YazFi YazFi v4.x

[bennor]

The next thing that's puzzling me is that I have YazFi enabled and "applied" the settings, but preexisting guest devices are not moving over to the new subnet. I tried power cycling one of the devices, but it did not cause the device to move over to the YazFi IP address range. What am I doing wrong?

Where are you checking to see if the Guest WiFi clients are using the YazFi IP addresses?

You don't look at the Network Map information, instead look at the System Log > Wireless Log page for the correct YazFi WiFi guest IP address assignments. Or do a "cat /var/lib/misc/dnsmasq.leases" when SSH'd into the router. Or from the YazFi CLI menu choose option 2 "Show connected clients using YazFi".

 

[maxbraketorque]

Thanks again. I'm seeing a variety of different IP addresses depending on what method I use.

- If I use the Wireless Log, it shows the guest network device IP address as the DHCP manual assignments that I had previously applied to those devices but disabled before enabling YazFi.
- dnsmasq.leases shows IP addresses matching values in the Network Map Information.
- Option 2 in the YazFi CLI shows the IP addresses as "unknown".

Pretty good, eh? Perhaps I need to reboot my router?

 

[Jack Yaz]

Thanks again. I'm seeing a variety of different IP addresses depending on what method I use.

- If I use the Wireless Log, it shows the guest network device IP address as the DHCP manual assignments that I had previously applied to those devices but disabled before enabling YazFi.
- dnsmasq.leases shows IP addresses matching values in the Network Map Information.
- Option 2 in the YazFi CLI shows the IP addresses as "unknown".

Pretty good, eh? Perhaps I need to reboot my router?

you might need to restart dnsmasq and the client for it to ignore the manual assignment that you've now removed

 

[bennor]

In addition to what Jack suggested. Check to ensure the WiFi device is actually connected to the Guest WiFi network. I've got a few WiFi devices that always revert back to connecting to the non guest WiFi when ever the router is rebooted or WiFi connection is reset/changed/updated. In some cases one may need to disconnect the WiFi device from the guest WiFi network, then manually reconnect it to the Guest WiFi network in order for the WiFi device to properly pull the new IP address and DNS information from YazFi.

Edit to add: Also if one previously manually assigned an IP address (using the DHCP section) to a WiFi device, remove/delete that manual entry if one is moving the WiFi device to the Guest WiFi network (that is running YazFi).

 

[maxbraketorque]

So, I took the nuclear option - I disabled YazFi, turned off the guest network, uninstalled YazFi, rebooted the router, installed YazFi, configured it, enabled the guest network, and rebooted the router again.

All working now. A few comments questions:

- Does the YazFi IP range need to be at a higher range than my ASUS LAN IP range, i.e, if my ASUS LAN IP range is 192.168.31.0, does the YazFi IP range need to be at least 192.168.32.0?
- I can verify that with YazFi enabled, guest clients on this network cannot see LAN clients on my remote networks that are connected to the local LAN via OVPN.
- Apparently, YazFi guests do not show up on the Network Map? That's kind of a bummer, but I guess I'll trade that for true guest device isolate from my LANs.

 

[bennor]

- Apparently, YazFi guests do not show up on the Network Map? That's kind of a bummer, but I guess I'll trade that for true guest device isolate from my LANs.

This was previously answered/addressed with one of your prior questions. When using YazFi the guest clients don't show up in the Network Map. Its something that is asked quite often and has to pointed out every time. As was previously stated:

... look at the System Log > Wireless Log page for the correct YazFi WiFi guest IP address assignments. Or do a "cat /var/lib/misc/dnsmasq.leases" when SSH'd into the router. Or from the YazFi CLI menu choose option 2 "Show connected clients using YazFi".

