YazFi YazFi v4.x

[Jack Yaz]

Didn't manage to sneak any more of those awesome Jack-features in, did you?

not this time. the service-event changes i'm making are part of a theory as to why there's significant cpu usage on slower routers with the YazFi WebUI - each service call calls service-event which fires off several scripts (depending on how many addons you use). for mine, the scripts will exit as the event isn't for them, but it's still an extra process being spun up by the router. the change I'm making is like Diversion and FlexQoS, adding a logic check to service-event so that pointless process isn't created in the first place

 

[kaval]

v4.3.4
Updated 2021-08-04

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to:

* Dedicated VPN WiFi networks
* Separate subnets for organisation of devices
* Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS
* Allow guest networks to make use of pixelserv-tls (if installed)
* Allow guests to use a local DNS server
* Extend DNS Filter to guest networks

This project is hosted on GitHub

YazFi is free to use under the GNU General Public License version 3 (GPL 3.0).

Love the script and want to support future development? Any and all donations gratefully received!
PayPal donation
Buy me a coffee

Supported firmware versions
Core YazFi features
You must be running firmware no older than:

• Asuswrt-Merlin 384.5
• john9527 fork 374.43_32D6j9527

WebUI page for YazFi
You must be running firmware no older than:

• Asuswrt-Merlin 384.15

Installation
Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

/usr/sbin/curl --retry 3 "https://raw.githubusercontent.com/jackyaz/YazFi/master/YazFi.sh" -o "/jffs/scripts/YazFi" && chmod 0755 /jffs/scripts/YazFi && /jffs/scripts/YazFi install

Please then follow instructions shown on-screen. An explanation of the settings is provided in the FAQs in post #2

Usage
WebUI
YazFi can be configured via the WebUI, in the Guest Network section.

Command Line
To launch the YazFi menu after installation, use:

YazFi

If you do not have Entware installed, you will need to use the full path:

/jffs/scripts/YazFi

Just upgraded to YazFi v4.3.4 on Asus RT-AX88u router. I set up a guest network and non-guest network. I set up LAN printer IP numbers to fixed. I have had problems on several of the firmwares so I think this issue is still problematic in terms of reliable printing.

Then I created custom firewall myscript.sh as per
/jffs/addons/YazFi.d/userscripts.d/myscript.sh

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

For 2 Brother printers both tied by LAN to the Asus router:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.7 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.7 -j ACCEPT

Both printers will work upon a reboot or reinstall when setting up some of the time on guest, and then will fail the next day or in a short period of time. A reboot of the router sometimes fixes the problem but not always. On the computers tied to non-guest, the printing is reliable.

Any thoughts?
Thanks!

 

[bennor]

I set up LAN printer IP numbers to fixed.

How or where did you set the printer's IP addresses to "fixed"?

Just to confirm. Are the two Brother printers YazFi guest WiFi clients? Or are the two printers on the main LAN and you are having problems with YazFi clients accessing and printing to the two printers?

Generally when using YazFi, guest WiFi devices will use IP address outside of the main LAN IP address subnet range and won't use any assigned IP address from that LAN IP address range. One can create static IP addresses for the YazFi clients such that they use the IP range(s) used by YazFi. There is a general description of how to do so on the YazFi GitHub Wiki page in the section A Note on DHCP Reservations. Or see my write up on it in an earlier YazFi thread here: https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403

Couple of things one may have to set, change or check depending on the exact network clients setup in the YazFi settings. One may need to enable One way to guest or Two way to guest and disable Client isolation in the YazFi settings (either GUI or CLI).

 

[kaval]

How or where did you set the printer's IP addresses to "fixed"?

Just to confirm. Are the two Brother printers YazFi guest WiFi clients? Or are the two printers on the main LAN and you are having problems with YazFi clients accessing and printing to the two printers?

Generally when using YazFi, guest WiFi devices will use IP address outside of the main LAN IP address subnet range and won't use any assigned IP address from that LAN IP address range. One can create static IP addresses for the YazFi clients such that they use the IP range(s) used by YazFi. There is a general description of how to do so on the YazFi GitHub Wiki page in the section A Note on DHCP Reservations. Or see my write up on it in an earlier YazFi thread here: https://www.snbforums.com/threads/y...inc-ssid-vpn-client.45924/page-32#post-473403

Couple of things one may have to set, change or check depending on the exact network clients setup in the YazFi settings. One may need to enable One way to guest or Two way to guest and disable Client isolation in the YazFi settings (either GUI or CLI).

