YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

[Jack Yaz]

I succesfuly create a setup for my 1900p that use YazFi to separate guests network from my family's one. Only guests networks is using the VPN tunnel. Everything is working great except that devices connected to the guests network leak the guests network ip through WebRTC... As I wish to make sure that if one of my guests do something wrong when connected to my network (like downloading copyrighted stuff), it will be a bit more difficult to trace route to my network address, and thus, maybe avoiding further problems; blocking WebRTC is critical to me.

Is there a way to completely tunnel traffic of my guests directly into the router's settings?

It shouldn't via webrtc. Can you please describe how you're testing so that I can try to recreate?

 

[MidasWrk]

Hi - New to the SNB scene.

I am trying to enable YazFi to route my Guest Network through one of my VPN clients. The issue I have is that I cannot get the YazFi to stick to enabled. It always stays "No" after I apply settings whether I redirect to a VPN client or not.

Any help is appreciated, thanks.

 

[Jack Yaz]

Hi - New to the SNB scene.

I am trying to enable YazFi to route my Guest Network through one of my VPN clients. The issue I have is that I cannot get the YazFi to stick to enabled. It always stays "No" after I apply settings whether I redirect to a VPN client or not.

Any help is appreciated, thanks.

Sounds like something is erroring and not being caught by validation in the webui. Try manually editing the config file in the CLI (option 3 iirc) then apply with option 1. Any errors will be reported

 

[MidasWrk]

Sounds like something is erroring and not being caught by validation in the webui. Try manually editing the config file in the CLI (option 3 iirc) then apply with option 1. Any errors will be reported

Yup - easy fix thanks. Once set true in config it sticks in webui.

 

[Jcquantum]

Hi

I'm new here. I have a question on the one/two way traffic on the setup. If I put the guest network on just isolation, does that mean it's only internet access? What about isolation and a one way traffic? I assume two way is a bi-directional traffic via wifi. Just want to make sure.

I've also wondered why I'm able to ping the DHCP on the guest network. But I need some more testing as I've noted that my ip did not change even switching to the guest from the main.

I'm also wondering if there is a sample of a guest network with YazFi setup. I wanna get a better idea of what should and can go right/wrong.

If anyone can give me some answers, I'd appreciate it. Thanks!

 

[bennor]

If I put the guest network on just isolation, does that mean it's only internet access? What about isolation and a one way traffic? I assume two way is a bi-directional traffic via wifi.

If you haven't done so already see the FAQ in the second post of the YazFi thread: https://www.snbforums.com/threads/y...t-wifi-inc-ssid-vpn-client.45924/#post-397023

That FAQ gives an general explanation of what the various options do including answering what one way and two way to guest do and what client isolation is.

Generally the whole point of a Guest WiFi network is to isolate (prevent access) to the main local network clients (both Ethernet and WiFi clients). Devices on the Guest WiFi will still have Internet access. Client Isolation is generally used to prevent Guest network WiFi devices from being able to see and communicate with each other. One of the main advantage of this setting is to prevent an compromised/infected Guest WiFi client device from being able to infect other Guest WiFi client devices.

wl01_TWOWAYTOGUEST
Should LAN/Guest Network traffic have unrestricted access to each other? (true/false) Cannot be enabled if _ONEWAYTOGUEST is enabled

wl01_ONEWAYTOGUEST
Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? (true/false) Cannot be enabled if _TWOWAYTOGUEST is enabled

wl01_CLIENTISOLATION
Should Guest Network radio prevent clients from talking to each other? (true/false)

 

[Jcquantum]

Thank you @bennor! I was having an issue before it was more clear. I installed YazFi and enabled it, but after applying the settings, I kept getting back to default (nothing applied) so I wanted to make sure.

In regards to the guest network sample, I probably wasn't as clear. I meant a IoT setup sample. I'm trying to do one and just wanted to know the general layout.

As well as the DHCP assignment. Within the settings, do connected devices get a new IP within the set DHCP range? I didn't so im asking/wondering. As well as pinging the DJCP, even set as isolation flat, i am able to, is that supposed to happen?

Thanks

 

[Jack Yaz]

Hm it sounds like something might be broken for fresh installs and then configuring for the first time in the WebUI - I'll take a look.

 

[Jcquantum]

Thank you @Jack Yaz

 

[bennor]

Thank you @bennor! I was having an issue before it was more clear. I installed YazFi and enabled it, but after applying the settings, I kept getting back to default (nothing applied) so I wanted to make sure.

Are you using the GUI interface or SSH?
If you use SSH to access the router and run YazFi to manually edit the settings using SSH does the same thing happen?

In regards to the guest network sample, I probably wasn't as clear. I meant a IoT setup sample. I'm trying to do one and just wanted to know the general layout.

The IoT devices you have may affect which settings you want to enable or disable in YazFi. For example if one puts Amazon Echo type devices on YazFi and want to create a Multi Room Speaker group with Amazon Echo's one typically has to disable Client Isolation.

Attached is an example of my current YazFi setup. I have a number of IoT devices using the Guest networks. Including smart plugs, smart LED bulbs, Amazon Echo's, cheap wifi security cameras. Everything works just fine with no issues. I even have these Guest WiFi IoT devices using Pi-Hole servers which are on the main local network for DNS.

