YazFi YazFi Guest Network unable to access Pi-Hole DNS server

[buzzy]

I couldn't quite find this exact situation in searching the forum. I have a Pi-Hole connected via non-Guest WIFI working well as the LAN's DNS (not DHCP) server for a whle. The PI-Hole DNS is set to "permit all origins." I recently installed YazFi and if I use a public DNS such as Cloudflare (1.1.1.1) for the Guest VLAN, it works fine. If I switch the Guest VLAN DNS to my Pi-Hole, the devices connected to my Guest VLAN state "Connected, no Internet". DNS DIrector is OFF. Internet and Intranet access are both on. How do I make this work? I have the PI-Hole server set on my LAN DNS setting because I want to be able to keep detailed logs by device (individual IP). I also want to eventually turn on Client Isolation, but this is not as important right now.
Does anyone have any thoughts on this?

 

[cptnoblivious]

There is no communication between the guest and main network unless you allow it. The "Two way to guest" and "One way to guest" boxes are clearly set to "no" so no traffic will pass.

 

[buzzy]

I enabled Two way to Guest, but the Guest VLAN can't reach the Pi-Hole, and it still states "Connected, no Internet"

 

[bennor]

@buzzy, For starters do not use IP address range 192.168.100.x or 192.168.101.x. The Asus firmware sets aside both of those IP address ranges, possibly for AiMesh/Guest Network #1 use. If you have problems using Guest Network #1, you may want to avoid using it and use Guest Network #2 and or #3 instead. Asus treats Guest Network #1 slightly differently since it uses it for AiMesh apparently. Each YazFi IP address range must be unique and not the same as the main LAN IP address range.

No issues running PI-Holes with YazFi (for years) once configured properly. Example that has been working for my setup:
YazFi with two main LAN Pi-Hole IP addresses in DNS Server fields:

Pi-Hole Interface Setting (may or may not have to use the respond only on a specific network interface setting):

 

[bennor]

There is no communication between the guest and main network unless you allow it.

YazFi is supposed to allow certain traffic (ICMP, DHCP, DNS, NTP and NetBIOS) through to the main router and allow users to use a local DNS server like Pi-Hole.
https://github.com/jackyaz/YazFi
https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-PiHole-and-Reverse-DNS-records

 

[buzzy]

@buzzy, For starters do not use IP address range 192.168.100.x or 192.168.101.x. The Asus firmware sets aside both of those IP address ranges, possibly for AiMesh/Guest Network #1 use. If you have problems using Guest Network #1, you may want to avoid using it and use Guest Network #2 and or #3 instead. Asus treats Guest Network #1 slightly differently since it uses it for AiMesh apparently. Each YazFi IP address range must be unique and not the same as the main LAN IP address range.

No issues running PI-Holes with YazFi (for years) once configured properly. Example that has been working for my setup:
YazFi with two main LAN Pi-Hole IP addresses in DNS Server fields:


Pi-Hole Interface Setting (may or may not have to use the respond only on a specific network interface setting):

OK, I changed it the IP away from 192.168.100.0, but there was no change (with the Two-Way to Guest enabled). Then I copied all of your settings for YazFi and PiHole, and it worked. I slowly undid the changes back to my original settings and Pi-Hole continued working I finally disabled the "Two-Way to Guest" setting. I am not sure why this is the case, but it seems to defeat the purpose. I'd like all the clients on this Guest VLAN to see each other, but not the main LAN. After further tinkering, I am able access my pi-Hole if I enable either:

• Two-Way to Guest, OR
• Client Isolation

Still not ideal, but much better than my original situation. Thanks, @bennor

 

[buzzy]

Update: Client Isolation enabled and Two-Way to Guest disabled worked for about 10 minutes, then failed. And now Client Isolation disabled and Two-Way to Guest enabled no longer works, either. I'll have to tinker with these later.

