YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[orion44]

After upgrading my RT-AC5300 firmware to 384.16 and YazFi to v4.0.2 my wireless clients can no longer connect through the VPN tunnel. I'm also seeing a constant flood of multicast DNS traffic hitting my LAN originating from the guest WiFi (172.16.1.1:5353 going to 224.0.0.251:5353). Clients connected through the guest WiFi (using VPN tunnel) receive the error message DNS_PROBE_FINISHED_NO_INTERNET when attempt to connect to a website in Chrome.

Any ideas how to remedy this?

 

[Jack Yaz]

After upgrading my RT-AC5300 firmware to 384.16 and YazFi to v4.0.2 my wireless clients can no longer connect through the VPN tunnel. I'm also seeing a constant flood of multicast DNS traffic hitting my LAN originating from the guest WiFi (172.16.1.1:5353 going to 224.0.0.251:5353). Clients connected through the guest WiFi (using VPN tunnel) receive the error message DNS_PROBE_FINISHED_NO_INTERNET when attempt to connect to a website in Chrome.

Any ideas how to remedy this?

Multicast traffic shouldn't have an impact on network connectivity. Do you have either ONEWAY or TWOWAY enabled? Port 5353 is for mDNS, i.e. local discovery.

What DNS servers have you specified in YazFi?

 

[orion44]

After upgrading my RT-AC5300 firmware to 384.16 and YazFi to v4.0.2 my wireless clients can no longer connect through the VPN tunnel. I'm also seeing a constant flood of multicast DNS traffic hitting my LAN originating from the guest WiFi (172.16.1.1:5353 going to 224.0.0.251:5353). Clients connected through the guest WiFi (using VPN tunnel) receive the error message DNS_PROBE_FINISHED_NO_INTERNET when attempt to connect to a website in Chrome.

Any ideas how to remedy this?

Solution: The following YazFi fields are now required

1. wl01_FORCEDNS
2. wl01_CLIENTISOLATION

Adding these to my config with the appropriate values resolved my issue.

 

[mustavas]

Hi all,
Firstly, big shout out to Jack for your awesome work and support! This is such a great piece of functionality, appreciate your efforts.

Like most of you, I am trying to leverage guest networks to isolate my IOT devices from the rest of my network.
I am trying to work through an issue where I cannot provide internet access to Guest networks while restricting LAN access due to my upstream WAN router/firewall is located at 192.168.1.3 (on the main 192.168.1.0/24 subnet). The default gateway in my router DHCP server is 192.168.1.3.

The route itself is only acting as a DHCP server and wireless AP.

Does anyone know of a way I can allow access to only the 192.x.x.3 address while restricting access to everything else?

Thank you in advance!

Router /AP : RT-AC68U
WAN Router/
wl01_ENABLED=true
wl01_IPADDR=192.168.2.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=8.8.8.8
wl01_DNS2=8.8.4.4
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

 

[Jack Yaz]

Hi all,
Firstly, big shout out to Jack for your awesome work and support! This is such a great piece of functionality, appreciate your efforts.

Like most of you, I am trying to leverage guest networks to isolate my IOT devices from the rest of my network.
I am trying to work through an issue where I cannot provide internet access to Guest networks while restricting LAN access due to my upstream WAN router/firewall is located at 192.168.1.3 (on the main 192.168.1.0/24 subnet). The default gateway in my router DHCP server is 192.168.1.3.

The route itself is only acting as a DHCP server and wireless AP.

Does anyone know of a way I can allow access to only the 192.x.x.3 address while restricting access to everything else?

Thank you in advance!

Router /AP : RT-AC68U
WAN Router/
wl01_ENABLED=true
wl01_IPADDR=192.168.2.0
wl01_DHCPSTART=2
wl01_DHCPEND=254
wl01_DNS1=8.8.8.8
wl01_DNS2=8.8.4.4
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=false
wl01_CLIENTISOLATION=true

Is the Asus connected via the WAN port? Most of the blocking is done on interface basis. Which interface can you see traffic going through if you use something like ifconfig ?

 

[box4m]

Edit 2 - FIXED
FWIW, to anyone else experiencing this issue, this was a configuration issue in Plex. The way to fix it was to login as an administrator in the Plex application, and navigate to Server->Settings->Network, there I changed the LAN Networks to "192.168.1.1/24,192.168.5.1/24" in order to explicitly define which IP origins should be considered LAN. This appears to have worked for me.
:

What might i be doing wrong when i have no such setting, "LAN Networks" ?

 

[box4m]

Excellent work with this addon!

I havent yet installed it but im about to this weekend and figure some stuff out to isolate devices.
Where can i read about how to create firewall rules? Similar to lamentary´s problem with plex, just ip tables in general?

Thank you

 

[bennor]

What might i be doing wrong when i have no such setting, "LAN Networks" ?

The field (I think) that is being referenced is called "List of IP addresses and networks that are allowed without auth". Its what I have configured on my Plex Server to allow local network devices within that IP subnet to access the Plex media server.

More here: https://www.howtogeek.com/303282/how-to-use-plex-media-server-without-internet-access/

 

[lamentary]

What might i be doing wrong when i have no such setting, "LAN Networks" ?

The field (I think) that is being referenced is called "List of IP addresses and networks that are allowed without auth". Its what I have configured on my Plex Server to allow local network devices within that IP subnet to access the Plex media server.

