YazFi Guest Network with YazFi assigning LAN IPs, not the IPs of my guest settings.

So my current plan is to not use a guest network, and have DHCP reservations for my IoT devices so they always get the same IP. I am doing some preliminary testing with iptables and I'm having no luck.

Just to test if I could use iptables to block a client from accessing other devices on the LAN, I assigned my Mac an IP of

I SSH'd into the router and issued the following command:

iptables -I FORWARD -s -d -j DROP

This should drop packets from my Mac when I ping other devices on the LAN.

I ran #iptables -L -n

jorg@RT-AX88U-F610:/tmp/home/root# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --              icmptype 8
ACCEPT     all  --              state RELATED,ESTABLISHED
logdrop    all  --              state INVALID
PTCSRVWAN  all  --  
PTCSRVLAN  all  --  
logdrop    tcp  --              tcp dpt:5152
ACCEPT     all  --              state NEW
ACCEPT     all  --              state NEW
ACCEPT     udp  --              udp spt:67 dpt:68
INPUT_ICMP  icmp --  
ACCEPT     udp  --              udp dpt:53
ACCEPT     udp  --              udp dpt:67
ACCEPT     udp  --              udp dpt:68
DROP       all  --  
WGSI       all  --  
WGCI       all  --  
OVPNSI     all  --  
OVPNCI     all  --  
logdrop    all  --  

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --
ACCEPT     all  --              state RELATED,ESTABLISHED
WGSF       all  --  
OVPNSF     all  --  
WGNPControls  all  --  
ACCEPT     all  --  
logdrop    all  --  
ACCEPT     all  --  
logdrop    all  --              state INVALID
SECURITY   all  --  
ACCEPT     all  --              ctstate DNAT
DNSFILTER_DOT  tcp  --              tcp dpt:853
WGCF       all  --  
OVPNCF     all  --  
VPNCF      all  --  
ACCEPT     all  --  
logdrop    all  --  

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_DNS  udp  --              udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_DNS  tcp  --              tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_IP  all  --  

You can see the first rule in the FORWARD chain should drop all packets from to other clients on

If I ping a device from the Mac, I still get replies.

 % ifconfig
        ether b8:f6:b1:17:67:2b
        inet netmask 0xffffff00 broadcast
        media: autoselect
        status: active
~ % ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=3.637 ms
64 bytes from icmp_seq=1 ttl=64 time=4.444 ms
64 bytes from icmp_seq=2 ttl=64 time=3.726 ms
--- ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.637/3.936/4.444/0.361 ms

I tried restarting Skynet, but that just overwrites the rules. If I can figure out how to get the rules even working, I will try my hand at adding them to a script to make them persistent.
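
An added example, not part of the original post: a Python check of whether a source/destination pair sits in the same subnet. In that case the hosts reach each other directly at layer 2, the packets are not routed, and the router's FORWARD chain does not see them unless the router is set up to pass bridged frames to iptables. The addresses are constructed documentation-range values; only the hex netmask format and the ttl=64 replies follow the output above, and the initial-TTL list is an assumption used for the hop estimate.

```python
import ipaddress
import re

# Constructed sample input (RFC 5737 documentation addresses); only the hex
# netmask format and the ttl=64 replies mirror the output shown in the post.
SAMPLE_IFCONFIG = "inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255"
SAMPLE_PING = (
    "64 bytes from 192.0.2.20: icmp_seq=0 ttl=64 time=3.637 ms\n"
    "64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=4.444 ms\n"
)
INITIAL_TTLS = (64, 128, 255)  # common OS defaults (assumption for the heuristic)


def parse_hex_netmask(ifconfig_text):
    """Return the prefix length from a macOS-style 'netmask 0xffffff00' field."""
    m = re.search(r"netmask\s+0x([0-9a-fA-F]{8})\b", ifconfig_text)
    if not m:
        raise ValueError("no hex netmask found")
    mask = int(m.group(1), 16)
    prefix = bin(mask).count("1")
    # A valid mask is a run of 1-bits followed only by 0-bits.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask")
    return prefix


def is_on_link(src, dst, prefix):
    """True when dst is inside src's subnet, so src ARPs for it and sends directly."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) in net


def hops_seen(ping_output):
    """Estimate router hops per reply: distance below the nearest initial TTL."""
    ttls = [int(t) for t in re.findall(r"\bttl=(\d+)", ping_output)]
    return [min((i - t for i in INITIAL_TTLS if i >= t), default=None) for t in ttls]


def forward_chain_expected(src, dst, prefix):
    """A routed (off-link) packet traverses FORWARD; an on-link one is not routed."""
    return not is_on_link(src, dst, prefix)


if __name__ == "__main__":
    prefix = parse_hex_netmask(SAMPLE_IFCONFIG)
    for dst in ("192.0.2.20", "198.51.100.5"):
        print(dst, "routed via FORWARD:", forward_chain_expected("192.0.2.10", dst, prefix))
    print("estimated hops per reply:", hops_seen(SAMPLE_PING))
```

A hop estimate of 0 on every reply, together with an on-link destination, is consistent with the traffic never having been routed.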