 

[bennor]

You don't need Two Way to Guest or Client Isolation enabled to ping a YazFi client on the same band. The YazFi clients should be able to see each other on the Guest Network with Client Isolation disabled. Note that Two Way to Guest is: "Should LAN/Guest Network traffic have unrestricted access to each other?"
Example setup that allows YazFi clients on the same WiFi band to ping each other:
YazFi 5Ghz Settings:

YazFi Client PC pinging YazFi Client Android Phone:

YazFi Client Android pinging YazFi Client Windows PC:

Its possible that if the YazFi client is disconnecting and reconnecting every 10 minutes that may be a standard Asus setting or a non YazFi setting (ETA: maybe the Group Key Rotation Interval setting on the WiFi - General page?). See it happening with my WiFi clients where they disconnect and reconnect at specific intervals in the system log. If you are having issues check the System Log to see if it indicates any errors or warning around the time the issue starts.

A final note. YazFi doesn't work on AiMesh nodes, it only works on the main router it's running on.
Post edited to add context/information.

 

[buzzy]

You don't need Two Way to Guest or Client Isolation enabled to ping a YazFi client on the same band. The YazFi clients should be able to see each other on the Guest Network with Client Isolation disabled.

After spending more time testing and pinging back and forth with different settings, I think these basic settings are working as expected. I think the problem is that YazFi clients aren't connecting to the pi-hole DNS server. I am not sure if this is a problem with Asus-wrt, YazFi, or Pi-Hole.

Its possible that if the YazFi client is disconnecting and reconnecting every 10 minutes that may be a standard Asus setting or a non YazFi setting (ETA: maybe the Group Key Rotation Interval setting on the WiFi - General page?). See it happening with my WiFi clients where they disconnect and reconnect at specific intervals in the system log. If you are having issues check the System Log to see if it indicates any errors or warning around the time the issue starts.

Even if this were the case, shouldn't it still be able to connect to the pi-hole DNS server intermittently?

A final note. YazFi doesn't work on AiMesh nodes, it only works on the main router it's running on.

No AiMesh enabled here.

 

[buzzy]

My pi-hole is connected to my main LAN via WIFI (no AP isolation), and I can't hardwire it since it doesn't have a network port. I am not sure if this is part of the issue. The main LAN clients (wired and wireless) have no problem using the pi-hole DNS server. It's just the YazFi VLAN clients that can't connect to it.

 

[sfx2000]

I have a Pi-Hole connected via non-Guest WIFI working well as the LAN's DNS (not DHCP) server for a whle.

PiHole's were never intended to be over WiFi - they're interesting boxes, but best served over Ethernet...

 

[buzzy]

PiHole's were never intended to be over WiFi - they're interesting boxes, but best served over Ethernet...

Unfortunately, I am running it on a Pi Zero W. Maybe that's the issue

 

[sfx2000]

Unfortunately, I am running it on a Pi Zero W. Maybe that's the issue

Get a better Pi...

 

[Tech9]

It's just the YazFi VLAN clients that can't connect to it.

YazFi doesn't use VLANs. Pi-hole on RPi on Wi-Fi works well, tested. Your issue is around YazFi.

 

[bennor]

@buzzy, How is your Raspberry Pi Zero Pi-Hole Settings > DNS > Interface Settings section configured? Are you using the Recommended setting of Allowing only local requests? If so try using Respond only on interface option under the Potentially dangerous section. Reboot the Raspberry Pi Zero after making that setting change and then test if YazFi clients are using the Pi-Hole.

PI-Hole runs fine on the Pi Zero. While most will recommend using Ethernet/RJ-45 micro USB adapter with a Pi Zero, one can use the WiFi on the Pi Zero. I ran my Pi Zero W Pi-Hole via WiFi for almost a year a while back and it worked fine. Have since moved to using a micro USB Ethernet adapter because I had a adapter sitting around unused. Various places sell the micro USB Ethernet adapters.

I don't think you listed your router (unless I missed it), but another option if one doesn't want to buy a USB Ethernet adapter is to use USB Gadget Mode with the Pi Zero and Asus router. Experimented with this option a while back on a RT-AC68U and it works once setup properly. See my write up about it (using the RT-AC68U) here:
https://discourse.pi-hole.net/t/pi-zero-w-usb-ethernet-gadget-with-asus-router-fix/19352
Some recent discussion on getting Gadget Mode working on AX series routers here:
https://www.snbforums.com/threads/r...thernet-gadget-not-working.56182/#post-884718

 

[bennor]

@buzzy, A quick and dirty example indicated below of a Pi-Zero W connected to the main LAN's 2.4Ghz WiFi running Pi-Hole working with a YazFi client. After doing this quick and dirty reconfiguration, I now remember why I had to use Respond only on interface option in the DNS setting section of the Pi-Hole interface. Failure to use this setting causes YazFi clients not to complete DNS requests (and possibly not have internet access).

