YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


LAN resources (except DHCP and DNS on the router, and/or Pixelserv-tls if you run it) are currently all blocked. Allowing whitelisting of LAN devices, IPs and ports etc. is on my to-do!
I'll qualify that by saying the external HD I have as a Samba share on the router is accessible by any machine on the router if it has the correct password.
 
Yes...that's odd, because my samba share on the router (all 4) cannot even be reached for authentication! Perhaps we need to sort out a screensharing session so that we can see what's going on there.
 
Dunno. But I'm happy with it as-is! :D
 
Hello everyone, is there any way to make YazFi work in AP Mode? If not, is there a way to work around it?
Thanks in advance
^ +1 for this ^

I've got two AC68Us; the main one in the house in router mode, the other in the garage in AP mode, connected via ethernet. Same SSID, moving between them now seems perfectly seamless.

What I need is a separate guest network on the AP mode Router2. The guest network could be on Router1 also, if it's easier since it's already doing the routing, but would still need to be on Router2.

Router1 is where the phone line and modem are, so they can't be easily swapped. The two simple solutions that I'm trying to avoid are: plug in a third router, or put them both in router mode.

I've found some router-only features, like VPN, work just fine in AP mode, set up by manually going to the page, start and stop the service with a script.
It doesn't look like AiMesh repeats the main router's guest networks; that would be an ideal solution. When it was first released I tried it and it was a disaster. I'd give it another chance if it did guest networks.

I guess what I'm looking for is advice or direction before I start experimenting, screw things up, then put it back together the way it was.
 
AiMesh does not support Guest Networks... in my reading, that is. I am giving it a try currently.
 
Might be possible to do something with vlan tagging on the AP guest interfaces, but that goes beyond the current scope of YazFi
 
I'm using IPv6 via HE's free tunnel broker as described on the Merlin Wiki. This gives me a /48 on the router, so in theory I should be able to set many /64 subnets. But as configured per the wiki, I get a /64 on my LAN.

When I use YazFi with 1 guest WiFi on 192.168.250.x, my guests get IPv6 addresses from my LAN /64. I haven't tried other devices, but my Android 8 phone sees this and disconnects/reconnects from the guest network repeatedly. If I disable IPv6, all is fine.

At a minimum YazFi should block guests from getting IPv6, but even better would be adding support for separate IPv6 subnets for users with a larger than /64 assignment on the router.
 
If you're willing to lend a hand I can look into it. I don't have IPv6 currently, so no way of giving it a proper run out. I'm assuming it's something with ip6tables, but that's a complete guess
 
Definitely willing to lend a hand. My ISP doesn't offer IPv6, either, which is why I'm using tunnel broker.
 
Hey, so I chatted with my ISP and they are currently experimenting with IPv6 and can enable it for customers on request. Unfortunately they are violating RFC6177 and only hand out /64 prefixes. I suspect this is common, but that means I can test things work with the router set to Native IPv6 without the possibility to subnet and a subnettable situation via my tunnel broker account. I'll try to take a closer look at what your script is doing this weekend and see if I can figure out the right commands to run afterwards to get things working as I think they should.
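
The two situations discussed in the posts above (a subnettable /48 versus a single /64), worked through as an added example that is not part of the thread or of YazFi. The prefixes are constructed documentation addresses, the LAN is assumed to use the first /64 of the /48, and `wl0.1` is an assumed interface name alongside the `wl1.1` seen in the thread.

```python
import ipaddress

def plan_guest_prefixes(delegated, lan, guest_ifaces):
    """Give each guest interface its own /64 from the delegated prefix.

    Returns {iface: prefix}. A value of None means no spare /64 exists, so the
    only way to keep that guest off the LAN prefix is to block IPv6 for it.
    """
    delegated = ipaddress.ip_network(delegated)
    lan = ipaddress.ip_network(lan)
    if delegated.prefixlen > 64 or not lan.subnet_of(delegated):
        raise ValueError("LAN /64 must sit inside a delegated prefix of /64 or shorter")
    # Every /64 in the delegation except the one the LAN already uses.
    # For a bare /64 delegation this generator is empty.
    spare = (n for n in delegated.subnets(new_prefix=64) if n != lan)
    return {iface: next(spare, None) for iface in guest_ifaces}

def leaked_onto_lan(guest_addrs, lan):
    """Return guest client addresses that fall inside the LAN /64."""
    lan = ipaddress.ip_network(lan)
    return [a for a in guest_addrs if ipaddress.ip_address(a) in lan]

if __name__ == "__main__":
    # Constructed sample values (2001:db8::/32 is the documentation range).
    tunnel = plan_guest_prefixes("2001:db8:abcd::/48", "2001:db8:abcd::/64",
                                 ["wl0.1", "wl1.1"])
    native = plan_guest_prefixes("2001:db8:0:1::/64", "2001:db8:0:1::/64", ["wl1.1"])
    for name, plan in (("tunnel /48", tunnel), ("native /64", native)):
        for iface, prefix in plan.items():
            print(name, iface, prefix or "no spare /64: block IPv6 on this guest")
    # Addresses as they might be seen on guest clients (constructed).
    seen = ["2001:db8:abcd:0:1234::1", "2001:db8:abcd:1::5", "fe80::1"]
    print("guest addresses inside LAN /64:", leaked_onto_lan(seen, "2001:db8:abcd::/64"))
```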
 
Hi - have been using this script for many months and it has been perfect until now.
Yesterday I changed up the VPN server on Client 1 and have had issues connecting with Client 2 since.
I believe I may have something off with the policy rules for these clients, any help you can give will be much appreciated. I do not know anything about policy rules - any explanation on how they work and what they are doing along the way would also be great.

I have my main network set to run on VPN Client 1 and this works. (192.168.2.1 in YazFi config)
I have my 2.4 guest network set to run on VPN Client 1 and this works. (192.168.3.0 in YazFi config)
I have my 5.0 guest network to run on VPN Client 2 and it does not work. (192.168.4.0 in YazFi config)

When I connect to the 5.0 guest network I get no internet after a reboot, and internet on Client 2 after running the YazFi script in terminal:
YazFi: wl1.1 (SSID: guest) - VPN redirection enabled, sending all interface internet traffic over VPN Client 2

VPN Status in Asus shows Client 1 and Client 2 both properly connected to servers.
I have confirmed that VPN server on Client 2 is working.

Client 1 Policy Rules are set to:
2.4GHz Guest 1 192.168.3.0/24 0.0.0.0 VPN
Router 192.168.2.1 0.0.0.0 WAN
All Other 192.168.2.1/24 0.0.0.0 VPN
5.0Ghz Guest 1 192.168.4.0/24 0.0.0.0 VPN


Client 2 Policy Rules are set to:
5GHz1 Guest 1 192.168.4.0/24 0.0.0.0 VPN

Do I need to set these manually or will the script now do this?
Do I have it all correct?

Thank you!
 
This rule looks surplus to requirements:

Code:
5.0Ghz Guest 1 192.168.4.0/24 0.0.0.0 VPN

The .0 isn't added by YazFi so was this manually added?
 
I did manually add, maybe I got it wrong?
I take that to mean that the script will now add and set all required policy rules? (did not want to try this and muck it up more)
 
If running the last released version, then setting _REDIRECTALLTOVPN will handle the rules for guests. Let me know if not
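
A check for the situation in the exchange above, where the same guest subnet appears in the policy rules of two VPN clients. This is an added example, not code from the thread or from YazFi; the rule lines are copied from the post and the function names are made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Policy rules as posted above: description, source, destination, interface.
RULES = {
    1: """2.4GHz Guest 1 192.168.3.0/24 0.0.0.0 VPN
Router 192.168.2.1 0.0.0.0 WAN
All Other 192.168.2.1/24 0.0.0.0 VPN
5.0Ghz Guest 1 192.168.4.0/24 0.0.0.0 VPN""",
    2: """5GHz1 Guest 1 192.168.4.0/24 0.0.0.0 VPN""",
}

def parse_rule(line):
    # The description can contain spaces, so split the last three fields off the right.
    desc, src, dst, iface = line.rsplit(None, 3)
    # strict=False accepts sources with host bits set, such as 192.168.2.1/24.
    return desc, ipaddress.ip_network(src, strict=False), dst, iface

def vpn_sources(rules):
    """Map each VPN client number to the source networks it sends over the VPN."""
    out = defaultdict(list)
    for client, text in rules.items():
        for line in text.splitlines():
            _desc, net, _dst, iface = parse_rule(line.strip())
            if iface == "VPN":
                out[client].append(net)
    return out

def cross_client_overlaps(rules):
    """Return (net_a, client_a, net_b, client_b) for sources claimed by two clients."""
    by_client = vpn_sources(rules)
    clients = sorted(by_client)
    hits = []
    for i, a in enumerate(clients):
        for b in clients[i + 1:]:
            for net_a in by_client[a]:
                for net_b in by_client[b]:
                    if net_a.overlaps(net_b):
                        hits.append((str(net_a), a, str(net_b), b))
    return hits

if __name__ == "__main__":
    for net_a, a, net_b, b in cross_client_overlaps(RULES):
        print(f"{net_a} (Client {a}) overlaps {net_b} (Client {b})")
```

Run against the posted rules, the only overlap reported is 192.168.4.0/24 on Client 1 and Client 2, which is the manually added rule the reply calls surplus.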
 