It is a very simple matter, if using Windows for example, to create a ".bat" file to run Plink (part of Putty) to issue the terminal command "cat /var/lib/misc/dnsmasq.leases" to display the current IP addresses including the YazFi addresses. Personally I have a shortcut on my Windows 10 desktop to run it and quickly show me the IP addresses. No need to access the Asus-Merlin GUI. An example ".bat" file script (saved to the same location as Plink), adjust the user name/password, router IP address and Plink location as needed:

plink.exe -batch -ssh -l sshname -pw sshpassword 192.168.2.1 cat /var/lib/misc/dnsmasq.leases

PAUSE

 

[maxbraketorque]

This was previously answered/addressed with one of your prior questions. When using YazFi the guest clients don't show up in the Network Map. Its something that is asked quite often and has to pointed out every time. As was previously stated:

It is a very simple matter, if using Windows for example, to create a ".bat" file to run Plink (part of Putty) to issue the terminal command "cat /var/lib/misc/dnsmasq.leases" to display the current IP addresses including the YazFi addresses. Personally I have a shortcut on my Windows 10 desktop to run it and quickly show me the IP addresses. No need to access the Asus-Merlin GUI. An example ".bat" file script (saved to the same location as Plink), adjust the user name/password, router IP address and Plink location as needed:

plink.exe -batch -ssh -l sshname -pw sshpassword 192.168.2.1 cat /var/lib/misc/dnsmasq.leases

PAUSE

Thanks. I realized from the prior discussion that the YazFi IPs do not show up in the Network Status window, but that wasn't the central aspect of the prior discussion. I just wanted to mention that it was a bummer. If no one ever provides feedback, things may not improve as fast as they might otherwise. Imagine what Microsoft Office might be if no one ever provided feedback. With that said, I know that this is not MS Office, and YazFi is freeware, so I don't have an expectation that this is going to be fixed, and I imagine that its not fixable anyhow. But in case it ever becomes fixable...

ok on the alternate method of viewing connected devices. I'd rather that the Network Status window showed things because I like a centralized approach to network management, but I'm happy to use an alternate method in exchange for true guest network isolation.

Last item - Thanks for the help.

 

[TITAN]

you'll need to use a userscript (https://github.com/jackyaz/YazFi#custom-firewall-rules) for this. enable redirect to VPN for the guests in YazFi, then follow the below

create

/jffs/addons/YazFi.d/userscripts.d/myscript.sh

Remember to make it executable with

chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh

Contents:

#!/bin/sh
iptables -I YazFiFORWARD -i eth0 -o wl0.2 -d 192.168.3.2 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o eth0 -s 192.168.3.2 -j ACCEPT
iptables -I YazFiFORWARD -i eth0 -o wl1.2 -d 192.168.6.3 -j ACCEPT
iptables -I YazFiFORWARD -i wl1.2 -o eth0 -s 192.168.6.3 -j ACCEPT

if your WAN interface isn't eth0 then replace accordingly
then apply YazFi settings (option 1 CLI or Save in WebUI)
hopefully I haven't missed anything!

Thank you for your help Jack, you're a legend! That seems to have done the trick.
Initially I wasn't sure if the iptables rules were correct as I had no connectivity at first. The trick was re-adding the guests to the policy rules of VPN2

For anyone else who may try this, this is my setup/config
YazFi settings
- Force DNS = yes
- Redirect all to VPN = yes
- Two way/One way/Client Isolation = all set to no

VPN 2 settings
- Accept DNS = strict
- Force internet through tunnel = policy rules (strict)
YazFi will automatically add the Guest subnets
- you will need to manually add all of the ip addresses from your 'myscript.sh' to the policy rules

Be sure to save the VPN connection profile in the WebGUI
Reboot the router for good measure and ensure the rules still work

P.S. I've sent you a little thank you for all your awesome work and support

 

[Jack Yaz]

Thank you for your help Jack, you're a legend! That seems to have done the trick.
Initially I wasn't sure if the iptables rules were correct as I had no connectivity at first. The trick was re-adding the guests to the policy rules of VPN2

For anyone else who may try this, this is my setup/config
YazFi settings
- Force DNS = yes
- Redirect all to VPN = yes
- Two way/One way/Client Isolation = all set to no

VPN 2 settings
- Accept DNS = strict
- Force internet through tunnel = policy rules (strict)
YazFi will automatically add the Guest subnets
- you will need to manually add all of the ip addresses from your 'myscript.sh' to the policy rules

Be sure to save the VPN connection profile in the WebGUI
Reboot the router for good measure and ensure the rules still work

P.S. I've sent you a little thank you for all your awesome work and support

Glad to hear everything is working, and thank you!!

