YazFi YazFi v4.x - continued

[Jack Yaz]

v4.4.4
Updated 2023-11-26

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:

* Dedicated VPN WiFi networks
* Separate subnets for organisation of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

This project is hosted on GitHub

YazFi is free to use under the GNU General Public License version 3 (GPL 3.0).

Supporting development
Love the script and want to support future development? Any and all donations gratefully received!

PayPal donation



Supported firmware versions
Core YazFi features
You must be running firmware no older than:

• Asuswrt-Merlin 384.5
• john9527 fork 374.43_32D6j9527

WebUI page for YazFi
You must be running firmware no older than:

• Asuswrt-Merlin 384.15

Installation
Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

/usr/sbin/curl -fsL --retry 3 "https://jackyaz.io/YazFi/master/install/YazFi.sh" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install

Please then follow instructions shown on-screen. An explanation of the settings is provided in the FAQs in post #2

Usage
WebUI
YazFi can be configured via the WebUI, in the Guest Network section.

Command Line
To launch the YazFi menu after installation, use:

YazFi

If you do not have Entware installed, you will need to use the full path:

/jffs/scripts/YazFi

 

[Jack Yaz]

v4.4.3 is now available

All credit for this release goes to @Martinski

Changelog:

• NEW: Added functionality to properly recognize and correctly map virtual interfaces to the corresponding WiFi radio bands on routers with 6GHz capability (e.g. Tri-band routers like the GT-AXE11000, and Quad-band routers like GT-AXE16000).
• NEW: New wl*_DHCPLEASE configuration variable and corresponding "DHCP Lease" input field in the WebGUI to allow setting a DHCP Lease time for each Guest Network independently from the NVRAM setting used for main LAN clients. The valid range is 120 to 7776000 seconds (2 minutes to 90 days). Time values can be entered in seconds (e.g. 86400s), minutes (e.g. 1440m), hours (e.g. 24h), days (e.g. 2d), or weeks (e.g. 2w). A single digit ZERO '0' or an upper-case letter 'I' indicates that an "infinite" lease time value will be applied.
• FIXED: Fixed a bug in the WebGUI list of "Connected Guests" where sometimes the wrong IP address was shown for some of the active clients; other times a client that was no longer connected to the network was shown as active and with the wrong IP address.

 

[Antani]

what are the differences between yazfi managed networks and merlin standard ones ?

my mobile provider has enabled wifi calling... if i connect my phone to the "standard" wifi or to a guest network not managed by yazfi the wifi calling doesn't work, if i connect to a yazfi managed network it works

 

[bennor]

what are the differences between yazfi managed networks and merlin standard ones ?

This is explained in Jack Yaz's first post above:

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:
* Dedicated VPN WiFi networks
* Separate subnets for organization of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

 

[Antani]

NAT Passthrough settings of main network are applied to yazfi networks ?

edit: no they aren't

i discovered that vowifi open an ipsec tunnel and enbling IPSec Passthrough make it works on main wifi ssid

 

[torstein]

Two bugs in 4.4.3:

1) "one way to guest" and "two way to guest" is not respected, and I can still access the guest devices from my main network even if they are set to "no".

2) When one of them is set to "yes" however, the guest-devices are accessible, but not visible under "Clients" in Network Map. They become visible again if I uninstall YazFi and just use stock Asus Guest-network feature, but on YazFi the devices are invisible in the client list.

Or maybe I'm doing something wrong?

 

[Jack Yaz]

Two bugs in 4.4.3:

1) "one way to guest" and "two way to guest" is not respected, and I can still access the guest devices from my main network even if they are set to "no".

2) When one of them is set to "yes" however, the guest-devices are accessible, but not visible under "Clients" in Network Map. They become visible again if I uninstall YazFi and just use stock Asus Guest-network feature, but on YazFi the devices are invisible in the client list.

Or maybe I'm doing something wrong?

