
YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


Another thought I had, with your fix removed, what happens after a reboot with the devices on the wrong IP and running service restart_wireless?
Not working, all requests go to br0 after doing this. Didn't have time to investigate further, but I suspect that restarting the wireless service brings the wl0.x interfaces down and when they come up again they are not configured?

Question, what have you set for dhcp lease time?
48h for main network and 12h for the guest network.
 
Not working, all requests go to br0 after doing this. Didn't have time to investigate further, but I suspect that restarting the wireless service brings the wl0.x interfaces down and when they come up again they are not configured?
I thought it might but hoped not :(
 
why won't yazfi work on my ac3100 :oops:

i like the idea of vpn'ing one of my ssid's.
 
why won't yazfi work on my ac3100 :oops:

i like the idea of vpn'ing one of my ssid's.
If you're referring to the supported list on the first page, that's just a list of confirmed working. It should work on all ARM based Merlin supported routers.

If, on the other hand, you're trying to run it and it's not working, then let me know the error(s) you're seeing and I'll do what I can to fix them.
 
Tested YazFi with 384.7_2 and it works PERFECTLY! All guest wifi subnet traffic is routed through VPN client and an intensive nmap scan yields no leaks to the 192.168.1.0/24 LAN subnet.

A feature request I have is a minor change. My guest network SSID is named "LAB" and it would be beneficial to carry this name over to the VPN routing rules instead of the generic name for the guest wifi.
 
Tested YazFi with 384.7_2 and it works PERFECTLY! All guest wifi subnet traffic is routed through VPN client and an intensive nmap scan yields no leaks to the 192.168.1.0/24 LAN subnet.

A feature request I have is a minor change. My guest network SSID is named "LAB" and it would be beneficial to carry this name over to the VPN routing rules instead of the generic name for the guest wifi.
It used to do this, but I reverted it to a generic name so that it can reliably be referenced by some script functions when moving an SSID between VPN Clients
 
Interesting, I wasn't aware as a new user. Would be nice to have both perhaps, such as:
Code:
2.4GHz Guest 1 (LAB)
... if that wouldn't complicate/break the script functionality.
 
I’ve noticed that I sometimes need to rerun the script every now and then to get the guest Wi-Fi working again.
Can I call the script via cron every hour or so to make sure everything is running correctly, or is there another way to ensure everything is up?
 
I’ve noticed that I sometimes need to rerun the script every now and then to get the guest Wi-Fi working again.
Can I call the script via cron every hour or so to make sure everything is running correctly, or is there another way to ensure everything is up?
You can run via cron, yes. It would be interesting to see what's happening for the script to need re-running, however.
 
Hi Jack Yaz, thanks for your script.

I have a question about the upcoming feature on the first page that hasn't yet been incorporated.

I have some IoT stuff on my lan that is currently on a guest network which I have turned off intranet access for in the GUI (I have not yet installed your script). Now I am experimenting with adding a home automation "hub" (raspberry pi device with home assistant on it) to manage these devices and do some automation.

It would be convenient to be able to access the hub from my "main" network and have the hub also be able to interact with the devices on the IoT guest network. So either the hub could live on the main network and everything on the guest network would be able to access that one host, or the hub could live on the guest network and that one host would have free access to / from the main network.

I'm assuming that what you described in the OP that hasn't been crossed off yet:

Allowing access to LAN resources (either whole LAN or single LAN target)

...would let me do what I want. And the question is (to possibly save myself from learning more about iptables and ebtables than I might otherwise need to know), do you know how to do that but just haven't had time to incorporate it into your script? Or have you not figured out how to do it yet?
 
Hi Jack Yaz, thanks for your script.

And the question is (to possibly save myself from learning more about iptables and ebtables than I might otherwise need to know), do you know how to do that but just haven't had time to incorporate it into your script? Or have you not figured out how to do it yet?
It's somewhere between not had time, and the best way to implement it for users
 
It's somewhere between not had time, and the best way to implement it for users

Any chance you could post some kind of conceptual overview, hints, pointers, sample code for how to do it? I'm trying to hack together something quick and dirty to hold me over until that feature of YazFi is implemented.
 
Any chance you could post some kind of conceptual overview, hints, pointers, sample code for how to do it? I'm trying to hack together something quick and dirty to hold me over until that feature of YazFi is implemented.
You'd need to put your rules above the drop rules that stop LAN traffic in the YazFiFORWARD chain in iptables
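
The placement described in the reply above, as an added example that is not part of the thread or of YazFi: a dry-run POSIX shell script that finds the first DROP/REJECT rule in YazFiFORWARD and prints insert commands that land above it for a single LAN host. The sample chain listing, the hub address 192.168.1.50 and the function names are assumptions; the chain contents on a real router will differ.

```shell
#!/bin/sh
# Added example (not YazFi's own code): plan ACCEPT rules that sit above the
# LAN-blocking rules in the YazFiFORWARD chain. Dry run: commands are only printed.
CHAIN="YazFiFORWARD"
LAN_IF="br0"

# Constructed stand-in for `iptables -S YazFiFORWARD`; the real chain will differ.
sample_rules() {
    cat <<'EOF'
-N YazFiFORWARD
-A YazFiFORWARD -i wl0.1 -o eth0 -j ACCEPT
-A YazFiFORWARD -i wl0.1 -o br0 -j DROP
-A YazFiFORWARD -i br0 -o wl0.1 -j DROP
EOF
}

# Read `iptables -S` output on stdin; print the 1-based position of the first
# DROP/REJECT rule in the chain, or (rule count + 1) if there is none.
first_block_pos() {
    awk -v chain="$CHAIN" '
        $1 == "-A" && $2 == chain {
            n++
            if (!pos && $0 ~ /-j (DROP|REJECT)/) pos = n
        }
        END { print (pos ? pos : n + 1) }'
}

# plan_allow GUEST_IF HUB_IP POS: print idempotent insert commands for one LAN host.
plan_allow() {
    guest_if=$1 hub=$2 pos=$3
    # Accept only an IPv4-shaped host address (octet ranges are not checked),
    # so nothing else can end up on the generated command line.
    echo "$hub" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "invalid host address: $hub" >&2; return 1; }
    to_hub="-i $guest_if -o $LAN_IF -d $hub -j ACCEPT"
    from_hub="-i $LAN_IF -o $guest_if -s $hub -j ACCEPT"
    for spec in "$to_hub" "$from_hub"; do
        echo "iptables -C $CHAIN $spec 2>/dev/null || iptables -I $CHAIN $pos $spec"
    done
}

# On the router, replace sample_rules with: iptables -S "$CHAIN"
pos=$(sample_rules | first_block_pos)
plan_allow wl0.1 192.168.1.50 "$pos"   # 192.168.1.50 is a constructed hub address
```

Both inserts use the same position, so the second pushes the first down one slot and both stay above the first blocking rule.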
 
Need some assistance, I'm setting up the script and setting up guest 1 (2.4GHz) with VPN and guest 2 (2.4GHz) without VPN, so:

wl01_ENABLED=true
wl01_IPADDR=192.168.2.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=192.168.2.1
wl01_DNS2=192.168.2.1
wl01_REDIRECTALLTOVPN=true
wl01_VPNCLIENTNUMBER=1

####################################################################
###### Guest Network 2 (wl0.2) #####
####################################################################
wl02_ENABLED=true
wl02_IPADDR=192.168.3.0
wl02_DHCPSTART=2
wl02_DHCPEND=254
wl02_DNS1=192.168.3.1
wl02_DNS2=192.168.3.1
wl02_REDIRECTALLTOVPN=false
wl02_VPNCLIENTNUMBER=

For guest 1 how do I determine vpnclientnumber? I will set up a 5GHz as well and how would I determine the vpnclient number as well?
 
@Kingp1n

VPN client number is the VPN you are using, you can have multiple VPN clients. You could effectively split some to VPN 1, VPN 2 etc.
When you set up the VPN the first is usually #1, and so on. Check the VPN tab, you'll see available clients you can configure. I think you'll follow along.

Edit: fix server mistype from "server" to "client"
 