 

[oOMrYairOo]

Hello,im have a problem whit yazfi,i have guest wifi that i set on 172.18.17.0/24 subnet but when im traying to connect to guest wifi i dont get any ip and cannot connect,before i installed yazfi when i connect to guest wifi i was getting ip 192.168.101.0/24 subnet after i uninstalled yazfi now im getting my local subnet which is 10.250.1.0/24,how i can fix this? im running latest stable merlin firmware,any ideas?

 

[L&LD]

What firmware are you using, specifically? What router actual model?

What client device(s) have this issue?

 

[oOMrYairOo]

What firmware are you using, specifically? What router actual model?

What client device(s) have this issue?

if I install yazfi all devices, I can connect to guest wifi but none of the devices getting IP, Router AX88U running on 386.2_6, for now I removed yazfi now I can connect to guest and all devices getting IP from 192.168.101.0/24

 

[L&LD]

After installing YazFi and configuring it properly, did you reboot the router and the clients?.

 

[oOMrYairOo]

After installing YazFi and configuring it properly, did you reboot the router and the clients?.

Yes no change still all devices not getting IP, what strange is that if I enable guest wifi after reboot all devices on guest wifi getting IP from my main lan and I can connect from guest to my nas on my main lan and if I go to the main page on Guest Network the option intranet access is always enabled even if I change to disable after refreshing the UI it comes back to enabled, It looks like some bug in the yazfi because on an older version of Asus merlin this addon worked great I was able t set different DNS to my guest network and different subnet.

 

[Jack Yaz]

Yes no change still all devices not getting IP, what strange is that if I enable guest wifi after reboot all devices on guest wifi getting IP from my main lan and I can connect from guest to my nas on my main lan and if I go to the main page on Guest Network the option intranet access is always enabled even if I change to disable after refreshing the UI it comes back to enabled, It looks like some bug in the yazfi because on an older version of Asus merlin this addon worked great I was able t set different DNS to my guest network and different subnet.

diagnostics please
also check syslog for any errors

 

[oOMrYairOo]

diagnostics please
also check syslog for any errors

syslog show an error whit yazfi
Jun 29 21:20:00 YazFi: YazFi firewall rules not detected during persistence check, re-applying rules
Jun 29 21:20:00 YazFi: YazFi v4.2.1 starting up
Jun 29 21:20:01 YazFi: No YazFi guests are enabled in the configuration file!

But I do have a guest network whit SSID and password.

 

[Jack Yaz]

syslog show an error whit yazfi
Jun 29 21:20:00 YazFi: YazFi firewall rules not detected during persistence check, re-applying rules
Jun 29 21:20:00 YazFi: YazFi v4.2.1 starting up
Jun 29 21:20:01 YazFi: No YazFi guests are enabled in the configuration file!

But I do have a guest network whit SSID and password.

have you turned the guest on in YazFi though?

 

[oOMrYairOo]

have you turned the guest on in YazFi though?

yes

 

[bennor]

Jun 29 21:20:01 YazFi: No YazFi guests are enabled in the configuration file!

But I do have a guest network whit SSID and password.

As Jack indicated have you enabled/turned on at least one of the YazFi guests?

In the YazFi Guest tab, select the Guest Network you are setting up, then select Enabled value Yes, then select the Apply button when finished assigning the values for each of the YazFi Guest Network's you've enabled. Example:

If using the YazFi CLI (via SSH), make sure to change the w1x1_ENABLED value from false to true and configure YazFi Guest as needed. Then save the changes. One will then need to apply those changes in the main YazFi CLI menu by selecting Option 1. Example of the configuration using nano:

 

[Jack Yaz]

yes

the error message from the syslog suggests it isn't on. can you screenshot the webui for YazFi please?