YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


Jcquantum

Occasional Visitor
Hi all!

I'm wondering about the PMS setting and whether it affects anything on YazFi. Also, is PMS something recommended to use?

Thanks!
 

bennor

Regular Contributor
The first thing I've done is set my LAN subnet to 10.0.0.1/25 (which covers 10.0.0.0-128). Then I allocate the guest network on the rest of the IP pool; here I set it at 10.0.0.192/27 (10.0.0.192-224). I've managed to do it, the connected devices show up on the network map. But the problem is they can't access the internet. Then I didn't know what else to configure, so I gave up.
Do you have any idea why the guest network can't access the internet?
No idea, but a wild guess: it's related to putting guests that YazFi tries to put into a separate IP address range into the same IP address range as the main LAN/WiFi clients.
 

Jcquantum

Occasional Visitor
The PMF is within the settings of the wifi in the router, so how is it that it doesn't have anything do with the router?
 

L&LD

Part of the Furniture
@AntonK didn't say 'PMF', he is talking about 'PMS'. :)
 

Jcquantum

Occasional Visitor
Thanks @L&LD. "Ha ha", is that what people want me to say? I'm asking to get some knowledge. Yes, I made a typo, but I'm sure none of you make mistakes, right?

I'm sorry I'm not perfect. I'm asking to understand, but if no one wants to help, I guess just not my luck. Please, have some respect for others not as smart as you all.
 

Jcquantum

Occasional Visitor
@bennor, I know what you all are talking of, and please don't rub it in more. If you don't want to help, just say so.

Please, have some respect for others! And I'm not white, I know that means my English is super terrible for you white folks. Sorry for not being white!
 

Jcquantum

Occasional Visitor
Thank you @Jack Yaz. I'm asking because I've had a slight challenge recently where one of my devices won't connect to a guest network, even if there is no change in settings. Just trying to eliminate what may or may not be.

Thanks
 

Jack Yaz

Part of the Furniture
Thank you @Jack Yaz. I'm asking because I've had a slight challenge recently where one of my devices won't connect to a guest network, even if there is no change in settings. Just trying to eliminate what may or may not be.

Thanks
I would check syslog for messages when you try to join the device. Does the device provide any useful error messages?
 

Jcquantum

Occasional Visitor
Ok @Jack Yaz. I'll check and get back. Thanks. There isn't really any error, as I tried to reset the device multiple times trying to see if it's on the device side (as I mentioned, no changes on the router side). The device reports connection success, but when negotiating for the device to switch from its AP mode to client mode, it's working half the time and not changing mode half the time.

All in all I'll double check the router syslog and get back... hope I see something that I can handle myself.

Thanks
 

Wallace_n_Gromit

Regular Contributor
Thank you @Jack Yaz. I'm asking because I've had a slight challenge recently where one of my devices won't connect to a guest network, even if there is no change in settings. Just trying to eliminate what may or may not be.

Thanks
@Jcquantum I have been searching through the forums for a posting by one of the script developers about his realization about the settings of PMF.

It had been posted earlier this year; I couldn't find it.

The gist of it was that setting PMF to "capable" didn't do what "capable" seemed to imply, i.e. if your devices can utilize PMF then all is good, if [some of] your devices can't utilize PMF then all is good too, they will still be able to connect. His realization was that it didn't work that way. His recommendation after his explanation was to disable PMF (to the best of my recollection).

EDIT --> Found it! @john9527 https://www.snbforums.com/threads/protected-management-frames.63961/
 

memphis2k

Occasional Visitor
Does this script work in AP mode?

Running pfSense for DHCP, DNS, NAT/firewall and just need the AC68U with Merlin to run multiple WiFis for secure & guest (IoT) networks.

I tried running the AC68U as a router and turning off everything, DHCP, DNS, NAT, but I couldn't get an Android phone to get a DHCP IP from pfSense.

Running Merlin is great for scripts, but when creating a guest network in AP mode, I don't get network isolation between 2.4/5 & guest networks. Can ping either way.

Just trying to plan a growing network. Coming from Sophos UTM, really liking pfSense so far. Have an HP 48g (VLAN support) switch, a VM for pfSense with as many NICs as needed. Two AC68Us for WiFi inside the house in AP mode.

2.4 GHz for a handful of devices, insecure
5 GHz for iOS and Echos
Insecure wired devices get issued a VLAN

Would like to get some UniFi once they are WiFi 6.

Thanks for some input.
 

hoodfavourite

New Around Here
I finally got YazFi to work. I've been trying to understand .sh scripts for the last few weeks, and I'm getting somewhere at least.
I have a bridged ISP modem that's connected via WAN to an RT-AC68U which is in default router mode. Maybe this makes things extra dodgy.
The problem I have is that I don't really know if what I've finally put together is a safe and correct solution. What I've wanted is to have separate guest SSIDs routed through specific VPN clients, i.e. what YazFi does. Usually, if I got as far as getting a new network running, it still wasn't connectable, no internet etc.
It started to work after I created 2 new VLANs and added 2 new bridges. Added the guest client interfaces to br1 and br2. I've just been mixing parts of scripts from other threads into my own. I'M NOT sure that the VLANs or the bridges are correctly set up!
It's still not a persistent script; I literally got it to work just now manually. And I don't really know why, or if it's appropriately executed, or if it has obvious security flaws or routing flaws.
What I would like to understand is why it's functioning now, and what routing rules and commands are missing... for security, for stability and so forth. Not 100% sure where to put it all. I have a few ideas of course, there's plenty of info in the forum and on the wiki.
Anyway, here's what I put together. It's just a mix of strings and parts of commands I found in several other threads. Especially the routing part is just guessing and maybe a few of them aren't even needed.


Code:
# VLAN 30 / 40 on switch ports 3 and 4, tagged towards the CPU port
robocfg vlan 1 ports "1 2 5t"
robocfg vlan 30 ports "3 8t"
robocfg vlan 40 ports "4 8t"
vconfig add eth0 30
ifconfig vlan30 up
vconfig add eth0 40
ifconfig vlan40 up

# take the guest virtual interfaces out of the main LAN bridge
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# br1 = guest network 1 (vlan30 + wl0.1/wl1.1), same members as lan1_ifnames below
ifconfig br1 down 2> /dev/null
brctl delbr br1 2> /dev/null
brctl addbr br1
brctl addif br1 vlan30
brctl addif br1 wl0.1
brctl addif br1 wl1.1

# br2 = guest network 2 (vlan40 + wl0.2/wl1.2), same members as lan2_ifnames below
ifconfig br2 down 2> /dev/null
brctl delbr br2 2> /dev/null
brctl addbr br2
brctl addif br2 vlan40
brctl addif br2 wl0.2
brctl addif br2 wl1.2

ifconfig br1 192.168.xx.xx netmask 255.255.255.0
ifconfig br1 up
logger -t guestvlan "br1 up"
ifconfig br2 192.168.xx.xx netmask 255.255.255.0
ifconfig br2 up
logger -t guestvlan "br2 up"

# persist the same port map as the robocfg lines above (this is what survives a reboot)
nvram set vlan30ports="3 8t"
nvram set vlan30hwname=et0

nvram set vlan40ports="4 8t"
nvram set vlan40hwname=et0

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan30 wl0.1 wl1.1"
nvram set lan1_ifname="br1"

nvram set lan2_ifnames="vlan40 wl0.2 wl1.2"
nvram set lan2_ifname="br2"
nvram commit
# restart eapd so it picks up the new bridge membership
killall eapd
eapd

# let the router itself (DHCP/DNS) be reached from the guest interfaces
iptables -I INPUT 1 -i vlan30 -j ACCEPT
iptables -I INPUT 1 -i vlan40 -j ACCEPT

iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br2 -j ACCEPT

# DROP in the broute table means "route this frame": IPv4 on the guest bridges
# goes through iptables instead of being bridged between ports
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP
and put this dnsmasq.conf.add:

Code:
# dnsmasq only serves the interfaces listed with interface=, so br1 needs one too
interface=br1
dhcp-range=br1,192.168.xx.xx,192.168.xx.xx,255.255.255.0,86400s
dhcp-option=br1,3,192.168.xx.xx
dhcp-option=br1,6,192.168.xx.xx
interface=br2
dhcp-range=br2,192.168.xx.xx,192.168.xx.xx,255.255.255.0,7200s
dhcp-option=br2,3,192.168.xx.xx
dhcp-option=br2,6,<VPN DNS address>
For option 6 on br2 I tried to put in the VPN's DNS addresses, not sure if it's working.
Code:
robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xxxxxxxxxxxxx
Port 1:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3:   DOWN enabled stp: none vlan: 30 jumbo: off mac: 00:00:00:00:00:00
Port 4:   DOWN enabled stp: none vlan: 40 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 2 jumbo: off mac: xxxxxxxxxxxxx
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 5t
   2: vlan2: 0 5
  30: vlan30: 3 8t
  40: vlan40: 4 8t
Code:
robocfg showmacs
VLAN  MAC                Type     Port
--------------------------------------
0002  xxxxxxxxxxxxx      DYNAMIC  0
0002  xxxxxxxxxxxxx      DYNAMIC  0
0001  xxxxxxxxxxxxx      DYNAMIC  5
0001  xxxxxxxxxxxxx      STATIC   5
0030  xxxxxxxxxxxxx      DYNAMIC  5
0002  xxxxxxxxxxxxx      STATIC   5
0040  xxxxxxxxxxxxx      DYNAMIC  5
0002  xxxxxxxxxxxxx      DYNAMIC  0
0001  xxxxxxxxxxxxx      DYNAMIC  5
Code:
nvram show | grep ifnames
br0_ifnames=vlan1 eth1 eth2 wl0.1 wl0.2 wl1.1 wl1.2
sta_phy_ifnames=eth1 eth2
lan2_ifnames=vlan40 wl0.2 wl1.2
size: 56087 bytes (9449 left)
wl0_vifnames=wl0.1 wl0.2 wl0.3
wl1_vifnames=wl1.1 wl1.2 wl1.3
dpsta_all_ifnames=eth1 eth2
dpsta_ifnames=
lan_ifnames=vlan1 eth1 eth2
wan_ifnames=eth0
wl_ifnames=eth1 eth2
eth_ifnames=vlan2
wl_vifnames=wl0.1 wl0.2 wl0.3
acs_ifnames=eth1
lan1_ifnames=vlan30 wl0.1 wl1.1
sta_ifnames=eth1 eth2
I mean I'm not sure about these parameters either, but here's the full view, right? Especially nvram contains a bunch of syntax I've never seen in other threads, like dpsta_all_ifnames and so on?
So, what I'm wondering is if I'm on the right way or if it's missing plenty?
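One check worth running on a setup like the one above (an added example, not code from the post or from YazFi): compare the VLAN port map the switch is actually running (`robocfg show`) with the one persisted in nvram (`vlanNNports`), because the post applies one set of ports with robocfg and saves a different set with `nvram set`, and the saved set is what comes back after a reboot. The `robocfg show` and `nvram show` text below is constructed sample output that reproduces that mismatch, not captured from a real router.

```shell
#!/bin/sh
# Constructed sample output standing in for "$(robocfg show)" and "$(nvram show)":
# vlan30 is running as "3 8t" but was saved as "8 5t", like in the post above.
ROBOCFG_SHOW='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 5t
   2: vlan2: 0 5
  30: vlan30: 3 8t
  40: vlan40: 4 8t'

NVRAM_SHOW='vlan1ports=1 2 5t
vlan2ports=0 5
vlan30ports=8 5t
vlan40ports=4 8t
lan1_ifnames=vlan30 wl0.1 wl1.1
lan2_ifnames=vlan40 wl0.2 wl1.2'

# nvram_get KEY: value of KEY from $NVRAM_SHOW (empty if the key is unset).
nvram_get() {
    printf '%s\n' "$NVRAM_SHOW" | sed -n "s/^$1=//p"
}

# check_vlan_consistency: print one line per VLAN whose running port list
# (robocfg) differs from the persisted vlanNNports value in nvram.
# Prints nothing when every VLAN matches.
check_vlan_consistency() {
    # keep only the per-VLAN rows of the robocfg table ("  30: vlan30: 3 8t")
    printf '%s\n' "$ROBOCFG_SHOW" | awk -F': ' '/^ *[0-9]+: vlan[0-9]+: /' |
    while IFS= read -r line; do
        name=$(printf '%s' "$line" | awk -F': ' '{print $2}')
        ports=$(printf '%s' "$line" | awk -F': ' '{print $3}')
        persisted=$(nvram_get "${name}ports")
        if [ "$persisted" != "$ports" ]; then
            printf "%s: running '%s' but nvram %sports='%s'\n" \
                "$name" "$ports" "$name" "$persisted"
        fi
    done
}

check_vlan_consistency
```

On the router itself, replace the two constructed variables with `ROBOCFG_SHOW=$(robocfg show)` and `NVRAM_SHOW=$(nvram show 2>/dev/null)`; an empty result means the applied and saved VLAN layouts agree.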
 

Slawek P

Regular Contributor
Does YazFi also work on AiMesh nodes? What do I need to do to get it running there?
At the moment only the main router shows the extra guest WiFi, but I have not activated AMTM or installed YazFi on the AiMesh node yet.
 
