Menu Close

Allow Guest WiFi to use Pi-hole on Asuswrt-Merlin

I enabled the Guest WiFi on my Asuswrt-Merlin router, so that some of my IoT devices could be separated from my network. What I soon discovered was that I could not get an internet connection on the Guest WiFi because the DNS server on my LAN is an internal address pointing to my Pi-hole, and the Guest WiFi was preventing access to my LAN.

After some research I found a project on GitHub called YazFi which would allow the Guest Wifi to communicate with the router to allow (among other things) access to my internal DNS server.

Getting up and running with YazFi is very, very straight forward. The setup instructions are on but I’ll provide a quick summary below.


You will need a router running Asuswrt-Merlin firmware and SSH access to the router. For more information on Asuswrt-Merlin, see
  1. Log into the router’s GUI and create a new Guest WiFi network, with an SSID and a passphrase.
  2. Open an SSH session to your router, then copy/paste the following command and press Enter:

  1. This will install YazFi. Once it it’s installed, press Enter.
  2. In the console, type in YazFi to launch the application.
  3. In the menu, type in 3. Edit YazFi config then press Enter. You will be asked to select an editor – for simplicity use nano.
  4. In the editor, edit the options for each Guest WiFi you have setup. In my case, I only have one so I will be modifying the wl01 section. Below is what my config file looks. Note that you will need to reference the Explanation of YazFi settings section to modify this for your network, but the important part here was that I change the DNS, both DNS1 and DNS2 to point to my internal Pi-hole which is on

  1. Once you have made your changes, hit CTRL + X. You will be asked to save your script.
  2. Back at the main menu type 1 then press Enter to apply the YazFi configuration.

The application will now launch and apply your settings. Once it’s ready, you should now be able to connect your Guest Wifi to the internet and have it pass through your Pi-hole so that it can also block ads.

And yes, YazFi will automatically launch on a router reboot.


Edit: There is one setting in that needs to be adjusted in Pi-hole as mentioned by SpasilliumNexus in the comments below for this to work correctly. I had already set this option in my Pi-hole, so I missed it in this guide.

  1. Log into your Pi-hole and click on Settings, then click on the DNS tab at the top.
  2. Change the option in Interface listening behavior to Listen on all interfaces, permit all origins.
  3. Click on Save at the bottom.


Posted in ASUS, Asuswrt-Merlin, Pi-hole


  1. SpasilliumNexus

    For my setup, an Asus RT-AX88U, with Pihole set up as a DNS server, I had to switch my interface listening behavior in Pihole to “Listen on all interfaces, permit all origins” in order for my guest networks to connect to the internet.

    • Nick

      Thanks for the tip. Looks like my Pi-hole was already set this way, which is why it wasn’t mentioned in the guide. I’ll update the post to reflect this.

  2. Cynic

    @spasilliumnexus – thank you! I was banging my head against this issue for hours before reading your reply here. Setting pi-hole to “Listen on all interfaces, permit all origins” finally got the internet working on my guest wifi subnets, too.

  3. Derrick

    Hi. I managed to get the yazfi guest clients to connect to pi-hole, and I do see the requests in the Query Log. But it still doesn’t connect to the internet. Do you know what could be wrong?
    My non-guest connections go through the VPN, and I have the upstream DNS Servers connected to the public VPN DNS Servers. Those are working fine.

    • Nick

      Are you guest connections also supposed to be routed through the VPN as well?

      Assuming not, then you can try this configuration. Note that this is for the first guest network, so you’ll need to adjust your values accordingly:
      Might need to play with the configuration of YazFi.
      Try the following, adjusting your values as needed.
      Note that this configuration is for the 1st 2.4 GHz guest network connection:


      If they need to go through the VPN, then set wl01_REDIRECTALLTOVPN to true, and wl01_VPNCLIENTNUMBER to to VPN client number setup on the router.

      Hope that helps!

      • Derrick

        Hi Nick,
        Thanks for the quick response. Those settings don’t work either (i previously had wl01_TWOWAYTOGUEST=true). Are you able to explain how the data routes in pihole? I assume it’s device->router->pihole->router->internet? If my requests show up in pi-hole does it mean it gets blocked at the pihole->router->internet path?

          • Derrick

            Yup, If i change the guest dns to a public dns, it works. When I use the dns I used for pi-hole (VPN public dns), it also works fine. it looks like it only stops working when i go through pi-hole. Restarting both router and pi-hole didn’t change anything.

          • Derrick

            It looks like when I’m on the guest 5GHz network, i can’t get to the pi-hole admin page either. So for some reason it can’t seem to connect via intranet? Though I’m not sure why it does show my requests on the pihole query log.

          • Nick

            If you didn’t specifically allow your guest network to access your local LAN, you won’t be able to access the Pi-hole admin page. This is normal.
            On your Pi-hole, do you have Listen on all interfaces, permit all origins enabled? If not, enable it.

            Your YazFi connection should look like this screenshot in this link, replacing the IP listed with the IP of your Pi-hole:

          • Derrick

            I suspected that I previously played around with my pi-hole too much which is causing the problem. I reinstalled everything from scratch and it’s still not working. It shows up in pi-hole but no internet connection. See screenshots:

          • D

            Fixed it! It was something to do with my VPN. I had to play around with it and it works now. Interestingly, my VPN settings are still the same but I guess changing it and back ‘reset’ something. 🙂

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.