Printer

Hello together,

I come to you because I have a funny situation.

Setup:
Network A: 192.168.2.0/24 (clients)
Network B: 192.168.3.0/24 (printer)

The printer is in network B - but the clients are in network A.

Problem:
- If I print via network A to Network B, it does not work.
- When I print over network B, it works fine

Setting:
- I made a firewall rule that the clients in network A can access the printer network B (Source: Network Subnet / Port: Any / Destination: Printer)
- The printer assignment is done via IP address

Remark:
- Both on mobile and Windows 10 I have the problem.
- Firewall Sophos UTM - newest version


Why does it not work? Is there anything I can adjust on the firewall?

Best regards

  • Does the firewall block any traffic between Network B and A (use live protocol)?

    Sounds to me as if the return route is not allowed.

  • Copy here a line from the firewall log where the IP of the printer occurs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, the firewall logs show that it is not blocked. I tried it with a return firewall rule, but the problem still persists.

    Here you have the logs - I have tried over the mobile (port 161) or over the laptop (port 80), but it is still not printed.


    What can I do to solve the problem?

    Best regards

  • Sorry, but neither port 80 nor port 161 are used for printing.
    Mostly port 80 is used to access the printer's configuration page, port 161 is SNMP ... some printer drivers use it for a status query.

    First try to ping the printer. Successful?

    BTW... your client IP (10.242.3.2) is not from any of the subnets listed above...
    I would think you come from VPN currently.

    ... and the destination IP (192.168.230.240) is possibly incorrect ... (not Network B: 192.168.3.0/24 (printer))


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Your source IP 10.242.3.2 is from one of the VPN pools, from where are you testing this?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Salut,

    Philipp and Dirk haven't found an answer for you because there's no real information about your problem.  We need to see lines where traffic to the printer is blocked - check #1 in Rulz.  If there are no blocks in the UTM logs, one has to suspect a printer setting.

    Cheers - Bob

  • I have a similar set up. Printer connectivity is via wifi which is on a different subnet from the lan.

    While the printer can be "connected", I chose to use it in offline mode.  No need for it to be sending back telemetry data to the mothership (Canon), or any other details. I don't need to print when not local.

    So in terms of set up, two ways to implement this.

    Easier method - would be using a SNAT rule where traffic going to the printer's ip gets rewritten with an IP from the printer's subnet.

    Internal_port2 - local lan
    vlan_port2 - wifi subnet

    Note above FROM refers to internal_port2 NETWORK

    Change source refers to vlan4_port2 ADDRESS (refers to the utm address on that subnet x.y.z.1 )

    This works well and doesn't require printer to have a GATEWAY IP defined.

    I chose not to go this route as my printer also doubles as a scanner and dumps the scans to a NAS in a different subnet. Using SNAT would make later troubleshooting more difficult (as it would not retain the client's true IP in the logs).

    -----

    Method 2

    1) Define proper gateway ip in the printer's tcp/ip settings - DNS entries not important.

    2) In UTM's firewall settings, establish a permit rule from subnet A to the printer's IP address (or entire subnet if you wish). For services, enter whatever ports are needed for the protocols you're using to print. For my Canon laser AIO, I believe it's 9100.  You can start with an ANY rule with logging enabled. That will show you what ports are used. Then you can modify the rule to be more granular to the specific ports needed.

    In my application, after this rule, I have another rule allowing the printer access to the nas then a subsequent rule which blocks all printer outbound access to the internet and any (latter probably redundant).

    Posting the logs would help determine where the issue is. The log portion shown above doesn't even reference the subnets in your OP.
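
The two log checks suggested in the replies above (is the logged traffic really between the stated subnets, and which ports does an ANY rule with logging show), as an added example that is not part of the thread. The log lines are constructed, and the key="value" field names and the addresses 192.168.2.50 and 192.168.3.20 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Subnets as stated in the original post.
CLIENT_NET = ipaddress.ip_network("192.168.2.0/24")
PRINTER_NET = ipaddress.ip_network("192.168.3.0/24")

# Constructed sample lines; the key="value" field names are an assumption.
SAMPLE_LOG = """\
10:00:01 action="accept" srcip="10.242.3.2" dstip="192.168.230.240" proto="6" dstport="80"
10:00:05 action="accept" srcip="10.242.3.2" dstip="192.168.230.240" proto="17" dstport="161"
10:02:11 action="accept" srcip="192.168.2.50" dstip="192.168.3.20" proto="17" dstport="161"
10:02:12 action="drop" srcip="192.168.2.50" dstip="192.168.3.20" proto="6" dstport="9100"
10:02:15 action="drop" srcip="192.168.2.50" dstip="192.168.3.20" proto="6" dstport="9100"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')
PROTO = {"6": "tcp", "17": "udp"}


def triage(log_text):
    """Split log lines into off-subnet flows and a per-port tally of
    client-to-printer flows, so the ANY rule can be narrowed later."""
    off_subnet, ports = [], Counter()
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"srcip", "dstip", "dstport", "action"} <= f.keys():
            continue  # not a packet filter line we can use
        src = ipaddress.ip_address(f["srcip"])
        dst = ipaddress.ip_address(f["dstip"])
        if src not in CLIENT_NET or dst not in PRINTER_NET:
            # Traffic that does not match the described setup (e.g. a VPN pool).
            off_subnet.append((f["srcip"], f["dstip"]))
            continue
        proto = PROTO.get(f.get("proto"), f.get("proto", "?"))
        ports[(f["action"], proto, int(f["dstport"]))] += 1
    return off_subnet, ports


def needed_rules(ports):
    """Distinct (proto, port) pairs seen from clients to the printer subnet."""
    return sorted({(proto, port) for _, proto, port in ports})


if __name__ == "__main__":
    off, ports = triage(SAMPLE_LOG)
    print("flows outside the described subnets:", off)
    for (action, proto, port), n in sorted(ports.items()):
        print(f"{action:6} {proto}/{port}: {n}")
    print("services for a narrowed rule:", needed_rules(ports))
```

Lines that land in the first list are not evidence about the A-to-B path at all; dropped entries in the tally point at the firewall, while an accept-only tally points back at the printer's own settings.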

  • What does your reply have to do with the OP's issue?

  • Can you delete this toner cartridge rubbish, please?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch