Hi, I know this topic was discussed several times but I didn't found a solution in the forum yet.
I use a XG106 (SFOS 18.0.1 MR-1-Build396) and several AP100c and APX320 access points. LAN has a different IP range than two of the WLANs have. This is by purpose to keep the devices separated in both networks. The printer+scanner (OKI MC853) is based in LAN. Access from within LAN works fine.
Now I need to access this printer from WLAN using notebooks and iPhones/iPads.
I have added a rule to access the printer from WLAN. With this I could ping the printer but nothing else. I also added a rule from the printer on LAN to all WLAN devices allowing all services.
This way back is blocked. I tested with Policy Tester and on one notebook using ping to the printer. Printing still not works. Don't want to think about scanning yet. Policy Tester shows that no rule was found.
I don't know why.
Here is a screenshot:
Why is rule #2 (LAN to WiFi_WORK) not working at all?
What do I have to do to get printing working?
Thank you very much,
Somebody out there who solved such an issue already and who is willing to share the knowledge?
Thank you for contacting the Sophos Community!
If you run a Conntrack -E | grep x.x.x.x (IP of the printer)
What does the fwid says? This should be the fwid that the printer is using.
Thanks for your answer.
Conntrack shows fwid = 5.
What am I doing with this information?
Thank you for the follow-up!
What have you configured in the XG for Firewall rule ID number 5? I see you have a Group of Firewall rules, this rule might be inside this.
I checked the rules and rule ID 5 is the very last rule and configured like this:
On top of this is a general LAN->WAN rule and a rule for VoIP/SIP. Above those rules are the above mentioned WiFi->LAN and LAN->WiFi rules.
Thank you for the follow-up.
It means that your traffic is not matching what the Rule #2 says.
Are your definitions correct for Wireless in the Firewall rule?
You want WLAN devices to be able to send print jobs to the Printer I believe? If you do that and do a
console> drop-packet-capture 'host x.x.x.x' (IP of computer or Ipad) do you see anything being dropped?
Thank you for your answer.
How do I verify my definitions to be correct for Wireless in my Firewall rule? APs are setup with zone WiFi_WORK. Zone WiFi_WORk is part of the two rules as shown in previous posts. Any hint what to check or where to look at?
Right, I’d like WLAN devices to be able to send print jobs to this printer (MC583) attached to LAN zone.
I would do that dropped-package-capture but the devices don’t even see the printer. So I can’t send a print job to capture its packages.
Agreed, similar issue except in reverse. This issue did not appear until V18, and some previously answers mentioned a bug that would be fixed with V18 GA, however still an issue with MR-3
You mentioned you are able to Ping, from WLAN to the Printer on the LAN, is this correct?
Did you happen to do the drop-packet I suggested?
I also have the same issue, would like my WiFi AP zone to be able to communicate with LAN zone subnet, but no matter what I try with firewall rules in v18 MR3, can't get it to work. Even tried bizarre SD-WAN rules like I saw in another thread, no luck.
Wireless SSID-A: bridged to AP LAN (192.168.100.0/24) - default WAN load balance between GW-1 and GW-2 as primary, GW-3 as backup
Wireless SSID-B: separate zone Zone-B (192.168.101.0/24) - SD-WAN configured to use WAN GW-3 only
From SSID-B/Zone-B, cannot ping a device with static IP 192.168.100.202 unless I switch to SSID-A. However I can ping 192.168.100.1 from SSID-B.