
Allowing intranet traffic for single host to guest wifi network

mikalcarbine

New Around Here
I have a guest 2.4 GHz Wi-Fi network that does not allow intranet access and I've placed all of my IoT devices into it. I'm setting up a Home Assistant which is connected directly to my RT-AX86U. Because of the intranet access restriction my Home Assistant can't see any of my local IoT devices (by design). I'm wondering what the best way would be to allow connectivity from the IoT network to my single Home Assistant host. Can YazFi help here or will this need to be done with iptables entries? Is anyone familiar enough with iptables to suggest where I should start?
 
Yes YazFi might be able to help. If you haven't done so already, use the forum search feature and search for Home Assistant. There are a number of discussions on trying to get communications from Guest Network (or Guest Network Pro) to the main LAN for Home Assistant with varying degrees of success.
https://www.snbforums.com/search/1530512/?q=home+assistant&o=relevance


And look at the various YazFi discussions on using YazFi custom firewall rules scripting to pass traffic from/to main LAN from/to Guest Network YazFi clients. For example see my post here:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521

For anyone using the Asus-Merlin 3006.102.x firmware, note that YazFi is not currently supported under the 3006 firmware.
 
One way would be to set up the Home Assistant on a device that has Ethernet and WIFI such as a Raspberry Pi. Use the Ethernet of the RPI to connect to the LAN and the WIFI to connect to the Guest WIFI. Set the HA to listen on both Ethernet and WIFI. I have done this with a RPI3b+ and it worked very well! No tricky network changes involved!
 
I couldn't for the life of me figure out the iptables entries with the built-in guest Wi-Fi/no intranet access. From what I could see it is using AP isolation to prevent intranet access and doesn't modify the iptables rules.

For any others who may find this in the future - I installed YazFi, disabled two-way and one-way guest traffic, enabled client isolation and then created firewall rules in a custom script that boots with YazFi as documented here: https://github.com/jackyaz/YazFi/blob/master/README.md#custom-firewall-rules

For my RT-AX86U my guest Wi-Fi interface was wl0.2. Here are the two entries I added to allow bi-directional traffic to my HA host.

iptables -I YazFiFORWARD -i wl0.2 -o br0 -d 192.168.1.99 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.2 -s 192.168.1.99 -j ACCEPT

It's working great like this. Clients on my guest network can't reach each other nor my private LAN but still have internet access. I'll probably make this rule more robust, limiting specific ports and services once I nail down all of my automation.
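As an added example (not code from the thread or from the YazFi project), here is the tightened version of the two rules that the last post says it plans to write: a POSIX sh script for YazFi's custom firewall rules hook that only lets guest clients open new connections to listed TCP ports on the HA host, lets HA open connections to the IoT devices, and lets reply traffic back through in both directions. The interface names, chain and host address are taken from the thread; the port list (8123 for HA's web UI, 1883 for an MQTT broker on the HA host) and the `IPT` override are assumptions, and the script's location is whatever the linked YazFi README specifies.

```shell
#!/bin/sh
# Added example for the thread above; not part of YazFi or the poster's setup.
GUEST_IF="${GUEST_IF:-wl0.2}"              # YazFi guest interface from the thread
LAN_IF="${LAN_IF:-br0}"                    # main LAN bridge
HA_HOST="${HA_HOST:-192.168.1.99}"         # Home Assistant host from the thread
HA_TCP_PORTS="${HA_TCP_PORTS:-8123 1883}"  # assumed: HA web UI and MQTT broker
IPT="${IPT:-iptables}"                     # overridable so rules can be reviewed without root

# Print one rule specification per line (iptables arguments without -I/-C).
build_rules() {
    # Replies to connections accepted below, in both directions
    echo "YazFiFORWARD -i $GUEST_IF -o $LAN_IF -d $HA_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "YazFiFORWARD -i $LAN_IF -o $GUEST_IF -s $HA_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Home Assistant may open new connections to any IoT device on the guest network
    echo "YazFiFORWARD -i $LAN_IF -o $GUEST_IF -s $HA_HOST -m state --state NEW -j ACCEPT"
    # IoT devices may only open new connections to the listed TCP ports on the HA host
    for p in $HA_TCP_PORTS; do
        echo "YazFiFORWARD -i $GUEST_IF -o $LAN_IF -d $HA_HOST -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Insert each rule only if it is not already present, so re-running the hook
# (YazFi re-applies rules on firewall restarts) does not stack duplicates.
apply_rules() {
    build_rules | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        $IPT -C $spec 2>/dev/null || $IPT -I $spec
    done
}

# Number of rules this configuration produces (3 fixed + one per port)
rule_count() { build_rules | wc -l | tr -d ' '; }

case "${1:-}" in
    apply) apply_rules ;;
    show)  build_rules ;;
esac
```

Run it with `show` to review the rule set before letting the hook run it with `apply`.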
 