I am setting the IP numbers of the printers under the main router settings Advanced Settings, LAN entry, tab entry DHCP server, and then set etherneted printers based on MAC Address to 192.168.1.5 and 192.168.1.7. So, the printers are on the main LAN. Then I have trouble with YazFi clients on the guest network accessing although occasionally I can get them to print on the guest network and then it stops.

I do not want the guest network to access any of my other LAN devices such as computers on the main LAN network, so I have one way to guest and 2-way to guest set to No, and client isolation is set to No in YazFi.

I thought the following would solve the problem for myscript.sh
as per https://github.com/jackyaz/YazFi
for custom firewall rules:

in /jffs/addons/YazFi.d/userscripts.d/myscript.sh

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.7 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.7 -j ACCEPT

Am I missing something as this is not working reliably?

 

[kaval]

Is it possible that it is working on the 2.4Gz interface wl0.1 but not on the 5Gz wireless which is a separate subnet? I am set up with smart connect. In that case, would I need to specify additional firewall rules for the 5GHz wireless network?

 

[kaval]

I will have to test, but I think I solved the problem. The intermittent functionality was because things worked when I happened to connect via the 2.4 GHz but not 5 GHz. For my 2 printers as mapped, this is what I created for myscript.sh


#!/bin/sh
#2.4 GHz network
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.5 -j ACCEPT

iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.7 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.7 -j ACCEPT

#5 GHz network
iptables -I YazFiFORWARD -i wl1.1 -o br0 -d 192.168.1.5 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl1.1 -s 192.168.1.5 -j ACCEPT

iptables -I YazFiFORWARD -i wl1.1 -o br0 -d 192.168.1.7 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o w10.1 -s 192.168.1.7 -j ACCEPT

Hopefully, this will solve the problem.

 

[Martinski]

v4.3.4 is now available
Changelog:

• CHANGED: When enabling FORCEDNS, DNS1 is copied to DNS2 and DNS2 is disabled
• CHANGED: service-event hook is more selective when it calls YazFi

Jack Yaz,

Last weekend I updated the YazFi add-on to the latest 4.3.4 version. This weekend while testing/verifying some custom changes I had made to the 'service-event' script, I discovered a syntax error in the latest '/jffs/scripts/YazFi' script, 'Auto_ServiceEvent()' function, line #253.

CURRENT SYNTAX:

STARTUPLINECOUNTEX=$(grep -cx 'if echo "$2" | /bin/grep -q "'"$SCRIPT_NAME"'" || { [ "$1" = "restart" ] && [ "$2" = "wireless" ]; }; then { /jffs/scripts/'"$SCRIPT_NAME"' service_event "$@" & }; fi # '"$SCRIPT_NAME Guest Networks" /jffs/scripts/service-event)

FIXED SYNTAX:

STARTUPLINECOUNTEX=$(grep -cx 'if echo "$2" | /bin/grep -q "'"$SCRIPT_NAME"'" || { \[ "$1" = "restart" \] && \[ "$2" = "wireless" \]; }; then { /jffs/scripts/'"$SCRIPT_NAME"' service_event "$@" & }; fi # '"$SCRIPT_NAME Guest Networks" /jffs/scripts/service-event)

The relevant part of the fixed syntax is this:
... \[ "$1" = "restart" \] && \[ "$2" = "wireless" \] ...

IOW, the open/closed square brackets must be escaped (e.g. " \[ ... \] ")

This is not a critical error in this case because the only result is that the "grep -cx ..." command always fails to find the new "YazFi line" in the "service-event" script when it already exists, so the script proceeds to delete the line and then appends it to the file again every time that code is run. IOW, this syntax error does not really change the actual functionality of the add-on. In any case, I hope this helps to improve the code.

Thank you for creating & maintaining YazFi. I've been using it for about 10 months now, and it's been working well.

/Martinski

 

[Jack Yaz]

Jack Yaz,

Last weekend I updated the YazFi add-on to the latest 4.3.4 version. This weekend while testing/verifying some custom changes I had made to the 'service-event' script, I discovered a syntax error in the latest '/jffs/scripts/YazFi' script, 'Auto_ServiceEvent()' function, line #253.

