YazFi disable internet access?

[amoney]

Hi

I am trying to create a guest network that i will use for IOT devices and i would like to disable internet access. I see YazFi has support for providing custom firewall rules. So i think that is a possibility. I was wondering if there is any other easier method , if not I will get on googlFu and try to understand iptables rules .

 

[eibgrad]

I suppose you could just add Network Services Filters for TCP and UDP for that IOT IP network.

 

[amoney]

Nice. Learned something new today. Will set it up .

 

[amoney]

hmm cant seem to get it working. Did the following both for udp and tcp.

source ip: 192.168.4.0/24
destination port range: 1:65535

rebooted the router and the guest network still has access to internet.

 

[eibgrad]

No need to specify ports, esp. if you intend to cover them all.

 

[amoney]

No need to specify ports, esp. if you intend to cover them all.

thats what i had tried first and it did not work so i thought may be i needed to specify ports. Will give it another try without the ports.

Edit: I do have YazFi enabled if that makes any difference. Sorry should have mentioned this earlier.

 

[eibgrad]

I found the problem. Normally using the NSF (Network Service Filter) would work, but in the case of YazFi, it inserts its own FORWARDing rules ahead of the NSF, thus preempting it. You'll have to add your own firewall rules to the existing YazFi firewall-start script.

iptables -I FORWARD -s 192.168.4.0/24 -o "$1" -j REJECT

Add the above as the very last line.

 

[amoney]

Thanks. Curious if i can add the same in the custom user defined script or it has to go in the firewall start script for YazFi?

https://github.com/jackyaz/YazFi talks about custom firewall rules can be defined in /jffs/addons/YazFi.d/userscripts.d/myscript.sh

 

[eibgrad]

Thanks. Curious if i can add the same in the custom user defined script or it has to go in the firewall start script for YazFi?

https://github.com/jackyaz/YazFi talks about custom firewall rules can be defined in /jffs/addons/YazFi.d/userscripts.d/myscript.sh

I'm not an expert on YazFi. If it's suggesting you can add custom rules through its own mechanisms, go for it. But I'm NOT making that assumption. I'm just looking for whatever works.

 

[amoney]

Also when i run the command i get an error

iptables -I FORWARD -s 192.168.4.0/24 -o "$1" -j REJECT
iptables v1.4.15: Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.

on RT-AC88U: 386.3_2

 

[amoney]

I'm not an expert on YazFi. If it's suggesting you can add custom rules through its own mechanisms, go for it. But I'm NOT making that assumption. I'm just looking for whatever works.

Thanks will give both a shot and see what works.

 

[eibgrad]

Also when i run the command i get an error

iptables -I FORWARD -s 192.168.4.0/24 -o "$1" -j REJECT
iptables v1.4.15: Empty interface is likely to be undesired
Try `iptables -h' or 'iptables --help' for more information.

on RT-AC88U: 386.3_2

The command will NOT work unless it's part of the firewall-start script. "$1" is passed by the router to that script, which specifies the output network interface.

If you intend to use a different mechanism, then you need the following instead.

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -s 192.168.4.0/24 -o "$WAN_IF" -j REJECT

 

[amoney]

The command will NOT work unless it's part of the firewall-start script. "$1" is passed by the router to that script, which specifies the output network interface.

If you intend to use a different mechanism, then you need the following instead.

WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -I FORWARD -s 192.168.4.0/24 -o "$WAN_IF" -j REJECT

Thanks. I think i follow now. I can add the original command to

/jffs/scripts/firewall-start

afer YazFi is called. I will also try to use the YazFi custom script and see if i can get that to work.

 

[amoney]

I setup the following by looking at the existing YazFi firewall rules that were setup

arpit@RT-AC88U-BC40:/tmp/home/root# cat /jffs/addons/YazFi.d/userscripts.d/myscript.sh
#!/bin/sh
# disable internet access for subnet
iptables -I YazFiFORWARD -s 192.168.4.0/24 -o eth0 -j YazFiREJECT
arpit@RT-AC88U-BC40:/tmp/home/root#

 

[Jack Yaz]

I'm working on adding a disable internet setting to YazFi, it's over on the develop branch if you want to try it out

YazFi develop

 

[amoney]

I'm working on adding a disable internet setting to YazFi, it's over on the develop branch if you want to try it out

YazFi develop

nice. Do i just run YazFi master if i want to switch back to the GA release?

 

[Jack Yaz]

nice. Do i just run YazFi master if i want to switch back to the GA release?

yes, but it might cause some issues with the webui due to the new setting added in develop. I intend to release the develop version in the next few days, just waiting for payday to buy myself a new domain to tie-in with my adoption of Scarf gateway

 

[amoney]

I see. I will test out the develop version and then switch back to master when the new release happens. Will report back shortly.

Since i added iptables rules in a custom script would i need to reboot the router or will the existing rule get removed if just remove my user defined script?

 

[amoney]

Confirmed working as expected. Removed the user defined script, rebooted router, updated YazFi and selected allow internet to no.

See the following new rules in the YazFiFORWARD chain

0     0 DROP       all  --  tun1+  wl0.3   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 DROP       all  --  eth0   wl0.3   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 YazFiREJECT  all  --  wl0.3  tun1+   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 YazFiREJECT  all  --  wl0.3  eth0    0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */

 

[Jack Yaz]

Confirmed working as expected. Removed the user defined script, updated YazFi and selected allow internet to no.

See the following new rules in the YazFiFORWARD chain

0     0 DROP       all  --  tun1+  wl0.3   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 DROP       all  --  eth0   wl0.3   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 YazFiREJECT  all  --  wl0.3  tun1+   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */
    0     0 YazFiREJECT  all  --  wl0.3  eth0    0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 3 block internet */

great news! the rules block traffic to WAN and vpn clients, leaving LAN and VPN Server (if you use it) as allowed access methods