YazFi Blocking internet access for certain devices on YazFi guest network

JoppeA · Feb 21, 2023

Hi there,
I've been using YazFi for my IOT devices in the house, and have a question. I have a guest network that has internet access, but want to add 2 devices that do not need internet access but need to be accessed by my Homekit hub on the primary WiFi network.
The first step I've been doing is to block internet access for these devices with some specific rules in /jffs/addons/YazFi.d/userscripts.d/myscript.sh
CHMOD is set to 755, and I clicked apply in YazFi settings. However the devices still seem able to access the internet. Any idea what might cause this?
The HomeKit hub is on Wi-Fi, so should it remain br0 or should I change it to eth6/eth7?

The current script I have is:
#!/bin/sh
iptables -I YazFiFORWARD -s 192.168.4.215 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -s 192.168.4.193 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.193 -j ACCEPT

The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app.

The YazFi network is setup to allow internet access in general, client isolation is on, and 1/2way to guest is disabled. I only want these specific two devices to not be able to access the internet but able to be accessed from my home WiFi.

Thanks

bennor · Feb 21, 2023

JoppeA said:
The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app.

See the following post, if you haven't already, in another thread which may have some suggestions:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
To allow a single main LAN client to access to all YazFi Guests you may need to do something like this (adjusting for your setup).

Code:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -j ACCEPT

Or to allow a specific main LAN client to access a specific YazFi Guest(s).

Code:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -s 192.168.3.50 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -d 192.168.3.50 -j ACCEPT

Make sure to check the entries carefully to ensure the correct punctuation and IP addresses are used. You may need to use reserved/static IP addresses for your YazFi Clients as well. Example here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403
And here:
https://github.com/jackyaz/YazFi/wi...e-and-ARP-records#a-note-on-dhcp-reservations

JoppeA · Feb 21, 2023

Hi, thanks for your message. I indeed found those links and your earlier posts and tried to replicate the posted scripts (as shown in the startpost), but for some reason I still cannot connect to the devices and they keep internet access, despite my changes. So what could I have done wrong? When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses.

bennor · Feb 21, 2023

JoppeA said:
When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses.

Your code looks somewhat different than the examples in my post. Maybe try the following to allow traffic between the main LAN IP address 192.168.50.24 and the two YazFi 2.4Ghz Guest #3 IP addresses 192.168.4.215 and 192.168.4.193:

Code:

iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.215 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.193 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT

Thread starter	Title	Forum	Replies	Date
Q	Blocking internet access for devices with randomized mac address	Asuswrt-Merlin AddOns	18	Jan 1, 2023
B	How to disable skynet http/https blocking?	Asuswrt-Merlin AddOns	2	Apr 11, 2023
C	Diversion Multiple Dnsmasq IP's for alternate blocking list / Excluding devices causing issues	Asuswrt-Merlin AddOns	2	Mar 24, 2023
	Diversion blocking ads, my PC still sees them	Asuswrt-Merlin AddOns	3	Feb 10, 2023
	Solved Diversion + Skynet not blocking ads on iOS 16.1.2 & 16.2 Safari	Asuswrt-Merlin AddOns	9	Jan 31, 2023
	Diversion Diversion (not) blocking local domains	Asuswrt-Merlin AddOns	1	Jan 26, 2023
A	Skynet Looking for details on the Skynet settings that are off by default (fast switching/IOT blocking) and why	Asuswrt-Merlin AddOns	2	Jan 23, 2023
N	Blocking the Google signin popup?	Asuswrt-Merlin AddOns	15	Dec 26, 2022
	Diversion Diversion v other ad blocking options	Asuswrt-Merlin AddOns	4	Nov 20, 2022
	Skynet device blocking	Asuswrt-Merlin AddOns	6	Nov 7, 2022

Search

Search

YazFi Blocking internet access for certain devices on YazFi guest network

JoppeA

New Around Here

bennor

Very Senior Member

JoppeA

New Around Here

bennor

Very Senior Member

Similar threads

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Staff online

Members online