YazFi for IoT devices and control over network communication

lluke

Occasional Visitor
I’m trying to restructure my network to improve security through segregation of devices (personal vs IoT) and I have some doubts to get answered before actually starting to implement it through YazFi (breaking the entire network for a couple of days to experiment is unfortunately not an option).

I’ve thus identified 5 classes of devices whose behaviour and capabilities inside my network I’d like to manage properly.

| Group | Interface | Internet Access | Client isolation | Access to | Accessible from |
|---|---|---|---|---|---|
| 1. IoT Server/Hub | Ethernet | Y | N | IoT Manageable from local | IoT Manageable from local, Personal devices |
| 2. IoT Manageable from remote only | WiFi (Guest #2) | Y | Y | No internal access | IoT Server/Hub |
| 3. IoT Manageable from local | WiFi (Guest #3) | On demand (OTA updates) | Y | IoT Server/Hub | IoT Server/Hub, Personal Devices |
| 4. Personal Devices | WiFi | Y | N | IoT Server/Hub, IoT Manageable from remote only, IoT Manageable from local | Personal Devices |
| 5. Guest Personal Devices | WiFi (Guest #1) | Y | Y | No internal access | Not accessible from anyone |


I’ve tried to achieve this only through the “basic” Asus Guest Networks plus some ebtables rules but I’ve failed like a noob, so I’m evaluating a move to YazFi to achieve this setup.
My idea is to set up the 3 Guest Networks from YazFi as follows:

  • GN 1 (Guest Personal Devices): Enabled, Router IP as DNS Server (I’m already using Unbound), One/Two way to guest disabled, Client Isolation enabled
  • GN 2 (IoT Remote Only): Enabled, Router IP as DNS Server, One way to guest enabled, Client Isolation enabled
  • GN 3 (IoT Local): Enabled, Router IP as DNS Server, Two way to guest enabled, Client Isolation enabled, Disable internet access for each device from Network map
Q1: Can you confirm this setup will let me achieve the needs described in the table above?

Q2: I’ve then a question about routing and multicast/mdns, can you confirm that since YazFi is not using VLANs but only subnetting if I enable One or Two Way Guest then I’ll be able to cast my content from clients on the standard WiFi network to a receiver connected to a Guest Network?

An additional point is about IP reservation: I’ll need to reserve a lot of IPs, and as far as I understand the only way to achieve this is through the “dnsmasq.postconf” file.
Q3: Can you confirm there is no way to achieve this from the router’s UI, even by using YazDHCP?

bennor

Very Senior Member
A couple of comments. Generally YazFi should be able to do what you are seeking. You may have to do some additional scripting if you want to configure specific guest WiFi clients to have access to a specific LAN client. YazFi allows for this through its Custom Firewall Rules. There are some discussions in other YazFi threads about how to use custom firewall rules to handle specific YazFi guest clients and/or pass specific network traffic through the firewall to/from the LAN or WAN.

Currently YazDHCP doesn't affect static YazFi guest clients, nor does the router's DHCP Manual Assignment GUI affect static YazFi guest clients. Jack Yaz has commented on it being planned to support YazFi in YazDHCP, but apparently it hasn't been included yet. Currently one has to use a /jffs/scripts/dnsmasq.postconf file to create static/reserved IP addresses for YazFi clients. While it may take some time to set up properly the first time, unless one is constantly adding and removing YazFi guest clients from the file it should not be much of an issue to back up and restore if one needs to. See my post here with some general steps for doing static/reserved IP addresses with YazFi. Keep in mind you will not see the YazFi static IP mappings reflected in the Asus-Merlin Network Map. Instead they are reflected in the System Log > Wireless Log.

Note that YazFi only deals with WiFi guest clients and traffic from/to them. YazFi won't isolate LAN clients and will not include LAN clients into YazFi's IP address scope.
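Worked example, added here and not part of bennor's post nor of YazFi's or Asuswrt-Merlin's own code: a /jffs/scripts/dnsmasq.postconf that appends dnsmasq dhcp-host= reservations for YazFi guest clients. Asuswrt-Merlin invokes the script with the path of the generated dnsmasq config as $1. The Guest #2 and Guest #3 subnets (192.168.2.0/24 and 192.168.3.0/24), the MAC addresses and the hostnames are all made up for the example. Each entry is validated against its guest subnet before anything is written, because a reservation that lands in the wrong subnet would quietly move a device across the segregation being built.

```shell
#!/bin/sh
# Added example, not YazFi's or Asuswrt-Merlin's own code: a
# /jffs/scripts/dnsmasq.postconf that appends one "dhcp-host=" line per
# YazFi guest client. Asuswrt-Merlin calls it with the generated dnsmasq
# config path as $1; with no $1 (e.g. when checking it on a workstation)
# nothing is appended.
# Assumed values: Guest #2 is 192.168.2.0/24, Guest #3 is 192.168.3.0/24,
# and the MAC addresses below are made up.

# Constructed reservation table, one per line:
#   <guest subnet prefix> <MAC> <fixed IP> <hostname>
RESERVATIONS='
192.168.2 AA:BB:CC:00:00:01 192.168.2.10 cam-front
192.168.2 AA:BB:CC:00:00:02 192.168.2.11 cam-back
192.168.3 AA:BB:CC:00:00:03 192.168.3.20 smart-plug
'

# Print the dhcp-host line for one reservation. Returns 1 (printing nothing)
# if the MAC is malformed or the IP is not a host address inside the stated
# guest subnet, so a typo cannot park a device on a dynamic lease elsewhere.
dhcp_host_line() {
    prefix="$1" mac="$2" ip="$3" name="$4"
    hx='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$mac" in
        $hx:$hx:$hx:$hx:$hx:$hx) ;;
        *) return 1 ;;
    esac
    [ "${ip%.*}" = "$prefix" ] || return 1
    last="${ip##*.}"
    case "$last" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$last" -ge 2 ] && [ "$last" -le 254 ] || return 1
    printf 'dhcp-host=%s,%s,%s\n' "$mac" "$ip" "$name"
}

# Render every line of a reservation table (defaults to RESERVATIONS).
# Fails on the first bad entry; the caller appends only a fully valid table.
render_reservations() {
    list="${1:-$RESERVATIONS}"
    printf '%s\n' "$list" | while read -r prefix mac ip name; do
        [ -n "$prefix" ] || continue
        dhcp_host_line "$prefix" "$mac" "$ip" "$name" || {
            echo "dnsmasq.postconf: rejected reservation: $mac $ip" >&2
            exit 1
        }
    done
}

CONFIG="${1:-}"
if [ -n "$CONFIG" ]; then
    if lines=$(render_reservations); then
        printf '%s\n' "$lines" >> "$CONFIG"
        logger -t dnsmasq.postconf "appended YazFi reservations to $CONFIG"
    else
        logger -t dnsmasq.postconf "reservation table rejected, nothing appended to $CONFIG"
    fi
fi
```

Save it as /jffs/scripts/dnsmasq.postconf, make it executable (chmod +x) and restart dnsmasq (service restart_dnsmasq). Because the whole table is validated before a single line is appended, a bad entry leaves the config untouched and a message in the system log instead of a half-applied list; as bennor notes, the resulting mappings show up under Wireless Log rather than in the Network Map.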

lluke

Occasional Visitor
Thanks a lot @bennor for the response and for the super useful links!

I’m now defining the subnets, the DHCP reservations, and the firewall rules I should use for my needs, and then I’ll give YazFi a try.

About your last point on LAN client isolation, I’m aware of it and it’s fine since I should be able to reach the IoT server (Homebridge) from any device connected to the network (iPhone, iPad, Mac, and local IoT).

The only remaining doubt now is about multicast for casting (Google Chromecast), will it work if the Client is on the main network and the receiver is on a Guest network with One Way access enabled?

bennor

Very Senior Member
The only remaining doubt now is about multicast for casting (Google Chromecast), will it work if the Client is on the main network and the receiver is on a Guest network with One Way access enabled?
It should work. If one doesn't enable One Way to Guest or Two Way to Guest then as previously indicated one may have to use custom firewall rules as detailed in YazFi's github page and as others have discussed in other YazFi discussions.

lluke

Occasional Visitor
I’ve finally managed to find some time to destroy and rebuild my network from scratch.
I’m 95% done applying the solution I was asking about in the first post, so we can say YazFi is definitely the solution for this kind of need!

I have only one last point to solve: basically some IoT devices don’t cope very well with living on a different subnet than the bridge device.
They will work only if, on the router, the communication between the bridge and the device is set up as “MASQUERADE”; if I’m not wrong this means adding a NAT layer to these communications.

So if I add the rule below, is it compatible with YazFi? If yes, what is the best place to add this rule?

Code:
iptables -t nat -A POSTROUTING -s __IOT_HUB_IP__/32 -d __GUEST_2_SUBNET__/24 -p UDP -j MASQUERADE --to-ports 54321

bennor

Very Senior Member
So that if I should add the rule below, is it compatible with YazFi? If yes, which is the best place to add this rule?

Code:
iptables -t nat -A POSTROUTING -s __IOT_HUB_IP__/32 -d __GUEST_2_SUBNET__/24 -p UDP -j MASQUERADE --to-ports 54321
You could try using the YazFi custom firewall rules example file as a place to put that rule. Per my earlier post, see the Custom Firewall Rules section of the YazFi GitHub for an example of the custom firewall rules file YazFi can use.

https://github.com/jackyaz/YazFi#custom-firewall-rules
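Worked example, added here and not part of bennor's post nor YazFi's own code: a custom firewall rules script of the kind the linked README section describes, placed in the directory YazFi executes after applying its own rules (assumed here to be /jffs/addons/YazFi.d/userscripts.d/; confirm against the README). It adds the MASQUERADE rule from the post with an `-C` check first, so a firewall restart or a YazFi re-run never stacks duplicate copies. The hub address 192.168.1.10, the Guest #2 subnet 192.168.2.0/24 and the /jffs/scripts/YazFi path test used to detect the router are assumptions; off the router the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not YazFi's own code: custom firewall rules script for the
# directory YazFi runs after its own rules (assumed /jffs/addons/YazFi.d/
# userscripts.d/; check the README). Adds the MASQUERADE rule from the post
# idempotently.
# Assumed values, override via the environment if yours differ:
IOT_HUB_IP="${IOT_HUB_IP:-192.168.1.10}"        # IoT hub on the LAN
GUEST_2_SUBNET="${GUEST_2_SUBNET:-192.168.2.0/24}"  # YazFi Guest #2 subnet
SNAT_PORTS="54321"   # source port range MASQUERADE --to-ports will use

# Stand-in for iptables when this script is reviewed off the router: treats
# every "-C" as "rule absent" and prints the command that would be run.
print_iptables() {
    case " $* " in *" -C "*) return 1 ;; esac
    printf 'iptables %s\n' "$*"
    return 0
}

# Use the real iptables only where YazFi is installed (assumed path).
if [ -x /jffs/scripts/YazFi ]; then
    IPT=iptables
else
    IPT=print_iptables
fi

# Append a rule unless an identical one already exists.
# Usage: ensure_rule <table> <chain> <rule spec...>
ensure_rule() {
    table="$1" chain="$2"
    shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0            # already present, nothing to do
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# The rule from the post, kept as narrow as possible: one source host, one
# destination subnet, UDP only. MASQUERADE makes the hub's packets leave with
# the router's own Guest #2 address, which is what the picky devices expect;
# --to-ports fixes the source port range they are sent from.
apply_rules() {
    ensure_rule nat POSTROUTING \
        -s "$IOT_HUB_IP/32" -d "$GUEST_2_SUBNET" -p udp \
        -j MASQUERADE --to-ports "$SNAT_PORTS"
}

apply_rules
```

Make the file executable, then restart the firewall (service restart_firewall) or re-apply YazFi and check the result with `iptables -t nat -L POSTROUTING -n -v --line-numbers`: the rule should appear exactly once no matter how many times the script has run. Note that with MASQUERADE in place the guest devices see the router, not the hub, as the peer, so their own logs will not show the hub's real address.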

lluke

Occasional Visitor
You could try using the YazFi custom firewall rules example file as a place to put that rule. Per my earlier post, see the Custom Firewall Rules section of the YazFi GitHub for an example of the custom firewall rules file YazFi can use.

https://github.com/jackyaz/YazFi#custom-firewall-rules
Ah-ah it works!!! Routing, integrations and HomeKit work like a charm also after a restart.

Mega thanks for the support @bennor , now I can finally say my network is properly segregated and secure!
