet Access" to NO.

7) Run your tests and when completed, execute the debug script to create a debug file.

8) Please provide the 3 debug files that were created in the HOME directory.

Thanks in advance.
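
One way to compare the debug files from the steps above, as an added example that is not part of the original post or the YazFi project: it pulls the per-table `iptables -S` lines out of each file and lists the rules present in only one of them. The function names and the two sample dumps are constructed for illustration and are not YazFi's actual rules.

```shell
#!/bin/sh
# Added example, not from the thread or the YazFi project.
# Function names and the sample dumps below are constructed.

# Print "table<TAB>rule" for each iptables -S line in a debug file written
# by GetYazFiDebugInfo2.sh. Each table section in that file is:
#   table name, a line of dashes, the rules, a line of '='.
extract_rules() {
    awk '
        /^=+$/                      { table = ""; pending = ""; next }
        /^(nat|filter|mangle|raw)$/ { pending = $0; next }
        pending != "" && /^-+$/     { table = pending; pending = ""; next }
                                    { pending = "" }
        table != "" && /^-[ANP] /   { print table "\t" $0 }
    ' "$1" | LC_ALL=C sort -u
}

# Show rules present in only one of two debug files:
#   "- ..." only in the first, "+ ..." only in the second.
# Optional third argument keeps only rules containing that literal string,
# e.g. a guest interface name such as wl0.1.
diff_rules() {
    a="$(mktemp)"; b="$(mktemp)"
    extract_rules "$1" | awk -v p="${3:-}" 'p == "" || index($0, p)' > "$a"
    extract_rules "$2" | awk -v p="${3:-}" 'p == "" || index($0, p)' > "$b"
    LC_ALL=C comm -23 "$a" "$b" | sed 's/^/- /'
    LC_ALL=C comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}

# Write two constructed dumps in the debug script's layout into directory $1.
make_sample_dumps() {
    cat > "$1/internet_yes.txt" <<'EOF'
SAMPLE-ROUTER: constructed dump, internet allowed
=========================================================
lan_ifname=br0
wan0_ifname=eth0
=========================================================
nat
------------
-A POSTROUTING -o eth0 -j MASQUERADE
=========================================================
filter
------------
-A FORWARD -i br0 -o wl0.1 -j ACCEPT
-A FORWARD -i wl0.1 -o br0 -j ACCEPT
=========================================================
EOF
    cat > "$1/internet_no.txt" <<'EOF'
SAMPLE-ROUTER: constructed dump, internet blocked
=========================================================
lan_ifname=br0
wan0_ifname=eth0
=========================================================
nat
------------
-A POSTROUTING -o eth0 -j MASQUERADE
=========================================================
filter
------------
-A FORWARD -i br0 -o wl0.1 -j ACCEPT
-A FORWARD -i wl0.1 -o eth0 -j DROP
-A FORWARD -i wl0.1 -o tun1+ -j DROP
=========================================================
EOF
}

# Run with --demo to see the comparison on the constructed dumps.
if [ "${1:-}" = "--demo" ]; then
    dir="$(mktemp -d)"
    make_sample_dumps "$dir"
    diff_rules "$dir/internet_yes.txt" "$dir/internet_no.txt"
    rm -rf "$dir"
fi
```

This compares rule sets per table only; rule order within a chain also decides which rule matches, so when the sets are identical check positions with `iptables -L FORWARD -n --line-numbers`.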
 
That's a very good, interesting observation because it seems to suggest that YazFi is doing "something" after installation & initial setup that interferes with the regular Guest Network "Intranet Access" even when that interface is not even enabled in the YazFi configuration file.

In another attempt to figure out what the issue might be, I made some changes in the YazFi shell script, and this latest version is in my GitHub 'develop' branch.
<snip>
Not sure how helpful the following will be as something weird happened with the RT-AC68U when I enabled Intranet access on the Guest Network 1 to do some testing (see Test Two below) and generate a log result per your script. The IP address of the WiFi client changed (see notes below) and from then on in the testing that WiFi client had internet access even though I configured internet access to be blocked initially in the Parental Controls, then after removing that Parental Control setting and installing YazFi then disabling internet access in YazFi. Repeatedly double checked to ensure the WiFi client was connected to the Guest Network 1. WiFi client would complain about no internet access when connected to Guest Network 1 (with internet blocked) yet web browser could access internet. It appears somehow the WiFi client Brave browser was picking up Cellular data connection instead of WiFi connection bypassing the settings. Something that did not happen in past testing. There are a total of five log files rather than three as I was trying to do more testing.

Click here for the zipped log files.

I can retest to create just three log files with the first of the three tests being just the base Guest Network with internet access enabled for the WiFi client and Intranet access disabled.

The notes of the testing with corresponding log file name included for each of the five tests, WAN address in log files redacted:

Initial Settings:
WPS hard factory reset RT-AC68U router and basic configure (set basic WiFi SSID/password, set admin name & password).
WAN set to Automatic IP.
Enable SSH.
Enable Guest WiFi #1 (2.4Ghz & 5Ghz) and set basic WiFi password.
In Home directory created GetYazFiDebugInfo2.sh, pasted in the script and set permissions on file to 0755.
/home/GetYazFiDebugInfo2.sh
WiFi client (Android Phone) connected to Guest Network #1 2.4Ghz
Windows 11 PC and separate NAS connected to RT-AC68U LAN ports.

Test One - Guest Network Internet Access, Access Intranet Disable:
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175
NAS: 192.168.1.99
WiFi Client: 192.168.101.110
LAN PC cannot ping WiFi Client
WiFi Client can access Internet
WiFi Client cannot ping LAN NAS
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access NAS web page
WiFi Client cannot access NAS using SMB
WiFi Client cannot access Router web page
Generated GetYazFiDebugInfo script: YazFi_DEBUG_2023-12-29_11-47-57.txt

Test Two - Guest Network Client Internet Access, Access Intranet Enabled:
Note: When enabling Intranet access on Guest Network 1 2.4Ghz the IP address of the Guest WiFi Client changed from 192.168.101.110 to 192.168.1.110.
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175
NAS: 192.168.1.99
WiFi Client: 192.168.1.110
LAN PC can ping WiFi Client
WiFi Client can access Internet
WiFi Client can ping LAN NAS
WiFi Client can ping LAN PC
WiFi Client can ping Router
WiFi Client can access NAS web page
WiFi Client can access NAS using SMB
WiFi Client can access Router web page
Generated GetYazFiDebugInfo script: YazFi_DEBUG_2023-12-29_11-58-53.txt

Test Three - Guest Network Client No Internet Access, Access Intranet Enabled:
Note: WiFi Client indicates no Internet Access yet still had internet access.
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175
NAS: 192.168.1.99
WiFi Client: 192.168.1.110
LAN PC can ping WiFi Client
WiFi Client can access Internet for some reason even though Guest Network WiFi client indicates no internet access
WiFi Client cannot ping LAN NAS
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access NAS web page
WiFi Client cannot access NAS using SMB
WiFi Client cannot access Router web page
Generated GetYazFiDebugInfo script: YazFi_DEBUG_2023-12-29_12-17-48.txt

Test Four - Guest Network Client No Internet Access, Access Intranet Enabled & YazFi 4.4.5 installed but not enabled:
Note: YazFi 4.4.5 not enabled on Guest Network 1.
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175
NAS: 192.168.1.99
WiFi Client: 192.168.1.110
LAN PC can ping WiFi Client
WiFi Client can access Internet for some reason even though Guest Network WiFi client indicates no internet access
WiFi Client cannot ping LAN NAS
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access NAS web page
WiFi Client cannot access NAS using SMB
WiFi Client cannot access Router web page
Generated GetYazFiDebugInfo script: YazFi_DEBUG_2023-12-29_12-26-56.txt

Test Five - Guest Network Client & YazFi 4.4.5 Allow Internet Access No - Two Way to Guest Yes:
Note: Removed block internet access on WiFi client from Parental Controls and turned off Parental Controls.
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175
NAS: 192.168.1.99
WiFi Client: 192.168.2.110
LAN PC can ping WiFi Client
WiFi Client can access Internet for some reason even though Guest Network WiFi client indicates no internet access
WiFi Client cannot ping LAN NAS
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access NAS web page
WiFi Client cannot access NAS using SMB
WiFi Client cannot access Router web page
Generated GetYazFiDebugInfo script: YazFi_DEBUG_2023-12-29_12-42-24.txt
 
Another set of tests after another hard factory reset. This time just three log files per the steps above (Guest Network, no YazFi - Guest Network with YazFi 4.4.5 installed but not enabled - Guest Network with YazFi 4.4.5 installed and enabled). A fourth test follows.

Click here for the three log files.

Notes:
WPS hard factory reset RT-AC68U router and basic configure (set basic WiFi SSID/password, set admin name & password).
WAN set to Automatic IP.
Enable SSH.
Enable Guest WiFi #1 (2.4GHz) with default values and set WPA2 Guest Network WiFi password.
In Home directory created GetYazFiDebugInfo2.sh, pasted in the script and set permissions on file to 0755.
/home/GetYazFiDebugInfo2.sh
WiFi client (Android Phone) connected to Guest Network #1 2.4GHz
Windows 11 PC connected to RT-AC68U LAN ports.
RT-AC68U: 192.168.1.1
Windows 11 PC: 192.168.1.175

Test One - Guest Network #1 2.4GHz - Internet Access, Access Intranet Disable:
WiFi Client: 192.168.101.110
LAN PC cannot ping WiFi Client
WiFi Client can access Internet
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
Generated Log File: YazFi_DEBUG_2023-12-29_14-55-41.txt

Test Two - Guest Network #1 2.4GHz - Internet Access, Access Intranet Disable - YazFi 4.4.5 installed not enabled:
WiFi Client: 192.168.101.110
LAN PC can ping WiFi Client
WiFi Client can access Internet
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access Router web page
Generated Log File: YazFi_DEBUG_2023-12-29_15-09-27.txt

Test Three - Guest Network #1 2.4GHz - YazFi enabled Allow Internet Access No, Two Way to Guest Yes:
Note: WiFi client (smartphone) indicates no internet connection on WiFi
WiFi Client: 192.168.2.110
LAN PC can ping WiFi Client
WiFi Client can access Internet (Brave browser - whatismyipaddress.com shows 174.242.XXX.XXX which is not broadband WAN IP address)
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access Router web page
Generated Log File: YazFi_DEBUG_2023-12-29_15-29-56.txt
-----------------------------------------------------------------------------

Click here for test four log file.

Test Four - Guest Network #2 2.4GHz - YazFi enabled Allow Internet Access No, Two Way to Guest Yes:
Note: WiFi client (smartphone) indicates no internet connection on WiFi. Guest Network #1 2.4GHz was disabled as was YazFi for Guest Network #1 2.4GHz.
WiFi Client: 192.168.3.134
LAN PC can ping WiFi Client
WiFi Client can access Internet (Brave browser - whatismyipaddress.com shows 174.242.xxx.xxx which is not broadband WAN IP address)
WiFi Client cannot ping LAN PC
WiFi Client cannot ping Router
WiFi Client cannot access Router web page
Generated Log File: YazFi_DEBUG_2023-12-29_15-51-45.txt
 
Thank you very much. I appreciate your taking the time to run all the tests & post the results. I reviewed the last 4 debug output files, and I continue to be puzzled as to why the YazFi 4.4.5 changes don't work in your specific routers. All the firewall rules and related NVRAM settings for 2-Way comms between Guest & LAN clients (e.g. intranet enabled & isolation disabled) appear to be correct, and I don't see anything else that would interfere with the Guest Network pinging/accessing LAN clients. Perhaps I'm looking in the wrong place, and there might be some other router setting(s) that somehow is/are affecting your tests.

One more data point.
Last evening we went to visit my brother, and he has an RT-AX86S router with YazFi installed (I helped him set it up from scratch when he bought the router) so after having dinner, I set up a temporary Guest Net #2 (192.168.133.0/24) for testing purposes. I took my Windows 10 laptop to run the tests pretty much exactly like my previous tests using the latest YazFi 4.4.5 test version and my brother's iPad as the YazFi Guest Network client.

Well, the tests were successful on the RT-AX86S as well:
- NO Internet Access + 2-Way to Guest YES
- The LAN PC can ping the iPad.
- The iPad can ping the LAN PC.
- The iPad can ping the router.
- The iPad can access a network share on the LAN PC.

So we have 2 routers where the latest YazFi 4.4.5 works fine and 2 others where it doesn't. FWIW, my brother's router webGUI settings are almost identical to mine since I took my configuration snapshots and duplicated the settings on his router. A few adjustments have been made since then, but I'd say the routers have about 85% to 90% the same webGUI settings.

Here are some screenshots taken when running the tests.

LAN PC (192.168.150.103) pinging the iPad (192.168.133.210)
--------------------------------------------------------------------
RT-AX86S_LANtoYazFi_2.4GHz_GuestNet2_Pings.jpg


YazFi Guest Net #2 as shown on the iPad
-----------------------------------------------
RT-AX86S_YazFi_2.4GHz_GuestNet2_ForTesting.png


Traceroute from iPad to LAN PC
-------------------------------------
RT-AX86S_YazFi_2.4GHz_GuestNet2_TraceRouteToLAN.png


iPad pinging the router
---------------------------
RT-AX86S_YazFi_2.4GHz_GuestNet2_PingsToRouter.png


iPad pinging the LAN PC
-----------------------------
RT-AX86S_YazFi_2.4GHz_GuestNet2_PingsToLAN.png
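
A repeatable version of the manual checks in the test notes above, as an added example that is not part of the original posts or of YazFi: run from a guest client, it probes LAN targets and lists where reachability differs from what "Allow Internet Access: No" plus "Two Way to Guest: Yes" gave on the RT-AX86S, and it classifies which uplink an "internet works" result really used. The addresses come from the RT-AC68U test notes; the TCP ports (80 for web pages, 445 for SMB), the function names and the sample public addresses are assumptions.

```python
import ipaddress
import socket

# Expected reachability with "Allow Internet Access: No" + "Two Way to Guest: Yes".
# Hosts are from the RT-AC68U test notes; ports are assumed (80 = web, 445 = SMB).
EXPECTED = {
    ("192.168.1.1", 80): True,     # router web page
    ("192.168.1.99", 80): True,    # NAS web page
    ("192.168.1.99", 445): True,   # NAS over SMB
    ("192.168.1.175", 445): True,  # share on the LAN PC
}


def tcp_probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(expected, probe=tcp_probe):
    """Probe each target; return (host, port, wanted, got) where they differ."""
    deviations = []
    for (host, port), want in sorted(expected.items()):
        got = probe(host, port)
        if got != want:
            deviations.append((host, port, want, got))
    return deviations


def egress_path(observed_public_ip, router_wan_ip):
    """Tell whether the public IP a website reports is the router's WAN IP.

    If it is not, the client reached the internet over another uplink
    (such as cellular data), so the result says nothing about the
    guest network's internet block.
    """
    seen = ipaddress.ip_address(observed_public_ip)
    wan = ipaddress.ip_address(router_wan_ip)
    return "router-wan" if seen == wan else "other-uplink"


if __name__ == "__main__":
    for host, port, want, got in audit(EXPECTED):
        print(f"{host}:{port} expected reachable={want}, observed reachable={got}")
    # Constructed documentation addresses, not values from the thread.
    print(egress_path("198.51.100.7", "203.0.113.10"))
```
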
 
Is the brother's router running any other add-on scripts or using AiMesh?

In my case, I am not using AiMesh and do not have any other scripts beyond YazFi DHCP and YazFi running on the RT-AX86U, and the RT-AC68U was hard factory reset numerous times and is only running YazFi. No USB drives attached. Trying to use custom scripts likewise didn't seem to work correctly for me or, it appears, for another person, as indicated on page 1.

This is a definite head scratcher of why it works on some routers but not others.
 
No AiMesh nodes at all. Single router + one TP-Link WiFi Range Extender placed near the garage for the door opener & 2 surveillance cameras on the far end of the house. Only YazFi & YazDHCP for add-ons. One USB 3.0 drive with Entware but no services are running from it (it's used only to have diagnostics & extra CLI tools available and store some of my custom personal scripts).

BTW, during the tests I did double-check that the iPad did not have internet access (going to YouTube or Amazon website failed - no cellular connection).

This is a real head-scratcher indeed.

In the meantime, enjoy your New Year's Eve.
 
