YazFi isolation of guest networks


kobi

New Around Here
Hi,
First of all thanks for your great work!!

I am currently testing YazFi on a freshly installed RT-AX68S (388.2) and found some strange behavior, or at least I think it is strange.
I have created 2 guest networks, see config here:
config.jpg


The devices in the same guest network are perfectly isolated from each other. Also the LAN devices cannot be accessed from any guest network.
However devices in guest network 1 can access devices in guest network 2.
If I disable ONEWAYTOGUEST then they cannot access each other but then they obviously also cannot be accessed from LAN.
I have tried to reconfigure it several times and even did a fresh install.

I would in this configuration expect that clients in different guest networks are isolated from each other.
Is this normal behavior? Any idea what I do wrong?

I have a YazFi diagnostics file ready in case someone can review this.

Thanks for your help!
 
Standard question. Are you using AiMesh? If so YazFi doesn't work on mesh nodes.

A suggestion, try using Guest 2 and 3 rather than Guest 1 and 2 and see if the issue persists. The Asus firmware, that Asus-Merlin is based on, apparently treats Guest 1 differently, in part due to using it for AiMesh (or something like that).

Edit to add: Also you appear to have set your DNS servers on the Guest WiFi to one of the Guest WiFi clients in the same Guest WiFi network. That might potentially present issues due to client isolation.
 
Thanks for the fast reply!

No AiMesh.
DNS is configured to use the router's IP in the guest network and not a client. This is a configuration also shown in the Documentation.
Is this wrong in my case?

As suggested I have tried Guest 2 and 3 and there everything works as expected. So it really seems to be somehow related to Guest 1.
Is there anything I can do to get this fixed?
I was planning to use all three 2,4GHz guest networks.
 

Yes the example in the documentation shows it but note that the example does not have client isolation enabled. Either way you will need to test to ensure it works with client isolation enabled.

The Guest 1 issue is what it is, and has been around for some time now. You'd likely have to complain directly to Asus about why their firmware coding (likely for AiMesh) is treating Guest 1 differently than Guest 2 and higher.
 
I did many more tests in the last weeks and the issue seems to be really related only to guest1.
I have found the matching forward rules in iptables:
  • Rule 10 matches if a device in guest1 pings a device in guest2
  • Rule 9 matches if the device in guest2 replies via ping to the device in guest1
  • Rule 11 matches if a device in guest2 tries to ping a device in guest1 but cannot reach it (dropped, no reply)

Code:
Chain YazFiFORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 ACCEPT     all  --  wl0.3  !eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  !eth0  wl0.3   0.0.0.0/0            0.0.0.0/0          
3        0     0 YazFiREJECT  all  --  wl0.3  !eth0   0.0.0.0/0            0.0.0.0/0          
4        0     0 ACCEPT     all  --  wl0.3  *       0.0.0.0/0            0.0.0.0/0          
5        0     0 DROP       all  --  tun1+  wl0.2   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
6        0     0 DROP       all  --  eth0   wl0.2   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
7        0     0 YazFiREJECT  all  --  wl0.2  tun1+   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
8      537 34376 YazFiREJECT  all  --  wl0.2  eth0    0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
9        8   480 ACCEPT     all  --  wl0.2  !eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10       8   480 ACCEPT     all  --  !eth0  wl0.2   0.0.0.0/0            0.0.0.0/0          
11     145 12180 YazFiREJECT  all  --  wl0.2  !eth0   0.0.0.0/0            0.0.0.0/0          
12       0     0 ACCEPT     all  --  wl0.2  *       0.0.0.0/0            0.0.0.0/0          
13       0     0 ACCEPT     all  --  wl0.1  !eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
14       0     0 ACCEPT     all  --  !eth0  wl0.1   0.0.0.0/0            0.0.0.0/0          
15       0     0 YazFiREJECT  all  --  wl0.1  !eth0   0.0.0.0/0            0.0.0.0/0          
16      72 13289 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0



When I look at these rules and how they match then I think that Rule 3, 10 and 14 should be set to YazFiREJECT instead of ACCEPT.
Is it possible that this is an error in the config?

Code:
iptables -R YazFiFORWARD 2 ! -i eth0 -o wl0.3 -j YazFiREJECT
iptables -R YazFiFORWARD 10 ! -i eth0 -o wl0.2 -j YazFiREJECT
iptables -R YazFiFORWARD 14 ! -i eth0 -o wl0.1 -j YazFiREJECT

Thanks for helping!
 
Did some more research and found out that what I proposed in my last post was wrong.

Here is the proper solution.
An additional iptables rule is needed that separates the guest networks from each other if one-way-guest is enabled.
Example:
Code:
iptables -I YazFiFORWARD 9 -i wl+ -o wl0.2 -j YazFiREJECT

Here is how the whole YazFiFORWARD chain looks for me:
(lines 9 and 14 have been added)
Code:
Chain YazFiFORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination       
1        0     0 YazFiREJECT  all  --  wl0.3  !eth0   0.0.0.0/0            0.0.0.0/0         
2        0     0 YazFiREJECT  all  --  !eth0  wl0.3   0.0.0.0/0            0.0.0.0/0         
3        0     0 ACCEPT     all  --  wl0.3  *       0.0.0.0/0            0.0.0.0/0         
4        0     0 DROP       all  --  tun1+  wl0.2   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
5        0     0 DROP       all  --  eth0   wl0.2   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
6        0     0 YazFiREJECT  all  --  wl0.2  tun1+   0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
7        0     0 YazFiREJECT  all  --  wl0.2  eth0    0.0.0.0/0            0.0.0.0/0            /* YazFi 2.4GHz 2 block internet */
8        0     0 ACCEPT     all  --  wl0.2  !eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
9        0     0 YazFiREJECT  all  --  wl+    wl0.2   0.0.0.0/0            0.0.0.0/0         
10       0     0 ACCEPT     all  --  !eth0  wl0.2   0.0.0.0/0            0.0.0.0/0         
11       0     0 YazFiREJECT  all  --  wl0.2  !eth0   0.0.0.0/0            0.0.0.0/0         
12       0     0 ACCEPT     all  --  wl0.2  *       0.0.0.0/0            0.0.0.0/0         
13       0     0 ACCEPT     all  --  wl0.1  !eth0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
14       0     0 YazFiREJECT  all  --  wl+    wl0.1   0.0.0.0/0            0.0.0.0/0         
15       0     0 ACCEPT     all  --  !eth0  wl0.1   0.0.0.0/0            0.0.0.0/0         
16       0     0 YazFiREJECT  all  --  wl0.1  !eth0   0.0.0.0/0            0.0.0.0/0         
17       0     0 ACCEPT     all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0

I also tried to update the YazFi script myself. In my tests everything works well.
Now I also created a pull request with my changes.

This is my first pull request and git is new for me so I am not sure if I did it right.
Please let me know in case I should change anything or if you have any other feedback. Thanks!

 
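The ordering problem described in the post above can be reproduced without a router. The following Python is an added example, not YazFi's own code: it rebuilds the posted YazFiFORWARD chain as first-match rules (interface names as in the thread; br0 as the LAN bridge is an assumption) and evaluates sample packets with and without the added wl+ reject rule, generalizing the per-guest rule block to any set of guest interfaces.

```python
from fnmatch import fnmatchcase

EST = "RELATED,ESTABLISHED"

def match(spec, iface):
    """iptables interface spec: '*' any, 'wl+' prefix wildcard, '!x' negation."""
    if spec == "*":
        return True
    negated = spec.startswith("!")
    return fnmatchcase(iface, spec.lstrip("!").replace("+", "*")) != negated

def guest_block(iface, one_way=True, block_internet=False, isolate=False):
    """Per-guest rules as (in, out, target, state), reconstructed from the
    posted YazFiFORWARD chain; isolate=True adds the 'wl+' reject rule."""
    rules = []
    if block_internet:  # the "block internet" rules seen for wl0.2
        rules += [("tun1+", iface, "DROP", ""), ("eth0", iface, "DROP", ""),
                  (iface, "tun1+", "YazFiREJECT", ""), (iface, "eth0", "YazFiREJECT", "")]
    if not one_way:     # ONEWAYTOGUEST disabled: nothing in from LAN, nothing out to LAN
        return rules + [(iface, "!eth0", "YazFiREJECT", ""), ("!eth0", iface, "YazFiREJECT", ""),
                        (iface, "*", "ACCEPT", "")]
    rules.append((iface, "!eth0", "ACCEPT", EST))           # replies back to LAN
    if isolate:
        rules.append(("wl+", iface, "YazFiREJECT", ""))     # other guests -> this guest
    return rules + [("!eth0", iface, "ACCEPT", ""),         # LAN -> guest, but wl0.x is also "not eth0"
                    (iface, "!eth0", "YazFiREJECT", ""),    # new guest -> LAN connections rejected
                    (iface, "*", "ACCEPT", "")]             # guest -> WAN/VPN

def chain(isolate=False):
    """Full chain in the posted order: wl0.3, then wl0.2 (internet blocked), then wl0.1."""
    return (guest_block("wl0.3", isolate=isolate)
            + guest_block("wl0.2", block_internet=True, isolate=isolate)
            + guest_block("wl0.1", isolate=isolate))

def evaluate(rules, in_if, out_if, established=False):
    """First-match evaluation; returns (rule number, target) or (None, 'policy')."""
    for num, (inp, outp, target, state) in enumerate(rules, 1):
        if state and not established:   # state-qualified rules only see established flows
            continue
        if match(inp, in_if) and match(outp, out_if):
            return num, target
    return None, "policy"

if __name__ == "__main__":
    for name, rules in (("original", chain()), ("with wl+ rule", chain(isolate=True))):
        for src, dst in (("wl0.1", "wl0.2"), ("wl0.2", "wl0.1"), ("br0", "wl0.1"), ("wl0.1", "eth0")):
            print(f"{name:14} {src:>5} -> {dst:<5} {evaluate(rules, src, dst)}")
```

In the original chain a new guest1 to guest2 packet is accepted by rule 10 while guest2 to guest1 is rejected by rule 11, exactly the asymmetry observed above; with the wl+ rule both directions are rejected and LAN to guest and guest to WAN still pass.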

As with any 3rd party addon, there are bound to be combinations that don't work as expected, or Asus makes an update and the 3rd party has to be made aware and catch up. In your case, you've got the fact that Asus treats GW1 differently (yazfi overrides that, but some firewall rules and other settings are still present that yaz doesn't change), you've got a VPN running, and you're running the latest (almost) code. And you're doing the 1-way to guest which not everyone does, plus you have multiple guests (which not everyone has and thus wouldn't have this issue).

Sometimes just the way you go about it has to do with it, if you install yazfi after having enabled the stock guest features, there will be different firewall rules and NVRAM variables than if you never enabled guest, etc. The solution you have is probably your best one at this point. One note, always delete any firewall rule you add before adding it. So do a -D before -I for example. The firewall script gets called twice at startup and anytime the firewall restarts for any reason, so you can end up with a mess of duplicate rules. Deleting a rule that doesn't exist in your script doesn't hurt anything, but it ensures if there is a rule already, it doesn't get duplicated.

@Jack Yaz as a heads up on the GW1 with "one way" enabled allowing GW1 to talk to GW2 and 3 glitch.
 
Ah, I see the issue now.
Code:
-A YazFiFORWARD ! -i eth0 -o wl0.1 -j ACCEPT

which, when multiple networks have 1-way enabled, will allow other guests to connect. That isn't completely incorrect but does conflict with the setting description that the setting is for LAN to Guest traffic. I've merged @kobi's PR to the develop branch; as I am cautious some people may actually want guest to guest communication, an extra setting may be needed before it goes to "master".
 
Maybe add a guest to guest option, which disables/enables the ability to add this rule.

From my point of view, guest to guest should only be allowed if exclusively specified by a separate option, and should definitely not be allowed if client isolation is enabled.

@Martinski , another possible place to share your creativity!
 
That does look like a very good option to add but, ATM, I simply don't have enough free time to set aside for "extracurricular" tasks (e.g. YazFi & YazDHCP) and give them the proper attention that they require. Family & work responsibilities plus personal commitments are taking almost all of my time these days, allowing me just enough free time to decompress, relax & enjoy some moments with my family & close friends.
 
Hey, it's OK, enjoy time with your family. These scripts are dead in development and are not going anywhere anyway.
 