YazFi issues with connecting to DNS on my LAN

[jsn2233]

Router: GT-AX11000
Firmware: 3004.388.11_0_rog

No idea why this is happening. It works for a few days then I will restart my router or come in and change a totally unrelated setting and the guest network isn't able to reach the DNS suddenly. My last router, an AC68U never had this intermittent issue, it just connected to my DNS through the guest.

I thought I resolved the issue when I realized I forgot to disable my router firewall, I disabled it and it worked for awhile, but now the issue has started again and it's so damn annoying.

The DNS is my pihole which permits all origins

Even tried to add a stupid rule that would hopefully do something but no joy:

During the time it doesn't work I can ping something like 1.1.1.1 but if i try to say nslookup google.com 192.168.50.8 - just straight errors. How can I force my guest to use the pi-hole and figure out what's causing the issue? I thought this is what YazFi was for, pinhole access for DNS? Why after power cycling my router a thousand times it starts working again?

 

[bennor]

First DO NOT disable the router firewall unless you have another firewall in place upstream from the router. Even then, it's usually not a good idea to disable the router's firewall.

YazFi does create pinhole's for DNS. There is typically no need to add extra IPTables entries to open up DNS pinholes. If you created extra IPTables DNS pinholes you should remove them and reboot the router.

It may help if you add more context to your setup.
Are you running any additional addon scripts? If so which ones?
Have you added any additional IPTable's scripting? If so what was added?
Are you using AiMesh nodes or AP nodes? If so, YazFi does not work with AiMesh or AP nodes downstream from the main router.
Are you using DNS Director? If so, how is it configured?
How have you configured the router to use Pi-Hole? Have you included the YazFi guest networks (properly) in Pi-Hole's Settings > DNS> Conditional Forwarding section?
What version of YazFi are you running?
Have you tried uninstalling then reinstalling YazFi?

There are examples of how to configure a 3004.388.x router for use with Pi-Hole. One of those general setup directions are listed in the following post:

Solved - Device not respecting DNS Director or (Yaz)DHCP Server settings

I have an Intel NUC running Pi-hole that I'm currently using as my DNS server for my network: I have a device on my IoT network that's pretty chatty (a baby monitor), and it regularly causes my Pi-hole to throw a warning that the concurrent DNS query limit is reached. I've tried both of the...

www.snbforums.com

 

[jsn2233]

First DO NOT disable the router firewall unless you have another firewall in place upstream from the router. Even then, it's usually not a good idea to disable the router's firewall.

YazFi does create pinhole's for DNS. There is typically no need to add extra IPTables entries to open up DNS pinholes. If you created extra IPTables DNS pinholes you should remove them and reboot the router.

It may help if you add more context to your setup.
Are you running any additional addon scripts? If so which ones?
Have you added any additional IPTable's scripting? If so what was added?
Are you using AiMesh nodes or AP nodes? If so, YazFi does not work with AiMesh or AP nodes downstream from the main router.
Are you using DNS Director? If so, how is it configured?
How have you configured the router to use Pi-Hole? Have you included the YazFi guest networks (properly) in Pi-Hole's Settings > DNS> Conditional Forwarding section?
What version of YazFi are you running?
Have you tried uninstalling then reinstalling YazFi?

There are examples of how to configure a 3004.388.x router for use with Pi-Hole. One of those general setup directions are listed in the following post:

Solved - Device not respecting DNS Director or (Yaz)DHCP Server settings

I have an Intel NUC running Pi-hole that I'm currently using as my DNS server for my network: I have a device on my IoT network that's pretty chatty (a baby monitor), and it regularly causes my Pi-hole to throw a warning that the concurrent DNS query limit is reached. I've tried both of the...

www.snbforums.com

Thanks for the response! I've got no idea wtf the issue is. Ok, I've enabled the firewall and removed those lines and kind of back to ground zero once again:

No other addons, only entware. I've also factory reset and left everything default except YazFi and STILL get this issue.
I did add one more rule for my other guest to work with wireguard:

Yes, I do have an AP node but I'm not trying to run my guest through that if that's what you mean? I only added an AP last week and was having this issue before then, ever since I got this router in December.

The issue persists whether or not I have DNS Director on. I added it back in the other day, desperate to try and fix this issue:

The router uses the pi-hole perfectly. The guests struggle for some reason. I never had to configure conditional forwarding on my pihole before, it just worked on last router. What do I change here?:

Yes I have tried reinstalling and factory resetting with minimal settings changes and the issue persists. I read another comment about the router firewall causing it and decided to disable it and that's when it actually started working, just intermittently.

Thanks for that post about 3004.388.x routers, will check that out ASAP. Any idea what I'm dong wrong?

Edit: Also using the latest version of YazFi.

