
YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


we'd need 3 new settings per guest, ul bandwidth, dl bandwidth, and bandwidth limiter off/on

then to handle those both in CLI and WebUI - not the worst job but not particularly quick either
I'm no good at asp, but I may try to help on bourneshell...
 
For some reason my YazFi keeps adding TWO entries every time. I erase one and then it would come back... it's so weird
anyone know why this is happening?
 

Can this even work?

I am wondering if I can use this script to force a guest device to route 'local' traffic out onto the internet and back via the router's external interface.

I have both plex and emby media servers on the lan and hopefully very soon (covid-19 permitting) will be going to visit my in-laws.
As such I would like to configure and test remote access on the devices we will take with us (phones, ipad and shield tv). As our offices are closed and I do not have easy access to another network, I would like to force any clients to access the Plex/Emby servers via the web interface (using DDNS) and I would prefer to do this without tethering anything to my phone, as this sucks up data on a very limited contract :(

I have tried using my phone connected to the built in Guest connections (AX88U), however although Access Intranet is set to Disable, the phone is connecting directly to the media servers (they are on the same subnet) - which I can easily check by looking into the media server logs.

My hope was that by using this script and putting the guest devices on a separate subnet, I could force the traffic out and back again, but I do not know if this could ever work and, even if it could, would the fact that clientisolation is not currently supported on the AX88U mean I cannot test this way.
 
assuming plex is on the LAN, with a guest set to one and two way disabled, i can't see why it wouldn't work?
 
made a few errors in setting this up
192.168.2.2 was already routed (to the internal interface on my modem) so needed to change first range from 192.168.2.x to 192.168.20.x
Did not realise I needed to start the guest wi-fi in the standard tab before enabling the equivalent Yaz-Fi (otherwise the clients will pick up an address from the standard router DHCP range).

Also noted that Yaz-Fi has no effect on IPv6 settings (native with DHCP-PD), so that although the IPv4 address and default gateway move to the new range, the IPv6 address, temp. address, link local address and default gateway are all unchanged. As both Plex and Emby support IPv6, I am disabling this on the test devices (just in case the traffic could be routed internally via IPv6, rather than externally via IPv4).

Finally I could not get any changes on Guest Client 1 for 2.4GHz to take via the web interface (no problem with 5.0GHz). Any changes, including enabling, needed to either be via the amtm/YazFi interface (nano/vi) or by editing directly via WinSCP.
 
i don't have ipv6 so i haven't been able to implement anything, recommendation for YazFi (and vpn routing in Merlin FW in general) is to disable it.

sounds like i've missed a check in the WebUI - i'll prevent enabling a guest if it isn't enabled in the Guest Network tab
 
Accidents of geography - two of the largest ISPs in the UK have had IPv6 for several years, so for a lot of users here it is normally enabled. For what I want to test, disabling IPv6 on the test clients is not a problem - once (if) I have resolved this I will probably revert to the default guest wifi (I only use it very rarely), though I may look at whether Access Intranet: Disabled really works with IPv6 enabled.

You might want to flag on the first page that users will want to disable ipv6 if they are trying to isolate subnets, etc.
 
What happens if you delete both?

F/w version and router model?

As you requested I deleted both. Then I checked this morning again. There are three now.

upload_2020-6-30_8-27-43.png


Doesn't look like it was a reboot causing the re-add:
upload_2020-6-30_8-28-55.png


Router Info:
upload_2020-6-30_8-29-29.png
 
Hi Guys, I hope I'm not violating any rules here. Salute to the creator of YazFi for the Asus router running Merlin. I would like to seek help regarding the Guest network I created redirected to VPN. I got all this working, but the problem I am facing is that, when I'm connected to this, I cannot access the shared USB drive connected to my Asus RT-AC68U.

I was able to read Sir Jack Yaz's post about this, he pointed out some script as a workaround for this. My problem is, I am a total noob in this, I don't even know where to put that script. If anyone would be kind enough to walk me through this, I would really appreciate it. The only thing I know is how to ssh to my router, but as far as looking for the file to edit and how to edit it, that I don't know. I was able to install YazFi only by following the given command. That being said, I hope anyone can help me and give me detailed instructions as to how to do this.

I only need to have access to my SMB network connected directly to the Asus Merlin router AC68U. I need to be able to connect on both 2.4g and 5g guest ssid wl01.

Thanks in advance.
 
I've implemented a raft of WebUI validation to try and mitigate any issues with misconfiguration. Any willing testers? It's on develop :)

https://github.com/jackyaz/YazFi/pull/69
Initial tests okay - will not update if Client is not enabled and I can now enable/disable YazFi 2.4 guest 1 settings from the web tab (previously only via nano, vi or WinSCP).
 
assuming plex is on the LAN, with a guest set to one and two way disabled, i can't see why it wouldn't work?

Sort of working (with Plex, nothing with Emby yet). Plex seems to be recognising the client as an external address, but with an address of 127.0.0.1:32400 - which is causing some playback issues. Normally I would expect to see the device's actual address (as happens if I connect via mobile data). Is there some way that it would report the router's IP?
 
hm, check which ips plex is set to publish? it could be nat loopback on the router
 
Is there a way to disable nat loopback - in this case I think I need the plex/emby media servers to see the connection as external (I can then revert when i have finished testing)?
 
Hey everyone, new here to the forums so I hope I am doing this correctly for getting advice. I am relatively new to this so I apologize in advance if these are basic questions.

I recently installed the Merlin software on my Asus 86U router and I installed a bunch of scripts. I updated all my scripts (Diversion, Skynet, YazFi, etc.) as well as the Merlin software to their respective latest versions as of June 29 2020. By the way, amazing work to everyone who put their time and effort into these projects, these are amazing!

I have two main questions. I am trying to isolate my guest networks in preparation for a bunch of IoT devices that I will be installing in my house. My plan is to have the IoT devices with one way to guest enabled. These would include automatic sprinklers, garage door openers, etc.

My router address is 192.168.50.1. I set up my guest network IP addresses to 192.168.10.1, 192.168.11.1, etc. for my 2.4 and 5 GHz networks. DNS Server 1 and 2 are both set to 192.168.50.1 to make use of Diversion (I read in another thread that you should set the DNS Server to the router IP address). However, when I go to the main client list network map and look at the IP addresses of the devices that are connected to their respective guest networks they are all 192.168.50.x NOT 192.168.10.x / 11.x / 12.x / etc. as I would have expected. If Guest Network 1 is 192.168.10.1 I would have expected any client that connects to Guest Network 1 to be assigned 192.168.10.x.

1) Is this the normal expected behavior? Shouldn't the IP addresses of the devices connected to the guest network be a subnet of the Guest Network IP address?

2) I am not sure if this way I have set it up is taxing to the router hardware. I have read that setting up vlans would probably be better. I have no idea how to do this and based on what I read seems quite complex. Can anyone point me to a good document / thread which would be a good place to start for newbies? Will I need to buy hardware or can this all be implemented from the router? Is there any feature within Merlin that would allow me to easily set this up? I will likely need to buy extra access points for the house which from what I understand does not work well with the existing Asus software and in fact may not be possible to do if I want to maintain the guest networks and security.

Thank you all in advance for your help!

AJ
 
Hi Guys, I hope I'm not violating any rules here. Salute to the creator of YazFi for the Asus router running Merlin. I would like to seek help regarding the Guest network I created redirected to VPN. I got all this working, but the problem I am facing is that, when I'm connected to this, I cannot access the shared USB drive connected to my Asus RT-AC68U.

I was able to read Sir Jack Yaz's post about this, he pointed out some script as a workaround for this. My problem is, I am a total noob in this, I don't even know where to put that script. If anyone would be kind enough to walk me through this, I would really appreciate it. The only thing I know is how to ssh to my router, but as far as looking for the file to edit and how to edit it, that I don't know. I was able to install YazFi only by following the given command. That being said, I hope anyone can help me and give me detailed instructions as to how to do this.

I only need to have access to my SMB network connected directly to the Asus Merlin router AC68U. I need to be able to connect on both 2.4g and 5g guest ssid wl01.

Thanks in advance.
Try running the below one-liner, then apply settings in YazFi
Code:
touch /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh && chmod +x /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh && { echo '#!/bin/sh'; echo 'iptables -D YazFiINPUT -i wl0.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -D YazFiINPUT -i wl1.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -I YazFiINPUT -i wl0.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; echo 'iptables -I YazFiINPUT -i wl1.1 -p tcp -m multiport --dports 139,445 -j ACCEPT'; } >> /jffs/addons/YazFi.d/userscripts.d/AllowSMB.sh
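
A variant of the one-liner above written out as a function (an added example, not part of the original post and not YazFi's own code). It checks the interface names before anything is written and replaces the userscript instead of appending to it, so running it twice does not leave a second copy of every line. The function name `write_allow_smb` is an assumption; the chain name, ports and userscripts path come from the post.

```shell
#!/bin/sh
# Added example: generate the AllowSMB userscript from the post above.
#
# write_allow_smb DIR IFACE...
#   DIR    userscripts directory
#          (on the router: /jffs/addons/YazFi.d/userscripts.d)
#   IFACE  guest interfaces that may reach SMB, e.g. wl0.1 wl1.1
write_allow_smb() {
    dir=$1; shift
    out="$dir/AllowSMB.sh"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "no interfaces given" >&2; return 1; }

    # Accept only guest-style names (wlX.Y) before writing anything, so no
    # other text can end up inside the generated iptables commands.
    for ifc in "$@"; do
        case $ifc in
            wl[0-9].[0-9]) ;;
            *) echo "refusing interface name: $ifc" >&2; return 1 ;;
        esac
    done

    # Build the script in a temporary file and move it into place, so a
    # failed run never leaves a half-written userscript behind.
    tmp="$out.tmp.$$"
    {
        echo '#!/bin/sh'
        for ifc in "$@"; do
            rule="YazFiINPUT -i $ifc -p tcp -m multiport --dports 139,445 -j ACCEPT"
            # Remove an earlier copy of the rule (quietly if there is none),
            # then insert it once.
            echo "iptables -D $rule 2>/dev/null"
            echo "iptables -I $rule"
        done
    } > "$tmp" || return 1
    chmod +x "$tmp" && mv "$tmp" "$out"
}
```

On the router, call `write_allow_smb /jffs/addons/YazFi.d/userscripts.d wl0.1 wl1.1` and then apply settings in YazFi as the post describes. List only the guest interfaces that actually need the share, since each one listed gets TCP 139 and 445 accepted in the YazFiINPUT chain.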
 
