YazFi default Guest Network tab > Access Intranet > Enable

Chuckles67

Regular Contributor
After installing YazFi the Guest Network has two tabs: Guest Network and YazFi.

Before installing YazFi the Guest Network tab showed Access Intranet as Disable.

After installing YazFi the same Guest Network tab shows Access Intranet as Enable - though I did not change this setting in this tab (nor did I enable Two-way to Guest in YazFi tab). I want guest network clients to have no access to intranet. Is this expected UI after installing YazFi?

(apologies if this was already posted: I couldn't find it)
 

[Attachment: enable.jpg]

> After installing YazFi the same Guest Network tab shows Access Intranet as Enable - though I did not change this setting in this tab (nor did I enable Two-way to Guest in YazFi tab). I want guest network clients to have no access to intranet. Is this expected UI after installing YazFi?
>
> (apologies if this was already posted: I couldn't find it)

Expected behavior. See this post by the developer:
https://www.snbforums.com/threads/yazfi-v4-x.70308/page-23#post-737244

> Is YazFI the reason why access intranet keeps getting enabled? I have 2 and 1 way to guest disabled in YazFi but on the main guest settings it keeps enabling intranet access.
>
> Yes. Asus makes some changes that conflict if access intranet is disabled; YazFi installs its own rules that achieve the same.
 
Thank you for the reply and link.
 
So what's the point then?

If access intranet cannot be disabled doesn't that defeat the purpose of segmenting devices in their own subnet? The whole idea is to separate MAIN and guest networks.

In my situation I have YAZ configured as follows and Intranet cannot be disabled at all.

[Attachment: Screenshot 2023-09-08 at 12.28.57.png]
 
> So what's the point then?
>
> If access intranet cannot be disabled doesn't that defeat the purpose of segmenting devices in their own subnet?
See the quote from Jack Yaz above. The YazFi code accomplishes the same thing. It blocks most intranet access by default. It has options on the YazFi GUI page to open up access (one way or two way) from those intranet clients. One can use scripting to open up other intranet access via the custom firewall rules (see this link and this link).
 
Using YazFi with the access intranet enabled is normal. Check your list of connected devices: none on the guest network show. Run a port scan on your network: nothing other than normal network devices will show. If there's a pingable device on the guest network, try pinging its IP from the normal network - doesn't work. As the normal network cannot "see" guest devices, we assume it's the same the other way around. Connect your mobile to the guest network and ping your PC - nothing.
YazFi provides the isolation, as certain services on the router are still needed (thinking DNS etc.).
 
> So what's the point then?
>
> If access intranet cannot be disabled doesn't that defeat the purpose of segmenting devices in their own subnet? The whole idea is to separate MAIN and guest networks.
>
> In my situation I have YAZ configured as follows and Intranet cannot be disabled at all.

Here is an analogy for you:

Take a hose and put a shut-off valve on the end. That is stock guest: it is on or off. Now attach a multi-pattern sprayer to the hose. You have to have the shut-off valve open in order to use that fancy multi-pattern sprayer (which also has its own shut-off valve).
 
> Using YazFi with the access intranet enabled is normal. Check your list of connected devices: none on the guest network show. Run a port scan on your network: nothing other than normal network devices will show. If there's a pingable device on the guest network, try pinging its IP from the normal network - doesn't work. As the normal network cannot "see" guest devices, we assume it's the same the other way around. Connect your mobile to the guest network and ping your PC - nothing.
> YazFi provides the isolation, as certain services on the router are still needed (thinking DNS etc.).

Ok this makes sense thank you.

Just one part doesn't:

> As the normal network cannot "see" guest devices, we assume it's the same the other way around.

I have ONE WAY TO GUEST enabled. Doesn't that mean a LAN device (MacBook) should be able to ping a device (Alexa device) on the network that has the ONE WAY TO GUEST enabled? It should, right? But when I ping an ALEXA device or indeed any device in the guest network I get zero response. What does that mean?
 
> Ok this makes sense thank you.
>
> Just one part doesn't:
>
> I have ONE WAY TO GUEST enabled. Doesn't that mean a LAN device (MacBook) should be able to ping a device (Alexa device) on the network that has the ONE WAY TO GUEST enabled? It should, right? But when I ping an ALEXA device or indeed any device in the guest network I get zero response. What does that mean?

Probably means you have client isolation enabled on the guest so the ARP request fails. I'm not a yazfi expert but I don't think he's doing any workaround to maintain a static ARP list, so you would need to disable client isolation for either "one way" or "two way" to work. Or put static ARP entries on your devices. On an IOT network you would want it disabled anyway since those devices usually need to be able to talk to each other (client isolation blocks that).
 
> Screenshot above shows CLIENT ISOLATION is not enabled i.e. set to NO.

Are you pinging hostname or IP?

Macs are jerks about DNS, often wanting to use their own mDNS over standard DNS. Try pinging the IP of the devices if you haven't tried that already. If that works then you need to set a domain name in the Asus and ping client.domain to bypass the Mac's default behavior.

Or it is possible that with all your attempts to turn the main guest access intranet off, something has gotten stuck or corrupted and you may need to reset and start over. Deleting the guest and re-creating it may be enough, or a full reset may be in order.

The only other thing I can think of is that standard ICMP ping uses two different packet types, echo and echo reply. It is possible the firewall rules created with "one way", which just allow established traffic to respond, maybe aren't recognizing echo reply. You can try a TCP-based ping, though not sure if Amazon devices recognize that. I would certainly think at this point iptables would be smart enough to count echo reply as "established" but who knows. Does it work if you change it to "two way"?

I'd have a thorough read of the documentation and @Jack Yaz's posts to get more familiar with yazfi.
 
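The posts above describe "one way to guest" as LAN being able to open connections to guest devices while guest devices can only answer, "two way" as either side opening connections, and custom firewall rules as a way to allow one specific LAN host to reach one specific guest host. The following is an added example, not YazFi's code or the router's rules: it simulates a conntrack-backed FORWARD chain with those three policies, including the echo / echo-reply question raised above (a reply is accepted only when it matches a flow the allowed side opened, which is how the ESTABLISHED,RELATED match behaves). The subnets 192.168.50.0/24 and 192.168.51.0/24, the addresses and the packets are all constructed for the demo. It models layer-3 forwarding only; client isolation and ARP, mentioned earlier in the thread, are layer-2 and outside this model.

```python
# Added example (not YazFi's code): a small simulation of the stateful
# FORWARD policy the thread calls "one way to guest" / "two way to guest".
# Subnets, addresses and packets below are constructed for the demo.
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.50.0/24")    # assumed main LAN
GUEST = ipaddress.ip_network("192.168.51.0/24")  # assumed YazFi guest subnet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "icmp", "tcp" or "udp"
    kind: str = ""    # icmp: "echo" / "echo-reply"; tcp: "syn" / "ack"
    ident: int = 0    # icmp id, or a stand-in for the port pair


class StatefulForward:
    """Models a conntrack-backed FORWARD chain between LAN and guest.

    mode "off":     neither side may open a flow to the other
    mode "one-way": LAN may open flows to guest; guest only answers
    mode "two-way": either side may open flows
    pair_allow:     extra (lan_ip, guest_ip) pairs allowed regardless of mode,
                    like a custom firewall rule for one LAN host and one guest host
    """

    def __init__(self, mode, pair_allow=()):
        if mode not in ("off", "one-way", "two-way"):
            raise ValueError(mode)
        self.mode = mode
        self.pair_allow = set(pair_allow)
        self.flows = set()   # (initiator, responder, proto, ident) seen so far

    @staticmethod
    def _side(ip):
        addr = ipaddress.ip_address(ip)
        if addr in LAN:
            return "lan"
        if addr in GUEST:
            return "guest"
        return "other"

    def _is_reply(self, pkt):
        # conntrack matches a reply by reversed addresses and the same
        # identifier; for ICMP, echo-reply pairs with the echo of the same id
        key = (pkt.dst, pkt.src, pkt.proto, pkt.ident)
        if pkt.proto == "icmp":
            return pkt.kind == "echo-reply" and key in self.flows
        return key in self.flows

    def forward(self, pkt):
        """Return the verdict for one forwarded packet: ACCEPT or DROP."""
        sides = {self._side(pkt.src), self._side(pkt.dst)}
        if sides != {"lan", "guest"}:
            return "NOT-LAN-GUEST"   # this chain only judges LAN<->guest traffic
        if self._is_reply(pkt):
            return "ACCEPT"          # the ESTABLISHED,RELATED rule
        if self._side(pkt.src) == "lan":
            allowed = self.mode != "off" or (pkt.src, pkt.dst) in self.pair_allow
        else:
            allowed = self.mode == "two-way" or (pkt.dst, pkt.src) in self.pair_allow
        if not allowed:
            return "DROP"
        self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.ident))
        return "ACCEPT"


def ping_one_way_demo():
    """LAN pings guest under one-way: the echo goes out and the reply comes
    back, but a guest-initiated echo is dropped. Returns the three verdicts."""
    fw = StatefulForward("one-way")
    lan, guest = "192.168.50.10", "192.168.51.20"
    return (
        fw.forward(Packet(lan, guest, "icmp", "echo", 7)),
        fw.forward(Packet(guest, lan, "icmp", "echo-reply", 7)),
        fw.forward(Packet(guest, lan, "icmp", "echo", 9)),
    )


if __name__ == "__main__":
    print(ping_one_way_demo())   # ('ACCEPT', 'ACCEPT', 'DROP')
```

Run it as a script to see the one-way ping exchange; the `pair_allow` option shows the shape of the "specific IP to specific IP" rule discussed later in the thread, with everything else from the guest side still dropped.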
Copy. I will try.

Ok I have one for you.

I have my MACBOOK and PHONE in the MAIN LAN and I have my TV connected to the DEVICES_5G SSID via YAZFI.

I can no longer mirror/airplay from the macbook to the TV and/or cast from YouTube to the TV.

The thing that baffles me is ONE WAY TO GUEST is enabled on the DEVICES_5G guest network, which in theory means any devices on the MAIN LAN should be able to connect to the TV in the Guest Network. Am I wrong in this assumption?

Possible to connect specific MAIN LAN devices to TV only?
 
> However, even better would be to connect specific MAIN LAN devices to TV only. Possible?

Yes, possible. As previously mentioned, one can use custom scripting to open up other intranet access via the custom firewall rules. See this link and see my post at this link where I talk about using custom scripting to allow access between specific IP addresses (main LAN and YazFi Guest). It might require some experimenting (like setting one way and two way to guest to off) to get it to work, though, if my example code doesn't work properly.
 
> Copy. I will try.
>
> Ok I have one for you.
>
> I have my MACBOOK and PHONE in the MAIN LAN and I have my TV connected to the DEVICES_5G SSID via YAZFI.
>
> I can no longer mirror/airplay from the macbook to the TV and/or cast from YouTube to the TV.
>
> The thing that baffles me is ONE WAY TO GUEST is enabled on the DEVICES_5G guest network, which in theory means any devices on the MAIN LAN should be able to connect to the TV in the Guest Network. Am I wrong in this assumption?
>
> Possible to connect specific MAIN LAN devices to TV only?

That is because AirPlay requires mDNS to function. mDNS does not cross subnets without a "helper". The helper can be configured using a script in the router (cannot be done via the GUI); however, that is no guarantee: AirPlay may require the same SSID or subnet even with the mDNS helper. I'm not sure, as I don't use Apple.

The easier solution is to keep the guest SSID saved in your laptop and phone and just switch to it when you want to mirror. That's what I do (using Android mirroring, not Apple).
 
> Yes, possible. As previously mentioned, one can use custom scripting to open up other intranet access via the custom firewall rules. See this link and see my post at this link where I talk about using custom scripting to allow access between specific IP addresses (main LAN and YazFi Guest). It might require some experimenting (like setting one way and two way to guest to off) to get it to work, though, if my example code doesn't work properly.

They already have the firewall rules in place by allowing one-way to guest. The issue is mDNS won't cross a router without a helper, which has to be done via a script. Not even sure if that will be enough, depends on whether airplay has the functionality to work across subnets/SSIDs (even with mDNS helper).
 
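The two replies above make the point that even with one-way forwarding in place, AirPlay and similar casting fails because discovery runs over mDNS, which does not cross subnets without a helper. To make that concrete, here is an added example (not code from the thread, from YazFi or from the router firmware) that builds and parses the DNS-SD PTR query a client sends to find such a service, and shows why a router never forwards it: the query goes to 224.0.0.251:5353, and 224.0.0.0/24 is the local network control block that is only ever delivered on the local link. The service names `_airplay._tcp.local` and `_googlecast._tcp.local` are the standard DNS-SD types for AirPlay and Chromecast; the packets are constructed in memory and nothing is sent.

```python
# Added example (not YazFi's or the router's code): build and parse the
# mDNS service-discovery query that AirPlay / Cast style clients send.
# Everything is constructed for the demo; no packets are sent.
import struct

MDNS_GROUP = "224.0.0.251"  # IPv4 mDNS multicast group (RFC 6762)
MDNS_PORT = 5353
QTYPE_PTR = 12
QCLASS_IN = 1
QU_BIT = 0x8000             # "unicast response requested" flag in the class field

AIRPLAY_SERVICE = "_airplay._tcp.local"
CAST_SERVICE = "_googlecast._tcp.local"


def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_ptr_query(service, unicast_response=False):
    """One-question mDNS PTR query. mDNS uses transaction id 0 and flags 0."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = QCLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(buf, off):
    """Read a name at offset, following compression pointers. Returns (name, next_off)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:                      # 2-byte pointer into the packet
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            head = ".".join(labels)
            return ((head + "." + tail) if head else tail), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_questions(buf):
    """Return [(name, qtype, qclass, unicast_response_bit), ...] from the question section."""
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = decode_name(buf, off)
        qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass & 0x7FFF, bool(qclass & QU_BIT)))
    return questions


def is_link_local_multicast(addr):
    """224.0.0.0/24 is the local network control block: routers never forward it,
    which is why a discovery query on the guest subnet is not seen on the LAN."""
    a, b, c, _ = (int(x) for x in addr.split("."))
    return (a, b, c) == (224, 0, 0)


if __name__ == "__main__":
    q = build_ptr_query(AIRPLAY_SERVICE)
    print(q.hex())
    print(parse_questions(q), is_link_local_multicast(MDNS_GROUP))
```

A helper script on the router has to receive these queries on one interface and re-emit them on the other (and do the same for the answers); the forwarding policy never sees them because they are not routed in the first place, which is why opening "one way to guest" alone does not restore casting.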
So easiest way was to connect a MAIN WLAN device to the YAZFI GUEST SSID the TV is connected to and have client isolation set to no. Don't like the method but it works.
 
> They already have the firewall rules in place by allowing one-way to guest. The issue is mDNS won't cross a router without a helper, which has to be done via a script. Not even sure if that will be enough, depends on whether airplay has the functionality to work across subnets/SSIDs (even with mDNS helper).

Ignore the apple device and mirroring.

Why does the same issue exist for an android phone where it fails to cast a YouTube video from-phone-to-TV given that one way to guest for the guest network is set to yes? Doesn't make sense.
 
> Ignore the apple device and mirroring.
>
> Why does the same issue exist for an android phone where it fails to cast a YouTube video from-phone-to-TV given that one way to guest for the guest network is set to yes? Doesn't make sense.

Depends on which casting technology it uses, it may also rely on mDNS for discovery, or it may use multicast for the stream.

Guest networks were designed to be for guests, and yazfi added some additional options to address some limitations, but IOT and streaming is a whole other ballgame, often you are going to need to do scripts, firewall rules, etc to get it to work.

Or, like I said, easiest solution and the one I use is to just save the guest network and jump on it when you want to cast, all it takes is a couple taps on your phone or a couple clicks on the PC.
 