Network questions on a new RT-AX86U Pro

angryfatcat

Greetings,

I hope this is in the correct forum, if it's not please let me know.

I'm new to Asuswrt-Merlin (former pfSense and OpenWrt user). I just installed 388.2_2 on an RT-AX86U Pro. My goal is to simplify the amount of hardware I have to deal with and my network topology and to make it easier for someone who is not tech oriented to maintain. For the most part, the change has been straightforward, but I do have a few questions about a few network issues.

I have a few IP cameras (wired) that I need to stop from calling home. On my old network these were in a separate interface with a different IP range that was blocked by the firewall. On the AX86U Pro, I've blocked access to the internet via the GUI. Unfortunately by doing this, when I VPN into the network via WireGuard, I have access to the rest of the LAN, but not the cameras. If I unblock the camera, access is restored. So apparently blocking the cameras blocks them from more than just accessing the WAN. Oddly enough, the Instant Guard VPN does not have the same issue. Is there an easy way to resolve this?

I'm also running a guest network for a few IoT devices (and a printer). I need one-way access to two of these devices from the LAN and they need to have static IPs. I've looked at YazFi for this and I think this solves the one-way-access issue, but causes issues with giving them a static IP. It looks like it also causes some misrepresentation with the client list and the network map.

If this was pfSense or OpenWrt, I'd know how to fix these. Unfortunately this doesn't seem to be as straightforward in Merlin.

Any guidance on how to do this in the least invasive way would be greatly appreciated.
 
to make it easier for someone who is not tech oriented to maintain

How does all this make it easier to maintain for someone non-tech oriented?

Stock Asuswrt with mostly default settings and what changes in time on Auto.
 
Thank you for your suggestion. Unfortunately it does not address the very specific questions that I was trying to find a solution to.
 
You better leave your pfSense setup in place. It's equally impossible for non-tech people to maintain.

Your Asus router model has Pro Beta firmware with VLANs and Guest Network Pro. You may take a look:

Some screenshots here:

Recreating what pfSense can do on a home router may range from some challenges to impossible. Good luck.
 
I've looked at Yazfi for this and I think this solves the one-way-access issue, but causes issues with giving them a static IP. It looks like it also causes some misrepresentation with the client list and the network map.
It's a known issue that the GUI network map and list do not show YazFi clients. Use the System Log > Wireless Log page instead. More on creating YazFi static IP addresses here:
https://github.com/jackyaz/YazFi/wi...verse-DNS-records#a-note-on-dhcp-reservations
And here:
https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403
And an example of scripting YazFi to allow a main LAN client to access specific YazFi clients:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521

Or just use the latest ASUS RT-AX86U Pro Firmware version 9.0.0.6.102.4856 beta firmware for the RT-AX86U Pro that has VLAN and Guest Network Pro support.
https://www.asus.com/us/networking-...6u-pro/helpdesk_bios/?model2Name=RT-AX86U-Pro
 
This is helpful. But I wonder if it's also overkill and if it will actually do what needs to be done. It's hard to tell from the screenshots and very sparse documentation. Don't get me wrong, I've used VLANs a ton, and they're great for isolating traffic, but it seems a bit like swatting flies with a hammer just to deny a few devices access to the WAN.

This should be, in other systems at least, easily handled by firewall rules. But Asuswrt's firewall seems exclusively focused on inbound WAN traffic. I am a bit surprised by this. Do the new features include changes to the firewall that will allow routing between VLANs?

In the absence of firewall zones/routing inside the network, the original issue should be easily handled by iptables (instead of using the GUI to block clients explicitly). Is there a reason why this was not suggested? It looks like iptables are available via JFFS.

What I'm really curious about right now (aside from whether the VLAN support will also include the ability to manage routing between VLANs), is why the Instant Guard VPN behaves differently than WireGuard with regards to accessing devices that have had their internet access blocked. Any insight into how that VPN works would be greatly appreciated as well.

Finally, having used pfSense and OpenWrt for a long time, I'm very impressed by this router. Aside from the few tweaks I've mentioned above, it already has helped simplify my network.
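The iptables approach raised in the post above, sketched as an added example that is not part of the thread or of any poster's configuration: it generates rules that drop only traffic the cameras send out of the WAN interface, leaving LAN and VPN-tunnel access alone. The camera addresses and the interface name `eth0` are constructed assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Emits iptables rules that drop only
# WAN-bound traffic from the listed cameras, so LAN and VPN-tunnel clients
# can still reach them. Camera IPs and the WAN interface are assumptions.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# camera_wan_block_rules WAN_IF IP...
# Prints one line per valid camera: "-C" checks whether the rule exists and
# "-I" inserts it only if not, so a re-run never stacks duplicates.
# Matching on "-o WAN_IF" limits the drop to packets leaving via the WAN.
camera_wan_block_rules() {
    wan_if=$1; shift
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "skipping invalid address: $ip" >&2
            continue
        fi
        rule="FORWARD -s $ip -o $wan_if -j DROP"
        echo "iptables -C $rule 2>/dev/null || iptables -I $rule"
    done
}

# Dry run with constructed values; pipe the output to sh on the router to apply.
camera_wan_block_rules eth0 192.168.50.201 192.168.50.202
```

These rules cover IPv4 only; if the cameras have IPv6 connectivity, the same match is needed in ip6tables.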
 
But I wonder if it's also overkill and if it will actually do what needs to be done. It's hard to tell from the screenshots and very sparse documentation.
All comes down to your use case. Personally I use YazFi to isolate a number of Wi-Fi IoT devices (12 total) on the guest network. Each device has a reserved fixed YazFi IP address. Been using this configuration for a number of years, first with an RT-AC68U and now an RT-AX86U Pro. Works well for my needs and use case. It does take a little bit of effort and learning if one isn't familiar with scripting to set up, but that's the nature of the beast when customizing the firmware to do things it isn't programmed from the outset to do. The scripting example I provided to allow a YazFi guest client to access a specific main LAN client will get one started with how to script it the reverse (main LAN client to YazFi Guest client) if YazFi's one way/two way to Guest doesn't work.

The setup I use with YazFi is also easy to back up and restore when doing a reset on the router. It's a matter of reconfiguring Guest WiFi, then reinstalling YazFi and copying two files (YazFi config and the reserved IP address settings file) back to their respective locations on the router.

The various ways to check for YazFi clients are: use the System Log > Wireless Log. Or use the YazFi GUI page. Or access the YazFi CLI and list the clients via option #2. Or use cat /var/lib/misc/dnsmasq.leases via SSH. Easy to create a ".bat" (batch) file on Windows to run the cat /var/lib/misc/dnsmasq.leases command via PuTTY. Have such a ".bat" file on my Windows Desktop that I use from time to time to quickly check main LAN and YazFi connected clients without logging into the router's GUI.

One of the major limitations however with YazFi is its inability to work with AiMesh nodes. Not an issue for me (currently) but for others it's a deal breaker. Another suggestion when using YazFi is to use Guest #2 or #3 and not Guest #1. Asus firmware treats Guest #1 differently (for AiMesh I think). And be sure to use a unique IP address range for each of the YazFi networks.
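An added example, not part of the thread, that goes one step past reading /var/lib/misc/dnsmasq.leases by eye: it labels each lease as main LAN or guest by address range and flags any device that is meant to be isolated but holds a main-LAN lease. The sample leases, the 192.168.50. main prefix, the MAC addresses and the function names are constructed assumptions; the check relies on each guest network using its own address range, as recommended in the post above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads dnsmasq leases, whose lines are
# "<expiry> <mac> <ip> <hostname> <client-id>", and reports where each client
# landed. All sample values below are constructed.

# lease_report LEASES MAIN_PREFIX [ISOLATED_MAC...]
# LEASES may be "-" for stdin. MAIN_PREFIX must end with a dot so that
# "192.168.5." cannot match 192.168.50.x by accident.
lease_report() {
    leases=$1; main_prefix=$2; shift 2
    awk -v prefix="$main_prefix" -v iot="$*" '
        BEGIN {
            # MACs that are supposed to live on a guest network only
            n = split(tolower(iot), m, " ")
            for (i = 1; i <= n; i++) must_isolate[m[i]] = 1
        }
        NF >= 4 {
            mac = tolower($2); ip = $3; name = $4
            net = (index(ip, prefix) == 1) ? "main" : "guest"
            flag = (net == "main" && (mac in must_isolate)) ? "MISPLACED" : "ok"
            print net, ip, mac, name, flag
        }
    ' "$leases"
}

# Constructed sample: one desktop, one printer on a guest range, and one
# smart plug that should be isolated but obtained a main-LAN address.
sample_leases() {
    cat <<'EOF'
1686960000 a0:b1:c2:00:00:01 192.168.50.10 desktop 01:a0:b1:c2:00:00:01
1686960100 a0:b1:c2:00:00:02 192.168.3.20 printer *
1686960200 A0:B1:C2:00:00:03 192.168.50.77 smartplug *
EOF
}

# Offline demo; on the router pass /var/lib/misc/dnsmasq.leases instead of "-".
sample_leases | lease_report - 192.168.50. a0:b1:c2:00:00:02 a0:b1:c2:00:00:03
```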
 