Enable connection to a printer on different subnet

I have two subnets, A and B both established on different ports on my sg135 UTM. 

I have had to move my duplex printer from my subnet A to a different subnet B so that it can be used by clients on subnet B. 

What is the best/correct way for me to be able to use this printer from my own subnet A whilst maintaining security between the subnets so that my subnet is not otherwise exposed or accessible to clients on subnet B?

Grateful for advice please.

  • Hello.

    There are several possibilities to do that.

    The minimalistic way would be:

    1. Give the printer a static IP or DHCP reserved IP in subnet B
    2. Create a Host object in UTM with the printer IP
    3. Create a firewall rule to allow traffic from "subnet A" --> "Printer in subnet B"

    The services allowed in the firewall rule depend on the printing protocols used.


    Sophos Gold Partner
    4TISO GmbH, Germany
    If a post solves your question click the 'Verify Answer' link.
  • Hi and many thanks for your quick answer.  Looks good to me; a couple of follow up questions please:

    The printer is required to have dhcp enabled because of the user requirements on subnet B so I need to check how to reserve the dhcp address.  I assume it will be done by device name or MAC address but your further direction would be appreciated.

    I am not familiar with how to create a Host object.  Never done that before.  Is there a wiki I can read please?

    As you can tell I am very much in learning mode here!!!

    Thanks again,

    Budge 

    If the firewall is doing DHCP you may just click on the 'make static' button under "Network Services -> DHCP -> IPv4 Lease Table". Then you will already have a network host definition which you may use in your firewall rules.

    If the UTM is not providing DHCP services in that network, just navigate to "Definitions & User -> Network Definitions -> Network Definitions" and create a new one of type host providing the IP.

  • Hi and many thanks once more.

    I have to go out now but will get back to it this evening. 

    I spent a few minutes looking further before your reply and think I understand.  My only concern now is not to interfere with the "normal" function of the subject printer from subnet B.  What I intend, with your help, is that my connection should not interfere with the working of subnet B.  I did look at the leases listed in the DHCP tab and could not see the printer, which is odd because it is turned on.  I suspect the printer has some HP technique set up for all remote users who will no doubt be using Wifi and could be on subnets B or C.  Will check the printer setup when I return.

    Regards,

    Budge

  • Hi, I have it working now almost correctly.  The printer did have a fixed IP within reserved addresses so it didn't appear on the lease table, but I found it using nmap and set up the host, including the MAC address.

    I was not sure about DHCP but as the printer had a fixed IP, I selected 'no dhcp'.

    Similarly I didn't set up anything on DNS.

    I specified my subnet in the advanced section.

    I set up a firewall link between my subnet and the host and I can now print OK but I do not get the pop up telling me the job has been started and another when it has been completed.  If you can help that would be great.  

  • I would just add, while you can do ports: any, most network printers use port 9100/tcp.  You can always open up firewall live view/real time to see what's getting blocked.

    Also, you will need to have a gateway IP defined for the printer. Without, traffic won't move between different subnets. You don't necessarily need to define a dns server though.

    I have a networked printer here with just a hardcoded ip/subnet.  For my use case, the printer does not need to phone home or have internet access.  If this is a concern for you, I'd add another firewall rule to block printer -->any--internet. 

    I hate devices that phone home!!!

  • Hi Jay Jay,

    Thanks for the tip.  My only remaining question is that the popups are useful now the printer is remote and I am not sure where or how they are generated.  I suspect on my system but will do as you suggest and look at the live logs.  Knowing what to look for is the question!

  • I was too quick to say I have it working now.  Strange but it works from my laptop but not from my workstation.  I have turned off the firewall on the workstation and I have no difficulty pinging the printer with or without this firewall but darned if I can get a connection established from the workstation.

    Since the connection is working I assume this is a printer/local issue so will verify the answer.  Thanks again,

    Budge

  • Open up the firewall log live view.  You'll see what's being blocked from where to where and respective port. There may be other ports that need to be allowed through.  Post a pic of the firewall rule(s) you've configured.

    Re your workstation, by default, windows firewall only allows access to allowed ports on the same subnet.  You need to edit (in windows advanced firewall rules), the respective rules to allow other subnet access.

  • Hi Jay Jay and thanks for staying in touch.

    I have been trying to work out how to work the log search.  I'm a slow learner!  It seems I got lucky with my first attempt and since then my workstation and another laptop have both failed.

    Not using windoze but openSUSE Tumbleweed. I tried to connect even with the local firewall turned off but no, although I can ping the printer.  The UTM setting I have for the printing connection uses HP Jetdirect, IPP and LDP.  I guess I need to add the protocol/service which enables the HP connection wizard to find the device but I have no idea which to use.  I had assumed SLP or similar would be available.

    Will try and capture what is going on in firewall log
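A small check that complements the firewall live view suggested above: run from the workstation in subnet A, it tries a TCP connect to each print service the UTM rule is supposed to allow and tells a silent drop (firewall rule or missing printer gateway) apart from an active refusal (the path works, nothing listens on the printer). This is an added example, not code from the thread or from Sophos; it assumes the standard ports 9100 (HP Jetdirect), 631 (IPP) and 515 (LPD) for the three services named in the thread, and the printer address is supplied on the command line.

```python
import socket
import sys
from typing import Dict

# Standard TCP ports for the services the UTM rule allows (assumption:
# the thread names the services, not the port numbers, except 9100/tcp).
PRINTER_PORTS: Dict[str, int] = {
    "hp-jetdirect": 9100,  # raw socket printing, the 9100/tcp from the thread
    "ipp": 631,            # Internet Printing Protocol (CUPS)
    "lpd": 515,            # Line Printer Daemon
}


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt.

    'open'     - handshake completed, the service is reachable
    'refused'  - the host answered with RST: firewall and routing are fine,
                 but nothing listens on that port (printer-side setting)
    'filtered' - no answer or no route: a firewall is dropping the packets,
                 or the printer has no gateway to send replies back through
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (TimeoutError, OSError):
        return "filtered"


def check_printer(host: str, ports: Dict[str, int] = PRINTER_PORTS,
                  timeout: float = 2.0) -> Dict[str, str]:
    """Probe every configured print service and return name -> state."""
    return {name: check_tcp_port(host, port, timeout) for name, port in ports.items()}


def diagnose(results: Dict[str, str]) -> str:
    """Map the per-service states to where the problem most likely sits."""
    states = set(results.values())
    if states == {"filtered"}:
        return "nothing reachable: check the UTM rule (source/destination/services) and the printer's gateway"
    if "open" in states:
        blocked = [name for name, state in results.items() if state != "open"]
        if blocked:
            return "printing path works; not reachable: " + ", ".join(blocked)
        return "all listed print services reachable"
    return "host answers but no print service listens: check the printer's own protocol settings"


if __name__ == "__main__":
    printer = sys.argv[1] if len(sys.argv) > 1 else "PRINTER_IP_PLACEHOLDER"
    findings = check_printer(printer)
    for service, state in findings.items():
        print(f"{service:13s} tcp/{PRINTER_PORTS[service]:<5d} {state}")
    print(diagnose(findings))
```

Run it as `python3 printer_check.py <printer IP>`; a service reported as `filtered` is the one to look for in the UTM firewall log live view, while `refused` means the UTM already passes the traffic and the printer itself has that protocol disabled.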