CURRENT SYNTAX:

STARTUPLINECOUNTEX=$(grep -cx 'if echo "$2" | /bin/grep -q "'"$SCRIPT_NAME"'" || { [ "$1" = "restart" ] && [ "$2" = "wireless" ]; }; then { /jffs/scripts/'"$SCRIPT_NAME"' service_event "$@" & }; fi # '"$SCRIPT_NAME Guest Networks" /jffs/scripts/service-event)

FIXED SYNTAX:

STARTUPLINECOUNTEX=$(grep -cx 'if echo "$2" | /bin/grep -q "'"$SCRIPT_NAME"'" || { \[ "$1" = "restart" \] && \[ "$2" = "wireless" \]; }; then { /jffs/scripts/'"$SCRIPT_NAME"' service_event "$@" & }; fi # '"$SCRIPT_NAME Guest Networks" /jffs/scripts/service-event)

The relevant part of the fixed syntax is this:
... \[ "$1" = "restart" \] && \[ "$2" = "wireless" \] ...

IOW, the open/closed square brackets must be escaped (e.g. " \[ ... \] ")

This is not a critical error in this case because the only result is that the "grep -cx ..." command always fails to find the new "YazFi line" in the "service-event" script when it already exists, so the script proceeds to delete the line and then appends it to the file again every time that code is run. IOW, this syntax error does not really change the actual functionality of the add-on. In any case, I hope this helps to improve the code.

Thank you for creating & maintaining YazFi. I've been using it for about 10 months now, and it's been working well.

/Martinski

good find!

 

[Cleanev]

I posted this in another thread but was asked to move this to dedicated Yazfi thread, so am posting it here to see if there is any solution to my request below.

Hello team,

I am looking for iptables related guidance

Bought RT-AX86U where my freshtomato is not applicable so am trying to see if this will help.

I have been using RT-AC68U for many years with freshtomato where I used following iptables rules stashed in firewall script to block clients from using any dns server while forcing to pi-hole ip.

iptables -I FORWARD 1 -p udp -s 10.x.x.3 --dport 53 -j ACCEPT
iptables -I FORWARD 2 -p tcp -s 10.x.x.4 --dport 53 -j ACCEPT
iptables -I FORWARD 3 -p udp -s 10.2.x.x --dport 53 -j ACCEPT
iptables -I FORWARD 4 -p tcp -s 10.2.x.x --dport 53 -j ACCEPT
iptables -I FORWARD 5 -p udp --dport 53 -j DROP
iptables -I FORWARD 6 -p tcp --dport 53 -j DROP

After few hours of reading figured I need to install yazfi script by @Jack Yaz. Now I have few files under /jffs/scripts.
What i am failing to understand is where should above lines go? I plugged them in firewall-start script and find that after adding these lines guest access to internet drops even though I have explicitly added 10.x.x.3 & 10.x.x.4 under configuration.

Any assistance will be appreciated.

 

[bennor]

After few hours of reading figured I need to install yazfi script by @Jack Yaz.

Why do you think you need to use YazFi? Do you know what YazFi does? If not, see the very first post of the thread or see the YazFi GitHub page: https://github.com/jackyaz/YazFi

YazFi works to extend the configuration and features of Guest WiFi clients. Once YazFi is installed one either uses the YazFi command line interface (CLI) via SSH (run the command: /jffs/scripts/YazFi), or the YazFi graphical user interface (GUI) via the Asus-Merlin Guest WiFi > YazFi page. There is a Wiki of sorts on the YazFi GitHub page that discusses some elements of using Pi-Hole with YazFi: https://github.com/jackyaz/YazFi/wiki/Setting-up-YazFi-with-Pi-hole-and-ARP-records

Generally the basic setup for using Pi-Hole on Asus Merlin is to input the Pi-Hole device IP address into the LAN > DHCP > DNS Server(s) fields and then set Advertise router's IP in addition to user-specified DNS to "no". One can also add the Pi-Hole device (MAC address) to the DNSFilter section with it's filter mode set to No Filtering. This should generally force all DHCP clients (depending on certain settings) to route their DNS requests through the Pi-Hole.