 

[dave14305]

Post all the iptables rules. Redact your WAN IP.

iptables-save -c

 

[bennor]

No other addons, only entware. I've also factory reset and left everything default except YazFi and STILL get this issue.
I did add one more rule for my other guest to work with wireguard:

Do you have VPN enabled while you are trying to ping?
Are you pinging from the YazFi client? Can you ping 1.1.1.1 from the router GUI interface?
Where do you have the Pi-Hole IP Address input for the DNS on the router? In the WAN DNS fields (not recomended) or in the LAN DHCP DNS fields?
What DNS server's is the Pi-Hole configured to use? Are you using Unbound in addition to Pi-Hole?
What device is running the Pi-Hole?

 

[jsn2233]

Post all the iptables rules. Redact your WAN IP.

iptables-save -c

Thanks man!

# Completed on Thu Jan 22 00:12:07 2026
# Generated by iptables-save v1.4.15 on Thu Jan 22 00:12:07 2026
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1113:180369]
:ACCESS_RESTRICTION - [0:0]
:DNSFILTER_DOT - [0:0]
:FUPNP - [0:0]
:IControls - [0:0]
:INPUT_ICMP - [0:0]
:INPUT_PING - [0:0]
:IPSEC_DROP_SUBNET_ICMP - [0:0]
:IPSEC_STRONGSWAN - [0:0]
:OUTPUT_DNS - [0:0]
:OUTPUT_IP - [0:0]
:OVPNCF - [0:0]
:OVPNCI - [0:0]
:OVPNSF - [0:0]
:OVPNSI - [0:0]
:PControls - [0:0]
:PTCSRVLAN - [0:0]
:PTCSRVWAN - [0:0]
:SECURITY - [0:0]
:VPNCF - [0:0]
:VPNCI - [0:0]
:WGCF - [0:0]
:WGCI - [0:0]
:WGNPControls - [0:0]
:WGSF - [0:0]
:WGSI - [0:0]
:YazFiDNSFILTER_DOT - [0:0]
:YazFiFORWARD - [0:0]
:YazFiINPUT - [0:0]
:YazFiREJECT - [0:0]
:default_block - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logdrop_dns - [0:0]
:logdrop_ip - [0:0]
[916:201034] -A INPUT -j YazFiINPUT
[0:0] -A INPUT -i eth0 -p igmp -j ACCEPT
[3:160] -A INPUT -p icmp -m icmp --icmp-type 8 -j INPUT_PING
[1265:388616] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[2:104] -A INPUT -m state --state INVALID -j DROP
[851:341284] -A INPUT ! -i br0 -j PTCSRVWAN
[198:45404] -A INPUT -i br0 -j PTCSRVLAN
[0:0] -A INPUT ! -i lo -p tcp -m tcp --dport 5152 -j DROP
[198:45404] -A INPUT -i br0 -m state --state NEW -j ACCEPT
[810:337273] -A INPUT -i lo -m state --state NEW -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
[0:0] -A INPUT -p icmp -j INPUT_ICMP
[41:4011] -A INPUT -j WGSI
[41:4011] -A INPUT -j WGCI
[36:3655] -A INPUT -j OVPNSI
[36:3655] -A INPUT -j OVPNCI
[36:3655] -A INPUT -j DROP
[0:0] -A FORWARD -d 224.0.0.0/4 -i eth0 -j ACCEPT
[689:229182] -A FORWARD -j IPSEC_DROP_SUBNET_ICMP
[689:229182] -A FORWARD -j IPSEC_STRONGSWAN
[0:0] -A FORWARD -p tcp -m tcp --dport 853 -j YazFiDNSFILTER_DOT
[400:111049] -A FORWARD -j YazFiFORWARD
[634:202474] -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
[55:26708] -A FORWARD -j WGSF
[55:26708] -A FORWARD -j OVPNSF
[0:0] -A FORWARD ! -i br0 -o eth0 -j DROP
[0:0] -A FORWARD -i br0 -o br0 -j ACCEPT
[0:0] -A FORWARD -m state --state INVALID -j DROP
[9:652] -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
[0:0] -A FORWARD -i eth0 -o br0 -j ACCEPT
[0:0] -A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
[46:26056] -A FORWARD -j WGCF
[20:17334] -A FORWARD -j OVPNCF
[20:17334] -A FORWARD -j VPNCF
[20:17334] -A FORWARD -i br0 -j ACCEPT
[0:0] -A FORWARD -j DROP
[2:134] -A OUTPUT -p udp -m udp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[0:0] -A OUTPUT -p tcp -m tcp --dport 53 -m u32 --u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0" -j OUTPUT_DNS
[2763:751661] -A OUTPUT -j OUTPUT_IP
[0:0] -A DNSFILTER_DOT -m mac --mac-source D8:3A:DD:5A:02:9P -j RETURN
[0:0] -A DNSFILTER_DOT ! -d 192.168.50.8/32 -j REJECT --reject-with icmp-port-unreachable
[0:0] -A FUPNP -d 192.168.50.75/32 -p tcp -m tcp --dport 22000 -j ACCEPT
[0:0] -A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
[0:0] -A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
[0:0] -A INPUT_ICMP -p icmp -j ACCEPT
[1:40] -A INPUT_PING -i eth0 -p icmp -j DROP
[0:0] -A OUTPUT_DNS -m string --hex-string "|10706f697579747975696f706b6a666e6603636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0d72666a656a6e666a6e65666a6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|1131306166646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f376d667364666173646d6b676d726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0d386d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f3966646d617361787373736171726b03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|1265666274686d6f6975796b6d6b6a6b6a677403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|086861636b7563647403636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|076c696e77756469056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0f6c6b6a68676664736174727975696f03636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0b6d6e627663787a7a7a313203636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|077131313133333303746f7000|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|057371353230056633333232036e657400|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|077563746b6f6e6503636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0e7a786376626d6e6e666a6a66777103636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A OUTPUT_DNS -m string --hex-string "|0a65756d6d6167766e627003636f6d00|" --algo bm --to 65535 --icase -j logdrop_dns
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
[0:0] -A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
[0:0] -A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
[0:0] -A SECURITY -j RETURN
[2:120] -A WGCF -o wgc2 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
[26:8722] -A WGCF -o wgc2 -j ACCEPT
[0:0] -A WGCF -i wgc2 -j DROP
[5:356] -A WGCI -i wgc2 -j DROP
[0:0] -A YazFiFORWARD -i wgc1 -o wl1.2 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A YazFiFORWARD -i wl1.2 -o wgc1 -j ACCEPT
[0:0] -A YazFiFORWARD -s 192.168.50.8/32 -o wl1.1 -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A YazFiFORWARD -d 192.168.50.8/32 -i wl1.1 -p udp -m udp --dport 53 -j ACCEPT
[0:0] -A YazFiFORWARD -s 192.168.50.8/32 -o wl1.1 -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A YazFiFORWARD -d 192.168.50.8/32 -i wl1.1 -p tcp -m tcp --dport 53 -j ACCEPT
[0:0] -A YazFiFORWARD ! -i eth0 -o wl1.1 -j YazFiREJECT
[0:0] -A YazFiFORWARD -i wl1.1 ! -o eth0 -j YazFiREJECT
[0:0] -A YazFiFORWARD -i wl1.1 -m comment --comment "YazFi 5GHz 1" -j ACCEPT
[0:0] -A YazFiINPUT -i wl1.1 -p udp -m multiport --dports 67,123 -j ACCEPT
[0:0] -A YazFiINPUT -i wl1.1 -p icmp -j ACCEPT
[7:1649] -A YazFiINPUT -i wl1.1 -j YazFiREJECT
[7:1649] -A YazFiREJECT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logaccept -j ACCEPT
[0:0] -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop -j DROP
[0:0] -A logdrop_dns -j LOG --log-prefix "DROP_DNS " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop_dns -j DROP
[0:0] -A logdrop_ip -j LOG --log-prefix "DROP_IP " --log-tcp-sequence --log-tcp-options --log-ip-options
[0:0] -A logdrop_ip -j DROP
COMMIT

