Printer

Hello everyone,

I come to you because I have a funny situation.

Setup:
Network A: 192.168.2.0/24 (clients)
Network B: 192.168.3.0/24 (printer)

The printer is in network B - but the clients are in network A.

Problem:
- If I print via network A to network B, it does not work.
- When I print over network B, it works fine.

Setting:
- I made a firewall rule that the clients in network A can access the printer network B (Source: Network Subnet / Port: Any / Destination: Printer)
- The printer assignment is done via IP address

Remark:
- I have the problem both on mobile and on Windows 10.
- Firewall Sophos UTM - newest version


Why does it not work? Is there anything I can adjust on the firewall?

Best regards

  • I have a similar setup. Printer connectivity is via wifi which is on a different subnet from the lan.

    While the printer can be "connected", I chose to use it in offline mode.  No need for it to be sending back telemetry data to the mothership (canon), or any other details. I don't need to print when not local.

    So in terms of setup, two ways to implement this.

    Easier method - would be using a SNAT rule where traffic going to the printer's ip gets rewritten with an IP from the printer's subnet.

    Internal_port2 - local lan
    vlan_port2 - wifi subnet

    Note above FROM refers to internal_port2 NETWORK

    Change source refers to vlan4_port2 ADDRESS (refers to the utm address on that subnet x.y.z.1 )

    This works well and doesn't require printer to have a GATEWAY IP defined.

    I chose not to go this route as my printer also doubles as a scanner and dumps the scans to a NAS in a different subnet. Using SNAT would make later troubleshooting more difficult as it would not retain the client's true ip in the logs.

    -----

    Method 2

    1) Define proper gateway ip in the printer's tcp/ip settings - DNS entries not important.

    2) In utm's firewall setting, establish a permit permission from subnet A to the printer's IP address (or entire subnet if you wish). For services, enter whatever ports are needed for the protocols you're using to print. For my canon laser AIO, I believe it's 9100.  You can start with an ANY rule with logging enabled. That will show you what ports are used. Then you can modify the rule to be more granular to the specific ports needed.

    In my application, after this rule, I have another rule allowing the printer access to the nas then a subsequent rule which blocks all printer outbound access to the internet and any (latter probably redundant).

    Posting the logs would help determine where the issue is. The log portion shown above doesn't even reference the subnets in your OP.
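The reply above leaves the underlying reason implicit: the firewall rule lets the job reach the printer, but a printer with no gateway has no route back to 192.168.2.0/24, so the TCP handshake never completes. The following is an added example, not code from the thread or from Sophos, that models that reasoning for both methods; the subnets are the OP's, port 9100 comes from the reply, and the UTM's own address in the printer subnet (192.168.3.1) is assumed.

```python
# Added example (not from the thread): a small model of why a job from network A
# reaches the printer in network B but the reply never comes back, and how the
# two fixes from the reply change that.  The UTM address 192.168.3.1 is assumed.
from ipaddress import ip_address, ip_network

CLIENT_NET = ip_network("192.168.2.0/24")    # network A (clients)
PRINTER_NET = ip_network("192.168.3.0/24")   # network B (printer)
UTM_ON_PRINTER_NET = "192.168.3.1"           # assumed UTM address in network B


def printer_can_reply(printer_gateway, reply_dst):
    """A host without a default gateway can only reach on-link addresses.
    With a gateway inside its own subnet it can reach anything via the UTM."""
    if ip_address(reply_dst) in PRINTER_NET:
        return True
    return printer_gateway is not None and ip_address(printer_gateway) in PRINTER_NET


def print_job(client_ip, printer_ip, printer_gateway=None, snat=False):
    """Simulate one TCP/9100 job through the UTM.

    Returns (job_succeeds, source_ip_the_printer_logs).  The firewall rule
    from the OP (network A -> printer, any port) is assumed to be in place.
    """
    client, printer = ip_address(client_ip), ip_address(printer_ip)
    if printer not in PRINTER_NET:
        raise ValueError("printer must live in network B")
    if client in PRINTER_NET:            # same subnet: no routing or firewall involved
        return True, client_ip
    if client not in CLIENT_NET:         # the allow rule only covers network A
        return False, None
    # Method 1: SNAT rewrites the source to the UTM's own address in network B,
    # so the printer sees an on-link peer and never needs a gateway.  The price
    # is that the printer's logs no longer show the real client address.
    seen_src = UTM_ON_PRINTER_NET if snat else client_ip
    return printer_can_reply(printer_gateway, seen_src), seen_src


if __name__ == "__main__":
    cases = [("OP's setup (no gateway, no SNAT)", {}),
             ("method 1: SNAT on the UTM", {"snat": True}),
             ("method 2: gateway on the printer", {"printer_gateway": UTM_ON_PRINTER_NET})]
    for label, kwargs in cases:
        ok, src = print_job("192.168.2.10", "192.168.3.20", **kwargs)
        print(f"{label:35} works={ok!s:5} printer logs source={src}")
```

Method 2 is the one that keeps the real client IP in the printer's log, which is the troubleshooting point the reply makes against SNAT.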