As well as the DHCP assignment. Within the settings, do connected devices get a new IP within the set DHCP range? I didn't so im asking/wondering. As well as pinging the DJCP, even set as isolation flat, i am able to, is that supposed to happen?

The guest WiFi devices will obtain an IP address from what ever guest WiFi network they are attached to. When using YazFi, you generally must use different IP address subnets, example 192.168.2.x, 192.168.3.x, etc. for the YazFi guest networks. One cannot use the IP address range from the main LAN. With respect to being able to ping the router for DHCP, note what is stated for guest to router access in the very first post of the thread: "Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS".

Generally the Guest network has to contact the router for certain services like; obtaining a DHCP address, for DNS if the router is set to provide it's own IP address as a DNS server, for the network time protocol (NTP), and for some other services including NetBIOS and ICMP. That is why you can possibly ping the router or network DHCP server.

 

[Jcquantum]

Thank you very much @bennor! That really helped clarify it for me. I guess for the IoT, I'll have to trial a d error it to get the best setting for my situation. I have a similar setup, except using Google rather then Amazon. Amazon failed on me the first 2 hours of trying it out.

As for the failed to apply, I tried it like 4 times on the WebUI. Didn't work, so I went to the SSH to take a run at it. But bad eye site for me, so I just re-installed it and the WebUI worked.

Thanks again for clarifying the settings and the sample.

 

[Jcquantum]

Hi @bennor

I wonder if you can help me a bit more on my quest of isolating my IoT. Today I tried putting one device into this guest network. I turned on the two way for the time being to help setup the device. Intranet, isolation are both turned off. I can use the app to find the device, but the device can't connect to that particular network. Is there something I might be missing? Thanks

 

[Jack Yaz]

Hi @bennor

I wonder if you can help me a bit more on my quest of isolating my IoT. Today I tried putting one device into this guest network. I turned on the two way for the time being to help setup the device. Intranet, isolation are both turned off. I can use the app to find the device, but the device can't connect to that particular network. Is there something I might be missing? Thanks

What error does your device show when trying to join?

 

[Jack Yaz]

Thank you @Jack Yaz

Found the bug with config from WebUI on fresh installs, working on a fix now

 

[bennor]

I can use the app to find the device, but the device can't connect to that particular network. Is there something I might be missing? Thanks

What is the make/model of the device? And as Jack asked, what is the specific error message?

 

[Jack Yaz]

v4.1.4 is now available!

Changelog:

• FIXED: WebUI would not apply settings for fresh installs until YazFi had been opened at CLI
• IMPROVED: WebUI validation of settings

 

[Jack Yaz]

@maghuro I haven't forgotten your PR for bandwidth limitation, I just haven't had the time to set aside to investigate it further. Sorry!

 

[maghuro]

@maghuro I haven't forgotten your PR for bandwidth limitation, I just haven't had the time to set aside to investigate it further. Sorry!

No problem my friend even I haven't had the time to try to investigate it...now that we're fully back to work, everything went to second stage...

 

[Jcquantum]

Thanks @Jack Yaz! Helps a lot! Sorry @bennor I have been a bit busy as I made some side mistakes after I wrote. Re-did the router and updated @Jack Yaz 's great script. I finally got some devices on my planned IoT area and am looking to see if they hold well.

I noticed that while using the MAC filter, thats when I get unto a bit of problem. Devices seem to just get isolated automatically. I can see the device while on setup, but I can't get the device connected to the network. As though the handshake is incomplete somewhere. I disable the filter and it works with no issue. But just one extra twist. I have the same device on a MAC filter on the network on the main SSID as well. When devices start connecting, it takes 5-10 sec for it to properly connect to the IoT SSID. So I dont know if its relate had d. I turned MAC filtering on the Iot SSID and its fine now. Thats why I'm just testing some devices for now, but seemed odd.

Anways, I didn't get a per say error message. More of a behavior kind of issue. One new thing I wanted to ask was in terms of IP cameras. In past experience, if i had the ca.era and a NVR on the same network, it tends to hug the traffic a lot. So I had it on an older router as a sort of physical isolation. With this great script @Jack Yaz have, would I see problems due to the higher load of traffic? Or if I mix it with the Iot group, would it sort of wash out the other device's traffic? I know that the IoT devices don't take much unless streaming or simple firmware updates.

Again, thanks, I know my questions may be not very related to the script. I just wanna ask someone who has had experiences already.

 

[bennor]

@Jcquantum
Cannot comment on how Wireless MAC Filtering would work with the YazFi script. But I would point out that MAC Filtering provides at best limited security protection if that is what one is using that feature for. There are many blog posts/web articles discussing that MAC filtering doesn't offer much in the way of security protection in the grand scheme of things.

On the subject of network traffic due to IP cams and NVR. One could see if using the QoS within Asus-Merlin can help. Otherwise the question is how would one be connecting a second router to the main router (which I assume is the Asus router running the YazFi script)? The YazFi script (apparently) has no effect or control on or over wired clients. If using WiFi between the two routers that is a better question for others as to how the YazFi script would affect (if at all) any of the wireless or wired devices connected to the second router. And if that second router is likewise an Asus router running Merlin and the YazFi script, no clue how that would work with the upstream router.