One can use YazFi to extend the features/options of the Guest WiFi. One can input the Pi-Hole device IP address into the YazFi DNS Server field(s) to force YazFi Guest WiFi devices to use the Pi-Hole for DNS requests. One can visit the first page of this thread or the YazFi GitHub page to see what each of the YazFi settings or options does.

Personally I use a Raspberry Pi running Pi-Hole and Unbound in conjunction with the Asus Merlin firmware with YazFi. I run YazFi to force all my wireless IoT devices DNS requests through the Pi-Hole and to separate/isolate those IoT devices (on the guest WiFi network) from my main LAN/WiFi clients. Works fine. Pi-Hole generally processes all (or most all) of my network's clients DNS requests. For my uses I don't need to mess with the IPTables or the firewall. Only extra scripting I've done is assigned static IP addresses to my various YazFi WiFi guest clients. The use of static IP addresses with YazFi something that is also mentioned on the YazFi PiHole Wiki page.

 

[Cleanev]

The reason I landed up with YazFi is due to the fact that after installing merlin, I realized that there is nowhere to plug in iptables rules. Went thru xmrouting and skynet add-ons that was too much for me to understand and found that Yazfi created folders with scripts that I read to the best my understanding (not great you must have surmised) so thought of using anyone of the files in ‘jffs/scripts/ by adding previously mentioned 6 FW rules that mostly broke more than helped. I figured this as YazFi is the one that creates these iptables rules for guest wifi and so figured that I will find someone who can assist me to add iptables rules.

As mentioned, I am trying to drop all UDP/TCP port 53 traffic to any provider and force all clients to use pihole with unbound. Only clients that are allowed are 2 pihole RPi’s that resolve using root server. I am sure you are quite familiar with that. I also used to force dns servers using custom dnsmasq config - “dhcp-option=6, 10.2.x.x, 10.2.x.x”. If someone tries to plug in 8.8.8.8 or 9.9.9.9 and try to bypass pihole, they will get no resolution and will need to use pihole at all times. One of the key reasons I do this is smart TV like LGs Netflix client wants to resolve using 8.8.8.8. Some sneaky way these clients try to upload stats that pihole clearly stops.

If there is no need to use YazFi and I can still add states 6 rules somehow that persists post reboot, that is golden, however playing with YazFi I plan to use guest network to go thru VPN. A cool solution there.

 

[bennor]

There may be other ways to block certain DNS servers that are hard coded into client devices.

One possible way is to use the "static route" option that forces the client to use the router. This is a basic explanation:
https://blog.nicktamm.com/block-google-dns-on-asuswrt-merlin/

If you haven't seen it already there is a Merlin Wiki entry for using IPTables at this link:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/Iptables-tips

The DNSFilter option is another way (apparently) to force clients to use certain DNS servers without having to resort to IPTables:
https://github.com/RMerl/asuswrt-merlin.ng/wiki/DNS-Filter
https://www.snbforums.com/threads/how-do-you-add-iptables-to-asuswrt-merlin.32447/

Edit to add: As I understand (and I could be wrong) one way DNSFiltering works. When enabled, set the global filtering to "router", and set the Pi-Hole devices to "no filtering", then it is supposed to route all DNS requests through the Pi-Hole. Devices that try to bypass with hard coded DNS values are filtered and routed to the router which then uses the router's DHCP DNS value, which then passes it to the Pi-Hole's (supposedly) if the Pi-Hole's are used in the DHCP DNS Server field(s). As an example, how I have the DNSFilter configured with two Pi-Hole devices.

 

[Cleanev]

@bennor Appreciate your thorough response to my query. Saturday was dedicated to get this working so read thru all the articles you've linked and then some in other forums to see if there was anything I can do. None of the iptables FORWARD or PREROUTING rules allowed internet access, I'm no expert on networking in general but can read and follow with modifications so kept on trying to no avail.

Following your edit I made it exactly as yours and then once everything was set as you've shown (screenshot below), I saw that LG TV's Netflix client still seemed to be bypassing pi-hole and directly connecting to 8.8.8.8. So I erased and rebuilt everything and same result, not giving up I erased it again following link by @L&LD.

This morning I started to read up on tcpdump and finally got it working
Command and its results are pasted below.

