Posting this as a reference for others running Ring alarm devices on a YazFi-managed IoT VLAN with Unbound as the recursive resolver. Took considerable debugging to identify — hopefully this saves someone else the time.
Setup:
- RT-AX86U / Merlin 3004.388.11_0
- YazFi v4.4.10
- Unbound (Martineau addon), recursive resolver via DNS Director
- Ring alarm base station + cameras on wl0.1 IoT VLAN (192.168.2.x)
**Problem:**
Ring alarm base station periodically going offline. Ring cameras unaffected.
**Root causes confirmed:**
1. Ring hardcodes 1.1.1.1 as its DNS server. YazFi's YazFiDNSFILTER chain intercepts port 53 traffic on wl0.1 and redirects it to Unbound. Ring rejects DNS responses from Unbound and enters a DHCP loop trying to recover.
2. Unbound's rebind protection triggers false positives on Ring's AWS-hosted endpoints, causing valid responses to be blocked.
**Important — Interface Name on RT-AX86U:**
On RT-AX86U, guest networks on the 2.4GHz radio typically present as wl0.x. Always confirm which interface your device is actually on rather than guessing; the last column of /proc/net/arp is the interface the MAC was learned on:
grep -i "b0:09:da" /proc/net/arp # substitute your Ring MAC (lowercase in /proc/net/arp)
**Fix 1 — Bypass YazFi DNS hijacking for Ring base station MAC:**
Create /jffs/addons/YazFi.d/userscripts.d/ring-dns-bypass.sh:
#!/bin/sh
# Exempt the Ring base station's DNS queries from YazFi's port-53 redirect to Unbound.
RING_MAC="B0:09:DA:XX:XX:XX" # Replace with your Ring base station MAC
IFACE="wl0.1" # Confirm with /proc/net/arp
# Remove any earlier copies first so re-running the script never stacks duplicate rules.
iptables -t nat -D PREROUTING -i "$IFACE" -m mac --mac-source "$RING_MAC" -p udp --dport 53 -j RETURN 2>/dev/null
iptables -t nat -D PREROUTING -i "$IFACE" -m mac --mac-source "$RING_MAC" -p tcp --dport 53 -j RETURN 2>/dev/null
# -I with no position inserts at the top of nat/PREROUTING, ahead of the YazFiDNSFILTER jump.
iptables -t nat -I PREROUTING -i "$IFACE" -m mac --mac-source "$RING_MAC" -p udp --dport 53 -j RETURN
iptables -t nat -I PREROUTING -i "$IFACE" -m mac --mac-source "$RING_MAC" -p tcp --dport 53 -j RETURN
Make it executable and run it:
chmod +x /jffs/addons/YazFi.d/userscripts.d/ring-dns-bypass.sh
sh /jffs/addons/YazFi.d/userscripts.d/ring-dns-bypass.sh
YazFi re-runs every script in userscripts.d after each firewall rebuild, so the RETURN rules are re-applied each time and survive reboots. Keep in mind what the exemption buys: it matches on source MAC only, so any other client on wl0.1 that spoofs the Ring MAC also escapes the redirect, and the exempted queries go straight to whichever resolver the device asks for (1.1.1.1) rather than through Unbound. Scope it to the one device that genuinely needs it.
Verify rules are in place at positions 1-2 above YazFiDNSFILTER:
iptables -t nat -L PREROUTING -n -v --line-numbers | head -6
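The two lookups above (which interface the MAC is on, and whether the RETURN rules really sit ahead of the YazFiDNSFILTER jump) are easy to eyeball wrong after a rebuild. The following helper is an added example, not from the original post or from YazFi/Unbound. It assumes the standard column layout of `/proc/net/arp` and of `iptables -t nat -L PREROUTING -n -v --line-numbers`, and that the YazFi jump shows up as a target named YazFiDNSFILTER; the ARP and iptables listings embedded in it are constructed samples, not captures from a router.

```shell
#!/bin/sh
# Added helper (not from the original post): confirm the guest interface a MAC
# sits on, and confirm the MAC's RETURN rules precede the YazFiDNSFILTER jump.
# Both functions read table text from stdin, so they run here on constructed
# samples and on the router on the live commands.

# Print the Device column /proc/net/arp lists for a MAC (compared lowercase).
# On the router: iface_for_mac "B0:09:DA:XX:XX:XX" < /proc/net/arp
iface_for_mac() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        NR > 1 && tolower($4) == mac { print $6; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 only when exactly two RETURN rules for the MAC on dpt:53 exist and
# each has a lower rule number than the first YazFiDNSFILTER target.
# Assumes: iptables -t nat -L PREROUTING -n -v --line-numbers
# columns: num pkts bytes target prot opt in out source destination [extras]
bypass_precedes_filter() {
    awk -v mac="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        BEGIN { first_filter = 0; n_return = 0; bad = 0 }
        /^[0-9]+[ \t]/ {
            line = tolower($0)
            if (index(line, "yazfidnsfilter") && first_filter == 0) first_filter = $1 + 0
            if ($4 == "RETURN" && index(line, "mac " mac) && index(line, "dpt:53")) {
                n_return++
                if (first_filter != 0 && $1 + 0 > first_filter) bad = 1
            }
        }
        END { exit (n_return == 2 && bad == 0) ? 0 : 1 }'
}

# Constructed sample data (not captured from a real router).
MAC="B0:09:DA:11:22:33"

ARP_SAMPLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.2.50     0x1         0x2         b0:09:da:11:22:33     *        wl0.1
192.168.1.10     0x1         0x2         aa:bb:cc:dd:ee:ff     *        br0'

# Expected state after the bypass script: RETURN rules at 1-2, YazFi jump below.
GOOD_LISTING='Chain PREROUTING (policy ACCEPT 1234 packets, 567K bytes)
num   pkts bytes target          prot opt in     out     source               destination
1       12   800 RETURN          tcp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            MAC B0:09:DA:11:22:33 tcp dpt:53
2      340 22100 RETURN          udp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            MAC B0:09:DA:11:22:33 udp dpt:53
3      512 40960 YazFiDNSFILTER  all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0'

# Failure mode: rules appended (-A) instead of inserted (-I), so the YazFi
# chain still sees the Ring queries first and redirects them to Unbound.
BAD_LISTING='Chain PREROUTING (policy ACCEPT 1234 packets, 567K bytes)
num   pkts bytes target          prot opt in     out     source               destination
1      512 40960 YazFiDNSFILTER  all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0
2        0     0 RETURN          tcp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            MAC B0:09:DA:11:22:33 tcp dpt:53
3        0     0 RETURN          udp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            MAC B0:09:DA:11:22:33 udp dpt:53'

# Demo against the constructed samples; on the router feed the real commands in.
printf 'Ring MAC is on: %s\n' "$(printf '%s\n' "$ARP_SAMPLE" | iface_for_mac "$MAC")"
printf '%s\n' "$GOOD_LISTING" | bypass_precedes_filter "$MAC" && echo "good listing: bypass precedes YazFiDNSFILTER"
printf '%s\n' "$BAD_LISTING"  | bypass_precedes_filter "$MAC" || echo "bad listing: YazFiDNSFILTER still ahead of bypass"
```

On the router the two live forms are `iface_for_mac "$MAC" < /proc/net/arp` and `iptables -t nat -L PREROUTING -n -v --line-numbers | bypass_precedes_filter "$MAC"`; the second is a convenient one-liner to drop into a cron job if you want to be alerted when a rebuild lands the rules in the wrong order.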
**Fix 2 — Unbound rebind protection exceptions:**
Add to /opt/share/unbound/configs/unbound.conf.add. In Unbound, private-domain declares that the listed zone and all of its subdomains may legitimately resolve to addresses covered by private-address, so answers for those names are no longer stripped as rebind attempts; everything else keeps the protection:
private-domain: "ring.com"
private-domain: "ring-alarm.io"
Note: Do NOT add amazonaws.com as a private-domain — too broad a security exception.
Add the include to /opt/var/lib/unbound/unbound.conf under the server: section:
include: "/opt/share/unbound/configs/unbound.conf.add"
Restart Unbound:
sh /jffs/addons/unbound/unbound_manager.sh restart
**Result:**
Ring base station maintains stable connectivity. RETURN rules confirmed surviving all YazFi rebuilds with packet counters incrementing correctly.
Note: If you are also running Skynet alongside YazFi, the PREROUTING RETURN rules will cause Skynet's hourly firewall save to flag an integrity violation and trigger restart_firewall every hour. See the GitHub issue filed here for the workaround: https://github.com/Adamm00/IPSet_ASUS/issues/193