2. is well known, Asus Network Map only shows devices on the same subnet/network

 

[bennor]

1) "one way to guest" and "two way to guest" is not respected, and I can still access the guest devices from my main network even if they are set to "no".

2) When one of them is set to "yes" however, the guest-devices are accessible, but not visible under "Clients" in Network Map. They become visible again if I uninstall YazFi and just use stock Asus Guest-network feature, but on YazFi the devices are invisible in the client list.

Not seeing #1. I always have both one way and two way to guest set to No and cannot access devices on the YazFi Guest Wifi. I do however have Client Isolation enabled (Yes) under YazFi. Standard troubleshooting steps apply here: reboot the router, or trigger YazFi to reapply it's settings. Check the devices to ensure they are on the Guest WiFi network, sometimes IoT devices will roll back to a previously saved main LAN WiFi network if they loose the Guest WiFi network.

For #2, as Jack Yaz mentions the Network Map not showing the the YazFi clients is a very long well known issue that has been commented about in a number of past YazFi threads. To view YazFi connected clients see the System Log > Wifi Log page. Or see the YazFi tab's Connected Clients under Guest Network. Or access the YazFi CLI and select option #2 via SSH. Or issue the cat /var/lib/misc/dnsmasq.leases command via SSH (or a batch file).

 

[torstein]

Not seeing #1. I always have both one way and two way to guest set to No and cannot access devices on the YazFi Guest Wifi. I do however have Client Isolation enabled (Yes) under YazFi. Standard troubleshooting steps apply here: reboot the router, or trigger YazFi to reapply it's settings. Check the devices to ensure they are on the Guest WiFi network, sometimes IoT devices will roll back to a previously saved main LAN WiFi network if they loose the Guest WiFi network.

For #2, as Jack Yaz mentions the Network Map not showing the the YazFi clients is a very long well known issue that has been commented about in a number of past YazFi threads. To view YazFi connected clients see the System Log > Wifi Log page. Or see the YazFi tab's Connected Clients under Guest Network. Or access the YazFi CLI and select option #2 via SSH. Or issue the cat /var/lib/misc/dnsmasq.leases command via SSH (or a batch file).

try disabling client isolation and see if that "breaks" oneway and toway functions. i have rebooted the router many times, and the mac which im testing it with has a deleted known networks list and only knows of my guest network. iow it cannot connect to snything else.

 

[bennor]

try disabling client isolation and see if that "breaks" oneway and toway functions.

Nothing changes, cannot ping or access YazFi Guest clients with Client Isolation set to No. In other words, YazFI is working as it should, for me, with One way to Guest, Two way to Guest and Client Isolation all set to No. Cannot see or access YazFi Guest clients from main LAN clients.

Have you tried uninstalling YazFi then reinstalling it?
Are you using AiMesh? If so YazFi doesn't work on AiMesh nodes.
https://www.snbforums.com/threads/guest-network-clients-not-using-yazfi-subnet.71718/#post-680188

YazFi doesn't work on Aimesh nodes. The guest network on the node will be unrestricted

 

[lepa71]

How do I update from 4.4.2? I tried to use UI but it did not update. Thanks

 

[bennor]

How do I update from 4.4.2? I tried to use UI but it did not update. Thanks

If updating YazFi through the router GUI's Guest Network > YazFi tab doesn't work, try updating through the YazFi CLI. Use option "u" or "uf" in the CLI to update YazFi.

 

[lepa71]

It is interesting that UI shows 4.4.2 but logs are showing 4.4.3

Logs
Mar 13 18:07:04 dnsmasq[2521]: using nameserver 127.0.1.1#53
Mar 13 18:07:04 YazFi: YazFi v4.4.3 starting up
Mar 13 18:07:09 YazFi: wl0.1 (SSID: .....) - sending all interface internet traffic over WAN interface
Mar 13 18:07:21 YazFi: Forcing YazFi Guest WiFi clients to reauthenticate

 

[bennor]

It is interesting that UI shows 4.4.2 but logs are showing 4.4.3

Does your YazFi GUI have the DHCP Lease field? If not maybe try forcing a forced update through the YazFi CLI and hopefully that would replace or update the GUI page with the updated DHCP lease field.

