YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

Thanks for your great script, it was very easy to set up! One question though: Is it possible to have exceptions to "all traffic via VPN" in guest networks? I want everything but two IPs be routed via VPN, and these two should be routed normally (these are servers and firewall rules only allow access from the non-VPN IP). I tried static IPs in the Web UI, but apparently this doesn't work (or I did something wrong).
 
Do you mean in the policy routing UI? If so please send a screenshot
 
Pixelserv IP in theory I can patch in quite readily as I won't need to account for user input. I'll see if I can get something on the testing branch working tonight.
That's awesome. I'm surprised I seem to be the only one on this forum trying to figure this out. I think lots of people are running AB-Solution and Pixelserv, but nobody is running guest networks? It's just baffling. :)
 
Most probably don't want guests on router DNS or send traffic over the VPN
 
OK, since we're speaking in hypotheticals here, what would be the benefit of having guests on a different DNS, and how would you enforce that if the router is handling DHCP? I don't see in the Merlin GUI where you can set different DNS for different networks. :)
 
If you wanted a totally isolated guest, you could set a guest to go straight upstream to say 8.8.8.8 and bypass the router completely.

That being said, YazFi 1.3.7 is now out, and it /might/ allow guests to access pixelserv if the guest network is configured to use the router for DNS.

Give it a go and let me know!

The usual update command will do the trick
Code:
/jffs/scripts/YazFi update
 
Cool! Trying it now. Shouldn't there be somewhere in YazFi.config to specify the pixelserv IP? I obviously don't want all the guest networks to have access to the LAN or they wouldn't be on the guest network in the first place.

Follow-up: I assume 2.4 guest networks 1/2/3 go with the networks outlined left to right in the Merlin GUI, right? So if the router IP is 192.168.2.1, then Guest network 1 would be:

Code:
######                    2.4 GHz Networks                    ######
####################################################################
######                 Guest Network 1 (wl0.1)                 #####
####################################################################
wl01_ENABLED=true
wl01_IPADDR=192.168.3.0
wl01_DHCPSTART=1
wl01_DHCPEND=254
wl01_DNS1=192.168.2.1
wl01_DNS2=192.168.2.1
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=

Does that check? Of course pixelserv is 192.168.2.3; how do I specify that?

Thanks man!
 
No, I've made the script pull the pixelserv ip automatically from the router. If you set DNS1 or DNS2 to the IPADDR IP, and have pixelserv enabled, YazFi will allow access automatically. You can check with
Code:
iptables -L YazFiINPUT
or
Code:
iptables -S YazFiINPUT
 
Oh and using the IP of the router on the main subnet won't work. Instead use the equivalent on the same subnet, e.g. 192.168.3.1.

Or leave DNS blank and it will default to the correct IP for router DNS.
 
OK great - lemme repeat that back to you, to be clear:
* Your script automatically pulls the pixelserv IP from the router
* Leave the DNS fields blank to use the router's DNS (via DNSCrypt?)

Sorry, follow-up questions:
If you set DNS1 or DNS2 to the IPADDR IP, and have pixelserv enabled, YazFi will allow access automatically.
1) ???? You said leave it blank, but you also say "set to IPADDR IP"

Oh and using the IP of the router on the main subnet won't work.
2) ??? Not following you here. If I remove the router IP from the DNS fields then the router subnet doesn't appear anywhere in the config file. Right?

Thanks, sincerely. :)
 
Sorry, long week!
* Your script automatically pulls the pixelserv IP from the router
Correct

* Leave the DNS fields blank to use the router's DNS (via DNSCrypt?)
1) ???? You said leave it blank, but you also say "set to IPADDR IP"
You can do either. If left blank in the config file, YazFi will set it automatically. e.g. guest subnet 192.158.5.0, DNS will be set to 192.168.5.1
Saves you the time of typing it out twice!

2) ??? Not following you here. If I remove the router IP from the DNS fields then the router subnet doesn't appear anywhere in the config file. Right?
Correct. If you had your guest on say, 192.168.5.0, then access to any other LAN/guest subnet is blocked (for now, until I get my brain in gear and add configurable LAN access in!). This means DNS is restricted to the IP of the router but with the same subnet as the guest network, or upstream such as 8.8.8.8

EDIT: Feel free to PM me your config if you want me to take a quick look before you go live with the script!
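
Added example, not part of the original posts and not YazFi code: a small shell check of the DNS rules described above (blank falls back to the router's address on the guest subnet, the main-LAN router IP is blocked, upstream resolvers are fine). It assumes /24 guest subnets and treats any RFC 1918 address outside the guest subnet as "another LAN/guest subnet"; the function names and the wl02 sample entry are made up for illustration.

```sh
#!/bin/sh
# Added example (not YazFi code). Assumes every guest network is a /24.

# Router address inside the guest subnet: 192.168.5.0 -> 192.168.5.1
guest_router_ip() { echo "${1%.*}.1"; }

# True for RFC 1918 addresses, i.e. candidates for "another LAN/guest subnet".
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# classify_dns GUEST_IPADDR DNS_VALUE
classify_dns() {
    router=$(guest_router_ip "$1")
    if [ -z "$2" ]; then echo "default:$router"          # blank: router DNS on guest subnet
    elif [ "$2" = "$router" ]; then echo "router"
    elif [ "${2%.*}" = "${1%.*}" ]; then echo "unknown"   # guest-subnet host, not covered in thread
    elif is_private "$2"; then echo "blocked"             # other private subnet (assumption)
    else echo "upstream"
    fi
}

# First value of KEY in the config text passed as $1.
cfg_get() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# Reads YazFi.config-style text on stdin, prints one verdict per DNS field.
audit_config() {
    cfg=$(cat)
    for key in $(printf '%s\n' "$cfg" | sed -n 's/^\(wl[0-9]*\)_IPADDR=.*/\1/p'); do
        ip=$(cfg_get "$cfg" "${key}_IPADDR")
        for n in 1 2; do
            echo "${key}_DNS$n: $(classify_dns "$ip" "$(cfg_get "$cfg" "${key}_DNS$n")")"
        done
    done
}

# Constructed sample: wl01 is the config posted above, wl02 is made up.
audit_config <<'EOF'
wl01_IPADDR=192.168.3.0
wl01_DNS1=192.168.2.1
wl01_DNS2=192.168.2.1
wl02_IPADDR=192.168.5.0
wl02_DNS1=
wl02_DNS2=8.8.8.8
EOF
```
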
 
OK! Makes sense. Got it all; finished my .config update. NOW WHAT AM I DOING WRONG? lol AMTM works...

2018-05-25_Yaz_Fiwat.png
 
Since you're already in /jffs/scripts then the command you need is
Code:
./YazFi
Otherwise you can use
Code:
/jffs/scripts/YazFi
to run it from anywhere. I believe the other scripts use entware to install a nice symlink command, and I've been trying to avoid dependencies on entware!
 
AWESOME.

Everything seems to be working, INCLUDING pixelserv access on the guest wifi!!

Now, if I could only offer a few critiques... from any guest machine, I cannot ping the router. Which is always step 1 in "does my internet work?" Honestly I was going to come back here and say "it ain't working, I can't ping the pixelserv IP," but I decided to type the IP/ca.crt in a browser just on the off chance that it would work, and it DID.

So. What's going on with ping? I get that it might be disabled (or DROP) for security purposes. Maybe that's something you can add to the config file? IE, EnablePING=true/false... ?

Also, in the GUI Network Map now... nothing is there except the one machine connected via Cat 5. Any ideas?

Thanks though, this is overall awesome!

Edit: will this persist through a reboot, or do I need to edit autoexec.bat?
 
Re. Network map, I think that only looks at the LAN subnet. Not sure about the Wireless Log page.

Re. Ping, all traffic is rejected for now. I could relax this to allow ICMP or as you say, add a setting. Let's throw it to the user base, setting for ping or just allow pinging of the router from guests?

Re. Pixelserv you can also use IP/servstats to see if it's up
 
Re. Network map, I think that only looks at the LAN subnet. Not sure about the Wireless Log page.
Good call. The wireless log shows all connections regardless of subnet; that'll work.

Re. Ping, all traffic is rejected for now. I could relax this to allow ICMP or as you say, add a setting. Let's throw it to the user base, setting for ping or just allow pinging of the router from guests?
Solid. I vote yes but I'm 1-of-X users. Don't kill yourself over it, I appreciate that you've gone to this trouble already! :D

Re. Pixelserv you can also use IP/servstats to see if it's up
Yep. And now I should have a much lower number of dropped HTTPS requests. :D
 
Good stuff! Let me know if you run into pixelserv issues. I allowed only ports 80 and 443 since I think that's all it requires!
 
Hey Jack Yaz, updated 86U to 1.3.7 with no issues, thank you!

Quick question: are these two commands supposed to be in the firewall-start script?

Code:
#!/bin/sh

/jffs/scripts/YazFi & # YazFi Guest Networks

./YazFi & # YazFi Guest Networks
 
It shouldn't be in there twice and I think I can see in the code the cause, will fix in next version. It won't affect anything as the second call will fail since the path is nonsense. So it's more of a blemish than a problem right now!
 