Does this show (prove?) that clients can still reach whatever dns servers they point to bypassing pi-hole? I tried with my iPad by pointing it to Quad9 and ended up with same result where I had full internet access and all ads on sites with ads showing, while tcpdump showed packets going to 9.9.9.9 and back on port 53.

/tmp/mnt/AX86U# ./tcpdump -i 4-vvAls0 | grep 8.8.8.8
tcpdump: 4-vvAls0: No such device exists
(SIOCGIFHWADDR: No such device)
admin@RadheGovinda:/tmp/mnt/AX86U# ./tcpdump -i 4 -vvAls0 | grep 8.8.8.8
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 11243+ A? cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. (57)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 52421+ A? ichnaea.netflix.com. (37)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 52421* q: A? ichnaea.netflix.com. 1/0/0 ichnaea.netflix.com. A 0.0.0.0 (53)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 11243 q: A? cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. 7/0/0 cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. CNAME ixanycast.ftl.netflix.com., ixanycast.ftl.netflix.com. CNAME oca-api.dradis.netflix.com., oca-api.dradis.netflix.com. CNAME oca-api.us-east-1.internal.dradis.netflix.com., oca-api.us-east-1.internal.dradis.netflix.com. CNAME dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com., dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 34.225.164.111, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.0.22.179, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.55.140.145 (296)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 34186+ A? api-global.netflix.com. (40)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 34186 q: A? api-global.netflix.com. 10/0/0 api-global.netflix.com. CNAME api-global.dradis.netflix.com., api-global.dradis.netflix.com. CNAME api-global.us-east-1.origin.prodaa.netflix.com., api-global.us-east-1.origin.prodaa.netflix.com. A 54.157.65.4, api-global.us-east-1.origin.prodaa.netflix.com. A 54.164.212.172, api-global.us-east-1.origin.prodaa.netflix.com. A 52.45.38.64, api-global.us-east-1.origin.prodaa.netflix.com. A 34.231.232.204, api-global.us-east-1.origin.prodaa.netflix.com. A 52.21.45.48, api-global.us-east-1.origin.prodaa.netflix.com. A 34.236.165.105, api-global.us-east-1.origin.prodaa.netflix.com. A 52.200.74.136, api-global.us-east-1.origin.prodaa.netflix.com. A 34.233.176.133 (249)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 11692+ A? api-global.netflix.com. (40)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 11692 q: A? api-global.netflix.com. 10/0/0 api-global.netflix.com. CNAME api-global.dradis.netflix.com., api-global.dradis.netflix.com. CNAME api-global.us-east-1.origin.prodaa.netflix.com., api-global.us-east-1.origin.prodaa.netflix.com. A 34.233.176.133, api-global.us-east-1.origin.prodaa.netflix.com. A 52.86.201.160, api-global.us-east-1.origin.prodaa.netflix.com. A 52.20.132.200, api-global.us-east-1.origin.prodaa.netflix.com. A 52.71.110.84, api-global.us-east-1.origin.prodaa.netflix.com. A 34.231.12.232, api-global.us-east-1.origin.prodaa.netflix.com. A 52.54.242.21, api-global.us-east-1.origin.prodaa.netflix.com. A 54.210.30.204, api-global.us-east-1.origin.prodaa.netflix.com. A 52.205.147.201 (249)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 53326+ A? cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. (57)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 35571+ A? oca-api.netflix.com. (37)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 35571 q: A? oca-api.netflix.com. 6/0/0 oca-api.netflix.com. CNAME oca-api.dradis.netflix.com., oca-api.dradis.netflix.com. CNAME oca-api.us-east-1.internal.dradis.netflix.com., oca-api.us-east-1.internal.dradis.netflix.com. CNAME dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com., dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 34.225.164.111, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.55.140.145, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.0.22.179 (237)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 53326 q: A? cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. 7/0/0 cfqxsivdkaikyje5sbcz6-use1.r.nflxso.net. CNAME ixanycast.ftl.netflix.com., ixanycast.ftl.netflix.com. CNAME oca-api.dradis.netflix.com., oca-api.dradis.netflix.com. CNAME oca-api.us-east-1.internal.dradis.netflix.com., oca-api.us-east-1.internal.dradis.netflix.com. CNAME dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com., dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.0.22.179, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 34.225.164.111, dualstack.apiproxy-ftl-nlb-04ed0e117cfaebf5.elb.us-east-1.amazonaws.com. A 52.55.140.145 (296)
    10.2.2.56.40765 > 8.8.8.8.53: [udp sum ok] 34235+ A? ichnaea.netflix.com. (37)
    8.8.8.8.53 > 10.2.2.56.40765: [udp sum ok] 34235* q: A? ichnaea.netflix.com. 1/0/0 ichnaea.netflix.com. A 0.0.0.0 (53)
^C142 packets captured
176 packets received by filter
0 packets dropped by kernel

