YazFi Guest Network for WiFi Smart Home Devices

Hi all, Happy New Year!

Making a guest WiFi network for smart devices (Hue lights, Alexa, Google Home etc).

Should I enable/disable any of two way to guest, one way to guest or client isolation? I'm not 100% sure I truly understand what they mean.

Thanks.
 
May depend on the specific IoT device, what features you use on it, and if you need local main LAN network clients to access the YazFi guest WiFi network clients. For example, if you have multiple Amazon Echo (Alexa) devices in the home certain features (if I remember right the multi-room speaker/music feature) do not work if the devices cannot communicate with each other.

See the GitHub for YazFi to see the YazFi explanation of what each of its options/settings means. Or mouse over each of the options in the YazFi GUI and click on the text name when you see a "?":

wl01_TWOWAYTOGUEST

Should LAN/Guest Network traffic have unrestricted access to each other? (true/false) Cannot be enabled if _ONEWAYTOGUEST is enabled

wl01_ONEWAYTOGUEST

Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? (true/false) Cannot be enabled if _TWOWAYTOGUEST is enabled

wl01_CLIENTISOLATION

Should Guest Network radio prevent clients from talking to each other? (true/false)

Personally, I have two way to guest and one way to guest set to No. And Client Isolation set to Yes. No general issues with WiFi smart plugs, WiFi cameras, WiFi smart bulbs, and several Amazon Echo devices. My main LAN mobile devices can control/access those devices without issue. But as indicated above it depends on the features you use with certain devices. I normally don't use the Amazon Echo multi room speaker option. If I want to, it's a simple matter to set Client Isolation to No so I can group the Amazon Echo devices in multi room music mode in the Amazon Alexa app.
 
Hi,

I don't have multiple of the same devices just one Alexa and one Google Home Hub (due to some services only work on Alexa some Google so one of each).

I guess they will need to talk to each other as asking Google/Alexa to turn on Lights needs to allow Google to talk to Hue and so on? I don't use no multi room as well. Ideally my iPhone, iPad on the Main WiFi network talk to the Guest Network (named Smart Home) but not other way round (Smart Home read my Main WiFi)?

I did see the GitHub and hovered over the fields but admittedly confused me more! lol.
 
Again, depends on the devices and their features/functions. If you are really worried about it, just test them with each of those three settings enabled then disabled in your environment and usage. In my case with close to a dozen IoT WiFi devices, the following settings work fine for more than a year. All the WiFi smart devices (bulbs, plugs and cameras) work fine with no issues.


I personally wanted to avoid having certain smart devices "talk" to each other or see other devices on the same local network. The specific traffic that turns them on/off or streams video generally travels to/from the smart device to the internet, not within the local network to a specific device. One can do even more like assign static IP addresses and use Pi Hole with YazFi guest clients. See this YazFi link and my post here on static IP's for more.
 
RT-AC66_B1, Merlin 386.4, with YazFi, Diversion, and Unbound.

I have the first 2.4 guest network with a different IP range than the router. The network is only for guests, and using force DNS, one-way to guest, and client isolation all set to yes. From the home lan I do not get a ping from the guest device(s). Good.

The second 2.4 guest network I have is for 2.4 GHz only IoT devices. The network is also on a different IP address, using force DNS, one-way to guest to yes, and client isolation set to no. From the home lan I can ping and receive a reply from these devices. Not the result desired.

The first 5GHz guest network is for IoT devices supporting 5GHz. The network is also on a different IP address, using force DNS, one-way to guest to yes, and client isolation set to no. From the home lan I can ping and receive a reply from these devices. Not the result desired.

Am I setting this up correctly? Would like the IoT guest networks not able to talk back to the home lan.

Edit: Or is it working correctly since the ping command is an ICMP echo request?
 
one way means LAN can initiate connections to guest and guest can reply
try starting a new ping from the guest to LAN, should fail
 
Guest network(s) to Lan does fail. Thank you for providing this great capability.
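
Added example (not part of the original thread and not YazFi's own firewall code): a simplified Python model of the three options as described above, showing why a LAN-initiated ping gets its reply under one-way-to-guest while a new ping started from the guest side is dropped. The `GuestPolicy` class, host names and flow IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class GuestPolicy:
    """Toy model of the three options; not YazFi's real iptables rules."""
    two_way_to_guest: bool = False
    one_way_to_guest: bool = False
    client_isolation: bool = True
    flows: set = field(default_factory=set)  # stand-in for connection tracking

    def __post_init__(self):
        # The option text says these two cannot be enabled together.
        if self.two_way_to_guest and self.one_way_to_guest:
            raise ValueError("TWOWAYTOGUEST and ONEWAYTOGUEST are mutually exclusive")

    def new_allowed(self, src_zone, dst_zone):
        """May src_zone open a NEW connection to dst_zone?"""
        if src_zone == "guest" and dst_zone == "guest":
            return not self.client_isolation  # enforced at the radio in practice
        if src_zone == "lan" and dst_zone == "guest":
            return self.two_way_to_guest or self.one_way_to_guest
        if src_zone == "guest" and dst_zone == "lan":
            return self.two_way_to_guest
        return True  # lan -> lan is not governed by the guest options

    def send(self, src, dst, flow_id):
        """src/dst are (zone, host) tuples. Returns True if the packet passes."""
        # Packets of an already tracked flow pass in both directions.
        if (src, dst, flow_id) in self.flows or (dst, src, flow_id) in self.flows:
            return True
        if self.new_allowed(src[0], dst[0]):
            self.flows.add((src, dst, flow_id))
            return True
        return False


def ping(policy, src, dst, flow_id):
    """The echo request must pass, then the echo reply must pass back."""
    return policy.send(src, dst, flow_id) and policy.send(dst, src, flow_id)


# Constructed sample hosts.
PHONE = ("lan", "phone")
PLUG = ("guest", "smart-plug")
CAMERA = ("guest", "camera")
```

With `one_way_to_guest=True`, `ping(policy, PHONE, PLUG, 1)` succeeds because the reply belongs to a flow the LAN side opened, while `ping(policy, PLUG, PHONE, 2)` fails because the guest is trying to open a new flow.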
 
Thanks. For me it's Philips Hue (3x GU10s), 1x Nest Hub, Nest Learning Thermostat and casting to TV (Nest Hub to TV for CCTV).

Bummer however, I forgot Hue is wired and not WiFi so can't move the bridge to my Guest WiFi. It seems when using Guest WiFi my iPhone can't talk to Nest Hub it claims "it's on a different network" is it not possible to link all WIFI's together? As it's same network just different bands? Or would this mean 1 single network of 2.4 + 5.0 combined no guests?

I wanted all the smart devices to talk to each other (so X can control Y) - example Nest Hub can talk to Hue to control the lights but not talk to my main network (like PCs) but my PC/iPhone can talk to Hue - but seems it's not working that way especially as Hue Bridge is on the network wired not Guest WiFi. Philips need a WiFi v2 bridge!
 
That (maybe) can be done. Just disable/turn off Client Isolation in YazFi. Then see the YazFi GitHub page and look at custom firewall rules information near the bottom of the page: https://github.com/jackyaz/YazFi#custom-firewall-rules

You can set a single firewall rule to open traffic to a single IP address on the main LAN so YazFi Guest clients can communicate to a specific LAN IP client.
 
Thanks, I'll give that a try. Should two way/one way be enabled/disabled along side client isolation disabled?

I'll have a read up on custom firewalls on the GitHub now.
 
Depends on if you need other main LAN clients to communicate with YazFi guest clients.

But keep in mind that if you end up wanting all the LAN clients to talk with the YazFi clients it sort of defeats one of the purposes of YazFi and it may be better at that point to just put the YazFi clients back on the main WiFi LAN. One of the main features/reasons of Guest WiFi networks is to isolate specific WiFi clients from having main LAN client/network access.

You will likely have to do some experimenting and trial and error before getting things to work the way you want it to work.
 