 

[dave14305]

Thanks man!

You’re missing some of the output, specifically from the nat table.
Did you run your nslookup test before posting the output? Please do that.

 

[jsn2233]

Do you have VPN enabled while you are trying to ping?

Nope, no VPN on the guest.

Are you pinging from the YazFi client? Can you ping 1.1.1.1 from the router GUI interface?

Yes, that is from the YazFi client. The router can do it no problem.

Where do you have the Pi-Hole IP Address input for the DNS on the router? In the WAN DNS fields (not recomended) or in the LAN DHCP DNS fields?
What DNS server's is the Pi-Hole configured to use? Are you using Unbound in addition to Pi-Hole?
What device is running the Pi-Hole?

I have them in LAN. I use Quad 9 for WAN:

What DNS server's is the Pi-Hole configured to use? Are you using Unbound in addition to Pi-Hole?

No, I don't have unbound I use Quad 9

What device is running the Pi-Hole?

It's an umbrel - just a pihole with a easy to use docker container firmware. It works good for the LAN, just not guests.

 

[jsn2233]

There are examples of how to configure a 3004.388.x router for use with Pi-Hole. One of those general setup directions are listed in the following post:

Solved - Device not respecting DNS Director or (Yaz)DHCP Server settings

I have an Intel NUC running Pi-hole that I'm currently using as my DNS server for my network: I have a device on my IoT network that's pretty chatty (a baby monitor), and it regularly causes my Pi-hole to throw a warning that the concurrent DNS query limit is reached. I've tried both of the...

www.snbforums.com

Also, done all your steps from here and nothing so far