YazFi Blocking internet access for certain devices on YazFi guest network

JoppeA

New Around Here
Hi there,
I've been using YazFi for my IoT devices in the house, and have a question. I have a guest network that has internet access, but want to add 2 devices that do not need internet access but need to be accessed by my HomeKit hub on the primary WiFi network.
The first step I've been doing is to block internet access for these devices with some specific rules in /jffs/addons/YazFi.d/userscripts.d/myscript.sh
CHMOD is set to 755, and I clicked apply in YazFi settings. However the devices still seem able to access the internet. Any idea what might cause this?
The HomeKit hub is on Wi-Fi, so should it remain br0 or should I change it to eth6/eth7?

The current script I have is:
#!/bin/sh
iptables -I YazFiFORWARD -s 192.168.4.215 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -s 192.168.4.193 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.193 -j ACCEPT

The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app.

The YazFi network is set up to allow internet access in general, client isolation is on, and 1/2way to guest is disabled. I only want these specific two devices to not be able to access the internet but able to be accessed from my home WiFi.

Thanks
 

bennor

Very Senior Member
"The first lines are supposed to block WAN access, the other lines are there to allow access from the HomeKit hub to the devices, but this also does not seem to work unfortunately, as I cannot access the devices within the Home app."
See the following post, if you haven't already, in another thread which may have some suggestions:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
To allow a single main LAN client to access all YazFi Guests you may need to do something like this (adjusting for your setup).
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -j ACCEPT
Or to allow a specific main LAN client to access a specific YazFi Guest(s).
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -s 192.168.3.50 -d 192.168.1.100 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.100 -d 192.168.3.50 -j ACCEPT
Make sure to check the entries carefully to ensure the correct punctuation and IP addresses are used. You may need to use reserved/static IP addresses for your YazFi Clients as well. Example here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403
And here:
https://github.com/jackyaz/YazFi/wi...e-and-ARP-records#a-note-on-dhcp-reservations
 

JoppeA

New Around Here
Hi, thanks for your message. I indeed found those links and your earlier posts and tried to replicate the posted scripts (as shown in the start post), but for some reason I still cannot connect to the devices and they keep internet access, despite my changes. So what could I have done wrong? When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses.
 

bennor

Very Senior Member
"When comparing your lines with the one I use, it seems to be an exact copy, except for the exact IP addresses."
Your code looks somewhat different than the examples in my post. Maybe try the following to allow traffic between the main LAN IP address 192.168.50.24 and the two YazFi 2.4GHz Guest #3 IP addresses 192.168.4.215 and 192.168.4.193:
Code:
iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.215 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.3 -o br0 -s 192.168.4.193 -d 192.168.50.24 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT
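
A simplified model of how the rules discussed in this thread are evaluated, added here as an example and not code from any poster or from YazFi: it replays the first post's script with `-I` semantics (each rule is inserted at position 1, so the last line of the script is checked first) and reports which rule decides a packet. Assumptions: only exact `-i/-o/-s/-d` matches are modelled, YazFiREJECT is treated as a terminating reject, main LAN traffic is seen on br0, and the destination 203.0.113.10 and the interface name ppp0 are constructed sample values.

```python
import shlex

# Constructed input: the six rules from the first post, in script order.
SCRIPT = """\
iptables -I YazFiFORWARD -s 192.168.4.215 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -s 192.168.4.193 -o eth0 -j YazFiREJECT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.3 -s 192.168.50.24 -d 192.168.4.193 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.215 -j ACCEPT
iptables -I YazFiFORWARD -o br0 -i wl0.3 -d 192.168.50.24 -s 192.168.4.193 -j ACCEPT
"""
FIELDS = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst"}

def parse_rule(line):
    """Parse one 'iptables -I CHAIN <matches> -j TARGET' line into (match, target)."""
    tok = shlex.split(line)
    if tok[:2] != ["iptables", "-I"] or len(tok) % 2 == 0:
        raise ValueError("not modelled: " + line)
    match, target = {}, None
    for flag, value in zip(tok[3::2], tok[4::2]):
        if flag == "-j":
            target = value
        elif flag in FIELDS:
            match[FIELDS[flag]] = value
        else:
            raise ValueError("unsupported option: " + flag)
    return match, target

def load(script):
    """Replay the script: -I without a rule number inserts at the top of the chain."""
    chain = []
    for line in script.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            chain.insert(0, parse_rule(line))
    return chain

def verdict(chain, packet):
    """Return (position, target) of the first matching rule, or (None, 'RETURN')."""
    for pos, (match, target) in enumerate(chain, start=1):
        if all(packet.get(k) == v for k, v in match.items()):
            return pos, target
    return None, "RETURN"

if __name__ == "__main__":
    chain = load(SCRIPT)
    # Constructed packet: guest device 192.168.4.215 sending to an internet host.
    pkt = {"in": "wl0.3", "out": "eth0", "src": "192.168.4.215", "dst": "203.0.113.10"}
    print(verdict(chain, pkt))                    # WAN egress is eth0
    print(verdict(chain, dict(pkt, out="ppp0")))  # hypothetical: WAN egress is not eth0
```

In the model, a reject rule bound to `-o eth0` matches nothing when traffic leaves through a differently named interface and the packet falls through to the rest of the firewall. On the router, the per-rule packet counters from `iptables -nvL YazFiFORWARD --line-numbers` show whether a rule is loaded and being hit.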
 