More here: https://www.howtogeek.com/303282/how-to-use-plex-media-server-without-internet-access/

That is incorrect. What I am speaking of is labeled LAN Networks and is the 7th or so entry item from the bottom. The setting for List of IP addresses and networks that are allowed without auth is for a different purpose.

 

[box4m]

That is incorrect. What I am speaking of is labeled LAN Networks and is the 7th or so entry item from the bottom. The setting for List of IP addresses and networks that are allowed without auth is for a different purpose.

But there is no such settings

 

[bennor]

That is incorrect. What I am speaking of is labeled LAN Networks and is the 7th or so entry item from the bottom. The setting for List of IP addresses and networks that are allowed without auth is for a different purpose.

Not seeing a field named LAN Networks on my Plex server (Version 1.19.1.2645) Settings > Network page. In fact several of the fields/options in your screen grab are not in the Network page on my end.

 

[Jack Yaz]

Not seeing a field named LAN Networks on my Plex server (Version 1.19.1.2645) Settings > Network page. In fact several of the fields/options in your screen grab are not in the Network page on my end.

You might need to hit Show Advanced at the top of the page

 

[bennor]

You might need to hit Show Advanced at the top of the page

The LAN Networks option is not there on my end.

 

[Jack Yaz]

The LAN Networks option is not there on my end.

Try disabling IPv6

 

[bennor]

Try disabling IPv6

Made no difference in the options available. Could be something specific to your setup.

 

[lamentary]

That's curious. I wonder if it might be a regional thing?

EDIT
I have an active Plex Pass, and it looks like that might make the difference per this link:
https://support.plex.tv/articles/200430283-network/

LAN Networks
Very few people will need to set or change this preference. It simply lets you specify which IP addresses or networks will be considered to be “local” to you. If you set any bandwidth limits under Remote Access, those do not apply to “local” playback and only take effect for remote playback. By default, only the network subnet on which the server is located is considered to be “local” (which is appropriate for the vast majority of users).

Tip!: This feature requires an active Plex Pass subscription for the Plex Media Server admin Plex account. Addresses can be specified either as an individual IP address or a range (using IP/netmasks). Do not include spaces or tabs.

 

[lamentary]

Pretty good write up. Not sure what "Subnet Name Resolution/ARP settings for LAN clients" accomplishes though when one is using static IP addresses. Been running Pi Hole with static guest IP's and the Pi Hole resolves the name correctly per methods previously posted earlier in the thread (here and here)...

Having had a chance to fully read through these posts, and play around with my settings, here is specifically what this accomplishes (speaking for my environment only):

Reverse DNS lookups do not appear to work on my network without these entries into the Pi-hole's /etc/dnsmasq.d/nn-custom.conf file. I like having this feature for a number of reasons, as others might

Speaking for my environment only, without these entries pointing to the subnets, I still only get IP addresses in the Pi-hole's queries and "Top" graphs.

While your experience may vary, I think I'll keep this section there, with a note qualifying that it may not be necessary for some users, as it seems to be working fine for you without this modification. I will, however, reference your approach to adding DHCP Reservations via the dnsmasq.postconf instead of amending them in the YazFi config (dnsmasq.conf.add), as it allows the user more control and will work regardless of any future modifications that @Jack Yaz may do.

Regards

 

[mustavas]

Is the Asus connected via the WAN port? Most of the blocking is done on interface basis. Which interface can you see traffic going through if you use something like ifconfig ?

Hi Jack,
The upstream router/firewall which is acting as the default gateway is connected via a LAN port. The AC68U forwards all traffic to this address before its NAT'd out to my NBN connection. This is why when LAN access is disabled I am no long able to reach this gateway it seems.

How is the blocking implemented? is there anyway I can open up a specific /32? or block everything except one IP?

 

[marelit]

Hi,
is there any possibility to add an option to disable the Avahi-reflector which was added in 4.0.2 to the config file? I do not need the mdns forwarding, but noticed that most of my Apple devices hostnames would change over time by adding a number to the end of the hostname which is incremented continuously.
Thus AirPrint stopped working reliably since the printers Bonjour name is changing permanently. I have not had the issue before the update.
At first I suspected AiMesh would be the problem, but when I googled and read through lots of forum threads I soon came to the realisation that it probably is an Avahi issue. And when I looked around on my router I realised that YazFi had introduced a Postconf script for Avahi enabling the reflector.
Would be great I there was an option to just skip the creation of the Postconf script!
Have been using your script since day one and it has always been rock solid!

Thanks!

 

[Jack Yaz]

Hi,
is there any possibility to add an option to disable the Avahi-reflector which was added in 4.0.2 to the config file? I do not need the mdns forwarding, but noticed that most of my Apple devices hostnames would change over time by adding a number to the end of the hostname which is incremented continuously.
Thus AirPrint stopped working reliably since the printers Bonjour name is changing permanently. I have not had the issue before the update.
At first I suspected AiMesh would be the problem, but when I googled and read through lots of forum threads I soon came to the realisation that it probably is an Avahi issue. And when I looked around on my router I realised that YazFi had introduced a Postconf script for Avahi enabling the reflector.
Would be great I there was an option to just skip the creation of the Postconf script!
Have been using your script since day one and it has always been rock solid!

Thanks!

It should only be enabled if you have one or two way traffic enabled