EDIT : Updated other thread mentioned by @bennor

 

[bennor]

How is your LG TV connecting to the router? Wired or WiFi? If WiFi is, it using a Guest SSID (i.e. YazFi if you have YazFi installed)?

Do you have any other device, computer or mobile that you can use to test if setting manual DNS addresses are bypassing any filtering you have setup or enabled?

One thing, in some quick and dirty testing, that I'm seeing. It appears DNSFiltering isn't catching the YazFi clients when I manually set a YazFi client's DNS settings (example in the Android WiFi Advanced settings) to, for example Google's DNS servers. My assumption, this is due to the YazFi clients using IP ranges outside of the main LAN IP address range. So the DNSFilter doesn't see it the request and doesn't filter/catch those requests and they are not routed to my Pi-Hole. If I manually set the Android device's DNS to Google's DNS servers when connected to the main LAN's WiFi (ie not YazFi) then the DNSFiltering catches the request and routes it to my Pi-Hole.

 

[Jack Yaz]

How is your LG TV connecting to the router? Wired or WiFi? If WiFi is, it using a Guest SSID (i.e. YazFi if you have YazFi installed)?

Do you have any other device, computer or mobile that you can use to test if setting manual DNS addresses are bypassing any filtering you have setup or enabled?

One thing, in some quick and dirty testing, that I'm seeing. It appears DNSFiltering isn't catching the YazFi clients when I manually set a YazFi client's DNS settings (example in the Android WiFi Advanced settings) to, for example Google's DNS servers. My assumption, this is due to the YazFi clients using IP ranges outside of the main LAN IP address range. So the DNSFilter doesn't see it the request and doesn't filter/catch those requests and they are not routed to my Pi-Hole. If I manually set the Android device's DNS to Google's DNS servers when connected to the main LAN's WiFi (ie not YazFi) then the DNSFiltering catches the request and routes it to my Pi-Hole.

yazfi's force dns option replicates dnsfilter for yazfi networks

 

[bennor]

yazfi's force dns option replicates dnsfilter for yazfi networks

Thanks Jack. Had Force DNS turned off because I typically have two Pi-Hole's running. So its a trade off in some respects that some will have to make; use Force DNS or don't and live with requests possibly bypassing the YazFi DNS values if the YazFi client has their own hard coded DNS entries, if/when one wants to use two DNS servers for their YazFi clients.

Quick test does show that with Force DNS enabled my YazFi Android client with manual Google DNS values input do get forced to the Pi-Hole.

 

[Jack Yaz]

Thanks Jack. Had Force DNS turned off because I typically have two Pi-Hole's running. So its a trade off in some respects that some will have to make; use Force DNS or don't and live with requests possibly bypassing the YazFi DNS values if the YazFi client has their own hard coded DNS entries, if/when one wants to use two DNS servers for their YazFi clients.

Quick test does show that with Force DNS enabled my YazFi Android client with manual Google DNS values input do get forced to the Pi-Hole.

in this case i'd recommend setting up a load balancer/proxy in front of the 2 PiHoles. Traffic is enforced to the load balancer IP, which will filter through to one of the Pis

 

[Digimite]

Any work being done on AiMesh integration with YazFi or is this a non-starter?

 

[Jack Yaz]

Any work being done on AiMesh integration with YazFi or is this a non-starter?

that depends if Asus have solved the "protocol is buggy" messages and other problems people see with guest syncing to nodes. once that's fixed on all models, I will happily start working on adding yazfi to it

 

[Digimite]

that depends if Asus have solved the "protocol is buggy" messages and other problems people see with guest syncing to nodes. once that's fixed on all models, I will happily start working on adding yazfi to it

Cool!