YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.
 
Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.
Good point, I'll add that
 
Before I try setup of YazFi and Stubby for the first time, are there any known compatibility issues? Could they conflict with how YazFi and Stubby both are able to force redirecting client DNS queries?
 
Before I try setup of YazFi and Stubby for the first time, are there any known compatibility issues? Could they conflict with how YazFi and Stubby both are able to force redirecting client DNS queries?
I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned. :)
 
I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned. :)

Thanks for confirming this.
 
I'm only one data point, but I run both with no issues. They act separately from one another. If I point the guest (YazFi) network DNS at 1.1.1.1 it bypasses stubby, if I point it at the router's IP on the guest network it uses Stubby. Pure freaking magic as far as I'm concerned. :)

Do you use Skynet? I wonder if Skynet will still be able to do blocking for IoT clients connected to a YazFi guest network. Can you confirm?

Edit: I use Skynet to block 1 of my IoT clients (on the guest network) from using any port except 443.
 
Do you use Skynet? I wonder if Skynet will still be able to do blocking for IoT clients connected to a YazFi guest network. Can you confirm?

Edit: I use Skynet to block 1 of my IoT clients (on the guest network) from using any port except 443.
I use Skynet, but I have no IoT clients anywhere. If you look at my signature you can see all the scripts I run.
 
I use Skynet, but I have no IoT clients anywhere. If you look at my signature you can see all the scripts I run.

Sorry, didn't think to read the sig.

Hoping someone may know if the Skynet Ban Devices option will work for YazFi guest clients? The feature is not exclusively for IoT devices. As seen below you can specify a private IP address of any client to block its internet access.

Code:
Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 11

Select Setting To Toggle:
[1]  --> Autoupdate            | [Enabled]                   
[2]  --> Banmalware            | [daily]                     
[3]  --> Debug Mode            | [Enabled]                   
[4]  --> Filter Traffic        | [all]                       
[5]  --> Unban PrivateIP       | [Enabled]                   
[6]  --> Log Invalid Packets   | [Enabled]                   
[7]  --> Ban AiProtect         | [Enabled]                   
[8]  --> Secure Mode           | [Enabled]                   
[9]  --> Fast Switch           | [Disabled]                   
[10] --> Syslog Location       | [Default]                   
[11] --> IOT Blocking          | [Disabled]                   

[1-11]: 11

Select IOT Option:
[1]  --> Unban Devices
[2]  --> Ban Devices
[3]  --> List Blocked Devices
[4]  --> Add Custom Allowed Ports
[5]  --> Reset Custom Port List
[6]  --> Select Allowed Protocols

[1-6]: 2

Input Local IP(s) To Ban:
Seperate Multiple Addresses With A Comma

[IP]: 192.168.x.x
 
Sorry, didn't think to read the sig.

Hoping someone may know if the Skynet Ban Devices option will work for YazFi guest clients? The feature is not exclusively for IoT devices. As seen below you can specify a private IP address of any client to block its internet access.

Code:
Select Menu Option:
[1]  --> Unban
[2]  --> Ban
[3]  --> Banmalware
[4]  --> Whitelist
[5]  --> Import IP List
[6]  --> Deport IP List
[7]  --> Save
[8]  --> Restart Skynet
[9]  --> Temporarily Disable Skynet
[10] --> Update Skynet
[11] --> Settings
[12] --> Debug Options
[13] --> Stats
[14] --> Install Skynet
[15] --> Uninstall

[r]  --> Reload Menu
[e]  --> Exit Menu

[1-15]: 11

Select Setting To Toggle:
[1]  --> Autoupdate            | [Enabled]                  
[2]  --> Banmalware            | [daily]                    
[3]  --> Debug Mode            | [Enabled]                  
[4]  --> Filter Traffic        | [all]                      
[5]  --> Unban PrivateIP       | [Enabled]                  
[6]  --> Log Invalid Packets   | [Enabled]                  
[7]  --> Ban AiProtect         | [Enabled]                  
[8]  --> Secure Mode           | [Enabled]                  
[9]  --> Fast Switch           | [Disabled]                  
[10] --> Syslog Location       | [Default]                  
[11] --> IOT Blocking          | [Disabled]                  

[1-11]: 11

Select IOT Option:
[1]  --> Unban Devices
[2]  --> Ban Devices
[3]  --> List Blocked Devices
[4]  --> Add Custom Allowed Ports
[5]  --> Reset Custom Port List
[6]  --> Select Allowed Protocols

[1-6]: 2

Input Local IP(s) To Ban:
Seperate Multiple Addresses With A Comma

[IP]: 192.168.x.x
It comes down to how the iptables rules are implemented. I think Skynet does banning in the raw table so will supersede the filter table where YazFi operates.
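The ordering point in the reply above can be checked without a router. The following is an added example, not Skynet or YazFi code: a toy model of the netfilter hooks a forwarded packet passes through. A Skynet ban is modelled as a DROP in raw PREROUTING (as the reply describes; the real script uses its own chains and ipsets, which are not reproduced here), and a YazFi rule as an ACCEPT in filter FORWARD. Because the raw hook is evaluated first and a DROP ends traversal, no ACCEPT that YazFi inserts later in the filter table can let the banned client through. Interface names, addresses and the default ACCEPT policy are assumptions for the illustration.

```python
"""Toy model of netfilter hook order for a forwarded IPv4 packet.

Added example (not Skynet/YazFi code). Only the raw PREROUTING and filter
FORWARD hooks are modelled; mangle/nat hooks are omitted for brevity.
Chain policies are assumed to be ACCEPT.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hooks in the order a forwarded packet traverses them.
FORWARD_PATH = [("raw", "PREROUTING"), ("filter", "FORWARD")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str
    dport: int


@dataclass
class Rule:
    target: str                      # "ACCEPT" or "DROP"
    src: Optional[str] = None        # None means "match any"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all(
            want is None or want == got
            for want, got in (
                (self.src, p.src), (self.in_if, p.in_if),
                (self.out_if, p.out_if), (self.dport, p.dport),
            )
        )


@dataclass
class Tables:
    chains: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def insert(self, table: str, chain: str, rule: Rule) -> None:
        # Like `iptables -I`: prepend, which is how both scripts add rules.
        self.chains.setdefault((table, chain), []).insert(0, rule)

    def verdict(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, hook) for a forwarded packet; first match wins per chain."""
        for table, chain in FORWARD_PATH:
            for rule in self.chains.get((table, chain), []):
                if rule.matches(p):
                    if rule.target == "DROP":
                        return "DROP", f"{table}/{chain}"
                    break  # ACCEPT ends this chain; continue to the next hook
        return "ACCEPT", "end-of-path"


def build_example() -> Tables:
    """Constructed rule set: a YazFi-style guest->WAN allow and a Skynet-style ban."""
    t = Tables()
    t.insert("filter", "FORWARD", Rule("ACCEPT", in_if="wl0.1", out_if="eth0"))
    t.insert("raw", "PREROUTING", Rule("DROP", src="192.168.180.98"))
    return t


if __name__ == "__main__":
    tables = build_example()
    pkt = Packet("192.168.180.98", "8.8.8.8", "wl0.1", "eth0", "UDP", 53)
    print(pkt.src, "->", pkt.dst, tables.verdict(pkt))
```

On a real router the equivalent check is to list both tables (`iptables -t raw -S PREROUTING` and `iptables -S FORWARD`) and confirm where the banned address appears; the model only makes the ordering explicit.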
 
Just a suggestion Jack Yaz, but on menu #2 - Edit Configuration, you give the options of nano or pi I believe, but if you could offer an option to go back to the main menu, in case you made a mistake going into that menu in the first place like I did (I used WinSCP for my edits), that would save cancelling out, and killing the process, or waiting for it to timeout.
Added with v3.0.1
 
I tried using this which appears to be 2.3.10 and got the same behavior. I did a bit of digging and installed this:

https://raw.githubusercontent.com/jackyaz/YazFi/9230246d2627b37e544262403256e83fce5c2c79/YazFi

Which appears to be 2.3.8 and it has been working all day without an issue. So it appears something changed after 2.3.8 to cause the guests to fall offline.
The main change was where the YazFi FORWARD rule got inserted: https://www.diffchecker.com/AhWNcQ8e
and a change to block all connections regardless of state

next time the network fails can you run
Code:
iptables -I INPUT -i wl0.1 -j LOG
iptables -I FORWARD -i wl0.1 -j LOG
(replace wl0.1 as required) and check syslog to see what traffic, if any, is logged
 
Code:
iptables -I INPUT -i wl0.1 -j LOG
iptables -I FORWARD -i wl0.1 -j LOG
(replace wl0.1 as required) and check syslog to see what traffic, if any, is logged

Here we go:

Feb 14 12:37:41 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30462 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:46 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30876 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:51 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30989 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:56 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=31025 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:38:01 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31367 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:06 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31457 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:11 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31954 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:16 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31996 DF PROTO=UDP SPT=42905 DPT=53 LEN=50

It appears the access to my PiHole on the private network is getting blocked.

Just to make sure I didn't screw the pooch, here is my config that I have used for all versions of YazFi.

wl01_ENABLED=true
wl01_IPADDR=192.168.180.0
wl01_DHCPSTART=50
wl01_DHCPEND=100
wl01_DNS1=192.168.178.5
wl01_DNS2=192.168.178.5
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=true
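The LOG lines in this post all show the same flow: IN=wl0.1 OUT=br0, UDP to port 53, destination 192.168.178.5. That address is the configured wl01_DNS1 and sits on the main LAN rather than in the 192.168.180.x guest range, while wl01_LANACCESS is blank, so guest DNS depends on a forward from the guest interface into br0 being allowed by whatever FORWARD rules are in place, which is the change the previous reply points to. The script below is an added example, not YazFi code: it parses kernel LOG lines of this shape into flows, reads the wl01_ settings, and reports findings for each flow (destination is the guest DNS server, destination is private but outside the guest subnet, guest to LAN bridge while LANACCESS is unset). The sample log and config are constructed from the post, and the /24 mask for wl01_IPADDR is an assumption.

```python
"""Cross-check iptables LOG output against a YazFi guest-network config.

Added example (not YazFi code). Parses lines like
  kernel: IN=wl0.1 OUT=br0 SRC=... DST=... PROTO=UDP SPT=... DPT=53
and annotates each flow using the wl01_ settings.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r"IN=(?P<in>\S+) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample shaped like the syslog output above (third line is an
# assumed ICMP echo to show a flow that raises no findings).
SAMPLE_LOG = """\
Feb 14 12:37:41 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30462 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:46 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30876 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:38:01 kernel: IN=wl0.1 OUT=eth0 SRC=192.168.180.98 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31367 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Constructed from the config posted above.
SAMPLE_CONFIG = """\
wl01_ENABLED=true
wl01_IPADDR=192.168.180.0
wl01_DNS1=192.168.178.5
wl01_DNS2=192.168.178.5
wl01_FORCEDNS=true
wl01_LANACCESS=
wl01_CLIENTISOLATION=true
"""

Flow = Tuple[str, str, str, str, str, str]  # in_if, out_if, src, dst, proto, dpt


def parse_config(text: str, prefix: str = "wl01_") -> Dict[str, str]:
    """Read KEY=VALUE lines for one guest interface, stripping the prefix."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(prefix) and "=" in line:
            key, value = line.split("=", 1)
            cfg[key[len(prefix):]] = value.strip()
    return cfg


def parse_flows(log: str) -> Counter:
    """Group LOG lines into (in, out, src, dst, proto, dpt) flows with counts."""
    flows: Counter = Counter()
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            flows[(m["in"], m["out"], m["src"], m["dst"], m["proto"], m["dpt"] or "-")] += 1
    return flows


def assess(flow: Flow, cfg: Dict[str, str], guest_prefix: int = 24) -> List[str]:
    """Return findings for one flow; guest_prefix is assumed (YazFi config gives only the network address)."""
    in_if, out_if, src, dst, proto, dpt = flow
    guest_net = ipaddress.ip_network(f"{cfg['IPADDR']}/{guest_prefix}", strict=False)
    dst_ip = ipaddress.ip_address(dst)
    notes: List[str] = []
    if dst in (cfg.get("DNS1"), cfg.get("DNS2")) and dpt == "53":
        notes.append("destination is the configured guest DNS server")
    if dst_ip.is_private and dst_ip not in guest_net:
        notes.append("destination is a private address outside the guest subnet")
    if out_if == "br0" and not cfg.get("LANACCESS"):
        notes.append("guest -> LAN bridge forward while LANACCESS is unset")
    return notes


def report(log: str, config: str) -> List[str]:
    """One line per distinct flow, with its count and findings."""
    cfg = parse_config(config)
    lines = []
    for flow, count in parse_flows(log).most_common():
        in_if, out_if, src, dst, proto, dpt = flow
        lines.append(f"{count:>3} x {in_if}->{out_if} {src} -> {dst} {proto}/{dpt}: "
                     + ("; ".join(assess(flow, cfg)) or "no findings"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SAMPLE_CONFIG)))
```

Run it against the real syslog (`grep 'IN=wl0.1' /tmp/syslog.log`) and the live /jffs YazFi config to see which flows the LOG rules are catching; traffic that never appears in the log at all is being dropped before the FORWARD hook, which points back at the table-order question above.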
 
Here we go:

Feb 14 12:37:41 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30462 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:46 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30876 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:51 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=30989 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:37:56 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=31025 DF PROTO=UDP SPT=42905 DPT=53 LEN=44
Feb 14 12:38:01 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31367 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:06 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31457 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:11 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31954 DF PROTO=UDP SPT=42905 DPT=53 LEN=50
Feb 14 12:38:16 kernel: IN=wl0.1 OUT=br0 SRC=192.168.180.98 DST=192.168.178.5 LEN=70 TOS=0x00 PREC=0x00 TTL=63 ID=31996 DF PROTO=UDP SPT=42905 DPT=53 LEN=50

It appears the access to my PiHole on the private network is getting blocked.

Just to make sure I didn't screw the pooch, here is my config that I have used for all versions of YazFi.

wl01_ENABLED=true
wl01_IPADDR=192.168.180.0
wl01_DHCPSTART=50
wl01_DHCPEND=100
wl01_DNS1=192.168.178.5
wl01_DNS2=192.168.178.5
wl01_FORCEDNS=true
wl01_REDIRECTALLTOVPN=false
wl01_VPNCLIENTNUMBER=
wl01_LANACCESS=
wl01_CLIENTISOLATION=true

I am using Pihole too. Looks like clientisolation has to be set to false.



Sent from my iPhone using Tapatalk Pro
 
I am using Pihole too. Looks like clientisolation has to be set to false.



Sent from my iPhone using Tapatalk Pro
I wouldn't have thought that setting would have an impact on this issue but worth a go I suppose.

Are the devices able to ping say 8.8.8.8 if it is just DNS failing?
 
I wouldn't have thought that setting would have an impact on this issue but worth a go I suppose.

Are the devices able to ping say 8.8.8.8 if it is just DNS failing?

So I tried a few things. DNS fails. However, pings, SSH and HTTP to the internet works. After the testing, I have set wl01_CLIENTISOLATION to false to see what that does in the meantime.

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=119 time=47.491 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=36.655 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=221.526 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=139.665 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 36.655/111.334/221.526/75.163 ms
$ nslookup
> server 192.168.178.5
Default server: 192.168.178.5
Address: 192.168.178.5#53
> google.com
;; connection timed out; no servers could be reached
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> reddit.com
;; connection timed out; no servers could be reached
> exit

$ ssh 68.183.106.34
qwerty@68.183.106.34's password:
Last login: Sun Jan 27 14:12:14 2019 from cpe-75-187-52-188.columbus.res.rr.com

$ curl 68.183.106.34
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html><head>

EDIT: wl01_CLIENTISOLATION set to false shows the same behavior. Think that is a red herring.
 
complete total newb here...

I have a 68u running Merlin 384.9. If I add this YazFi, will it help me protect my main network from IoT hackers? Right now these devices are on a guest network with "access intranet" off. I probably need to do more than that to secure my primary network. I was looking into other routers (ubiquiti) to manage vlans and such, but if not necessary, I'd just stay with my current router or move to a 86u.

please advise if I can protect my main network using some of the things the brilliant people here have created.. thanks
 
complete total newb here...

I have a 68u running Merlin 384.9. If I add this YazFi, will it help me protect my main network from IoT hackers? Right now these devices are on a guest network with "access intranet" off. I probably need to do more than that to secure my primary network. I was looking into other routers (ubiquiti) to manage vlans and such, but if not necessary, I'd just stay with my current router or move to a 86u.

please advise if I can protect my main network using some of the things the brilliant people here have created.. thanks

As you mentioned, LAN client isolation on guest networks is already part of the stock Merlin firmware. But in the future if you would like your guest clients to take advantage of ad-blocking by pixelserv, or have custom VPN routing policies for your guest network clients, then YazFi would definitely make your life easier.
 