 

[Bazingaa]

I just installed YazFi for the first time on my RT-AX68U router, and it seems that I'm now finally able to put my Guest / IoT stuff on a seperate network, while keeping the ability for the IoT devices to connect to each other. So far so good!

Before I started this morning this was my setup:

1 5GHz WiFi network on the home LAN (192.168.50.1)
1 2.4 GHz WiFi network on the home LAN (192.168.50.1)
1 2.4GHz Guest network on a separate LAN (192.168.101.1)

This is almost as default as it gets right out of the box, except for the Asusmerlin firmware. This worked great till today.

This morning I wanted to isolate some IoT stuff from my home LAN, one of which is my new 3D printer.
Since this needs to be connected to the cloud always, it gave me a feeling that I should isolate this completely from the home network. I does need an internet connection, but it does not need to reach any of the devices on the home network.
Except when setting it up: In this case the printer and a phone / computer should be on the same network and able to connect to each other during the setup.
Since this does not work on the default Asusmerlin setup, I need to use YazFi to accomplish this.

Now to the actual problem: After setting up Yazfi I now should have the same list of networks as above. I made sure to keep as many settings the same as before, to make troubleshooting easier. Unfortunately, it seems that the 2.4GHz home LAN network is not working anymore. I do still see all 3 SSID's, but when connecting to this one it just doesn't connect. Also forgetting the network in my phone and reconneting does not work. I simply get an error stating "Could not connect to this network" after typing in the password. The 5GHz and new Guest network seem to work fine, Guest is indeed handing out 192.168.101.0 addresses and now lets my printer and phone connect on this network.

Does anyone have any idea what could cause this? Seems like a "simple" routing issue to me, but rebooting the router and reapplying the settings did not work unfortunately.

Bonus question: I see that in the Guest network page the "Access intranet" setting is switched from "Disabled" to "Enabled". Is this done by Yazfi and if yes, does this mean that this network is not able to reach the home LAN, even though the setting indicates that this is now enabled?

The firmware used on the RT-AX68U router is Asusmerlin 388.1 and YazFi is version 4.4.3.

Thanks in advance for any responses and help provided!

 

[bennor]

Now to the actual problem: After setting up Yazfi I now should have the same list of networks as above. I made sure to keep as many settings the same as before, to make troubleshooting easier. Unfortunately, it seems that the 2.4GHz home LAN network is not working anymore. I do still see all 3 SSID's, but when connecting to this one it just doesn't connect. Also forgetting the network in my phone and reconneting does not work. I simply get an error stating "Could not connect to this network" after typing in the password. The 5GHz and new Guest network seem to work fine, Guest is indeed handing out 192.168.101.0 addresses and now lets my printer and phone connect on this network.

Bonus question: I see that in the Guest network page the "Access intranet" setting is switched from "Disabled" to "Enabled". Is this done by Yazfi and if yes, does this mean that this network is not able to reach the home LAN, even though the setting indicates that this is now enabled?

Post a screen shot of your YazFi GUI settings. It may help others understand your specific YazFi settings and if there may be issues with it.

Yes, YazFi changes the Guest WiFi Access Intranet setting to Enabled. It then uses scripting to control that access. Search other YazFi threads. In one of them, if I remember right, @Jack Yaz explains why this was done.

Some general comments about using YazFi. Avoid using Guest WiFI network #1. Seems Guest WiFi network #1 causes issues for some people. Use Guest WiFi network #2, #3 and if you have it #4. Asus may set aside (or treat differently) Guest WiFi network #1 for AiMesh, if I remember right. Check your IP address settings for YazFi. Ensure each YazFi IP address range is unique. Sometimes it helps to check the YazFi configuration through the YazFi CLI (via SSH) if one is having weird issues happen. The CLI may provide more detailed information if there are issues. Also remember to check the System Logs if you are having WiFi issues. The System Log may indicate a cause to WiFi issues or problems.