The Pi Zero W connected to RT-AX86U Pro via 2.4Ghz WiFi:

The RT-AX86U Pro YazFi Guest Network #2 5Ghz settings:
Note: The wireless Pi Zero W is denoted in the Yellow box (DNS 2) and a disconnected Pi is denoted in the red box (DNS 1). By disconnecting the DNS 1 Pi, DNS requests flow to the DNS 2 Pi Zero W.

Wireless Pi Zero W Pi-Hole DNS setting:
Note: I am using Unbound on the Pi Zero W as indicated the the custom 1 (IPv4) entry. I use the Respond only on interface wlan0 selection otherwise DNS requests by the YazFi client failed if I used the Allow only local requests option. It is also likely using the Allow only local requests option was the cause for YazFi client not having internet access until I selected/applied the Respond only on interface wlan0 option.

Wireless Pi Zero W Pi Hole Recent Queries showing YazFi client (192.168.7.143) requests:

Additional comments: There may be other ways to set this up and get it working, but the above is what works for my configuration with a wireless Pi Zero W in a quick and dirty test. It is possible one can use the other options listed under Potentially dangerous option section on the Pi-Hole DNS settings page. One may have to experiment to find what works for their specific setup if Respond only to interface wlan0 doesn't work properly.

 

[buzzy]

YazFi doesn't use VLANs. Pi-hole on RPi on Wi-Fi works well, tested. Your issue is around YazFi.

Oops, forget to hit the "Post" button a couple hours ago, so this is a late replay ....

Sorry, as a non-technically trained user, I am probably misusing the term VLAN. I probably should using the term "subnet" instead. I had trouble installing SkyNet (see link) but the YazFi installed smoothly as far as I could tell. Maybe there was an installation problem with YazFi?

 

[buzzy]

I remembered that I had manually assigned IP address to the devices, so I undid that. On Pi-hole, I changed it to the DNS settings to "Respond Only to WLAN0" and also "Permit all Origins' but no luck with either of them. I have tried using Unbound (installed on Pi-Hole) vs. using Cloudflare, but it has made no difference.

For some reason, when I use my Chromebook on the YazFi network, it gives me the "Sign in to Network" but I don't have a Captive Portal installed as far as I know.

 

[buzzy]

Wireless Pi Zero W Pi-Hole DNS setting:
Note: I am using Unbound on the Pi Zero W as indicated the the custom 1 (IPv4) entry. I use the Respond only on interface wlan0 selection otherwise DNS requests by the YazFi client failed if I used the Allow only local requests option. It is also likely using the Allow only local requests option was the cause for YazFi client not having internet access until I selected/applied the Respond only on interface wlan0 option.

Wireless Pi Zero W Pi Hole Recent Queries showing YazFi client (192.168.7.143) requests:
View attachment 56145

Additional comments: There may be other ways to set this up and get it working, but the above is what works for my configuration with a wireless Pi Zero W in a quick and dirty test. It is possible one can use the other options listed under Potentially dangerous option section on the Pi-Hole DNS settings page. One may have to experiment to find what works for their specific setup if Respond only to interface wlan0 doesn't work properly.

Pi-hole has log entries for my Chromebook when it is connected to my main WIFI AP.
When I switch to Yazfi and I have "Two Way to Guest" enabled, I have internet but no Pi-Hole entries.
When I use Yazfi and disable "Two Way to Guest", I have no internet and no Pi-Hole entries.

Huh?

 

[buzzy]

I don't think you listed your router (unless I missed it), but another option if one doesn't want to buy a USB Ethernet adapter is to use USB Gadget Mode with the Pi Zero and Asus router. Experimented with this option a while back on a RT-AC68U and it works once setup properly. See my write up about it (using the RT-AC68U) here:

Sorry, I didn't specify. Yes, it's an RT-AC68U