
YazFi Guest Network Isolation - 384.x or 386.x-like?

anonimo

Occasional Visitor
Moving from RMerlin version 384.19 to 386.4 (after a factory reset!) I've learned Guest Network (GN) access means different things to different people. For security I relied upon main network isolation from all the guest networks on 384.x, but on 386.x selecting "Access Intranet" means it's open for all to see rather than 384.x GN normally open specifically for one network on one band. So ... does YazFi act more like 384.x or 386.x for guest network access?
 
This is a follow-up to this thread here.

I think you are still misunderstanding how the "Access Intranet" option works. Probably because you're basing it on tests you did prior to the factory reset. Your final post in that thread said after the reset things started working as expected. In summary, "Access Intranet" does open that one network on one band only. But your original issue was about client isolation.
 
Thank you for the response! If my terminology is imprecise, please let me know. I do want to get it right.

On 384.19 I noticed, for example, my 5Ghz GN1 only accessed items within that single network/band. With 386.4 all items on 5Ghz GN1 are isolated from one another, but when I select "Access Intranet" it sees all bands/networks such as a printer on my main 2.4Ghz network. If one wishes to keep the main network isolated from the guest networks then how can one enable, for example, 5Ghz GN1 to only speak with items on that same network/band. Is YazFi able or is there another path?
 
but when I select "Access Intranet" it sees all bands/networks such as a printer on my main 2.4Ghz network.
Clients on GN1 would not be able to see clients on other guest networks if they have Access Intranet disabled. However, that does help your problem.

If one wishes to keep the main network isolated from the guest networks then how can one enable, for example, 5Ghz GN1 to only speak with items on that same network/band. Is YazFi able or is there another path?
YazFi has options to enable or disable client isolation on each GN individually.
 
Thank you for the response! If my terminology is imprecise, please let me know. I do want to get it right.

On 384.19 I noticed, for example, my 5Ghz GN1 only accessed items within that single network/band. With 386.4 all items on 5Ghz GN1 are isolated from one another, but when I select "Access Intranet" it sees all bands/networks such as a printer on my main 2.4Ghz network. If one wishes to keep the main network isolated from the guest networks then how can one enable, for example, 5Ghz GN1 to only speak with items on that same network/band. Is YazFi able or is there another path?
There appear to be two separate settings being discussed with your statement. "Client Isolation" and "Access Intranet". They perform different functions. Client Isolation is intended to prevent Guest WiFi Clients from communicating with each other on the same Guest WiFi network. Whereas Access Intranet is intended to allow or block all Guest WiFi Clients from accessing the main LAN/WiFi network.

The Asus firmware uses the term "Set AP Isolated" for enabling Client Isolation for WiFi clients. The Set AP Isolated setting is found on the Wireless > Professional tab. And that is more of an all or nothing setting that affects (if I remember right) all Wireless clients on the specific wireless band. The YazFi Client Isolation option is more granular to control access between clients on specific Guest Networks rather than all of the Guest Networks on a wireless band. For example with YazFi one can enable Client Isolation for Guest Network 1 clients but not Guest Network 2 or 3 clients. For more granular control one can use custom rules in YazFi. See the section called Custom firewall rules on the YazFi GitHub.

YazFi has further options to only allow traffic from the LAN to the Guest WiFi using the One way to Guest and Two way to Guest YazFi options. See the YazFi GitHub page for more information on what those two specific settings do, or click on the text for each option in the YazFi GUI for the information popup.
 
Thank you. These clarifications are very helpful.

As an fyi, my house is of adobe construction so all main and guest network connections are via WiFi.

I see the "Set AP Isolated" switch and had the impression that it impacted all, i.e., both the main and guest networks, so have it set to "No" as I do wish all items on the main networks to speak to one another. This is an all-or-nothing switch, yes?

If I wish the main and guest network isolated from one another, but still wish all items on a specific guest network/band, e.g. 5GN-2, to only speak among themselves then it sounds like YazFi is the appropriate path?

It appears, since the 384.x to 386.x codebase switch, that type of guest network isolation isn't possible via firmware selection, yes?

EDIT: To answer a previous question for ColinTaylor; I have four WiFi networks on my RT-AC5300 with three as guest networks.
 
I see the "Set AP Isolated" switch and had the impression that it impacted all, i.e., both the main and guest networks, so have it set to "No" as I do wish all items on the main networks to speak to one another. This is an all-or-nothing switch, yes?

If I wish the main and guest network isolated from one another, but still wish all items on a specific guest network/band, e.g. 5GN-2, to only speak among themselves then it sounds like YazFi is the appropriate path?
See Asus's explanation of what Set AP Isolated does (default setting: No):

If all you want to do is prevent Guest WiFi clients (ex: 5GN-2) from accessing the main LAN then set Guest WiFi Access Intranet to Disable. Guest WiFi clients on, for example 5GN-2, should still be able to access each other on 5GN-2, but not 5GN-1 or 5GN-3. You likely wouldn't need to use YazFi if that's all you want to accomplish.

What YazFi does is create additional options and settings and Guest Network control for those Guest Network Clients.
 
Thank you for the feedback. I just tested it.

When I have “Set AP Isolated” to “No” & “Access Intranet” to “Disable” then no item on the same network/band, e.g., 5Ghz-GN2, is able to communicate with one another. If I change “Access Intranet” to “Enable” then everything is open to everything else. It appears the current 386.x firmware does not permit communication between items on the same network/band anymore – it is all or nothing.

It appears YazFi is the way.
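
A way to confirm, from a client joined to one guest network, which of the behaviours discussed in this thread a given firmware or YazFi configuration actually produces. This is an added example, not part of the original posts; the addresses, ports and labels are constructed placeholders, and every target is assumed to be powered on and listening on the listed port.

```python
import socket

# Constructed test plan for a client on guest network 5GN-2 with
# "Access Intranet" disabled. "expect" is what the intended policy allows.
PLAN = [
    {"label": "peer on same guest network", "host": "192.168.2.20", "port": 80, "expect": "open"},
    {"label": "printer on main LAN", "host": "192.168.1.50", "port": 9100, "expect": "blocked"},
    {"label": "client on another guest network", "host": "192.168.3.20", "port": 80, "expect": "blocked"},
]


def tcp_probe(host, port, timeout=2.0):
    """Return 'open', 'blocked' or 'inconclusive' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Either the host itself or a firewall REJECT rule answered;
        # the client cannot tell which, so do not count it either way.
        return "inconclusive"
    except OSError:
        # Timeout, no route or host unreachable: nothing answered.
        return "blocked"


def audit(plan, probe=tcp_probe):
    """Probe every target; return the rows whose result contradicts 'expect'."""
    findings = []
    for target in plan:
        seen = probe(target["host"], target["port"])
        if seen != target["expect"]:
            findings.append({**target, "seen": seen})
    return findings


if __name__ == "__main__":
    problems = audit(PLAN)
    for row in problems:
        print(f"MISMATCH {row['label']}: expected {row['expect']}, saw {row['seen']}")
    if not problems:
        print("Isolation matches the intended policy for all targets.")
```

Run it once from a client on each guest network after changing "Set AP Isolated", "Access Intranet" or the YazFi options, so a setting that silently isolates same-network clients or opens the main LAN shows up as a mismatch.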
 