 

[Jack Yaz]

Yes, YazFi changes the Guest WiFi Access Intranet setting to Enabled. It then uses scripting to control that access. Search other YazFi threads. In one of them, if I remember right, @Jack Yaz explains why this was done.

for ease of reference, it was to avoid Asus' code implementing its own firewall rules and in some cases, VLAN, that were incompatible with how YazFi expected the router to work. i assume that hasn't changed!

 

[Jeep]

maybe try forcing a forced update through the YazFi CLI and hopefully that would replace or update the GUI page with the updated DHCP lease field.

A forced update via the CLI updated the version correctly in the GUI page for me, and made a point of telling me that it was restarting the firewall to pick up the change. Maybe updating through the GUI doesn't do that? Or perhaps some GUI element is cached somewhere (shift-reload of the YazFi tab in the browser didn't update it when I tried via the GUI). To be safe I'll update via the CLI from now on.

Thanks for the awesome AddOn!

 

[Bazingaa]

Post a screen shot of your YazFi GUI settings. It may help others understand your specific YazFi settings and if there may be issues with it.

Yes, YazFi changes the Guest WiFi Access Intranet setting to Enabled. It then uses scripting to control that access. Search other YazFi threads. In one of them, if I remember right, @Jack Yaz explains why this was done.

Some general comments about using YazFi. Avoid using Guest WiFI network #1. Seems Guest WiFi network #1 causes issues for some people. Use Guest WiFi network #2, #3 and if you have it #4. Asus may set aside (or treat differently) Guest WiFi network #1 for AiMesh, if I remember right. Check your IP address settings for YazFi. Ensure each YazFi IP address range is unique. Sometimes it helps to check the YazFi configuration through the YazFi CLI (via SSH) if one is having weird issues happen. The CLI may provide more detailed information if there are issues. Also remember to check the System Logs if you are having WiFi issues. The System Log may indicate a cause to WiFi issues or problems.

Thanks for your response!

I set the Guest network to Guest Network 2. Unfortunately, this still did not solve the issue.
This is the screenshot from the YazFi GUI:

And this is the Guest Network page:

In the System logs I see the following:

If I'm connected to the guest 2.4 network and I switch to the 5GHz home network I see that it deauths nicely and reconnects as well:

Mar 21 22:06:24 wlceventd: wlceventd_proc_event(508): wl0.2: Disassoc status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Mar 21 22:06:24 wlceventd: wlceventd_proc_event(508): wl0.2: Disassoc status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Mar 21 22:06:25 wlceventd: wlceventd_proc_event(527): eth6: Auth, status: Successful (0), rssi:0
Mar 21 22:06:25 wlceventd: wlceventd_proc_event(556): eth6: Assoc, status: Successful (0),

If I now switch from this 5GHz to the 2.4GHz home network just nothing pops up in the logs.
It only deauths from the 5GHz and then just switches to the guest network.

I do see that the random key value states wl0 for the 5GHz when connecting and wl1 when connecting to the guest 2.4GHz:

5GHz: Mar 21 22:10:07 kernel: wl0: random key value:
Guest: Mar 21 22:10:29 kernel: wl1: random key value:

Should the 2.4GHz home network be wl1?

I also checked the YazFi CLI, but could not find any interesting things. Should I run the diagnostics?

 

[bennor]

If I now switch from this 5GHz to the 2.4GHz home network just nothing pops up in the logs.
It only deauths from the 5GHz and then just switches to the guest network.

As a troubleshooting step, maybe try the following for 2.4Ghz network: Wireless > General > Protected Management Frames to Disable.
See the following post where this suggested change was mentioned:
https://www.snbforums.com/threads/3...med-to-be-fixed-in-386-9-0.84141/#post-829883