What's new

YazFi YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Jack Yaz

Part of the Furniture
YazFi
v4.1.4

Updated 2020-08-16

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:

* Dedicated VPN WiFi networks
* Separate subnets for organisation of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

This project is hosted on GitHub

YazFi is free to use under the GNU General Public License version 3 (GPL 3.0).

Love the script and want to support future development? Any and all donations gratefully received!
PayPal donation
Buy me a coffee

a095903835.png


0f32c1da9d.png


Supported Models
Models
All modes supported by Asuswrt-Merlin. Models confirmed to work are below:
  • RT-AC56U
  • RT-AC66U
  • RT-AC68U
  • RT-AC86U
  • RT-AC87U (2.4GHz guests only)
  • RT-AC88U
  • RT-AC3100
  • RT-AC3200
  • RT-AC5300
  • RT-AX88U (clientisolation is not supported and is forced to false)
Firmware versions
Core YazFi features

You must be running firmware no older than:
WebUI page for YazFi
You must be running firmware no older than:

Installation
Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi.sh" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install

Please then follow instructions shown on-screen. An explanation of the settings is provided in the FAQs in post #2

Usage
To launch the YazFi menu after installation, use:
Code:
YazFi

If you do not have Entware installed, you will need to use the full path:
Code:
/jffs/scripts/YazFi
Updating
Launch YazFi and select option u
 
Last edited:
FAQs

What do each of the settings mean?

wl01_ENABLED

Enable YazFi for this Guest Network (true/false)

wl01_IPADDR
IP address/subnet to use for Guest Network

wl01_DHCPSTART
Start of DHCP pool (2-253)

wl01_DHCPEND
End of DHCP pool (3-254)

wl01_DNS1
IP address for primary DNS resolver

wl01_DNS2
IP address for secondary DNS resolver

wl01_FORCEDNS
Should Guest Network DNS requests be forced/redirected to DNS1? (true/false) N.B. This setting is ignored if sending to VPN, and VPN Client's DNS configuration is Exclusive

wl01_REDIRECTALLTOVPN
Should Guest Network traffic be sent via VPN? (true/false)

wl01_VPNCLIENTNUMBER
The number of the VPN Client to send traffic through (1-5)

wl01_TWOWAYTOGUEST
Should LAN/Guest Network traffic have unrestricted access to each other? (true/false) Cannot be enabled if _ONEWAYTOGUEST is enabled

wl01_ONEWAYTOGUEST
Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? (true/false) Cannot be enabled if _TWOWAYTOGUEST is enabled

wl01_CLIENTISOLATION
Should Guest Network radio prevent clients from talking to each other? (true/false)


Can I add my own firewall rules?
Yes. YazFi supports calling custom scripts after setting up the guest network. To use a user script, create your script file the appropriate directory with a .sh extension. e.g.
Code:
/jffs/addons/YazFi.d/userscripts.d/myscript.sh
Remember to make it executable with
Code:
chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh
An example script to allow a guest on 2.4GHz guest 1 to talk to a specific IP address on the LAN:
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.50 -j ACCEPT
The above will work if "One way" access to the guest enabled. With no access enabled, the script would be:
Code:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.50 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.50 -j ACCEPT

I haven't used scripts before on AsusWRT-Merlin, what do I do?

If this is the first time you are using scripts, don't panic! In your router's WebUI, go to the Administration area of the left menu, and then the System tab. Set Enable JFFS custom scripts and configs to Yes. Further reading about scripts is available here: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts

00a43283ed.png


Donations
PayPal donation
 
Last edited:
Thank you for all the effort you put into developing this script :).
You can add the RT-AC56U to the list - it has been running smoothly on there for the past couple of weeks with no issues at all. Keep up the great work, I am personally looking forward to LAN access.
 
v1.1.1 is now available. Changes include:
  • Validation of config file
  • Colour highlighting when running script in terminal
  • Removal of DHCP option 252 "\n" to replicate an upcoming change in 384.5

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi
 
Installation
Using your preferred SSH Client, copy and paste the following command, then press Enter:

Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install
This is all new to me, sorry for the stupid question - have successfully learned how to connect via SSH on my Ubuntu system - do I first navigate to a specific directory on the router before I paste in your command or?
 
This is all new to me, sorry for the stupid question - have successfully learned how to connect via SSH on my Ubuntu system - do I first navigate to a specific directory on the router before I paste in your command or?
I'm going to safely assume it's the same as Installing the fresh Jr script.
 
This is all new to me, sorry for the stupid question - have successfully learned how to connect via SSH on my Ubuntu system - do I first navigate to a specific directory on the router before I paste in your command or?
Welcome to the forums! I'll put something together for you when I'm home in few hours.

