YazFi Guest Network with YazFi assigning LAN IPs, not the IPs of my guest settings.

So my current plan is to not use a guest network, and have DHCP reservations for my IoT devices so they always get the same IP. I am doing some preliminary testing with iptables and I'm having no luck.

Just to test if I could use iptables to block a client from accessing other devices on the LAN, I assigned my Mac an IP of 192.168.50.199.

I SSH'd into the router and issued the following command:

Code:
iptables -I FORWARD -s 192.168.50.199 -d 192.168.50.0/24 -j DROP

This should drop packets from my Mac when I ping other devices on the LAN.

I ran #iptables -L -n

Code:
jorg@RT-AX88U-F610:/tmp/home/root# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
INPUT_PING  icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
PTCSRVWAN  all  --  0.0.0.0/0            0.0.0.0/0
PTCSRVLAN  all  --  0.0.0.0/0            0.0.0.0/0
logdrop    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
INPUT_ICMP  icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:68
DROP       all  --  0.0.0.0/0            0.0.0.0/0
WGSI       all  --  0.0.0.0/0            0.0.0.0/0
WGCI       all  --  0.0.0.0/0            0.0.0.0/0
OVPNSI     all  --  0.0.0.0/0            0.0.0.0/0
OVPNCI     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.50.199       192.168.50.0/24
IPSEC_DROP_SUBNET_ICMP  all  --  0.0.0.0/0            0.0.0.0/0
IPSEC_STRONGSWAN  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
WGSF       all  --  0.0.0.0/0            0.0.0.0/0
OVPNSF     all  --  0.0.0.0/0            0.0.0.0/0
WGNPControls  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
SECURITY   all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate DNAT
DNSFILTER_DOT  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:853
WGCF       all  --  0.0.0.0/0            0.0.0.0/0
OVPNCF     all  --  0.0.0.0/0            0.0.0.0/0
VPNCF      all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
logdrop    all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_DNS  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_DNS  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_IP  all  --  0.0.0.0/0            0.0.0.0/0

You can see the first rule in the FORWARD chain should drop all packets from 192.168.50.199 to other clients on 192.168.50.0/24.

If I ping a device from the Mac, I still get replies.

Code:
 % ifconfig
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=400<CHANNEL_IO>
        ether b8:f6:b1:17:67:2b
        inet 192.168.50.199 netmask 0xffffff00 broadcast 192.168.50.255
        media: autoselect
        status: active
~ % ping 192.168.50.3
PING 192.168.50.3 (192.168.50.3): 56 data bytes
64 bytes from 192.168.50.3: icmp_seq=0 ttl=64 time=3.637 ms
64 bytes from 192.168.50.3: icmp_seq=1 ttl=64 time=4.444 ms
64 bytes from 192.168.50.3: icmp_seq=2 ttl=64 time=3.726 ms
^C
--- 192.168.50.3 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.637/3.936/4.444/0.361 ms

I tried restarting Skynet but that just overwrites the rules. If I can figure out how to get the rules even working I will try my hand at adding them to a script to make them persistent.
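An added diagnostic, not code from the thread: the usual reason a LAN-to-LAN DROP in FORWARD never fires is that traffic between two hosts in the same subnet is switched by the LAN bridge at layer 2 and only traverses iptables FORWARD when bridge-nf-call-iptables is 1 (wired clients may even be switched in hardware before the CPU sees them). It assumes Asuswrt-Merlin's single LAN bridge, a saved `iptables -L FORWARD -v -n -x` listing (the one below is constructed to mirror the rule in the post) and the sysctl path /proc/sys/net/bridge/bridge-nf-call-iptables.

```shell
#!/bin/sh
# Added example, not from the thread. Explains why a FORWARD DROP between two
# hosts on the same LAN subnet can show zero hits while pings still succeed.

ip2int() {                       # dotted quad -> 32-bit integer
    ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )
}

in_cidr() {                      # in_cidr IP CIDR -> exit 0 when IP lies inside CIDR
    net=${2%/*}; plen=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# path_for SRC DST LAN_CIDR -> "bridged" (layer-2 switched, skips FORWARD unless
# br_netfilter hooks it) or "routed" (leaves the subnet, so FORWARD applies)
path_for() {
    if in_cidr "$1" "$3" && in_cidr "$2" "$3"; then echo bridged; else echo routed; fi
}

# drop_hits SRC DUMPFILE -> packet counter of the DROP rule whose source is SRC in a
# saved `iptables -L FORWARD -v -n -x` listing, or "norule" if none is present
drop_hits() {
    awk -v s="$1" '$3 == "DROP" && $8 == s { print $1; f = 1 } END { if (!f) print "norule" }' "$2"
}

# bridge_nf SYSCTL_FILE -> value of bridge-nf-call-iptables, or "absent" when the
# br_netfilter module is not loaded (bridged frames then bypass iptables entirely)
bridge_nf() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else echo absent; fi
}

# diagnose SRC DST LAN_CIDR DUMPFILE SYSCTL_FILE -> one-line verdict
diagnose() {
    p=$(path_for "$1" "$2" "$3"); h=$(drop_hits "$1" "$4"); b=$(bridge_nf "$5")
    case "$p:$b" in
        bridged:1) echo "bridged, iptables sees it (hits=$h)" ;;
        bridged:*) echo "bridged, bypasses FORWARD (bridge-nf=$b, hits=$h); use ebtables or a separate network" ;;
        *)         echo "routed, FORWARD applies (hits=$h)" ;;
    esac
}

# Constructed sample listing in the shape of the post's rule: zero packets matched.
cat > /tmp/fwd.txt <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       all  --  *      *       192.168.50.199       192.168.50.0/24
EOF
diagnose 192.168.50.199 192.168.50.3 192.168.50.0/24 /tmp/fwd.txt /proc/sys/net/bridge/bridge-nf-call-iptables
```

On the router itself, compare the counter from a live `iptables -L FORWARD -v -n -x` against a few pings: a counter that stays at 0 while replies arrive confirms the packets never reached the chain.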