So my current plan is to not use a guest network, and have DHCP reservations for my IoT devices so they always get the same IP. I am doing some preliminary testing with iptables and I'm having no luck.
Just to test if I could use iptables to block a client from accessing other devices on the LAN, I assigned my Mac an IP of 192.168.50.199.
I SSH'd into the router and issued the following command:
Code:
iptables -I FORWARD -s 192.168.50.199 -d 192.168.50.0/24 -j DROP
This should drop packets from my Mac when I ping other devices on the LAN.
I ran iptables -L -n:
Code:
jorg@RT-AX88U-F610:/tmp/home/root# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
PTCSRVWAN  all  --  0.0.0.0/0            0.0.0.0/0
PTCSRVLAN  all  --  0.0.0.0/0            0.0.0.0/0
logdrop    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
INPUT_ICMP  icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
DROP       all  --  0.0.0.0/0            0.0.0.0/0
WGSI       all  --  0.0.0.0/0            0.0.0.0/0
WGCI       all  --  0.0.0.0/0            0.0.0.0/0
OVPNSI     all  --  0.0.0.0/0            0.0.0.0/0
OVPNCI     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.50.199       192.168.50.0/24
IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
WGSF       all  --  0.0.0.0/0            0.0.0.0/0
OVPNSF     all  --  0.0.0.0/0            0.0.0.0/0
WGNPControls  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
SECURITY   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
DNSFILTER_DOT  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:853
WGCF       all  --  0.0.0.0/0            0.0.0.0/0
OVPNCF     all  --  0.0.0.0/0            0.0.0.0/0
VPNCF      all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_DNS  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_DNS  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_IP  all  --  0.0.0.0/0            0.0.0.0/0
You can see the first rule in the FORWARD chain should drop all packets from 192.168.50.199 to other clients on 192.168.50.0/24.
If I ping a device from the Mac, I still get replies.
Code:
% ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether b8:f6:b1:17:67:2b
        inet 192.168.50.199 netmask 0xffffff00 broadcast 192.168.50.255
        media: autoselect
        status: active
        
~ % ping 192.168.50.3
PING 192.168.50.3 (192.168.50.3): 56 data bytes
64 bytes from 192.168.50.3: icmp_seq=0 ttl=64 time=3.637 ms
64 bytes from 192.168.50.3: icmp_seq=1 ttl=64 time=4.444 ms
64 bytes from 192.168.50.3: icmp_seq=2 ttl=64 time=3.726 ms
^C
--- 192.168.50.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.637/3.936/4.444/0.361 ms
I tried restarting Skynet but that just overwrites the rules. If I can figure out how to get the rules even working I will try my hand at adding them to a script to make them persistent.
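The following is an added example, not code from the post above or from the Asuswrt-Merlin project. It shows the shape a persistent rule script for the router would take, and it also covers the check a practitioner would run first: two hosts on the same 192.168.50.0/24 behind br0 are bridged at layer 2, not routed, so their traffic only enters the iptables FORWARD chain when bridge-nf-call-iptables is enabled. Ping replies arriving while the DROP rule's packet counter stays at 0 is the tell; an ebtables rule on the bridge is the layer that does see those frames (for traffic the CPU bridges, which on a consumer router means Wi-Fi clients rather than wired-to-wired traffic handled inside the switch chip). The script is written as /jffs/scripts/firewall-start, the Merlin hook that runs after the firmware rebuilds the firewall; the names CLIENT_IP, LAN_NET, apply_isolation, show_counters and the IPT/EBT overrides are this example's own assumptions, and the client address and subnet are simply the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent
# /jffs/scripts/firewall-start for Asuswrt-Merlin that isolates one client
# from the rest of the LAN. Assumptions (this example's, not the page's):
# the client is 192.168.50.199, the LAN is 192.168.50.0/24 behind br0, and
# iptables/ebtables are on the router. IPT/EBT can be overridden so the
# functions can be exercised against a mock command off the router.

CLIENT_IP="${CLIENT_IP:-192.168.50.199}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
IPT="${IPT:-iptables}"
EBT="${EBT:-ebtables}"

# Rule specs shared by the insert and the existence check, so the two can
# never drift apart. The ebtables rule matches on the bridged frame's IPv4
# header rather than on a routed packet.
l3_rule() { echo "-s $CLIENT_IP -d $LAN_NET -j DROP"; }
l2_rule() { echo "-p IPv4 --ip-src $CLIENT_IP --ip-dst $LAN_NET -j DROP"; }

# iptables -C exits 0 when an identical rule already exists, so re-running
# this script (firewall restarts, Skynet reloads) never stacks duplicates.
# Insert at position 1 so no earlier ACCEPT in FORWARD short-circuits it.
ipt_insert_once() {
    chain="$1"
    spec="$2"
    # $spec is deliberately unquoted: it must be split into separate args.
    if ! "$IPT" -C "$chain" $spec 2>/dev/null; then
        "$IPT" -I "$chain" 1 $spec
    fi
}

# ebtables has no -C. It lists rules in the same option syntax it accepts,
# so a fixed-string match of the spec against the listing is the check.
ebt_insert_once() {
    chain="$1"
    spec="$2"
    if ! "$EBT" -L "$chain" 2>/dev/null | grep -qF -- "$spec"; then
        "$EBT" -I "$chain" 1 $spec
    fi
}

apply_isolation() {
    ipt_insert_once FORWARD "$(l3_rule)"
    ebt_insert_once FORWARD "$(l2_rule)"
}

# Print each rule with its packet counter. A counter that stays at 0 while
# pings from the client still get replies proves the traffic is not
# traversing that chain at all.
show_counters() {
    "$IPT" -L FORWARD -v -n --line-numbers | grep -F -- "$CLIENT_IP"
    "$EBT" -L FORWARD --Lc | grep -F -- "$CLIENT_IP"
}

# Only act when actually running on the router (Merlin's /jffs/scripts
# exists there); "status" is this script's own argument for manual checks.
if [ -d /jffs/scripts ]; then
    case "${1:-}" in
        status) show_counters ;;
        *)      apply_isolation ;;
    esac
fi
```

On the router the script needs "Enable JFFS custom scripts and configs" turned on and the file made executable; run it once by hand and then compare `iptables -L FORWARD -v -n --line-numbers` before and after a ping from the client. If the iptables counter never moves while the ebtables one does, the pings were bridged frames that the FORWARD chain was never going to see, which is why a correct-looking rule at position 1 had no effect.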