EDIT: if you're already connected via SSH then you can run the command as is and it'll put things in the right place for you
 
Welcome to the forums! I'll put something together for you when I'm home in few hours.

EDIT: if you're already connected via SSH then you can run the command as is and it'll put things in the right place for you
Sorry to say, but as a non-tech guy, I find all these answers a little ambiguous & cryptic. Driving to a destination is really really easy if you have driven it many times, but when you give those directions to another, please don't assume they can envision what the left turn at the big fir tree looks like.
Perhaps I have been a little ambiguous as well; I am working in Ubuntu Terminal, not a SSH client. (I guess)
Here is where I get to when I connect to router:
Code:
ASUSWRT-Merlin RT-AC68U 384.4-2 Sat Mar 24 17:01:45 UTC 2018
********@RT-AC68U-ADE8:/tmp/home/root#
Is this where I run your command from or do I need to navigate to a different directory on the router first......or do I run it when I am at the command prompt in Terminal before I connect to router?
Also, just noticed my router model is not on your list, is there a chance that your script may work anyway?
Thank you.
 
Sorry about the lack of clarity. I'm assuming you're running a "ssh" command in the Ubuntu terminal? Nevertheless, Terminal session looks fine so OK to run it there.

There's no reason for the script to not work for you! The list posted is confirmed working by users with those models, so all it means is that you're the first 68U!
 
Will this work on John's (Merlin) fork? You mentioned there were changes made to accommodate the changes in 384.5...
 
Will this work on John's (Merlin) fork? You mentioned there were changes made to accommodate the changes in 384.5...
I believe the change will be in John's fork, since John was the one who suggested it! The change is discussed here: https://www.snbforums.com/threads/issue-with-pulse-secure-vpn.45902/#post-396648

Truth be told, I'm unsure on how much will be compatible. The separation of subnet should be OK, but the redirection to VPN would depend entirely on how @john9527 implemented policy routing. My script is currently writing to the vpn_clientX_clientlist nvram settings. John, do you use the same settings in your fork?
 
Sorry to say, but as a non-tech guy, I find all these answers a little ambiguous & cryptic. Driving to a destination is really really easy if you have driven it many times, but when you give those directions to another, please don't assume they can envision what the left turn at the big fir tree looks like.
Perhaps I have been a little ambiguous as well; I am working in Ubuntu Terminal, not a SSH client. (I guess)
Here is where I get to when I connect to router:
Code:
ASUSWRT-Merlin RT-AC68U 384.4-2 Sat Mar 24 17:01:45 UTC 2018
********@RT-AC68U-ADE8:/tmp/home/root#
Is this where I run your command from or do I need to navigate to a different directory on the router first......or do I run it when I am at the command prompt in Terminal before I connect to router?
Also, just noticed my router model is not on your list, is there a chance that your script may work anyway?
Thank you.
Script now installed and config configged. I am a little stuck however:
1) After installing script, instruction said please run /jffs/scripts/YazFi...how do I do this?
2)My Asus router is at 192.168.2.1 - does it matter what I set wl01_IPADDR to? Should it be 192.168.2.1 or 192.168.2.0 as per your example config?
I made you chuckle didn't I?
 
I believe the change will be in John's fork, since John was the one who suggested it! The change is discussed here: https://www.snbforums.com/threads/issue-with-pulse-secure-vpn.45902/#post-396648

Truth be told, I'm unsure on how much will be compatible. The separation of subnet should be OK, but the redirection to VPN would depend entirely on how @john9527 implemented policy routing. My script is currently writing to the vpn_clientX_clientlist nvram settings. John, do you use the same settings in your fork?
Should work fine....
 
Script now installed and config configged. I am a little stuck however:
1) After installing script, instruction said please run /jffs/scripts/YazFi...how do I do this?
2)My Asus router is at 192.168.2.1 - does it matter what I set wl01_IPADDR to? Should it be 192.168.2.1 or 192.168.2.0 as per your example config?
I made you chuckle didn't I?
1) In the terminal like the install script. Copy and paste version below:
Code:
/jffs/scripts/YazFi

2) I'd recommend 192.168.3.1 in your case, i.e. the next subnet up. It can be any subnet you like, my script checks to make sure the selected subnet isn't already in use on the router.

And indeed! I'm toying with the idea of "auto-configuration", so you just set 1 thing and the script sets the rest.
 
@Jack Yaz
One thing I noticed when I browsed through your script. When you break the string for the AC86 platform, shouldn't you offset the starting positions by one?
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top