YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

Jack
The other issue (prob connected with Dport 8200) is that the Panasonic TV does not connect via DLNA using 5.1 Guest. Sometimes I use DLNA server ( inbuilt into TV ) to connect to my Iphone to view TV channels or movies on iphone. Also sometimes I use DLNA to cast movies to TV - as an alternative to using Chromecast.
I tried issuing this command
iptables -I YazFiINPUT -i wl1.1 -p tcp --dport 8200 -j ACCEPT
but still not working

I think you might also need udp 1900

 

[joe scian]

I think you might also need udp 1900

iptables -I YazFiINPUT -i wl1.1 -p udp --dport 1900 -j ACCEPT

tried that as well - still no go

 

[Jack Yaz]

I think you might also need udp 1900

I need to add that these rules will be lost on a reboot/restart of your firewall

I'll add router services as a consideration for LAN access when I start cracking that feature back open

 

[Jack Yaz]

iptables -I YazFiINPUT -i wl1.1 -p udp --dport 1900 -j ACCEPT

tried that as well - still no go

Would be worth using the reject logging to see what's being flagged as rejected when trying to cast. Does the TV have a DLNA client built-in? It might be the casting from a LAN device to the TV that's the bit failing, rather than TV to DLNA server

 

[joe scian]

Would be worth using the reject logging to see what's being flagged as rejected when trying to cast. Does the TV have a DLNA client built-in? It might be the casting from a LAN device to the TV that's the bit failing, rather than TV to DLNA server

No the TV has a DLNA server built in - When I use Cast to device from a right click on a movie with windows explorer the Panasonic Device comes up as an option when its working. Also using Nplayer on Iphone - I can scan for DLNA devices on my netwok. When using 5,1 Network i get Panasonic TV device up. No go when on 5.1Guest - Im not seeing any Reject lines in Log after deploying

iptables -I YazFiINPUT -i wl1.1 -d 224.0.0.0/4 -j ACCEPT
iptables -I YazFiINPUT -i wl1.1 -m multiport -p udp --dports 137,138 -j ACCEPT
iptables -I YazFiREJECT -j LOG --log-prefix "REJECT " --log-tcp-sequence --log-tcp-options --log-ip-options

 

[Jack Yaz]

No the TV has a DLNA server built in - When I use Cast to device from a right click on a movie with windows explorer the Panasonic Device comes up as an option when its working. Also using Nplayer on Iphone - I can scan for DLNA devices on my netwok. When using 5,1 Network i get Panasonic TV device up. No go when on 5.1Guest - Im not seeing any Reject lines in Log after deploying

iptables -I YazFiINPUT -i wl1.1 -d 224.0.0.0/4 -j ACCEPT
iptables -I YazFiINPUT -i wl1.1 -m multiport -p udp --dports 137,138 -j ACCEPT
iptables -I YazFiREJECT -j LOG --log-prefix "REJECT " --log-tcp-sequence --log-tcp-options --log-ip-options

How is the Windows computer connected? Wired/wireless? Likely blocking on the forward chain (LAN access isn't a feature yet, the conf setting is just a placeholder )

Where are the movies stored to be cast?

Given the large amount of access to the rest of your network your TV needs it's probably best to keep it on the normal wifi until I get on with configurable LAN access as a proper feature.

Maybe I'll enable it as an all-or-nothing option for now until I can do my preferred pin-hole approach.

 

[joe scian]

Yes - my Windows PC is connected via WIFI and movies are stored both locally on PC and also on a connected drive on my USB3.0 outlet on the Router.

So I assume your cooment still stands regarding blocking on fwd chain?
By the way when I connect via NPlayer on standard 5.1 Network the port used is 55000 ( i can see this in Nplayer ).

 

[Jack Yaz]

Yes - my Windows PC is connected via WIFI and movies are stored both locally on PC and also on a connected drive on my USB3.0 outlet on the Router.

So I assume your cooment still stands regarding blocking on fwd chain?
By the way when I connect via NPlayer on standard 5.1 Network the port used is 55000 ( i can see this in Nplayer ).

For now....on the develop branch lurks 3.1.0 which makes _LANACCESS effective in an all-or-nothing approach

 

[joe scian]

Thanks for all your help Jack- I will definitely donate once you release 3.1

 

[L&LD]

To all - what's the general consensus on allowing guests to ping the router?

I would prefer the router 'invisible' to guests by default. Don't know if it is possible to toggle this per device?

 

[cmkelley]

To all - what's the general consensus on allowing guests to ping the router?

It seems to me that if the guest network is used to segregate devices with poorly written software from the rest of the network, you probably need to allow the router to be pinged because some idiot somewhere will write being able to ping the gateway as a working/not working gate into the firmware.

 

[Jack Yaz]

I would prefer the router 'invisible' to guests by default. Don't know if it is possible to toggle this per device?

Not per device without a large chunk of work but could be per network if I put in a new setting (maybe this is the excuse i need to finally investigate settings migration)

It seems to me that if the guest network is used to segregate devices with poorly written software from the rest of the network, you probably need to allow the router to be pinged because some idiot somewhere will write being able to ping the gateway as a working/not working gate into the firmware.

True, that seems to be what Panasonic (a large company!) have done with at least one of their TVs.

 

[Jack Yaz]

YazFi v3.1.0 is now available

Implement LAN access toggle
Add confirmation prompt to diagnostics
Use dnsmasq leases file is hostname is missing in ARP cache
Enable ICMP from guests to router
Enable NetBIOS from guests to router if Samba and WINS Server are enabled
Further validation of radio isolation nvram variables (attempt to fix issues seen by RT-AX88U users)

Quite a big update, as it turned out! Please let me know if you experience any issues with this version

 

[bearever]

YazFi v3.1.0 is now available

Implement LAN access toggle
Add confirmation prompt to diagnostics
Use dnsmasq leases file is hostname is missing in ARP cache
Enable ICMP from guests to router
Enable NetBIOS from guests to router if Samba and WINS Server are enabled
Further validation of radio isolation nvram variables (attempt to fix issues seen by RT-AX88U users)

Quite a big update, as it turned out! Please let me know if you experience any issues with this version

Thanks Jack.

If I do not allow full LAN access, LAN DNS should remain working like previous releases?




Sent from my iPhone using Tapatalk Pro

 

[L&LD]

Just wondering if YazFi intentionally throttles clients vs. the main WiFi network(s)?

 

[Jack Yaz]

Just wondering if YazFi intentionally throttles clients vs. the main WiFi network(s)?

Nope, where are you seeing throttling? If Internet speedtest, is it a vpn routed ssid?

 

[Jack Yaz]

Thanks Jack.

If I do not allow full LAN access, LAN DNS should remain working like previous releases?

This should work as before yes

 

[L&LD]

Nope, where are you seeing throttling? If Internet speedtest, is it a vpn routed ssid?

No vpn is being used. I'll investigate it further (this was on a phone connected to my 1Gbps ISP getting about 75Mbps less than 12 feet from the RT-AC3100).

 

[Jack Yaz]

No vpn is being used. I'll investigate it further (this was on a phone connected to my 1Gbps ISP getting about 75Mbps less than 12 feet from the RT-AC3100).

Does the standard network get full speed? I only have a 70mbps connection to play with but i get the same speed on guests and main.

 

[L&LD]

Does the standard network get full speed? I only have a 70mbps connection to play with but i get the same speed on guests and main.

Yes, the main network is full speed. For example; on my personal phone (Note 8) when I connect to the main network the phone shows 975Mbps for connection quality. When I connect to the network, it is showing 520Mbps (now), but usually as high as 720Mbps.