YazFi - enhanced AsusWRT-Merlin Guest WiFi Networks

Discussion in 'Asuswrt-Merlin' started by Jack Yaz, Apr 8, 2018.

  1. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    In the YazFi config file
     
  2. Raymond74

    Raymond74 Occasional Visitor

    Joined:
    Oct 8, 2018
    Messages:
    15
    I'm new here and this script might be useful for me.

    I am running AsusMerlin 384.7 on an RT-AC87U and this is what I am looking for.
    A separate IoT/Chromecast/AppleTV guest WiFi (preferred also VLAN - for wired) in a different subnet with iptables for filtering traffic. The separate IoT/C/A networks should be reachable from the main internal WiFi (and some LAN devices should be reachable from the guest WiFi).

    Is this script something that would help? Or is there already something else out there ?

    PS: I will not be using any of the VPN features.
     
  3. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Currently guests are isolated on their own interface and firewalled off from the LAN.

    LAN access is on the to-do but I haven't had time. It will likely be achieved by ipset, rather than VLAN, since switch ports vary between models and I have no way to test and support them readily.
     
  4. Raymond74

    Raymond74 Occasional Visitor

    Joined:
    Oct 8, 2018
    Messages:
    15
    As I need an external switch to be part of the same vlan and subnet I need to tag it (or at least have that asus port in a different vlan). So ipset will not work for me... But thnx for your input.
    Please see my thread: https://www.snbforums.com/threads/seperate-wifi-ssid-seperate-subnet.49211/#post-436146
     
  5. kernol

    kernol Occasional Visitor

    Joined:
    Feb 24, 2018
    Messages:
    21
    Location:
    South Africa
    How to uninstall YazFi ???
    Tried it out of curiosity ... and may well revert once VPN configured - but not using any VPN for now - so would like to remove completely.
    I see there is a routine in the YazFi script for "uninstall" - so ran the install SSH command and changed switch from "install" to "uninstall".

    Is that sufficient - or do I also need to manually clean up all YazFi installed scripts and config files ??
    Sorry if the answer lurks somewhere else ... but have trawled all 14 pages under this thread AND the GitHub site - but could not find any guidance.
    Thnx.
     
  6. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Uninstall will remove all references in startup scripts etc. It's up to you whether you then delete the script and config files (should you wish to reinstall and not lose your config).
     
  7. wacko911

    wacko911 New Around Here

    Joined:
    Dec 26, 2015
    Messages:
    4
    Jack_Yaz, I installed this in minutes and it just works as advertised - I've tried scripts in the past and failed after many hours of trying. I've sent you a small donation, thank you and please keep up the good work.

    Now if only we could get this included in merlin's builds...
     
    Jack Yaz likes this.
  8. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Glad to be of service! Reminds me that I really should crack on with LAN access
     
    jmedaglia likes this.
  9. SMS786

    SMS786 Regular Contributor

    Joined:
    Nov 29, 2017
    Messages:
    157
    Hi @Jack Yaz,

    Thanks for the great script! Been eyeing it for a while..finally took the plunge and installed today. I had a quick question:
    Code:
    wl01_DNS1=8.8.8.8
    wl01_DNS2=8.8.4.4
    Could I leave the above DNS lines blank if I want my guests to default to my dnscrypt setup?
     
  10. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Yes, leaving blank should be detected by the script and replaced with the router IP, and relevant firewall rules will be added

    If you happen to have pixelserv-tls running, the script should allow access to the IP for that as well, so guests can benefit from ad-blocking

    If not, let me know and we'll get to troubleshooting!
     
    SMS786 likes this.
  11. kernol

    kernol Occasional Visitor

    Joined:
    Feb 24, 2018
    Messages:
    21
    Location:
    South Africa
    Hi Jack

    Pleased to confirm ... fully installed YazFi guest again ... and it's a keeper - many thanks for a great add-on.
    Hopping over to your donation link in appreciation.
    Frankly I don't want guests to access my intranet - so content if you chill on that one ;-).

    Brgds
    Kernol
     
    Jack Yaz likes this.
  12. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Thank you for the donation, and I'm glad my script is of use :D
     
  13. carloskar

    carloskar New Around Here

    Joined:
    Nov 10, 2018
    Messages:
    5
    Thanks for a great script!
    It is working almost perfect on my RT-AC66U running 380.70.

    I have one guest network for "untrusted" clients, like an air purifier and a roomba, that use the 192.168.2.0 net on the wl0.1 interface, and the main network at 192.168.1.0 (br0).
    Unfortunately those clients are very quick to connect to the wifi after rebooting the router, and they manage to connect even before the dnsmasq.conf.add script has run so they are always assigned an IP from the main network.
    Any ideas how to remedy this?
     
  14. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    I would have hoped firewall-start would be early enough to stop this...I'll see if there's a way to solve this
     
  15. carloskar

    carloskar New Around Here

    Joined:
    Nov 10, 2018
    Messages:
    5
    I've been looking into this some more.
    I must have been tired back then when I said that clients connected even before dnsmasq.conf.add. That is not the case, or at least I cannot get that behavior anymore.

    But some of my devices are connecting to my guest wifi on wl0.1 but are assigned an IP from the wrong pool after a reboot of the router.
    The common denominator is that they are all connected to the powerline, maybe they retry like crazy when they lose the connection.

    Would it be possible to start YazFi in the dnsmasq.postconf script instead of the firewall-start? And skip the '&' to make the script finish before starting the dnsmasq?
     
  16. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Dropping the & was my first thought. The odd thing is though, that dnsmasq.conf.add is persistent across reboots so dnsmasq starts with that. The real issue is the firewall rules to separate the interface aren't running soon enough. I will PM an updated script with some things re-ordered, to see if that helps.

    I suppose it depends what comes up first, dnsmasq or the firewall. @RMerlin is there a defined service start order please ?
     
    Last edited: Nov 10, 2018
  17. carloskar

    carloskar New Around Here

    Joined:
    Nov 10, 2018
    Messages:
    5
    The "faulty" device is connecting to the guest wifi really early and sending DHCPDISCOVER, see the syslog snippet below.
    If the wl0.1 interface has not been configured with an IP can it respond to dhcp requests?

    Code:
    Aug  1 02:00:35 kernel: nf_nat_rtsp v0.6.21 loading
    Aug  1 02:00:35 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
    Aug  1 02:00:35 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
    Aug  1 02:00:35 YazFi: YazFi v2.2.4 starting up
    Aug  1 02:00:36 rc_service: udhcpc 435:notify_rc start_upnp
    Aug  1 02:00:36 rc_service: waitting "stop_upnp" via udhcpc ...
    Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPDISCOVER(br0) f0:03:8c:b3:4c:67
    Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPOFFER(br0) 192.168.1.159 f0:03:8c:b3:4c:67
    Aug  1 02:00:37 ntp: start NTP update
    
     
  18. carloskar

    carloskar New Around Here

    Joined:
    Nov 10, 2018
    Messages:
    5
    I have managed to get it to work correctly, my solution below.

    The only problem I can see is that at startup because the wifi is activated but not the DHCP then devices can connect but will not be assigned an IP, and some devices might use a fallback IP configuration or disable autoconnect for that wifi network.

    Delay DHCP Startup

    When the router starts the DHCP is, if enabled, running on the br0 interface and if a device connects to a guest network before the YazFi script has finished it will be assigned an IP configuration for the main network.

    The solution for this problem is to enable DHCP for all interfaces only after the YazFi script has finished.
    1. Disable DHCP for all interfaces by adding no-dhcp-interface for br0 and all the guest networks to dnsmasq.conf.add, for example:
      Code:
      no-dhcp-interface=br0
      no-dhcp-interface=wl0.1
      no-dhcp-interface=wl0.2
    2. Modify dnsmasq.postconf so that it deletes the no-dhcp-interface lines added by dnsmasq.conf.add above if the YazFi script has finished:
      Code:
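      #!/bin/sh
      # dnsmasq.postconf: $1 is the path of the generated dnsmasq config
      CONFIG=$1
      source /usr/sbin/helper.sh
      
      # Marker file created by the YazFi script once all networks are configured
      FILE=/tmp/0-enable-dhcp
      if [ -f "$FILE" ]; then
         logger -t "$(basename "$0")[$$]:" "enabling dhcp"
         pc_delete "no-dhcp-interface=br0" "$CONFIG"
         pc_delete "no-dhcp-interface=wl0.1" "$CONFIG"
         pc_delete "no-dhcp-interface=wl0.2" "$CONFIG"
      fi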
    3. Modify the YazFi script to signal dnsmasq.postconf to enable DHCP and then restart dnsmasq after all networks have been configured:
      Code:
      if [ -z "$1" ]; then
         Check_Lock
         Print_Output "true" "YazFi $YAZFI_VERSION starting up"
         Config_Networks
      
         touch /tmp/0-enable-dhcp
         service restart_dnsmasq
      
         exit 0
      fi
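
A way to check for the symptom described in the post above, as an added example that is not part of the thread or of YazFi: it reads dnsmasq lines in the syslog layout shown in the earlier post and reports guest-only devices that were handed an address outside the guest subnet. `GUEST_PREFIX`, `GUEST_MACS` and the function names are assumptions, and the sample log is the post's two dnsmasq lines plus constructed ones.

```shell
#!/bin/sh
# Added example, not part of YazFi or the thread.
# GUEST_PREFIX and GUEST_MACS are assumed names; set them to your own guest
# subnet and to the devices that must only ever live on the guest network.
GUEST_PREFIX="192.168.2."
GUEST_MACS="f0:03:8c:b3:4c:67 02:00:00:00:00:02"

# Read syslog on stdin; print "mac ip interface" once for every guest-only
# device that was offered or acknowledged an address outside the guest subnet.
find_misassigned() {
    awk -v prefix="$1" -v macs="$2" '
        BEGIN {
            n = split(tolower(macs), list, " ")
            for (i = 1; i <= n; i++) guest[list[i]] = 1
        }
        # dnsmasq format: DHCPOFFER(iface) <ip> <mac>, DHCPACK(iface) <ip> <mac> [host]
        $4 ~ /^dnsmasq-dhcp/ && $5 ~ /^DHCP(OFFER|ACK)\(/ {
            iface = $5
            sub(/^[A-Z]+\(/, "", iface)
            sub(/\)$/, "", iface)
            ip = $6
            mac = tolower($7)
            if ((mac in guest) && index(ip, prefix) != 1 && !seen[mac " " ip]++)
                print mac, ip, iface
        }'
}

# Sample input: the two dnsmasq lines from the post above plus constructed lines
sample_log() {
    cat <<'EOF'
Aug  1 02:00:35 YazFi: YazFi v2.2.4 starting up
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPDISCOVER(br0) f0:03:8c:b3:4c:67
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPOFFER(br0) 192.168.1.159 f0:03:8c:b3:4c:67
Aug  1 02:00:36 dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.159 f0:03:8c:b3:4c:67 purifier
Aug  1 02:00:40 dnsmasq-dhcp[312]: DHCPACK(br0) 192.168.1.20 02:00:00:00:00:01 laptop
Aug  1 02:01:10 dnsmasq-dhcp[312]: DHCPACK(wl0.1) 192.168.2.15 02:00:00:00:00:02 roomba
EOF
}

sample_log | find_misassigned "$GUEST_PREFIX" "$GUEST_MACS"
```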
     
  19. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Looks promising!

    Another thought I had, with your fix removed, what happens after a reboot with the devices on the wrong IP and running service restart_wireless?
     
  20. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    1,247
    Question, what have you set for dhcp lease time?