YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client


However, when a device connects to this guest wifi, in the Network Map, this device (my Android phone) is identified as having an IP in the main network subnet, e.g. 192.168.1.30.
When I use the Ping Tools app on my mobile, it is identified as having an IP in the guest wifi subnet, e.g. 192.168.3.2.
Do you know why this is the case?

I too am experiencing this issue, with the primary network reported for all addresses with no guest network addresses shown. In my case, the IPv4 addresses are dynamically assigned by the router.

Leave the Network Map open for a few seconds; it should update. If not, have you assigned a static IP for the device?

Unfortunately that doesn't fix the issue for me, nor does rebooting the router.

I do note that the IPv4 addresses assigned for each device on the primary and guest networks are correctly reported within Advanced Settings --> System Log --> Wireless Log.

@Jack Yaz Would the Network Map Client Listings be hard coded at all to report the primary network i.e. 192.168.1.X and not the guest network?

If it helps, in my case I am running RT-AC68U ... Merlin 384.14 (Wireless Router) along with Diversion | YazFi (recently installed within the last week) with a single 2.4GHz Guest Network.
 
I too am experiencing this issue, with the primary network reported for all addresses with no guest network addresses shown. In my case, the IPv4 addresses are dynamically assigned by the router.
<snip>
One potential option, that I use, is to manually assign a guest IP address to each guest device. I think it was previously discussed (somewhere around page 32, or this link for a post by me) in this discussion thread. I created a dnsmasq.postconf file in /jffs/scripts/ and then added a number of entries that append the MAC address, IP address and device name as a dhcp-host line. An example of this is below. I have two guest networks via the Yaz script, one 2.4 GHz and the other 5 GHz. One can modify this below to suit their needs. Additional SSH calls are included below to restart DNS and check if the proper IP addresses are being issued/displayed.

Note: For me however, also using a RT-AC68U + Merlin 384.14, these changes do not show up in the router admin interface network map client list, but are reflected correctly when issuing the cat /var/lib/misc/dnsmasq.leases command via SSH.

Code:
nano /jffs/scripts/dnsmasq.postconf

Contents of /jffs/scripts/dnsmasq.postconf (one dhcp-host line per guest device: MAC address, fixed IP in the guest subnet, device name):
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_append "dhcp-host=<mac address>,192.168.3.2,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.3.3,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.3.4,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.3.5,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.4.2,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.4.3,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.4.4,<device name>" $CONFIG
pc_append "dhcp-host=<mac address>,192.168.4.5,<device name>" $CONFIG

Save and exit nano.

Make dnsmasq.postconf executable:
chmod a+rx /jffs/scripts/dnsmasq.postconf

Check the generated dnsmasq.conf to see that it now contains the YazFi guest WiFi static IPs:
cat /etc/dnsmasq.conf

Restart dnsmasq:
service restart_dnsmasq

Show all active DHCP leases:
cat /var/lib/misc/dnsmasq.leases
One may have to reboot the router entirely to get the new guest IP addresses issued.
 
Last edited:
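Added example, not YazFi's code and not from the post above: a small POSIX sh helper that builds the dhcp-host lines for dnsmasq.postconf from a MAC/IP/name table, refusing any reservation whose address is not in a guest subnet (a typo such as 192.168.1.x would otherwise silently pin a guest device onto the main LAN), and then audits a dnsmasq.leases file against the same table. That turns the "cat /var/lib/misc/dnsmasq.leases" check at the end of the procedure, and the Network Map question earlier in the thread, into one command that says which subnet each client actually landed in. The 192.168.1.0/24 main LAN and 192.168.3.0/24 / 192.168.4.0/24 guest subnets are taken from the post; every MAC, hostname and lease line below is constructed. One caveat the table cannot fix: dhcp-host matches by MAC, so a phone using per-network MAC randomisation will not receive its reserved address (it still gets a guest-subnet lease from YazFi's dhcp-range, and the audit reports it as UNRESERVED).

```shell
#!/bin/sh
# Added example (not YazFi's or the post's code). Generates validated dhcp-host lines for
# a dnsmasq.postconf and audits /var/lib/misc/dnsmasq.leases against the same table.
# Assumed (hypothetical) addressing: main LAN 192.168.1.0/24, YazFi guests
# 192.168.3.0/24 and 192.168.4.0/24. All MACs, names and lease lines are constructed.

GUEST_PREFIXES="192.168.3. 192.168.4."

# Reservation table "mac ip name" (constructed); the last row is a deliberate typo
# on the main LAN that the generator must reject
RESERVATIONS='00:11:22:33:44:01 192.168.3.2 phone-guest
00:11:22:33:44:02 192.168.3.3 tablet-guest
00:11:22:33:44:03 192.168.4.2 tv-guest
00:11:22:33:44:04 192.168.1.9 oops-main-lan'

# Constructed sample of /var/lib/misc/dnsmasq.leases: "expiry mac ip hostname client-id"
SAMPLE_LEASES='1578780000 00:11:22:33:44:01 192.168.3.2 phone-guest 01:00:11:22:33:44:01
1578780100 00:11:22:33:44:02 192.168.1.30 tablet-guest 01:00:11:22:33:44:02
1578780200 aa:bb:cc:dd:ee:ff 192.168.1.31 laptop *
1578780300 00:11:22:33:44:03 192.168.4.2 tv-guest *'

# is_guest_ip IP -> succeeds when IP starts with one of GUEST_PREFIXES
is_guest_ip() {
  for p in $GUEST_PREFIXES; do
    case "$1" in "$p"*) return 0 ;; esac
  done
  return 1
}

# dhcp_host_line MAC IP NAME -> prints a dhcp-host= line; prints nothing and fails when
# the MAC is malformed, the IP is not dotted-quad, or the IP is outside the guest subnets
dhcp_host_line() {
  mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  printf '%s' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  is_guest_ip "$2" || return 1
  printf 'dhcp-host=%s,%s,%s\n' "$mac" "$2" "$3"
}

# gen_postconf RESERVATIONS_TEXT -> the pc_append lines for dnsmasq.postconf, one per
# valid row; rejected rows go to stderr so a typo cannot silently land on the main LAN
gen_postconf() {
  printf '%s\n' "$1" | while read -r mac ip name; do
    [ -n "$mac" ] || continue
    if line=$(dhcp_host_line "$mac" "$ip" "$name"); then
      printf 'pc_append "%s" $CONFIG\n' "$line"
    else
      printf 'rejected: %s %s %s\n' "$mac" "$ip" "$name" >&2
    fi
  done
}

# audit_leases LEASES_TEXT RESERVATIONS_TEXT -> one line per lease:
#   MAC IP SUBNET STATUS   with STATUS one of OK, UNRESERVED, MISMATCH(reserved=<ip>)
# A MISMATCH on MAIN means the reservation did not take: the client joined the main
# SSID, or presents a randomised MAC that no dhcp-host line matches
audit_leases() {
  printf '%s\n' "$1" | while read -r expiry mac ip name clientid; do
    [ -n "$mac" ] || continue
    mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
    reserved=$(printf '%s\n' "$2" | awk -v m="$mac" 'tolower($1) == m { print $2; exit }')
    if is_guest_ip "$ip"; then subnet=GUEST; else subnet=MAIN; fi
    if [ -z "$reserved" ]; then status=UNRESERVED
    elif [ "$reserved" = "$ip" ]; then status=OK
    else status="MISMATCH(reserved=$reserved)"
    fi
    printf '%s %s %s %s\n' "$mac" "$ip" "$subnet" "$status"
  done
}

# Stand-alone run: emit the postconf body, then audit the sample leases
gen_postconf "$RESERVATIONS"
audit_leases "$SAMPLE_LEASES" "$RESERVATIONS"
```

On the router the audit runs as `audit_leases "$(cat /var/lib/misc/dnsmasq.leases)" "$RESERVATIONS"`; the tablet row in the sample is the case the thread is about, a guest-reserved MAC holding a main-LAN lease, which the WebUI Network Map would not make obvious.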
Is there any way to have port forwarding go to a computer on one of these guest networks if they are on different subnets? So, if my router is 192.168 and I want one of my servers on a guest network of 10.10, is there a way for YazFi to get the relevant port traffic to the 10.10 domain and my server?
 
It is 2020, and I finally got around to getting ipv6 to work with my isp (all these years, and all I had to do was try passthrough mode). Anyhow, I was playing with my smart tv (isolated guest client) and noticed ipv6 isn't working on the guest networks. I read earlier in this thread that jack doesn't have ipv6 to troubleshoot this.

https://www.snbforums.com/threads/y...-inc-ssid-vpn-client.45924/page-8#post-407778

I'm willing to help however I can (ac86u, but relative networking noob). Jack, were you able to make any progress on this? If you still need relevant iptables I might be able to help. Is the command "iptables -L"?
 
Last edited:
One potential option, that I use, is to manually assign a guest IP address to each guest device.
<snip>
Thanks for the information. I am certainly able to see all the actual allocated addresses in the .leases file, so that is consistent with what I am seeing in the WebUI (Advanced Settings --> System Log --> Wireless Log) and on the device itself. I'll put it down to a bug in the WebUI for now, until my curiosity is piqued again.
 
I have another issue that I am trying to resolve: YazFi appears to enter a never-ending loop. I am unsure what is triggering the constant restart of the firewall. Perhaps I can source expert advice from you all?

Snapshot from /tmp/syslog.log below - sanitised SSID & MAC addresses.

With all the WLCEVENTD entries, I searched the forums to see recommendations to alter the wifi settings (noting I am using an RT-AC68U, not the RT-AC88U as quoted). Unfortunately, this didn't remedy the issue.

Those messages aren't a cause, they are a symptom. They indicate that your clients are disconnecting and reconnecting.

Try the recommended wifi settings:

- Disable Universal/Implicit Beamforming (Explicit is fine)
- Disable Airtime Fairness
- Disable MU-MIMO

I used an RT-AC88U as my primary router for about two years, and it has always been rock stable for me.

The trigger appears to be "Jan 11 13:10:27 rc_service: amas_lib 17397:notify_rc restart_firewall", but I have no idea what amas_lib is or why it is being called. Thoughts and/or suggestions?

Code:
Jan 11 13:09:09 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:09:09 YazFi: Firewall restarted - sleeping 60s before running YazFi
Jan 11 13:09:25 syslog: WLCEVENTD wlceventd_proc_event(401): eth2: Disassoc 00:00:00:00:00:01, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Jan 11 13:09:57 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:09:57 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:09:57 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:09:57 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:10:09 YazFi: YazFi v3.2.2 starting up
Jan 11 13:10:16 YazFi: wl0.1 (SSID: GUEST_1) - sending all interface internet traffic over WAN interface
Jan 11 13:10:20 YazFi: wl0.2 (SSID: GUEST_2) - sending all interface internet traffic over WAN interface
Jan 11 13:10:27 rc_service: amas_lib 17397:notify_rc restart_firewall
Jan 11 13:10:27 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:10:29 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:10:30 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate
Jan 11 13:10:30 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:10:31 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:03, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:10:31 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:02, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:10:31 YazFi: Lock file found (age: 82 seconds) - stopping to prevent duplicate runs
Jan 11 13:10:31 YazFi: YazFi v3.2.2 completed successfully
Jan 11 13:10:32 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:10:32 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
(ABOVE 2 LINES REPEATED 6 TIMES - ALTERNATING BETWEEN :02 & :03 - REMOVED FOR CHARACTER LIMIT)
Jan 11 13:12:03 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:03 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:12 rc_service: amas_lib 475:notify_rc restart_firewall
Jan 11 13:12:12 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:12:13 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:12:14 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:12:14 YazFi: Firewall restarted - sleeping 60s before running YazFi
Jan 11 13:12:37 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:37 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:38 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:38 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:14 YazFi: YazFi v3.2.2 starting up
Jan 11 13:13:17 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:17 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:17 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:17 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:18 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:18 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:20 YazFi: wl0.1 (SSID: GUEST_1) - sending all interface internet traffic over WAN interface
Jan 11 13:13:24 YazFi: wl0.2 (SSID: GUEST_2) - sending all interface internet traffic over WAN interface
Jan 11 13:13:24 rc_service: amas_lib 19515:notify_rc restart_firewall
Jan 11 13:13:24 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:13:26 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:13:26 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:13:27 YazFi: Lock file found (age: 73 seconds) - stopping to prevent duplicate runs
Jan 11 13:13:33 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate
Jan 11 13:13:33 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:03, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:13:33 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:02, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:13:33 YazFi: YazFi v3.2.2 completed successfully
Jan 11 13:13:35 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:13:35 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
(ABOVE 2 LINES REPEATED 4 TIMES - REMOVED FOR CHARACTER LIMIT)
Jan 11 13:15:06 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:15:06 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:15:23 rc_service: amas_lib 475:notify_rc restart_firewall
Jan 11 13:15:23 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:15:24 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:15:25 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:15:26 YazFi: Firewall restarted - sleeping 60s before running YazFi
Jan 11 13:15:41 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
Jan 11 13:15:41 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:02, status: 0, reason: d11 RC reserved (0)
(ABOVE 2 LINES REPEATED 2 TIMES - REMOVED FOR CHARACTER LIMIT)
Jan 11 13:16:26 YazFi: YazFi v3.2.2 starting up
Jan 11 13:16:31 YazFi: wl0.1 (SSID: GUEST_1) - sending all interface internet traffic over WAN interface
Jan 11 13:16:34 YazFi: wl0.2 (SSID: GUEST_2) - sending all interface internet traffic over WAN interface
Jan 11 13:16:35 rc_service: amas_lib 22639:notify_rc restart_firewall
Jan 11 13:16:35 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:16:36 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:16:37 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:16:38 YazFi: Lock file found (age: 71 seconds) - stopping to prevent duplicate runs
Jan 11 13:16:44 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate
Jan 11 13:16:44 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:03, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:16:44 YazFi: YazFi v3.2.2 completed successfully
Jan 11 13:16:45 syslog: WLCEVENTD wlceventd_proc_event(386): wl0.2: Deauth_ind 00:00:00:00:00:02, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Jan 11 13:16:46 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:16:46 syslog: WLCEVENTD wlceventd_proc_event(449): wl0.2: Assoc 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
(ABOVE 2 LINES REPEATED 6 TIMES - ALTERNATING BETWEEN :02 & :03 - REMOVED FOR CHARACTER LIMIT)
Jan 11 13:18:28 rc_service: amas_lib 475:notify_rc restart_firewall
Jan 11 13:18:29 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:18:30 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jan 11 13:18:30 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:18:31 YazFi: Firewall restarted - sleeping 60s before running YazFi
 
The trigger appears to be "Jan 11 13:10:27 rc_service: amas_lib 17397:notify_rc restart_firewall", but I have no idea what amas_lib is or why it is being called. Thoughts and/or suggestions?
This is the AiMesh service. If you ever used AiMesh on this router, best to do a factory default reset to remove any leftover configuration.

That library is closed source, so I have no idea what triggers a firewall restart from it.
 

Thanks for the reply. It is interesting as I have never used AiMesh on the router.
I must now mentally prepare myself to reset and reconfigure.

Update: Since disabling YazFi, this trigger is no longer executed. Perhaps I won't have to reset the router after all?
 
Last edited:
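Added example, not YazFi's or the firmware's code: a POSIX sh/awk detector run over lines taken from the syslog posted above (the custom_script and WLCEVENTD lines are included as noise it must ignore). It counts rc_service restart_firewall requests, reports the busiest sliding window and which process requested each restart, so the loop becomes a number that can be compared before and after disabling YazFi rather than a wall of log text. The 300-second window and threshold of 3 are assumptions for the sample; month roll-over is ignored because the syslog timestamp carries no year.

```shell
#!/bin/sh
# Added example, not part of YazFi or AsusWRT-Merlin: spot a firewall-restart loop in
# /tmp/syslog.log by counting "notify_rc restart_firewall" requests, finding the busiest
# sliding window and tallying who asked. Assumes every line is in one calendar month.

# Sample lines copied from the log posted in the thread, plus neighbours that must
# NOT be counted (service-event, firewall-start and WLCEVENTD lines)
SAMPLE_LOG='Jan 11 13:10:27 rc_service: amas_lib 17397:notify_rc restart_firewall
Jan 11 13:10:27 custom_script: Running /jffs/scripts/service-event (args: restart firewall)
Jan 11 13:10:30 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jan 11 13:10:32 syslog: WLCEVENTD wlceventd_proc_event(420): wl0.2: Auth 00:00:00:00:00:03, status: 0, reason: d11 RC reserved (0)
Jan 11 13:12:12 rc_service: amas_lib 475:notify_rc restart_firewall
Jan 11 13:13:24 rc_service: amas_lib 19515:notify_rc restart_firewall
Jan 11 13:15:23 rc_service: amas_lib 475:notify_rc restart_firewall
Jan 11 13:16:35 rc_service: amas_lib 22639:notify_rc restart_firewall
Jan 11 13:18:28 rc_service: amas_lib 475:notify_rc restart_firewall'

# firewall_restart_stats LOG_TEXT WINDOW_SECONDS
# prints one line: restarts=<total> max_in_window=<most restarts inside any
# WINDOW_SECONDS span> <requester>=<count> ...   (requester is the process named by rc_service)
firewall_restart_stats() {
  printf '%s\n' "$1" | awk -v win="$2" '
    $4 == "rc_service:" && /notify_rc restart_firewall/ {
      split($3, t, ":")
      ts = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]   # seconds since start of month
      n++; when[n] = ts
      req[$5]++                                          # e.g. amas_lib
    }
    END {
      best = 0
      for (i = 1; i <= n; i++) {
        c = 0
        for (j = i; j <= n && when[j] - when[i] <= win; j++) c++
        if (c > best) best = c
      }
      printf "restarts=%d max_in_window=%d", n, best
      for (r in req) printf " %s=%d", r, req[r]
      printf "\n"
    }'
}

# firewall_restart_loop LOG_TEXT WINDOW_SECONDS THRESHOLD -> exit 0 when THRESHOLD or more
# restarts fall inside one window, i.e. something keeps re-triggering the firewall
firewall_restart_loop() {
  max=$(firewall_restart_stats "$1" "$2" | sed 's/.*max_in_window=\([0-9]*\).*/\1/')
  [ "$max" -ge "$3" ]
}

# Stand-alone run: six restarts in the sample, four of them inside one 5-minute window
firewall_restart_stats "$SAMPLE_LOG" 300
if firewall_restart_loop "$SAMPLE_LOG" 300 3; then
  echo "LOOP: firewall restarted repeatedly; check the requester counts above"
fi
```

On the router: `firewall_restart_stats "$(cat /tmp/syslog.log)" 300`. In the sample every request comes from amas_lib, spaced 72 to 119 seconds apart, so the requester tally is the part worth watching after a change such as disabling YazFi.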
I stumbled on the YazFi GitHub site a few weeks ago. I have an Asus RT-AX88U configured with VPN and use Pi-hole (Raspberry Pi) as the DNS server. Shared drives are configured on an Intel NUC running Ubuntu 18.04, WD Personal My Cloud NAS and WD My Cloud PR4100 NAS. I want to be able to have a non-VPN network without having to configure a dual router setup and, also, be able to access shared drives, printers and other network resources on the main VPN network. Also, I want to use Pi-hole as the DNS server on the non-VPN network.

I have installed the YazFi script and configured one 2.4GHz and one 5GHz WiFi interface for non-VPN Internet access. I have _FORCEDNS=true, _LANACCESS=true and _CLIENTISOLATION=false. I can access the Internet using both the non-VPN 2.4GHz and 5GHz WiFi networks; however, the shared folders and other resources on the main VPN network cannot be accessed. Also, Pi-hole is not being recognized as the DNS server (I tried to configure _DNS1 with the Pi-hole IP address, which is on a different subnet, but got an error message). Pi-hole is configured to listen on all ports (Listen on all interfaces, permit all origins). VPN network devices cannot ping the non-VPN network and the non-VPN network devices cannot ping the VPN network.

Are static routes needed for the VPN and non-VPN networks to communicate or to share resources between each other? Should Pi-hole (same Raspberry Pi used by the VPN network) be configured as _DNS1 in the YazFi script or are there other configuration requirements to use Pi-hole?
 
Thanks for the reply. It is interesting as I have never used AiMesh on the router.
<snip>
No idea, what's happening is the firewall-start script is being called each time. YazFi is called non-blocking from this, so I have no idea why the firewall would keep being restarted by the aimesh service.
 
I stumbled on the YazFi GitHub site a few weeks ago. I have an Asus RT-AX88U configured with VPN and use Pi-hole (Raspberry Pi) as the DNS server.
<snip>
Are you using Policy Rules (Strict) on the VPN? If so, try normal Policy Rules.
 
This would be very useful in the WebUI. Please consider doing so! This is a very useful script that needs broader accessibility for the less technical (including me!). :)
 
Yes, I was using Policy Rules (Strict). I've changed it to just Policy Rules but still can't communicate with devices and resources between networks.
Can you use option d to generate diagnostics and share them with me please? PM, or Dropbox/other filesharing site
 
I have this working on my AC3100 on an OpenVPN profile.

I would like to try it using PPTP, which my VPN provider does support. OpenVPN is very slow on the AC3100, so I'm hoping PPTP will be faster, as I don't care about perfect privacy, simply keeping my WAN private. I know the AC2900's OpenVPN would be faster, but I can't afford the change.

I was able to disable OpenVPN and its boot start, and enable the PPTP profile, which autostarts on its own, but I see problems:

1. YazFi itself does not seem to see/use the PPTP profile.

2. Everyone's DNS access seems gone (I use Merlin's DoT). This includes other WiFi SSIDs (not YazFi'd) and the wired LAN.

Could someone point me in the right direction on this troubleshoot, or does YazFi simply depend on OpenVPN and won't VLAN the active PPTP? I did not yet study editing YazFi's config files, which I recall had more to do with which SSID and subnet is the VLAN, and not the VPN client.

Of course, I already tested the PPTP profile info using a VPN client PC and it works fine (including its own Google DNS), so it's not that. While in use in the router, the connection status shows it's active.
 
Last edited:
