
Enable connection to a printer on different subnet

I have two subnets, A and B, both established on different ports on my SG135 UTM.

I have had to move my duplex printer from my subnet A to a different subnet B so that it can be used by clients on subnet B.

What is the best/correct way for me to be able to use this printer from my own subnet A whilst maintaining security between the subnets, so that my subnet is not otherwise exposed or accessible to clients on subnet B?

Grateful for advice please.

  • I would just add, while you can do "ports: any", most network printers use port 9100/tcp. You can always open up firewall live view/real time to see what's getting blocked.

    Also, you will need to have a gateway IP defined for the printer. Without one, traffic won't move between different subnets. You don't necessarily need to define a DNS server though.

    I have a networked printer here with just a hardcoded IP/subnet. For my use case, the printer does not need to phone home or have internet access. If this is a concern for you, I'd add another firewall rule to block printer -->any--internet.

    I hate devices that phone home!!!

  • Hi Jay Jay,

    Thanks for the tip. My only remaining question is that the popups are useful now the printer is remote and I am not sure where or how they are generated. I suspect on my system but will do as you suggest and look at the live logs. Knowing what to look for is the question!

  • Open up the firewall log live view.  You'll see what's being blocked from where to where and respective port. There may be other ports that need to be allowed through.  Post a pic of the firewall rule(s) you've configured.

    Re your workstation, by default, Windows firewall only allows access to allowed ports on the same subnet. You need to edit (in Windows advanced firewall rules) the respective rules to allow other subnet access.

  • Hi Jay Jay and thanks for staying in touch.

    I have been trying to work out how to work the log search.  I'm a slow learner!  It seems I got lucky with my first attempt and since then my workstation and another laptop have both failed.

    Not using windoze but openSUSE Tumbleweed. I tried to connect even with the local firewall turned off but no, although I can ping the printer. The UTM setting I have for the printing connection uses HP Jetdirect, IPP and LPD. I guess I need to add the protocol/service which enables the HP connection wizard to find the device but I have no idea which to use. I had assumed SLP or similar would be available.

    Will try and capture what is going on in the firewall log.

  • Hi Jay Jay,

    As you can tell I am not a coder and well outside my area of expertise, so if you have time I would appreciate some help pinning down my problem. I have set up the connection to the printer as a host object in the remote subnet with the printing services bundle. Even so it seems port 9100 is blocked and SLP cannot see the printer from my network. I cannot find SLP as a service so I am stuck. I have a snapshot of the rules I have set up:

    What I do not know is how to add the port etc.

  • When editing the firewall rule you can click on the PLUS in the SERVICES box and assign a destination port. Port ranges are entered as x:y, i.e. 1000:2000 for ports 1000-2000.

    For live firewall viewing, hover over the clipboard next to the user name up at the top, then click on firewall.

    I would look at some YouTube video tutorials on how to use UTM. You can pick up the fundamentals much quicker visually than reading about it.

  • Hi,

    I am very slow but can now see that UDP packets are being dropped from port 161 with a dstmac address I do not recognise. One of the devices between my machine and the printer seems to be the problem, so now I have to do some more work. What I do not understand is why I can ping the printer in this situation. Will start reading up on what to do next.

    Thanks for your help so far, BTW. The UTM videos were a great help but I have not yet found a troubleshooting example, only basic configurations.
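
    The "open the firewall live log and see what is blocked" advice above, and the UDP/161 drops just mentioned, both come down to reading the UTM packet filter log and grouping the drops by destination port. The script below is an added example, not code from the thread or from Sophos: it parses log lines in the UTM's key="value" style (the sample lines are constructed and abbreviated, the printer address 192.168.2.50 is an assumption) and lists which protocol/port pairs to the printer are being dropped, labelled with the printing services named in this thread.

```python
import re
from collections import Counter

# The UTM packet filter writes each field as key="value"; this pulls them all out.
PAIR = re.compile(r'(\w+)="([^"]*)"')

# Labels for the ports discussed in the thread (used only to annotate the summary).
PORT_NAMES = {9100: "HP JetDirect", 515: "LPD", 631: "IPP", 427: "SLP", 161: "SNMP"}
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(PAIR.findall(line))

def dropped_to_host(lines, host_ip):
    """Count dropped packets addressed to host_ip, keyed by (proto, dstport)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("action") != "drop" or rec.get("dstip") != host_ip:
            continue
        proto = PROTO_NAMES.get(rec.get("proto"), rec.get("proto"))
        hits[(proto, int(rec.get("dstport", 0)))] += 1   # ICMP has no port
    return hits

def describe(hits):
    """Human-readable summary lines, most frequent drop first."""
    return [f"{n} dropped {proto}/{port} ({PORT_NAMES.get(port, 'unknown')})"
            for (proto, port), n in hits.most_common()]

def ul(action, src, dst, proto, sport, dport):
    """Build a constructed, abbreviated UTM-style log line (not a real capture)."""
    name = "Packet dropped" if action == "drop" else "Packet accepted"
    return (f'2019:03:01-10:15:01 utm ulogd[3012]: id="2001" sub="packetfilter" '
            f'name="{name}" action="{action}" fwrule="60001" srcip="{src}" '
            f'dstip="{dst}" proto="{proto}" srcport="{sport}" dstport="{dport}"')

PRINTER = "192.168.2.50"   # assumed printer address on subnet B
SAMPLE_LOG = [             # constructed sample: workstation 192.168.1.20 on subnet A
    ul("drop", "192.168.1.20", PRINTER, "17", "50123", "161"),
    ul("drop", "192.168.1.20", PRINTER, "17", "50124", "161"),
    ul("drop", "192.168.1.20", PRINTER, "6", "50125", "9100"),
    ul("accept", "192.168.1.20", PRINTER, "6", "50126", "631"),
    ul("drop", "192.168.1.20", "192.168.2.99", "6", "50127", "9100"),
]

if __name__ == "__main__":
    for summary in describe(dropped_to_host(SAMPLE_LOG, PRINTER)):
        print(summary)
```

    Each summary line names a service that is missing from the allow rule for subnet A to the printer; accepted packets and drops to other hosts are deliberately left out.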

  • Hi Jay Jay,

    I have it working now. There was an error in my rule which, combined with a static setting from long ago, caused a conflict and gave inconsistent behaviour. Once found, all was well. Many thanks for your guidance.

    I do have one remaining question concerning firewall configuration. If I wish to send filtered traffic on, should it be sent to "any" or External (WAN)? I ask because the "any" icon suggests 'the world' but to me it could mean any interface, either in the outside world or among device interfaces. You suggested I stop the printer from calling out, so do I tell the printer to drop traffic addressed to External WAN or 'any'?

  • You're right, "Any" means all your LANs and the entire Internet.  The "Internet IPv4" object is the one that includes the entire Internet but not your LANs.

    "External (Network)" only includes the subnet defined on the "External" interface.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA