YazFi v4.x


I've changed DNS Server 1 in Yasfi to 192.168.50.2, selected Force DNS - Yes and Two way to guest - Yes. The client is given the first DNS and the second 8.8.4.4, but I still get no DNS. I can ping the router 192.168.50.1 from the guest connection but not access the webpage. I cannot ping 192.168.50.2. If I set DNS 1 in Yasfi to use the router DNS 192.168.50.1 I still get no DNS.
 
Ah! Set VPN Client DNS to Strict and things spring to life. :D:D:D:D

DNS Leaktest shows me connecting through VPN and Pihole being the DNS.

Thank you again.
 
I'm a bit confused by Yasfi Force DNS. If I set to Yes I use my own local DNS (not listed in Yasfi), if I set to No, I get Google DNS (as listed in Yasfi) through the VPN? Is that right?
 
Force dns is basically YazFi's version of dns filter, it intercepts dns traffic from the clients and redirects it to the IP in dns 1. It stops any clients with a hardcoded dns ignoring the dns provided by DHCP
 
I'll have to take a look at how exclusive works in 386.3. I usually disable dns on the tunnels to use Diversion, but I'm aware vpn dns is needed if you want to circumvent geoblocks
 
Have to say I'm a bit confused by it all. :rolleyes: I seem to have got it going by luck! I've got the router IP as DNS 1 in Yasfi, DNS 2 is still 8.8.4.4 but greyed out. I've got Force DNS as Yes. The router is passing the router IP and 8.8.4.4 to clients as DNS but the clients are accessing the Pi-hole on 192.168.50.2 for DNS??!!. As I said luck. :D
 
What do you have set for WAN DNS on the router? That's what the guests will end up using.

Dns2 is given out but technically won't be used as yazfi redirects it to dns1. Perhaps I should amend the code so dns2 isn't handed out at all
 
The default WAN DNS uses the BT servers and most clients use the router for DNS. My laptop and a couple of other clients have manually assigned IPs on the DHCP page with DNS pointed at the Pi-Hole
 
I think that part of the problem here is that for some reason the Guest '5' subnet cannot see the main '50' subnet even though 'Two way to guest' is set. I can only ping the router (but cannot enter the webpage) and cannot ping any other clients. I don't really understand how the Guest client is getting DNS from the Pi-Hole on 192.168.50.2.
 
I've now discovered that with the Pi-Hole DNS included in the VPN client config <dhcp-option DNS 192.168.50.2> and Accept DNS config set to anything other than Exclusive that the Pi-Hole is being used by the main router rather than the default ISP DNS as set in the WAN. That is why the Yasfi VPN is accessing the Pi-Hole via the router IP 192.168.50.1.
 
At last I think the problem is that the Guest/Yasfi connection on the '5' subnet cannot see the Pi-Hole on the '50' subnet. 'Two way to guest' is On in Yasfi. I'll try adding rules for the Pi-Hole IP as in the Yasfi readme tomorrow.
 
The script is called YazFi. Not Yasfi.
 
Yep, realised that when typing out the rules last night. <embarrassed> Been getting it wrong all day/week!

Added a script with:

#!/bin/sh
# Allow guest SSID (wl1.1) -> main LAN (br0) traffic to the Pi-hole
iptables -I YazFiFORWARD -i wl1.1 -o br0 -d 192.168.50.2 -j ACCEPT
# Allow the Pi-hole's traffic back from the main LAN to the guest SSID
iptables -I YazFiFORWARD -i br0 -o wl1.1 -s 192.168.50.2 -j ACCEPT

saved and set it active. Applied the settings in the CLI and YazFi seemed to see the file when restarting. Still no joy with accessing the Pi-Hole.

Thanks to Jack's help YazFi now working pretty well for me but I still cannot access my own local DNS. I'm now pretty certain that's because I cannot access the main '50' subnet from the Guest connection.
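The two ACCEPT rules above open every port between the guest SSID and the Pi-hole in both directions. The script below is an added example, not YazFi's own code and not the rules the poster used: it builds a least-privilege version that allows only DNS (UDP/TCP 53) from the guest network to the Pi-hole and only established replies back, and it adds the port-53 redirect that Jack describes as Force DNS (DNAT of all guest DNS traffic to DNS 1). Assumptions not taken from the page: the guest subnet 192.168.5.0/24, that the redirect lives in the nat PREROUTING chain, and that the router's iptables supports the conntrack match; only the interface names, the Pi-hole address and the YazFiFORWARD chain come from the thread.

```shell
#!/bin/sh
# Added example (not YazFi's code): least-privilege guest -> Pi-hole DNS rules
# plus a Force-DNS style port-53 redirect. Run without arguments to print the
# rules (dry run); run with "apply" on the router to execute them.

GUEST_IF="${GUEST_IF:-wl1.1}"             # guest SSID interface (from the thread)
LAN_IF="${LAN_IF:-br0}"                   # main LAN bridge (from the thread)
PIHOLE="${PIHOLE:-192.168.50.2}"          # Pi-hole on the main '50' subnet
GUEST_NET="${GUEST_NET:-192.168.5.0/24}"  # assumed guest '5' subnet (not on the page)

# build_rules GUEST_IF LAN_IF PIHOLE GUEST_NET
# Prints one iptables command per line; nothing is executed here.
build_rules() {
    guest_if=$1; lan_if=$2; pihole=$3; guest_net=$4

    # Forward only DNS from the guest network to the Pi-hole. Everything else
    # on the '50' subnet stays unreachable from the guest, which is the point
    # of a guest network.
    for proto in udp tcp; do
        echo "iptables -I YazFiFORWARD -i $guest_if -o $lan_if -s $guest_net -d $pihole -p $proto --dport 53 -j ACCEPT"
    done

    # Only replies to those queries may flow back; the Pi-hole cannot open
    # new connections into the guest network.
    echo "iptables -I YazFiFORWARD -i $lan_if -o $guest_if -s $pihole -d $guest_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Force DNS: rewrite any port-53 packet leaving the guest interface so it
    # lands on the Pi-hole, which defeats resolvers hard-coded on clients
    # (e.g. a device ignoring the DHCP-supplied DNS). Assumed chain: nat PREROUTING.
    for proto in udp tcp; do
        echo "iptables -t nat -I PREROUTING -i $guest_if -s $guest_net -p $proto --dport 53 ! -d $pihole -j DNAT --to-destination $pihole"
    done
}

# apply_rules: execute each generated command; intended for the router only.
apply_rules() {
    build_rules "$@" | while read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-}" in
    apply) apply_rules "$GUEST_IF" "$LAN_IF" "$PIHOLE" "$GUEST_NET" ;;
    *)     build_rules "$GUEST_IF" "$LAN_IF" "$PIHOLE" "$GUEST_NET" ;;
esac
```

With these rules an ICMP ping from the guest to 192.168.50.2 still times out by design, so the right check is a DNS query against the Pi-hole (for example `nslookup example.com 192.168.50.2` from a guest client), not ping. The DNAT rule also explains the "clients are handed 8.8.4.4 but answered by the Pi-hole" observation in this thread: the second resolver is advertised but every query is rewritten to DNS 1 before it leaves the router.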
 
YazFi should already have created rules to allow dns to Pihole if you configured the Pihole ip as either dns 1 or 2. What error do you get when trying to ping? Have you enabled any sort of firewall on the Pihole?
 
I've always had Two way to guest on YazFi set to Yes.

Currently I've got Force DNS at No.

The Guest connection works fine using the VPN's own DNS server, something on 10.*.*.*. (I've removed the Pi-Hole IP from the VPN client custom config for now.)

If I add the Pi-Hole IP to the VPN custom config or add it to YazFi and set Force DNS to Yes I don't get any DNS. The Guest is connected to VPN, traceroutes to external IPs show this, but no DNS.

If I add the router's IP 192.168.50.1 to DNS server 1 in YazFi and set Force DNS On it works, but using whatever DNS the main router is using. (I was led on a bit of a wild goose chase yesterday because when I did this I was getting DNS from the Pi-Hole - I realised that that was because I had the Pi-Hole in the VPN config with Accept DNS set to Strict. This was giving the main router access to the Pi-Hole. Everything was using the Pi-Hole. If I set VPN Accept DNS back to Exclusive I then get the ISP DNS service from the router for the Guest VPN connection.)

Confirming, with Two way to guest On I find:

I can ping the router on 192.168.50.1 but not access the webpage.

I cannot ping the Pi-Hole on 192.168.50.2 or any other client on the main '50' subnet from the Guest connection on the '5' subnet.
 
What error on ping? Is it a timeout, or "no route to host"?
 
Request timed out.

Can ping from within '50' subnet.

PiHole set to: Listen on all interfaces, permit all origins.
 
v4.3.3
Updated 2021-07-31


Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:

* Dedicated VPN WiFi networks
* Separate subnets for organisation of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

This project is hosted on GitHub

YazFi is free to use under the GNU General Public License version 3 (GPL 3.0).

Love the script and want to support future development? Any and all donations gratefully received!
PayPal donation
Buy me a coffee

Supported firmware versions
Core YazFi features
You must be running firmware no older than:
WebUI page for YazFi
You must be running firmware no older than:

Installation
Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:
Code:
/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi.sh" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install

Please then follow instructions shown on-screen. An explanation of the settings is provided in the FAQs in post #2

Usage
WebUI
YazFi can be configured via the WebUI, in the Guest Network section.

Command Line
To launch the YazFi menu after installation, use:
Code:
YazFi

If you do not have Entware installed, you will need to use the full path:
Code:
/jffs/scripts/YazFi
@Jack Yaz Awesome job keeping everything up with the times. Tested all the latest features and I could not find any smoking guns or bullet holes.

Tested with Pihole, Adguard Home, and VPN. (and combination of sorts i.e. VPN-Pihole).
 
OK, I'll test this on 386.3 now. Can you post a screenshot of your YazFi configuration for the guest in question please?
 
