YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[skeal]

I found a way to make it work. I hard coded a static ip and static dns on my phone for this network. Now there are no adds on the phone. The camera which is the IoT device I cannot set these static settings. I have no idea whether the camera has protection as I have no way to get the network information from it.

 

[Jack Yaz]

Without access to lan I don't see how this would work. My ip of the device is 192.168.2.x the ip of my router is 192.168.x.1

YazFi creates rules for DNS access. Can you the diagnostics option d from YazFi, and PM me the created tar and passphrase please?

 

[skeal]

I cannot see a way to send you the diag file.

 

[L&LD]

skeal, this is working for me without issues, when I'm browsing on my phone on the guest network I am getting about 42 ads less per minute vs. being on LTE.

I am running amtm, Diversion, pixelserv-tls beta statically linked, Skynet, Stubby, YazFi and FreshJR QOS on my RT-AC3100 with a 2GB swapfile.

If I leave the DNS entries blank, or, if I enter my router's IP address, I have the benefits of Diversion and all the other scripts, in addition to being able to download the x.x.x.x/ca.crt pixelserv-tls certificate for the device.

Yes, this is really the best of all worlds and far ahead of what a default install gives us (with Asus' or RMerlin's firmware installed).

Jack Yaz did provide an overview of how he accomplishes this, but it is way over my head to be able to explain it to you coherently.

I just know it works and except for a little glitch where my phone's hostname isn't showing up, it works flawlessly.

Edit: Now using YazFi v3.03! Thank you Jack Yaz! (I'll have to search for what this version changed).

 

[Jack Yaz]

skeal, this is working for me without issues, when I'm browsing on my phone on the guest network I am getting about 42 ads less per minute vs. being on LTE.

I am running amtm, Diversion, pixelserv-tls beta statically linked, Skynet, Stubby, YazFi and FreshJR QOS on my RT-AC3100 with a 2GB swapfile.

If I leave the DNS entries blank, or, if I enter my router's IP address, I have the benefits of Diversion and all the other scripts, in addition to being able to download the x.x.x.x/ca.crt pixelserv-tls certificate for the device.

Yes, this is really the best of all worlds and far ahead of what a default install gives us (with Asus' or RMerlin's firmware installed).

Jack Yaz did provide an overview of how he accomplishes this, but it is way over my head to be able to explain it to you coherently.

I just know it works and except for a little glitch where my phone's hostname isn't showing up, it works flawlessly.

Edit: Now using YazFi v3.03! Thank you Jack Yaz! (I'll have to search for what this version changed).

3.03 is in development...ah, this is where I sent you the test script. Can you edit YazFi and change the line near the top that refers to branch from "develop" to "master" please, and then use option 3f in the menu?

 

[L&LD]

Jack Yaz, sorry about that!

Made those changes as asked and am now back on v3.02.

 

[Jack Yaz]

I cannot see a way to send you the diag file.

I think you've stumbled on a bug, though I'm not sure if it's causing your issue. FORCEDNS isn't kicking in due to entering 0 for VPN client number - which is invalid but only checked if REDIRECTTOVPN is true. FORCEDNS is missing an equivalent check...I'll fix that

 

[skeal]

I think you've stumbled on a bug, though I'm not sure if it's causing your issue. FORCEDNS isn't kicking in due to entering 0 for VPN client number - which is invalid but only checked if REDIRECTTOVPN is true. FORCEDNS is missing an equivalent check...I'll fix that

In the mean time, I have made both dns1 and dns2 to be my router ip, also I put a "5" in the vpn client field. Works as expected now. It's a Sunday Jack take some time off and update the script later. You deserve plenty of beer for this script.

 

[Jack Yaz]

YazFi 3.0.3 is now available

Fix logic for FORCEDNS with VPN
Fix numpad in nano

Thanks to @skeal for spotting these

 

[bearever]

Correct, the main LAN is unaffected and is quite happy.

I just figured my guest network cannot access my Pihole dns servers after version 2.3.9 and onwards. I reported this issue to Jack today and he has fixed the script in the develop branch.



Sent from my iPhone using Tapatalk Pro

 

[Jack Yaz]

YazFi v3.0.4 is now available

Fix LAN DNS firewall rules

Thanks to @bearever for helping me track this down

 

[joe scian]

Hi Jack
I have a crazy occurrence with a Panasonic smart TV. When I create a default config for my 5.1Ghz guest wireless - it picks up the default Gateway as 192.168.4.240 correctly and DNS set to 192.168.2.240 ( same as my Router LAN IP Address ). IP Address of TV is 192.168.4.75. Subnet mask 255.255.255.0.

BUT for some crazy reason it wont connect to the network.

Yet when I just use my standard 5.1 Network - It receives its IP Address of 192.168.2.75 - Default Gateway of 192.168.2.240 , DNS 192.168.2.240 - subnet mask 255.255.255.0 - and hey presto it connects to the network. This has me totally stumped - must be some wierd quirk with the panasonic tv -

I can connect my iphone to the 5.1 Guest Network and can confirm it connects to the network properly .

####################################################################
###### 5 GHz Networks ######
####################################################################
###### Guest Network 1 (wl1.1) #####
####################################################################
wl11_ENABLED=true
wl11_IPADDR=192.168.4.0
wl11_DHCPSTART=2
wl11_DHCPEND=254
wl11_DNS1=192.168.2.240
wl11_DNS2=8.8.8.8
wl11_FORCEDNS=true
wl11_REDIRECTALLTOVPN=false
wl11_VPNCLIENTNUMBER=1
wl11_LANACCESS=false
wl11_CLIENTISOLATION=false

 

[Jack Yaz]

Hi Jack
I have a crazy occurrence with a Panasonic smart TV. When I create a default config for my 5.1Ghz wireless - it picks up the default Gateway as 192.168.4.240 correctly and DNS set to 192.168.2.240 ( same as my Router LAN IP Address ). IP Address of TV is 192.168.4.75. Subnet mask 255.255.255.0.

BUT for some crazy reason it wont connect to the network.

Yet when I just use my standard 5.1 Network - It receives its IP Address of 192.168.2.75 - Default Gateway of 192.168.2.240 , DNS 192.168.2.240 - subnet mask 255.255.255.0 - and hey presto it connects to the network. This has me totally stumped - must be some wierd quirk with the panasonic tv -

I can connect my iphone to the 5.1 Guest Network and can confirm it connects to the network properly .

OK so it's good another device can connect (and presumably internet etc works fine). Which version of YazFi are you running?

What error does the TV display when trying to join?

Do you have DNSFilter set in the normal LAN? If not, I wonder if the Panasonic doesn't like its DNS being force re-routed. You could test by setting FORCEDNS to false.

Another thing to try would be "forgetting" the network on the TV and re-entering details.

 

[EmeraldDeer]

Regarding RT-AX88U and wl01_CLIENTISOLATION=true
First apply settings with wl01_CLIENTISOLATION=true

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

[: bad number
[: bad number
[: bad number
YazFi: DHCP configuration updated

YazFi: Forcing YazFi Guest WiFi clients to reauthenticate

YazFi: YazFi v3.0.4 completed successfully

Second apply settings with wl01_CLIENTISOLATION=false

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

YazFi: YazFi v3.0.4 completed successfully

Third apply settings with wl01_CLIENTISOLATION=true

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

YazFi: YazFi v3.0.4 completed successfully

Settings

wl01_ENABLED=true
wl01_IPADDR=192.168.66.0
wl01_DHCPSTART=10
wl01_DHCPEND=99
wl01_DNS1=192.168.66.1
wl01_DNS2=192.168.66.1
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

 

[EmeraldDeer]

Decrypting YazFi diagnostics bundle
# /usr/sbin/openssl aes-256-cbc -d -in YazFi.tar.gz.enc -out YazFi.tar.gz
enter aes-256-cbc decryption password:

 

[Jack Yaz]

Decrypting YazFi diagnostics bundle
# /usr/sbin/openssl aes-256-cbc -d -in YazFi.tar.gz.enc -out YazFi.tar.gz
enter aes-256-cbc decryption password:

I'm not sure what you're trying to do?

 

[EmeraldDeer]

I'm not sure what you're trying to do?

I ran diagnostics and wanted to see the diagnostics but did not find how to decrypt. An example from a web search provided a guess of aes-256-cbc which turned out to be correct.

 

[Jack Yaz]

I ran diagnostics and wanted to see the diagnostics but did not find how to decrypt. An example from a web search provided a guess of aes-256-cbc which turned out to be correct.

Your unique password is shown on screen when you generate the diagnostics.

 

[Jack Yaz]

Regarding RT-AX88U and wl01_CLIENTISOLATION=true
First apply settings with wl01_CLIENTISOLATION=true

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

[: bad number
[: bad number
[: bad number
YazFi: DHCP configuration updated

YazFi: Forcing YazFi Guest WiFi clients to reauthenticate

YazFi: YazFi v3.0.4 completed successfully

Second apply settings with wl01_CLIENTISOLATION=false

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

YazFi: YazFi v3.0.4 completed successfully

Third apply settings with wl01_CLIENTISOLATION=true

YazFi: YazFi v3.0.4 starting up

YazFi: wl0.1 passed validation

YazFi: wl0.1 (SSID: 223_110_IoT) - sending all interface internet traffic over WAN interface

YazFi: YazFi v3.0.4 completed successfully

Settings

wl01_ENABLED=true
wl01_IPADDR=192.168.66.0
wl01_DHCPSTART=10
wl01_DHCPEND=99
wl01_DNS1=192.168.66.1
wl01_DNS2=192.168.66.1
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

I suspect this might be the nvram variables for isolation misbehaving. Can you reproduce with a reboot? V3.0.5 is going to do more than validation on the variables for isolation

 

[Jack Yaz]

I ran diagnostics and wanted to see the diagnostics but did not find how to decrypt. An example from a web search provided a guess of aes-256-cbc which turned out to be correct.

I think I'll have the menu print what I'm collecting for clarity. I'm not hiding anything since it is an open source script after all